Improve IAM with identity threat detection and response

What is identity threat detection and response?

ITDR aims to improve security around identity-focused infrastructure. ITDR products and strategies identify, analyze, quarantine, and eliminate or remediate suspicious activity targeting identity systems. They also identify vulnerabilities on the attack surface before attacks occur.

ITDR refers to a deployable tool or an overarching cybersecurity strategy that includes best practices and processes organizations can adopt to protect identity-based infrastructure. ITDR became a formalized segment of IT security in 2022, coined by Gartner.

How an organization adopts ITDR depends on the maturity and size of its security team. ITDR should include the following actions:

• Analyze and correct current permissions and configurations.
• Implement multifactor authentication (MFA).
• Deploy privileged access management (PAM).
• Monitor Microsoft Active Directory (AD) and similar platforms.
• Detect potential identity threats, both external and insider, in real time.
• Remediate security gaps and misconfigurations.

Why should organizations adopt ITDR?

Many organizations have identity and access management (IAM) frameworks that control user access to applications and data. IAM policies and procedures don't completely solve identity challenges, however. By adopting ITDR, organizations add threat detection and incident response capabilities to their overall IAM strategy.

IAM and PAM systems provide authorization and authentication capabilities so users can only access the resources they need to do their work. Identity threat detection and response expands upon IAM and PAM by providing visibility into possible misuse of credentials, such as account takeover and escalation of privilege activities. Additionally, IAM and PAM implementations may introduce gaps in security, which ITDR is meant to identify and prevent or remediate. ITDR products and services should perform rigorous identity-based investigations and analyses. They facilitate remediation as needed, enhance least-privilege access and, when appropriate, can shut down Remote Desktop Protocol sessions.

ITDR can complement endpoint detection and response (EDR) deployments. While EDR tools monitor endpoints for cyber threats, ITDR tools monitor user activity and access management logs. ITDR examines identity systems for possible attacks, tricks attackers into targeting decoys, isolates affected systems from further attacks and gathers event data for analysis.

Challenges of ITDR adoption

ITDR tools and strategies could tax an IT department's budget. This would affect how organizations deploy ITDR, whether adopting a vendor's tool or using ITDR as a strategy. Some organizations find their current tool set can monitor attack activity while they gradually introduce ITDR capabilities that supplement existing procedures.

Adding an ITDR tool requires a comprehensive vendor evaluation and selection process. Vendors often address training, installation, maintenance, documentation and customer service differently. Implementation also requires testing and acceptance steps before an organization can rely on an ITDR tool in production. Review system logs and other performance-related records regularly to ensure the system is working.

Get senior management buy-in on proposals to add ITDR capabilities and establish formal programs. Cybersecurity team members should drive requirements and adoption, as well as ongoing optimization.

How to establish an ITDR strategy and program

Adoption depends on the organization's current cybersecurity program maturity. IAM policies and procedures are a good precursor to identity threat detection and response, for example, requiring MFA, PAM and role-based access controls.

First, with IAM protocols and processes in place, organizations can deploy tools and strategies for ITDR. For example, a tool can detect misconfigurations or overly broad permissions in AD accounts, making IAM enforcement more effective. Also, they can help organizations review and update firewalls, intrusion detection and prevention systems, and other devices. ITDR can also modify antiphishing, antivirus, antimalware and other security applications. Work with existing tool vendors to implement identity-focused features, in addition to evaluating new tools.

The next step is continuous threat monitoring for suspicious account activity. This could include integrating ITDR with an existing SIEM deployment. If an ITDR tool or host system detects a threat, a SIEM system can alert security teams or trigger an automated response to mitigate the threat. For example, ITDR could trigger a process to temporarily revoke credentials until a human reviews the alert or automatically implement step-up authentication measures for the user.

From there, put an incident response plan in place that specifically accounts for identity-based threats. The incident response plan should explain how to handle stolen credentials, account takeover and privilege escalation.

Lastly, an ITDR strategy should include a knowledge base and employee training and awareness so users know how to spot and respond to suspicious identity-related activity.