Identity Threat Detection and Response Explained


In March, Gartner analysts sent us some breadcrumbs about a new emerging category they call “Identity Threat Detection and Response” (ITDR).


Quoting from their “Top Security and Risk Management Trends for 2022” presentation, which we broke down in last week’s post, the analysts told us they introduced the term “to describe the collection of tools and best practices for defending identity systems.”

The reason they cite for the new category is the marked increase in active targeting of identity and access management (IAM) infrastructure by sophisticated threat actors, as well as the fact that credential misuse is “a primary threat attack vector.”

In this week’s article, we will try to:

  • Understand what has changed in the security environment that has driven the creation of this new category
  • Re-examine a couple of our earlier assumptions about identity and access security
  • Define as best we can what ITDR is and what problems it seeks to solve
  • Lay out Authomize’s approach to ITDR with a breakdown of how our solution fits the bill

Identity and access are under attack

Even before the pandemic, the identity and access layers were already under threat, especially given the transition from on-premises to the cloud, where identity is both the key to accessing an organization’s assets and the perimeter that protects them. Taking control of identities with privileged access grants attackers the keys to the kingdom, along with all the crown jewels they can reach with those privileges.

Attacks at the identity layer have only increased in the last two years due to the shift to remote and cloud work, with the Verizon Data Breach Investigations Report for 2021 telling us that 80% of breaches involve privileged credentials.

The threat to identities has led to a burgeoning field of IAM tools (IGA, PAM, CIEM, CSPM, SSPM, etc. ad infinitum) and authentication tools like MFA and SSO, all aimed at managing our identities more effectively and reducing the chances of compromised credentials being used against us.

All of these factors and developments are important, but none of them are particularly new.

Reexamining our assumptions about IAM

What is new is the recognition that these IAM tools are identity and access infrastructure, not security.

Additionally, Gartner explicitly tells us that “sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure,” and that we need to develop ways to protect that infrastructure.

Analysts go a step further in their criticism of the current scenario.

“Organizations have put considerable effort into improving IAM capabilities, but much of it has focused on technology to improve user authentication, which actually increases the attack surface for a critical part of the cybersecurity infrastructure,” said Peter Firstbrook, research vice president at Gartner, in the report.

What this means is that while we’ve done a better job of implementing tools, like authentication, meant to handle our identities and access more securely, attackers are finding ways to undermine those systems and use them as their avenue to get in, and well within their targets.

We have seen two high-profile examples of this problem. First, in the SolarWinds case, where Russian hackers defeated MFA and hijacked Active Directory to create a new administrator identity. More recently, the Okta breach, where the Lapsus$ group compromised a third-party vendor and used that access to penetrate Okta’s clients, gaining terrifying amounts of access.

The evidence shows that malicious actors have the ability to use our identity and access infrastructure against us.

IAM tools can be incredibly powerful and useful. But they can also be a single point of failure if compromised. A basic principle of security tells us that the system managing the infrastructure should not be the same system monitoring that it is working safely.

Think of it as segregation of duties for your identity and access security.

What is needed is a solution that truly secures our infrastructure and ensures that it continues to function properly.

This is where ITDR comes into the spotlight.

Defining ITDR

Going back to Firstbrook’s description of ITDR as “the collection of tools and best practices for defending identity systems,” we understand that this segment is still in its infancy.

What we do know is what ITDR seeks to solve and what it needs to do to get us there.

The challenge

A major flaw in IAM tools is that they have limited visibility.

An identity provider (IdP) like Okta will only see identities that are in its directory. If you’re only tracking identities from the IdP side, then you’re only seeing half the picture from an access privilege point of view.

How about looking at the assets side of the equation to see who has access privileges to them? There may be local IAM users on your AWS, or in the case of GitHub with its Bring Your Own Identity model, internal or external users with access to your repositories that you just don’t know are there.

Access privileges are the answer to the question of what an identity, human or machine, can do after having authenticated their identity. What assets can they access? What level of access (read, write, administrator, etc.) will they have?

These access privileges are the relationship between the identity and the applications and services where the identity interacts with its assets. Understanding who has access to what and how they use those privileges is critical to operating securely.

The solution

As stated above, what we need ITDR to do is help us secure our IAM infrastructure and ensure that it continues to function properly.

Securing infrastructure means:

  • Making sure there are no configuration errors, intentional or not, that could compromise it
  • Monitoring for and detecting malicious activity

Ensuring that the infrastructure is used correctly means:

  • Removing excessive privilege and working toward Least Privilege
  • Detecting anomalies in the use of privileges and compromised accounts with access

This is a tall order, but Authomize has you covered. This is how we do it.

The Authomize Approach to ITDR

Authomize is the first cloud identity and access security platform.

We continuously monitor your identities, access privileges, assets and activities to protect all your applications and cloud services. This means we go full-stack, connecting to everything from your IdPs (Okta, Ping, Azure AD), to IaaS (AWS, Azure, GCP) to SaaS (GitHub, O365, Google, etc.) and more.

Data from these sources is normalized and processed by our Machine Learning engine.

Our visibility enables you to continuously monitor your environments, detect threats and effectively remediate risks, enabling you to achieve and maintain Least Privilege.

This is how we do it:

Once we connect to your IdPs and apps/services, we collect and monitor data about:

  • How they are set up, understanding trust, relationships and more
  • Effective access that shows you who has access to what, both direct and indirect
  • How that access is used – think of this as audit trails for your access

Based on the data we collect and normalize, we detect issues with:

  • Effective access risks like hidden access from groups, roles and more
  • Lifecycle changes that can lead to privilege expansion or risk exposure
  • Access privilege activity that

All this information allows us to:

  • Help you achieve Least Privilege
  • Provide you with information about unused privileges, abnormal actions, and compromised accounts
  • Notify you of risky misconfigurations that affect the security posture of your identity infrastructure
  • Identify suspicious changes to your identity infrastructure
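As an added example, not part of the original post or of Authomize’s product code, the following Python sketch resolves asset-side grants through nested groups into effective access per user (recording whether it is direct or inherited, the “hidden access from groups” case above) and lists identities that hold access on the asset side but are absent from the IdP directory, the “half the picture” problem described earlier. All services, groups, users and assets are constructed, hypothetical names.

```python
from collections import deque

# Constructed sample data (not from any real tenant). The IdP only knows
# its own directory; the asset side has local users and nested groups.
IDP_DIRECTORY = {"alice@corp.example", "bob@corp.example"}

# Asset-side inventory per service: group -> members (users or nested groups)
GROUPS = {
    "aws": {"admins": {"alice@corp.example", "platform"},
            "platform": {"svc-deploy"}},            # local IAM user, unknown to the IdP
    "github": {"core-team": {"bob@corp.example", "ext-contractor-42"}},
}
# Asset-side grants: (principal, asset, level); principal may be a user or a group
GRANTS = {
    "aws": [("admins", "prod-account", "administrator"),
            ("bob@corp.example", "billing-bucket", "read")],
    "github": [("core-team", "repo:payments", "write")],
}


def effective_access(service):
    """Return {user: [(asset, level, path)]} for one service.

    path is () for a direct grant and the chain of groups traversed for an
    indirect grant, so reviewers can see where hidden access comes from.
    """
    groups = GROUPS[service]
    result = {}
    for principal, asset, level in GRANTS[service]:
        queue = deque([(principal, ())])   # breadth-first walk of nested groups
        seen = set()
        while queue:
            node, path = queue.popleft()
            if node in seen:
                continue                   # guard against membership cycles
            seen.add(node)
            if node in groups:
                for member in groups[node]:
                    queue.append((member, path + (node,)))
            else:
                result.setdefault(node, []).append((asset, level, path))
    return result


def unknown_to_idp(service):
    """Identities with effective access that the IdP directory never saw."""
    return {user for user in effective_access(service) if user not in IDP_DIRECTORY}
```

Correlating the asset-side result against the IdP inventory is the step an IdP alone cannot perform, which is why the local AWS user and the external GitHub collaborator only surface here.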

We then assist in the remediation process without impacting ongoing operations.

Authomize enables your team to more effectively and efficiently remediate with surgical precision by:

  • Providing context with AI-based explanations, usage context, and general situational awareness
  • Contacting the appropriate line-of-business personnel to confirm changes and ensure a smooth remediation process
  • Automating the matching of incidents with responsible parties for follow-up, and integrating with your ITSM
  • Validating the fix to ensure your de facto access has returned to a secure state

Next steps for protecting your cloud identity and access

Despite all the challenges organizations face when it comes to their identity and access security, it seems we are on the right track.

More and more organizations are using IAM tools to manage their identities and access more efficiently.

Now security teams need to take the next step and make sure they are protecting those tools and their environments.

To learn more about how Authomize can help your organization protect its identity and access infrastructure, we invite you to schedule a meeting with us and request a demo of our platform.

The post Identity Threat Detection and Response Explained first appeared on Authomize.

*** This is a syndicated Security Bloggers Network blog from Authomize written by Gabriel Avner. Read the original post at:
