The Emergence of Identity Threat Detection and Response
Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally into IaaS, Saas, PaaS and CI/CD environments. Identity Threat Detection and Response solutions help organizations better detect suspicious or malicious activity in their environment. ITDR solutions give security teams the ability to help teams answer the question “What’s happening right now in my environment – what are my identities doing in my environments.”
Human and Non-Human Identities
As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities. Human identities entail the workforce (employees), guests (contractors), and vendors. Non-human identities include tokens, keys, service accounts, and bots. Multi- environment ITDR solutions can detect and respond to all identity entity risk for example from the IdP to the IaaS and SaaS layers, as opposed to securing identities in a fragmented layer-specific level.
Core ITDR Capabilities
The essential capabilities of an ITDR solution include:
- Developing a universal identity profile for all entities, including human and non-human identity, activity across cloud service layers and on-prem applications and services.
- Pairing static analysis, posture management, and configuration of those identities with the runtime activity of those identities in the environment.
- Monitoring and tracking direct and indirect access paths and monitoring the activity of all identities across the environment.
- Orchestrating multi-environment identity-tracking and detections that span identity providers, IaaS, PaaS, SaaS, and CI/CD applications to follow the identity wherever they go in the environment.
- Multi-environment high-fidelity detection and response that enables organizations to take action on identity threats as they manifest across the entire attack surface, rather than reacting to high-volume, atomic alerts based on single events.
For a full list of ITDR capabilities, you can access the full Identity Threat Detection and Response Solution Guide.
Identity Threat Use Cases
To effectively safeguard against identity attacks, organizations must choose an ITDR solution with advanced capabilities to detect and mitigate attacks. These capabilities should address a range of use cases for both human and non-human identities, including but not limited to:
- Account Takeover Detection: Detect any of the numerous variants that indicate an identity has been compromised.
- Credential Compromise Detection: Identify and alert on the use of stolen or compromised credentials within the environment.
- Privilege Escalation Detection: Detect unauthorized attempts to escalate privileges within systems and applications.
- Anomalous Behavior Detection: Monitor for deviations from normal user behavior that may indicate malicious activity.
- Insider Threat Detection: Identify and respond to malicious or negligent actions by internal users.
For a full list of identity threat use cases, you can access the full Identity Threat Detection and Response Solution Guide.
Questions an Effective ITDR Solution Should Answer
1. IDENTITY INVENTORY AND ACCESS MANAGEMENT
What entity identities are present in our environment?
- Comprehensive inventory of human and non-human identities across all environments.
What roles and permissions do these identities have?
- Details on roles, groups, and specific permissions each identity has across different cloud and on-premises environments.
What role/group gave a particular user access to a resource? What is the permission scope for that access?
- Specifics on roles/groups and permissions that grant access to resources.
2. RISK ASSESSMENT AND ANOMALY DETECTION
What are the top 10 riskiest identities across my cloud services layer? What would the blast radius be should one of those identities be compromised?
- Identification of the most at-risk identities and assessment of the potential impact of their compromise.
Are there any anomalies in identity behavior?
- Detection of deviations from normal behavior patterns for each identity, highlighting potential malicious activity.
Have any credentials been compromised?
- Alerts on the use of stolen or compromised credentials within the environment.
3. AUTHENTICATION AND ACCESS PATTERNS
How are identities being authenticated and accessed?
- Tracking authentication methods and access paths for all identities, including federated and non-federated access points.
What are the sources and locations of login attempts?
- Detailed logs of login attempts, including IP addresses, geographic locations, and device information.
How is my current environment being accessed by different types of entities (human and non-human)?
- Monitoring access patterns for different types of entities in the environment.
How broadly is MFA being enforced across the applications and cloud services layers in my environment?
- Assessment of the implementation and enforcement of Multi-Factor Authentication (MFA) across the environment.
4. ACTIVITY MONITORING AND CHANGE TRACKING
What changes were just made in my environment, who is responsible for those changes, and were similar changes made in other cloud services layers?
- Tracking and reporting recent changes, responsible users, and cross-layer consistency.
Which identities have accessed sensitive data or critical systems?
- Monitoring and reporting on identity access to sensitive data repositories, critical systems, and high-risk applications.
5. INCIDENT CORRELATION AND RESPONSE
How do identity-related incidents correlate across different environments?
- Correlation of identity activities and incidents across IdP, IaaS, PaaS, SaaS, CI/CD, and on-prem environments to provide a unified view.
What actions should be taken to mitigate identified threats?
- Actionable recommendations and automated response options to mitigate detected identity threats and prevent future incidents.
For a full list of questions, and business use cases, you can access the full Identity Threat Detection and Response Solution Guide.
