Identity threat detection and response (ITDR) is a security discipline for identifying, reducing, and responding to identity-based threats such as compromised user accounts, leaked passwords, data breaches, and fraudulent activity. Identity-based attacks pose serious threats to organizational security.
In this article, we’ll shed some light on ITDR, the security challenges it addresses, and how it compares with endpoint detection and response (EDR), a device-based security solution.
What Security Challenges Does ITDR Address?
Modern identity-based attacks pose a significant threat to organizations, often resulting in financial, legal, and reputational losses. Addressing them can be uniquely challenging.
Modern Attacks Are Faster and More Sophisticated
Malicious actors are increasing their repertoire of attacks to keep pace with advancing technology. The average speed, rate, and number of attack vectors for identity-based attacks are rising, leaving many organizations unprepared and vulnerable. The CrowdStrike 2023 Global Threat Report notes:
- Approximately 8 out of 10 attacks are estimated to involve stolen or compromised credentials. Stolen credentials allow attackers to move through a system laterally and remain undetected for longer.
- Twenty-five percent of attacks bypass standard security measures via unmanaged hosts — contractor laptops, rogue systems, legacy applications/protocols, or other parts of the supply chain outside of organizational control.
- The average breakout time for cybercriminals is only 84 minutes. However, organizations lacking the proper detection tools can take up to 250 days to detect an identity-based breach.
- Insider attacks affect approximately 34 percent of global businesses. These attacks are challenging to detect since traffic flowing within the confines of an organization doesn’t tend to be the primary focus of security policies and measures.
The Environment and Identity Landscape Have Become More Complex
Additionally, cloud technologies combined with remote work have significantly increased the complexity of attack surface management:
- The complexity of multi-cloud architecture and multiple identity stores makes it challenging to detect and defend against cyber attacks, reducing end-to-end visibility.
- Ninety percent of organizations still use Active Directory (AD) — legacy technology that’s vulnerable to attacks — to manage their identity infrastructure. Attackers can move laterally from on-prem to cloud infrastructure, making AD a viable target.
- Complex environments make it harder to perform regular user audits and identify potential gaps in identity stores.
As a result, organizations with poor visibility over their cloud environment are highly vulnerable.
ITDR solutions detect and respond to attacks by continuously monitoring user activity, detecting unusual behavior, and alerting security teams. ITDR solutions provide centralized visibility and control over all assigned user identities and privileges. They can also be integrated with existing identity and access management (IAM) tools to streamline and ease the complexity of user management in an ever-evolving environment.
ITDR versus EDR
ITDR and EDR are both solutions that provide value in detecting and preventing cyberattacks. However, they differ primarily in their points of focus.
ITDR monitors and analyzes user activity and access management logs, flagging any malicious activity. It collects data from multiple IAM sources, both on-prem and in the cloud. EDR, on the other hand, monitors and analyzes endpoint devices such as workstations and laptops; it therefore collects system logs and network traffic to detect malicious activity on an organization’s equipment.
ITDR and EDR complement each other, providing valuable insights during incident analysis. In a scenario where an attacker has gained access to your network through an endpoint device, an EDR solution would detect suspicious activity on that device. It is then critical to understand how the attacker gained access and whether the access resulted from leaked credentials.
Meanwhile, ITDR solutions provide deep insights into any potential identity-related threats. ITDR can quickly determine whether the credentials used in the malicious activity match those of authorized users. This level of visibility helps uncover the attack’s root cause and provides an opportunity to bolster your security measures to prevent similar incidents from occurring in the future.
Combining the capabilities of ITDR and EDR gives an organization a considerable boost in detecting and responding to sophisticated breaches and lateral movement attempts.
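The correlation described above, as an added example that is not part of the original article and not CrowdStrike's code: an EDR host alert is joined with identity telemetry aggregated from two stores (on-prem AD and a cloud IdP) for the same user, and the logons in the hour before the alert are compared with that user's historical baseline. A burst of failed logons followed by a success from an address the user has never logged in from before is reported as a likely credential-compromise root cause. All hosts, users, addresses and timestamps are constructed sample data, and the window and threshold values are assumptions chosen for the example.

```python
"""Correlate an EDR endpoint alert with identity (IAM) authentication events.

Added example with constructed data; not a vendor implementation.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed EDR alert: the endpoint agent flagged a credential-access behaviour on a host.
EDR_ALERT = {
    "ts": "2024-03-05T10:42:00Z",
    "host": "WS-0117",
    "user": "alice",
    "detail": "lsass.exe memory read by unsigned process",
}

# Constructed identity telemetry, already normalised to one schema from two stores
# ("ad" = on-prem Active Directory, "cloud" = cloud identity provider).
IDENTITY_EVENTS = [
    {"ts": "2024-02-20T09:01:00Z", "source": "ad",    "user": "alice", "ip": "10.1.4.22",   "result": "success"},
    {"ts": "2024-02-27T09:03:00Z", "source": "ad",    "user": "alice", "ip": "10.1.4.22",   "result": "success"},
    {"ts": "2024-02-20T08:55:00Z", "source": "ad",    "user": "bob",   "ip": "10.1.4.30",   "result": "success"},
    {"ts": "2024-03-05T10:30:00Z", "source": "cloud", "user": "alice", "ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-03-05T10:32:00Z", "source": "cloud", "user": "alice", "ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-03-05T10:34:00Z", "source": "cloud", "user": "alice", "ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-03-05T10:38:00Z", "source": "cloud", "user": "alice", "ip": "203.0.113.9", "result": "success"},
    {"ts": "2024-03-05T10:40:00Z", "source": "ad",    "user": "alice", "ip": "10.1.4.22",   "result": "success"},
    {"ts": "2024-03-05T10:35:00Z", "source": "ad",    "user": "bob",   "ip": "10.1.4.30",   "result": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alert, events, window_minutes=60, failure_threshold=3):
    """Return identity findings for the alerted user in the window before the alert.

    window_minutes and failure_threshold are assumed tuning values for this example.
    """
    alert_time = parse_ts(alert["ts"])
    window_start = alert_time - timedelta(minutes=window_minutes)
    user_events = [e for e in events if e["user"] == alert["user"]]

    # Baseline: addresses this user successfully authenticated from before the window.
    baseline_ips = {
        e["ip"] for e in user_events
        if e["result"] == "success" and parse_ts(e["ts"]) < window_start
    }
    # Events from any identity store that fall inside the look-back window.
    recent = [e for e in user_events if window_start <= parse_ts(e["ts"]) <= alert_time]

    findings = []
    # Signal 1: a burst of failures from one address (guessing or spraying pattern).
    failures = Counter(e["ip"] for e in recent if e["result"] == "failure")
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed logons from {ip} within {window_minutes} min")
    # Signal 2: a success from an address absent from the user's baseline.
    for e in recent:
        if e["result"] == "success" and e["ip"] not in baseline_ips:
            findings.append(f"successful {e['source']} logon from new IP {e['ip']} at {e['ts']}")

    return {
        "user": alert["user"],
        "host": alert["host"],
        "credential_compromise_suspected": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    result = correlate(EDR_ALERT, IDENTITY_EVENTS)
    print(f"{result['user']}@{result['host']}: suspected={result['credential_compromise_suspected']}")
    for line in result["findings"]:
        print("  -", line)
```

For the constructed data this reports two findings for alice (the failure burst and the success from 203.0.113.9), while an alert on bob's workstation produces none because his only recent logon comes from an address already in his baseline. The point is the join itself: neither telemetry stream alone explains the alert, and the baseline is what turns a logon record into a signal.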
Must-Haves for an ITDR Solution
The Gartner® Report: Top Trends in CyberSecurity 2022 identifies ITDR as a top security and risk management trend, highlighting growing concerns surrounding identity-based attacks that are constantly evolving. As a result, organizations wanting to protect themselves by detecting such attacks require a solution that will meet their needs.
With this in mind, let’s explore three essentials for any ITDR solution.
1. Continuous Visibility
Visibility and visualization are crucial to detecting identity-based threats. As a result, an ITDR solution must continuously aggregate data from multiple sources and perform threat analysis.
Flagging potential security threats from that data requires a combination of the following:
- Identity analytics
- Machine learning
- Behavioral analysis techniques
- Anomaly detection
Dashboards that support quick analysis also play a vital role in pinpointing potential threats.
2. Proactive Control
Identity-based threats can escalate quickly. Your ITDR system should be able to trigger an automated response to block access to the affected user account, alert security personnel, and initiate an investigation.
3. Risk-Based Control
Not all alerts generated by a security solution are useful. Alert fatigue has profound implications: it can delay response, or leave real threats lost in a backlog of similar alerts.
Your ITDR solution should be able to recognize false positives and prioritize according to the risk associated with each particular attack. It must also be intelligent enough to recognize the types of attacks regularly hitting the infrastructure and classify a threat level accordingly.
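The three essentials above, combined in one added example that is not part of the original article and not CrowdStrike's code: events normalised from several identity sources are scored against per-user baselines (continuous visibility and anomaly detection), a known-benign service-account pattern is suppressed as a false positive, accounts are ranked by accumulated risk with privileged accounts weighted higher (risk-based control), and each severity tier maps to automated response actions (proactive control). The users, addresses, baselines, signal weights and thresholds are all constructed or assumed values for the example.

```python
"""Risk-based identity triage: aggregate, score, suppress, prioritise, respond.

Added example with constructed data; not a vendor implementation.
"""

# Constructed: accounts treated as privileged, and a known-benign pattern (a monitoring
# system that authenticates with a service account from one fixed address).
PRIVILEGED = {"dadmin"}
KNOWN_BENIGN = {("svc-monitor", "10.9.0.5")}

# Constructed events normalised from different stores ("ad", "cloud", "vpn").
EVENTS = [
    {"user": "carol",  "src": "vpn",   "ip": "198.51.100.4", "country": "DE", "hour": 3,  "action": "logon",        "mfa": True},
    {"user": "carol",  "src": "cloud", "ip": "198.51.100.4", "country": "DE", "hour": 3,  "action": "mfa_disabled", "mfa": False},
    {"user": "dadmin", "src": "ad",    "ip": "10.1.7.8",     "country": "US", "hour": 23, "action": "group_add:Domain Admins", "mfa": True},
    {"user": "erin",   "src": "ad",    "ip": "10.1.2.3",     "country": "CA", "hour": 10, "action": "logon",        "mfa": True},
    {"user": "svc-monitor", "src": "ad", "ip": "10.9.0.5",   "country": "US", "hour": 2,  "action": "logon",        "mfa": False},
]

# Constructed per-user baselines: countries and working hours seen historically.
BASELINE = {
    "carol":       {"countries": {"US"}, "hours": range(7, 20)},
    "dadmin":      {"countries": {"US"}, "hours": range(8, 19)},
    "erin":        {"countries": {"US"}, "hours": range(8, 18)},
    "svc-monitor": {"countries": {"US"}, "hours": range(0, 24)},
}

# Assumed signal weights; a real deployment would tune these from observed attack types.
WEIGHTS = {
    "new_country": 30,
    "off_hours": 15,
    "mfa_disabled": 35,
    "privileged_group_change": 40,
    "no_mfa": 10,
}
PRIVILEGED_MULTIPLIER = 1.5  # assumed: the same behaviour is riskier on an admin account


def score_event(ev):
    """Return (score, reasons) for one event judged against the user's baseline."""
    base = BASELINE.get(ev["user"], {"countries": set(), "hours": range(0, 24)})
    reasons = []
    if ev["country"] not in base["countries"]:
        reasons.append("new_country")
    if ev["hour"] not in base["hours"]:
        reasons.append("off_hours")
    if ev["action"] == "mfa_disabled":
        reasons.append("mfa_disabled")
    if ev["action"].startswith("group_add:") and "Admins" in ev["action"]:
        reasons.append("privileged_group_change")
    if ev["action"] == "logon" and not ev["mfa"]:
        reasons.append("no_mfa")
    score = sum(WEIGHTS[r] for r in reasons)
    if ev["user"] in PRIVILEGED:
        score = int(score * PRIVILEGED_MULTIPLIER)
    return score, reasons


def triage(events, high=60, medium=30):
    """Aggregate risk per user, drop known-benign events, rank, and attach response actions.

    The high/medium thresholds are assumed values for the example.
    """
    per_user = {}
    for ev in events:
        if (ev["user"], ev["ip"]) in KNOWN_BENIGN:
            continue  # suppress a recognised false positive before it reaches an analyst
        score, reasons = score_event(ev)
        entry = per_user.setdefault(ev["user"], {"user": ev["user"], "score": 0, "reasons": [], "sources": set()})
        entry["score"] += score
        entry["reasons"].extend(reasons)
        entry["sources"].add(ev["src"])

    alerts = []
    for entry in per_user.values():
        if entry["score"] >= high:
            entry["severity"] = "high"
            entry["actions"] = ["disable_account", "revoke_sessions", "page_oncall", "open_case"]
        elif entry["score"] >= medium:
            entry["severity"] = "medium"
            entry["actions"] = ["require_mfa_reauth", "notify_soc"]
        else:
            entry["severity"] = "low"
            entry["actions"] = []
        alerts.append(entry)
    # Highest accumulated risk first, so the queue is ordered by what to work on now.
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['severity']:6} {a['score']:4} {a['user']:12} sources={sorted(a['sources'])} actions={a['actions']}")
```

With the constructed data, carol's VPN logon and cloud MFA change from an unseen country at 03:00 accumulate to the top of the queue and trigger containment, the domain admin's late-night group change is weighted up to the same tier, erin's daytime logon from a new country lands in the medium tier with a step-up rather than a lockout, and the monitoring service account never generates an alert at all.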
The CrowdStrike Approach
The CrowdStrike Falcon® platform acts as a single threat interface, providing a comprehensive view of threats across endpoints and identities. This unified approach orchestrates real-time, automated, and policy-based responses across endpoints and identities that standalone tools don’t tend to offer. By unifying endpoint and identity telemetry, the platform correlates threats in real time, combining threat intelligence with knowledge of adversary tradecraft.
With complete visibility into attack paths, CrowdStrike covers all aspects of the adversary toolkit — including malware delivery, fileless attacks, stolen credentials, and compromised identity.
CrowdStrike has created a cloud-native solution with a single sensor that is deployable anywhere in the customer environment, vastly simplifying telemetry collection (from endpoint or identity). CrowdStrike can also combine ITDR with Cloud Infrastructure Entitlement Management (CIEM) to secure identity fabric by providing centralized visibility and control across cloud environments.