Do we need ITDR?

There is a common question among CISOs, security practitioners, and IAM engineers: “Do we need this new product category, ITDR (Identity Threat Detection and Response)?” I know, we already have so many identity products purchased and implemented: IdP (Identity Provider), IGA (Identity Governance and Administration), PAM (Privileged Access Management), CIEM (Cloud Infrastructure Entitlement Management), SSO (Single Sign-On), and so on. So what is this new ITDR? In this article, I cover what ITDR is and my observations of the current trends in infrastructure and the cyber security threat landscape. I will also give my take on the question, “Do we need ITDR?”

Current Trends

  1. Organizations have already moved to the cloud or are currently moving to the cloud; some have decided to run workloads on a hybrid cloud or to distribute them across different providers. This brings challenges in managing both workforce and machine identities.
  2. Zero trust principles have been accepted by organizations following the rule “Never trust, always verify,” where identity verification matters more than network location. As a result, bad actors have recently been targeting identity as an attack vector.
  3. Haven't you heard this already? “Attackers don’t hack; they log in.” It is true: recent breaches have happened because they involved a human element, such as social engineering or misconfiguration.
  4. As IT infrastructure has become more complex, there is a high chance of misconfiguration, and a misconfiguration can turn into a vulnerability.
  5. About 90% of attacks in 2023 targeted the identity infrastructure, and in some of them attackers bypassed identity security controls.
  6. There is a massive proliferation of applications and identities in both cloud and on-prem environments.
  7. Organizations have started adopting an identity-first approach as part of zero trust. Cybersecurity has shifted its focus from network controls to identity controls, and VPNs are being decommissioned.
  8. Traditionally, IAM was managed by IT teams or a separate IAM team inside an organization; today, security teams also focus on IAM misconfigurations.
  9. Traditionally, applications (non-human identities) relied on network firewall rules to communicate with applications outside their environment. Today, applications also use their own identity to connect to another environment.

What is ITDR?

Identity Threat Detection and Response (ITDR) is a cybersecurity approach that detects and responds to threats and attacks against the identity infrastructure. It aims to protect against account takeover, unauthorized access, lateral movement, impersonation, and identity compromise by detecting suspicious behavior across environments: it analyzes identity logs and user behavior from access management systems such as IdP, IGA, MFA, and PAM platforms, and correlates them with network and device data. Okay, I guess most of us now have this question: “Is it similar to EDR, XDR, and NDR?” Yes, in approach, but EDR, NDR, and XDR focus on devices, endpoints, networks, cloud, and apps, whereas ITDR focuses on identity security. Gartner introduced ITDR in its 2022 “Top Security and Risk Management Trends” release.

Do we need ITDR?

We have discussed the latest trends in IT/cloud infrastructure and the cybersecurity threat landscape, and what ITDR is meant to do. Now we can use an analogy to understand the situation by comparing getting a driver's license with authenticating to a system. Once individuals get their license, they can drive, but they must follow the rules of the road. There are patrol officers and police who find out if someone doesn't follow those rules or doesn't have a license. Similarly, authentication is just the front door. We still have to monitor for suspicious user behavior in real time, such as brute-force login attempts, unusual login hours, logins from untrusted devices, and so on.

Let's be practical. We security practitioners strive hard to achieve least privilege and avoid any misconfiguration. Still, there is always some chance of misconfiguring an element of the identity system or assigning extra permissions to an individual. We need to find out whether someone is taking advantage of those misconfigurations. To tackle this problem, there is a massive need for a more data-analytic approach that correlates identity activity with asset inventory, devices, network, and cloud data. Please note that ITDR is another add-on to the identity stack; it does not replace IGA, MFA, PAM, or identity providers.
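To make the two preceding points concrete (real-time detection of brute-force attempts, off-hours logins and untrusted devices, and correlating sign-in events with a device inventory), here is a small detection routine added to this article; it is not code from any ITDR product. The JSON-lines sign-in events, the device inventory, the business-hours window and the failure threshold are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed IdP sign-in events in JSON-lines form; not real data.
SAMPLE_LOG = """\
{"ts":"2024-03-04T02:10:00Z","user":"alice","result":"FAILURE","device":"unknown-1"}
{"ts":"2024-03-04T02:11:00Z","user":"alice","result":"FAILURE","device":"unknown-1"}
{"ts":"2024-03-04T02:12:00Z","user":"alice","result":"FAILURE","device":"unknown-1"}
{"ts":"2024-03-04T02:13:00Z","user":"alice","result":"FAILURE","device":"unknown-1"}
{"ts":"2024-03-04T02:14:00Z","user":"alice","result":"FAILURE","device":"unknown-1"}
{"ts":"2024-03-04T02:15:00Z","user":"alice","result":"SUCCESS","device":"unknown-1"}
{"ts":"2024-03-04T10:00:00Z","user":"bob","result":"SUCCESS","device":"laptop-b7"}
"""

# Constructed device inventory: the asset data the sign-ins are correlated with.
TRUSTED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
BUSINESS_HOURS = range(8, 19)   # assumed window 08:00-18:59 UTC
FAIL_THRESHOLD = 5              # consecutive failures treated as brute force

def parse_events(text):
    # Parse one JSON object per line and turn "ts" into an aware datetime.
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events

def detect(events):
    # Returns (user, finding, timestamp) tuples in chronological order.
    findings = []
    consecutive_fails = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, when = e["user"], e["ts"].isoformat()
        if e["result"] == "FAILURE":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == FAIL_THRESHOLD:
                findings.append((user, "brute_force", when))
            continue
        # A success right after a burst of failures is the highest-value signal.
        if consecutive_fails[user] >= FAIL_THRESHOLD:
            findings.append((user, "success_after_brute_force", when))
        consecutive_fails[user] = 0
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours_login", when))
        if e["device"] not in TRUSTED_DEVICES.get(user, set()):
            findings.append((user, "untrusted_device", when))
    return findings
```

Running `detect(parse_events(SAMPLE_LOG))` flags alice four times (brute force, success after brute force, off-hours login, untrusted device) and bob not at all; in practice the counter would be windowed by time and the inventory would come from the device management system rather than a literal.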

Conclusion

As organizations move to the zero-trust model, identity security becomes crucial, and it is complex to achieve with traditional tools and frameworks. ITDR helps secure identity, the most vulnerable attack vector, and benefits security practitioners and SOC analysts in detecting and responding to threats and attacks. It is critical for an organization to protect against and respond to this new generation of cyber attacks.

Author Bio

Nivathan Athiganoor Somasundharam is a seasoned Cybersecurity professional focused on DevSecOps and Identity Security. Nivathan is passionate about building and evangelizing DevSecOps and cyber security solutions.