Identity Threat Detection and Response (ITDR)

Whether you refer to ITDR as a solution, a discipline, or a security category, it isn’t a single tool or technology. ITDR brings together security products, processes, and leading practices.

What is ITDR?

In 2022, Gartner coined the term “identity threat detection and response” (ITDR) and listed it among seven top security and risk management trends. At the time, the analyst firm described ITDR as “the collection of tools and best practices to defend identity systems.”

Let’s expand on that definition a bit. Whether you refer to ITDR as a solution, a discipline, or a security category, it isn’t a single tool or technology. Instead, ITDR brings together security products, processes, and leading practices. The goal is to protect user identities (human, machine, service account, etc.) and identity-based systems from cyber threats like account compromises, data breaches, and leaked passwords.

ITDR solutions provide deep insights into potential identity-related threats. They detect matches between credentials used in malicious activity and those of authorized users. This level of visibility helps uncover an attack’s root cause to guide security improvements and fixes.

To quickly detect and respond to identity-centric attacks, ITDR uses technologies like artificial intelligence (AI) and machine learning (ML), and resources like threat intelligence. Besides continuously monitoring user activity, identifying unusual behaviors, mapping them to known threats, and alerting security teams, ITDR adds an extra layer of security to identity and access management (IAM) systems. It also supports zero trust principles.

In short, ITDR is part of a robust defense-in-depth strategy.

ITDR has emerged as a response to the rise in distributed identities beyond the traditional network perimeter as a result of cloud migration and remote and third-party workforces. In fact, it has been called the new security perimeter, designed to thwart malicious actors who can now carry out identity-based attacks without breaching the network.

According to Markets and Markets, the global ITDR space is expected to surge from $12.8 billion in 2024 to $35 billion in 2029. Hurdles facing ITDR adoption include cost and integration challenges.

ITDR versus EDR

ITDR and endpoint detection and response (EDR) solutions complement each other by focusing on different aspects of threat protection. EDR tools collect, analyze, and respond to threat-related information about endpoints such as mobile devices, laptops, workstations, and servers. In addition to identifying suspicious activity on endpoints, EDR solutions generate alerts for security teams.

In many cases, traditional EDR solutions are being replaced by extended detection and response (XDR). XDR goes beyond endpoint protection by analyzing data from multiple sources, such as SIEM, user and entity behavior analytics (UEBA), and network detection and response (NDR) products, as well as EDR tools.

In contrast to EDR/XDR, ITDR focuses on monitoring attack surfaces to protect against identity-based attacks. ITDR solutions collect data from multiple identity and access sources, monitor and analyze user activity and access management logs, and flag malicious activity.

In brief, EDR/XDR solutions address individual devices on the periphery of an organization’s IT system, while ITDR solutions specialize in the core identity system across platforms, environments, and processes, including user authentication, permission granting, and privilege escalation. While different, they both deliver value in detecting threats and preventing cyberattacks, particularly those involving lateral movement and emerging TTPs.

What Security Challenges Does ITDR Address?

As identity has become a top vector for attacks, threats have increased. This trend is being fueled by exponential growth in the number and types of users, devices, and environments, including public, private, and hybrid clouds. Identity expansion is also creating a larger, more vulnerable attack surface.

Various solutions, from IAM to security information and event management (SIEM), tackle different aspects of the identity security landscape. So, which specific challenges does ITDR address?

Cyberthreat landscape changes

  • Rise in identity-based attacks. According to the 2024 Verizon Data Breach report, over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches. Further, the report found stolen credentials were the initial action in 24% of breaches.
  • New TTPs. As major attack targets, misconfigured, unmanaged, and exposed identities have inevitably led threat actors to leverage many types of tactics, techniques, and procedures (TTPs). Common identity-focused methods include credential stuffing, account takeovers, insider threats, phishing, and social engineering.
  • Increasing complexity of attacks. Defending against identity-based attacks is becoming highly complicated due to an expanding attack surface, the proliferation of new TTPs, and the tendency of attackers to split up their activities among systems and environments so it’s hard to connect the dots.

Technology challenges

  • Multiple identity platforms. The use of two or more platforms, common in the cloud era, also complicates defense. For example, most organizations use Microsoft Active Directory, but its structure, controls, auditing, and threat signals differ from those of Azure Active Directory in the cloud.
  • Gap between IAM and security tools. While IAM provides deep visibility into an account belonging to an identity, these tools can’t see the full picture of how this information relates to the identity’s access, entitlements, and privileges. In contrast, tools like SIEM and security orchestration, automation, and response (SOAR) provide broad visibility into identity events across the environment but lack depth.

ITDR bridges this gap by combining threat intelligence, detection, investigation, and response in one discipline.

Organizational limitations

  • Limited visibility. Attackers take advantage of organizations’ lack of visibility into identities across different IT environments (particularly cloud, multi-cloud, and hybrid cloud) and personal and other unmanaged devices. Even when an identity is known, security teams may not fully understand which access rights, privileges, and entitlements are associated with it. Therefore, it’s unclear which users present the greatest security risks.
  • Insufficient or ineffective monitoring. Without robust, continuous monitoring across all environments and systems, organizations may fail to detect suspicious activities such as unusual login times, multiple failed login attempts, access from unrecognized devices or locations, or changes in user permissions.
  • Inconsistent policy enforcement. Strong security policies are only as effective as the uniformity of their enforcement. Roadblocks to consistent, enterprise-wide enforcement include differences between legacy and cloud systems that make it unfeasible to implement the same protections in both environments. Also, teams may be unable to enforce policies on unmanaged devices.

Must-Haves for an ITDR Solution

When building an ITDR solution – remember, it’s not a single product – you should ensure that it offers the following:

Features

  • Real-time, continuous monitoring. An ITDR solution should provide 24/7 visibility into all aspects of an organization’s identity infrastructure, such as user accounts (human, machine, service), passwords, access control lists, and single sign-on tools. Besides providing a comprehensive view, effective ITDR aggregates all identity-related signals.
  • Automated threat detection. The solution should use behavior analysis and machine learning algorithms and incorporate threat intelligence feeds. Using these resources, the ITDR system can learn what is normal behavior for a given identity, and flag any deviations, such as identity-based anomalies, suspicious activity like failed logins and unauthorized access, and other potential threats.

Functionality

  • Recognition of false positives. Given that security teams are often overwhelmed with the process of investigating alerts from tools like IAM and SIEM, an ITDR solution should help reduce the burden by distinguishing false positives from threats.
  • Risk scoring and prioritization. An effective ITDR solution should be able to perform an identity security assessment of each threat and generate a score based on various indicators. This score can help security teams quantify and prioritize identity risks.
  • Automated response. Based on threat identification and risk analysis, the system can then determine – and trigger – the most appropriate response, such as quarantining or disabling affected accounts, alerting security teams, or escalating the threat to incident responders.
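To make the monitoring, detection, scoring, and response pipeline described above concrete, here is a small Python sketch added to this page as an illustration. It is not code from the original page or from any ITDR vendor. It runs the checks named under "Insufficient or ineffective monitoring" (off-hours logins, bursts of failed attempts, access from unrecognized devices or locations, permission changes) over a handful of constructed sign-in events, sums the triggered indicators into a per-identity risk score, and maps that score to a graduated response. The per-identity baselines, indicator weights, thresholds, and response tiers are all assumptions chosen for the example, not a standard.

```python
"""Toy ITDR-style detection, scoring and response over constructed sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mimic a typical
# identity-provider sign-in log: who, when, from where, on which device, outcome.
SAMPLE_EVENTS = [
    # alice: normal daytime logins from her known laptop
    {"user": "alice", "ts": "2024-05-01T09:05:00", "country": "US", "device": "laptop-01", "event": "login", "result": "success"},
    {"user": "alice", "ts": "2024-05-01T13:20:00", "country": "US", "device": "laptop-01", "event": "login", "result": "success"},
    # alice: 03:10 burst of failures from an unknown device abroad, then a success and a role change
    {"user": "alice", "ts": "2024-05-02T03:10:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "failure"},
    {"user": "alice", "ts": "2024-05-02T03:11:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "failure"},
    {"user": "alice", "ts": "2024-05-02T03:12:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "failure"},
    {"user": "alice", "ts": "2024-05-02T03:13:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "failure"},
    {"user": "alice", "ts": "2024-05-02T03:14:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "failure"},
    {"user": "alice", "ts": "2024-05-02T03:15:00", "country": "RO", "device": "unknown-77", "event": "login", "result": "success"},
    {"user": "alice", "ts": "2024-05-02T03:16:00", "country": "RO", "device": "unknown-77", "event": "permission_change", "result": "success"},
    # bob: one mistyped password during the day from his usual desktop, then success
    {"user": "bob", "ts": "2024-05-01T10:00:00", "country": "CA", "device": "desktop-02", "event": "login", "result": "failure"},
    {"user": "bob", "ts": "2024-05-01T10:00:30", "country": "CA", "device": "desktop-02", "event": "login", "result": "success"},
]

# Assumed per-identity baselines ("normal behavior" an ITDR system would learn):
# working hours as [start, end), and the countries and devices seen before.
BASELINES = {
    "alice": {"hours": (8, 18), "countries": {"US"}, "devices": {"laptop-01"}},
    "bob": {"hours": (8, 18), "countries": {"US", "CA"}, "devices": {"desktop-02"}},
}

# Illustrative indicator weights; a real deployment would tune these.
WEIGHTS = {"off_hours": 2, "unknown_country": 3, "unknown_device": 3,
           "burst_failures": 4, "permission_change": 5}


def detect(events, baselines, fail_threshold=5, window=timedelta(minutes=10)):
    """Map every identity in the baseline to the sorted list of indicators it triggered."""
    findings = {user: set() for user in baselines}
    failures = defaultdict(list)  # user -> timestamps of failed logins inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        base = baselines[user]
        start, end = base["hours"]
        if not start <= ts.hour < end:
            findings[user].add("off_hours")
        if e["country"] not in base["countries"]:
            findings[user].add("unknown_country")
        if e["device"] not in base["devices"]:
            findings[user].add("unknown_device")
        if e["event"] == "permission_change":
            findings[user].add("permission_change")
        if e["event"] == "login" and e["result"] == "failure":
            # Keep only failures within the sliding window; a single typo never trips this.
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) >= fail_threshold:
                findings[user].add("burst_failures")
    return {user: sorted(inds) for user, inds in findings.items()}


def score(indicators):
    """Risk score: sum of the weights of the distinct indicators seen for one identity."""
    return sum(WEIGHTS[i] for i in indicators)


def respond(risk):
    """Map a risk score to the graduated responses the page lists (assumed tiers)."""
    if risk >= 10:
        return "disable_account_and_escalate"
    if risk >= 5:
        return "alert_security_team"
    return "log_only"


def triage(events, baselines):
    """Full pipeline: detect -> score -> respond, per identity."""
    result = {}
    for user, indicators in detect(events, baselines).items():
        risk = score(indicators)
        result[user] = (risk, respond(risk), indicators)
    return result


if __name__ == "__main__":
    for user, (risk, action, indicators) in triage(SAMPLE_EVENTS, BASELINES).items():
        print(f"{user}: risk={risk} action={action} indicators={indicators}")
```

Running it shows alice accumulating every indicator (off-hours, foreign country, unknown device, a burst of five failures, and a permission change right after the first success) and landing in the "disable and escalate" tier, while bob's single daytime mistyped password from his usual desktop produces no indicators at all. That second outcome is the false-positive point from the Functionality list: the sliding window and threshold mean one failed login never becomes an alert on its own.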

Additional capabilities

  • Forensics. An ITDR solution’s ability to store and analyze historical data can help in forensic investigations after a security incident.
  • Integration with security tools. An ITDR solution should work well with IAM and privileged access management (PAM) solutions. Integration with SIEM, SOAR, and EDR/XDR helps stop or contain identity attacks in real time.