For the best web experience, please use IE11+, Chrome, Firefox, or Safari

Identity Threat Detection and Response (ITDR) explained

What is Identity Threat Detection and Response (ITDR)?

ITDR is an approach to protecting the integrity of your identity systems in an era when identity has become a basic business need and the new network perimeter. The controls, threat intelligence and processes in Identity Threat Detection and Response enable you to detect and respond to identity threats that elude the protection provided by your identity and access management (IAM) tools.


Why is ITDR important? What security challenges does it address?

Your identity systems are designed for prevention and built around tools like IAM, privileged access management (PAM) and identity governance and administration (IGA) to stop illicit network access. They strengthen account hygiene and keep you ahead of attackers by exposing and mitigating misconfigurations. They identify and apply additional prevention to protect your business-critical assets.

Identity systems are part of your competitive advantage, making collaboration possible among your employees, customers and business partners. No wonder those systems have become ripe targets for cybercriminals attempting to steal credentials (usernames and passwords), thwart multifactor authentication (MFA) and undermine prevention outright.

Identity Threat Detection and Response reinforces your up-front prevention with detection – continuous monitoring of factors like indicators of compromise (IOC) and user behavior analytics (UBA). When a threat is identified, ITDR processes and tools apply a response aimed at neutralizing it, mitigating the risk of breach and providing for recovery back to a known good state.


How do organizations solve the problem of identity-related risk today?

Most organizations rely on IAM tools to control and authenticate who has secure access to their data. The vast majority of enterprises rely on Active Directory as a mainstay of their IAM effort, both on premises and in the cloud. They understand IAM and its preventive value, but the security perimeter (and the target of threat actors) is shifting to identity, and a re-focusing is in order.

The landscape of identity threats is evolving to include generative AI in phishing techniques, dark-web marketplaces for stolen credentials and an attack surface encompassing IoT devices. IAM tools are overwhelmed as identity threats grow more sophisticated. You can think of your infrastructure security controls as your backstop, but they are not designed to protect identity systems.

In short, your prevention tools may be good, but they are only the first line of defense for your identity systems. Robust security comes from reinforcing them with Identity Threat Detection and Response.

According to Gartner, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure” (Teixeira, Firstbrook, Allan and Archambault, 2022, p. 3).

In the framework of the Center for Internet Security’s Critical Security Controls (CIS Controls), Identity Threat Detection and Response deals with account monitoring and control (Control 16) and maintenance, monitoring and analysis of audit logs (Control 6). In the NIST Cybersecurity Framework published by the U.S. National Institute of Standards and Technology, ITDR supports three aspects: detect, respond and recover.

Identity Threat Detection and Response (ITDR) explained

What is NDR?

Network Detection and Response (NDR) focuses on finding and stopping abnormal behavior in network traffic, which has long been the main focus of enterprise security. NDR includes firewalls and deep packet inspection to keep attackers out by continuously analyzing raw network packets or traffic metadata in search of anomalous behavior. It is designed to detect the results of a data breach, such as ransomware, insider threats and lateral movement within the network.

NDR relates to malware defenses (CIS Control 8) and implementing a security awareness and training program (Control 17). In the NIST Framework, NDR supports three aspects: protect, detect and respond.


What is EDR?

Endpoint Detection and Response (EDR) corresponds to the growth in computing on endpoints (workstations, laptops, tablets, mobile devices), especially outside of the network perimeter. As attacks on endpoints have increased, EDR has emerged as an approach for defending against security threats by monitoring and analyzing the activity of the organization’s endpoints. It detects when threats have been identified; provides investigation, response and alerts; and retains endpoint data for historical analysis and threat hunting.

EDR supports the limitation and control of network ports, protocols and services (CIS Control 9) and boundary defense (Control 12). In the NIST Framework, EDR covers two aspects: detect and respond.


What is XDR?

Extended detection and response (XDR) is focused on security incident detection and automated response across the infrastructure. XDR tools integrate cyber threat intelligence and telemetry data from multiple sources. They turn the data into security analytics that help security operations center (SOC) and incident response teams see security alerts in context and connect the dots among them. The tools are also capable of automating responses to threats according to playbooks.

XDR covers controlled use of administrative privileges (CIS Control 4), malware defenses (Control 8) and application software security (Control 18). In the NIST Framework, XDR deals with two aspects: detect and respond. 


What is Active Directory Threat Detection and Response (AD TDR)?

AD is the centerpiece of the identity system in many enterprises. As such, it is continually used as an attack vector both in the data center and to move to the cloud or Microsoft 365 for greater access.

AD TDR is focused on defending against threats to AD, for example by using a platform-specific tool to detect and send alerts on the misuse of the AD Group Policy infrastructure. Attackers try to exploit Group Policy because of its systems management capability inside the AD identity platform. AD TDR detects changes to Group Policy Objects and any affected identities, then responds according to an identity threat playbook or by notifying security teams.   It protects the secure operation of AD as an integral part of the enterprise identity infrastructure.

As Gartner notes, “AD TDR tools fulfill this mission by applying threat intelligence, behavioral signatures, heuristics, statistical analysis, analyses of known tactics, techniques and procedures (TTPs) and machine learning algorithms to discover indicators of exposure and indicators of compromise in Active Directory.”


How are they all related: ITDR, NDR, EDR, XDR and AD TDR?

The greatest threat lies in what you fail to detect and how swiftly you respond. Hence, the focus on *DR disciplines.

Like a medieval kingdom, your network has an ever-expanding perimeter, and it continually faces threats that are often disguised.

  • Extended Detection and Response provides an integrated, overarching view of threats, analogous to the intelligence gathered by the kingdom’s spy network.
  • Endpoint Detection and Response guards the endpoints – the gates through which digital marauders are trying to pass.
  • Network Detection and Response watches over network traffic, seeking out unusual patterns that signal danger and monitoring who is coming and going within the kingdom’s borders.
  • Identity Threat Detection and Response protects identities – the keys by which the kingdom knows who belongs there – which are the best way to do the most damage, as cyber adversaries have discovered.
  • Active Directory Threat Detection and Response reinforces protection of the kingdom’s main repository of identity and authentication, whose existence attackers know about and which they work hard to penetrate.

The *DR disciplines underpin a comprehensive set of tools, designed to address the multifaceted attack vectors confronting your cloud-based organization. The disciplines draw upon principles from areas like risk management, business continuity planning, emergency response protocols, physical security, intelligence/counterintelligence and military tactics and strategy.


What are best practices to identify, detect and respond to identity system attacks?

As organizations make it easier for employees, customers and business partners to access their data from anywhere with any device, identity becomes the new perimeter – the key to that access. As a result, attacks on users’ identities and on the identity systems themselves have increased in frequency and force.

Enterprises that subscribe to Identity Threat Detection and Response effectively give identity its own security discipline based on prevention, detection and response:

  • Prevention – Taking stock of the IAM controls they already have in place, these organizations apply configuration hygiene and controls to lock down critical assets. They strengthen their identity security by rooting out misconfigurations and changes to IAM settings, patching vulnerabilities as they are discovered and minimizing exposure by shrinking their attack surface.
  • Detection – They strengthen their detection controls around identity, emphasizing identity tactics, techniques and procedures (TTPs) in particular.
  • Response – They ensure that IAM enforcement is included in their response playbooks and in automating the processes of eliminating any identity threats as they are detected. They include IAM incidents in their ongoing efforts to hunt for threats.

Implement ITDR Today

Learn how you can prevent, detect and respond to threats quickly and seamlessly with Security Guardian