Delinea | Privileged Access Management Blog

Identity Threat Detection and Response Explained

Written by Phil Calvin | Jan 19, 2024 1:00:00 PM

In March 2022, Gartner analysts dropped us some breadcrumbs on an emerging new category that they are calling “Identity Threat Detection and Response” (ITDR).

Citing it in their “Top Security and Risk Management Trends for 2022” release, the analysts told us that they introduced the term “to describe the collection of tools and best practices to defend identity systems.”

The reason for the new category that they cite is the marked rise in active targeting of Identity and Access Management (IAM) infrastructure by sophisticated threat actors, as well as the fact that credential misuse is “a primary threat attack vector.”

In this post, we will attempt to:

  • Understand what has changed in the security environment that has spurred the creation of this new category.
  • Reexamine a couple of our prior assumptions about identity and access security.
  • Define as best we can what ITDR is and what problems it is looking to solve.
  • Lay out Delinea’s approach to ITDR with a breakdown of how our solution fits the bill.

Identity and access are under attack

Even before the pandemic, the identity and access layers were already under threat, especially given the transition from on-prem to the cloud, where identity is both the key to accessing an organization’s assets and the perimeter protecting those assets. Taking control of identities with privileged access gives attackers the keys to the kingdom, along with all of the crown jewels that they can reach with those privileges.

Attacks on the identity layer have only increased in the past two years, given the move to remote and cloud work, with the Verizon Data Breach Investigations Report for 2021 telling us that 80% of breaches involve privileged credentials.

The threat to identities has led to a blooming field of IAM (IGA, PAM, CIEM, CSPM, SSPM, etc. ad infinitum) and authentication tools like MFA and SSO, all aimed at managing our identities more effectively and reducing the chances of compromised credentials being used against us.

All of these factors and developments are important, but none of them are particularly new.

Reexamining our assumptions on IAM

What is new is the recognition that these IAM tools are identity and access infrastructure and not security.

Moreover, Gartner explicitly tells us that “Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure” and that we need to develop ways to protect that infrastructure.

The analysts go a step further in their critique of the current landscape.

“Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure,” said Peter Firstbrook, Research Vice President at Gartner, as quoted in the report.

What he is saying is that while we have done a better job at putting tools into place aimed at acting more securely with our identities and access, with tools like authentication, attackers are finding ways to undermine those systems and use them as their avenue to reach deep inside their targets.

Malicious actors have the ability to use our identity and access infrastructure against us. IAM tools can be incredibly powerful and useful. But they can also be a single point of failure if they are compromised. A basic principle of security tells us that we should not have the same system that's managing the infrastructure be the one monitoring that it is working securely.

Think of it like a Segregation of Duties for your identity and access security.

What is needed is a solution that actually secures our infrastructure and ensures that it continues to operate correctly. This is where ITDR steps up into the limelight.

Defining ITDR

Going back to Firstbrook’s description of ITDR as “the collection of tools and best practices to defend identity systems,” we understand that this segment is still in its early days.

What we do know is what ITDR is looking to solve for and what it needs to do to get us there.

The challenge

A major flaw in IAM tools is they have limited visibility.

An identity provider (IdP) like Okta, for example, will only see the identities that are in its directory. If you are only tracking identities from the IdP side, then you are only seeing half of the picture from an access privilege POV.

What about looking at the asset side of the equation to see who has access privileges to them? There may be local IAM users in your AWS account, or, in the case of GitHub with its Bring Your Own Identity model, internal or external users with access to your repos that you simply do not know are there.

Access privileges answer the question of what an identity, human or machine, can do once it has been authenticated. Which assets can it access? What level of access (read, write, admin, etc.) will it have?

These access privileges are the relationship between the identity and the apps and services where the identity interacts with their assets. Understanding who has access to what and how they are using those privileges is critical to operating securely.
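The visibility gap described above, the IdP knowing only its own directory while local cloud accounts and BYOI collaborators hold access on the asset side, can be checked by pulling both views and reconciling them. The following is an added example, not Delinea's code and not any IdP's or cloud provider's API; the IdP export, the AWS IAM user list and the GitHub collaborator list are constructed sample data standing in for what the real inventories would return.

```python
"""Reconcile asset-side access with the IdP directory (added example, constructed data).

Finds identities that hold access on an asset but are invisible or stale from the IdP's
point of view: local accounts with no IdP mapping, identities the IdP has never heard of,
and identities the IdP has already deprovisioned but that still have access.
"""
from collections import defaultdict
from dataclasses import dataclass


# Constructed IdP directory export (what an Okta-style IdP would know about).
IDP_USERS = {
    "alice@example.com": {"status": "ACTIVE"},
    "bob@example.com": {"status": "ACTIVE"},
    "carol@example.com": {"status": "DEPROVISIONED"},
}

# Constructed asset-side inventory: local (non-federated) AWS IAM users.
AWS_IAM_USERS = [
    {"user": "alice", "email": "alice@example.com", "policies": ["AdministratorAccess"]},
    {"user": "ci-deployer", "email": None, "policies": ["AmazonS3FullAccess"]},
    {"user": "carol", "email": "carol@example.com", "policies": ["ReadOnlyAccess"]},
]

# Constructed asset-side inventory: GitHub repo collaborators (Bring Your Own Identity,
# so the handle is GitHub's and the e-mail may or may not map to an IdP identity).
GITHUB_COLLABORATORS = [
    {"login": "alice-dev", "email": "alice@example.com", "repo": "org/payments", "permission": "admin"},
    {"login": "ext-contractor", "email": "x@contractor.example", "repo": "org/payments", "permission": "write"},
]


@dataclass(frozen=True)
class Finding:
    identity: str   # IdP e-mail if known, otherwise the asset-local account name
    asset: str
    access: str
    reason: str


def normalize_aws(users):
    """Flatten AWS IAM users into the common asset-side record shape."""
    for u in users:
        yield {"email": u["email"], "local": f"aws-local:{u['user']}",
               "asset": "aws", "access": ",".join(u["policies"])}


def normalize_github(collabs):
    """Flatten GitHub collaborators into the common asset-side record shape."""
    for c in collabs:
        yield {"email": c["email"], "local": f"github:{c['login']}",
               "asset": c["repo"], "access": c["permission"]}


def access_inventory(records):
    """The asset-side view: which identities hold which level of access on each asset."""
    inv = defaultdict(list)
    for r in records:
        inv[r["asset"]].append((r["email"] or r["local"], r["access"]))
    return dict(inv)


def reconcile(idp_users, records):
    """Return a Finding for every asset-side grant the IdP does not account for."""
    findings = []
    for r in records:
        if r["email"] is None:
            reason = "local account with no IdP mapping"
        elif r["email"] not in idp_users:
            reason = "identity unknown to IdP"
        elif idp_users[r["email"]]["status"] != "ACTIVE":
            reason = "IdP identity deprovisioned but asset access remains"
        else:
            continue  # federated, active identity: the IdP already sees this one
        findings.append(Finding(r["email"] or r["local"], r["asset"], r["access"], reason))
    return findings


def run_sample():
    """Run the reconciliation over the constructed inventories."""
    records = list(normalize_aws(AWS_IAM_USERS)) + list(normalize_github(GITHUB_COLLABORATORS))
    return reconcile(IDP_USERS, records)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.identity:30} {f.asset:15} {f.access:25} {f.reason}")
```

On the sample data the IdP-only view shows three users, two of them active; the asset-side view surfaces a local CI account, an external contractor and a deprovisioned user who still has read access, none of which an IdP-centric review would have flagged.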

The solution

As noted above, what we need ITDR to do is to help us secure our IAM infrastructure and ensure that it continues to operate correctly.

Securing the infrastructure means:

  • Making sure that there are no misconfigurations, unintentional or intentional, that can lead to compromise.
  • Monitoring and detecting malicious activity.

Ensuring that the infrastructure is used correctly:

  • Removing excessive privileges and working towards least privilege.
  • Detecting anomalies in privilege usage and compromised accounts with access.

This is a tall order, but Delinea has it covered. Here’s how we do it.

Delinea’s Approach to ITDR

Delinea provides a Cloud Identity and Access Security Platform that continuously monitors your identities, access privileges, assets, and activities to secure all your apps and cloud services.

This means that we go full-stack, connecting to everything from your IdPs (Okta, Ping, Azure AD), to IaaS (AWS, Azure, GCP) to SaaS (GitHub, O365, Google, etc), and beyond.

Data from these sources is normalized and processed by our machine learning engine. Our visibility allows you to continuously monitor your environments, detect threats, and effectively remediate risks, enabling you to achieve and maintain least privilege.

Here’s how we do it:

Monitor

Once we connect to your IdPs and apps/services, we collect and monitor data on:

  • How they are configured, understanding trust, relationships, and more.
  • Effective access, showing you who has access to what, both direct and indirect.
  • How that access is being used—think about this like audit logs for your access.

Detect

Based on the data that we collected and normalized, we detect issues from:

  • Effective access risks like hidden access from groups, roles, and more.
  • Lifecycle changes that can lead to privilege sprawl or risk from exposure.
  • Privileged activity.

All this information enables us to:

  • Help you achieve least privilege.
  • Provide you with information about unused privileges, anomalous actions, and compromised accounts.
  • Notify you about risky misconfigurations that impact the security posture of your identity infrastructure.
  • Identify suspicious changes to your identity infrastructure.
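The Monitor and Detect steps above rest on two computations: effective access, meaning every grant an identity can reach directly or indirectly through group nesting and assumable roles, and the comparison of that access with how it is actually used. The following is an added example, not Delinea's platform code, showing both over constructed directory, grant, role-trust and audit-log data; the data shapes and the principal naming (`user:`, `group:`, `role:`) are assumptions made for the example.

```python
"""Effective access, hidden access and unused privileges (added example, constructed data).

A user's effective access is the union of direct grants, grants to any group the user is
in (including nested parent groups) and grants to any role a trusted principal may assume.
Hidden access is the part of that not granted directly; unused privileges are effective
grants that never appear in the audit log.
"""
from collections import deque


# Constructed directory: direct group membership and nested group parents.
USER_GROUPS = {"alice": ["dev"], "bob": ["finance"], "dave": ["contractors"]}
GROUP_PARENTS = {
    "dev": ["engineering"], "engineering": ["all-staff"],
    "finance": ["all-staff"], "contractors": ["all-staff"], "all-staff": [],
}

# Constructed grants: principal name -> set of (asset, level).
GRANTS = {
    "alice": {("prod-db", "read")},
    "engineering": {("prod-db", "admin")},       # reached from dev via nesting
    "all-staff": {("wiki", "read")},
    "finance": {("ledger", "write")},
    "role:deploy-admin": {("prod-k8s", "admin")},
}

# Constructed role trust policy: role -> principals allowed to assume it.
ROLE_TRUST = {"role:deploy-admin": ["group:dev"]}

# Constructed audit log: (user, asset, level actually used).
AUDIT_LOG = [
    ("alice", "prod-db", "read"), ("alice", "wiki", "read"),
    ("bob", "ledger", "write"), ("bob", "wiki", "read"),
]


def expand_groups(user):
    """All groups the user belongs to, directly or through nesting (breadth-first walk)."""
    seen, queue = set(), deque(USER_GROUPS.get(user, []))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(GROUP_PARENTS.get(g, []))
    return seen


def effective_access(user):
    """Return {(asset, level): explanation} for everything the user can reach."""
    access = {}
    for grant in GRANTS.get(user, set()):
        access.setdefault(grant, f"direct grant to {user}")
    groups = expand_groups(user)
    for g in sorted(groups):
        for grant in GRANTS.get(g, set()):
            access.setdefault(grant, f"via group {g}")
    # Roles: assumable if the user, or any group the user is in, is in the trust list.
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    for role, trusted in ROLE_TRUST.items():
        if principals & set(trusted):
            for grant in GRANTS.get(role, set()):
                access.setdefault(grant, f"via assumable {role}")
    return access


def hidden_access(user):
    """Access the user holds only indirectly: what a review of direct grants would miss."""
    return {g: why for g, why in effective_access(user).items() if not why.startswith("direct")}


def unused_privileges(user, audit_log):
    """Effective grants with no corresponding use in the audit log: least-privilege candidates."""
    used = {(asset, level) for u, asset, level in audit_log if u == user}
    return {g: why for g, why in effective_access(user).items() if g not in used}


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, "effective:", effective_access(user))
        print(user, "hidden:", hidden_access(user))
        print(user, "unused:", unused_privileges(user, AUDIT_LOG))
```

On the sample data alice holds admin on prod-db through the dev-to-engineering nesting and admin on prod-k8s through an assumable role, neither of which appears in her direct grants or in the audit log; those two entries are exactly the ones a least-privilege remediation would target first.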

Remediate

We then assist in the remediation process without impacting the ongoing operations.

Delinea enables your team to remediate more effectively and efficiently with surgical precision by:

  • Providing context with AI-based explanations, usage context, and knowledge of the overall situation.
  • Communicating with the appropriate line of business personnel to confirm the changes and ensure a seamless remediation process.
  • Automatically matching incidents to the responsible parties for follow-up, with integration into your ITSM.
  • Validating the fix to ensure that your de-facto access has returned to a secure state.

Next steps for securing your Cloud Identity and Access

Despite all the challenges organizations face regarding identity and access security, we're on the right track. More and more organizations are using IAM tools to manage their identities and access more efficiently. Now, security teams must take the next step and ensure that they're securing those tools and their environments. For more information on how Delinea can help your organization secure its identity and access infrastructure, we invite you to schedule a meeting with us and request a demo of our platform.