Identity Threat Detection and Response Explained

04/05/2022 • Gabriel Avner

In March, Gartner analysts dropped us some breadcrumbs on an emerging new category that they are calling “Identity Threat Detection and Response” (ITDR).

Citing it in their “Top Security and Risk Management Trends for 2022” release that we broke down in last week’s post, the analysts told us that they introduced the term “to describe the collection of tools and best practices to defend identity systems.”

The reason for the new category that they cite is the marked rise in active targeting of identity and access management (IAM) infrastructure by sophisticated threat actors, as well as the fact that credential misuse is “a primary threat attack vector.”

In this week’s piece, we will try to:

  • Understand what has changed in the security environment that has spurred the creation of this new category 
  • Reexamine a couple of our prior assumptions about identity and access security
  • Define as best we can what ITDR is and what problems it is looking to solve
  • Lay out Authomize’s approach to ITDR with a breakdown of how our solution fits the bill  

Identity and Access are Under Attack

Even before the pandemic, the identity and access layers were already under threat. Especially given the transition away from the on-prem to the cloud where identity is both the key to accessing an organization’s assets and the perimeter protecting those assets. Taking control of identities with privileged access gives attackers the keys to the kingdom, along with all of the crown jewels that they can reach with those privileges.

Attacks on the identity layer have only increased in the past two years given the move to remote and cloud work, with the Verizon Data Breach Investigations Report for 2021 telling us that 80% of breaches involve privileged credentials. 

The threat to identities has led to a blooming field of IAM (IGA, PAM, CEIM, CSPM, SSPM, etc ad infinitum) and authentication tools like MFA and SSO, all aimed at managing our identities more effectively and reducing the chances of compromised credentials being used against us. 

All of these factors and developments are important, but none of them are particularly new.

Reexamining our Assumptions on IAM

What is new is the recognition that these IAM tools are identity and access infrastructure and not security. 

Moreover, Gartner is explicitly telling us that, “Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure,” and that we need to develop ways to protect that infrastructure. 

The analysts go a step further in their critique of the current landscape. 

“Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure,” Peter Firstbrook, the research Vice President at Gartner quoted in the report. 

What he is saying is that while we have done a better job at putting tools into place aimed at acting more securely with our identities and access, with tools like authentication, attackers are finding ways to undermine those systems and use them as their avenue to reach deep inside their targets.

We have seen two high profile examples of this problem. First in the SolarWinds case where Russian hackers defeated MFA and hijacked Active Directory to create a new admin identity. More recently was the hack of Okta where the Lapsus$ group compromised a third-party vendor and used that access to penetrate into Okta’s clients, gaining scary amounts of access.

Given the evidence that malicious actors have the ability to use our identity and access infrastructure against us.

IAM tools can be incredibly powerful and useful. But they can also be a single point of failure if they are compromised. A basic principle of security tells us that we should not have the same system that is managing the infrastructure be the ones monitoring that it is working securely.

Think of it like a Segregation of Duties for your identity and access security. 

What is needed is a solution that actually secures our infrastructure and ensures that it continues to operate correctly.

This is where ITDR steps up into the limelight.

Defining IDTR

Going back to Firstbrook’s description of ITDR as “the collection of tools and best practices to defend identity systems,” we understand that this segment is still in its early days.

What we do know is what ITDR is looking to solve for and what it needs to do to get us there.

The Challenge

A major flaw in IAM tools is they have limited visibility. 

An identity provider (IdP) like Okta will only see the identities that are in its directory. If you are only tracking identities from the IdP side, then you are only seeing half of the picture from an access privilege POV.

What about looking at the asset side of the equation to see who has access privileges to them? There may be local IAM users in your AWS, or in the case of GitHub with its Bring Your Own Identity model, internal or external users with access to your repos that you simply do not know are there.  

Access privileges are the answer to the question of what can an identity, human or machine, do after they have had their identity authenticated? Which assets can they access? What level of access (read, write, admin, etc) will they have? 

These access privileges are the relationship between the identity and the apps and services where the identity interacts with their assets. Understanding who has access to what and how they are using those privileges is critical to operating securely.

The Solution

As noted above, what we need ITDR to do is to help us secure our IAM infrastructure and ensure that it continues to operate correctly.

Securing the infrastructure means:

  • Making sure that there are no misconfigurations, unintentional or intentional, that can lead to compromise 
  • Monitoring and detecting malicious activity

Ensuring that the infrastructure is used correctly:

  • Removing excessive privileges and working towards Least Privilege
  • Detecting anomalies in privilege usage and compromised accounts with access

This is a tall order, but Authomize has it covered. Here’s how we do it.

Authomize’s Approach to ITDR

Authomize is the first Cloud Identity and Access Security Platform.

We continuously monitor your identities, access privileges, assets, and activities, to secure all your apps and cloud services. This means that we go full-stack, connecting to everything from your IdPs (Okta, Ping, Azure AD), to IaaS (AWS, Azure, GCP) to SaaS (GitHub, O365, Google, etc), and beyond. 

Data from these sources is normalized and processed by our Machine Learning engine.

Our visibility allows you to continuously monitor your environments, detect threats, and effectively remediate risks, enabling you to achieve and maintain Least Privilege. 

Here’s how we do it:

Monitor

Once we connect to your IdPs and apps/services, we collect and monitor data on:

  • How they are configured, understanding trust, relationships, and more
  • Effective access showing you who has access to what, both direct and indirect
  • How that access is being used — think about this like audit logs for your access

Detect

Based on the data that we collected and normalized, we detect issues from:

  • Effective access risks like hidden access from groups, roles, and more
  • Lifecycle changes that can lead to privilege sprawl or risk from exposure 
  • Access privilege activity that 

All this information enables us to:

  • Help you achieve Least Privilege
  • Provide you with information about unused privileges, anomalous actions, and compromised accounts 
  • Notify you about risky misconfigurations that impact the security posture of your identity infrastructure
  • Identify suspicious changes to your identity infrastructure

Remediate

We then assist in the remediation process without impacting the ongoing operations.

Authomize enables your team to remediate more effectively and efficiently with surgical precision by:

  • Providing context with AI-based explanations, usage context, and knowledge of the overall situation
  • Communicate with the appropriate line of business personnel to confirm the changes and ensure a seamless remediation process
  • Authomize automates matching of incidents to the responsible parties for the follow up and integrates with your ITSM
  • Validate the fix to ensure that your de-facto access has returned to a secure state

Next Steps for Securing Your Cloud Identity and Access

Despite all of the challenges facing organizations when it comes to their identity and access security, we appear to be on the right track. 

More and more organizations are using IAM tools to manage their identities and access more efficiently. 

Now security teams have to take the next step and ensure that they are securing those tools and their environments.

For more information on how Authomize can help your organization secure your identity and access infrastructure, we invite you to schedule a meeting with us and request a demo of our platform.

Next read

Download
Solution Brief

Learn how Authomize's solution is changing the way companies are managing authorizations

Download