The emergence of Identity Threat Detection and Response
Identity Threat Detection and Response (ITDR) has become a critical component of detecting and responding to identity-based attacks. Threat actors have repeatedly shown that they can compromise identity infrastructure and then move laterally into IaaS, SaaS, PaaS and CI/CD environments. ITDR solutions help organizations detect suspicious or malicious identity activity in those environments and give security teams an answer to the question "What is happening in my environment right now, and what are the identities in it doing?"
Human and non-human identities
As outlined in the ITDR Decisions Guide, a comprehensive ITDR solution covers both human and non-human identities. Human identities include the workforce (employees), guests (contractors) and vendors. Non-human identities include tokens, keys, service accounts and bots. A multi-environment ITDR solution can detect and respond to identity risk across all layers, from the IdP through the IaaS and SaaS layers, rather than securing identity data in isolated, fragmented silos.
Key features of ITDR
Key features of the ITDR solution include:
- A universal identity profile for every entity, human and non-human, covering activity at all layers of cloud services as well as on-premises applications and services.
- Combining the static view of these identities (configuration, posture management and entitlements) with the dynamic view of what they actually do in the environment.
- Monitoring and tracking of direct and indirect access paths, together with activity monitoring, for all identities in the environment.
- Multi-environment identity tracking and discovery spanning identity providers, IaaS, PaaS, SaaS and CI/CD applications, so identities are tracked wherever they exist in the environment.
- High-fidelity detection and response across multiple environments, enabling organizations to act on identity threats as they unfold across the entire attack surface, rather than reacting to high volumes of atomic alerts raised on individual events.
For a complete list of ITDR capabilities, see the full Identity Threat Detection and Response guide.
Identity threat use cases
To protect effectively against identity attacks, organizations should choose an ITDR solution with advanced attack detection and mitigation capabilities. These capabilities must cover a range of use cases for both human and non-human identities, including but not limited to:
- Account takeover detection: identify the many indicators that an identity has been compromised.
- Credential compromise detection: identify and alert on the use of stolen or compromised credentials in the environment.
- Privilege escalation detection: detect unauthorized attempts to elevate privileges in systems and applications.
- Anomalous behavior detection: watch for deviations from an identity's normal behavior that may indicate malicious activity.
- Insider threat detection: detect and respond to malicious or negligent actions by internal users.
For a complete list of identity threat use cases, see the full Identity Threat Detection and Response guide.
Questions that an effective ITDR solution must answer
1. IDENTITY INVENTORY AND ACCESS MANAGEMENT
What identities are present in our environment?
- A complete inventory of human and non-human identities across all environments.
What roles and permissions do these identities have?
- Details of the roles, groups and specific permissions each identity holds in the different cloud and on-premises environments.
Which role or group gave a particular user access to a resource, and what is the scope of that access?
- Identification of the roles, groups and permissions through which access to each resource is granted.
2. RISK ASSESSMENT AND ANOMALY DETECTION
What are the 10 riskiest identities at each layer of my cloud services, and what would the blast radius be if one of them were compromised?
- Identification of the riskiest identities and assessment of the potential impact of their compromise.
Are there anomalies in an identity's behavior?
- Identification of deviations from each identity's normal behavior patterns, surfacing potentially malicious activity.
Have any credentials been compromised?
- Alerts on the use of stolen or compromised credentials in the environment.
3. AUTHENTICATION AND ACCESS PATTERNS
How do identities authenticate, and which access paths do they use?
- Tracking of authentication methods and access paths for all credentials, including federated and non-federated access points.
What are the sources and locations of login attempts?
- Detailed logs of login attempts, including IP addresses, geographic location and device information.
How do the different identity types (human and non-human) access my environment?
- Monitoring of access patterns for each identity type in the environment.
How widely is MFA adopted at the application and cloud service layers in my environment?
- Evaluation of multi-factor authentication (MFA) coverage and effectiveness across the environment.
4. ACTIVITY MONITORING AND CHANGE REPORTING
What changes were just made to my environment, who made them, and were similar changes made at other cloud service layers?
- Tracking and reporting of recent changes, the identities responsible for them, and whether the same changes appear across layers.
Who accessed sensitive data or critical systems?
- Monitoring and reporting of identity access to sensitive data stores, mission-critical systems and high-risk applications.
5. INCIDENT CORRELATION AND RESPONSE
How do identity incidents correlate across environments?
- Correlation of identity activity and incidents across IdP, IaaS, PaaS, SaaS, CI/CD and on-premises environments into a single view.
What actions should be taken to mitigate the identified threats?
- Actionable recommendations and automated response options to mitigate identified threats and prevent recurrence.
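The cross-environment correlation described in this section (and contrasted earlier with reacting to atomic alerts) can be illustrated with a small correlator. This is an added example, not code from the page or any ITDR vendor; the event schema, the sample log lines and the country baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three layers (IdP, IaaS, SaaS). The field
# names are assumptions for this example, not any vendor's schema.
EVENTS = [
    {"src": "idp",  "ts": "2024-05-01T08:00:00", "user": "alice@example.com", "action": "login", "country": "US", "mfa": True},
    {"src": "idp",  "ts": "2024-05-01T09:10:00", "user": "alice@example.com", "action": "login", "country": "RO", "mfa": False},
    {"src": "iaas", "ts": "2024-05-01T09:14:00", "user": "alice@example.com", "action": "AttachRolePolicy"},
    {"src": "saas", "ts": "2024-05-01T09:20:00", "user": "alice@example.com", "action": "export_report"},
    {"src": "idp",  "ts": "2024-05-01T10:00:00", "user": "bob@example.com", "action": "login", "country": "US", "mfa": True},
    {"src": "iaas", "ts": "2024-05-01T10:05:00", "user": "bob@example.com", "action": "AttachRolePolicy"},
]

# Countries each identity normally logs in from (assumed learned from history).
BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

# IaaS/SaaS actions treated as privilege escalation or sensitive access.
SENSITIVE = {"AttachRolePolicy", "export_report"}

def parse(ts):
    return datetime.fromisoformat(ts)

def correlate(events, baseline, window=timedelta(minutes=30)):
    """Return cross-layer findings keyed by identity.

    A single event is low signal on its own. A finding is raised only when an
    anomalous IdP login (new country or no MFA) is followed within `window`
    by a sensitive action on another layer for the same identity.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_user[e["user"]].append(e)
    findings = {}
    for user, timeline in by_user.items():
        for i, e in enumerate(timeline):
            if e["src"] != "idp" or e["action"] != "login":
                continue
            reasons = []
            if e["country"] not in baseline.get(user, set()):
                reasons.append(f"login from new country {e['country']}")
            if not e["mfa"]:
                reasons.append("login without MFA")
            if not reasons:
                continue
            t0 = parse(e["ts"])
            for f in timeline[i + 1:]:
                if parse(f["ts"]) - t0 > window:
                    break
                if f["src"] != "idp" and f["action"] in SENSITIVE:
                    findings.setdefault(user, []).append(
                        {"reasons": list(reasons), "follow_up": f"{f['src']}:{f['action']}"})
    return findings
```

Running `correlate(EVENTS, BASELINE)` flags only alice, whose non-MFA login from a new country is followed by a role policy change in IaaS and a report export in SaaS; bob's identical IaaS action after a normal login raises nothing.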
For a complete list of questions and business use cases, see the full Identity Threat Detection and Response guide.