This is the era of identity security. The explosion of ransomware attacks has forced CISOs and security teams to realize that identity protection is 20 years behind their endpoints and networks. This awareness is largely due to the transformation of lateral movement from a fine art found only in APTs and leading cybercriminal groups to a marketable skill used in virtually every ransomware attack. Lateral movement uses compromised credentials for malicious access – a critical blind spot that existing XDR, networking and SIEM solutions cannot block.
Identity Threat Detection and Response (ITDR) has emerged in the last couple of years to close this gap. This article examines the top five ITDR opportunities and provides key questions to ask your ITDR provider. Only a definitive “YES” to these questions can ensure that the solution you’re evaluating can actually deliver on its identity security promises.
Coverage for all users, resources and access methods
Why is this important?
Partial protection is as good as no protection at all. If identity is the name of the game, then ITDR protection must apply to all user accounts, to on-premises and cloud resources and, just as importantly, to all access methods.
What questions to ask:
- Does ITDR also cover non-human identities such as Active Directory (AD) accounts?
- Can ITDR analyze end-to-end user authentication across on-premises resources, cloud workloads and SaaS applications?
- Will ITDR detect malicious access via command-line access tools such as PsExec or PowerShell?
Real time (or as close as possible)
Why is this important?
Speed of threat detection matters. In many cases, this can be the difference between detecting and mitigating a threat at an early stage or investigating a full-scale active breach. To achieve this, ITDR must apply its analysis of authentication and access attempts as close as possible to their occurrence.
What questions to ask:
- Does the ITDR solution integrate directly with on-premises and cloud-based identity providers for authentication analysis?
- Does ITDR query the IdP to detect changes in account configuration (e.g. OU, permissions, associated SPN, etc.)?
Multidimensional anomaly detection
Why is this important?
No detection method is immune to false positives. The best way to improve accuracy is to look for several different types of anomalies. While each can occur on its own during legitimate user activity, the co-occurrence of several will increase the likelihood that a genuine attack has been detected.
What questions to ask:
- Can the ITDR solution detect anomalies in the authentication protocol (e.g. hash usage, ticket placement, weaker encryption, etc.)?
- Does the ITDR solution profile standard user behavior to detect access to resources that have never been accessed before?
- Does the ITDR solution analyze the access patterns associated with lateral movement (e.g. accessing multiple destinations in a short period of time, going from machine A to machine B and then from B to C, etc.)?
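To make the multidimensional idea concrete, here is an added example (not Silverfort's code) that scores constructed authentication events on four anomaly dimensions from the questions above and alerts only when two or more co-occur. The window, fan-out threshold and the "RC4 is weak" rule are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs): one authentication
# each, from a source host to a destination host, with the Kerberos encryption type.
EVENTS = [
    {"user": "alice", "src": "WS01", "dst": "FS01", "ts": "2024-05-01T09:00:00", "etype": "AES256"},
    {"user": "alice", "src": "WS01", "dst": "FS01", "ts": "2024-05-01T09:30:00", "etype": "AES256"},
    {"user": "alice", "src": "WS01", "dst": "SRV07", "ts": "2024-05-01T09:31:00", "etype": "RC4"},
    {"user": "alice", "src": "SRV07", "dst": "SRV08", "ts": "2024-05-01T09:32:00", "etype": "RC4"},
    {"user": "alice", "src": "SRV08", "dst": "DC01", "ts": "2024-05-01T09:33:00", "etype": "RC4"},
]
BASELINE = {("alice", "FS01")}  # constructed profile: (user, dst) pairs seen in normal activity
WINDOW = timedelta(minutes=5)   # assumed "short period of time" for lateral-movement patterns
FAN_OUT = 3                     # assumed threshold of distinct destinations inside WINDOW
MIN_DIMENSIONS = 2              # alert only when anomalies of two or more kinds co-occur


def anomalies_for(event, history, baseline):
    """Anomaly dimensions triggered by one event, given the same user's earlier
    events inside the time window."""
    found = set()
    if event["etype"] == "RC4":                          # weaker encryption than AES
        found.add("weak_encryption")
    if (event["user"], event["dst"]) not in baseline:    # resource never accessed before
        found.add("new_resource")
    if len({h["dst"] for h in history} | {event["dst"]}) >= FAN_OUT:
        found.add("fan_out")                             # many destinations, short time
    if any(h["dst"] == event["src"] for h in history):   # A->B, then B->C
        found.add("hop_chain")
    return found


def detect(events, baseline=BASELINE):
    """Score every event and alert only when several anomaly dimensions
    co-occur; a single dimension alone is treated as benign noise."""
    alerts, recent = [], {}  # recent: user -> earlier events still inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        hist = [h for h in recent.get(ev["user"], [])
                if ts - datetime.fromisoformat(h["ts"]) <= WINDOW]
        found = anomalies_for(ev, hist, baseline)
        if len(found) >= MIN_DIMENSIONS:
            alerts.append({"user": ev["user"], "dst": ev["dst"], "anomalies": sorted(found)})
        recent[ev["user"]] = hist + [ev]
    return alerts
```

Running `detect(EVENTS)` flags only the three RC4 hops into never-visited servers, the last two also carrying the fan-out and A-to-B-to-C chaining signals, while the routine file-server logins stay quiet.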
Following up detection with MFA and access blocking
Why is this important?
Accurate threat detection is the starting point, not the end of the race. As mentioned above, timing and accuracy are the keys to an effective defense. Just like EDR, which terminates a malicious process, or SSE, which blocks malicious traffic, the ability to trigger automated blocking of malicious access attempts is a must. While ITDR cannot do this by itself, it must be able to interact with other identity security controls to achieve this goal.
What questions to ask:
- Can ITDR follow up on detection of suspicious access by triggering step-up verification from an MFA solution?
- Can ITDR follow up on detection of suspicious access by instructing the identity provider to block access entirely?
Integration with XDR, SIEM and SOAR
Why is this important?
Threat protection is provided by several products working together. These products can specialize in a specific aspect of malicious activity, combine signals for a holistic contextual view, or orchestrate a response playbook. In addition to the capabilities listed above, ITDR should also integrate seamlessly with the security stack already in place, preferably in as automated a way as possible.
What questions to ask:
- Can the ITDR solution send user risk signals to the XDR and import the XDR's risk signals about processes and machines?
- Does ITDR share its security results with SIEM?
- Can ITDR detection of malicious user access trigger the SOAR playbook for the user and the resources they are logged on to?
Silverfort ITDR
Silverfort’s ITDR is part of a consolidated identity security platform that includes, among other capabilities, MFA, privileged access security, service account protection, and authentication firewalls. Built on native integrations with AD, Entra ID, Okta, ADFS and Ping Federate, Silverfort ITDR analyzes every authentication and access attempt in a hybrid environment and applies multiple cross-cutting risk analysis techniques to detect malicious user activity and enforce identity security controls in real time.
Learn more about Silverfort ITDR or schedule a demo with one of our experts.