ITDR - What is it?
Identity Threat Detection and Response (ITDR): exactly what is this?
Is this something that is incorporated in Zero Trust?
Is this simply a new way of creating another space in the cyber security field for SOC Analysts to have to manage?
Is this just a way to do monitoring of your Active Directory environment?
Is this just another Gartner hype marketing term?
These are all good questions; let's dive in, but before I do: Identity Threat Detection and Response is a term Gartner created. (Gartner, 2022) - "Gartner introduced the term 'identity threat detection and response' (ITDR) to describe the collection of tools and best practices to defend identity systems."
CyberSecurity Threat Detection and Response
Asking Co-Pilot a quick question, Threat Detection and Response is defined as: "Threat detection and response (TDR) is a crucial cybersecurity process that involves identifying cyberthreats to an organization's digital assets and promptly taking steps to mitigate them."
This is a good definition: determining threats to assets and looking to protect them, and ultimately responding to and mitigating threats and risks. The steps can be long and arduous. But in this definition, cyber security itself is still not defined; I like to take a simple definition of cyber security. I know if you are reading this, you probably have an understanding of cyber security, but let's start with an analogy I have used to define cyber security.
Cyber Security Defined (Jerry's Opinion)
I have taken a stance, for a long time, that identity is core to cybersecurity! If you take a look back at posts, articles, and webinars I've done, or have simply listened to me talk over any period of time (sometimes I do that way too much), you will know that I define cybersecurity as protecting the business asset.
The analogy I use to define cybersecurity is: if I am protecting the business asset, and if that is what cybersecurity is all about, then I should be able to dig a hole, pour some cement, dump in my "business asset", cover it, and the asset is protected! However, that's not effective!
So cyber security is not just about protecting the business asset, because that alone doesn't enable the business. In order to enable the business, I must create a door or a latch in the cement block and add an access key. Then, I must define who or what has the access key to the business asset. That's how we enable the business.
To go deeper, the cement block, the latch or the door, and the access codes are just the security controls you put in place to protect that business asset, but all of these controls are worthless until you determine or define who has access to that business asset. Therefore, Cyber Security is defined as: "Protecting a business asset and enabling the business to access the asset through security controls". Zero Trust is further defined by providing Just In Time (JIT) access and conditional access to further evaluate risk and access. For example, Jerry has access to this business asset every day from 9:00am to 5:00pm, or when he asks for the access code and meets all of the conditions. Then, he can open the latch/door to the business asset, utilize it, and close the door or latch. To further enhance the security controls, once the access is finished, the access code is changed; therefore, it is a one-time use access code. The next time he needs to access that business asset, he has to request another access key.
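The JIT and conditional-access idea above, as an added example that is not part of the original article: a toy access broker that grants an access code only when the identity is entitled, the request falls inside the allowed window, and MFA has been completed, and that revokes the code on first use so the next access requires a new request. The policy, identity names and the `secrets`-based code format are assumptions for illustration.

```python
"""Toy Just-In-Time (JIT) access broker for the cement-safe analogy.
Added example; identities, policy values and the code format are constructed."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessPolicy:
    asset: str
    allowed_identities: set          # who may ask for the access code at all
    start_hour: int                  # access window start (inclusive, 24h)
    end_hour: int                    # access window end (exclusive, 24h)
    require_mfa: bool = True         # conditional access: MFA must be satisfied


@dataclass
class JitBroker:
    policy: AccessPolicy
    # live one-time codes: code -> identity it was issued to
    _live_codes: dict = field(default_factory=dict)

    def evaluate_conditions(self, identity: str, when: datetime, mfa_verified: bool):
        """Conditional access checks. Returns (granted, reason)."""
        if identity not in self.policy.allowed_identities:
            return False, "identity not entitled"
        if not (self.policy.start_hour <= when.hour < self.policy.end_hour):
            return False, "outside access window"
        if self.policy.require_mfa and not mfa_verified:
            return False, "mfa required"
        return True, "ok"

    def request_access(self, identity: str, when: datetime, mfa_verified: bool):
        """JIT request: issue a fresh single-use code only if all conditions hold."""
        granted, reason = self.evaluate_conditions(identity, when, mfa_verified)
        if not granted:
            return None, reason
        code = secrets.token_hex(8)          # unpredictable, per-request code
        self._live_codes[code] = identity
        return code, "granted"

    def open_latch(self, identity: str, code: str) -> bool:
        """Use a code once. It is revoked on use, so a replay is refused."""
        if self._live_codes.get(code) != identity:
            return False
        del self._live_codes[code]
        return True


if __name__ == "__main__":
    policy = AccessPolicy("payroll-safe", {"jerry"}, 9, 17)
    broker = JitBroker(policy)
    code, why = broker.request_access("jerry", datetime(2024, 5, 1, 10, 0), True)
    print(why, broker.open_latch("jerry", code), broker.open_latch("jerry", code))
```

Running the module prints `granted True False`: the first use of the code succeeds and the replay of the same code is refused, which is the "one-time use access code" behaviour the analogy describes.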
Identity Threat Detection and Response
To address Identity Threat Detection and Response (ITDR), we must first understand Threat Detection and Response. After you review the definition above, continue with my analogy. Threat Detection: is there an excavator coming to remove my safe, and a jackhammer coming to destroy the safe? Response: I raise my barriers to prevent the excavator and the jackhammer and provide mitigating factors to ensure the excavator and jackhammer cannot remove my asset.
Let's address it from the identity perspective: who is driving the excavator, and do they have the right to move the safe or remove the asset from the cement safe?
Up to this point, there really hasn't been anything SPECIFIC to identity in threat detection and response. So, with the safe in the ground and an access lock, how do we manage threat detection? Threat detection needs to answer each of these two questions, not only in the context of the identity, but in a way that supplies valuable information to the SOC analyst.
The questions above must be addressed through an integration of tools and proper signals sent to the analyst to effectively respond.
To clarify this a bit, threat actors are continuing to pursue vulnerabilities in YOUR environment. IDENTITY is the threat vector that ITDR addresses.
Moving Forward to Technology
Let's put this into today's world! Systems like Active Directory have served as the cornerstone for authentication within organizations. However, the landscape is shifting towards a more sophisticated model where Identity Providers (IdPs) emerge as the central authentication sources. This transition is not merely a change in technology but a strategic enhancement that allows for a deeper integration of analytics into threat detection mechanisms, supporting ITDR as a core cyber security function.
At the core of this evolution is the application of analytics to monitor and assess user behavior, service account activities, and API interactions. This analytical approach extends beyond simple authentication to scrutinize authorization and access patterns. For instance, an anomaly such as sending 15 emails within 30 seconds, creating service principal names unexpectedly, or transferring unusually large volumes of data, signals potential security risks. These activities, when detected, indicate actions that deviate from a user's normal behavior pattern within the organization.
These types of anomalies are indicative of out-of-bounds activities, suggesting either compromised accounts or insider threats. This is where behavior analytics, a subset of threat detection, plays a pivotal role. Behavior analytics is grounded in the principle of monitoring user actions to identify deviations from their typical behavior patterns. This approach is a part of context-based access control, which itself is a component of the broader concept of Policy-Based Access Control (PBAC). PBAC and its contextual counterpart are crucial for effective threat detection because they consider the specifics of user behavior and access requirements in real-time, ensuring that only legitimate activities are authorized.
The response to detected anomalies is equally important. Modern identity providers are equipped with mechanisms to react appropriately to potential threats. Responses can vary from terminating or suspending accounts to requiring users to undergo additional authentication steps, such as multi-factor authentication (MFA), based on the severity of the risk detected. These measures are part of an identity threat detection and response strategy, aimed at minimizing the impact of security breaches.
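The detection and response loop described in the three paragraphs above, as an added example that is not part of the original article: a small behaviour-analytics pass over a constructed identity event log that flags the article's three anomaly types (a burst of 15 emails inside 30 seconds, an unexpected service principal name creation, and an unusually large data transfer relative to the user's baseline), then maps the worst finding per user to a response (step-up MFA for medium risk, suspension for high). The event shape, per-user baselines, thresholds and user names are assumptions for illustration, not any IdP's real API.

```python
"""Behaviour-analytics detector plus response mapping for identity events.
Added example; events, baselines, thresholds and user names are constructed."""
from collections import defaultdict, deque
from datetime import datetime

MAIL_BURST_COUNT = 15        # messages ...
MAIL_BURST_WINDOW_S = 30     # ... within this many seconds
TRANSFER_MULTIPLIER = 10     # bytes out above N x the daily baseline is anomalous

# Constructed per-user baselines (in practice learned from historical activity).
BASELINES = {
    "jerry":      {"creates_spns": False, "daily_bytes_out": 50_000_000},
    "alice":      {"creates_spns": False, "daily_bytes_out": 5_000_000},
    "svc-deploy": {"creates_spns": True,  "daily_bytes_out": 5_000_000},
}
UNKNOWN_BASELINE = {"creates_spns": False, "daily_bytes_out": 0}

# Constructed event log: (iso_timestamp, user, action, value)
EVENTS = (
    # jerry sends 15 mails two seconds apart: 28 s span, inside the 30 s window
    [(f"2024-05-01T09:00:{2 * i:02d}", "jerry", "send_mail", 1) for i in range(15)]
    + [
        ("2024-05-01T09:05:00", "svc-deploy", "create_spn", "HTTP/web01"),  # expected
        ("2024-05-01T09:06:00", "contractor", "create_spn", "MSSQL/db01"),  # unexpected
        ("2024-05-01T09:07:00", "alice", "transfer", 60_000_000),           # 12x baseline
        ("2024-05-01T09:08:00", "jerry", "transfer", 1_000_000),            # normal
    ]
)


def detect(events, baselines=BASELINES):
    """Return a list of (user, rule, severity) findings, one per user and rule."""
    findings = []
    flagged = set()                      # (user, rule) already reported
    mail_windows = defaultdict(deque)    # user -> timestamps of recent mails
    bytes_out = defaultdict(int)         # user -> bytes transferred so far

    def report(user, rule, severity):
        if (user, rule) not in flagged:
            flagged.add((user, rule))
            findings.append((user, rule, severity))

    for ts, user, action, value in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        base = baselines.get(user, UNKNOWN_BASELINE)
        if action == "send_mail":
            window = mail_windows[user]
            window.append(t)
            while (t - window[0]).total_seconds() > MAIL_BURST_WINDOW_S:
                window.popleft()         # drop mails older than the sliding window
            if len(window) >= MAIL_BURST_COUNT:
                report(user, "mail_burst", "medium")
        elif action == "create_spn" and not base["creates_spns"]:
            report(user, "unexpected_spn_create", "high")
        elif action == "transfer":
            bytes_out[user] += value
            if bytes_out[user] > TRANSFER_MULTIPLIER * base["daily_bytes_out"]:
                report(user, "large_transfer", "high")
    return findings


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
RESPONSE_FOR = {"low": "allow", "medium": "require_mfa", "high": "suspend_account"}


def decide_response(findings):
    """Map each user's worst finding to a response the IdP would enforce."""
    worst = {}
    for user, _rule, severity in findings:
        if SEVERITY_RANK[severity] > SEVERITY_RANK.get(worst.get(user, "low"), 0) or user not in worst:
            worst[user] = severity
    return {user: RESPONSE_FOR[sev] for user, sev in worst.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print("finding:", f)
    print("responses:", decide_response(found))
```

The sliding window is what separates a normal day of email from a burst: the count is evaluated only against mails still inside the last 30 seconds. Mapping to a response by the worst severity per user, rather than per finding, mirrors the article's point that the reaction (step-up MFA versus suspension) should follow the risk level rather than fire once per signal.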
Summary
So, is ITDR new? No. From Gartner's site (Gartner, 2022): "Gartner introduced the term 'identity threat detection and response' (ITDR) to describe the collection of tools and best practices to defend identity systems." It is a classification for security elements we have already been doing, but it is also a way to take the technology we have and make it part of our core cybersecurity program. Does it relate to Zero Trust? YES. Identity is a core component of Zero Trust.
Jerry, excellently crafted message. I love how you use storytelling as a key element of bringing the reader on this journey. Storytelling is a skill that is often lacking in cybersecurity when trying to get others to understand the value and severity of cybersecurity threats. ITDR is more relevant today than even before, given the increased amount of data breaches that are exposing user data.
Senior Director, Zero Trust Strategy at Optiv + ClearShark
11 months: "So cyber security is not just about protecting the business asset because it doesn't enable the business." This THIS!!! Security can't be an afterthought any longer... with business alignment we have better vision and more impactful security strategy. Love the concrete analogy too - I use a similar one that involves the bottom of the Atlantic Ocean!! Great article Jerry - thanks for your insights...
Digital Identity & InfoSec Professional - Adjunct Professor - IDPro Board Emeritus - Elections Official
11 months: This is good, Jerry, but here's my essential challenge: Why do we need ITDR in addition to EDR, MDR, and XDR? Given the nature of attack vectors these days, can't the last three (particularly MDR) achieve the same objectives vs. investing in YAIT (yet another identity tool)?