ITDR - What is it?

Identity Threat Detection and Response (ITDR) exactly what is this?

Is this something that is incorporated in Zero Trust?

Is this simply a new way of creating another space in the cyber security field for SOC Analysts to have to manage?

Is this just a way to do monitoring of your Active Directory environment?

Is this just another Gartner hype marketing term?

These are all good questions, let's dive in, but before I do: Identity Threat Detection and Response is term Gartner created. (Gartner, 2022) - "Gartner introduced the term 'identity threat detection and response' (ITDR) to describe the collection of tools and best practices to defend identity systems."

CyberSecurity Threat Detection and Response

Doing a quick question on Co-Pilot: Threat Detection and Response is defined as: "Threat detection and response (TDR) is a crucial cybersecurity process that involves identifying cyberthreats to an organization’s digital assets and promptly taking steps to mitigate them."

This is a good definition, determining threats to assets and looking to protect them, and ultimately, responding and mitigating threats and risks. The steps can be long and arduous. But in this definition, cyber security is still not defined; I like to take simple definition of cyber security. I know if you are reading this, you probably have an understanding of cyber security, but's let's start by an analogy I have used to define cyber security.

Cyber Security Defined (Jerry's Opinion)

I have taken a stance, for a long time, identity is core to cybersecurity! If you take a look back at posts, articles, and webinars I've done, or simply listened to me talk over any period of time, sometimes I do that way too much, you will know that I define cybersecurity as protecting the business asset.

The analogy I use to define cybersecurity is: if I am protecting the business asset and if that is what cybersecurity is all about then I should be able to dig a hole, pour some cement, dump in my "business asset", cover it and the asset is protected! However, that's not effective!

So cyber security is not just about protecting the business asset because it doesn't enable the business. In order to enable the business, I must create a door or a latch in the cement block, add an access key. Then, I must define who or what has the access key to the business asset. That's how we enable the business.

To go deeper, the cement block, the latch or the door, and the access codes are just the security controls you put in place to protect that business asset, but all of these controls are worthless until you determine or define who has access to that business asset. Therefore, Cyber Security is defined as: "Protecting a business asset and enabling the business to access the asset through security controls". Zero Trust is further defined by providing Just In Time (JIT) access and conditional access to further evaluate risk and access. For example, Jerry has access to this business asset every day from 9:00am to 5:00pm or when he asks for the access code, and he meets all of the conditions. Then, he can open the latch/door to the business asset, utilize it and close the door or latch. To further enhance the security controls, once the access is finished, the access code is changed; therefore, it is a one-time use access code. The next time he needs to access that business asset he has to request another access key.

Identity Thread Detection and Response

To address, Identity Threat Protection and Response (ITDR), we must understand, Threat Detection and Response. After you review the definition above, continue with my analogy, Threat Detection - is there an excavator coming to remove my safe and a jackhammer coming to destroy the safe, and Response - I raise my barriers to prevent the excavator and the jackhammer and provide mitigating factors to ensure the excavator and jackhammer cannot remove my asset.

Let's address it from the identity perspective, who is driving the excavator, and should do they have the right to move the safe or remove the asset from the cement safe?

Up to this point, there really hasn't been anything SPECIFIC to Identity with threat detection and response, therefore, the safe in the ground, with an access lock, how do we manage threat detection? Threat Detection needs to understand each of these to questions, and not only the context of the identity, but to supply valuable information to the SOC analyst.

• Is Jerry who he says he is? (Authentication)
• Have we validated that Jerry is who is requesting the access key? (Step-Up Authentication)
• Is he doing all the normal stuff that Jerry does and it's not somebody impersonating Jerry? (Does Jerry normally drive the excavator?) (Behavior Analytics)
• Does Jerry have the right access key and should he be granted access to the business asset with the key he has? (Asset and User Verification)
• Should we respond when Jerry enters the wrong access key? (Authorization)
• Is an intruder or an impostor using the wrong access key? (User Verification)

The questions above must be addressed through an integration of tools and proper signals sent to the analyst to effectively respond.

To clarify this a bit, threat actors are continuing to pursue vulnerabilities in the YOUR environment. IDENTITY is the threat vector, ITDR addresses.

Moving Forward to Technology

Let's put this into today's world today! Systems like Active Directory have served as the cornerstone for authentication within organizations. However, the landscape is shifting towards a more sophisticated model where Identity Providers (IdPs) emerge as the central authentication sources. This transition is not merely a change in technology but a strategic enhancement that allows for a deeper integration of analytics into threat detection mechanisms to support ITDR as a core cyber security functionality.

At the core of this evolution is the application of analytics to monitor and assess user behavior, service account activities, and API interactions. This analytical approach extends beyond simple authentication to scrutinize authorization and access patterns. For instance, an anomaly such as sending 15 emails within 30 seconds, creating service principal names unexpectedly, or transferring unusually large volumes of data, signals potential security risks. These activities, when detected, indicate actions that deviate from a user's normal behavior pattern within the organization.

These types of anomalies are indicative of out-of-bounds activities, suggesting either compromised accounts or insider threats. This is where behavior analytics, a subset of threat detection, plays a pivotal role. Behavior analytics is grounded in the principle of monitoring user actions to identify deviations from their typical behavior patterns. This approach is a part of context-based access control, which itself is a component of the broader concept of Policy-Based Access Control (PBAC). PBAC and its contextual counterpart are crucial for effective threat detection because they consider the specifics of user behavior and access requirements in real-time, ensuring that only legitimate activities are authorized.

The response to detected anomalies is equally important. Modern identity providers are equipped with mechanisms to react appropriately to potential threats. Responses can vary from terminating or suspending accounts to requiring users to undergo additional authentication steps, such as multi-factor authentication (MFA), based on the severity of the risk detected. These measures are part of an identity threat detection and response strategy, aimed at minimizing the impact of security breaches.

Summary

So, is ITDR new? No. From Gartner's site (Gartner, 2022) "Gartner introduced the term 'identity threat detection and response' (ITDR) to describe the collection of tools and best practices to defend identity systems." It is a classification for security elements we have been doing, but it is a way to take the technology that we have to encompass that as a part of our core cybersecurity program. Does it relate to Zero Trust? YES, Identity is a core component of Zero Trust.