Identity Security
In October 2022, Gartner published a research paper on the significance of Identity Threat Detection and Response (ITDR): "Strengthening Cyberattack Readiness Through Identity Threat Detection and Response" (October 20, 2022), authored by Henrique Teixeira, Peter Firstbrook, Ant Allan, and Rebecca Archambault.
ITDR is a term Gartner introduced for the security discipline dedicated to safeguarding the identity infrastructure itself. Just as Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) watch networks and endpoints for active attacks, ITDR watches the systems that govern identity and access across the organization: identity providers, directories and privilege management tools, together with the credentials, tokens and policies they hold. With identity now serving as the new perimeter, malicious actors, internal and external alike, exploit the detection gap between traditional Identity and Access Management (IAM) solutions, which enforce access policy but do not monitor for its abuse, and infrastructure security controls, which monitor endpoints and networks but not the identity fabric.
Before seeking tools to fortify your identity infrastructure, it is recommended to identify gaps in your environment through the following three steps:
Evaluate the security posture with an emphasis on identity:
- Scrutinize the risk associated with identity across your environment by assessing actual access privileges.
- Identify dormant accounts, over-privileged accounts, and paths for privilege escalation.
- Expect the proliferation of identities and assets to have produced concealed, unused and excessive access; surfacing it is the purpose of this step.
As businesses lean on the technological revolution in order to scale, the growing number of employees, contractors, vendors, machines and other identities has produced an expansive, unmanaged and poorly understood identity jungle. Attackers, always quick to find blind spots and chaos, take advantage of this sprawl to perform account takeovers, abuse stolen credentials and widen the blast radius of their attacks. Identity Security Posture Management (ISPM) is a newer approach to identity security that moves away from a disconnected patchwork of identity tools, each providing only partial, incremental and sporadic visibility and mitigation, toward a continuous, consolidated view of identities and their effective access.
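As an added illustration of the posture checks above (example code written for this page, not part of any ISPM product or of the Gartner paper), the script below takes a constructed identity inventory, role graph and usage telemetry and surfaces the three findings the step asks for: dormant accounts, permissions that were granted but never exercised, and role-assumption chains that end in an admin role. The `can_assume` edges, the 90-day dormancy threshold and the assessment date `TODAY` are assumptions for the example.

```python
from collections import deque
from datetime import date, timedelta

# Constructed sample inventory (not real data). Each identity lists its assigned
# roles, last observed activity and the permissions it has actually exercised
# according to hypothetical usage telemetry.
IDENTITIES = {
    "alice": {"type": "human", "roles": ["developer"],
              "last_active": date(2024, 5, 30),
              "used": {"s3:GetObject", "s3:PutObject"}},
    "bob": {"type": "human", "roles": ["developer", "db-admin"],
            "last_active": date(2024, 6, 1),
            "used": {"s3:GetObject"}},
    "old-contractor": {"type": "human", "roles": ["developer"],
                       "last_active": date(2023, 11, 2),
                       "used": set()},
    "ci-runner": {"type": "machine", "roles": ["deployer"],
                  "last_active": date(2024, 6, 2),
                  "used": {"ecs:UpdateService", "iam:PassRole"}},
}

# Roles grant permissions and may be allowed to assume other roles; the
# "can_assume" edges (assumed for the example) are what create escalation paths.
ROLES = {
    "developer": {"perms": {"s3:GetObject", "s3:PutObject"}, "can_assume": []},
    "db-admin": {"perms": {"rds:*"}, "can_assume": []},
    "deployer": {"perms": {"ecs:UpdateService", "iam:PassRole"}, "can_assume": ["admin"]},
    "admin": {"perms": {"*"}, "can_assume": []},
}

TODAY = date(2024, 6, 3)  # constructed assessment date


def dormant_accounts(identities, today, max_idle_days=90):
    """Identities with no observed activity in the last max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(name for name, ident in identities.items()
                  if ident["last_active"] < cutoff)


def effective_permissions(identity, roles):
    """Union of the permissions granted through all of the identity's roles."""
    perms = set()
    for role in identity["roles"]:
        perms |= roles[role]["perms"]
    return perms


def over_privileged(identities, roles):
    """Map identity -> granted permissions that were never exercised.
    Only identities with at least one unused permission are reported."""
    report = {}
    for name, ident in identities.items():
        unused = effective_permissions(ident, roles) - ident["used"]
        if unused:
            report[name] = sorted(unused)
    return report


def escalation_paths(identities, roles, target="admin"):
    """Breadth-first search over role-assumption edges: for each identity, the
    shortest chain of roles (starting from an assigned role) that reaches target."""
    paths = {}
    for name, ident in identities.items():
        queue = deque((role, [name, role]) for role in ident["roles"])
        seen = set()
        while queue:
            role, path = queue.popleft()
            if role == target:
                paths[name] = path
                break
            if role in seen:
                continue
            seen.add(role)
            for nxt in roles[role]["can_assume"]:
                queue.append((nxt, path + [nxt]))
    return paths


def posture_report(identities, roles, today):
    """The three posture findings in one structure, ready for a ticket or dashboard."""
    return {
        "dormant": dormant_accounts(identities, today),
        "over_privileged": over_privileged(identities, roles),
        "escalation_paths": escalation_paths(identities, roles),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(posture_report(IDENTITIES, ROLES, TODAY), indent=2))
```

On the constructed data the report flags `old-contractor` as dormant, `bob` and `old-contractor` as holding permissions they never use (`rds:*` for bob is the one worth a conversation with the owner), and `ci-runner` as able to reach `admin` through the `deployer` role even though no human holds admin directly. A real assessment replaces the inline dictionaries with exports from the IdP, the cloud IAM API and its access-usage telemetry; the graph walk is the same.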
Evaluate Identity Threats:
- Scrutinize the configurations and deployments of your IAM tools (Identity Provider/Single Sign-On, Identity Governance and Administration, and Privileged Access Management) to uncover risks and threats like exposed passwords, user impersonation, and unauthorized changes.
- Even mature IAM deployments may be susceptible to identity threats due to misconfigurations or intentional design choices.
A point-in-time assessment will offer an estimate of your exposure level, helping prioritize and determine the extent of ITDR adoption for ongoing protection. Identifying areas of exposure will also aid in determining ownership of ITDR within your organization.
Examine Response Playbooks:
- Evaluate how your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) tools handle incident response for your security infrastructure.
- Assess existing playbooks to identify their applicability to identity and access incidents, and determine if adjustments or new playbooks are necessary.
Certain ITDR solutions may offer automated remediation capabilities, such as disabling excessive access, along with resolution recommendations, like migrating applications from Secure Web Authentication (SWA), which vaults and replays a password on the user's behalf, to federated Security Assertion Markup Language (SAML) single sign-on, which removes the application password altogether. The severity and potential impact of incidents on your organization will influence the urgency and level of automation in your playbooks.
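As an added example of the severity-driven split just described (written for this page; it is not code from the Gartner paper or any SIEM, SOAR or ITDR product), the script below runs three identity detections over a constructed set of identity-provider audit events, then applies automated remediation only to the high-severity findings and leaves the low-severity one as a recommendation for a human. The event and field names are assumptions that loosely follow Okta-style event naming; the directory state the playbooks act on is also constructed.

```python
from datetime import datetime, timedelta

# Constructed IdP audit events (not real logs). Event names loosely follow the
# Okta System Log style, but every field here is an assumption for the example.
EVENTS = [
    {"ts": "2024-06-03T08:00:00Z", "actor": "alice", "event": "user.session.start",
     "country": "DE", "mfa": True, "new_device": False},
    {"ts": "2024-06-03T09:10:00Z", "actor": "helpdesk", "event": "user.mfa.factor.reset",
     "target": "bob"},
    {"ts": "2024-06-03T09:25:00Z", "actor": "bob", "event": "user.session.start",
     "country": "NG", "mfa": True, "new_device": True},
    {"ts": "2024-06-03T09:30:00Z", "actor": "bob", "event": "group.user_membership.add",
     "target": "bob", "group": "Global Administrators"},
    {"ts": "2024-06-03T10:00:00Z", "actor": "carol", "event": "user.session.start",
     "country": "DE", "mfa": False, "new_device": False},
]

# Constructed directory state that the playbooks act on.
ACCOUNTS = {
    "alice": {"locked": False, "sessions": 1, "groups": ["Developers"]},
    "bob": {"locked": False, "sessions": 1, "groups": ["Developers", "Global Administrators"]},
    "carol": {"locked": False, "sessions": 1, "groups": ["Finance"]},
}

ADMIN_GROUPS = {"Global Administrators"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window_minutes=60):
    """Three identity detections; findings are returned in event order."""
    findings = []
    resets = {}  # user -> time of the most recent MFA factor reset
    for ev in sorted(events, key=_ts):
        kind = ev["event"]
        if kind == "user.mfa.factor.reset":
            resets[ev["target"]] = _ts(ev)
        elif kind == "user.session.start":
            user = ev["actor"]
            reset_at = resets.get(user)
            # MFA reset followed shortly by a login from a never-seen device is the
            # classic help-desk social-engineering takeover pattern.
            if ev.get("new_device") and reset_at and _ts(ev) - reset_at <= timedelta(minutes=window_minutes):
                findings.append({"rule": "mfa_reset_then_new_device_login", "severity": "high",
                                 "user": user, "playbook": "contain_takeover"})
            elif not ev.get("mfa"):
                findings.append({"rule": "session_without_mfa", "severity": "low",
                                 "user": user, "playbook": "recommend_mfa"})
        elif kind == "group.user_membership.add" and ev["group"] in ADMIN_GROUPS:
            # Anyone adding themselves to an admin group is a privilege grant worth revoking first.
            if ev["actor"] == ev["target"]:
                findings.append({"rule": "self_granted_admin_group", "severity": "high",
                                 "user": ev["target"], "group": ev["group"], "playbook": "revoke_grant"})
    return findings


def apply_playbook(finding, accounts):
    """Automated remediation for high-severity findings; lower severities only
    produce a recommendation for a human to act on."""
    acct = accounts[finding["user"]]
    if finding["playbook"] == "contain_takeover":
        acct["sessions"] = 0   # terminate every active session
        acct["locked"] = True  # lock until identity is re-verified and MFA re-enrolled
        return "locked account and terminated sessions"
    if finding["playbook"] == "revoke_grant":
        acct["groups"] = [g for g in acct["groups"] if g != finding["group"]]
        return "removed from " + finding["group"]
    return "recommendation only: enforce MFA for this user"


def respond(events, accounts):
    """Detect, then remediate on a copy of the directory state.
    Returns (actions taken, resulting state); the input state is left untouched."""
    state = {name: dict(acct) for name, acct in accounts.items()}
    actions = [(f["user"], f["rule"], apply_playbook(f, state)) for f in detect(events)]
    return actions, state


if __name__ == "__main__":
    for user, rule, result in respond(EVENTS, ACCOUNTS)[0]:
        print(user, rule, "->", result)
```

On the sample events, `bob` is locked and stripped of the self-granted admin group automatically, while `carol`'s MFA-less session only yields a recommendation. Wiring this into a real SOAR replaces the `apply_playbook` mutations with calls to the identity provider's session-revocation and group-membership APIs and adds the ticketing step; the decision of which severities are allowed to trigger those calls without a human in the loop is the policy question the paragraph above leaves to the organization.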