Contents:
Key insights:
- What is identity threat detection and response (ITDR)?
- What are the differences and similarities between ITDR and EDR?
- What are the alternatives to ITDR?
Identity Threat Detection and Response (ITDR) is a comparatively new term in the cybersecurity scene. It was first coined by Gartner in 2022 and has since become a cornerstone of cybersecurity for many organizations.
In the aftermath of the pandemic, ITDR systems began to emerge as a new category of identity protection. Many organizations realized that a far more robust approach to managing digital identities and permissions was needed, after the widespread disruption and technical change that 2020-2021 brought. The new product promised to provide just that.
Yet even today, it remains an unfamiliar term to many. In this blog, therefore, we discuss the origins of ITDR and the distinct features and approach that these tools offer.
At a Glance: What is Identity Threat Detection and Response?
The threat detection landscape has previously been all about endpoint protection. But over the last two years, organizations have started to realize just how often users are the point of risk. With identity fraud on the rise, it’s now vital to defend users and accounts, as well as devices.
– Nabil Nistar, Director of Strategy and Portfolio Marketing, Heimdal
Traditional identity and access management (IAM) products generally focus on managing user identities, accounts, and permissions. This remains a hugely important cornerstone of effective cybersecurity.
But ITDR takes this to the next level by adding tools to detect and respond to realtime identity-based threats. It monitors activity associated with user accounts and conducts realtime behavioral analysis to identify suspicious activity.
These threat intelligence and monitoring techniques are common in security products that focus on behavioral monitoring:
- Endpoint detection and response (EDR),
- Extended detection and response (XDR),
- Security Information and Event Management (SIEM), and others.
Crucially, none of the solutions above focus on identities and accounts in the way ITDR does. This leaves an important gap in the market for a tool that combines both:
- the identity-based focus of IAM and PAM products
- the threat detection and response capabilities of EDRs and XDRs.
In practice, this means ITDR offers a much more robust approach to defending your environment against identity attacks like phishing, behavioral manipulation, escalation of privilege, and much more.
It also makes it harder for hackers to perform lateral movement and reconnaissance once they’ve gained access.
Why is ITDR important?
The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.
Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure. ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation.
– Peter Firstbrook, Research Vice President at Gartner (Source: Gartner)
ITDR first appeared on the scene right after the pandemic – and that timing is no coincidence. That’s because 2020-2021 saw the acceleration of several important technology trends:
- remote working
- cloud technology
- the widespread adoption of bring-your-own-device policies
There are many good things to say about the move to remote and cloud-first working. But the trend has one hugely important implication: Identity has now become the primary (and often only) way to authenticate users and secure their accounts. Nowadays, physical location, building security, and the user’s device itself are far less effective ways of identifying the user.
For hackers, this is a goldmine, because identity has become a single point of failure. If a hacker can access an account without being detected (particularly a privileged one), they stand a far better chance of slipping past whatever other cybersecurity defenses the organization has in place.
Therefore, identity has become an increasingly fundamental part of cyber attacks in the last few years. According to research covered in VentureBeat, 79% of detected incidents are now malware-free, which indicates that hackers are regularly logging in with valid credentials – without the need for malware or vulnerability exploitation. Likewise, some 90% of organizations have experienced identity-related intrusions in the last year, with 80% reporting that better identity management tools would have helped to avoid this.
These stats underpin just how important identity-related security measures are, and why ITDR has become increasingly popular in recent years.
Traditional IAM and PAM tools simply don’t scan the kinds of realtime data that could betray a hacker’s activity and enable the organization to lock down the account. At the same time, tools like EDR or XDR do scan user activity, but they’re not generally looking for evidence of hacked accounts.
It’s a significant gap in the cybersecurity strategies of many organizations, and is exactly the issue that ITDR aims to solve.
Key Features of an Effective ITDR Solution
Over the last few years, identity-related cyberattacks have greatly increased in scope and complexity. Now, hackers are relying on a new set of techniques to gain access and move through your environment. These include multi-factor authentication bypass techniques, stolen session cookies, access broker activity, and voice phishing (‘vishing’).
Crucially, these sit alongside the hacker’s tried-and-tested toolkit, with classic techniques like:
- compromised credentials
- email phishing
- credential stuffing
- brute force attacks, etc.
So, ITDR tools have a tricky job on their hands, requiring visibility over a vast and diverse range of cyber threats. To protect against these issues, a common set of tools and functionality has emerged:
- Active Directory configuration: This enables IT teams to monitor, centralize, and configure user accounts and identities in the Microsoft Active Directory (AD), making it easier to keep the AD comprehensive and secure.
- Behavioral analysis: These tools monitor user account activity, with a particular focus on login events and access management. This uses AI-powered algorithms to detect suspicious and anomalous user account activity that might otherwise pass undetected through traditional EDR or PAM tools.
- Multi-factor authentication: IT teams can also enforce multi-factor authentication rules across all user accounts, making it harder for hackers to successfully log in with stolen credentials.
- Automated incident response: ITDR enables IT teams to configure automated response actions to common risk signals or threats, like suspicious login attempts or other identity security issues. This enables the IT environment to quickly lock down the threat, without relying on the security team to respond.
- Centralized dashboard: Security teams can view alerts, reports, and incidents from a single dashboard, giving a clear overview of all identity-related issues.
- Privileged access management: Some ITDR systems also incorporate the traditional IAM and PAM feature set, enabling IT teams to audit privileged accounts, manage permissions, enable dynamic privilege escalation, and enforce least privilege. This enables security teams to consolidate licenses and manage all privilege and identity-related signals in one dashboard.
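As an added illustration of the behavioral-analysis and automated-response features above (example code written for this article, not Heimdal's product, run over constructed login events): two simple detectors, an impossible-travel check and a credential-stuffing check, feed a response step that decides which accounts to lock and which source addresses to block.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (hypothetical, not from the original post): (timestamp, user, source IP, country, result)
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "203.0.113.5", "DK", "success"),
    ("2024-03-01T09:04:00", "alice", "198.51.100.7", "BR", "success"),  # 4 min later, other continent
    ("2024-03-01T09:10:00", "bob",   "192.0.2.9", "DK", "failure"),
    ("2024-03-01T09:10:05", "carol", "192.0.2.9", "DK", "failure"),
    ("2024-03-01T09:10:10", "dave",  "192.0.2.9", "DK", "failure"),
    ("2024-03-01T09:10:15", "erin",  "192.0.2.9", "DK", "failure"),
    ("2024-03-01T09:10:20", "frank", "192.0.2.9", "DK", "success"),  # valid credentials found after the spray
    ("2024-03-01T09:30:00", "grace", "203.0.113.8", "DK", "success"),
]

def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(t), u, ip, c, r) for t, u, ip, c, r in events)

def impossible_travel(events, window=timedelta(hours=1)):
    """Users with two successful logins from different countries inside `window`."""
    last, flagged = {}, set()
    for ts, user, _ip, country, result in parse(events):
        if result != "success":
            continue
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] < window:
            flagged.add(user)
        last[user] = (ts, country)
    return flagged

def credential_stuffing(events, min_users=4, window=timedelta(minutes=5)):
    """IPs failing logins for >= min_users accounts within `window`, plus accounts that then succeeded from them."""
    by_ip = defaultdict(list)
    for ts, user, ip, _c, result in parse(events):
        by_ip[ip].append((ts, user, result))
    bad_ips, compromised = set(), set()
    for ip, rows in by_ip.items():
        fails = [(ts, u) for ts, u, r in rows if r == "failure"]
        for t0, _ in fails:
            if len({u for ts, u in fails if t0 <= ts <= t0 + window}) >= min_users:
                bad_ips.add(ip)
                compromised |= {u for ts, u, r in rows if r == "success" and ts >= t0}
    return bad_ips, compromised

def respond(events):
    """Automated response plan: lock implicated accounts and block offending IPs."""
    ips, hits = credential_stuffing(events)
    return {"lock": sorted(impossible_travel(events) | hits), "block": sorted(ips)}
```

Real deployments replace the country comparison with geolocation distance and speed, and tune the thresholds to the organization's baseline rather than the fixed values used here.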
Is ITDR Really the Right Approach?
ITDR has plenty of overlap with other common security products like PAM, EDR, XDR, and SIEMs. This can create significant confusion and inefficiency for security teams.
ITDR fills an important gap in your security posture by detecting and blocking a whole range of identity-related threats. But often, it needs to be used alongside your existing identity protection and threat detection tools.
Here’s the issue: You can’t effectively respond to critical threats if there are three or four different tools all trying to respond to slightly different risk signals in slightly different ways. This more-is-more approach to security is bad for your security posture and worse for your budgets.
So, what’s the alternative?
Instead of adding yet another set of security controls to an increasingly unwieldy tech stack, we take a different approach. Heimdal offers an integrated set of tools to monitor your environment and detect threats across user accounts, endpoints, and networks. Here’s what that involves:
- Detect threats: Our integrated Threat Hunting Action Center identifies and locks down the full range of realtime threats across endpoints, networks, cloud environments, and user accounts.
- Protect accounts: Combine proactive access management with realtime threat detection. Heimdal features the full range of advanced PAM features, including privileged account and session management (PASM), privilege elevation and delegation management (PEDM), and more.
- Prevent phishing: Phishing remains one of the most common ways for hackers to gain unauthorized access. Our AI-powered tools can detect and prevent phishing attempts before they reach the inbox – stopping hackers at the source.
- Remote access protection: A brand-new security tool to monitor, manage, and block remote access attempts via remote desktop protocol (RDP) ports. This prevents hackers from exploiting your remote working policies to target your organization and infiltrate your IT environment.
- Managed SOC: All Heimdal security products come with an optional managed security operations center. This gives you access to a 24/7 expert security team that can monitor your environment and quickly respond to realtime critical alerts.
Request your demo to find out more.
ITDR: FAQs
What is ITDR in Cybersecurity?
Identity Threat Detection and Response (ITDR) is a relatively new cybersecurity product that monitors the activities and behavior of user accounts and login activity. It aims to detect suspicious and anomalous login activities, in order to prevent hackers from gaining unauthorized access. Unlike existing threat detection tools (e.g. EDR, XDR, SIEM), these tools focus on accounts and identities, rather than endpoints or networks.
What is the Difference Between ITDR and XDR?
Extended detection and response (XDR) products are consolidated security platforms that aim to integrate alerts from multiple areas of your IT environment. To do this, they monitor endpoints, networks, cloud workloads, email, and identity systems to create a single unified overview of activity across the organization.
ITDR takes a similar but more limited approach, focusing specifically on monitoring the behavior of user accounts and identities.
What is the Difference Between ITDR and IAM?
ITDR products monitor realtime activity associated with user accounts and identities. The goal is to identify when legitimate user accounts have been infiltrated by hackers.
Identity and Access Management (IAM), on the other hand, can carry two meanings. The first is a distinct product to deploy and manage digital identities and assign permissions to users across the organization. The second is an umbrella term for any cybersecurity product that focuses on identities, accounts, and permissions, including PASM, PEDM, IGA, and ITDR.