Article Details
Scrape Timestamp (UTC): 2024-08-15 11:07:17.952
Source: https://thehackernews.com/2024/08/identity-threat-detection-and-response.html
Original Article Text
Identity Threat Detection and Response Solution Guide

The Emergence of Identity Threat Detection and Response

Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally into IaaS, SaaS, PaaS and CI/CD environments. Identity Threat Detection and Response solutions help organizations better detect suspicious or malicious activity in their environment. ITDR solutions help security teams answer the question "What's happening right now in my environment - what are my identities doing in my environments?"

Human and Non-Human Identities

As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities. Human identities entail the workforce (employees), guests (contractors), and vendors. Non-human identities include tokens, keys, service accounts, and bots. Multi-environment ITDR solutions can detect and respond to all identity entity risk, for example from the IdP to the IaaS and SaaS layers, as opposed to securing identities at a fragmented, layer-specific level.

Core ITDR Capabilities

The essential capabilities of an ITDR solution include:

For a full list of ITDR capabilities, you can access the full Identity Threat Detection and Response Solution Guide.

Identity Threat Use Cases

To effectively safeguard against identity attacks, organizations must choose an ITDR solution with advanced capabilities to detect and mitigate attacks. These capabilities should address a range of use cases for both human and non-human identities, including but not limited to:

For a full list of identity threat use cases, you can access the full Identity Threat Detection and Response Solution Guide.

Questions an Effective ITDR Solution Should Answer

1. IDENTITY INVENTORY AND ACCESS MANAGEMENT
What entity identities are present in our environment?
What roles and permissions do these identities have?
What role/group gave a particular user access to a resource?
What is the permission scope for that access?

2. RISK ASSESSMENT AND ANOMALY DETECTION
What are the top 10 riskiest identities across my cloud services layer?
What would the blast radius be should one of those identities be compromised?
Are there any anomalies in identity behavior?
Have any credentials been compromised?

3. AUTHENTICATION AND ACCESS PATTERNS
How are identities being authenticated and accessed?
What are the sources and locations of login attempts?
How is my current environment being accessed by different types of entities (human and non-human)?
How broadly is MFA being enforced across the applications and cloud services layers in my environment?

4. ACTIVITY MONITORING AND CHANGE TRACKING
What changes were just made in my environment, who is responsible for those changes, and were similar changes made in other cloud services layers?
Which identities have accessed sensitive data or critical systems?

5. INCIDENT CORRELATION AND RESPONSE
How do identity-related incidents correlate across different environments?
What actions should be taken to mitigate identified threats?

For a full list of questions and business use cases, you can access the full Identity Threat Detection and Response Solution Guide.

Daily Brief Summary
Identity Threat Detection and Response (ITDR) has become vital for addressing identity-based attacks in various technological environments.
ITDR solutions are crucial for organizations to detect suspicious activities affecting both human and non-human identities such as employees, contractors, bots, and service accounts.
Effective ITDR strategies cover multiple environments (IaaS, SaaS, PaaS), ensuring comprehensive security rather than fragmented, layer-specific security.
Essential ITDR capabilities include identity inventory management, risk assessment, anomaly detection, and incident response.
ITDR also enables detailed activity monitoring and change tracking across different technology stacks within an organization.
Advanced ITDR solutions help identify and manage access patterns and authentication methods, and help ensure broad enforcement of Multi-Factor Authentication (MFA).
Organizations are encouraged to adopt ITDR solutions that can correlate incidents and implement appropriate responses to mitigate threats effectively.