What is Identity Threat Detection and Response (ITDR)?
Identity threat detection and response (ITDR) is a cybersecurity solution that protects identities, credentials and the systems that manage them. A comprehensive ITDR solution will provide three main functionalities:
- Prevent complex, identity-based attacks, such as ransomware
- Detect identity-based attacks in real-time
- Enable efficient and effective response capabilities in the event of an attack
Why is ITDR important?
Analysis indicates that eight in ten (80%) of breaches are identity-driven. These modern attacks often bypass the traditional cyber kill chain by directly leveraging compromised credentials to accomplish lateral movements and launch bigger, more catastrophic attacks.
Identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it is often very challenging to differentiate between the user’s typical behavior and that of the hacker using traditional security measures and tools. Research shows that breaches from compromised credentials take, on average, 250 days to identify when relying on traditional authentication log analysis, disparate user behavior analysis solutions and non-consolidated products and solutions.
While modern organizations have multiple identity security solutions to help prevent and detect identity-related attacks, including Microsoft Active Directory, Azure Active Directory, single sign-on (SSO), multi-factor authentication (MFA), privileged access management (PAM) and more, companies must carefully integration these tools to produce an accurate and complete view of the identity threat landscape. They must also correlate authentication events coming from a variety of managed and unmanaged endpoints, as well as any third-party service providers.
Where does AD hygiene fit into ITDR?
An organization’s Active Directory (AD) – a directory service developed by Microsoft for Windows domain networks in 1999 – is widely considered one of the weakest links in an organization’s cyber defense strategy. Built on decades-old legacy technology, AD is one of the most widely used identity stores and is still relied upon by over 90% of Fortune 1000 organizations. This makes it a prime target for adversaries to breach the network, move laterally and escalate privileges.
Any security compromise of AD undermines the entire identity infrastructure, leading to potential data leaks as well as potential system corruption/takeover or catastrophic ransomware or supply chain attacks.
A good ITDR security solution should therefore include robust AD security capabilities to enable deep, continuous, unified visibility of all users across the enterprise as well as the ability to detect and prevent malicious AD-attacks in real-time.
Considerations when selecting an ITDR solution
There are many vendors that offer ITDR solutions – though not all are created equal. It is important for companies to understand what features and functionalities to look for in a solution. Key areas to consider include:
- Does the solution cover legacy and proprietary applications and tools?
- Can the solution detect and stop modern attacks, like ransomware, in real-time?
- Does it provide real-time, highly reliable detections by leveraging advanced analytics and AI?
- Does it enforce risk-based conditional access based on behavior, user and device risk?
- Does the solution offer complete and continuous visibility across a hybrid identity/multi-directory landscape?
- Does it offer attack path visibility?
- Does it provide deep insights into identity-based incidents in the event one occurs?
- Does the solution auto-classify every identity by type: human, service, privileged?
- Does it provide deep visibility into authentication traffic to detect and stop identity-based incidents, including lateral movement, service account misuse, malicious or suspicious behavior and protocol abuse?
- Does the vendor provide a scalable and unified platform to ensure protection as the company grows?
- Does the provider ensure frictionless, conditional access?
- Does the vendor offer identity protection as a service with continuous monitoring and remediation of hard-to-detect identity-based incidents?
Top 10 ITDR Solutions(in alphabetical order)
- Falcon Identity Protection by CrowdStrike
- Unified Security Platform by CyberArk
- Spotlight by Illusive
- Microsoft Defender by Microsoft
- Directory Service Provider by Semperis
- Identity Suite by SentinelOne
- Unified Identity Protection from Silverfort
- Active Directory Security and Management Solution by Stealthbits
- Tenable.ad by Tenable
- Varonis for Active Directory by Varonis
Falcon Identity Protection by CrowdStrike
Austin, TX | 2011 | www.crowdstrike.com
Falcon Identity Protection, which includes both Falcon Identity Threat Protection and Falcon Identity Threat Detection, is an ITDR solution that enables real-time prevention, detection and response of complex identity-based threats, including ransomware.
- Part of the CrowdStrike Falcon Platform with a single unified agent for identity and endpoint protection
- Provides continuous, multi-directory visibility for all identities across AD, Azure AD and any cloud single sign-on (SSO) solution
- Simple “point and click” functionality for discovering all credentials across the entire on-premises, cloud, hybrid or multi-cloud environment
- Automatically classifies identities as cloud-only or hybrid and provides customized risk scores for each
- Detects lateral movement and anomalous traffic in real time by any user or service account
- Provides correlated events and risk scoring that can track by credential or entity/endpoint for all related activity for incident response
- Correlates with the MITRE ATT&CK framework
Unified Security Platform by CyberArk
Newton, MA | 1999 | www.cyberark.com
The Unified Identity Security Platform from CyberArk leverages intelligent privilege controls to provide secure access for any identity to any resource or environment from any location, using any device.
- Real-time, continuous threat detection and prevention for AD and Azure AD
- Simple and secure access to business resources using single sign-on and adaptive MFA
- End-to-end visibility via a single admin portal
- Ability to discover and manage all credentials and remediate risks across all environments
- Protect privileged access across all identities, infrastructure and apps, from the endpoint to the cloud
Spotlight by Illusive
Tel Aviv, Israel and New York, NY | 2014 | www.illusive.com
Illusive Spotlight is an ITDR solution that enables clients to automatically discover and remediate identity vulnerabilities in real-time.
- Agentless solution
- Continuous discovery and prioritization of identity security risks, including AD and Azure AD misconfigurations, privileged access management (PAM) coverage gaps, and endpoint exposures
- Automated remediation
- Deception deployment to support failsafe intruder detection
- Identity-risk dashboard to effectively detect privilege escalation and lateral movement, as well as assess the risk of new environments
- Automated evidence collection to support reporting, audits and compliance activity
Microsoft Defender by Microsoft
Redmond, WA | 1975 | www.microsoft.com
Microsoft Defender is a comprehensive identity and access product suite that provides continuous, real-time protection against identity-based attacks.
- Incorporates new product categories such as cloud infrastructure entitlement management (CIEM) and decentralized identity
- Verifies all types of identities; secures, manages, and governs access of any app or resource to any user
- Secures and verifies identities across hybrid and multicloud environments
- Real-time intelligent access decisions
Directory Service Provider by Semperis
Hoboken, NJ | 2013 | www.semperis.com
Directory Service Protector is an AD and Azure AD security assessment tool offered by Semperis.
- Comprehensive assessment scans for the most common and effective attack vectors to identify high-risk configurations and other security vulnerabilities
- Supports on-premises AD and Azure AD
- Generates a custom security score based on indicators of exposure (IOEs) and indicators of compromise (IOCs)
- Additional support to help prioritize remediation efforts
- Community-driven threat models and updates
- MITRE ATT&CK correlation
Identity Suite by SentinelOne
Mountain View, CA | 2013 | www.sentinelone.com
Identity Suite by SentinelOne is a comprehensive, real-time identity security solution that offers prevention, detection and response capabilities.
- Real-time protection against a wide array of identity-related risks, including credential theft, credential misuse in AD, privilege escalation, lateral movement, data cloaking and identity exposure
- Continuous, end-to-end visibility for all managed or unmanaged systems on any OS, across all endpoints
- Deception deployment and decoys
- Comprehensive protection for on-premises AD, Azure AD, and multi-cloud environments, as well as domain-joined assets
Unified Identity Protection from Silverfort
Tel Aviv, Israel | 2016 | www.silverfort.com
Unified Identity Protection is an identity security solution that extends MFA and modern identity security to any resource, including those once considered “unprotectable”, such as legacy applications, service accounts and OT systems.
- Agentless and proxyless solution
- Comprehensive offering, including prevention, detection and remediation for all resources, access interfaces and users
- Supports on-premises, cloud-based and hybrid environments
- Real-time visibility and response capabilities
- Leverages anomalous behavior based on all authentication requests to detect risk
- Connects and translates all protocols, IAM solutions and resources in a single cloud IAM platform
Active Directory Security and Management Solution by Stealthbits
Hawthorne, NJ | 2001 | www.stealthbits.com
The Active Directory Security and Management Solution is a suite of tools offered by Stealthbits that enables real-time prevention, detection and response capabilities within the AD.
- Comprehensive offering that includes: vulnerability identification; permissions auditing and governance; malicious change recovery; password policy enforcement; detection; and response
- Complete visibility of the AD environment, including all objects, policies and configurations
- Prioritization of risk and remediation efforts
- Continuous monitoring of changes to critical objects and other actions that may indicate an attack
- Open architecture that supports integration with virtually any system within the security stack
Tenable.ad by Tenable
Columbia, MD | 2002 | www.tenable.com
Tenable.ad is an identity security solution that enables continuous, real-time detection and response capabilities of AD attacks, as well as identification of weaknesses within the AD.
- Agentless solution
- Ability to find hidden weaknesses within the AD, including misconfigurations; Step-by-step remediation guidance
- On-premises and cloud-based solution
- Ability to correlate AD changes and malicious actions
- MITRE ATT&CK integration allows users to access descriptions directly from detected incidents
- Syslog integration supports out-of-the-box functionality for all SIEM and most ticketing systems
Varonis for Active Directory by Varonis
New York, NY | 2005 | www.varonis.com
Varonis for Active Directory is a comprehensive identity solution that allows companies to find and fix commonly exploited misconfigurations within the AD.
- Agentless solution
- Continuous, real-time awareness of AD and Azure AD vulnerabilities
- Support services for risk prioritization and event response
- Domain visualization for all domain and local users, groups, and objects in a single interface
- Correlates AD events with data access and network activity to spot anomalous behaviors that may indicate an attack or compromise
- Unified audit trail provides a complete record of every meaningful action on mission-critical systems
- SIEM integration enables real-time, data-centric alerts via syslog, SNMP, or custom-built connector