3 Essential Elements of an Identity Threat Detection and Response (ITDR) Strategy

Identity threat detection and response (IDTR) equips enterprises to protect digital identities along with the identity systems that manage them.

Digital identity data is a cybercriminal's favorite target. The 2023 ForgeRock Identity Breach Report revealed a 233% increase in U.S. data breaches exposing user credentials compared to the year before. The reason is simple: if stolen, user credentials enable criminals to break into entire networks. From there, they can find high-value data to steal, hold for ransom, expose, or sell.

This is why it's critical to secure your user identities and passwords and the IAM services that manage them. And it's why identity threat detection and response (ITDR) should be part of every enterprise's security strategy.

Last year, after a series of high-profile incidents in which IAM vendors and their infrastructure were targeted by attackers, Gartner proposed the need for an identity threat detection and response (IDTR) strategy. ITDR isn't a single solution you can buy from a vendor. It's a process for preventing, detecting, and responding to identity-based threats.

The firm recommends ITDR because it can detect when IAM systems are compromised, enable rapid investigations, and offer remediation suggestions to restore affected systems. ITDR can expose security misconfigurations in the IAM infrastructure and analyze identity activity in real time to detect cyberattacks.

Visibility is critical, and ITDR can illuminate how an attacker might compromise credentials, privileges, and entitlements to move between systems and into cloud infrastructure. By providing visibility into attack paths, it helps to mitigate these risks.

"Organizations' reliance on their identity infrastructure to enable collaboration, remote work and customer access to services has transformed identity systems into prime targets for threat actors."

Gartner

"Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response," 20 October 2022,
by Henrique Teixeira, Peter Firstbrook, Ant Allan, and Rebecca Archambault.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Prevention, detection, and response: the IAM and ITDR trifecta

ITDR is a multi-faceted approach to protecting identity data and the IAM infrastructure around it. It comprises technologies and best practices to protect against unauthorized access, account takeover, credential misuse, privilege escalation, and other malicious activities that target user accounts and credentials. There are three essential elements of an ITDR strategy, starting with prevention.

1. Prevention

Prevention starts with some basic security hygiene of your IAM infrastructure, like ensuring that your users always use multi-factor authentication (MFA) for any systems that need passwords, go passwordless for all modern applications that can support it, and leverage continuous authorization to ensure IAM infrastructure security. You can layer in strong configuration controls to ensure no one can simply change security configuration, and add AI/ML-based behavior analytics solutions to understand user behavior better and prevent any suspicious activity.

Multi-factor authentication (MFA): MFA requires users to provide more than one form of identification to access a system or application. For example, after entering a username and password or SSO credentials, a user may be required to accept a push notification from an authenticator app or enter a PIN sent to a personal device. Depending on the organization, MFA may include passwordless authentication as a factor, in which the user provides a fingerprint or facial scan.

Passwordless: Passwords are typically the weakest link in any organization's security apparatus. Removing passwords will mitigate many password-based cyberattacks, such as phishing, brute-force, and credential stuffing. However, many organizations may not be able to deliver complete passwordless authentication due to the complexity of IT systems. In these situations, delivering a passwordless experience while hiding the passwords is possible - passwords still exist for the legacy systems that need them, but users never see or interact with them.

Authorization: Continuous authorization involves capturing users roles, identity attributes, and contextual information, and evaluating the user's overall risk posture during every transaction, not just once during authentication. This capability combines role-based access control (RBAC) with attribute-based access control (ABAC), which assigns levels of access to users based on their authority level, responsibility, job title, status (employee vs. contractor), or department, as well as task-specific needs, such as viewing vs. editing rights. ABAC, along with risk-based access control, offers nuanced controls, such as allowing an accountant to access data while on a secure network and managed device, but not while outside the office or using a personal device.

Enterprise-wide visibility with AI/ML: IAM systems should continuously monitor login requests in real time, blocking malicious attempts and adding authentication steps when anomalous behavior is detected. Using device identification, user and entity behavior analytics (UEBA), biometrics, and location intelligence, IAM tools can detect anomalies at the point of login.

Configuration security: Misconfiguration is common, and, while malicious changes in configuration to reduce security may be less frequent, either can be a huge threat to your IAM infrastructure. Your IAM platform should have tight controls to prevent changes to policies around MFA, passwords, authorization, and others. The IAM platform should also detect and alert you when any change in configuration reduces your overall security posture so that you can detect and respond to these changes appropriately.

1. Detection

Integrated with a modern IAM system, ITDR provides centralized visibility and control over all assigned identities and privileges, continuously monitoring user activity, detecting unusual behavior, and alerting security teams. Some of its detection techniques include:

• Configuration monitoring: Ensuring IAM systems are properly configured by continuously monitoring the system for suspicious changes. These changes may include the creation of unusual accounts or registering new authentication devices.
• Identity monitoring: ITDR monitors login events, system logs, network traffic, user behavior analytics, and other sources of information. It continuously tracks user activities, access attempts, and changes in identity-related data.
• Anomaly detection: ITDR relies on advanced analytics and machine learning algorithms to establish patterns of user behavior and to identify deviations from those patterns. Unusual activities, such as multiple login attempts from different geographic locations, indicate potential threats.
• Risk scoring: Based on the detected anomalies, ITDR assigns risk scores or profiles to individuals or events. These scores help prioritize and allocate resources for further investigation and response. Higher risk scores indicate a greater likelihood of identity-related threats.
• Real-time alerts: When suspicious activities or anomalies are detected, the system generates real-time alerts to notify security teams or administrators. These alerts provide relevant details about the detected threat, enabling quick response and mitigation measures.

1. Response

During response, ITDR requires interoperability with the IAM system to identify and contain the threat. If the IAM infrastructure or its data have been compromised, Gartner recommends taking a variety of actions, including (but not limited to) those that follow.

• Contain and eradicate: Isolate the threat and disable syncing between directories, on-prem targets, and cloud user repositories.
• Investigate: Gather additional information and assess the severity of the threat. This may involve analyzing log files, interviewing users, or using forensic to gather evidence.
• Mitigate: Reset compromised credentials, block suspicious accounts or IP addresses, and implement additional security controls. Mitigation may also include freezing automated provisioning, quarantining certain users at risk, and stopping all account changes in IGA, IAM, and PAM.
• Recover: Restore data from backups and collect logs from access management and governance.
• Report: Notify executives, legal staff, and response teams early to maintain a posture of transparency and accountability.
• Remediate: Reset affected credentials, remove rogue accounts and excessive permissions, patch systems, and rotate security keys.

ForgeRock is a key part of an ITDR strategy

The ForgeRock Identity Platform provides a comprehensive identity perimeter for your organization, offering many of the ITDR capabilities recommended by Gartner. It includes full-suite identity and access management (IAM) and identity governance and administration (IGA) capabilities in a converged, AI-powered platform. The ForgeRock platform secures all identities (workforce, consumers, applications, and things), and is delivered as a cloud service with self-managed and hybrid deployment options.

With ForgeRock, you can implement federated single sign-on (SSO), multi-factor authentication (MFA), and provisioning and enabling identity for backend applications and services - all vital capabilities for identity security. ForgeRock's AI-driven Autonomous Access fraud prevention solution specializes in risk decisioning by taking in a range of signals about who is trying to do what and then determining what they can or cannot do next. It can prevent attempts to gain unauthorized access by incorporating multiple contextual signals into the decision process (UEBA), such as login location, device posture, IP network reputation, and the distance between login attempts and registered MFA devices.

By deploying these technologies as a service in the ForgeRock Identity Cloud, you will benefit from the prevention and detection technologies recommended by Gartner, In addition, by integrating our best practices and run books, you can implement Gartner's recommended responses.

Attend an upcoming webinar to learn more

Please join our upcoming webinar covering findings from the 2023 ForgeRock Identity Breach Report to learn about the top trends, including the leading cause of breaches, the costs, and the industries most vulnerable. If you can't attend, be sure to download the Identity Breach Report, which includes recommendations for protecting your organization.

IAMMFAMulti-factor authenticationData BreachITDRIdentity Threat Detection and ResponseIdentity and Access ManagementArtificial IntelligenceAI Passwordless AuthenticationAttribute-based Access ControlABACRBACRole-based Access ControlRisk-based Authentication