Identity Threat Detection and Response (ITDR) is a security discipline that combines cyber threat intelligence, behavior analysis tools and structured processes to protect the identity infrastructure and speed up the remediation of identity-centric attacks. ITDR supports Zero Trust: it uses detection mechanisms to identify potential threats, examines suspicious activity during and after authentication and authorization, and takes countermeasures through security orchestration and response to preserve the trustworthiness of the identity infrastructure. Together, these tools and processes help eradicate an attack in progress and limit the impact of identity-related breaches.
How ITDR works
An ITDR system continuously monitors an enterprise environment for anomalous or suspicious activity connected to user and service identities. When it detects potentially malicious behavior, it alerts the security team and can trigger an automated response, such as immediately revoking the account's access to sensitive data or forcing re-authentication.
An ITDR system works by combining multiple functions in a comprehensive solution. Core ITDR functions include:
Data collection and activity modeling
Continuous monitoring and anomaly detection
Incident response and remediation
Data collection and activity modeling
To recognize suspicious activity, an ITDR system first needs to know what normal and authorized activity looks like.
ITDR systems gather information from sources such as:
User access policies that detail access levels for different types of users and data.
User behavior records, such as normal login times, locations and devices used.
Threat intelligence feeds detailing current attack techniques.
The ITDR system uses behavioral analytics and relationship mapping (which users hold which roles, which accounts touch which systems) to process this data and build a baseline model of normal behavior for users, their accounts and the systems they access.
Continuous monitoring and anomaly detection
An ITDR system monitors identity activity and the identity infrastructure itself to detect threats, exposures and vulnerabilities. It tracks logins, authentications, identity providers (IdPs), access requests and directories such as Active Directory, comparing observed activity to the baseline model, and flags meaningful deviations as potential threats.
Deviations include login attempts from unusual locations or devices, access outside a user's normal hours, lateral movement in which an account reaches resources unrelated to its role, and unusual requests for privilege escalation.
Some ITDR systems use machine learning (ML) to analyze historical threat patterns from company records, threat intelligence feeds and other sources and to learn the characteristics of different attack types. A model trained this way can recognize variations of known attacks that the system has not seen in exactly that form before, although genuinely novel techniques remain harder to catch and still depend on a well-tuned baseline.
Incident response and remediation
When an ITDR system detects a potential intrusion, it flags the activity to the security operations center (SOC) and triggers an immediate response to the anomaly. Response capabilities include isolating the system under attack, disabling compromised accounts, requiring step-up authentication from the user and other means of stopping unauthorized or suspicious activity. Automated responses need guardrails: overly aggressive lockouts disrupt legitimate users, and an attacker who understands the rules can deliberately trigger them against privileged accounts to cause a denial of service.
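The three functions described above (baseline modeling, anomaly detection against that baseline, and response selection) fit together as shown in the following Python example. It is an added illustration, not code from the original article or from any ITDR product: the event tuple layout, the finding names, the risk weights and thresholds, and all users, devices and resources are constructed assumptions. Timestamps are assumed to be in the user's local time so that the hour-of-day check is meaningful.

```python
"""Minimal ITDR-style pipeline (added example, not from the original article).

Learns a per-user baseline from historical authentication events, scores new
events for deviations from that baseline, and maps findings to a response.
All data, field names, weights and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical authentication log in a simplified IdP-like shape.
# Fields: user, local ISO timestamp, source country, device id,
#         resource accessed, whether the access used a privileged role.
HISTORY = [
    ("alice", "2024-05-01T09:12:00", "US", "lap-01", "crm", False),
    ("alice", "2024-05-02T10:03:00", "US", "lap-01", "crm", False),
    ("alice", "2024-05-03T14:40:00", "US", "lap-01", "wiki", False),
    ("bob", "2024-05-01T08:30:00", "DE", "lap-07", "hr", False),
    ("bob", "2024-05-02T17:10:00", "DE", "lap-07", "hr", True),
]

# Assumed risk weights per finding; privilege escalation and lateral movement
# to an unfamiliar resource weigh more than a single contextual oddity.
WEIGHTS = {
    "new_location": 1,
    "new_device": 1,
    "off_hours": 1,
    "unusual_resource": 2,
    "privilege_escalation": 3,
    "no_baseline": 3,
}


def build_baseline(events):
    """Data collection and activity modeling: summarize what is normal per user."""
    base = defaultdict(lambda: {
        "countries": set(), "devices": set(), "resources": set(),
        "hours": set(), "privileged": False,
    })
    for user, ts, country, device, resource, privileged in events:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["resources"].add(resource)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["privileged"] = b["privileged"] or privileged
    return dict(base)


def score_event(baseline, event):
    """Anomaly detection: return the list of deviations from the user's baseline."""
    user, ts, country, device, resource, privileged = event
    b = baseline.get(user)
    if b is None:
        # An identity with no history is itself a finding (new or dormant account).
        return ["no_baseline"]
    findings = []
    if country not in b["countries"]:
        findings.append("new_location")
    if device not in b["devices"]:
        findings.append("new_device")
    hour = datetime.fromisoformat(ts).hour
    # Allow one hour of slack on either side of the observed login window.
    if not (min(b["hours"]) - 1 <= hour <= max(b["hours"]) + 1):
        findings.append("off_hours")
    if resource not in b["resources"]:
        findings.append("unusual_resource")      # lateral movement indicator
    if privileged and not b["privileged"]:
        findings.append("privilege_escalation")  # never used a privileged role before
    return findings


def decide_response(findings):
    """Incident response: map accumulated risk to a proportionate action."""
    risk = sum(WEIGHTS[f] for f in findings)
    if risk >= 5:
        return "disable_account"
    if risk >= 3:
        return "require_step_up_auth"
    if risk >= 1:
        return "alert_soc"
    return "allow"


def triage(baseline, events):
    """Run detection and response selection over a batch of new events."""
    results = []
    for event in events:
        findings = score_event(baseline, event)
        results.append((event[0], findings, decide_response(findings)))
    return results


if __name__ == "__main__":
    # Constructed new events: a normal login, a suspicious login, a privilege
    # escalation onto an unfamiliar resource, and an identity with no history.
    new_events = [
        ("alice", "2024-05-06T10:00:00", "US", "lap-01", "crm", False),
        ("alice", "2024-05-06T03:15:00", "RO", "lap-99", "crm", False),
        ("alice", "2024-05-06T10:00:00", "US", "lap-01", "domain-admin", True),
        ("mallory", "2024-05-06T11:00:00", "US", "lap-01", "crm", False),
    ]
    for user, findings, action in triage(build_baseline(HISTORY), new_events):
        print(f"{user:8} {action:22} {findings}")
```

The thresholds are deliberately conservative: a single oddity (new country) only raises an alert, several together force step-up authentication, and a first-ever privileged action on an unfamiliar resource disables the account. In a real deployment those weights would be tuned per identity tier, and the lockout path would be rate-limited so that the rule cannot be turned against administrators.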