Several businesses I’ve worked with recently have had the misfortune of being victims of cybersecurity incidents. While these incidents come in many forms, there is a common thread: they all started with a compromise of user identity.
Why Identities are Targeted
Identity security—whether it involves usernames and passwords, machine names, encryption keys, or certificates—presents a real challenge. These credentials are needed for access control, ensuring only authorized users have access to systems, infrastructure, and data. Cybercriminals also know this, which is why they are constantly trying to compromise credentials. It’s why incidents such as phishing attacks remain an ongoing problem; gaining access to the right credentials is the foothold an attacker needs.
Attempts to compromise identity do leave a trail: a phishing email, an attempted logon from an incorrect location, or more sophisticated signs such as the creation of a new multifactor authentication (MFA) token. Unfortunately, these things can happen many days apart, are often recorded across multiple systems, and individually may not look suspicious. This creates security gaps attackers can exploit.
Solving the Identity Security Challenge
Identity security is complex and difficult to address. Threats are constant and many, with users and machines targeted with increasingly innovative attack methods by focused cyberattackers. A compromised account can be highly valuable to an attacker, offering hard-to-detect access that can be used to carry out reconnaissance and craft a targeted attack to deploy malware or steal data or funds. The problem of compromised identities is only going to grow, and the impact of compromise is significant, as in many cases, organizations do not have the tools or knowledge to deal with it.
It was the challenge of securing user identities that made me leap at the chance to work on a GigaOm research project into identity threat detection and response (ITDR) solutions, providing me with a chance to learn and understand how security vendors could help address this complex challenge. ITDR solutions are a growing IT industry trend, and while they are a discipline rather than a product, the trend has led to software-based solutions that help enforce that discipline.
How to Choose the Right ITDR Solution
Solution Capabilities
ITDR tools bring together identity-based threat telemetry from many sources, including user directories, identity platforms, cloud platforms, SaaS solutions, and other areas such as endpoints and networks. They then apply analytics, machine learning, and human oversight to look for correlations across data points to provide insight into potential threats.
Critically, they do this quickly and accurately—within minutes—and it is this speed that is essential in tackling threats. In the examples I mentioned, it took days before the identity compromise was spotted, and by then the damage had been done. Tools that can quickly notify of threats and even automate the response will significantly reduce the risk of potential compromise.
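The correlation the preceding paragraphs describe, as an added illustration rather than any vendor's code: the three signals from the earlier example (a reported phishing email, a sign-in from a new country, a newly added MFA method) are individually low-value, but for one identity inside a short window and across more than one source they add up. The event records, source names, weights and threshold are constructed assumptions.

```python
"""Correlate identity signals that arrive days apart from different systems.
Added example; events, field names, weights and threshold are constructed."""
from datetime import datetime, timedelta

# Constructed events from three hypothetical sources: a mail gateway,
# an identity provider sign-in log, and an MFA enrollment log.
EVENTS = [
    {"ts": "2024-03-01T09:12:00", "src": "mailgw", "user": "alice", "kind": "phish_reported"},
    {"ts": "2024-03-04T22:41:00", "src": "idp", "user": "alice", "kind": "signin_new_country"},
    {"ts": "2024-03-06T03:05:00", "src": "mfa", "user": "alice", "kind": "mfa_method_added"},
    {"ts": "2024-03-02T11:00:00", "src": "idp", "user": "bob", "kind": "signin_new_country"},
    {"ts": "2024-01-10T08:00:00", "src": "mailgw", "user": "carol", "kind": "phish_reported"},
    {"ts": "2024-03-20T08:00:00", "src": "mfa", "user": "carol", "kind": "mfa_method_added"},
]

# Illustrative weights for the chain phish -> odd sign-in -> new MFA factor.
WEIGHTS = {"phish_reported": 1, "signin_new_country": 2, "mfa_method_added": 3}
ALERT_THRESHOLD = 5


def correlate(events, window_days=7):
    """Group events per user, slide a window over them in time order, and
    return one alert per user whose weighted signals inside a window reach
    the threshold and come from more than one source."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(
            (datetime.fromisoformat(e["ts"]), e["kind"], e["src"]))
    alerts = []
    window = timedelta(days=window_days)
    for user, evs in by_user.items():
        evs.sort()  # tuples sort by timestamp first
        for i, (start, _, _) in enumerate(evs):
            in_window = [ev for ev in evs[i:] if ev[0] - start <= window]
            score = sum(WEIGHTS.get(k, 0) for _, k, _ in in_window)
            sources = {s for _, _, s in in_window}
            # Requiring more than one source is the point: each system alone
            # sees something unremarkable, and a single noisy source should not page.
            if score >= ALERT_THRESHOLD and len(sources) > 1:
                alerts.append({"user": user, "score": score,
                               "kinds": sorted({k for _, k, _ in in_window}),
                               "sources": sorted(sources),
                               "first": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default seven-day window only alice is flagged; bob has a single source and carol's two signals are months apart.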
Proactive security that can help reduce risk in the first place adds additional value. ITDR solutions can help build a picture of the current environment and apply risk templates to it to highlight areas of concern, such as accounts or data repositories with excessive permissions, unused accounts, and accounts found on the dark web. The security posture insights provided by highlighting these concerns help improve security baselines.
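A small posture check in the spirit of the risk templates just mentioned, added here as an illustration and not taken from any product: each template is a predicate over a directory record, and the assessment lists which templates an account matches. The account export, role names, idle limit and role limit are constructed assumptions.

```python
"""Apply posture risk templates to an account inventory.
Added example; records, role names and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed directory export; field names are assumptions.
ACCOUNTS = [
    {"name": "alice", "type": "user", "roles": ["reader"], "last_login": "2024-03-10"},
    {"name": "svc-backup", "type": "service",
     "roles": ["global_admin", "storage_admin"], "last_login": "2024-03-11"},
    {"name": "contractor7", "type": "user", "roles": ["reader"], "last_login": "2023-09-01"},
    {"name": "dave", "type": "user",
     "roles": ["global_admin", "billing_admin", "storage_admin", "reader"],
     "last_login": "2024-03-12"},
]
PRIVILEGED = {"global_admin", "billing_admin", "storage_admin"}


# Each template takes the account and a reference date so results are deterministic.
def unused_account(acct, now, max_idle=timedelta(days=90)):
    return now - datetime.fromisoformat(acct["last_login"]) > max_idle


def service_account_with_admin(acct, now):
    # Service identities rarely need interactive admin roles; flag any overlap.
    return acct["type"] == "service" and bool(PRIVILEGED & set(acct["roles"]))


def excessive_privileged_roles(acct, now, limit=2):
    return len(PRIVILEGED & set(acct["roles"])) > limit


TEMPLATES = [("unused_account", unused_account),
             ("service_account_with_admin", service_account_with_admin),
             ("excessive_privileged_roles", excessive_privileged_roles)]


def assess(accounts, now):
    """Return {account name: [matched template names]} for accounts with findings."""
    findings = {}
    for acct in accounts:
        hits = [name for name, pred in TEMPLATES if pred(acct, now)]
        if hits:
            findings[acct["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in assess(ACCOUNTS, datetime(2024, 3, 15)).items():
        print(name, hits)
```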
Deception technology is also useful. It works by using fake accounts or resources to attract attackers, leaving the true resources untouched. This reduces the risk to actual resources while providing a useful way to study attacks in progress without risking valuable assets.
Vendor Approach
ITDR solutions fall into two main camps, and while neither approach is better or worse than the other, they are likely to appeal to different markets.
One route is the “add-on” approach, usually from vendors either in the extended detection and response (XDR) space or the privileged access management (PAM) space. This approach uses existing insights and applies identity threat intelligence to them. For organizations already using XDR or PAM tools, adding ITDR can be an attractive option, as they are likely to have more robust and granular mitigation controls and the capability to use other parts of their solution stack to help isolate and stop attacks.
The other approach comes from vendors that have built specific, identity-focused tools from the ground up, designed to integrate broadly with existing technology stacks. These tools pull telemetry from the existing stacks into a dedicated ITDR engine and use that to highlight and prioritize risk and potentially enforce isolation and mitigation. The flexibility and breadth of coverage these tools offer can make them attractive to users with broader and more complex environments that want to add identity security without changing other elements of their current investment.
Next Steps
To learn more, take a look at GigaOm’s ITDR Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.
If you’re not yet a GigaOm subscriber, sign up here.