What is Identity Threat Detection and Response (ITDR)?
Identity threat detection and response (ITDR) describes a new layer of security designed to protect against attacks on user identities, permissions, and identity and access management (IAM) systems.
Why it's time for ITDR
Digital identities are under attack. According to the 2022 ForgeRock Customer Identity Breach Report, two billion records containing usernames and passwords were compromised in 2021, an increase of 35% over the year before. The report went on to say that unauthorized access was the year's top attack vector, responsible for half of all data breaches.
How do cybercriminals get the credentials that open the door to unauthorized access? Some use social engineering, such as phishing emails, against the employees of organizations and identity providers to steal or misuse credentials; others simply buy previously stolen credentials on the dark web.
And, as it turns out, stolen identity data is a gift that keeps on giving. Criminals know that people reuse their passwords, so if they have credentials for one account, there's a good possibility that they can use those same credentials for other accounts. Furthermore, access to just one account can lead to lateral movement, in which an attacker moves deeper into a network in search of sensitive data, such as customer records, intellectual property, financial information, and other high-value targets.
In 2022, in response to evidence that increasingly sophisticated attackers were moving beyond social engineering and actively targeting IAM infrastructure to steal privileged credentials, Gartner introduced a new security term: identity threat detection and response (ITDR).
Is identity threat detection and response (ITDR) a new security product or service?
Not exactly. Gartner defines ITDR as "A security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure." [1] In other words, it is a collection of tools and practices that protect identity and access management systems, detect when they are compromised, enable rapid investigation, and offer remediation suggestions to restore affected systems. ITDR can expose and fix configuration vulnerabilities in the IAM infrastructure and analyze identity activity in real time to detect cyberattacks.
Because ITDR is specifically for the protection of identities, entitlements, and IAM systems, it can help organizations protect against a variety of identity-related threats, such as account takeover (ATO), credential or privilege escalations or misuse, insider threats, and lateral movement across the network.
ITDR can mitigate attacks by isolating suspicious traffic, triggering step-up authentication, and integrating with security information and event management (SIEM) or security orchestration, automation, and response (SOAR) tools. ITDR also checks for security misconfigurations in IAM systems to reduce the likelihood of successful attacks on these systems.
How to bring ITDR capabilities into your IAM infrastructure
As noted, ITDR is not one specific product or solution, but its capabilities are available now. The ForgeRock Identity Platform, for example, offers many of the features and capabilities that comprise the ITDR framework and key Gartner recommendations, including:
| Gartner recommendation for ITDR | ForgeRock solution |
|---|---|
| A modern IAM infrastructure using current and emerging standards | ForgeRock uses OAuth 2.0, FIDO2, OpenID Connect, SAML, UMA 2.0, WebAuthn, and many more standards |
| Best practices and a knowledge base | ForgeRock offers world-class expertise and guidance in the design, development, and deployment of identity solutions |
| A single authoritative user directory that is protected by active management, threat detection, and response tools | ForgeRock Directory Services is a complete, high-performance, internet-scale identity store available globally |
| A single sign-on access management (AM) tool that continuously assesses user context attributes | ForgeRock Access Management and Single Sign-On are part of the integrated ForgeRock platform, which uses AI to continually assess and adapt authorization decisions |
| Multi-factor authentication (MFA) | ForgeRock MFA offers a range of options for MFA, including biometrics, push, OTPs, and more |
| Account takeover (ATO) fraud detection tools | ForgeRock Autonomous Access prevents fraud and ATO at the identity perimeter, during login |
| Identity governance and administration (IGA) and a cloud infrastructure | Cloud-Native Identity Governance is part of the converged ForgeRock IAM platform |
| User and entity behavior analytics (UEBA) tools | ForgeRock Autonomous Access uses AI, including UEBA, that continuously gets smarter at identifying the difference between normal behaviors and emerging threat patterns |
| Enterprise-wide visibility and explanations for decisions | ForgeRock Autonomous Access provides enterprise-wide views for administrators and analysts and clear explanations for access decisions. ForgeRock Autonomous Identity identifies security blind spots and mitigates risks by providing insights into risk during access review |
| Configuration drift control | Configuration can be secured in a version control system outside of the IAM infrastructure |
| Controlled configuration promotion | With ForgeRock, a security configuration cannot be promoted to production without first going through a controlled promotion process via dev and staging |
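As an added illustration of the detection, response, and configuration-drift capabilities described above (this is example code written for this page, not ForgeRock's or Gartner's), the following Python sketch runs two ITDR-style rules over a constructed set of login events and compares a live IAM configuration against a version-controlled baseline. The event fields, thresholds, setting names, and response actions are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider login events (not real data):
# one source IP fails against several accounts, then succeeds against one.
EVENTS = [
    {"ts": "2023-03-01T09:00:00", "user": "alice", "ip": "203.0.113.7", "ok": False},
    {"ts": "2023-03-01T09:00:05", "user": "bob",   "ip": "203.0.113.7", "ok": False},
    {"ts": "2023-03-01T09:00:09", "user": "carol", "ip": "203.0.113.7", "ok": False},
    {"ts": "2023-03-01T09:00:14", "user": "dave",  "ip": "203.0.113.7", "ok": True},
    {"ts": "2023-03-01T10:00:00", "user": "alice", "ip": "198.51.100.2", "ok": True},
]

def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Flag source IPs whose failed logins hit many distinct accounts within
    a short window: the signature of credential stuffing or password spraying
    against the IAM system. Returns {ip: [targeted users]}."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts

def respond(events, spray_alerts):
    """ITDR-style response: a successful login from a flagged IP is treated as
    suspected account takeover, so the session is quarantined and the user is
    required to complete step-up MFA (hypothetical action names)."""
    return [
        {"user": e["user"], "ip": e["ip"],
         "action": ["quarantine_session", "require_step_up_mfa"]}
        for e in events if e["ok"] and e["ip"] in spray_alerts
    ]

# Baseline IAM settings as committed to version control (constructed names).
BASELINE = {"mfa_required": True, "session_ttl_min": 30, "password_min_len": 12}

def config_drift(live, baseline=BASELINE):
    """Return {setting: (expected, actual)} for every setting whose live value
    has drifted from the version-controlled baseline."""
    return {k: (baseline[k], live.get(k)) for k in baseline if live.get(k) != baseline[k]}
```

In a real deployment the flagged events and drift findings would be forwarded to the SIEM/SOAR integration the text mentions rather than returned from a function.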
The importance of an integrated IAM platform for ITDR
Many IAM systems operate in silos. Enterprises may run several systems covering legacy applications, databases, and VPNs, with others designated for cloud services. Because these systems cannot talk to each other, they cannot provide a holistic view of potential threats.
With ForgeRock, you can eliminate the need for multiple point solutions. ForgeRock offers the industry's only end-to-end, AI-driven platform purpose-built for all identities and for any environment — on-prem, multi-cloud, or hybrid.