Identity Threat Detection and Response (ITDR) is a set of security measures designed to detect and respond to identity-related security threats. ITDR adds a new layer to the identity fabric, enabling organizations to secure data even after their perimeter has been breached.
Like traditional ITDR, SaaS Identity Threat Detection and Response looks at identity-centric threats that could lead to breaches within the application or enable threat actors to misuse the app.
ITDR includes monitoring user activity, detecting anomalies that deviate from a user's normal behavior, and taking appropriate action in response to threats.
There are three types of identity vulnerabilities that are monitored with an ITDR:
ITDR is not a tool; it is a methodology. As part of the ITDR process, companies should gather information from multiple sources and look for anomalies within the data. Those sources include audit logs from SaaS applications, the user behavior analytics native to each application (taken on its own and correlated across applications), and user or device data where applicable.
The data is analyzed by an AI tool, and any anomalies that indicate potential threats are highlighted and shared with the security team.
Monitoring the SaaS stack with ITDR tools helps protect an organization’s interests, as it prevents these and other consequences.
As organizations move from on-premises solutions to cloud-based SaaS software, identity has become a key piece of the digital perimeter. Threat actors have taken notice and are putting more pressure on user identities to breach systems.
ITDR addresses security gaps that were left exposed by traditional security solutions:
With so much data sitting on the public cloud behind an identity-based perimeter, protecting that perimeter with an ITDR is of paramount importance.
Identity threat detection and response systems work by combining data from multiple sources to identify threats. Those data sources include, among others:
Using an AI engine, the ITDR scans the audit logs for indicators of compromise (IoCs). When suspicious behavior is detected, it alerts the SOC team, who follow incident response plans to secure the applications and prevent the breach.
ITDRs are able to detect a number of different threats, including:
ITDRs rely on data to detect threats. Expanding the source data to include all applications presents the security team with a far richer data set capable of finding threats that may be impossible to detect otherwise.
For example, if an ITDR solution is monitoring the entire SaaS stack, it would be able to identify an IP address from which threat actors were conducting dictionary attacks on a niche app. When the threat actor then tried to use the password it had discovered on a more important application from the same IP address, the threat would be detected and the security team alerted.
Another example of this would be a user who accessed one application from an IP address in the United States and another app from an Asian IP address at the same time. A single-app data set would not detect anything wrong with the two logins, while comprehensive app-wide monitoring would quickly recognize that an identity had been compromised.
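The two scenarios above come down to correlating audit events across applications that no single app can see on its own. The following is an added illustration, not code from the article or from Adaptive Shield's product: it runs two rules over a constructed set of audit events from three hypothetical apps ("wiki" as the niche app, "crm" as the business-critical one, "hr" as a third). The first rule flags an IP that produced a burst of failed logins against one app and then logged in successfully to a different app; the second flags one identity logging in from two countries within a short window, regardless of which apps were involved. The event schema, thresholds, IP addresses and country codes are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20                 # failed logins from one IP against one app ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window count as a dictionary attack
TRAVEL_WINDOW = timedelta(minutes=10)  # two countries within this window is "impossible travel"


def _failed_burst():
    # Constructed: 30 failed logins against the niche app, one every 5 seconds, from one IP.
    base = datetime(2024, 3, 1, 9, 0, 0)
    return [{"app": "wiki", "ts": base + timedelta(seconds=5 * i), "user": "alice",
             "ip": "203.0.113.9", "country": "SG", "outcome": "failure"} for i in range(30)]


# Constructed sample events modelled on the fields a SaaS audit log typically carries.
# "country" stands in for what a geo-IP lookup would attach to the source address.
EVENTS = _failed_burst() + [
    # the dictionary attack eventually succeeds on the niche app
    {"app": "wiki", "ts": datetime(2024, 3, 1, 9, 2, 40), "user": "alice",
     "ip": "203.0.113.9", "country": "SG", "outcome": "success"},
    # the recovered password is reused on the business-critical app from the same IP
    {"app": "crm", "ts": datetime(2024, 3, 1, 9, 10, 0), "user": "alice",
     "ip": "203.0.113.9", "country": "SG", "outcome": "success"},
    # meanwhile the real alice is working from the United States in a third app
    {"app": "hr", "ts": datetime(2024, 3, 1, 9, 11, 0), "user": "alice",
     "ip": "198.51.100.20", "country": "US", "outcome": "success"},
    # benign activity: bob, one country, logins half an hour apart
    {"app": "hr", "ts": datetime(2024, 3, 1, 14, 0, 0), "user": "bob",
     "ip": "198.51.100.77", "country": "US", "outcome": "success"},
    {"app": "crm", "ts": datetime(2024, 3, 1, 14, 30, 0), "user": "bob",
     "ip": "198.51.100.77", "country": "US", "outcome": "success"},
]


def brute_force_ips(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {ip: app} for every IP with >= threshold failed logins against one app inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[(e["app"], e["ip"])].append(e["ts"])
    flagged = {}
    for (app, ip), stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = app
                break
    return flagged


def cross_app_credential_reuse(events):
    """Alert when an IP that attacked one app later logs in successfully to a different app."""
    flagged = brute_force_ips(events)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["outcome"] == "success" and e["ip"] in flagged and flagged[e["ip"]] != e["app"]:
            alerts.append({"type": "cross_app_credential_reuse", "user": e["user"], "ip": e["ip"],
                           "attacked_app": flagged[e["ip"]], "target_app": e["app"], "ts": e["ts"]})
    return alerts


def impossible_travel(events, window=TRAVEL_WINDOW):
    """Alert when one user logs in successfully from two countries within `window`, across any apps."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda x: x["ts"])
        for i, first in enumerate(logins):
            for second in logins[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break                      # logins are sorted, so later ones are further apart
                if first["country"] != second["country"]:
                    alerts.append({"type": "impossible_travel", "user": user,
                                   "first": (first["app"], first["country"]),
                                   "second": (second["app"], second["country"]), "ts": second["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in cross_app_credential_reuse(EVENTS) + impossible_travel(EVENTS):
        print(alert)
```

Run the same `impossible_travel` rule over only the "crm" events or only the "hr" events and it returns nothing, because each app on its own sees alice in a single country; only the stack-wide view contains both logins. The brute-force rule likewise needs the niche app's failures and the critical app's success in one data set.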
Here are some key terms and concepts related to identity threat detection and response that businesses should be familiar with:
Identity Fabric is essentially a number of identity tools that layer on top of each other to create a strong security mesh. In practical terms, if a company's identity fabric includes a username, password, and MFA, the company's SaaS app remains secure even if a user's login credentials are compromised, as MFA still prevents access.
ITDR is used to maintain the strength of the identity fabric. It recognizes when settings within IAM tools are changed, such as the addition of new admin accounts or the creation of local accounts, and it recognizes when an emergency or dormant account is suddenly in use. Once alerted, the security team can review the changes and determine whether threat actors are at play.
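As an added example, not code from the article or from any vendor's product, the rules below watch a constructed stream of IAM audit events for exactly the changes just described: an admin role being granted, a local (non-SSO) account being created, a login to a registered emergency ("break-glass") account, and a login by an account that had been silent for longer than a dormancy threshold. The event schema, the 90-day threshold, the account names and the break-glass list are assumptions made for the example.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)           # assumed: no login for this long makes an account "dormant"
BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}  # assumed: emergency accounts the org registered for alerting

# Constructed IAM audit events with a hypothetical schema:
# ts, actor (who did it), action, target (account acted on), details (action-specific fields).
IAM_EVENTS = [
    {"ts": datetime(2023, 11, 1, 8, 0), "actor": "carol", "action": "login", "target": "carol", "details": {}},
    {"ts": datetime(2024, 3, 1, 9, 0), "actor": "dave", "action": "login", "target": "dave", "details": {}},
    # dave grants a service account the admin role
    {"ts": datetime(2024, 3, 1, 9, 5), "actor": "dave", "action": "role.assign",
     "target": "svc-backup", "details": {"role": "admin"}},
    # dave creates a local account that bypasses SSO ...
    {"ts": datetime(2024, 3, 1, 9, 6), "actor": "dave", "action": "user.create",
     "target": "temp-user", "details": {"auth": "local"}},
    # ... and an ordinary SSO-backed account, which is routine
    {"ts": datetime(2024, 3, 1, 9, 7), "actor": "dave", "action": "user.create",
     "target": "erin", "details": {"auth": "sso"}},
    # carol logs in again after 121 days of silence
    {"ts": datetime(2024, 3, 1, 9, 30), "actor": "carol", "action": "login", "target": "carol", "details": {}},
    # the emergency account is used
    {"ts": datetime(2024, 3, 1, 10, 0), "actor": "breakglass-admin", "action": "login",
     "target": "breakglass-admin", "details": {}},
]


def detect_iam_changes(events, dormant_after=DORMANT_AFTER, break_glass=BREAK_GLASS_ACCOUNTS):
    """Replay events in time order and return one alert dict per identity-fabric change of interest."""
    alerts = []
    last_login = {}  # account -> timestamp of its most recent login seen so far
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "role.assign" and e["details"].get("role") == "admin":
            alerts.append({"type": "new_admin", "account": e["target"], "by": e["actor"], "ts": e["ts"]})
        elif e["action"] == "user.create" and e["details"].get("auth") == "local":
            alerts.append({"type": "local_account_created", "account": e["target"], "by": e["actor"], "ts": e["ts"]})
        elif e["action"] == "login":
            account = e["actor"]
            if account in break_glass:
                alerts.append({"type": "emergency_account_used", "account": account, "ts": e["ts"]})
            previous = last_login.get(account)
            if previous is not None and e["ts"] - previous > dormant_after:
                alerts.append({"type": "dormant_account_active", "account": account,
                               "idle_days": (e["ts"] - previous).days, "ts": e["ts"]})
            last_login[account] = e["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect_iam_changes(IAM_EVENTS):
        print(alert)
```

The dormancy rule needs history: it only fires on the second login of an account, after the first has set a baseline, so in practice the baseline would be seeded from the application's existing login records rather than from the live stream alone.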
ITDRs work together with SaaS Security Posture Management (SSPM) tools as part of the SaaS security ecosystem. SSPMs enable organizations to upgrade their security posture by automating the monitoring of security configurations.
Once the apps are secured in a way that prevents unauthorized access, ITDR tools are able to effectively detect anomalous behaviors indicating a threat.
Adaptive Shield's threat detection capabilities are built directly into its platform. Any threatening event is listed in the platform's Threat Center, and includes supplemental information to help guide an organization's response.