Detangling a Confusing Threat Detection for SaaS Landscape - Adaptive Shield

Detangling a Confusing Threat Detection for SaaS Landscape

Arye Zacks, Sr. Technical Content Specialist

Detection and response sit at the heart of any well-thought-out cybersecurity program. As resilient and strong as perimeter-based defenses are, most security professionals will concede that threats can make their way into the network, device, or application.

Detection and response tools come into play after the breach has occurred, but often are able to stop the threat actor from moving forward. You can think about this in terms of a bank robbery, where the bad guys sneak their way into the vault and get caught before they can get out with the cash. The bank robbers were able to avoid security outside the vault, but once they were inside, some type of threat detection system alerted police that a robbery was in process, and the criminals were stopped.

Detection and response are the last lines of defense. Sometimes they can completely prevent a cybersecurity incident from occurring at all, while other times they detect a breach in progress and are able to significantly limit the damage. However, for all the benefits of detection and response, there is still some confusion in the marketplace about these tools.

Figure 1. Layers of Detection & Response Defense 

EDR, XDR, NDR and More

Detection and Response have made their way into the names of many security tools. Endpoint Detection and Response, Extended Detection and Response, and Network Detection and Response are just a few of the many tools used to secure corporate and government networks.

These detection tools are vital but are limited to the areas that they serve. Detecting malware threats within endpoint devices is certainly critical in a world where data is accessed by computers, tablets, and mobile phones. XDR often takes EDR one step further, gathering intelligence from networks, users, and workloads.

XDR can be confusing to security teams, who believe they have threat detection covered across their organization. While XDR is a powerful tool, it often lacks the context to threats that native tools have to offer. For example, XDR is capable of some network threat detection capabilities, but it is a far less rich solution than NDR, which limits false positives through network context and automated threat response.

Introducing ITDR

Identity Threat Detection and Response (ITDR) is one of the newest areas of threat detection. ITDR turns its attention to users and looks for any types of threats emanating from a user account.

User security starts with credentials, MFA, and SSO. However, not every application or organization requires MFA and SSO, and even some that use SSO allow local login for app admins. If a user hands over credentials during a social engineering attack, and MFA is not enforced, the threat actor may have full access to the application.

This is where ITDR steps in. It combines data from user and entity behavior analytics (UEBA), app logs, and IP data to find behavioral patterns that indicate an attack is underway. While some of this data may be accessible to an XDR, that tool lacks the deep user knowledge to be very effective.

Click here to read more about ITDR and key capabilities

For example, ITDRs are able to distinguish between a legitimate user logging in on a cellular and land-line connection, which may appear as coming from two different geo-locations, and a threat actor logging in from a foreign or unknown locale. Using the ITDR, security teams aren’t pestered by a series of false positives, whereas detection and response tools that aren’t designed with an understanding of identity context will deliver false positives and lead to alert fatigue.

Figure 2. ITDR detects threats emanating from authorized user accounts 

Integrating ITDR Into a Security Program

Today’s successful security teams are developing models based on domain specialization, data enrichment, and integration. It combines a number of tools, including ITDR, EDR, XDR, NDR, DDR (Data Detection and Response), and CDR (Cloud Detection and Response).

Part of this is due to changes within organizations. Most have moved away from centralization, with the proliferation of cloud processing and SaaS apps.

To keep up, security teams are using decentralized, loosely coupled tools using advanced and nested analytics to monitor for threats, using multiple vendors and open content. As threats are detected by the various tools, they are sent to a central orchestration engine, where they can be analyzed and acted upon.

Detection and Response is Not Optional

As the cybersecurity landscape evolves and threats become more sophisticated, the importance of detection and response cannot be overstated. While perimeter-based defenses are essential, the reality is that threats can find their way into networks, devices, and applications. This is where detection and response tools play a critical role in mitigating the impact of breaches and cyberattacks.

EDR, XDR, NDR, and ITDR are just a few examples of the specialized solutions available. Each tool has its strengths, but organizations require a combination of these tools to detect threats.

ITDR emerges as a vital addition to the cybersecurity arsenal. By focusing on users and analyzing behavioral patterns, ITDR provides a deeper understanding of identity context, helping to distinguish between legitimate users and threat actors. Integrating ITDR into a comprehensive security program alongside other tools creates a robust defense strategy.

About the writer

Arye Zacks, Sr. Technical Content Specialist

Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.