Use Case Series: Identity Threat Detection & Response (ITDR)

ITDR is a critical piece of an enterprise’s identity fabric. It adds an additional layer of protection, identifying both insider threats and external threat actors who have gained access to the application as they move stealthily through an app with malicious intent.

Adaptive Shield Team

Two years ago, few people associated SaaS security with threat detection. Conventional wisdom held that SaaS apps and their data could be secured by hardening configurations, monitoring users and their devices, and detecting third-party app scopes. Breaches at Microsoft, Snowflake, ServiceNow, Salesforce, and others have forced the industry to reassess its position, and today ITDR is considered a must-have in the fight to secure the SaaS stack.

ITDRs in this realm are most effective when paired with an SSPM (SaaS Security Posture Management) solution. They work with data and behavioral analytics from dozens of applications across the entire SaaS stack, and can discern the difference between normal behavior and behavior that indicates a threat. These ITDR solutions offer broader insights that would be missed when looking at a single app instance.

What is ITDR?


Through 24/7 monitoring, ITDR spots the tactics, techniques, and procedures (TTPs) of threat actors. It uses Artificial Intelligence (AI), Machine Learning (ML), rule-based detections, and analytics to identify legitimate user accounts that have been compromised and are now acting against the company's best interests.

Applied across the entire SaaS stack, ITDR can take a broader view of user behavior. This wide-angle view gives it more data and insight into behavioral anomalies from specific users, allowing it to make more accurate decisions.

Defending Against Insider Threats

Security teams are increasingly worried about employees accessing their SaaS applications and sharing data with competitors. Insider threats are often assumed to be unstoppable because users access the system with legitimate credentials.

Fortunately, by tracking user and entity behavior analytics (UEBA), security teams can analyze user behavior patterns and prevent non-malware attacks. ITDR looks for indicators of compromise (IOCs), and when multiple IOCs affect the same area or user, it triggers an alert. For example, ITDR would detect that a user has increased the volume of data they download. On its own this behavior is questionable, but it normally would not rise to the level of a threat. However, if the same user also logged on in the middle of the night or from an atypical device, the combination of IOCs rises to the level of a threat, and ITDR alerts the SOC team to the incident.

Protecting Against Outsider Threats

ITDR is critical in defending SaaS apps against threat actors. These attacks use different attack vectors – stolen login credentials, brute force attacks, and malicious third-party applications – to name a few.

Using TTPs, UEBA, and indicators of compromise (IOCs), ITDR identifies threat actors attempting to infiltrate your SaaS. For example, a user who logs in to an application from different IP addresses or different geographies within a short time frame can trigger an alert. So will repeated failed login attempts using different usernames from a single IP address.
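The two detection patterns above (weak IOCs that only escalate when they coincide, and the two login patterns that alert on their own), as an added example that is not Adaptive Shield's code: a small Python correlation over constructed SaaS audit events. The event schema, the per-user baselines, the off-hours window and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SaaS audit-log events (illustrative only, not real telemetry); timestamps are UTC.
EVENTS = [
    {"ts": "2024-05-02T02:40", "user": "alice", "kind": "login", "ok": True, "ip": "198.51.100.9", "geo": "US", "device": "android-x"},
    {"ts": "2024-05-02T02:45", "user": "alice", "kind": "download", "mb": 900},
    {"ts": "2024-05-01T10:00", "user": "bob", "kind": "login", "ok": True, "ip": "203.0.113.7", "geo": "DE", "device": "bob-win"},
    {"ts": "2024-05-01T10:20", "user": "bob", "kind": "login", "ok": True, "ip": "192.0.2.44", "geo": "BR", "device": "bob-win"},
    {"ts": "2024-05-01T11:00", "user": "carol", "kind": "login", "ok": False, "ip": "192.0.2.99", "geo": "US"},
    {"ts": "2024-05-01T11:01", "user": "dave", "kind": "login", "ok": False, "ip": "192.0.2.99", "geo": "US"},
    {"ts": "2024-05-01T11:02", "user": "erin", "kind": "login", "ok": False, "ip": "192.0.2.99", "geo": "US"},
]
# Assumed per-user baselines (known devices, typical download MB) that a UEBA layer would learn over time.
BASELINE = {"alice": {"devices": {"alice-mac"}, "mb": 50}, "bob": {"devices": {"bob-win"}, "mb": 50}}

def _t(e): return datetime.fromisoformat(e["ts"])

def user_iocs(events=EVENTS, baseline=BASELINE):
    """Return {user: [IOC names]}; each IOC is a weak signal that is benign on its own."""
    iocs, last_login = defaultdict(list), {}
    for e in sorted(events, key=_t):
        u = e["user"]
        base = baseline.get(u, {"devices": set(), "mb": 50})
        if e["kind"] == "login" and e["ok"]:
            if not 6 <= _t(e).hour < 22:                      # logged on in the middle of the night
                iocs[u].append("off_hours_login")
            if e["device"] not in base["devices"]:            # atypical device
                iocs[u].append("new_device")
            prev = last_login.get(u)                          # different geography within an hour
            if prev and prev["geo"] != e["geo"] and _t(e) - _t(prev) < timedelta(hours=1):
                iocs[u].append("impossible_travel")
            last_login[u] = e
        elif e["kind"] == "download" and e["mb"] > 3 * base["mb"]:  # download volume spike
            iocs[u].append("download_spike")
    return dict(iocs)

def spray_sources(events=EVENTS, min_users=3):
    """IPs whose failed logins target at least min_users distinct usernames."""
    names = defaultdict(set)
    for e in events:
        if e["kind"] == "login" and not e["ok"]:
            names[e["ip"]].add(e["user"])
    return {ip for ip, users in names.items() if len(users) >= min_users}

def alerts(events=EVENTS, baseline=BASELINE, min_iocs=2):
    """Escalate when several weak IOCs coincide, or immediately on impossible travel."""
    return {u: i for u, i in user_iocs(events, baseline).items()
            if "impossible_travel" in i or len(i) >= min_iocs}
```

On the sample data, alice is escalated because three weak IOCs coincide, bob because of impossible travel alone, and 192.0.2.99 is flagged as a source of failed logins across many usernames.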

ITDR helps recognize malicious applications that attempt to steal, encrypt, or otherwise sabotage data through user-granted permission sets. It also flags anomalous tokens, for example tokens carrying unusual access rights or used from an unusual location.

An Integral Piece of SaaS Security

ITDR improves the depth of an organization's SaaS security. Without it, threat actors that breach the perimeter have free rein within the application. They can download data, launch ransomware attacks, and lock users out of their accounts.

With ITDR in place, organizations have a layered security apparatus securing their SaaS stack. The SSPM and identity management tools prevent unauthorized users from accessing an application. However, if a threat actor is able to breach the application, ITDR alerts the SOC team to the presence of an imminent threat and enables them to shut down access or disable accounts quickly. It keeps the data safe and gives companies the confidence they need to continue using low-cost, highly scalable SaaS applications.

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.