As identity-based cyber threats increase, organizations are expanding their budgets to combat attacks by focusing on Identity Threat Detection and Response (ITDR) solutions—the hot topic in identity-related security. If you’re looking for ITDR solutions to protect Active Directory (the most common identity system), this guide is for you. Here we’ll cover what ITDR is and how to find the best ITDR solution for your organization.
What is ITDR?
Gartner created the Identity Threat Detection and Response (ITDR) category to describe solutions that protect identity systems such as Active Directory (AD) and Azure AD, which provide authentication and access to applications and services. In response to the increasing number of identity-based threats, ITDR was included in Gartner’s Hype Cycle for Endpoint Security as an emerging technology that works to protect the identity infrastructure from malicious attacks. Gartner also noted that attackers are now primarily using credential misuse to gain privileged access to an organization’s information systems and manipulate their identity and access management (IAM) systems.
What is an ITDR solution?
ITDR solutions focus on the identity infrastructure itself, rather than the users managed by that infrastructure. According to Gartner, ITDR solutions should both protect and defend with specific identity protection capabilities, including AD environment security posture assessment, attack path management, risk scoring and prioritization, real-time monitoring of indicators of compromise (IOCs), machine learning (ML) or analytics to detect abnormal behaviors or events, and automated remediation and incident response. Given that many identity-related attacks succeed in compromising AD, a tested, AD-specific ransomware disaster recovery solution should be included as part of incident response planning.
What’s the difference between EDR and ITDR?
Endpoint detection and response (EDR) solutions collect, analyze, and respond to threat-related information about endpoints—physical devices (desktop computers, virtual machines, mobile devices) that connect to and exchange information with a computer network. Extended endpoint detection and response (XDR) solutions integrate protection of endpoints, servers, cloud applications, email, and other technologies. XDR solutions combine prevention, detection, investigation, and response in a holistic view to combat cyberattacks.
While EDR and XDR solutions focus on the outer layer of an organization’s information system, ITDR solutions focus on the identity system itself, which authenticates users and grants permission to services and applications.
Because cyber criminals are constantly coming up with new attack methods, a cybersecurity strategy that protects both endpoints and your core identity foundation while avoiding single points of failure is the best defense against current threats.
Why is ITDR important?
ITDR solutions protect the identity infrastructure, which is a primary attack vector in most cyberattacks today. And because Active Directory (AD) is the core identity store for 90% of organizations worldwide, it is the top target for cybercriminals. Because AD is hard to secure and typically has legacy misconfigurations, it is routinely compromised in cyber incidents, including the SolarWinds breach and the Colonial Pipeline attack. In fact, Mandiant reported that AD is involved in 9 out of 10 attacks they investigate.
What’s the best ITDR solution?
Organizations searching for a capable ITDR solution are faced with an increasing number of decisions. From our survey results and conversations with customers, we know organizations are concerned about the challenges of protecting hybrid identity environments throughout the entire attack lifecycle: before, during, and after a cybersecurity incident.
We surveyed IT and security leaders at 50+ enterprises and organizations to learn how they are evaluating expert ITDR solutions. The most important capabilities for ITDR solutions they reported are:
- Security posture assessment and real-time monitoring. AD is vulnerable because of legacy misconfigurations that accumulate over time and because of constantly emerging threats from ransomware-as-a-service (RaaS) groups such as LockBit and Vice. Scanning the hybrid AD environment for indicators of exposure (IOEs) and compromise (IOCs) and closing security gaps is the first step in a layered identity system defense strategy. Real-time monitoring helps organizations avoid configuration drift by flagging security indicators as they arise.
- Fast, malware-free AD forest backup and recovery. Although preventing attacks is ideal, the ability to recover from an AD-related cyber disaster is key to risk management. According to a study from Enterprise Management Associates (EMA), 50% of organizations experienced an attack on AD in the last 1-2 years. More than 40% of those attacks were successful. Without a tested plan for quickly recovering AD—that also avoids reintroducing malware—organizations risk paying ransom or experiencing weeks of business downtime while they recover the identity system.
- Automatic remediation of detected threats. Malware often sweeps through systems faster than faster than humans can intervene. Automated remediation of malicious changes is critical to stop attacks and mitigate damage. A comprehensive AD threat detection and response solution should use multiple sources of data to detect advanced attacks such as DCShadow that evade traditional log-based and event-based tools, including security information and event management (SIEM) solutions.
ITDR solutions to protect AD before, during, and after an attack
For more information about how to evaluate ITDR solutions to protect your AD and Azure AD identity system, check out the survey report “Evaluating Identity Threat Detection & Response Solutions), which answers the questions:
- How many organizations need to protect a hybrid AD environment?
- What are enterprises’ biggest concerns regarding identity threats?
- How confident are organizations in their ability to prevent or recover from cyberattacks that involve AD or Azure AD?
- What type of impact would companies face from a cyberattack that takes down AD?
- What ITDR capabilities are most important to today’s IT and security leaders?
Key takeaway: Organizations are looking for solutions that address threats across the entire AD attack lifecycle—before, during, and after an attack. The top ITDR capabilities that leaders seek include capabilities for preventing, detecting, remediating, and recovering from an attack on hybrid identity systems.
Want to learn how other organizations are answering these questions? Download our Evaluating Identity Threat Detection & Response (ITDR) Solutions survey report to learn more about the emerging category of ITDR and how you can begin thinking about how expert ITDR solutions can help you protect your identity infrastructure.