Identity Threat Detection

Named a top trend in cyber security for 2022 by Gartner, identity threat detection is an area of security all businesses need to give considerable thought to this year.

We live in an age in which security has become identity-first. Hybrid work and the migration to cloud applications mean that identity is the new perimeter. Identity-first security has taken on new urgency because attackers now target identity and access management capabilities themselves in order to gain silent persistence.


Today’s genuine threats to identities

There is a genuine threat to our workforce identities today. Every CISO should be making this a priority when you consider the damage that can happen if an identity is misused. According to the Verizon Data Breach Investigations Report of 2021, abuse of credential data is now a part of 61 percent of all data breaches that happen. More widely speaking, the so-called “human element” is factored into a massive 85 percent of data breaches, while phishing occurs in 36 percent of these data breaches.

The statistics above show that attackers continue to seek out valid credentials so that they can move through networks without being detected. The misuse of credentials has also contributed to the rapid rise in ransomware: ransomware now features in 10 percent of all data breaches, twice the level seen in 2019.

Gartner estimates that by 2023, 75 percent of security failures will result from identities, access, and privileges being managed inadequately, up from 50 percent in 2020 (a jump of 25 percentage points). Considering this, there is a clear need for more robust identity security, especially security that can determine whether suspicious activity is being carried out with genuine account credentials.

What is identity threat detection and response?

With identity-based attacks increasing, today’s companies need to have the ability to detect when attacks misuse, exploit, or steal enterprise identities. This need is especially the case as companies race to adopt the public cloud, and both non-human and human identities continue to rise at an exponential rate. It is now vital that identity-based activity is detected when you consider the penchant for attackers to utilize credentials and access central identity providers such as Active Directory (AD), Okta and Azure AD.

Identity threat detection and response (ITDR) is a new security category that sits adjacent to a number of existing detection solutions, including Network Detection and Response (NDR), Extended Detection and Response (XDR), and Endpoint Detection and Response (EDR).

While some people may wonder whether the security sector really needs another acronym, we can assure you that ITDR is much more than a few letters. It fills an important gap. Compared with other identity protection solutions, ITDR differs because it focuses on protecting access, privileges, and credentials, as well as the systems that manage them. It represents a critical step forward, marking the introduction of a new range of security tools.

Understanding what makes identity threat detection and response different

At their core, ITDR solutions have features that detect credential theft and privilege misuse, as well as attacks on Active Directory and risky entitlements that create attack paths.

Identity threat detection and response (ITDR) is about the protection of identities, entitlements, and the systems that manage them. This is very different when you compare this to existing identity protection tools, such as IGA, PAM, and IAM, which typically concentrate on authentication and authorization, and ensuring that the right people have access to the resources they require.

On the flip side, identity threat detection and response jumps in to give visibility to privilege escalation activities, entitlement exposures, and credential misuse, from the endpoint, to AD, to multi-cloud environments.

Uses for identity threat tools

There are a number of different use cases for identity analytics tools, and we are going to take a look at the main ones below so that you can get a better understanding.

Reduce risk with adaptive authentication

We are sure that you have noticed that multi-factor authentication (MFA) is now widely implemented across applications. This approach requires a user to verify their digital identity by authenticating with a minimum of two factors, rather than with a password alone.

The extra layers of verification improve security. However, when MFA is implemented uniformly across the organization, it places an authentication burden on users who are already inside a secure network, which can have a negative impact on productivity and user experience.

With an adaptive authentication solution, real-time user risk assessments are carried out. Users will be prompted to supply extra authentication elements only if their risk is perceived to be high. What this means is that you are going to be able to enhance security without usability being compromised.
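The real-time risk assessment described above can be illustrated with a small risk engine. This is an added example written for this page, not Oort's product logic: it scores a sign-in attempt from the kinds of signals mentioned later on this page (device, location, time of day, role) and prompts for MFA only when the score is high enough. The weights, thresholds, user profiles and sign-in attempts are all assumptions constructed for the example.

```python
"""Adaptive (risk-based) authentication: step up to MFA only on risky sign-ins.

Added example, not Oort's code. Weights, thresholds and sample data are
assumptions; a real deployment would tune them against its own sign-in history.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set, Tuple


@dataclass
class UserProfile:
    user: str
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                 # hours (UTC) in which the user normally signs in
    privileged: bool = False
    # (time, lat, lon) of the previous successful sign-in, used for impossible travel
    last_seen: Optional[Tuple[datetime, float, float]] = None


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess_risk(profile: UserProfile, attempt: SignIn):
    """Return (score, reasons). Each signal adds an assumed weight to the score."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 35
        reasons.append("new device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    if attempt.when.hour not in profile.usual_hours:
        score += 15
        reasons.append("outside usual hours")
    if profile.last_seen is not None:
        prev_when, plat, plon = profile.last_seen
        hours = (attempt.when - prev_when).total_seconds() / 3600.0
        dist = haversine_km(plat, plon, attempt.lat, attempt.lon)
        # Faster than any commercial flight: the same credential is in two places.
        if hours > 0 and dist / hours > 900:
            score += 50
            reasons.append("impossible travel")
    if profile.privileged:
        score = int(score * 1.5)       # admins tolerate less risk before a prompt
    return score, reasons


def decide(profile: UserProfile, attempt: SignIn, step_up_at=35, block_at=100):
    """Map the score to an action: allow silently, prompt for MFA, or block."""
    score, reasons = assess_risk(profile, attempt)
    if score >= block_at:
        action = "block"
    elif score >= step_up_at:
        action = "mfa"
    else:
        action = "allow"
    return action, score, reasons


# Constructed sample data (assumptions, not real users or locations of anyone).
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)

ALICE = UserProfile("alice", {"laptop-01"}, {"GB"}, range(7, 20), False, (T0, *LONDON))
BOB_ADMIN = UserProfile("bob", {"laptop-02"}, {"GB"}, range(7, 20), True, (T0, *LONDON))

ATTEMPTS = [
    SignIn("alice", "laptop-01", "GB", *LONDON, T0.replace(hour=10)),           # routine
    SignIn("alice", "phone-99", "GB", *LONDON, T0.replace(hour=10, minute=15)),  # new device
    SignIn("alice", "laptop-01", "US", *NEW_YORK, T0.replace(hour=10, minute=30)),  # 90 min after London
    SignIn("bob", "laptop-02", "US", *NEW_YORK, T0.replace(hour=10, minute=30)),    # same, but an admin
]

if __name__ == "__main__":
    for profile, attempt in zip([ALICE, ALICE, ALICE, BOB_ADMIN], ATTEMPTS):
        print(attempt.user, attempt.device_id, attempt.country, decide(profile, attempt))
```

The routine sign-in passes silently, the new device alone is enough to prompt for MFA, and the London-to-New York hop in ninety minutes combines with the unusual country to prompt as well; the same hop on an administrator account crosses the block threshold. The point of the design is that the prompt is driven by the attempt's risk, not applied to every login.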

Monitoring dormant and terminated account use

Terminated and dormant accounts must be purged on a frequent basis, yet occasionally accounts are overlooked because of request backlogs or analyst oversight. Such accounts could end up being misused for the purpose of gaining access to your system.

Identity analytics can be utilized so that unusual activities can be detected and the privileges of terminated and dormant accounts can be remediated. This will lower the risk of credential misuse happening, as well as enhancing the risk posture of your business by removing high-risk credentials.

Discover orphan accounts

An orphaned account is an account that lingers in a system after the person it belonged to has left, for example an account belonging to an ex-employee. An account like this is ripe for compromise, because nobody is watching it.

With the assistance of an identity analytics solution, you can identify accounts and entitlements that cannot be traced back to a current owner. These accounts can then be revoked, increasing security while lowering licensing expenses.

Improve security and monitoring of accounts with privileges

There are two main kinds of privileged accounts that can be found in businesses:

  • The first is used by system processes or applications to interact with the operating system, i.e. service accounts
  • The second is the various user accounts that have administrative privileges

Cybercriminals target accounts like this because they can give them easy access to your company’s sensitive information.

With identity analytics solutions, you can uncover unused privileged accounts with ease, and you can spot changes in behavior, for example, credential sharing attempts and privilege escalation.

User and entity behavior analytics (UEBA) is leveraged by analytics tools to detect such unusual user actions. UEBA applies machine learning techniques to build a baseline of activity deemed normal for each privileged account, and then detects deviations from that baseline. When a deviation is found, the responsible personnel receive an alert describing what happened.

Think about a user account in Active Directory that is provisioned with a single administrative privilege. Should this account suddenly start exercising a number of different privileges, for example deleting child objects, modifying owners, or resetting passwords, UEBA will determine that these activities are abnormal. The account is flagged as suspicious and alerts are sent to the responsible personnel.

Identity analytics solutions give IT administrators and security analysts the ability to configure automated responses, such as disabling access temporarily, whenever unusual activity is detected.

Risk-based access certifications

In today’s businesses and organizations, a lot of users typically have excessive access privileges. However, it can take a lot of time to review each of these privileges manually. This can lead to fast, rubber-stamped approvals, with possible security concerns being overlooked.

Identity threat detection provides contextual risk scores for every user based on a number of sources, including peer group analysis, application usage data, and user behavior. Some solutions even provide entitlement-level risk scores.

You can configure identity threat solutions so that managers receive notifications about high-risk user profiles only. This will drastically lower the time managers must spend on certification campaigns.

As the majority of identity security tools offer a context-rich consolidated view of a user’s profile (which is collated from numerous applications and systems), managers are able to perform more successful and accurate access certifications.

Find and remove any excessive access permissions

In an ideal world, users should only be able to access resources that are relevant to their job roles, be it services, applications, directories, or servers. However, a lot of users end up having excessive permissions due to a number of different reasons.

This could be because they were granted a special permission to carry out a particular task and that permission was never removed, or because the person switched roles or was promoted and kept the permissions of the old role.

With identity analytics built into a security solution, there will be a review of all access privileges based on application usage patterns and user behavior. If there is an identity that has excessive access permissions, this can be flagged instantly to be reviewed for remediation of any access privileges that are not deemed necessary.
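The risk-based certification described under "Risk-based access certifications" above and the excessive-access review described here both rest on the same two questions about each entitlement a user holds: how unusual is it among the user's peers, and is it actually being used? The following is an added example written for this page, not Oort's scoring algorithm. It combines peer-group analysis and usage data into a per-entitlement risk score and produces the short review queue a manager would be sent instead of a full rubber-stamp campaign. The users, peer groups, entitlements, weights and last-used dates are constructed sample data.

```python
"""Entitlement risk scoring from peer-group rarity and usage.

Added example, not Oort's algorithm. Users, groups, entitlements, usage
dates, weights and the sensitivity list are constructed assumptions.
"""
from datetime import date
from typing import Dict, Optional, Set, Tuple

# Constructed directory data: user -> (peer group, entitlements held)
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("finance", {"erp-read", "erp-post-journal", "expense-approve"}),
    "bob":   ("finance", {"erp-read", "erp-post-journal"}),
    "carol": ("finance", {"erp-read", "erp-post-journal", "prod-db-admin"}),
    "dave":  ("finance", {"erp-read"}),
    "erin":  ("platform", {"prod-db-admin", "k8s-cluster-admin"}),
    "frank": ("platform", {"prod-db-admin", "k8s-cluster-admin"}),
}

# Constructed usage data: (user, entitlement) -> date last exercised.
# Pairs missing from this table have never been used since they were granted.
LAST_USED: Dict[Tuple[str, str], date] = {
    ("alice", "erp-read"): date(2023, 6, 30),
    ("alice", "erp-post-journal"): date(2023, 6, 28),
    ("alice", "expense-approve"): date(2023, 7, 1),
    ("bob", "erp-read"): date(2023, 6, 29),
    ("carol", "erp-read"): date(2023, 6, 30),
    ("carol", "erp-post-journal"): date(2023, 6, 27),
    ("dave", "erp-read"): date(2023, 6, 30),
    ("erin", "prod-db-admin"): date(2023, 6, 30),
    ("erin", "k8s-cluster-admin"): date(2023, 6, 29),
    ("frank", "prod-db-admin"): date(2023, 6, 28),
    ("frank", "k8s-cluster-admin"): date(2023, 6, 30),
}

# Entitlements an organisation would classify as high impact (assumed list).
SENSITIVE = {"prod-db-admin", "k8s-cluster-admin", "erp-post-journal"}
IDLE_CAP_DAYS = 180     # beyond this, idleness counts as "never used"


def peer_prevalence(user: str, entitlement: str) -> float:
    """Fraction of the user's peer group (excluding the user) holding the entitlement."""
    group = USERS[user][0]
    peers = [u for u, (g, _) in USERS.items() if g == group and u != user]
    if not peers:
        return 1.0  # no peers to compare against: treat as unremarkable
    return sum(1 for p in peers if entitlement in USERS[p][1]) / len(peers)


def days_idle(user: str, entitlement: str, today: date) -> Optional[int]:
    last = LAST_USED.get((user, entitlement))
    return None if last is None else (today - last).days


def score_entitlement(user: str, entitlement: str, today: date) -> int:
    """0..100 risk score: rare among peers, unused, and sensitive all push it up."""
    rarity = 1.0 - peer_prevalence(user, entitlement)   # 1.0 = no peer holds it
    idle = days_idle(user, entitlement, today)
    idle_factor = 1.0 if idle is None else min(idle, IDLE_CAP_DAYS) / IDLE_CAP_DAYS
    sensitivity = 1.0 if entitlement in SENSITIVE else 0.4
    return round(100 * (0.5 * rarity + 0.3 * idle_factor + 0.2 * sensitivity))


def review_queue(today: date, threshold: int = 60):
    """(user, entitlement, score) rows a manager should certify, highest risk first."""
    rows = []
    for user, (_, entitlements) in USERS.items():
        for ent in sorted(entitlements):
            score = score_entitlement(user, ent, today)
            if score >= threshold:
                rows.append((user, ent, score))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for row in review_queue(date(2023, 7, 1)):
        print(row)
```

With the sample data, only two of fourteen user-entitlement pairs reach the queue: a finance analyst holding production database admin rights that no finance peer holds and that have never been used, and a journal-posting entitlement that was granted but never exercised. An entitlement that is rare among peers but in daily use and low impact (the expense-approval right) stays below the threshold, and the platform engineers' admin rights score low because every peer holds and uses them. That is the contextual scoring the certification campaign is meant to surface.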

Make critical decisions about your business with identity analytics

Identity analytics can be used to help you make valuable decisions about your business and future growth.

Identity analytics helps decision-makers such as CISOs and CIOs to see and measure their identity and access management program. It does this by gathering critical information about user behavior and the key factors relevant to it, for example trust, reputation, risk exposure, and costs across the entire organization. Based on these insights, further investments in people and technology can be evaluated.

Secure all areas of your business

You can use identity analytics to dynamically assess all of your access decisions, and also to intelligently manage and identify user risk profiles based on how they behave. This will lower the manual effort that is needed, as well as enhance how accurate your security operations are.

Identity threat detection enables the investigation of any user whose behavior or posture is out of policy or beyond normal expectations.

Characteristics identified from the analytics data, for example time of day, role of the user, device type, and location or region, can be used to profile the user and to alert on changes in the user's security posture.

Zero Trust in the real world

The most famous example of ZTNA in a real setting is Google with its BeyondCorp project. It began as an internal Google initiative to allow employees to work from untrusted networks without a VPN, and the model is now widely used. Google started BeyondCorp in the aftermath of Operation Aurora, a series of cyberattacks in 2009 that resulted in Google losing some of its intellectual property. As a result, Google reimagined its security architecture around how employees and devices access internal applications.

BeyondCorp is now offered to the general public and is naturally one of the biggest trailblazers of ZTNA in the real world. Vendors are also being called upon to demonstrate the Zero Trust model. Following the executive order issued in May 2021 by President Joe Biden, the National Institute of Standards and Technology selected 18 companies to demonstrate their approaches to implementing Zero Trust. These include big names such as Amazon Web Services, Microsoft, Tenable, McAfee, and IBM. The 18 participating companies will provide examples of integrating open-source and commercial products that follow cyber security standards and recommended practice.

As the real world comes around to the notion of Zero Trust, it is now time for businesses to reap the benefits.

Effective threat analysis

Next, we take a look at how identity analysis plays a critical role in terms of threat analysis at your business. Threat analysis involves determining which elements of the system should be protected, and also the sort of security threats that these components ought to be protected from.

Businesses are able to define a threat model by making the most of identity analytics, for example, behavioral user patterns, the geographical distribution of users, the number of super users in the system, and also the number of active users in the system. Furthermore, machine learning and artificial intelligence can be used to define these threat models by making the most of analytics data.

Improve employee satisfaction and productivity with identity analytics

Identity analytics can help you in both finding out what works for your customers and also your employees. You can use the insights provided to determine what sort of strategies will be most beneficial in terms of enhancing efficiency and productivity in your workplace.

With the help of analytics tools, businesses can get an improved understanding of exactly how their employees work, and of which processes within the business consume the most money and time and cause delays.

With these facts, businesses are able to understand how they can best support their employees to take productivity to the next level.

Moreover, they will be able to invest money in enhancing the organizational processes and automating processes where needed so that more productivity can be achieved within the business. In turn, this is going to result in employee satisfaction increasing.

All of these things will come together to help your business be a success. After all, we all know how difficult it can be for businesses today to hold onto their best talent, especially in today’s competitive environment. This is why it is important to make changes that make it easier for your workers to do their jobs and to feel happy within the workplace.

Protecting against the threat of fraud

Startling statistics from Cifas, a fraud prevention service, have revealed that identity theft has increased by 57 percent year on year.

LinkedIn, Twitter, and Facebook are a "hunting ground" for identity thieves. 85 percent of the frauds were carried out on the Internet, and most cases involved the fraudster gathering details about a real person, including their date of birth, name, bank details, and address, and then assuming their identity, rather than using a fictitious identity. Most fraudsters pieced together identities from social media; few hacked computers to carry out the theft.

This highlights the importance of being extra cautious when online nowadays. People need to think about the details they share online, and you should check your privacy levels to ensure high levels of security.

How you could be putting your ID at risk

Identity theft is rife at the moment. Unfortunately, we live in a day and age whereby we need to do all in our power to protect our personal information. You could be putting your ID at risk without realizing it.

Nowadays, a lot of fraudsters use social media to get the information they need to assume someone’s identity. They find out an individual’s birthday, address, and full name, for example, and then piece together the rest. If you over-share on social media, you could be putting your identity at risk. You also need to avoid using passwords that can be guessed with ease, such as your birthday or your pet’s name. Instead, use a combination of lowercase letters, uppercase letters, numbers, and special characters, and make sure you do not share passwords for your social media accounts, email or smartphone.

You could also be putting yourself at risk if you carry all of your credit cards in your purse or wallet. If you lose this, you’ll be in an extremely vulnerable position. Instead, only carry what you need. You also should avoid keeping account statements and any mail that contains personal information lying around the house. Shred documents so no one can obtain your personal details.

How identity analytics can help with threat detection

Identity analytics can be used to define a behavioral baseline of a user's normal activities and to identify anomalies against it. Conventional rules and static statistical models are no longer enough to find threats in today's complicated technology environments.

You can derive a behavioral baseline by using historical data. When new or current behavior is compared, the difference between the two can be used for the purpose of identifying anomalies and threats in the activities.

Threat detection involves assessing user behavior and posture so you can judge risk quickly. Threat prevention is also critical: it happens before a breach is attempted, and its aim is to lower the risk of a breach in the future.

Artificial intelligence and machine learning algorithms can be used for the purpose of identifying threats. For example, machine learning algorithms are able to model the normal behavior of events, and then anomalies can be detected as deviations from the modeled typical behavior in real time (or close enough).
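The behavioral baseline described in this section, and the Active Directory privilege-accumulation scenario described earlier under "Improve security and monitoring of accounts with privileges", can be demonstrated with a single small detector. This is an added example written for this page, not Oort's detection logic. It learns from a history window of constructed Windows Security audit events which privileged operations each account normally performs and how many per day, then flags a day on which an account performs operations it has never performed before, or far more of them than its baseline, and proposes the automated response (temporarily disabling the account) mentioned earlier. The event IDs are the real Windows Security log IDs for these operations; the events, accounts and thresholds are constructed assumptions.

```python
"""Per-account behavioural baseline over Active Directory audit events.

Added example, not Oort's code. Event IDs are real Windows Security log IDs;
the events, account names, window lengths and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Privileged directory operations and their Windows Security event IDs (real IDs).
PRIVILEGED_OPS = {
    4724: "password reset",
    4726: "user account deleted",
    4728: "member added to global security group",
    4732: "member added to local security group",
    4756: "member added to universal security group",
    5136: "directory object modified",      # e.g. owner or ACL change
}

# Constructed history window: (day, actor, event_id). A helpdesk account does
# 2-3 password resets a day; an admin adds one group member a day.
HISTORY = []
for _i in range(1, 11):
    _day = f"2023-06-{_i:02d}"
    HISTORY += [(_day, "helpdesk1", 4724)] * (3 if _i % 2 else 2)
    HISTORY.append((_day, "admin-sam", 4728))

# Constructed detection day: helpdesk1 behaves normally; admin-sam suddenly
# resets passwords, modifies objects and deletes accounts; a never-seen
# account performs its first privileged operation.
TODAY = (
    [("2023-06-11", "helpdesk1", 4724)] * 3
    + [("2023-06-11", "admin-sam", 4728)]
    + [("2023-06-11", "admin-sam", 5136)] * 4
    + [("2023-06-11", "admin-sam", 4726)] * 2
    + [("2023-06-11", "admin-sam", 4724)] * 3
    + [("2023-06-11", "contractor-x", 4732)]
)


def build_baseline(events):
    """Per actor: mean and std of privileged ops per day, and the op types seen."""
    per_day = defaultdict(Counter)   # actor -> Counter(day -> number of privileged ops)
    ops_seen = defaultdict(set)
    days = set()
    for day, actor, eid in events:
        if eid not in PRIVILEGED_OPS:
            continue
        days.add(day)
        per_day[actor][day] += 1
        ops_seen[actor].add(eid)
    baseline = {}
    for actor, counter in per_day.items():
        counts = [counter.get(d, 0) for d in sorted(days)]   # 0 on days with no activity
        baseline[actor] = {"mean": mean(counts), "std": pstdev(counts), "ops": ops_seen[actor]}
    return baseline


def detect(baseline, events, z_threshold=3.0):
    """Return (actor, reason, action) for each account deviating from its baseline."""
    per_actor = defaultdict(list)
    for _day, actor, eid in events:
        if eid in PRIVILEGED_OPS:
            per_actor[actor].append(eid)
    findings = []
    for actor, eids in per_actor.items():
        base = baseline.get(actor)
        if base is None:
            findings.append((actor, "no baseline: first privileged activity for this account", "alert"))
            continue
        new_ops = set(eids) - base["ops"]
        n = len(eids)
        std = max(base["std"], 1.0)   # floor so one extra op on a steady account is not an alert
        z = (n - base["mean"]) / std
        reasons = []
        if new_ops:
            reasons.append("new operations: " + ", ".join(PRIVILEGED_OPS[e] for e in sorted(new_ops)))
        if z > z_threshold:
            reasons.append(f"{n} privileged ops today vs baseline {base['mean']:.1f} +/- {base['std']:.1f}")
        if reasons:
            # Both signals together are strong enough for an automated response;
            # either alone goes to an analyst first.
            action = "disable account pending review" if (new_ops and z > z_threshold) else "alert"
            findings.append((actor, "; ".join(reasons), action))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), TODAY):
        print(finding)
```

The helpdesk account's three resets sit inside its baseline and produce nothing, which is the property that keeps the alert volume manageable. The admin account is flagged on both dimensions (operations it had never performed, and ten operations against a baseline of one) and is proposed for temporary disablement, while the account with no history at all is raised as an alert rather than auto-disabled, since a brand-new administrator looks the same as an attacker until someone checks.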

Enhance identity and access management at your business

Identity analysis that is based on both current and historic data can be used for the purpose of enhancing the identity and access management processes of your business so you can cater to business and organizational needs.

This helps to save time, improve efficiency and, ultimately, drive down costs. More importantly, you can use it to determine the security procedures that best match your organizational and business needs.

For example, you can use identity analytics to enhance or improve the following procedures so that you can enjoy all of the benefits mentioned above:

  • Define processes for handling untrusted data
  • Monitor specific accounts
  • Improve access request and approval processes
  • Simplify role management procedures
  • Define the threat model for your business

Boost company agility and speed up innovation

Last but not least, we also cannot overlook the role that identity analytics play in terms of business agility. Business agility is the capability of a business to quickly adapt to changes in the market and respond quickly to demands. Business agility is a very vital thing, especially when it comes to enterprise workforce identity management.

Also, businesses can utilize identity analytics to determine where they are succeeding and where their security processes need to be improved.

Final words on identity threat detection

We hope that this has helped you to get a better understanding of what to expect from identity analytics, and why these solutions are so important today. Here at Oort, we can help you if your IAM is a mess. With our easy, yet powerful identity threat detection solution, we can give you 360-degree visibility into your business so that you can improve security without complicated deployments or integrations.

If you would like to find out more about the solution we provide or you have any questions, please do not hesitate to get in touch with our team, who will be happy to help you in any way they can.

