Oort is now part of Cisco  |  Learn more

Try it free

Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond

Security leaders have realized they must prioritize the security of their identities and user accounts. A robust identity security program is essential to protect sensitive information and prevent unauthorized access to your crown jewels.

One widely adopted framework that can guide organizations in developing an effective identity security program is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This framework provides a structured approach to managing and mitigating cybersecurity risks. In this blog post, we will explore how you can map your identity security program to the four stages of the NIST CSF: Identify, Protect, Detect, and Respond.

This is the framework we have used to create the in our “Blueprint for Building an Identity Security Program”, which you can download to learn more. 

This blog is taken from our Blueprint for Building an Identity Security Program guide.


The first stage of the NIST CSF is "Identify," which involves understanding your organization's identity landscape and potential risks. To align with this stage, your identity security program should focus on several key areas.

Maintaining an accurate inventory of human and machine identities. Regularly reviewing and updating the identity inventory ensures that all accounts are legitimate and necessary. There can be several challenges with building an inventory, which you can read about here: Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory. 

Merging users is essential as organizations grow and accumulate multiple accounts for the same user across different systems. For example, you should consider human resources systems, cloud IAM, and Active Directory. By merging these accounts, you can consolidate access privileges and reduce the risk of orphaned accounts. 

Protect: Posture Management and IAM Hygiene 

The second stage of the NIST CSF is "Protect," which involves implementing safeguards to ensure the security of identities and user accounts. 

Maintaining good identity hygiene is crucial for preventing unauthorized access. This involves addressing issues such as inactive accounts, inactive guest accounts, lack of multifactor authentication (MFA), and excessive access privileges.

At this stage, you should also consider the configuration and policies of identity providers – sometimes referred to as “IAM Hardening”. For example, is there a policy for session management enabled? Are cloud and on-prem AD accounts syncing properly? Do guest accounts require MFA? 


The third stage of the NIST CSF is "Detect," which focuses on proactive monitoring and detection of identity-related threats. This includes leveraging indicators of compromise (IOC) and behavioral techniques to help identify suspicious activities associated with user accounts. 

More mature capabilities focus on the latest tactics, techniques, and procedures (TTP) employed by threat actors and mapping them to Mitre ATT&CK. This can include monitoring for signs of brute forcing, session hijacking, risky parallel sessions, admin anomalies, and MFA flooding.


The fourth stage of the NIST CSF is "Respond," which involves taking prompt and effective actions to mitigate identity-related incidents. Consider the following strategies to align with this stage.

This requires you to develop incident response playbooks specific to identity-related incidents. These playbooks outline the necessary steps and actions to be taken in the event of an identity compromise.

Within these playbooks, different teams can take different actions to effectively respond to identity threats. These actions include resetting MFA for compromised accounts, terminating suspicious sessions, and quarantining users. A timely response is crucial to minimize the impact of identity-related incidents and prevent further damage.

Building Your Identity Security Program

By mapping your identity security program to the four stages of the NIST CSF - Identify, Protect, Detect, and Respond - you can establish a comprehensive framework for managing and mitigating identity-related risks. This framework requires ongoing monitoring, assessment, and adaptation to address evolving threats. By speaking the same language as the NIST CSF, organizations can strengthen their identity security posture and protect their valuable digital assets from malicious actors.

In our “Blueprint for Building an Identity Security Program”, we dive into each of these areas and provide actionable recommendations, KPIs, and tools to address each stage.

Oort’s Identity Security Platform

Oort is an identity-centric enterprise security platform. As a turnkey solution for Identity Threat Detection and Response (ITDR), Oort is providing immediate value to security teams by working with existing sources of identity to enable comprehensive identity attack surface management in minutes. Led by a team with decades of domain expertise across identity, networking, and security, Oort is backed by venture capital investors including Energy Impact Partners, .406 Ventures, Bain Capital Ventures, Cisco Investments and others. Market-leading technology companies, like Collibra and Avid Technology, rely on Oort to provide full visibility into their identity populations.

To get a free identity security health assessment, request a demo.  

Recent Blogs

This week we’re introducing two new checks, a “registered location” tag, and more. Read on to learntrue

There have been plenty of exciting releases to get excited about over the last year. However, thistrue