It’s the age of identity security. The explosion of driven ransomware attacks has made CISOs and security teams realize that identity protection lags 20 years behind their endpoints and networks. This realization is mainly due to the transformation of lateral movement from fine art, found in APT and top cybercrime groups only, to a commodity skill used in almost every ransomware attack. The lateral movement uses compromised credentials for malicious access – a critical blind spot that existing XDR, network, and SIEM solutions fail to block.
Identity Threat Detection and Response (ITDR) has emerged in the last couple of years to close this gap. This article breaks down the top five ITDR capabilities and provides the key questions to ask your ITDR vendor. Only a definitive ‘YES’ to these questions can ensure that the solution you evaluate can indeed deliver its identity security promise.
Coverage For All Users, Resources, and Access Methods
Why is it important?
Partial protection is as good as no protection at all. If identity is the name of the game, then the ITDR protection should range across all user accounts, on-prem and cloud resources, and no less importantly – all access methods.
What questions to ask:
- Does the ITDR also cover non-human identities, such as Active Directory (AD) service accounts?
- Can the ITDR analyze the full authentication trail of users, across on-prem resources, cloud workloads and SaaS apps?
- Would the ITDR detect malicious access over command line access tools such as PsExec or PowerShell?
Real-Time (Or As Close As You Can Get)
Why is it important?
In-threat detection speed matters. In many cases, it could be the difference between spotting and mitigating a threat at an early stage or investigating a full-size active breach. To deliver that, the ITDR should apply its analysis on authentications and access attempts as close to their occurrence as possible.
What questions to ask:
- Does the ITDR solution integrate directly with on-prem and cloud Identity Providers to analyze authentications as they happen?
- Does the ITDR query the IDP to detect changes in account configuration (for example OU, permissions, associated SPN, etc.)?
Multi-Dimensional Anomaly Detection
Why is it important?
No detection method is immune to false positives. The best way to increase accuracy is to search for multiple different types of anomalies. While each by itself might occur during legitimate user activity, the mutual occurrence of several would increase the likelihood that an actual attack was detected.
What questions to ask:
- Can the ITDR solution detect anomalies in the authentication protocol (for example, hash usage, ticket placement, weaker encryption, etc.)?
- Does the ITDR solution profile users’ standard behavior to detect access to resources that were never accessed before?
- Does the ITDR solution analyze access patterns that are associated with lateral movement (for example, accessing multiple destinations in a short period of time, moving from machine A to machine B and subsequently from B to C, etc.)?
Need an ITDR solution to secure the identity attack surface of your on-prem and cloud environments? Learn how Silverfort ITDR works and request a demo to see how we can address your specific needs.
Chain Detection with MFA and Access Block
Why is it important?
Accurate detection of threats is the starting point, not the end of the race. As we’ve mentioned above, time and accuracy are the key to efficient protection. Just like an EDR that terminates a malicious process, or an SSE that blocks malicious traffic, the ability to trigger automated blocking of malicious access attempts is imperative. While the ITDR itself cannot do that, it should be able to communicate with other identity security controls to achieve this goal.
What questions to ask:
- Can the ITDR follow up detection of suspicious access by triggering a step-up verification from an MFA solution?
- Can the ITDR follow up on the detection of suspicious access by instructing the Identity Provider to block access altogether?
Integrate with XDR, SIEM, and SOAR
Why is it important?
Threat protection is achieved by the conjoint operation of multiple products. These products might specialize on a certain facet of malicious activity, aggregate signals to a cohesive contextual view, or orchestrate a response playbook. On top of the capabilities that we’ve listed above, ITDR should also integrate seamlessly with the security stack already in place, preferably in an automated manner as possible.
What questions to ask:
- Can the ITDR solution send the XDR user risk signals and import risk signals on processes and machines?
- Does the ITDR share its security findings with the SIEM in place?
- Can the ITDR’s detection of malicious user access trigger SOAR playbook on the user and the resources it’s logged in to?
Silverfort ITDR
Silverfort’s ITDR is part of a consolidated identity security platform that includes, among other capabilities, MFA, privileged access security, service account protection, and authentication firewalls. Built on native integration with AD, Entra ID, Okta, ADFS, and Ping Federate, Silverfort ITDR analyzes every authentication and access attempt in the hybrid environment and applies multiple, intersecting risk analysis methods to detect malicious user activity and trigger real-time identity security controls.
Learn more on Silverfort ITDR here or schedule a demo with one of our experts.
https://thehackernews.com/2024/07/true-protection-or-false-promise.html