True Protection or False Promise? The Ultimate ITDR Shortlisting Guide

Jul 10, 2024 | The Hacker News | Endpoint Security / Identity Security

The surge of orchestrated ransomware attacks has brought a sobering fact to light for CISOs and security teams: identity protection lags two decades behind their network and endpoint defenses. The reason is that lateral movement has evolved from a sophisticated technique, once exclusive to APT groups and top-tier cybercrime gangs, into a commodity skill used in almost every ransomware campaign. It relies on compromised credentials for malicious access, a significant blind spot that existing XDR, network, and SIEM products fail to prevent.

ITDR (Identity Threat Detection and Response) has emerged in recent years to close this gap. This article examines the five key ITDR capabilities and lists the critical questions to ask your ITDR provider. Only an unequivocal "YES" to these questions can assure that the solution under evaluation will deliver on its identity security promise.

Coverage For All Users, Resources, and Access Methods

Why does it matter?

Partial protection is as good as no protection at all. If identity is the core of the game, then ITDR protection must cover all user accounts, both on-premises and in the cloud, and, equally important, all access methods.

Questions to ask:

  1. Does the ITDR also cover non-human identities such as Active Directory (AD) service accounts?
  2. Can the ITDR analyze the full authentication trail of users, spanning on-premises resources, cloud workloads, and SaaS applications?
  3. Will the ITDR detect malicious access via command-line tools such as PsExec or PowerShell?

Real-Time (Or As Close As Possible)

Why is it critical?

Speed of detection matters. It is often the difference between spotting and containing a threat at an early stage and investigating a full-blown active breach. To achieve this, the ITDR should analyze authentications and access attempts as close to the moment they occur as possible.

Questions to ask:

  1. Does the ITDR solution integrate directly with on-premises and cloud Identity Providers (IdPs) to analyze live authentications?
  2. Does the ITDR query the IdP to discover changes in account configuration (e.g., OU, permissions, associated SPNs, etc.)?

Multi-Dimensional Anomaly Detection

Why is this pivotal?

No detection mechanism is immune to false positives. The most effective way to increase accuracy is to look for several different anomalous patterns. Although each one on its own might occur during legitimate user activity, the co-occurrence of several raises the likelihood that a genuine attack is being flagged.

Questions to ask:

  1. Can the ITDR solution identify anomalies in the authentication protocol itself (e.g., hashes or tickets used in place of passwords, downgraded encryption types, etc.)?
  2. Does the ITDR solution build a profile of each user's routine behavior in order to detect access to resources the user has never visited before?
  3. Will the ITDR solution examine access patterns associated with lateral movement (e.g., reaching many destinations within a short time, moving from machine A to machine B and then from B to C, etc.)?

Looking for an ITDR solution to protect the identity attack surface in your on-premises and cloud environments? Learn how Silverfort ITDR works and schedule a demo tailored to your specific requirements.

Chain Detection with MFA and Access Block

Why is this crucial?

Accurate detection is only the beginning of the race, not the end. As noted above, time and precision are the cornerstones of effective protection. Just as an EDR terminates a malicious process or an SSE blocks malicious traffic, the ability to trigger an automated block on malicious access attempts is essential. The ITDR cannot enforce this on its own, so it must be able to interface with other identity security controls to achieve it.

Questions to ask:

  1. Can the ITDR follow up on detecting suspicious access by triggering step-up verification from an MFA solution?
  2. Can the ITDR follow up on detecting suspicious access by instructing the Identity Provider to block the access outright?
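As an added illustration of the two preceding sections (multi-dimensional anomaly detection and chaining detection to an MFA or block response), the following Python scores each authentication on several independent dimensions and maps the number of co-occurring anomalies to a response. This is example code written for this article, not Silverfort's detection logic; the log format, the rules (a legacy Kerberos encryption type as the protocol anomaly, a destination outside the user's baseline, rapid fan-out, and A-to-B-to-C hop chains), the thresholds, and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed rules (not Silverfort's): legacy Kerberos etypes count as a protocol anomaly.
WEAK_ENC = {"RC4-HMAC", "DES-CBC-MD5"}
LATERAL_WINDOW = timedelta(minutes=5)   # window for "many destinations in a short time"
FANOUT_THRESHOLD = 3                    # distinct destinations inside the window

def baseline(events):
    """Per-user set of destinations seen in the learning period (the user's routine)."""
    seen = {}
    for e in events:
        seen.setdefault(e["user"], set()).add(e["dst"])
    return seen

def score_event(ev, history, seen):
    """List the anomaly dimensions one authentication trips; history = same user's events inside LATERAL_WINDOW."""
    flags = []
    if ev["enc"] in WEAK_ENC:
        flags.append("weak_encryption")        # protocol-level anomaly
    if ev["dst"] not in seen.get(ev["user"], set()):
        flags.append("new_destination")        # deviates from the routine profile
    if len({h["dst"] for h in history} | {ev["dst"]}) >= FANOUT_THRESHOLD:
        flags.append("rapid_fanout")           # many targets in a short time
    if any(h["dst"] == ev["src"] for h in history):
        flags.append("hop_chain")              # A -> B earlier, now B -> C
    return flags

def decide(flags):
    """Response a connected IdP/MFA control could enforce; co-occurrence raises severity."""
    return "block" if len(flags) >= 3 else "step_up_mfa" if len(flags) == 2 else "allow"

def analyze(learning, live):
    seen, recent, out = baseline(learning), {}, []
    for ev in sorted(live, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        hist = [h for h in recent.get(ev["user"], []) if ts - h["ts"] <= LATERAL_WINDOW]
        flags = score_event(ev, hist, seen)
        out.append((ev["user"], ev["src"], ev["dst"], flags, decide(flags)))
        recent[ev["user"]] = hist + [{**ev, "ts": ts}]
    return out

# Constructed sample: routine access in the learning period, then a burst that looks like credential-based lateral movement.
LEARNING = [{"ts": "2024-07-03T09:00:00", "user": "alice", "src": "WS-ALICE", "dst": d, "enc": "AES256"} for d in ("FILESRV1", "MAIL1")]
LIVE = [
    {"ts": "2024-07-10T09:00:00", "user": "alice", "src": "WS-ALICE", "dst": "FILESRV1", "enc": "AES256"},
    {"ts": "2024-07-10T10:00:00", "user": "alice", "src": "WS-ALICE", "dst": "SRV-A", "enc": "RC4-HMAC"},
    {"ts": "2024-07-10T10:01:00", "user": "alice", "src": "SRV-A", "dst": "SRV-B", "enc": "RC4-HMAC"},
    {"ts": "2024-07-10T10:02:00", "user": "alice", "src": "SRV-B", "dst": "SRV-C", "enc": "RC4-HMAC"},
]
```

Running `analyze(LEARNING, LIVE)` allows the routine file-server logon, asks for step-up MFA on the first unusual RC4 authentication, and blocks once the hop chain and fan-out appear.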

Integrate with XDR, SIEM, and SOAR

Why is integration crucial?

Threat mitigation is the combined effort of several products. Each may specialize in a particular facet of hostile activity, consolidate signals into a coherent contextual picture, or orchestrate a response playbook. Alongside the capabilities listed above, an ITDR should integrate seamlessly with the existing security stack, and be as automation-friendly as possible.

Questions to ask:

  1. Can the ITDR solution send user risk signals to the XDR and import risk signals on processes and machines from it?
  2. Does the ITDR forward its security findings to the existing SIEM?
  3. Can the ITDR's detection of malicious user access trigger a SOAR playbook on the user and the systems they are logged into?

Silverfort ITDR

Silverfort's ITDR is part of a unified identity security platform that also includes MFA, privileged access security, service account protection, and authentication firewalls. Leveraging its native integration with AD, Entra ID, Okta, ADFS, and Ping Federate, Silverfort ITDR analyzes every authentication and access attempt in the hybrid environment, applying multiple intersecting risk analysis methods to detect malicious user activity and trigger real-time identity security controls.

For more details on Silverfort ITDR, click here or schedule a demo with our experts.

Found this article interesting? This article is a guest post from one of our valued partners. Follow us on Twitter and LinkedIn for more exclusive content.
