The nature of user identity informs advanced cybersecurity while enabling an inherently personalized, seamless user experience. In the cybersecurity space, we say “identity is everything”, and we mean it. In a rapidly evolving threat landscape, identity is your best defense...but not all identity strategies are created equally.
In 2024, most companies have invested in governance, authentication, and multi-factor authentication (MFA), but operational identity security is still a critical blind spot. All hackers need to facilitate a breach within these companies is an identity and the means to compromise it. Identity threat detection and response (ITDR) can stop that from happening.
ITDR is an operational identity security discipline that leverages behavioral analysis to rapidly detect and respond to suspicious activity within an organization’s digital environment. Imagine ITDR as a cybersecurity fire alarm and sprinkler system -- without it, you might not realize your building is on fire until it's too late.
To better understand the role of ITDR in our current digital landscape, we spoke with identity security expert Arun Shrestha, CEO and cofounder of BeyondID, to address some of our frequently asked questions.
Why has ITDR become essential in today's cybersecurity landscape?
Threats aren't slowing down. Google's 2023 Threat Horizons Report revealed that 86% of security breaches involve the use of stolen credentials – that makes it clear to us that continuous, identity-informed monitoring is key to defending against hackers in 2024.
When a hack occurs, you have 1 minute to detect it, 10 minutes to understand it, and 60 minutes to contain it before hackers begin moving laterally through your network. Right now, the average time to detect and contain a security breach is 272 days. The consequences of missing these marks are significant, and without ITDR in place, hitting them is nearly impossible.
In the short term, organizations are accepting a higher risk of breach, longer response times, difficulties remaining compliant, and increased attack surface due to their inability to detect threats early on. With all these factors at play, organizations can expect to face significant financial losses and reputational damage in the event of an attack.
In the first nine months of 2021, a 2020 identity-based attack on SolarWinds cost the company $40M. This is an important story because it was revealed after the fact that hackers had breached SolarWinds’ security perimeter and moved within the company’s digital environment undetected for six months before launching their attack, and by the time they had detected any breach, hackers had been inside their environment for 14 months. If SolarWinds had implemented ITDR, this infamous attack could have been easily prevented.
Stories like this shed light on the importance of proactive cybersecurity investments, and with the release of the 2023 Mitre report confirming that 2/3 of attacks are account takeovers, ITDR is top of mind. But in a corporate culture of cost-cutting, ITDR has been mislabeled as a luxury item.
It’s common to see businesses try to stretch the realistic capabilities of extended detection and response (XDR) and security operations centers (SOC) -- tools that are not a 1:1 replacement for ITDR. Until they suffer a breach themselves, it’s easy to skate by on an “it won’t happen to us” mentality. As a result, we observe more reactive investments in ITDR.
Integrating ITDR into your overall security strategy is an important investment…and in 2024 it’s a necessary one. From where we stand, ITDR should be a cybersecurity standard.
You mentioned that businesses have minutes to detect and understand the scope of a threat and less than an hour to contain it. What are the critical first steps organizations should take within this narrow timeframe to effectively mitigate these threats?
There is a lot that goes into a response process, but ultimately it comes down to isolation and eradication -- how quickly can you take an indicator of attack and determine if it's real or a false positive? If it is real, progressing through multiple phases of investigation, analysis, remediation, communication, and so on, as quickly as possible is critical.
Early detection is key because any response is a race against a threat that could already be on the move within your environment, creating alternate modes of access, and making it difficult to remove them entirely.
Why do you think there has been a recent spike in identity-based attacks, and what specific factors are driving this trend now?
Identity-based attacks are popular because almost anyone can carry them out. There is a low technical barrier to entry for bad actors using stolen credentials, and it doesn't take great technical depth and skills to manipulate an individual through social engineering, relative to a purely technical attack vector. Humans are often the weakest link in any organization's infrastructure, and without widespread ITDR measures in place, the door is wide open for bad actors to continue exploiting this oversight.
While many companies focus on governance and multi-factor authentication, you argue that operational identity security is often neglected. Can you elaborate on the key tools and strategies that can help ensure threats don't slip through the cracks?
The first point I always emphasize is that tools alone are adequate to protect an organization. Companies need to address both internal and external threat actors by establishing a 24/7 Security Operations Center (SOC) that leverages ITDR in addition to XDR to detect suspicious behaviors and swiftly respond to, investigate, and remediate incidents by focusing on true positives.
When it comes to tools, I always encourage organizations to fully utilize the ones they already have. It's common for businesses to purchase cybersecurity solutions but leave capabilities unused. When we work with customers, we often find that features and functionalities aren't properly configured or were never set up. Solutions that are expertly configured perform far better than those that are underutilized, meaning the tool you're looking for to strengthen your defenses might already be in your back pocket.
What are the top three mistakes companies are making in their identity security strategy, and how can they address these issues to strengthen their defenses?
Between cost and resource constraints, corporate politics, and an ever-evolving threat landscape, there are plenty of things working against your organization’s cybersecurity strategy.
These are three common ways businesses are sabotaging their own cybersecurity posture:
1. Placing too much confidence in one solution
It is a huge mistake to trust that the procedures you currently have in place will be enough to prevent your company from being the next breach headline. Hackers are constantly evolving, and so are cybersecurity defenses, which is why isolated investments don’t work. To maintain a strong cybersecurity posture, organizations must create a holistic view of their strategy, understand that the environment changes constantly, and make continuous, robust efforts to evolve with the threat landscape.
2. Underfunding IT and cybersecurity
By technology standards and especially with staffing, security teams are underfunded all around. Organizations should not attempt to solve cybersecurity issues by themselves using the Do It Yourself (DIY) approach. Many malicious activities and threats are highly sophisticated and require attention from experts who are trained in effective methods and have access to cutting-edge technology available in modern 24/7 Security Operations Centers (SOC).
Investing in the right specialists -- whether in-house or externally -- and ongoing training is essential to maintaining strong defenses. Your organization will fall behind quickly if your team isn’t continuously evolving.
Where business leaders are concerned, cybersecurity is often an attractive place to trim expenses. But businesses simply cannot cut their cybersecurity budget and hope they don’t suffer a breach. Hackers aren’t stopping, so you can’t either.
3. Letting trends rule their strategy
Right now, ITDR is an important topic, but AI is overwhelmingly more relevant in today’s culture of conversation – the “hype cycle”, if you will. In a year, ITDR won’t be the new hot topic, but it will still be just as critical to your identity strategy, and that’s why trends are the enemy of a holistic cybersecurity strategy. Investing in a comprehensive, intentional approach to security – a secure total experience – will always yield better results than a one-off implementation of some cool new technology.
Comments