Episode 092 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Tracking Identity Threats Before They Track You
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Mark Batchelor, Identity Leader, CTO at Verosint
- Guest: Amie Dsouza, Cybersecurity Program Manager, Southwest Airlines
Description
As identity-based attacks grow more sophisticated, traditional IAM solutions need a boost. In this episode of Identerati Office Hours, we dive into Identity Threat Detection & Response (ITDR), a critical enhancement for modern IAM strategies. How can ITDR go beyond access management to detect, mitigate, and respond to identity threats in real time? Will ITDR become essential for security teams to stay ahead of evolving threats? Tune into this IOH episode to learn more!
Homework
- Why ITDR is a Critical Enhancement for Traditional IAM Vendors
- What is Identity Threat Detection & Response (ITDR)
Comparison of SOAR, SIEM and ITDR (compliments of ChatGPT)
| Feature | SOAR (Security Orchestration, Automation, and Response) | SIEM (Security Information and Event Management) | ITDR (Identity Threat Detection and Response) |
|---|---|---|---|
| Primary Purpose | Automate and orchestrate security operations | Collect, aggregate, and analyze security logs | Detect and respond to identity-based attacks |
| Focus Area | Incident response, playbooks, automation | Log management, event correlation, compliance | Identity security, continuous monitoring, anomaly detection |
| Data Sources | SIEM, threat intelligence, security tools | System logs, network logs, IAM logs | IAM logs, authentication logs, behavioral analytics |
| Real-Time Threat Detection | No, relies on alerts from SIEM/EDR | Yes, but primarily based on rule-based alerts | Yes, monitors user behavior in real time |
| Behavioral Analysis | No, relies on predefined rules | Limited, rule-based correlation | Yes, detects anomalies in identity usage |
| Identity Graphs | No | No | Yes, builds user identity graphs |
| Automated Response | Yes, automates playbooks | No, alerts need manual response or SOAR integration | Yes, can enforce step-up authentication, session revocation |
| Correlation of Identity-Based Attacks | No, needs external identity context | No, lacks identity behavioral monitoring | Yes, detects and mitigates identity-based attacks |
| Use Cases | Automating response actions, reducing analyst workload | Threat detection, log analysis, forensic investigations | Protecting against credential stuffing, MFA bypass, session hijacking |
| Limitations | Requires well-defined playbooks, lacks deep identity analytics | Generates high false positives, lacks identity correlation | Requires integration with IAM systems, relatively new market segment |
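The "Behavioral Analysis" and "Use Cases" rows above describe what an ITDR detection actually does with authentication logs. The following is an added example (not code from the episode, from Gluu, or from any ITDR vendor) that runs two such detections over a constructed IdP-style log: a credential-stuffing pattern (one source IP failing against many distinct accounts, and which accounts it then succeeded against) and an impossible-travel pattern (one account succeeding from two locations faster than any plausible trip). The log format, the IP-to-location table, and the thresholds are all assumptions chosen for the example.

```python
"""Toy ITDR-style detections over a constructed authentication log.

Everything here (log format, geolocation table, thresholds) is an assumption
made for illustration, not a real product's format or API.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed IP -> (lat, lon) table; a real deployment would use a GeoIP feed.
GEO = {
    "203.0.113.10": (47.6062, -122.3321),  # Seattle office
    "203.0.113.11": (47.6062, -122.3321),  # Seattle office, second egress
    "198.51.100.7": (51.5074, -0.1278),    # London
    "192.0.2.99": (37.7749, -122.4194),    # San Francisco
}

# Constructed sample log lines: <timestamp> <user> <source ip> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2025-03-01T10:00:00Z alice 203.0.113.10 SUCCESS
2025-03-01T10:05:00Z alice 198.51.100.7 SUCCESS
2025-03-01T10:06:00Z bob 192.0.2.99 FAILURE
2025-03-01T10:06:01Z carol 192.0.2.99 FAILURE
2025-03-01T10:06:02Z dave 192.0.2.99 FAILURE
2025-03-01T10:06:03Z erin 192.0.2.99 FAILURE
2025-03-01T10:06:04Z frank 192.0.2.99 FAILURE
2025-03-01T10:06:05Z grace 192.0.2.99 SUCCESS
2025-03-01T11:00:00Z bob 203.0.113.11 SUCCESS
2025-03-01T11:30:00Z bob 203.0.113.10 SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_events(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(stamp, user, ip, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events: list[AuthEvent], min_distinct_users: int = 5) -> dict:
    """Flag source IPs that fail against many accounts; list any accounts they then got into.

    Returns {ip: {"attempted": [...users...], "compromised": [...users...]}}.
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for e in events:
        (succeeded if e.success else failed)[e.ip].add(e.user)
    return {
        ip: {"attempted": sorted(users), "compromised": sorted(succeeded.get(ip, set()))}
        for ip, users in failed.items()
        if len(users) >= min_distinct_users
    }


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events: list[AuthEvent], max_speed_kmh: float = 1000.0) -> list[tuple]:
    """Flag consecutive successful logins for one user that imply travel faster than max_speed_kmh."""
    last_success: dict[str, AuthEvent] = {}
    alerts = []
    for e in events:
        if not e.success or e.ip not in GEO:
            continue
        prev = last_success.get(e.user)
        if prev is not None and prev.ip != e.ip:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(GEO[prev.ip], GEO[e.ip])
            if hours <= 0 or km / hours > max_speed_kmh:
                alerts.append((e.user, prev.ip, e.ip, round(km), round(hours, 2)))
        last_success[e.user] = e
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("impossible travel:", detect_impossible_travel(evs))
```

On the constructed log, the stuffing detector flags 192.0.2.99 (five distinct accounts failed, then one succeeded), which is the account a responder would act on first; the travel detector flags alice (Seattle to London in five minutes) but not bob, whose two Seattle egress IPs resolve to the same location. In practice both detectors want an allow-list for shared egress IPs and VPN concentrators to keep the false-positive rate down, which is exactly the over-reaction problem the takeaways below raise.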
Takeaways
- ⚡ Hackers don't break in... they log in. Enterprises need to do more to detect these malicious logins. But it's not easy... because it's hard to figure out if a particular login is really suspicious, especially if we want to avoid over-reacting to a false positive.
- ⚡ Making sense of the logs is hard. ITDR recognizes that we need special tools and algorithms to turn all this data into information. Traditional SIEM and SOAR tools aren't getting the job done, especially as they have trouble correlating identities across the enterprise application stack.
- ⚡ Enterprises have many tools... using them all effectively and integrating them into business processes is a challenge. ITDR is new, so it's not clear exactly how enterprises will utilize it to its maximum utility.
- ⚡ Detecting is nice, but responding is more valuable. But how to respond is easier said than done. In a federated topology, terminating the session at the IDP won't necessarily kill sessions in the RPs. Revoking tokens won't work if applications don't check for token revocation (and just wait for the tokens to expire). Enterprises need to buy and build applications that support more advanced authorization tools in order to take full advantage of ITDR.
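The last takeaway makes two claims about response actions: revoking a token does nothing for an RP that only checks signature and expiry, and ending the session at the IdP does nothing for RP sessions unless something tells the RPs. The following is an added example (not code from the episode, from Gluu, or from any real IdP or RP) that models both in a few dozen lines. Tokens are HMAC-signed JSON with a shared key, the IdP's `introspect` method stands in for an OAuth introspection endpoint, and `terminate_session` stands in for a back-channel logout fan-out; all names, the token format and the key are assumptions made for the example.

```python
"""Constructed IdP/RP model showing why revocation needs cooperating RPs.

Token format, class names and the shared HMAC key are assumptions for this
example, not any real product's wire format or API.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_locally(token: str, key: bytes) -> dict | None:
    """Signature check only. This is all an RP can learn without talking to the IdP."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_unb64(body))


class IdentityProvider:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.revoked: set[str] = set()               # revoked token ids (jti)
        self.rp_sessions: dict[str, set[str]] = {}   # IdP session id -> RPs holding a local session
        self.rps: dict[str, RelyingParty] = {}

    def issue(self, sub: str, sid: str, jti: str, exp: int) -> str:
        claims = {"sub": sub, "sid": sid, "jti": jti, "exp": exp}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def introspect(self, token: str, now: int) -> bool:
        """Introspection-style answer: good signature, unexpired, and not revoked."""
        claims = verify_locally(token, self.key)
        return bool(claims) and claims["exp"] > now and claims["jti"] not in self.revoked

    def record_rp_session(self, sid: str, rp: RelyingParty) -> None:
        self.rps[rp.name] = rp
        self.rp_sessions.setdefault(sid, set()).add(rp.name)

    def terminate_session(self, sid: str) -> list[str]:
        """Back-channel fan-out: without this, RP sessions outlive the IdP session."""
        notified = sorted(self.rp_sessions.pop(sid, set()))
        for name in notified:
            self.rps[name].backchannel_logout(sid)
        return notified


class RelyingParty:
    def __init__(self, name: str, key: bytes, idp: IdentityProvider, check_revocation: bool) -> None:
        self.name, self.key, self.idp, self.check_revocation = name, key, idp, check_revocation
        self.sessions: dict[str, str] = {}  # IdP session id -> subject

    def login(self, token: str, now: int) -> bool:
        claims = verify_locally(token, self.key)
        if not claims or claims["exp"] <= now:
            return False
        self.sessions[claims["sid"]] = claims["sub"]
        self.idp.record_rp_session(claims["sid"], self)
        return True

    def accept(self, token: str, now: int) -> bool:
        """Per-request check. An expiry-only RP keeps honouring a revoked token until exp."""
        claims = verify_locally(token, self.key)
        if not claims or claims["exp"] <= now:
            return False
        return self.idp.introspect(token, now) if self.check_revocation else True

    def backchannel_logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def demo() -> dict:
    """Issue one token to two RPs, then apply the two ITDR response actions."""
    key = b"constructed-shared-secret"  # assumption: shared HMAC key stands in for IdP signing keys
    idp = IdentityProvider(key)
    lax = RelyingParty("payroll-legacy", key, idp, check_revocation=False)
    strict = RelyingParty("hr-portal", key, idp, check_revocation=True)
    now = 1_700_000_000
    token = idp.issue(sub="alice", sid="sid-1", jti="jti-1", exp=now + 3600)
    lax.login(token, now)
    strict.login(token, now)

    idp.revoke("jti-1")  # response action 1: revoke the suspicious token
    results = {
        "lax_accepts_revoked": lax.accept(token, now + 60),
        "strict_accepts_revoked": strict.accept(token, now + 60),
        "lax_accepts_after_expiry": lax.accept(token, now + 3601),
    }
    results["rps_notified"] = idp.terminate_session("sid-1")  # response action 2: kill the IdP session
    results["rp_sessions_left"] = len(lax.sessions) + len(strict.sessions)
    return results


if __name__ == "__main__":
    print(demo())
```

The expiry-only RP keeps accepting the revoked token for the rest of its lifetime, while the introspecting RP rejects it on the next request; and the IdP's session termination only reaches the RPs because each one registered its session and implemented a logout callback. Both behaviours are application-side choices, which is the point of the takeaway: an ITDR product can issue the revocation, but only applications built to check it will act on it.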