Cracking the Challenges of ITDR in the SaaS Environment

ITDR (identity threat detection and response) in the SaaS environment is like crime detection at a masquerade ball.

You can’t draw conclusions based on faces or any other means of individual identification, because everyone is wearing a mask. People may not be who they seem to be. 

You need to determine suspicion based on behavior alone. Not an easy job.

In the SaaS environment, everyone is wearing a mask: the mask of user identity. ITDR in the SaaS environment is not an easy job at all. 

What is the Mask of User Identity?

In the SaaS environment, your identity is the credentials you enter. If you enter an organization’s SaaS environment with the credentials of the CFO, you ARE the CFO.

The IT or information security team can’t see the actual individual entering those credentials. It might be the CFO. Then again, it could be the CFO’s teenage daughter. Or a member of a Russian nation-state threat organization. 

But you can’t ever know for sure. Because all you see is the mask of user identity credentials. 

Another thing the IT or information security team can’t see is the guilt written all over a sales manager’s face as they download lists of leads to sell to competitors or otherwise use for personal gain. (Note: even when you’re actually staring someone in the face, you can’t always see guilt written on it - but this makes it impossible.)

In the SaaS environment, there is no clear-cut way to determine true identity and intention, which makes ITDR a challenge. 

It is a critical challenge to crack, however, considering that credentials and identities are extensively used by bad actors to steal data. Gaining access to systems through the use of real credentials was the method behind 37% of the data breaches in 2024 analyzed in a Verizon report. 

Types of Identity Threats 

There are three main types of identity security threats that need detection ASAP:

• Identity impersonation
• Identity misuse
• Risky retained identity

Identity impersonation

This identity security threat takes the form of an external bad actor impersonating one of your legitimate internal users by using their credentials. 

Possible ways they might obtain those credentials are:

• Phishing attacks and other social engineering stratagems that get users to reveal their access credentials
• Brute force: trying combinations of usernames and passwords at scale
• Credential stuffing: leveraging lists of compromised credentials from one SaaS system to breach a different SaaS system (this is why they tell you never to use the same password for multiple systems!)
• Password-stealing malware

Identity misuse

Otherwise known as insider risk, identity misuse is when a legitimate internal user goes bad and uses their permissions to steal data or otherwise harm your organization.  

Motivations can include:

• Revenge
• Personal financial gain

Risky retained identity

When a formerly legitimate identity no longer needs access to your systems, but you don’t remove the access, it becomes a risky retained identity. 

Departing employees are common candidates for risky retained identities. If all access credentials are not revoked, and all permissions are not removed, there’s a good chance they will access your SaaS systems at some point in the future. In an analysis we did of DoControl clients, 90% of them had former employees who accessed assets stored in SaaS applications after they left the company (some up to 2 years later!).

Other frequently found risky retained identities are those of third-party contractors for a long-finished project. Ask any third-party service provider if they’ve ever been given access to an organization’s system and found admin users whom no one at the organization can identify. You’re almost certain to get a yes.

Better (or worse) together

Sometimes an identity security threat can come from a combination of the above. For example, an external bad actor discovers a risky retained identity and then leverages it to access your systems. 

This situation describes the 2023 Cloudflare breach that followed an Okta breach. Cloudflare rotated almost all the access tokens that had been revealed in Okta’s breach - except four. Why? Because they were under the impression that those tokens and service accounts were no longer used. 

Well, it may have been true that they were no longer used. But their access remained. And the bad actors responsible for the Okta breach (or those they sold the stolen data to), jumped on this risky retained access and used it.

Watch Your Behavior!

So what can you use in the SaaS environment to detect identity threats, if you can know so little from the user identity itself?

Follow the user identity behavior. Behavior is key to ITDR in the SaaS environment. 

The first step to identifying a bad actor is identifying a strange actor. Is the user identity acting objectively strange? Are they acting subjectively strange (as compared to how they usually act)?

Here are some of the key areas in which to track user identity behavior:

Logins

• How many login attempts they make 
• From which device/location they log in

Accounts

• Disabling MFA
• Changing password strength requirements

Asset interaction

• Sharing assets with personal emails
• Publicly sharing sensitive data 
• Bursts of intensive public sharing (even if the shared assets are not sensitive)
• Sharing assets with malicious domains

It’s All Relative

The importance of relativity and benchmarking when it comes to ITDR should be emphasized. If you don’t compare a user identity’s behavior against its own standard (or the standard for their department, role, etc.), you’ll either get many false positives (inducing alert fatigue and blindness) or false negatives. 

For a practical example, let’s take the above mentioned behavior area of logins. Your organization may have user identities who are globetrotters. They’re constantly traveling on business and it’s normal for them to log in to your organization’s SaaS applications from five different international locations over the course of a month. Then you have the user identities who never, ever login from anywhere further than a 30 mile radius of their home. 

If Stay-at-home Sam’s user identity suddenly logs in from Tasmania, that should be an immediate red flag. But if Globetrotting Gabby does the same, it would be premature to sound an alarm or take action. 

Remediating Identity Threats in Your SaaS Environment

Let’s get practical. What do you need to do to prevent, detect and respond to identity security threats in your SaaS environment?

Identity risk profiling

Effective ITDR usually depends on accurate, comprehensive identity risk profiles. These profiles - created for each user identity within your SaaS environment, including third-parties to whom you’ve given access - combine identity attributes with the identity’s behaviors. 

The identity risk profile is based on aggregated data, from data access patterns to user permissions to relevant business context from HRIS. Changes to any of this data (e.g. employment status in the HR system) will immediately be taken into account in the risk profile.

All of the identity’s subsequent behaviors, including system logins, data asset access and asset interaction, are evaluated in light of both objective risk (e.g. sharing with malicious domains) and subjective risk (e.g. sharing more sensitive files externally than that user identity or its department usually do). In addition to signaling risk and triggering alerts and/or automated remediation workflows, this behavioral data also informs the risk profile itself, adjusting the benchmarks and standards for this user identity as well as its overall risk score.

Risky retained identity

Dealing with risky retained identities is the low-hanging fruit of ITDR in the SaaS environment. If your SSPM (SaaS Security Posture Management) solution is efficiently integrated with your HR and project management systems, it should enable immediate and comprehensive removal of any user identity that is no longer relevant. 

If an employee departs, that should be registered with your HRIS. The HRIS will then inform your SSPM solution, which will remove the employee’s access to their user identity and also remove any of that identity’s access permissions on individual assets.

If a project on which external contractors worked is completed, that should be noted in your project management system. The project management system will then inform your SSPM solution, which will remove all access permissions related to those contractor’s identities.

Per-identity remediation

In order to make the above prevention and mitigation steps into a reality, your SSPM tool must be able to implement actions per user identity. If not, and you have to go into every SaaS asset to check if the user identity in question has access, SaaS identity risk management becomes ridiculously labor intensive. Effective SaaS ITDR requires the ability to both evaluate and act on the per-identity level.

ITDR = You Can’t Hide

Detecting criminals at a masquerade ball is hard. Detecting the bad actors in your SaaS environment is harder. 

But with ITDR that uses identity risk profiling, SaaS activity, effective cross-system integrations and per-identity remediation, you’re well on your way to revealing the identities’ true faces.