Identity threats are everywhere
Identity-based attacks are a major threat to organizations, thanks to the proliferation of identities across SaaS apps. As more companies adopt cloud services, remote work, and bring-your-own-device policies, attackers will try to exploit identities to gain the keys to your kingdom.
When your organization's resources are accessed from countless locations and devices, it’s difficult to know what identities exist, and what apps are in use, let alone deal with actual threats arising from compromised identities. This blog explores how organizations can effectively implement Identity Threat Detection and Response (ITDR) solutions to protect their most valuable assets: their identities.
What is Identity Threat Detection and Response?
Think of ITDR as your organization’s digital bouncer: an ITDR solution continuously monitors who's accessing what in your digital environment and how they're behaving once they're in.
Most attacks, breaches and security incidents are identity-initiated since they use the identities of internal users. Identity infrastructure is not centrally controlled or localized, but it’s applied across the internet, connecting various third-party apps and services.
The main goal of Identity Threat Detection and Response (ITDR) is to detect and respond to attacks on identity systems and infrastructure.
Common identity attacks include compromised or stolen credentials, phishing, insider threats from disgruntled employees, and ransomware.
Sophisticated identity attacks include Oktajacking, SAMLjacking, risky OAuth scopes, abusing SWA authentication, and stealing password manager secrets.
The importance of identity threat detection in cybersecurity
The cloud has become the locus for sensitive and valuable company data, but it’s also increased the scale of the identity attack surface. Apps are usually directly exposed on the internet, so the only thing needed to access them is identities.
Multiple identities across SaaS systems mean there’s more than one way to breach your organization. With so many identity attack vectors in play, your cybersecurity program needs to be ten steps ahead.
Consider these identity attack statistics:
- 90% of organizations experienced an identity attack in the past year
- 81% of hacking-related breaches leveraged either stolen or weak passwords
- 68% of companies suffered direct business impact from an identity breach, losing on average millions of dollars
Identity-based attacks are particularly dangerous because they use legitimate credentials to access systems, making these breaches harder to detect with traditional security tools.
Let’s take a closer look at identity attack vectors to understand why it’s paramount that organizations have an ITDR solution in place:
- Insider threat - Employees can expose your organization's data in a variety of ways, including oversharing data within Google Drive, sharing with their own personal email, massive downloading or uploading of files, and cross-SaaS suspicious activity. Departing employees who don’t leave on good terms are a particular source of insider threat since they might try to exfiltrate or destroy company data.
- Account takeover - Abnormal access patterns can indicate possible account takeover, and include atypical or impossible travel, suspicious location access, IP/domain/URL anomalies, device or browser access deviations, password/login patterns, dormant accounts, and malware takeover.
- Supply chain attacks - Users with installed Google Workspace shadow apps that are unsanctioned can unknowingly open the backdoor to malicious supply chain attacks.
- External data theft - Users outside your organization, such as former employees and contractors, could access and exfiltrate sensitive assets.
It's a major organizational headache to detect and respond to these identity-based attacks in a timely manner.
The big gap in ITDR solutions
When it comes to protecting your organization from identity-based attacks, most Identity Threat Detection and Response (ITDR) solutions fall short. About one third of global businesses are affected by insider attacks, which escape detection by traditional ITDR systems. Here are some of the critical gaps in ITDR solutions:
Visibility challenges and legacy solutions - For organizations stretched across multiple platforms and identity providers, it’s difficult to attain end-to-end visibility across the identity landscape. Over 90% of organizations still rely on legacy Azure Active Directory (now Entra ID), which can be challenging to integrate with current ITDR solutions.
Identity impersonation - In work-critical apps such as Google Workspace, it’s possible for users to pretend to be someone else. Hackers recently managed to bypass the email verification step when creating Google accounts, and impersonate legitimate domain owners. What’s more, Google’s domain-wide delegation can unintentionally give users unauthorized access to an entire Workspace domain.
Challenge of monitoring NHIs - The proliferation of non-human identities (NHIs) makes it difficult to monitor them, creating a significant security gap. Existing systems often fail to capture granular data about non-human identity activities, hindering compliance and investigation activities.
Alert fatigue and risk prioritization - Most ITDR solutions generate a high number of false positives, creating alert fatigue in security teams. There’s a genuine need for intelligent context-based threat classification and prioritization.
Most ITDR solutions on the market will protect your organization’s endpoint - be it a laptop or mobile device - from being attacked and infecting the entire organization. But these solutions don’t take into account, or even correlate, the user’s behavior across SaaS apps.
Key components of Identity Threat Detection and Response solutions
Unlike traditional security solutions that focus on endpoints or networks, ITDR goes beyond traditional Identity and Access Management (IAM) by actively monitoring and responding to identity-based threats in real time. It's not just about managing permissions: ITDR will alert you when those permissions are compromised and strengthen the overall cybersecurity posture of your organization.
Key components of an ITDR solution work together to detect, analyze, and respond to identity-related incidents:
1. Identity monitoring
ITDR solutions provide real-time, continuous monitoring of user behavior, login activities, and authentication patterns across your network and cloud environments to detect anomalies and potential threats. Identity monitoring includes:
- User access data - Track which user and service accounts have access to resources and detect unusual access patterns that may indicate account takeovers or privilege escalation attacks
- Behavioral profiling - Establish baselines of normal user behavior, including login times, locations, and devices used. Deviations from these profiles may indicate account compromise. Any unusual activity, such as login attempts from strange locations, or excessive failed logins, is flagged.
2. Threat detection intelligence
Using algorithms, ITDR solutions inform organizations about current attack techniques and indicators of compromise, ranging from common credential abuse to advanced persistent threats (APTs):
- Matching against known threats - ITDR solutions compare behavioral anomalies and suspicious events with known threat patterns to identify an attack in real time, such as a brute-force attack
- Machine learning with external sources - Data from threat intelligence feeds is incorporated to stay up-to-speed with emerging and unknown identity-based threats, such as spear phishing
3. Advanced analytics
User and entity behavior analytics (UEBA) establishes baselines for normal behavior and identifies deviations by users and entities within an organization:
- Behavioral analytics - An unusual pattern, such as strange login locations or abnormal access requests, might indicate a security threat
- Risk scoring - UEBA assigns risk scores to user activities and identities, based on their potential threat to the organization
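The monitoring and UEBA components above (per-user baselines, deviation detection, risk scoring) as a worked example. This is added illustration code, not DoControl's or the original post's: it builds each user's baseline of login cities and devices from constructed sample events, then scores later logins for a new location or device, impossible travel between successive logins, and excessive failed logins. Field names, weights and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample SaaS login events (not real data); "ok" means the login succeeded.
EVENTS = [
    {"user": "alice", "ts": "2025-03-03T09:00:00", "city": "London", "lat": 51.51, "lon": -0.13, "device": "mac-a1", "ok": True},
    {"user": "alice", "ts": "2025-03-04T08:55:00", "city": "London", "lat": 51.51, "lon": -0.13, "device": "mac-a1", "ok": True},
    {"user": "bob", "ts": "2025-03-03T10:10:00", "city": "Berlin", "lat": 52.52, "lon": 13.41, "device": "win-b7", "ok": True},
    # Events on or after CUTOFF are evaluated against the baseline built from the earlier ones.
    {"user": "alice", "ts": "2025-03-10T09:00:00", "city": "London", "lat": 51.51, "lon": -0.13, "device": "mac-a1", "ok": True},
    {"user": "alice", "ts": "2025-03-10T10:00:00", "city": "New York", "lat": 40.71, "lon": -74.01, "device": "mac-a1", "ok": True},
]
# bob: five failed logins in a row, then a success, all from his usual device and city.
EVENTS += [{"user": "bob", "ts": f"2025-03-10T02:0{m}:00", "city": "Berlin", "lat": 52.52, "lon": 13.41, "device": "win-b7", "ok": m == 5} for m in range(6)]

CUTOFF = datetime(2025, 3, 10)
MAX_SPEED_KMH = 900           # assumed ceiling for plausible travel between two logins
FAILED_LOGIN_LIMIT = 5        # assumed threshold for "excessive failed logins"
WEIGHTS = {"impossible_travel": 5, "new_location": 3, "new_device": 2, "excessive_failed_logins": 4}


def parse(ts):
    return datetime.fromisoformat(ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def build_baseline(events, cutoff):
    """Per-user cities and devices seen in successful logins before the cutoff."""
    base = defaultdict(lambda: {"cities": set(), "devices": set()})
    for e in events:
        if e["ok"] and parse(e["ts"]) < cutoff:
            base[e["user"]]["cities"].add(e["city"])
            base[e["user"]]["devices"].add(e["device"])
    return base


def evaluate(events, cutoff):
    """Return {user: (risk_score, sorted findings)} for activity on/after the cutoff."""
    base = build_baseline(events, cutoff)
    findings, failures, last_ok = defaultdict(set), defaultdict(int), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        t, u = parse(e["ts"]), e["user"]
        if t < cutoff:
            continue
        if not e["ok"]:
            failures[u] += 1
            if failures[u] >= FAILED_LOGIN_LIMIT:
                findings[u].add("excessive_failed_logins")
            continue
        failures[u] = 0                      # a success ends the failure streak
        if e["city"] not in base[u]["cities"]:
            findings[u].add("new_location")
        if e["device"] not in base[u]["devices"]:
            findings[u].add("new_device")
        prev = last_ok.get(u)
        if prev:                              # speed implied by the previous successful login
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (t - parse(prev["ts"])).total_seconds() / 3600
            if km > MAX_SPEED_KMH * hours:
                findings[u].add("impossible_travel")
        last_ok[u] = e
    return {u: (sum(WEIGHTS[f] for f in fs), sorted(fs)) for u, fs in findings.items()}


def risk_level(score):
    """Map a numeric score to the low/medium/high bands used for alerting."""
    return "high" if score >= 7 else "medium" if score >= 3 else "low"
```

Running `evaluate(EVENTS, CUTOFF)` flags alice for impossible travel plus a new location (score 8, high) and bob for excessive failed logins (score 4, medium).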
4. Automated incident response
Swift and effective ITDR solution response ensures that threats are contained quickly, minimizing the impact of incidents:
- Predefined response actions - Automated workflows can be triggered by risky or suspicious events, and will mitigate risk by disabling compromised accounts or triggering MFA challenges
- Forensic and contextual analysis - Detailed logs and activity timelines support post-incident analysis and compliance reporting
5. Integration with security ecosystem
ITDR solutions integrate seamlessly with SIEM, SOAR, and EDR tools to provide a holistic view and response to identity threats:
- Data correlation - ITDR monitors account activities after connecting to identity providers such as Azure Active Directory or Okta, and correlates identity data with security events in SIEM tools
- Orchestrated response - A coordinated response can be triggered for integrated tools across the security ecosystem, including endpoint detection and response (EDR) tools
Interested in understanding how DoControl approaches ITDR today? See below to learn more.
How to implement an effective Identity Threat Detection and Response strategy
If you want to stay aligned with your organizational goals and existing security frameworks, you need a structured approach to implementing ITDR. Here’s a step-by-step guide on how to do it:
Step 1: Assess your current identity security posture
Conduct a comprehensive audit of your identity systems to map your current identity infrastructure, identify critical assets and access patterns, and document your existing security controls. Identify any gaps, vulnerabilities, and high-risk areas.
Step 2: Define ITDR objectives
Set clear identity goals, such as reducing credential-based incidents or improving insider threat detection. Only with clear objectives can you measure your success later.
Step 3: Choose a suitable ITDR solution
Evaluate tools based on features, scalability, and integration capabilities.
Step 4: Integrate with existing systems
Ensure ITDR integrates with your existing identity provider (such as Okta) and security tools (SIEM, SOAR).
Step 5: Develop detection rules and policies
Configure detection rules and policies that are aligned with your organization’s security requirements. Set up automated incident responses by creating customized playbooks.
Step 6: Enable continuous monitoring and threat intelligence
Leverage real-time monitoring and external threat feeds to stay ahead of emerging threats.
Step 7: Train security teams and end users
Provide training to ensure effective use of ITDR tools and promote security awareness among your employees. Remember that employees are the weak link in any security chain, so it’s best to keep them informed.
Step 8: Regularly test and optimize
Conduct periodic assessments to measure effectiveness and update your ITDR configurations as needed. Monitor and adjust your security policies, or update your response playbooks to fit your requirements.
Meet DoControl - The #1 Multi-Layer SaaS Security Solution
DoControl is a layered security solution that protects your data from overexposure and safeguards your identities without slowing down your productivity.
As an agentless solution, DoControl leverages unique and proprietary technology to address all key components of an ITDR solution:
SaaS-agnostic identity management
DoControl aggregates user data into a single identity for organization-wide risk posture management. With DoControl, you can:
- Monitor, track, and manage risky users across SaaS identities
- Compare user behavior, login activities, and authentication patterns to detect access anomalies and potential threats
- Get notified for any unusual activity, such as login attempts from strange locations, or dramatic changes in a user’s risk score
For example: If an IdP admin deletes an account, the account can still be accessed using another login method. When monitoring risk, DoControl collects event data from all user accounts.
Threat detection algorithms for multiple risk factors
DoControl’s proprietary risk algorithms calculate the risk score for each identity, based on a range of risk elements that are constantly updated with data-enriched context:
- Get a consolidated risk score for each user based on comprehensive risk profiling that includes, for example, data exposure, the number of assets this user publicly shared, or the number of workflows they triggered.
- Identify a wide range of risk factors that are not limited to access behavior, but are based on DLP exposure, admin roles, risky shadow apps, and business context from HRIS or IdP data.
Benchmarking for user and entity behavior analytics (UEBA)
DoControl performs broad UEBA detection, where smart anomalies are based on user data exposure, access, HR profiling, and benchmarking:
- DoControl creates a normal behavioral baseline (department, organization) as an anomaly anchor to determine a user’s potential risk.
- With event-driven benchmarking, see how a user’s asset exposure and access patterns compare to their department or to the entire company
For example: Anomalies include deviations from normal identity activity patterns, such as when a Finance Department employee shares an unusually large number of files with an external account from Google Workspace.
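The department benchmarking described above as a worked example. This is added illustration code, not DoControl's: over a constructed roster and external-share events, it compares each user's count of files shared outside the organization with their department peers, falling back to the whole company when the department is too small to serve as a baseline. The z-score threshold, minimum peer count and minimum share count are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed roster (user -> department) and share events (one entry per file shared
# with an account outside the organization during the window). Not real data.
ROSTER = {"dana": "Finance", "eli": "Finance", "fay": "Finance", "gus": "Finance",
          "hal": "Sales", "ida": "Sales", "jon": "Sales"}
SHARE_EVENTS = (["dana"] * 40 + ["eli"] * 3 + ["fay"] * 5 + ["gus"] * 4
                + ["hal"] * 25 + ["ida"] * 30 + ["jon"] * 22)


def external_share_counts(events, roster):
    """External shares per user in the window; roster users with no shares count as 0."""
    counts = Counter(events)
    return {user: counts.get(user, 0) for user in roster}


def benchmark(events, roster, min_peers=3, z_threshold=3.0, min_count=10):
    """Compare each user's external-share count with their peer group.

    The peer group is the user's department (excluding the user); when fewer than
    min_peers remain, the whole organization is used instead, so that a three-person
    team does not produce a meaningless baseline.
    """
    counts = external_share_counts(events, roster)
    results = {}
    for user, dept in roster.items():
        peers = [c for u, c in counts.items() if u != user and roster[u] == dept]
        group = dept
        if len(peers) < min_peers:
            peers = [c for u, c in counts.items() if u != user]
            group = "organization"
        baseline = mean(peers)
        spread = max(pstdev(peers), 1.0)   # floor avoids division by zero for uniform peers
        z = (counts[user] - baseline) / spread
        results[user] = {
            "count": counts[user], "peer_group": group,
            "baseline": round(baseline, 2), "z": round(z, 2),
            # min_count keeps a user with 2 shares in a department of zeros from alerting
            "anomalous": z > z_threshold and counts[user] >= min_count,
        }
    return results
```

In this sample, dana (40 external shares against a Finance baseline of 4) is the only anomaly; hal's 25 shares look normal against the organization-wide baseline his two-person peer group falls back to.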
Automated responses to identity incidents
Simply detecting an identity threat is not enough. DoControl allows you to respond in real time to identity threats, helping to minimize their impact:
- Get notified immediately whenever a user’s risk score changes, depending on how you define your automatic workflows. For example, if a user’s risk score changes from low to high, get instant notification.
- Add potentially risky users to a watchlist to monitor their behavior and risk score.
Integration with SIEM and SOAR systems
Security teams usually consolidate their organization's incident and response operation in a single security information and event management (SIEM) system, or in a security orchestration, automation and response (SOAR) platform.
- DoControl allows you to create SIEM and SOAR connectors. You can send DoControl alerts, workflows and SaaS events downstream to your organization's consolidated event management system, such as Datadog, Sumo Logic, Splunk, or a custom connector.
- From your SIEM or SOAR system, drill down and investigate any event, or keep the audit trail for future analysis.
Only DoControl leverages enriched metadata from multiple sources to give you full visibility into risky identities, allowing you to easily monitor and mitigate risk in the same solution.
Curious about your identity risk posture? Try DoControl’s FREE SaaS Risk Assessment to gain a clear understanding of your exposure.
Future trends in identity threat detection and response
As cyber threats continue to evolve, ITDR solutions are expected to advance. Here are some key trends to watch in 2025:
AI-powered threat detection and response
Advanced machine learning models will provide more accurate anomaly detection and fewer false positives. GPT-based models are already being used to analyze user behavior patterns. AI-driven tools will not only detect threats, but also offer automated remediation, significantly reducing the time between detection and response.
Focus on non-human identities (NHI)
As machine-to-machine interactions proliferate, ITDR solutions will expand their scope to cover IoT and API identity management. Solutions will manage the lifecycle of machine identities, including provisioning, authenticating, and decommissioning.
ITDR solutions will evolve to secure automated systems, including AI platforms and DevOps environments.
Zero trust identity
The integration of ITDR with zero trust architectures will become standard, mandating continuous validation of every access request across devices. ITDR solutions will become more dynamic as they adjust security policies based on real-time risk assessments, and optimize controls on the go.
Passwordless authentication
ITDR solutions will incorporate biometric and token-based security for identity verification, and to reduce the risks associated with stolen or compromised credentials. Passwordless authentication might be a best practice, but its cost and complexity make it difficult to implement.
Identity Threat Prevention and Response (ITPR)
Proactive threat hunting capabilities will become standard in ITDR solutions. ITDR solutions are evolving from a reactive approach to a proactive approach. Identity Threat Prevention and Response (ITPR) solutions will address the root causes of machine identity attacks, and leverage predictive analytics to preemptively block malicious actions before they compromise your system.
FAQs
Still have questions about ITDR? Here are some frequently asked questions:
What types of threats can be identified through identity threat detection?
ITDR solutions can identify a range of identity cyberattacks, including:
- Credential stuffing attacks - Attackers use lists of compromised user credentials to break into a system.
- Privilege escalation attempts - Cyberattacks that gain unauthorized access to elevated rights, permissions or privileges beyond those assigned to a specific identity, user or machine
- Insider threats from disgruntled employees - Attempts made by rogue employees or contractors to purposely leak an organization's confidential data for financial gain or misuse system access to inflict damage.
- Account takeover attacks - In an ATO, cybercriminals take ownership of online accounts using stolen passwords and usernames. These stolen credentials are usually purchased on the dark web, after they were obtained from social engineering, data breaches and phishing attacks.
- Unusual access patterns - Anomalous user behavior includes unusual login events at unusual times from suspicious locations.
- Password spraying attacks - An attacker uses common and weak passwords to access several accounts in one domain.
- Session hijacking attempts - Malicious hackers take control of a user’s web session, by completely bypassing secure authentication mechanisms, and gaining unauthorized access to information or services.
- Brute force attacks - Hackers guess multiple passwords to gain access to one or multiple accounts.
How can identity threat detection improve overall cybersecurity?
By monitoring and securing user identities, ITDR detects potential threats, and limits an attacker’s ability to move laterally within a network.
ITDR strengthens your organization’s overall cybersecurity posture by:
- Protecting against insider threats by continuously monitoring for suspicious activity and privileged account usage
- Providing comprehensive visibility into identity-related activities across an organization
- Detecting anomalies in user behavior that could indicate account compromise, and providing early warning of potential breaches
- Pinpointing sophisticated attacks that target user identities
- Reducing the attack surface with proactive risk management and real-time response mechanisms, such as locking accounts
- Improving compliance posture with audit trails and reports so you can meet regulatory requirements
What’s the difference between identity threat detection and access management?
Access management focuses on controlling who can access resources, while ITDR identifies and responds to malicious activities involving identities.
Think of access management as giving out keys, while identity threat detection monitors how those keys are used.
Remember, implementing ITDR is not a one-time project but an ongoing endeavor. Start small, focus on your critical assets, and gradually expand your coverage as you gain experience and maturity in your identity security program.
Summary
End users are the weakest link in the organization’s SaaS security chain, so it’s no surprise that most data breaches are identity-initiated.
By mastering ITDR strategies and leveraging the right tools, you can significantly enhance your cybersecurity posture to protect both your assets and your identities.
With DoControl's Identity Risk Management solution, you can leverage the power of enriched context to discover and monitor your SaaS identities, and protect your organization from identity threats.
DoControl connects the dots between all your SaaS apps, including Google Workspace, Slack, HRIS and IdPs, to provide your organization with a robust and secure ITDR solution based uniquely on enriched data context. Only with DoControl can you visualize, monitor and mitigate SaaS identity risk in the same solution.