Five most in demand Identity Threat Detection & Response capabilities

The scene is set for identity-focused security to take centre stage in 2023.

In recent years, we’ve seen organisations openly embrace hybrid cloud environments as they move to more flexible models in the so-called ‘new normal’ era. The world of work has continued to become increasingly digitalised as a result, underpinned by a plethora of innovative applications, solutions, technologies and devices that are serving up numerous productivity and operational benefits.

By contrast, the security considerations of this transition have been a little more complex.

In embracing the cloud, the traditional network perimeter ceases to exist. Instead, organisations find themselves managing hybrid identity environments with an endless array of possible entry points to defend. Preventing attackers from moving freely between on-prem environments underpinned by Active Directory (AD) and cloud environments underpinned by Azure AD has emerged as a key concern among many enterprises.

Indeed, the primary motivator for many developing hybrid environments was operational necessity in response to the pandemic—not security. As a result, many organisations are now retrospectively attempting to bridge the security gaps.

Unfortunately, this task is proving to be tricky. Be it preventing, detecting, remediating, or recovering from threats that target AD, challenges are strewn across the entire AD attack lifecycle.

Indeed, many firms lack confidence in their ability to meet the challenges of the current threat landscape. Conducting a survey of IT and security leaders at more than 50 organisations, we found that just one third (33%) were confident in their ability to prevent on-prem AD attacks, while a little over a quarter (27%) expressed confidence in mitigating Azure AD attacks.

The importance of identity threat detection and response

Given the fact that identity systems have become a prime target for cybercriminals, these statistics are concerning.

It is estimated that AD is exploited in 9 out of 10 cyberattacks. Indeed, Gartner advises that misused credentials are now the top technique used in breaches, with nation-state-level attackers that actively target AD and the identity infrastructure seeing phenomenal success.

Further, hybrid environments aren’t going anywhere. Not only is AD the primary identity store for 90% of organisations worldwide, but Gartner also predicts that only 3% of organisations will migrate completely from on-premises AD to a cloud-based identity service by 2025.

For these reasons, Gartner not only named identity system defence as one of the 2022 top trends in cybersecurity, but also devised an entirely new category: Identity Threat Detection and Response (ITDR).

Clearly, organisations know they need to better protect their identity systems.

Critically, more than three quarters (77%) of our survey respondents admitted that they would likely suffer from a severe or catastrophic impact if a cyberattack were to take down AD, while just 32% indicated they were “extremely confident” that they could recover from an AD attack.

For this reason, as firms seek to turn the tide on AD-related threats, ITDR solutions specifically designed to defend identity systems have quickly climbed the priority ladder, with organisations seeking several methods of protecting and recovering their hybrid environments.

Here, we look at the most important ITDR requirements as identified by our survey respondents.

Automated, fast AD recovery

Our survey reveals that a clear majority (77%) of firms would suffer a severe impact (they have a general disaster recovery solution, but no specific support for AD) or a catastrophic impact (they would need to conduct a manual recovery from backups, which would take days or weeks) if a cyberattack took down AD. For this reason, the ability to recover quickly (within hours instead of days or weeks) and in an automated manner is a leading priority for those seeking ITDR solutions.

Detection of attacks that bypass traditional tools

Survey respondents also cited the failure to detect attacks that bypass traditional monitoring tools as a top overall concern in protecting AD. Organisations are seeking solutions that use multiple data sources—including the AD replication stream—to detect and mitigate the effects of advanced attacks.

Improved transparency in AD and Azure AD

Detecting attacks that move from on-prem AD to Azure AD, or vice versa, has emerged as a top concern for organisations managing hybrid environments. Indeed, only one-third of respondents expressed that they would be very confident in preventing or remediating an on-prem AD attack, and only 27% indicated the same level of confidence regarding Azure AD. Firms require solutions that can provide greater transparency into activities that involve both AD and Azure AD environments.

Discovery of legacy misconfigurations and vulnerabilities

Given the number of attacks that exploit AD vulnerabilities on a near-daily basis, organisations are understandably concerned about assessing their environments for vulnerabilities that could leave them open to attackers. Knowing where those vulnerabilities lie is the first step towards improving security. A long-term maintenance plan involves checking identity security posture continuously for weaknesses—something that organisations are seeking in ITDR solutions.

Automated remediation

Cyberattacks often move at lightning speed once attackers drop malware, so automatic remediation is critical to preventing an exploit from leading to elevated privileges and an eventual network takeover. In the notorious 2017 NotPetya attack on shipping giant Maersk, the company’s entire network was infected in minutes. Survey respondents indicated that automated remediation of malicious changes to stop fast-spreading attacks was the most important remediation capability, followed by tracking and correlating changes between on-prem AD and Azure AD.

Addressing diverse requirements with a multi-layered strategy

Clearly, organisations are seeking solutions that can address threats before, during, and after an identity-related attack.

Recovering from attacks quickly is a priority. The ability to respond to threats is equally important as firms look to address their vulnerabilities and stop nefarious actors in their tracks. A range of capabilities is required, from security posture assessments and real-time monitoring to automatic remediation of detected threats and fast AD forest backup and recovery.

For this reason, when evaluating ITDR solutions, organisations should seek to adopt those that deliver a comprehensive, layered defence to achieve optimal protection of their hybrid environments.

Download Semperis’ Evaluating Identity Threat Detection & Response (ITDR) Solutions survey report to learn more about the emerging ITDR category and how expert ITDR solutions can help you protect your identity infrastructure.

About the Author

Darren Mar-Elia is VP of Products at Semperis. For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organizations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies.

Featured image: ©Mirexon