What is identity threat detection and response?

What cybersecurity trends led to the development and adoption of identity threat

As platforms, systems, and applications continue to close their vulnerabilities, nascent outsiders often find it easier to exploit other weaknesses like credentials, misconfigurations, or exposed APIs. Various phishing techniques, key loggers, and other automated tools are all used and have proven easier to execute than directly going up against applications and system-level security. Whereas vulnerability research requires quite a bit of time, skill, and extensive testing to identify exploitable weaknesses, increasingly, attackers have opted instead to focus more on credential stuffing for quick access to these services. Along with their credential-based approach, attackers have honed their skills to identify privileged accounts and ways to promote other compromised accounts. These attacks can be persistent threats lasting months or even years. Of course, the most damaging and sought-after identities are information owners and other similar accounts with special access privileges. As such, the increasing risk for organizations was not just credential-based accounts, but attacks on the most privileged users. They were, and still are, the most complex threats to protect against because the outsider has the information traditionally relied upon for a person or process to identify themselves.

The road to ITDR

How were ITDR practices formalized?

In 2022, Gartner introduced ITDR as a cybersecurity practice. In that introduction, Gartner described ITDR as a way for organizations to be a more effective approach to responding to the increasing threats targeting identity systems, credentials, and privileged access. Emphasizing the need for organizations to elevate their ability to detect, investigate, and mitigate identity-based attacks more effectively. Unlike traditional approach to security tools, ITDR integrates identity and access management (IAM), user and entity behavior analytics (UEBA), and extended detection and response (XDR) to proactively defend against credential misuse, privilege escalation, and lateral movement. Since current security methodologies haven’t been able to stem the tide of cyber threats, ITDR helps organizations enhance visibility, detect anomalies, and enforce stronger authentication and access controls, all of which reduce the risk of identity-driven breaches.

What Makes ITDR different?

Gartner’s 2022 recognition of ITDR signified a meaningful milestone of coalescing IT technologies into a synergistic new security level, bringing together what is too often independent practices to power an expanded scenario. Together, IAM and security information and event management (SIEM) can identify and more accurately assign risk to related events, as well as execute an application, service, or other digital resource-level response to secure protected information. As such, ITDR has since gained momentum as a critical cybersecurity category for preventing identity-based attacks. Some key ITDR drivers include:

• Rise of identity-based attacks: Credential theft, lateral movement, and privilege escalation became primary attack methods. Current security protection is ineffective. ITDR incorporates XDR type information that identifies activity indicating elevated risk for users and resources.
• IAM and PAM gaps: The overall intent of identity and access management is to ensure that people and services have the right access to protected resources at the right time. Today’s IAM tools-controlled access but lacked real-time threat detection, and privileged access management (PAM) focused on privileged accounts but not general identity threats.
• Zero trust adoption: Organizations moved toward identity-first security, requiring continuous monitoring and response for identity threats.

What are key ITDR components?

While TDR can excel at real-time monitoring and automated responses, it’s inability to attach attacks to specific identities over time does limit its effectiveness. More components are needed to expand TDR’s ability to identify suspicious behaviors.

Extended detection and response
Extended detection and response (XDR) is an advanced cybersecurity solution that integrates multiple security tools and data sources to provide a unified approach to threat detection, investigation, and response across an organization's entire attack surface.

Unlike traditional SIEM or EDR solutions, XDR collects and correlates threat data across multiple security layers, including cross-layered detection and correlation. Unlike traditional SIEM or EDR solutions, XDR collects and correlates threat data across multiple security layers, including endpoints (EDR), networks (NDR), emails, cloud workloads, and identity and access management (IAM). This improves visibility into complex attacks that span multiple entry points.

Automated threat investigation and response—XDR automatically prioritizes alerts and connects related security incidents to reduce alert fatigue. It uses AI and machine learning to identify attack patterns and mitigate threats faster.

Proactive threat hunting—security analysts can search for hidden threats using historical data and behavioral analytics. MITRE ATT&CK framework is often integrated into XDR to map adversary tactics and techniques.

Integration with security stack—XDR works with SIEM, SOAR, ITDR, and EDR solutions to streamline security operations (SOC). It also provides real-time alerts and automated remediation actions across different security tools.

XDR as it relates to other security solutions
The table below lists technologies used today by IT security teams to enhance their threat detection and automated responses. By themselves, they're not as complete or integrated as XDR is.

What response mechanisms does ITDR have?

When suspicious behavior emerges—such as an unusual login, rapid privilege changes, or access from untrusted locations—XDR triggers automated actions such as compromised accounts being locked, MFA being enforced, or unauthorized sessions being terminated instantly. ITDR, which correlates identity information to XDR drivers, leverages XDR-derived information and automates the response needed to prevent attackers from exploiting stolen credentials by restricting access and enforcing dynamic authentication controls. Privileged activity is continuously monitored, and unauthorized escalations are blocked before they lead to a breach. XDR’s orchestration capabilities ensure ITDR seamlessly integrates with SIEM, SOAR, and IAM systems, streamlining automated remediation workflows. This ITDR-powered automated response fortifies security teams with an automated proactive defense, stopping identity-driven attacks before they escalate into full-scale breaches.

Identity security posture management
A core component of ITDR’s response engine is the ability to continuously manage (assess and respond) an organization’s security landscape identity security posture management (ISPM) at the identity level. As enterprises expand their digital ecosystems, the sheer volume of human and machine identities creates an ever-expanding attack surface. ISPM provides real-time visibility into identity risks, misconfigurations, and policy violations, enabling proactive defense against identity-based threats. By leveraging automation, risk analytics, and policy enforcement, ISPM ensures that identities adhere to security best practices, reducing exposure to credential-based attacks, privilege escalation, and unauthorized access.

At the core of ISPM is the ability to dynamically analyze identity posture across various environments, including on-premises, cloud, and hybrid infrastructures. This involves monitoring access entitlements, enforcing least privilege principles, and detecting anomalous behaviors indicative of compromise. Integrated with identity threat detection and response, ISPM enhances an organization’s ability to preemptively address identity vulnerabilities before they are exploited. Cyber threats are often based on compromised credentials, so identity-based ISPM serves as a critical layer of defense, aligning security posture with evolving risk landscapes. This is done by defining the level of risk the organization is willing to tolerate and then continuously evaluating the environment to respond when that level is reached. ISPM is a key component of ITDR because it enables organizations to maintain resilience against sophisticated cyber adversaries.

Empowering threat response with identity
Identity and access management solutions allow organizations to tie breach or threat indicator events to identities, as well as target response at the most effective level – that session(s) or application(s). IAM is the ‘I’ of ITDR. To effectively automate responses, these two technologies must work together seamlessly. When they do, the integration enhances visibility and threat detection and quickly responds to identity-based attacks.

OpenText™ IAM solutions generate authentication logs, access requests, and privilege changes. OpenText’s advanced threat detection & insider threat management solution correlates them with data from endpoints, networks, and cloud environments. Additionally, OpenText TDR offers additional user and entity behavior analytics (UEBA) beyond what is typically available in identity-based risk services. They detect risk through breach indicators derived from access and application usage when brought together. Traditional identity and access-based risk metrics are limited to prescribed criteria, such as whether or not the browser instance or the physical device is known and whether login attempts are unsuccessful. These same adaptive controls put conditions or limits on time ranges and geolocations, as well as identify impossible travel scenarios. While traditional adaptive access controls can also leverage the history of these prescribed conditions, XDR metrics can be far more sophisticated.

XDR technologies monitor a much broader spectrum of information than what is available in IAM infrastructure. From that data, XDR automation can correlate observed data into behavior patterns that are more discerning than rules-based controls. They discern which sessions are indicating risk factors from anomalies or attack patterns. When XDR monitoring capabilities are merged with identity information that forms an ITDR level of security, activities can be correlated and calculated into patterns—patterns that span long periods. With identity, the activity data collected from networks, devices, and session information is correlated to higher levels of interaction that identities (people or processes) have with digital services extending over a longer period. This persistent identity-based activity data empowers risk engines to calculate the risk of breach-related activities that are used to penetrate typical security practices. These patterns grow stronger over time in ways that make ITDR more effective in identifying user anomalies or potential breaches as the model of each active user grows. Beyond strengthening threat models, ITDR can respond through its security orchestration, automation, and response (SOAR) platforms—far more than what is available in an IAM environment. Additionally, IT can use this expanded security platform to initiate predefined workflows, such as blocking malicious IPs, alerting security analysts, or isolating affected devices.

What role should ITDR play in your organization?

Since each environment is unique, the road to an ITDR level of security is unique. This means that the need for ITDR may or may not exist for a specific environment, and the level of ITDR sophistication will vary. The makeup of your current environment will influence what you implement.

Some of the dynamics that may help determine how much to invest in an ITDR form of security include the following:

• Risk—the full spectrum of risk should be a dominating factor. What are the complete costs of a breach? What are the business consequences of failing a compliance audit or falling short of a cyber insurance requirement?
• Cost and expertise—in the existing ITDR components in today's environment, some of the most underestimated barriers to ITDR are cost and domain expertise. Organizations with robust IAM, PAM, and SIEM solutions will find it easier to upgrade to an ITDR security layer. However, IAM may be a more immediate need if identity security is incomplete or weak.
• Putting the pieces together—an organization's ability to integrate ITDR with its existing security stack is another determining factor. Seamless integration with IAM, SIEM, SOAR, and EDR/XDR solutions ensures that ITDR can provide real-time monitoring and incident response without creating operational silos.
• Scalability—with organizations increasingly adopting hybrid and multi-cloud environments, ITDR must cover cloud identities, privileged access, and federated authentication. It becomes particularly valuable for enterprises managing large remote workforces and extensive third-party access, ensuring secure identity verification across dispersed environments.
• Zero trust priority and budget—place ITDR at the forefront of modern cybersecurity strategies. ITDR enables continuous identity verification, behavioral analytics, and risk-based responses—core principles of a zero-trust model. As organizations move away from traditional perimeter-based security, ITDR plays a crucial role in safeguarding identities as the new perimeter.

Is ITDR the new access security layer?

ITDR has evolved from traditional identity security into a dedicated security discipline, addressing modern identity-driven cyber threats. As cybercriminals continue increasingly targeting credentials, privileged accounts, and identity systems, ITDR may become a standard security layer of an organization’s security strategy.