
What is Identity Threat Detection and Response (ITDR)?

Identity threat detection and response (ITDR) is a cybersecurity approach that uses a combination of tools, intelligence, and automation to proactively detect, investigate, and respond to threats targeting digital identities and authentication systems in the cloud.

Identity-related breaches involve the compromise of credentials, keys, and other authentication factors, giving attackers unauthorized access to systems and data. ITDR is quickly becoming an essential part of managing the threat landscape because a growing share of breaches are identity-related.

In this post, we’ll take an in-depth look at this relative newcomer to the security scene, including how ITDR works and how it’s different from other elements of your security stack. Finally, we’ll share vital tips to make sure your ITDR solution is working for you, not against you.

Why you need ITDR for modern cybersecurity

There are more and more identity-related breaches every single year. In fact, more than 90% of businesses report that they’ve experienced an identity-related breach.

Why are identity-related breaches increasing now? Demand for access is growing, which in turn grows the attack surface. That’s in part due to our increasing reliance on non-human identities (NHIs) through APIs, IoT, microservices, and cloud-based apps. 

These types of identities are sometimes known as “machine identities” or “service accounts,” to differentiate them from standard accounts belonging to employees and third-party human users. Service accounts are used for backup automation, database applications, and network functions. But because they’re not associated with a single person or department, they can be difficult to log and track intelligibly, and they can quickly multiply out of control.

Compromised service accounts can be used for lateral movement within a network, data exfiltration, and launching malicious activities.

These services are essential for modern business activities, so we need to cut risk by finding ways to manage them securely. And that’s where ITDR comes in, offering a holistic approach that keeps NHIs and other identity-related threats under control.

How is ITDR different from IAM and PAM?

ITDR isn’t the only approach to identity security, especially when it comes to the proliferation of cloud identities that need access to your systems and resources.

Three leading approaches are IAM, PAM, and ITDR. Because they all deal with identity threats and NHIs, there’s lots of overlap among these approaches, along with some important differences.

What is IAM?

Identity access management (IAM) is a framework that includes identity management policies, tools, and processes across your organization’s IT resources. It manages user identities, permissions, and roles.

IAM tools let you enforce permission policies as well as implement security measures related to identity like single sign-on (SSO) and multi-factor authentication (MFA). The goal is to prevent unauthorized access to resources and oversee role-based access control, defining and enforcing access permissions based on user roles and responsibilities.

For example, IAM can automate user account creation based on HR system data, granting necessary permissions for work-related access while minimizing access to non-essential resources.

Cloud infrastructure entitlement management (CIEM) platforms support IAM in the cloud. They give you both visibility and control, focused on the unique challenges of managing access control in cloud environments. Like IAM for on-premises, CIEM allows you to manage entitlements, permissions, and privileged users within your cloud accounts.

Key functions of IAM security:

  • Ensuring robust authentication methods (SSO, MFA)

  • Proactive monitoring and response—newer solutions include AI/ML along with risk analytics

  • Periodic audit and revocation of access if needed due to inactive accounts, over-permissioning, etc.

What is PAM?

Privileged access management (PAM) is a subset of IAM that focuses on privileged accounts. Because privileged accounts are prime targets for attackers, you need to monitor them and enforce least privilege principles. 

The operative term when it comes to PAM (as well as CPAM, a PAM approach for cloud-based environments) is “just in time” (JIT). Rather than leaving privileged accounts open, which also opens them up to abuse, PAM offers just-in-time (JIT) temporary access, with the exact access level necessary for business purposes. 

For example, a database administrator might need temporary root access to the database server. PAM can automate the process of approving this access for a specific maintenance window and then secure the account once again when the work is done.
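The maintenance-window flow just described, as an added example that is not Wiz's or any PAM vendor's code: a minimal just-in-time broker in which no privilege is standing. A grant is created for an approved window, every access check is evaluated against the clock, and the account falls back to its baseline automatically when the window closes. The identities (dba-alice, oncall-bob), the privilege name, the policy cap on window length and the timestamps are all constructed for illustration.

```python
"""
Added example (not Wiz's code): a minimal just-in-time (JIT) privilege broker.
Privileges are never standing; a grant covers one approved maintenance window and
checks fail automatically once the window closes, so the account returns to its
baseline without anyone having to remember to revoke it.
All identities, privilege names and times below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    identity: str
    privilege: str
    approved_by: str
    starts_at: datetime
    expires_at: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and self.starts_at <= now < self.expires_at


class JitBroker:
    """Issues time-boxed privilege grants and answers access checks against them."""

    MAX_WINDOW = timedelta(hours=4)  # hypothetical policy cap on any single window

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[str] = []  # every grant, revoke and check is recorded

    def request(self, identity, privilege, approved_by, starts_at, duration) -> Grant:
        if approved_by == identity:
            raise PermissionError("self-approval is not allowed")
        if duration > self.MAX_WINDOW:
            raise ValueError(f"window {duration} exceeds policy cap {self.MAX_WINDOW}")
        grant = Grant(identity, privilege, approved_by, starts_at, starts_at + duration)
        self.grants.append(grant)
        self.audit.append(f"GRANT {identity} {privilege} until "
                          f"{grant.expires_at.isoformat()} approved by {approved_by}")
        return grant

    def revoke(self, grant: Grant, reason: str) -> None:
        """Early revocation, e.g. when the ITDR layer flags the session."""
        grant.revoked = True
        self.audit.append(f"REVOKE {grant.identity} {grant.privilege}: {reason}")

    def check(self, identity: str, privilege: str, now: datetime) -> bool:
        allowed = any(g.identity == identity and g.privilege == privilege and g.active(now)
                      for g in self.grants)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {identity} {privilege} "
                          f"at {now.isoformat()}")
        return allowed

    def expire_stale(self, now: datetime) -> list[Grant]:
        """Grants whose window has closed; a real broker would also tear down the session."""
        return [g for g in self.grants if not g.revoked and now >= g.expires_at]


def demo() -> dict:
    broker = JitBroker()
    t0 = datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc)  # constructed window start
    broker.request("dba-alice", "db-prod:root", "oncall-bob", t0, timedelta(hours=2))
    return {
        "before_window": broker.check("dba-alice", "db-prod:root", t0 - timedelta(minutes=1)),
        "during_window": broker.check("dba-alice", "db-prod:root", t0 + timedelta(hours=1)),
        "after_window": broker.check("dba-alice", "db-prod:root", t0 + timedelta(hours=2)),
        "other_identity": broker.check("dev-carol", "db-prod:root", t0 + timedelta(hours=1)),
        "stale_grants": len(broker.expire_stale(t0 + timedelta(hours=3))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks worth noting are the ones that deny: before the window opens and at the instant it closes (the end time is exclusive), and the separation of requester from approver, which is what keeps a compromised account from granting itself a window.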

Key functions of PAM:

  • Session monitoring, recording, and alerting if trigger conditions are flagged

  • JIT provisioning of temporary privileges

  • Enforcing least privilege access while streamlining business operations

How does ITDR fit into the big picture?

ITDR encompasses both IAM and PAM. It’s built on the foundation of IAM functionality like user provisioning, then enhanced with PAM features like secure credential storage and JIT provisioning. But beyond both of these, ITDR offers threat detection and response. This involves continuous monitoring for identity-related threats like account compromises, insider threats, and data breaches. 

With built-in anomaly detection and response automation, ITDR is a proactive solution that locks down all aspects of identity-related risk.

| | Privileged access management (PAM) | Identity access management (IAM) | Identity threat detection & response (ITDR) |
|---|---|---|---|
| Focus | Managing privileged/admin accounts | Managing user identities and access rights | Detecting and responding to identity-based threats |
| Scope | High-value accounts (admins, service) | All users and systems | All users and systems |
| Functions | Secure storage, rotation of privileged credentials, least privilege | Provisioning, de-provisioning, authentication, authorization | Threat detection, investigation, incident response |
| Key features | Vault passwords, session recording, just-in-time access | User provisioning, password resets, MFA, SSO, role management | Threat detection, behavioral analysis, automated response |

Common ITDR use cases

Below, you’ll find two use cases for ITDR within a cloud-based environment.

Use case #1 – ITDR to mitigate CSP credential compromise

Imagine threat groups exploit cloud service provider (CSP) security weaknesses to steal user credentials through phishing and other malicious activities. They then use the credentials to exfiltrate user data, disrupt services, launch ransomware attacks, and more.

Let’s look at the stages of attack here—and how ITDR responds in real time.

| Attacker | ITDR solution |
|---|---|
| Steals credentials through phishing attacks or by exploiting vulnerabilities in CSPs | Monitors login attempts for suspicious patterns |
| Gains access to cloud resources using stolen credentials | Identifies anomalous behavior like unusual API calls and data downloads |
| Exfiltrates data, disrupts services, or launches further attacks | Runs automated responses (e.g., blocking suspicious IP addresses and quarantining compromised accounts) |
| Covers tracks by deleting logs | Retains detailed logs and forensic data for investigation |
| Continuously refines tactics to target newly discovered vulnerabilities (e.g., zero-day) | Updates current threat intelligence, enabling continuous improvement of security posture and threat response |

Use case #2 – ITDR for insider threat detection

Let’s say malicious insiders already have access to your network via legitimate credentials. This makes it simpler for them to gain access to resources they shouldn’t have access to. They can then exploit this access to steal data, sabotage systems, or cause significant harm.

Let’s look at the stages of this type of attack—and, again, how ITDR responds to the threat in real time.

| Attacker | ITDR solution |
|---|---|
| A disgruntled employee decides to steal sensitive data before leaving the company | Monitors user activity for deviations from normal behavior |
| Starts accessing files and folders outside their usual scope of work | Detects anomalous data access patterns (e.g., accessing sensitive files or downloading large amounts of data) |
| Attempts to exfiltrate data (e.g., via email to a personal account or by uploading to external cloud storage) | Identifies suspicious transfers and triggers alerts or automations (for example, block the transfer, quarantine the user account) |
| Tries to cover tracks by deleting logs or modifying access timestamps | Retains detailed logs and forensic data for investigation |
| Attempts to escalate privileges or access other systems | Monitors for privilege escalation attempts and unauthorized access |
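The detection column of both use-case tables, as one added example that is not Wiz's or any product's code: a toy ITDR pass over a constructed stream of cloud audit events. Each identity has a learned baseline (known source networks, usual API calls, usual data scope, normal daily download volume), and the rules flag exactly the signals the tables list: logins from unexpected networks, unusual API calls, out-of-scope file access, bulk downloads, transfers to external destinations, log tampering and privilege escalation, with a response policy that blocks the source or destination and quarantines the identity on any critical finding. The baselines, event schema, API names, IP ranges and destinations are all invented for illustration.

```python
"""
Added example (not Wiz's code): a toy ITDR detection pass over constructed cloud
audit events. Baselines, event fields, API names and addresses are made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed per-identity baselines an ITDR product would learn from history.
BASELINES = {
    "svc-backup": {"networks": ["10.0.0.0/8"], "apis": {"GetObject", "PutObject"},
                   "scope": "s3://backups/", "daily_bytes": 5_000_000_000},
    "jane.doe": {"networks": ["10.0.0.0/8", "198.51.100.0/24"], "apis": {"GetObject"},
                 "scope": "s3://finance/", "daily_bytes": 200_000_000},
}
# Calls that change identity posture or hide activity are always worth an alert.
ESCALATION_APIS = {"AttachUserPolicy", "CreateAccessKey", "PutRolePolicy"}
TAMPER_APIS = {"DeleteTrail", "StopLogging", "DeleteLogGroup"}
EXTERNAL_DESTS = ("mailto:", "https://drive.", "https://dropbox.")


def detect(events):
    """Return (findings, actions); a finding is (identity, rule, severity)."""
    findings, actions = [], []
    downloaded = defaultdict(int)  # running per-identity byte count
    for e in events:
        who, base = e["identity"], BASELINES.get(e["identity"])
        if base is None:
            findings.append((who, "unknown identity", "high"))
            continue
        if e["type"] == "login":
            src = ip_address(e["src_ip"])
            if not any(src in ip_network(n) for n in base["networks"]):
                findings.append((who, "login from unexpected network", "medium"))
                actions.append(("block_ip", e["src_ip"]))
        elif e["type"] == "api_call":
            api = e["api"]
            if api in TAMPER_APIS:
                findings.append((who, "log tampering attempt", "critical"))
            elif api in ESCALATION_APIS:
                findings.append((who, "privilege escalation attempt", "critical"))
            elif api not in base["apis"]:
                findings.append((who, "unusual API call", "medium"))
        elif e["type"] == "file_access":
            if not e["path"].startswith(base["scope"]):
                findings.append((who, "access outside usual scope", "medium"))
            downloaded[who] += e.get("bytes", 0)
            if downloaded[who] > base["daily_bytes"]:
                findings.append((who, "bulk download above baseline", "high"))
        elif e["type"] == "transfer":
            if e["dest"].startswith(EXTERNAL_DESTS):
                findings.append((who, "transfer to external destination", "critical"))
                actions.append(("block_transfer", e["dest"]))
    # Response policy: any critical finding quarantines the identity (once).
    for who in dict.fromkeys(w for w, _, sev in findings if sev == "critical"):
        actions.append(("quarantine_identity", who))
    return findings, actions


# Constructed event stream: a compromised service account, then an insider.
EVENTS = [
    {"identity": "svc-backup", "type": "login", "src_ip": "203.0.113.7"},
    {"identity": "svc-backup", "type": "api_call", "api": "ListBuckets"},
    {"identity": "svc-backup", "type": "api_call", "api": "CreateAccessKey"},
    {"identity": "svc-backup", "type": "api_call", "api": "StopLogging"},
    {"identity": "jane.doe", "type": "login", "src_ip": "198.51.100.20"},
    {"identity": "jane.doe", "type": "file_access", "path": "s3://hr/salaries.csv",
     "bytes": 150_000_000},
    {"identity": "jane.doe", "type": "file_access", "path": "s3://finance/q4.xlsx",
     "bytes": 100_000_000},
    {"identity": "jane.doe", "type": "transfer", "dest": "https://drive.example/upload"},
]

if __name__ == "__main__":
    found, acts = detect(EVENTS)
    for f in found:
        print("FINDING", *f)
    for a in acts:
        print("ACTION", *a)
```

Note that the bulk-download rule fires on the second, in-scope file access: the individual reads look normal, and only the running total crosses the baseline, which is why the detector keeps state per identity rather than judging each event alone. The log-tampering rule is also the reason the "retains logs" row matters: the detector only sees StopLogging because the event reached an external store the account cannot delete.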

How does ITDR keep identities safer?

As we’ve already seen, ITDR complements other solutions like IAM and PAM, going beyond access, authorization, and authentication to give you visibility into behaviors and anomalies that might point to identity-related breaches.

ITDR doesn’t replace your existing advanced security solutions like EDR and XDR. Instead, it adds a new layer focused on protecting credentials, privileges, cloud entitlements, and the systems that manage them. This fills a significant security gap. 

And because it supports total visibility and automation and scales as quickly as your cloud environment does, it’s ideal for giving you the extra protection you need against rogue use of machine identities.

Let’s take a look at the ITDR process from end to end.

Figure 1: The end-to-end process of ITDR

Step 1: Centralized visibility

ITDR provides continuous, centralized visibility. To accomplish this, it monitors and analyzes human and machine identities across multi-cloud environments. It assesses effective permissions (what identities can actually do) and compares them to the organization's least privilege policy to flag over-permissioning. It also monitors identity behaviors to detect anomalies, such as unusual access patterns, privilege escalations, or risky API calls. 

Step 2: Risk prioritization

Visibility and context on their own aren’t enough—and can lead to alert fatigue—without the ability to prioritize risk. ITDR maps potential attack paths by correlating exposed identities with other risks (e.g., misconfigurations and unpatched vulnerabilities). It should assign risk scores based on factors such as public exposure, over-permissioning, or unused permissions, helping prioritize remediation efforts.

Step 3: Real-time detection

The ITDR solution should identify real-time threats such as credential misuse, unauthorized privilege escalation, or malicious API calls. It’s absolutely essential that this not impact performance or introduce risk to the workload from an agent or sensor component. That’s why an agentless model is generally preferable—as well as being simpler to implement.

In real time, ITDR will correlate runtime activity with cloud configurations, permissions, and other identity signals for a comprehensive view of threats. It will then enrich this with cloud context, helping security teams focus response and remediation efforts on the most critical identity-based threats that have immediate exploitability.

Step 4: Response and remediation

Based on predefined policies, ITDR provides automated responses to enforce least privilege, such as remediating over-permissioned identities, removing unused roles, or locking compromised credentials. It should also integrate seamlessly with incident response workflows, such as security information and event management (SIEM) platforms, to quickly contain and remediate identity-based incidents.
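The four steps above as one small pipeline, added here as an example and not Wiz's code or any product's logic: step 1 expands allow/deny policy statements with wildcards into effective permissions and compares them with a least-privilege baseline and with the permissions actually used; step 2 turns public exposure, over-permissioning, unused rights and self-escalation ability into a risk score; step 3 correlates a runtime API call with that posture; step 4 emits a policy-driven remediation plan. The action catalogue, the identities (svc-backup, ci-deployer), the score weights and thresholds are all constructed assumptions.

```python
"""
Added example (not Wiz's code): the four ITDR steps as a pipeline over constructed
cloud identities. Action names, identities, weights and thresholds are invented.
"""
from fnmatch import fnmatchcase

# Every action that exists in this toy cloud; policy wildcards expand against it.
ALL_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:CreateAccessKey",
               "iam:AttachUserPolicy", "ec2:StartInstances", "ec2:TerminateInstances"]

IDENTITIES = {  # constructed inventory: policies, baseline, observed use, exposure
    "svc-backup": {
        "policies": [{"effect": "Allow", "actions": ["s3:*"]},
                     {"effect": "Deny", "actions": ["s3:DeleteBucket"]}],
        "intended": {"s3:GetObject", "s3:PutObject"},   # least-privilege baseline
        "used_90d": {"s3:GetObject"},                    # what was actually exercised
        "public_exposure": False,
    },
    "ci-deployer": {
        "policies": [{"effect": "Allow", "actions": ["*"]}],
        "intended": {"ec2:StartInstances"},
        "used_90d": {"ec2:StartInstances"},
        "public_exposure": True,  # e.g. its key turned up in a public repo (constructed)
    },
}


def effective_permissions(policies):
    """Step 1: expand wildcards, then let an explicit Deny override any Allow."""
    allowed, denied = set(), set()
    for p in policies:
        target = allowed if p["effect"] == "Allow" else denied
        for pattern in p["actions"]:
            target.update(a for a in ALL_ACTIONS if fnmatchcase(a, pattern))
    return allowed - denied


def assess(name, ident):
    """Steps 1-2: flag over-permissioning and unused rights, then score risk (0-100)."""
    eff = effective_permissions(ident["policies"])
    over = eff - ident["intended"]
    unused = eff - ident["used_90d"]
    score = 40 if ident["public_exposure"] else 0
    score += min(30, 5 * len(over))
    score += min(20, 2 * len(unused))
    score += 10 if any(a.startswith("iam:") for a in eff) else 0  # can grant itself more
    return {"identity": name, "effective": eff, "over": over, "unused": unused, "score": score}


def correlate(assessments, event):
    """Step 3: a runtime call is critical when it exercises a right posture already flagged."""
    a = assessments[event["identity"]]
    if event["action"] not in a["effective"]:
        return "denied-by-policy"  # the call should have failed; still worth a look
    if event["action"] in a["over"] or event["action"] in a["unused"]:
        return "critical"
    return "expected"


def remediation_plan(assessment, runtime_verdict):
    """Step 4: automated, policy-driven actions that enforce least privilege."""
    plan = [f"remove {p}" for p in sorted(assessment["unused"])]
    if assessment["score"] >= 70 or runtime_verdict == "critical":
        plan.insert(0, "quarantine identity and rotate its credentials")
    return plan


def run():
    assessments = {n: assess(n, i) for n, i in IDENTITIES.items()}
    event = {"identity": "ci-deployer", "action": "iam:AttachUserPolicy"}  # constructed
    verdict = correlate(assessments, event)
    plans = {n: remediation_plan(a, verdict if n == event["identity"] else "expected")
             for n, a in assessments.items()}
    return assessments, verdict, plans


if __name__ == "__main__":
    assessments, verdict, plans = run()
    for n, a in sorted(assessments.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{n}: score={a['score']} over={sorted(a['over'])} unused={sorted(a['unused'])}")
    print("runtime verdict:", verdict)
    print("plans:", plans)
```

The ordering is the point of step 2: svc-backup has one unused permission and scores near zero, so its plan is a single removal that can run unattended, while ci-deployer's wildcard policy plus public exposure puts it above the quarantine threshold before any runtime event arrives, and the attach-policy call then confirms the exposure is being exercised.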

Wiz Defend: Your best defense against identity-related threats

To get the most out of ITDR, it helps to choose a cloud native application protection platform (CNAPP) that offers a unified, code-to-cloud approach to securing cloud-native workloads and data.

As part of the Wiz CNAPP platform, Wiz Defend provides your security operations center with full insight into every aspect of ITDR: visibility, prioritization, detection, and response. 

Wiz Defend gives you…

  • Comprehensive coverage across your entire environment

  • Real-time visibility into identity-related threats like credential misuse and privilege escalation

  • Attack path analysis and context-rich investigation across identity, data, network, compute, secrets, and PaaS cloud layers

  • Automated threat response actions such as blocking suspicious IP addresses, quarantining compromised accounts, and containing threats

Wiz Defend ingests cloud telemetry and runtime data, including context on identity, data, network, and compute resources, leveraging advanced analytics to detect high-fidelity threats in real time. And with the Wiz Security Graph providing rich context and automated response guidance and forensics, you can eliminate false positives, receive meaningful alerts, and streamline investigation and remediation.

From code to cloud to runtime, Wiz gives you total visibility into your multi-cloud environment, letting you proactively identify and remediate misconfigurations and address identity-related threats before they become an issue—whether they could lead to a potential breach or violate compliance benchmarks. With ongoing refinement of detection rules, you get better and better results over time, with fewer false positives.

Figure 2: The Wiz Non-Human Identities dashboard lets you quickly detect risky service accounts, such as service accounts with admin or high privileges

When ITDR meets CNAPP, you get more than the sum of all your tools—you turn scattered security signals into one clear story about all your cloud identities. Schedule a demo to see how Wiz Defend can secure NHIs and put an end to identity-related risk.
