
Identity Threat Detection and Response

Key Points

  • IBM’s 2024 data‑breach report shows compromised credentials are the leading cause of breaches, highlighting identity and access management (IAM) as a critical security focus.
  • Security fundamentals are expressed as “prevention + detection + response,” with IAM prevention encompassing governance, provisioning/deprovisioning, recertification campaigns, least‑privilege enforcement, MFA, adaptive access, and role‑based controls.
  • Detection and response for identity‑related threats have traditionally been handled by generic SIEMs, creating a gap that calls for a dedicated “IAM SIEM” or identity‑focused threat detection and response capability.
  • An effective identity threat detection and response system follows three phases—collect, detect, and respond—mirroring the structure of traditional SIEM platforms.
  • The collection phase pulls data from identity sources such as identity providers (IDPs), single sign‑on services, and other authentication touch‑points to provide context for subsequent threat analysis.

Full Transcript

# Identity Threat Detection and Response

**Source:** [https://www.youtube.com/watch?v=nXal8XnGmJo](https://www.youtube.com/watch?v=nXal8XnGmJo)
**Duration:** 00:13:15

## Sections

- [00:00:00](https://www.youtube.com/watch?v=nXal8XnGmJo&t=0s) **Credential Threats and IAM Fundamentals** - The speaker highlights that compromised credentials are the leading cause of data breaches and outlines IAM prevention tactics (governance, provisioning/deprovisioning, recertification, least privilege, MFA, adaptive access, and RBAC), while pointing out that detection and response have typically been left to the SIEM.
- [00:03:05](https://www.youtube.com/watch?v=nXal8XnGmJo&t=185s) **Combining Directory and Flow Data for Security** - The speaker explains how the identity provider, directories (accessed over LDAP, or Active Directory), and network flow data from firewalls, SASE products, or flow collectors feed an identity SIEM. Flow data matters because a copy captured off the network is hard for an attacker who has tampered with host logs to erase, and the SIEM and the identity tool can feed each other in both directions.
- [00:06:14](https://www.youtube.com/watch?v=nXal8XnGmJo&t=374s) **Detecting ‘Did Not Happen’ Scenarios** - The speaker explains that SIEMs capture events that occur but often miss absent actions, such as a login with no MFA step, and proposes using a finite state machine to model the proper state transitions and flag when a required step never happens.
- [00:09:20](https://www.youtube.com/watch?v=nXal8XnGmJo&t=560s) **Detecting Access Bypass Scenarios** - The speaker shows how tracking sessions against the state diagram reveals internal or external users reaching resources while skipping the IDP, MFA, VPN, or PAM, bypasses that a SIEM alone may miss. The segment also covers password spraying (one failed attempt per account across many accounts, staying under the lockout threshold), shadow IAM (directories and identity sources IT never sanctioned), and risky legacy authentication protocols.
- [00:12:26](https://www.youtube.com/watch?v=nXal8XnGmJo&t=746s) **Identity as New Perimeter** - The speaker warns that identity, not the firewall, is now the perimeter, and that without an identity threat detection and response capability to collect, detect, and respond to these threats, the identity layer becomes an unguarded front door.

## Full Transcript
0:00 The bad guys know that it's easier to log in than it is to break in.
0:04 In fact, in 2024, IBM did the Cost of a Data Breach report, where we found
0:09 that the number one way that bad guys get into systems and cause these data breaches relates to
0:16 credentials: lost or stolen, compromised credentials. Think passwords.
0:21 So this is really in the space of identity and access management.
0:25 So what can we do about it?
0:27 Let's go back to fundamentals.
0:29 So let's start with a simple equation.
0:30 Security equals prevention plus detection plus response.
0:35 Everything we do in security involves one of those three things, and hopefully all of those three things.
0:41 Well, what do we do in IAM for the prevention stuff?
0:44 Well, let's take a look in the identity management portion of this.
0:48 That's where we do governance and things like that.
0:51 We're basically looking at provisioning accounts and access rights, deprovisioning those things,
0:56 in other words, taking away those access rights at the right moment,
1:00 and then doing recertification campaigns
1:03 where we go back and make sure that everything an individual has is what they in fact still need,
1:08 so that we preserve the principle of least privilege.
1:11 On the access management side,
1:13 it's things like multifactor authentication.
1:16 It's adaptive access.
1:18 It's role-based access control.
1:21 And these technologies basically are what we've done in order to do prevention.
1:27 But what about the detection and response part of this?
1:30 Well, that's largely been left as an area for the SIEM, the security information and event management systems.
1:37 They're the ones that do the detection.
1:39 That's "I find there's a problem," and response,
1:42 "now I'm going to do something about it."
1:44 But we really need a capability to do an IAM SIEM,
1:48 basically an identity threat detection and response capability, so that we have an answer for detection and response in IAM.
1:57 That's what this video is going to deal with.
1:59 So hang on and I'll take you through how we can do that.
2:02 What goes into an identity threat detection and response system?
2:06 Well, the three phases are collect, which we're going to cover first, detect, and respond.
2:12 So how do you do the collection?
2:14 Well, let's think of it this way.
2:16 If I have my system here, and again, we need to think about this
2:20 as being, if you're familiar with a SIEM, a security information event management system,
2:24 this is an identity SIEM, sort of.
2:27 So, well, think of it that way.
2:28 Where is it going to do its collections?
2:30 Well, it's going to draw from identity sources and things that have information related to that.
2:36 An example would be something we call an IDP, an identity provider.
2:41 That's the thing that, for instance, you go to a portal and it authenticates you.
2:46 That's what you're logging into,
2:48 and then maybe it does single sign-on and refers you to other sites and vouches for you.
2:54 So that's going to be one source of information into here.
2:57 That's going to provide context, because it's going to know who the user is to begin with.
3:01 Another source of information that would be pretty important here is a directory.
3:05 In an identity and access management system,
3:07 a directory is anywhere we store identities: that could be user IDs, passwords, other kinds of information about the user as well.
3:15 And these two can be used in combination.
3:18 So we might have multiple directory sources.
3:21 So with these things you may hear the protocol LDAP, Lightweight Directory Access Protocol.
3:26 That's how you access information in a directory, or Active Directory, which is a very common directory that's in use these days.
3:34 Other information that would be useful is flow data.
3:37 So that is, there are things that happen on the network, and we'd like to collect that information as well.
3:44 So examples might be information from firewalls.
3:47 It could be information from a SASE product,
3:50 if you have one of those and are familiar with what those are about; that's out of scope for this discussion.
3:56 It could also be flow collectors that you put into your network.
4:00 Why are those useful?
4:01 Well, we're going to pull logs from these sources, but someone might come in and hack the log here,
4:06 make changes, delete the log. Well, with flow data, if I have a collector,
4:11 information flowed across the network and it made a copy.
4:14 Now,
4:16 the bad guy would have a hard time deleting that copy, because that information's already on a different system.
4:21 So the network never lies, as people like to say.
4:24 If I can capture the information going across the network, that adds yet additional information and additional visibility into this.
4:31 And then why not also add the SIEM in here as well?
4:35 So our security information event management system, it's got lots of different sources of information that are feeding into it,
4:42 and it would be really useful to take some of that and feed it into our identity threat detection and response system.
4:50 Once I've gathered all of that information, well, then
4:54 I'd like to put that out into a dashboard and do some visualization: show where the risky users are,
5:00 show where the suspicious accounts might be,
5:02 show where...
5:03 And I'll take you through more examples of what kinds of things we might look for in just a few minutes.
5:09 One other thing to take a look at here is, you say, well, why would the SIEM be here?
5:14 Why wouldn't you have this report into the SIEM?
5:16 Well, in fact, you could; this could be a two-way flow.
5:19 So this is what the security operations center cares about.
5:24 That's their view into the world, the SIEM, because it's going to have this network, systems, a very comprehensive view,
5:31 whereas this is going to have the IAM, identity-specific view.
5:36 So if you have a team that just focuses on identity and those kinds of issues, well, then this might be basically their SIEM.
5:44 So there could be a symbiotic relationship where each one of these systems
5:48 feeds the other, and they all benefit from that sharing.
5:51 So now we've done the collection.
5:53 Let's do the detection. Let's talk about what we're going to detect,
5:57 what we're going to use as indicators to tell us that we've got a problem we need to do something about.
6:02 Well, I'll tell you, again, I'm going to go back to our old friend, the SIEM, the security information and event management system.
6:09 So SIEMs are really good at certain things, but not everything.
6:14 And that's true of most tools.
6:15 So a SIEM is really good at telling you what did happen.
6:19 What they're not so good at is telling you what did not happen.
6:23 So it's good at seeing: this is what happened.
6:26 So, for instance, someone actually logged in and they were successful.
6:31 A user went and did get logged in, or maybe they didn't get logged in, so it could log unsuccessful attempts as well.
6:39 But what it wouldn't have necessarily noticed is that someone did log in,
6:44 but what we didn't see happen was multifactor authentication.
6:49 In other words, they had a sort of weak authentication to get in.
6:52 The SIEM would just see that this was a login, and that's probably all. You'd have to do
6:56 a lot of customization to give it the smarts to recognize that this is a condition we need to know something about.
7:03 Okay, so bear that in mind.
7:05 And what we're going to take a look at is a technology that allows us to find some of these "did not happen" scenarios.
7:12 I'll take you through some of those here.
7:14 I'm going to start off with a thing, going back to my days as an undergrad, we call a finite state machine.
7:20 So these are different states, and this is a diagram that indicates what are the proper flows from one state to another,
7:26 the "should occur" conditions, and then we'll go through a couple of "should not occur" conditions.
7:31 So, for instance, let's say we have an internal user. The internal user wants to hit just a general-purpose app within the organization.
7:39 So the internal user hits the IDP, the identity provider, they log in, and from there they are able to hit the general-purpose app.
7:49 No big deal.
7:50 Let's say they want to hit something that's sensitive.
7:52 So now this user comes in, hits the IDP, logs in,
7:57 but part of the login process makes them go off and do multi-factor authentication,
8:01 prove with a greater degree of certainty that you are who you claim to be.
8:06 And then once they pass that, then they're allowed into the sensitive app.
8:09 Okay, so far so good.
8:11 How about a scenario where we have an external user?
8:13 Well, an external user, we want them to come in through the VPN, the virtual private network.
8:18 Then they hit the IDP, then they log in to multifactor authentication, and then they're able to hit the sensitive app.
8:26 So those are all "should occur" conditions.
8:28 And then let's say an external user, which might be an employee working from home or off site,
8:33 needs to get to a privileged account, that's one that controls...
8:37 say it's the root account, or it's a sysadmin account, or database administrator account, network administrator account.
8:43 Well, those are really super sensitive accounts.
8:45 Okay.
8:45 They're going to come in through the VPN.
8:47 They're going to hit the IDP to log in.
8:50 They're going to come down and authenticate strongly.
8:54 Then they're going to hit our privileged account management system, or privileged access management system.
8:59 Then from there, they get the credentials to actually log into this.
9:03 So there we go.
9:04 That's a hypothetical situation that's basically talking about: these are the situations that should occur.
9:10 These are the states that should be allowed to happen.
9:13 Now, that's what did happen, or could or should have happened.
9:18 What if something like this occurs?
9:20 What if an internal user just comes in and directly hits the general access app?
9:28 Okay, that might be a problem.
9:30 That's a bypass of the IDP.
9:33 So we would want to know about that.
9:36 And if you had a state diagram tracking all of that, it would tell you that.
9:39 Let's say they came in and they hit the IDP,
9:42 but then from there they went straight to the sensitive app and somehow or other were able to get in.
9:47 How could that happen?
9:49 Well, if this thing was misconfigured, maybe someone left a backdoor, intentionally or unintentionally,
9:54 and this person didn't follow the process correctly.
9:58 Then we would have a multifactor authentication bypass.
10:02 So that's another condition, or something that did not occur, that a state diagram would be able to highlight.
10:09 Let's take another example.
10:11 Let's say we've got this external user who just skips by the VPN and comes right straight in and hits this.
10:20 Okay, that's a VPN access bypass.
10:24 So a different type of bypass.
10:26 And then maybe we have someone who comes in through a VPN,
10:30 they hit the IDP, and then from there they go straight down to this privileged account.
10:35 Now we have PAM bypass. So you can see each one of these controls that we've put in place
10:42 is designed to provide additional security.
10:45 But if we're not checking all of the conditions, we might in fact find that somebody found a backdoor.
10:51 They were able to find a bypass and get around that, and the SIEM wouldn't be a great tool necessarily
10:57 for highlighting that for you, but an identity threat detection and response tool that has
11:02 this kind of intelligence built into it would be able to see that.
11:06 Some other examples it might look for:
11:08 there's a thing called a password spraying attack. In this case,
11:11 you know, if you try to log in to an account with a bad password, usually you get three strikes.
11:16 The first time, if you don't get the password right,
11:19 it notes that. The second time,
11:21 it notes that. The third time, if you get it wrong, now you're locked out. So bad guys only get three tries at trying to break in.
11:28 So instead, with a password spraying attempt, they take a password and they try it one time on one account.
11:33 Then they try it on another account.
11:35 They try it on another, and another, and another,
11:37 and that way they fly slow and low, below radar, at least in most radars.
11:42 The SIEM probably would not see that, because it only looks like one failed attempt.
11:47 This system, though, would be able to see that there's a frequency that's occurring here, this same type of thing:
11:54 a guy is just going through and hitting all of these different accounts.
11:57 So we wouldn't highlight that.
11:58 That would be another detection scenario.
12:01 How about shadow IAM?
12:02 Meaning the IT organization didn't bless it,
12:07 didn't look at it, didn't configure it.
12:11 It's not following the policies of the organization.
12:14 So I'd be able to go and discover that there are other directories or other sources of identity that are out in my environment,
12:20 and I'd want to be able to make sure that they're configured and locked down.
12:23 There might be risky authentication protocols as well.
12:27 Maybe some of these protocols that have been around for ages
12:30 that have had vulnerabilities in them that haven't been fixed, and somebody just brought up a tool and now they're starting to use it,
12:36 and now they've exposed our organization because this is a risky authentication protocol. Lots of different possibilities.
12:42 I've only listed a few of them here,
12:44 but you get the idea that an identity threat detection and response tool
12:49 would be able to do a better job of finding these kinds of threats.
12:52 We used to think of firewalls as the edge of the environment,
12:56 but now people realize that identity is the new perimeter, all the way out to the end user.
13:02 And if you don't have an identity threat detection and response capability
13:06 that allows you to collect, detect, and respond to those threats, you've effectively left the front door wide open.
13:14 And it's chilly in here.
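The login flows the speaker draws as a finite state machine (7:14 to 11:02) and the password-spraying pattern (11:08 to 11:58), worked as detection logic over sample events. This is an added example, not code from the video or from IBM: the event schema (user, session, origin, type, control/resource, result, src_ip), the control and resource names, the sample users, session IDs and the 203.0.113.7 source address are all constructed for illustration.

```python
"""Added example, not code from the video or from IBM: a small identity
threat detection pass over constructed login events. The event format,
field names, sample users and addresses are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# The speaker's "should occur" flows: controls that must succeed, in order,
# before each resource may be hit. External users must enter via VPN first.
REQUIRED_CONTROLS = {
    "general_app": ["idp"],
    "sensitive_app": ["idp", "mfa"],
    "privileged_acct": ["idp", "mfa", "pam"],
}
BYPASS_NAME = {"vpn": "VPN bypass", "idp": "IDP bypass",
               "mfa": "MFA bypass", "pam": "PAM bypass"}

def required_path(resource, origin):
    """Full control path for a resource, given where the user comes from."""
    path = list(REQUIRED_CONTROLS[resource])
    if origin == "external":
        path.insert(0, "vpn")
    return path

def detect_bypasses(events):
    """Replay each session in time order as a state machine; report accesses
    made while a required control had not been passed (the "did not happen"
    check). Returns {(user, session): [bypass names]}."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        sessions[(e["user"], e["session"])].append(e)
    findings = {}
    for key, evs in sessions.items():
        passed = set()  # controls this session has completed successfully
        origin = evs[0]["origin"]
        for e in evs:
            if e["type"] == "control" and e["result"] == "success":
                passed.add(e["control"])
            elif e["type"] == "access":
                missing = [c for c in required_path(e["resource"], origin)
                           if c not in passed]
                if missing:
                    findings.setdefault(key, []).extend(
                        BYPASS_NAME[c] for c in missing)
    return findings

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One failure per account stays under a per-account lockout; one source
    failing against many accounts inside the window does not. Returns
    {src_ip: distinct accounts targeted} for sources over the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if (e["type"] == "control" and e["control"] == "idp"
                and e["result"] == "failure"):
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda x: x["ts"])
        for i, first in enumerate(fails):  # sliding window over failures
            accounts = {f["user"] for f in fails[i:]
                        if f["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                hits[src] = len(accounts)
                break
    return hits

T0 = datetime(2024, 1, 1, 9, 0, 0)  # base time for the constructed sample

def ev(secs, user, session, origin, kind, name, result="success",
       src_ip="10.0.0.5"):
    # 'name' is the control passed for kind="control", else the resource hit
    key = "control" if kind == "control" else "resource"
    return {"ts": T0 + timedelta(seconds=secs), "user": user,
            "session": session, "origin": origin, "type": kind,
            key: name, "result": result, "src_ip": src_ip}

SAMPLE_EVENTS = [  # constructed events, not real logs
    # alice, internal: IDP -> MFA -> sensitive app (should occur, no finding)
    ev(0, "alice", "s1", "internal", "control", "idp"),
    ev(5, "alice", "s1", "internal", "control", "mfa"),
    ev(9, "alice", "s1", "internal", "access", "sensitive_app"),
    # bob, internal: IDP -> sensitive app with no MFA step (MFA bypass)
    ev(20, "bob", "s2", "internal", "control", "idp"),
    ev(25, "bob", "s2", "internal", "access", "sensitive_app"),
    # carol, external: IDP -> MFA -> privileged account, no VPN and no PAM
    ev(40, "carol", "s3", "external", "control", "idp"),
    ev(45, "carol", "s3", "external", "control", "mfa"),
    ev(50, "carol", "s3", "external", "access", "privileged_acct"),
    # dave, internal: straight to the general app (IDP bypass)
    ev(60, "dave", "s4", "internal", "access", "general_app"),
] + [
    # one failed IDP login per account from one source: password spraying
    ev(100 + 30 * i, f"user{i}", f"x{i}", "external", "control", "idp",
       result="failure", src_ip="203.0.113.7")
    for i in range(6)
]

if __name__ == "__main__":
    for who, bypasses in detect_bypasses(SAMPLE_EVENTS).items():
        print(who, bypasses)
    print(detect_password_spray(SAMPLE_EVENTS))
```

Running the file reports bob (MFA bypass), carol (VPN bypass and PAM bypass), dave (IDP bypass) and the spraying source with six accounts targeted; alice produces nothing. The state-machine finding comes from the absence of a control event before the access event, which no single log line carries, and the spray check keys on the source rather than the account, which is exactly what a per-account lockout counter cannot do.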