Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Mike Neuenschwander. He is the Research Director for Identity and Access Management here at KuppingerCole, hailing from Utah, if I remember correctly. Hi, Mike. Good to see you.
Matthias, good to see you again.
Great. And we've made it. We've come to yet another four letter acronym. Today, we want to talk about ITDR. So first of all, can you start by explaining what ITDR is, what the acronym is, and why it is such a critical area in cybersecurity?
Sure. I'm smiling a little bit because this is even a stranger question, or the answer is stranger than even in most cases with four-letter acronyms. ITDR stands for Identity Threat Detection and Response. Now, this comes as an extension of what we have normally thought of as Threat Detection and Response. Only now what's happening is that the attackers, the threat actors out there, have decided that it's easier to come in the front door than the back door. So identity is now being attacked as a vector into enterprise systems. And as a result, we now need Threat Detection and Response for identity systems themselves. So that's kind of the overall understanding: it's similar to Threat Detection and Response, as we already know it, in the way it's practiced in the security operations center, for example, but now applied to identity.
Right, and when you say that the attackers are coming through the front door, attacking the identities, is this what makes it such a critical area in cybersecurity, so that just the threat scenario has changed?
Yeah, identity actually puts an important spin on this. And this is why it's really quite a different exercise than historical Threat Detection and Response. What I mean by the front door is that when you're thinking about a firewall or an endpoint or something of that nature, it's easy to go turn off a port, for example, to simply cut off access at a certain place. When you talk about an identity, you can't really cut off an identity. These are people who need access to your systems, right? And so you can't simply turn the identity off. And as long as the identity is not compromised, it should have access to your system. So the insidious part of this is that the threat actor then has the opportunity to catch a ride, right, with your authorized people, authorized accounts, to come into your environment and then from there move laterally or do whatever they need to do to gain access to your systems and data. So it makes it much harder to detect and much harder to deal with, because identity, by nature, is not some kind of a hardware entity or something like that. It's a legitimate account that's been hijacked.
Right, so if we look at the functionalities that are in these ITDR tools and these platforms, whatever how they look like, what are some of the key features that are in there and that are important that organizations should look for? You did a report on that, you did a Leadership Compass on that, so you compared them, so you know, so what is important?
That's right. That's right, we did some research recently that was just published, and we're finding that there's actually pretty good agreement in terms of what the overall use case should be for Identity Threat Detection and Response. But not everybody approaches it the same way and doesn't always provide all of these mechanisms. So the overall goal with these products is to create an identity posture that is essentially able to ward off any attacks. I mean, ideally, you don't need, or at least not very often, to do a lot of response, right? Obviously, eventually there will be breaches, and you obviously do need to respond to those. But ideally, what you do is you set up a scenario in which your identity posture is so good that you don't really get very many opportunities to use your response tools. So to me, there's two different aspects to that. The first one is that there's an administrative function that helps you get visibility and tighter control around all the identities and keep all of the exposures to your identity system in check. So you can understand how to clean up dormant accounts, have better hygiene around the systems themselves, understand the groups, who owns system accounts, things like that. That's essentially a cleanup exercise. And it's very important because the threat actors will look for weak links in any kind of identity chain or system and begin their exploits there. But of course, that's not enough. We need to obviously monitor, right? So that's kind of a separate function: to continuously monitor these systems to identify threats, hopefully without creating a lot of false positives so that the SOC gets overworked. Some of the best products know how to basically understand how to only identify those things that are actually really problems. And then essentially relate to the security operations team when they need to actually go threat hunting and essentially killing the threat and that sort of thing.
And then there obviously needs to be some kind of response to that attack. So it's a very broad swath of technology all the way from just hygiene at the beginning to basically, handling attacks when they actually occur. Well, some would even think that once you have actually realized that you've had a breach, that you also need to have some ability to restore a previous known state or know how to basically not just respond to the attack, but then also restore the system to a good state. So it could even go that far.
Right, So from what you described, these are functionalities that are identifying signals that hint at that this identity is no longer as I was expecting it to be. So, and this sounds a lot like functionality that I talked to our colleague John Tolbert about when it comes to Fraud Reduction Intelligence Platforms. I know it's about fraud, it's a different use case, but they also need to identify, for example, account takeover. Is the right person using this account or can I identify any signals that make me at least suspicious that this is not the right person with the right account using it? Is it the same functionality? Is it similar?
Yeah, it's very similar. Yeah, it's definitely similar. That's a really good insight. The thing that's, I think, common in these use cases is that the introduction of this use of identity makes these signals very difficult to sort of correlate and to really understand what's happening. A lot of times, in traditional, when you're traditionally looking for somebody performing a denial of service attack or something of that nature, it's fairly easy to spot that there's a certain type of attack happening. There's a certain kind of pattern you can watch for with that. With fraud and even with any kind of account takeover, oftentimes it's not that apparent. And even using behavioral systems and other kinds of things. And often what happens is the original door in, there might be a compromised account. Usually the attacker won't stick with that account. They'll move laterally and try to find a more administrative account and they'll start moving around the environment. Now these signals are coming then from a number of different sources and it's not necessarily easy to correlate that whole view so that you can understand that you're actually under attack because it may look like a lot of random accounts performing actions that individually may seem perfectly fine, but collectively could raise an alarm.
Right, and you've written in your report that ITDR at its core is not a technology but a use case. So does that reflect what we've discussed already?
Yeah. It does. There's actually a pretty easy way to prove that that's the case. And then I'll talk a little bit more about what I mean. But really none, actually none of the vendors that we reviewed and none of that are even on our vendors to watch actually refer to their product as ITDR. That's not in the name of the product. Okay. So it's difficult to say that you're going to go buy an ITDR product. There's really no such thing. So what you're looking for are products that form an ITDR role in your environment. And usually these tools are integrated with SIEM tools, right, with orchestration tools and other kinds of things like SOAR, right? And they're also obviously connected to identity systems and other systems. But these tools are more general purpose, like the products that you buy offer a lot of other features. So for this reason, it's very difficult to compare one vendor to another in terms of their ITDR performance because each of the vendors has a slightly different approach to what they're actually trying to accomplish in a sort of "Gestalt" [shape] view, right? That is German. So, yeah. So that's why it's, I think that about, I predicted that next time we do this report, it will no longer be called ITDR as a report. I think that, so I came up with a fun acronym, identity defense in depth. And it's kind of fun because see, if you say, for example, who came up with, I did, right? Who came up with IDID? It's like, well, I did. It's like, I did? Yeah, I did. Anyway, it can go back and forth. But I think that what we'll find is that this market will morph into something different by the time we see it next.
Right, but if we distinguish between market and the use case, I think the necessity and the need for such a use case or these use cases is obviously there and this is changing towards that direction. And you've mentioned that this data, the Intel that comes in through these solutions, of course is consumed by, for example, SIEM, SOC, but these are then different types of signals than before. So it's no longer an alarm from a firewall. Now we're looking at identity. Is SOC moving closer to Identity and Access Management then?
Yeah, so first of all, I feel like I want to answer two of those things. First of all, yes, the security operations center is starting to get signals, and threat hunting for identity stuff is not something they're used to doing. They're not familiar with identity systems necessarily. And so what's happening is that the security operations center, or the analysts and IT administrators, are starting to try to build a common vocabulary about how they can actually stop identity breaches. And this is another reason why attackers like identity: because they feel like they've found that place right in the middle to attack, where neither team really knows for sure what they're doing when it comes to detection and response and that sort of thing. So these teams are sort of rushing together to understand how to protect enterprises from that attack that can happen right in between the teams. So these tools for ITDR, I think, are helping those teams collaborate more than they have before. And it really is important to find a tool that bridges the otherwise gap in between a normal sort of IT administration approach and what an analyst does in a SOC. The other thing I wanted to answer just briefly is the size of the market. You mentioned the market is growing and there always will be a market need. In the report, I ventured a number that last year there was easily a billion dollars worth of activity here in the market, and it's growing, and everyone I've talked to is growing at over 100%. So there was a tremendous need in this market. But I think it's important not to just look at what the vendors are earning. If you take into account not just how much money is being spent on software, but also in terms of how much labor is going into, I mentioned analysts and IT administrators chasing down these threats. That's very expensive. In addition, you have a lot of custom built solutions to try to figure this stuff out and consulting costs.
But I think in this case, we also have ransomware costs. So if you actually end up with a ransomware situation, that's very costly. And then of course, there's the lawsuits that ensue. And then there's all kinds of other problems that happen. So there's a lot of soft, I don't know if they're called soft costs in this case, but you see there is a tremendous amount of financial pressure to find an answer to this identity threat detection area.
Right, when we look at how we position our advisory services in cybersecurity and we are an IAM native company, that is where we come from. So identity-centric security is something that we use as a term to describe what we are looking at. Is this a trend that is reflected in there and do you see that evolving over time? And if you look into, I don't know, the next two years, can you share some of your insights? What do you expect? What will happen with this identity-centric security with your identity defense in depth approach for the next two years? You said ITDR might go away, but the use case won't go away, right?
That's right. Yeah, let's not get that confused. Yes, absolutely. There's tremendous growth in this space. It's just that ITDR is just not broad enough of a term to describe what we're actually trying to accomplish. And so that's why I brought it up. So what I was trying to do is create a larger umbrella, actually, with that terminology. But yes, I think for us, who have traditionally been in the identity business, it's already become cliche how important identity is in security. But I hear a lot of people now starting to finally adopt the mantra that identity is the new perimeter. We've said that for, I don't know, a decade or more. But it's really been adopted now as a mantra even at the board level. People understand that identities are, in fact, extremely important to protect. And that's only going to increase over the next couple of years, especially now that we have AI agents out there, things that can behave as individuals, but essentially are just bots or agents of some type. So this is only going to really blur a lot of things and create a scenario where we need even more IDID. Yeah, to your point.
Exactly. So full disclosure, I'm in the role of the Director Practice IAM. You are in the role across the pond being the Research Director IAM. We are getting closer to EIC in June in Berlin. So you will come over to Germany to talk about these topics. ITDR will be an important part, but it will be a part of it, right?
Oh, absolutely. I have a presentation in Berlin on this topic and we'll discuss it, of course, in many other of the presentations that will be there as well. And you'll be doing a number of things as well, right?
Exactly, exactly. I'm more on the moderating side, which is good, to have others talk and just ask questions, just like here. But in general, yes, I'm really looking forward to seeing that topic evolve. So really understanding. Yes, you said we've been saying that for 10 years now: identity is the new perimeter. But finally understanding that it is the case and that there are technologies around that, that there are processes around that, that actually leverage this information. I think that is of importance. And seeing that in real life, that is maybe also the beauty of EIC, not only having products and analysts talking about stuff, but also having end users and best practices, already success stories around. That should also be an important part. So we will be there. You will be there. Any final words before we close down when it comes to ITDR or EIC?
Only that I hope to see everybody there and if you get a chance to stop either Matthias or myself in the hall, please do so. We'd love to talk.
Absolutely. Thank you very much, Mike, for being my guest today. To the audience, if you have any questions, as usual, drop your questions in the notes below this YouTube video or reach out to us if you're catching this episode via your favorite podcatcher from any of these platforms where we are out there. We are happy to discuss your questions or answer them. If you have suggestions on what Mike and I could talk about, please reach out to us. We will do, unless it's not IAM related, of course. But please reach out to us, talk to us in Berlin, and I'm looking forward to having you, Mike, for a further episode very soon. Thanks again. Bye bye, Mike.