Why Microsoft’s Latest Breach is an Identity Threat Detection Wake-Up Call
2024-1-26 00:47:18 Author: securityboulevard.com

When preventative identity security measures are circumvented successfully, ITDR provides a critical layer of detection, ensuring that:

  • Malicious activity originating with trusted identities is detected quickly, before the threat actor can execute a more sophisticated, long-term campaign.
  • Security teams have a detailed view of what happened, so they can execute a response and comply with mandated disclosure requirements in a timely and informed manner.

This isn’t trivial to do, since many of the techniques that threat actors use, including those used against Microsoft, are specifically designed to avoid detection by traditional detection methods that are rules-based or that only work at the infrastructure level.

At Reveal Security, we overcome this challenge through a patented innovation we call Identity Journey Analytics™. It applies unsupervised machine learning to discover how human users with varying levels of privileges, as well as APIs, interact with applications. This allows us to establish precise baselines of normal behavior and quickly reveal any anomalies that indicate abuse of a trusted identity.

In the case of Microsoft, this technique would have acted as a powerful complement to their preventative IAM controls, detecting that trusted identities were being used in abnormal ways and accelerating time to detection and response. For example, our Identity Journey Analytics would have detected the initial reconnaissance of Microsoft’s production environment from a non-production tenant as anomalous behavior. Subsequent activities during the campaign, such as a privileged user reading the emails of other users, would also have been detected.

Identity Journey Analytics is also effective at detecting other forms of trusted identity misuse, such as insider threats and third parties using APIs in suspicious ways. 

Today’s reality is that while most organizations have made tremendous strides with identity security in recent years, detection of identity-based threats post-authentication remains a critical gap. In fact, an estimated 86 percent of successful security breaches use stolen credentials.
ITDR is the critical missing piece that will complete your identity security strategy.


Article source: https://securityboulevard.com/2024/01/why-microsofts-latest-breach-is-an-identity-threat-detection-wake-up-call/