
Identity Detection and Response Technology Gives Zero Trust a Boost

By Carolyn Crandall, Chief Security Advocate, Attivo Networks

Zero trust has been a hot topic in the cybersecurity community for several years, mainly because attackers have gotten better at bypassing perimeter defenses and infiltrating networks. All too often, once inside they are free to move laterally with little fear of detection. Zero-trust architecture (ZTA) adds a layer of in-network security by treating every identity as a potential threat and withholding access to data and resources until each request has been authenticated and authorized.

Unfortunately, ZTA isn’t a single, easy-to-obtain product or service. It’s an ideal that organizations should strive for, and ultimately more of a journey than a destination. As cybercriminals shift their approach toward identity-based attacks, Identity Detection and Response (IDR) technology has emerged as an essential way to fill the ZTA gaps left by other in-network defenses.

Identity Exploitation Remains Rampant

Zero-trust architecture combines multiple security approaches, including identity management, asset management, application authentication, network segmentation, and threat intelligence. It is important to remember that treating all identities as potential threats doesn’t just apply to user identities. User trust is just one element of ZTA, alongside device trust, transport/session trust, application trust, and data trust. To be effective, ZTA must consider more than just whether an individual user is authorized. It also needs to consider the device or application used to access the network, the data accessed, and other factors.

Part of the reason for the rush to adopt ZTA is that cybercriminals have gotten very good at exploiting these various identities. The 2021 Verizon Data Breach Investigations Report indicates that credential data factored into 61% of breaches, while Gartner estimates that “75% of security failures will result from inadequate management of identities, access, and privileges” by 2023, up from 50% in 2020. These statistics shouldn’t come as a surprise, given that many network defenses do not flag suspicious activity when it comes from what they perceive to be a valid identity. A cybercriminal with a set of stolen credentials can often use them to access the network and move laterally through it undetected, which naturally makes credential theft and other identity-based techniques popular with adversaries and further highlights the need for ZTA.

Privileges and entitlements also factor heavily into a comprehensive ZTA approach. ZTA should operate on the principle of least privilege: an identity should only have the right to access data or areas of the network it needs to fulfill its job or function. This limited set of privileges helps ensure that even if an attacker can compromise an identity, that attacker cannot access anything outside that identity’s usual purview. For this to work, organizations must thoroughly understand the rights and privileges of each identity present in the network, but many lack this level of visibility.

Filling in ZTA’s Identity Security Gaps

Identity Detection and Response (IDR) is a relatively new category that arose to address certain gaps in identity protection, and thus in broader zero-trust architecture. IDR detects credential theft, privilege misuse, and risky entitlements that create attack paths to high-value targets such as Active Directory (AD).

Existing identity tools and categories like Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) tend to focus more directly on authentication and authorization. IDR tools don’t just ensure the right identities have access to the right information; they provide greater visibility into entitlement exposures, credential misuse, and privilege escalation activity. These capabilities are especially valuable as organizations continue to migrate to the cloud, since IDR protections extend from the endpoint into multi-cloud environments. And with the number of cloud-based identities continuing to skyrocket, the ability to extend this critical element of ZTA into cloud environments is essential.

IDR is a foundational step in the right direction. IDR solutions actively look for attacks targeting identities as they happen, rather than relying primarily on telemetry collected for later analysis, as Endpoint Detection and Response (EDR) and similar solutions do. The “active” nature of this defense is significant. When an IDR solution detects attack activity, it feeds fake data back to the attacker, redirecting the attack away from valuable assets and toward decoys. Most IDR solutions can also isolate a system believed to be compromised, walling the attacker off from the rest of the network.
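The detection half of that loop, as an added illustration that is not Attivo’s code and describes no particular product: decoy credentials are planted in the directory, nothing legitimate ever uses them, so any authentication attempt that presents one is by construction an attacker, and the host that presented it becomes a candidate for isolation. The decoy names, the event shape (a few real Windows Security event fields as a SIEM forwarder might emit them) and the sample events are all constructed assumptions.

```python
"""Decoy-credential detection over constructed Windows logon events.

Added example, not Attivo code. Assumptions (all hypothetical): decoy accounts
named in DECOY_ACCOUNTS exist in AD and are never used legitimately; events are
dicts carrying real Security-event field names (EventID, TargetUserName,
IpAddress), as a log forwarder would emit them.
"""
from dataclasses import dataclass

# Constructed decoy account names; any authentication with them is hostile.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy"}

# Windows Security event IDs that carry an authentication attempt.
AUTH_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failure",
}


@dataclass(frozen=True)
class Alert:
    account: str
    source: str      # IP of the host that presented the decoy credential
    event_id: int
    severity: str
    reason: str


def normalize_account(name):
    """Strip DOMAIN\\ and @realm forms so 'CORP\\Adm_Legacy' matches 'adm_legacy'."""
    return name.split("\\")[-1].split("@")[0].lower()


def classify_event(event):
    """Return an Alert if the event is an authentication attempt with a decoy account."""
    event_id = event.get("EventID")
    if event_id not in AUTH_EVENTS:
        return None
    account = normalize_account(event.get("TargetUserName", ""))
    if account not in DECOY_ACCOUNTS:
        return None
    # A successful logon means the attacker holds a usable decoy credential;
    # failures and TGT requests still prove someone is trying stolen material.
    severity = "critical" if event_id == 4624 else "high"
    return Alert(
        account=account,
        source=event.get("IpAddress", "unknown"),
        event_id=event_id,
        severity=severity,
        reason=f"decoy credential used in {AUTH_EVENTS[event_id]}",
    )


def detect(events):
    """Run every event through the classifier and keep the alerts."""
    return [alert for alert in map(classify_event, events) if alert is not None]


def hosts_to_isolate(alerts):
    """Hosts that presented a decoy credential: candidates for network isolation."""
    return {alert.source for alert in alerts}


# Constructed sample events; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4768, "TargetUserName": "svc_backup_old", "IpAddress": "10.0.1.15"},
    {"EventID": 4625, "TargetUserName": "CORP\\Adm_Legacy", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc_backup_old", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "ahernandez", "IpAddress": "10.0.2.40", "LogonType": 2},
    {"EventID": 4688, "TargetUserName": "adm_legacy", "IpAddress": "10.0.2.40"},  # process creation, not an auth event
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert.severity}] {alert.source} used decoy '{alert.account}': {alert.reason}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The value of the decoy is that the rule needs no baseline and no tuning: a decoy account has zero legitimate use, so a single hit from 10.0.1.15 is enough to isolate that host, whereas the same logon events for jsmith or ahernandez would look like normal activity to a tool that only judges whether the credential is valid.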

IDR’s role alongside identity exposure visibility is also important to note. As the saying goes, you don’t know what you don’t know, and you can’t protect what you don’t know about. Too many organizations lack visibility into exposed credentials, overly permissive entitlements, AD misconfigurations, and other vulnerabilities. Identifying and remediating these issues can significantly shrink the attack surface, leaving attackers little room to operate. Together, IDR and identity visibility tools present a powerful package for avoiding, stopping, and derailing threats.
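The visibility this paragraph and the least-privilege discussion above call for starts with knowing which identities carry which exposures. As an added example (not ADAssessor or any Attivo code), the following audit runs a handful of well-known checks over an Active Directory export: service accounts with an SPN (Kerberoastable), accounts that do not require Kerberos pre-authentication (AS-REP roastable), unconstrained delegation, and non-expiring passwords that have gone stale, and it marks any of these found on a member of a privileged group as a direct attack path to AD. The attribute names are real AD attributes as an LDAP export yields them; the accounts, dates, privileged-group list and one-year staleness threshold are assumptions, and the checks are a sample, not an exhaustive catalogue.

```python
"""Identity exposure audit over a constructed Active Directory export.

Added example, not ADAssessor or Attivo code. Assumptions: input is a list of
dicts keyed by real AD attribute names (sAMAccountName, userAccountControl,
servicePrincipalName, memberOf, pwdLastSet); accounts and thresholds are made up.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000
UAC_DONT_REQUIRE_PREAUTH = 0x400000

# Built-in groups whose members can take over the directory (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
STALE_PASSWORD_AGE = timedelta(days=365)          # assumed policy threshold
NOW = datetime(2021, 11, 1, tzinfo=timezone.utc)  # fixed "today" for determinism


def group_names(member_of):
    """'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'."""
    return {dn.split(",")[0].split("=", 1)[1] for dn in member_of}


def audit_account(acct, now=NOW):
    """Return the list of exposures found on one user account."""
    uac = acct.get("userAccountControl", 0)
    if uac & UAC_ACCOUNTDISABLE:
        return []  # disabled accounts belong in a separate re-enablement review
    findings = []
    if acct.get("servicePrincipalName"):
        findings.append("SPN on a user account: Kerberoastable (service ticket crackable offline)")
    if uac & UAC_DONT_REQUIRE_PREAUTH:
        findings.append("Kerberos pre-authentication not required: AS-REP roastable")
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("Unconstrained delegation: caches TGTs of anyone who authenticates to it")
    pwd_last_set = acct.get("pwdLastSet")
    if uac & UAC_DONT_EXPIRE_PASSWORD and pwd_last_set and now - pwd_last_set > STALE_PASSWORD_AGE:
        findings.append(f"Password never expires and is {(now - pwd_last_set).days} days old")
    privileged = group_names(acct.get("memberOf", [])) & PRIVILEGED_GROUPS
    if privileged and findings:
        # Any exposure on a privileged identity is a direct attack path to AD.
        findings.append("PRIVILEGED: member of " + ", ".join(sorted(privileged)))
    return findings


def audit(accounts, now=NOW):
    """Map sAMAccountName -> findings for every account with at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


def attack_paths(report):
    """Accounts whose exposures lead straight into a privileged group."""
    return sorted(name for name, findings in report.items()
                  if any(f.startswith("PRIVILEGED") for f in findings))


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_EXPORT = [  # constructed accounts, not a real directory; 0x200 = NORMAL_ACCOUNT
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"], "pwdLastSet": _utc(2021, 9, 3)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | UAC_DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"], "pwdLastSet": _utc(2017, 4, 12)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | UAC_DONT_REQUIRE_PREAUTH,
     "memberOf": [], "pwdLastSet": _utc(2021, 6, 1)},
    {"sAMAccountName": "helpdesk_t2", "userAccountControl": 0x200 | UAC_TRUSTED_FOR_DELEGATION,
     "memberOf": ["CN=Account Operators,CN=Builtin,DC=corp,DC=example"], "pwdLastSet": _utc(2021, 10, 20)},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x200 | UAC_ACCOUNTDISABLE,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"], "pwdLastSet": _utc(2015, 1, 1)},
]

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for name, findings in report.items():
        print(name)
        for f in findings:
            print("  -", f)
    print("attack paths:", attack_paths(report))
```

On the constructed data, svc_sql is the account to fix first: a Domain Admin with an SPN and a password unchanged for years is exactly the entitlement-plus-credential exposure the paragraph describes, and remediating it (a gMSA or a long, rotated password plus removal from Domain Admins) closes the path regardless of whether an attacker has yet appeared.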

Embracing IDR to Improve ZTA

It is easy to draw a straight line from IDR to ZTA. By introducing an active defense element to identity protection, IDR adds a new layer of security on top of today’s existing tools. Zero trust isn’t a single product; it is a set of architectural principles, implemented by a range of defense technologies, that addresses the vulnerabilities today’s attackers continue to exploit. And with identity-based attacks making up a significant share of today’s threat landscape, embracing IDR as a way to shore up the gaps in your zero-trust architecture isn’t just smart, it’s essential.

Read the original article in the November edition of CISO Mag.
