Secure your small business:
Apps → Data →

Identity Threat Detection and Response (ITDR)

Quick definition  ⓘ
Why it matters: Identity threats are responsible for the vast majority of cybersecurity breaches—but have proven amongst the hardest to address. ITDR addresses this.
Proportion of all data breaches that currently involve credential misuse, the most frequently encountered identity threat.

Key Points

  • Successful authentication has long used as practical proof of session identity
  • Phishing and other forms of credential theft show why this is way of thinking is obsolete
  • Identity threats go beyond mere stolen credentials
  • Stolen devices, step-ins, subcontracting, and employee account sharing are all threats
  • ITDR is a new cyber vertical focused on detecting and responding to identity threats
© Tsingha25 / Dreamstime

For decades, identity in computing has been a matter of usernames authenticating to a session. But an authenticated session is no guarantee of identity.

Quick Read

In the cloud and network computing era, it has become clear that the largest source of cybersecurity risk for systems and data isn't buggy code, misconfigured hardware, zero-day exploits, or other similarly technical—and more "traditionally" cybersecurity—issues.

Instead, the largest sources of cybersecurity risk, and the largest contributors to data breaches and cyber incidents, are identity threats—cases in which there may be a mismatch between the presumed identity associated with a session, process, or workflow, and the identity of the actual individual with hands on keyboard.

Identity threats come in all shapes and sizes, from clearly malicious activities like phishing and spear-phishing to instances of petty crime like corporate device theft to activities that are incorrectly seen as benign, like account sharing within departments or teams. In each case, the potential exists for a privileged or sensitive resource of some kind to be accessed by an authorized account—that is in use by an unauthorized individual that does not own it.

Though initially many of these threats were associated primarily with specific technical domains—phishing with email security, device theft with physical security, account sharing with IT policy and governance, and so on—the overwhelming prevalence of identity as a driver of breaches has led in recent years to the rise of identity threat detection and response (ITDR) in cybersecurity.

IDTR encompasses tools and technologies designed to detect instances in which the authenticated session account does not match the actual user at the keyboard and to respond to these instances accordingly. In some cases, these are accomplished at the attack surface or service edge and in other cases they are accomplished more centrally via security incident and event management (SIEM) or security orchestration and response (SOAR) and data enrichment and correlation, but in all cases the goal is to raise a flag saying "This user is not the owner of this account!" and then take necessary steps.

Key ITDR core technologies include behavioral biometrics, various forms of user and entity behavior analytics (UEBA), advanced SIEM/SOAR data management and integration, and biometric or other forms of post-user-pass authentication. Though ITDR is relatively new, it is likely to grow rapidly in importance as it matures, given the degree to which identity threat detection and response remains one of the great undersolved problems in the real-world cybersecurity landscape.

Further Reading

—Aron Hsiao

Need Identity Threat Detection and Response solutions?
We can help!

Plurilock offers a full line of industry-leading cybersecurity, technology, and services solutions for business and government.

Talk to us today.


Thanks for reaching out! A Plurilock representative will contact you shortly.

What Plurilock Offers
Real-time Identity Confirmation and SIEM Enrichment with Behavioral Biometrics
SSO, CASB, and DLP with Real-Time Passive Authentication

More to Know

© Kittisak Jirasittichai / Dreamstime


While related to IAM, SSO, and PAM in various ways, ITDR has different goals—specifically to detect cases in which there is a likely mismatch between the actual individual at the keyboard and authenticated sessions or accounts where identity is supposedly "known" and "proven."

© Ronstik / Dreamstime

ITDR Requires New Ways of Thinking

The biggest challenge faced when seeking and deploying ITDR solutions is often one of imagination. The user-pass identity architecture has become so entrenched as to seem self-evident, yet this is precisely the problem that ITDR seeks to solve—how to look beyond "successful authentication."

© Cammeraydave / Dreamstime

ITDR and Behavioral Biometrics

Behavioral biometrics one key early strand of ITDR technology. For example, products like Plurilock DEFEND use biometrically unique patterns in user keyboard and mouse activity to recognize and inform SIEM systems that the hands currently on the keyboard do not belong to the account owner.

Quick Definition

Identity Threat Detection and Response technologies concern themselves with detecting mismatches between the owner of a session, grant, or set of credentials and the individual who appears to be using them at any given moment. Unlike Identity and Access Management (IAM) tools, which mostly concern themselves with the day-to-day of identity management and authentication, ITDR technologies are designed to detect and enable responses to cases in which an unauthorized user may have gained access, whether as a matter of credential theft, account takeovers, session takeovers, other other instances in which the user of an identity appears no longer to be its owner.

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.