For modern financial and ecommerce organisations, identity and access management (IAM), online fraud detection, and the safeguarding of systems and data are converging. Bad actors are becoming more sophisticated in their attack vectors (the means by which an attack is delivered, such as bots or malware) and in the attack surfaces they target (the points where an attacker gets in, such as a registration form or a login page). This is forcing IAM teams, fraud teams, and infrastructure teams to come together and map their dependencies, vulnerabilities, and responsibilities.
To combat today's threat landscape, organisations need identity solutions that continuously evaluate user risk, even after initial trust is established, so that resources stay protected and incidents can be remediated quickly. That rests on three things:
Strategy - aligning business priorities with items such as regulatory requirements and the supply chain;
Proactive protection - assuming you are already being targeted and protecting infrastructure, identities, and integrations accordingly;
Resilience - constantly refining and improving.
Breaches and fraud are incredibly costly. Aside from the immediate financial impact, they can significantly damage a financial institution's credibility and customer trust, leading to lost revenue. All of this has led to heightened awareness in the C-suite and to Zero Trust (and other security-related) mandates.
These pressures have pushed the identity market to formalise rules for protecting IAM systems under the name Identity Threat Detection and Response (ITDR), and the industry is coalescing around a more robust definition of it.
To firmly grasp the definition of ITDR, it’s easiest to break the concept into pieces.
First, the “I”, for identity. IAM infrastructure is the entry point to business and financial resources, the digital ‘front door’. Bad actors compromise identity systems to reach valuable resources and commit fraud; account takeover (ATO) and new account fraud are the primary identity threats. Generally, IAM infrastructure includes services that provide the following capabilities: identity verification, authentication/single sign-on (SSO), profile management, multi-factor authentication (MFA), credential management, and authorisation.
As for the ‘TDR’, which stands for threat detection and response, there are five core requirements that align with the fraud journey: orchestrate, configure, detect, respond, and insights.
There are many capabilities wrapped up in each requirement. So, let’s dive deep into each:
Orchestrate – is about automation and integration. It brings identity infrastructure, related services, and other security applications together into automated end-user or administrative workflows. Learn more in the Ultimate Guide to Identity Orchestration.
Configure – is about settings, logic, and best practices. It happens at the start of the fraud journey and throughout it: initial set-up, followed by regular adjustments and updates based on real-world experience. It encompasses authentication, risk, and authorisation policies; RBAC/ABAC; tenant/SaaS resiliency; user lifecycle management; business logic; breach processes and procedures; PII handling; entitlement management; CIEM; and so on. It also includes determining who has access to which applications and resources, and ensuring there are no dormant or stale applications or accounts.
Detect – is about evaluating behaviour and infrastructure. It happens live, in production, while the bad actor is trying to gain access. It encompasses evaluating risk signals, flagging session and behaviour anomalies, and policy decisioning. Tools that check for system or software misconfigurations, inactive accounts, privilege escalation, or anomalous API access also play an essential role here.
o PingOne Protect offers robust online fraud detection capabilities and risk scoring, especially for new account fraud and account takeover. It combines multiple internal and external risk factors to provide a single access point for calculating and retrieving user risk scores. Detection techniques include event intelligence, device profiling, location intelligence, bot mitigation, block lists, behavioural biometrics, device security posture, UEBA, and more.
Respond – is about mitigation and remediation. It happens after a bad actor has gained access, or after an anomaly or misconfiguration has been detected. There are two parts:
o Runtime mitigations – end-user challenges or verifications and session termination, as well as containing and eradicating a known threat. Examples include prompting for MFA, killing an API connection, forcing a password reset, or requiring ID proofing.
o Post-event response – enacting breach processes, systems recovery, and automated response flows. Examples include event notifications, event investigation, tuning authentication and risk policies, and adjusting the authorisation framework.
Insights – is about logs, dashboards, and analytics. It requires aggregating data sources to gain visibility into user activity, systems/software configuration, and change management. A big part of it is forensic investigation. Reviewing the data empowers administrators to make impactful changes to the other ITDR components (orchestration, configuration, detection, and response).
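To make the detect and respond requirements concrete, here is an added example (not code from the article or from Ping Identity's products) of a minimal detect-decide-respond loop run over a few constructed login events. It combines the kinds of signals the Detect section lists (block lists, failed-attempt velocity, new device, impossible travel between sessions, absence of account history) into a risk score, maps the score to a policy decision, and emits the runtime mitigations the Respond section names. The signal weights, thresholds, and action names are illustrative assumptions, not PingOne Protect's scoring model, and the block list, last-seen context and events are constructed sample data.

```python
"""Added example: a toy ITDR detect -> decide -> respond loop over constructed
login events. Weights, thresholds and action names are illustrative assumptions,
not any vendor's actual scoring model."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample context: a small IP block list and the last-seen device
# and location for a known user (the per-account state an IdP would keep).
BLOCK_LIST = {"198.51.100.7"}
LAST_SEEN = {
    "alice": {"device": "dev-a1", "lat": 51.5, "lon": -0.12,
              "ts": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)},
}


@dataclass
class LoginEvent:
    user: str
    ip: str
    device: str                   # device fingerprint presented at login
    lat: float
    lon: float
    ts: datetime
    failed_attempts_last_10m: int  # velocity counter taken from the auth logs


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km, used by the impossible-travel check."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_event(ev, last_seen=LAST_SEEN, block_list=BLOCK_LIST):
    """Detect: combine independent risk signals into one score plus the reasons."""
    score, reasons = 0, []
    if ev.ip in block_list:
        score += 60; reasons.append("ip_on_block_list")
    if ev.failed_attempts_last_10m >= 5:
        score += 30; reasons.append("credential_stuffing_velocity")
    prev = last_seen.get(ev.user)
    if prev is None:
        # No history at all is typical of new-account fraud, so it is elevated.
        score += 20; reasons.append("no_history_new_account")
    else:
        if ev.device != prev["device"]:
            score += 25; reasons.append("new_device")
        hours = (ev.ts - prev["ts"]).total_seconds() / 3600
        dist = km_between(prev["lat"], prev["lon"], ev.lat, ev.lon)
        # Faster than ~1000 km/h between sessions is not a human travelling.
        if dist > 50 and (hours <= 0 or dist / hours > 1000):
            score += 40; reasons.append("impossible_travel")
    return score, reasons


def decide(score):
    """Policy decisioning; thresholds are assumed for illustration."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


RUNTIME_ACTIONS = {  # Respond: runtime mitigations per decision (assumed names)
    "allow": [],
    "step_up_mfa": ["prompt_mfa"],
    "block": ["terminate_session", "force_password_reset", "notify_soc"],
}


def process(events):
    """Run detect -> decide -> respond and return one record per login, the
    kind of data an Insights layer would aggregate into dashboards."""
    records = []
    for ev in events:
        score, reasons = score_event(ev)
        decision = decide(score)
        records.append({"user": ev.user, "score": score, "reasons": reasons,
                        "decision": decision, "actions": RUNTIME_ACTIONS[decision]})
    return records


T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed events, not real traffic
    # alice on her known device, still in London two hours later: benign
    LoginEvent("alice", "203.0.113.5", "dev-a1", 51.5, -0.12, T0.replace(hour=11), 0),
    # alice at noon from New York on an unknown device: account-takeover pattern
    LoginEvent("alice", "203.0.113.9", "dev-x9", 40.7, -74.0, T0.replace(hour=12), 1),
    # unknown user from a listed IP with a burst of failures: stuffing / new-account fraud
    LoginEvent("bob", "198.51.100.7", "dev-q2", 48.8, 2.35, T0.replace(hour=12), 7),
]

if __name__ == "__main__":
    for rec in process(SAMPLE_EVENTS):
        print(rec)
```

The three events land on the three decisions: the benign London login is allowed, the New York login on a new device is challenged with MFA rather than blocked outright (a step-up keeps a legitimate traveller in, while stopping a credential-only attacker), and the block-listed, high-velocity login with no account history is terminated and escalated. The returned records carry the reasons alongside the score, which is what makes later policy tuning and forensic review possible.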
In summary, ITDR is a proactive approach to protecting IAM infrastructure that hinges on integrating services and automating workflows (orchestrate), best practice set-up and management of systems, users, and access (configure), real-time user and infrastructure evaluation (detect), response to breaches and misconfigurations (respond), and aggregated data for forensics and to fine-tune and optimise (insights).
For financial and ecommerce organisations to combat fraud, every department that touches digital properties must work together to meet the requirements of ITDR and to tailor solutions that protect identity and access management infrastructure.
Louise Watson began her career in public media, non-profit fundraising, and political advocacy after finishing her master’s in political management at George Washington University in Washington, DC. She specialised in membership, fundraising, and marketing at Rocky Mountain PBS and Donor Development Strategies before transitioning to lead customer and product development at ACD Direct. While at ACD, Louise became a certified Product Master via the Pragmatic Institute. She is now the Product Marketing Manager at Ping Identity and an avid skier and golfer in her spare time.
At Ping Identity, we believe in making enterprise experiences both secure and seamless for all users, without compromise. That’s digital freedom. To achieve this, the PingOne Cloud Platform turns you into an experienced artist who can bring exceptional journeys to life with a simple no-code canvas. You can deliver passwordless authentication, protect user privacy, prevent fraud, architect for zero trust, and much more. For more information, please visit www.pingidentity.com.