ITDR and ISPM: The Best of Both Worlds

At first glance, Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) sound like two names for the same thing (because one thing we really need in cybersecurity is more acronyms). While they do share some similarities – like a keen eye for trouble – they each play a very specific role in identity security and solve very different problems. But that’s exactly why they complement each other so well. In this article, we’ll break down what each does, how they work together, and why you can’t afford not to know the difference.

ISPM: Proactively Reducing the Identity Attack Surface

ISPM’s primary function is to increase visibility into your entire identity infrastructure, including users, resources and permissions, whether on-prem or in the cloud. While ITDR focuses on the real-time response to ongoing threats, ISPM ensures your environment isn’t full of exploitable weaknesses in the first place.

ISPM continuously assesses the state of your identity attack surface to identify weaknesses before they are targeted by an actual attack. These weaknesses might include misconfigurations, excessive privileges, poor practices and insecure legacy infrastructure. For example, accounts configured with unconstrained delegation are ideal targets for privilege escalation – something attackers are always interested in, as it allows them to acquire higher-level permissions. ISPM, however, can detect such misconfigurations and alert the identity team, giving them the opportunity to fix – or at least mitigate – the issue before any attacks are launched.
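To make the posture-assessment idea concrete, here is an added example (not Silverfort's code) of the kind of check an ISPM tool runs over an identity inventory. It uses the documented Active Directory userAccountControl bit flags to spot unconstrained delegation, disabled Kerberos pre-authentication and "password not required", flags privileged accounts that carry an SPN or are not marked "sensitive and cannot be delegated", and turns the findings into a posture score. The inventory records, group names and scoring weights are constructed assumptions for illustration.

```python
"""Toy ISPM-style posture check over a constructed Active Directory inventory.

Added example for this article; not Silverfort's code. The account records
below are constructed to resemble LDAP attributes; the scoring weights are
arbitrary assumptions chosen for illustration.
"""

# userAccountControl bit flags as documented by Microsoft for Active Directory.
UF_PASSWD_NOTREQD = 0x0020
UF_TRUSTED_FOR_DELEGATION = 0x80000          # unconstrained Kerberos delegation
UF_NOT_DELEGATED = 0x100000                  # "account is sensitive and cannot be delegated"
UF_DONT_REQUIRE_PREAUTH = 0x400000           # Kerberos pre-authentication disabled

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed inventory, shaped like the attributes an LDAP export would return.
INVENTORY = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | UF_TRUSTED_FOR_DELEGATION,
     "memberOf": ["Domain Admins"], "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x200,
     "memberOf": ["Domain Users"], "servicePrincipalName": []},
    {"sAMAccountName": "adm-legacy", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "memberOf": ["Administrators"], "servicePrincipalName": []},
    {"sAMAccountName": "da-ops", "userAccountControl": 0x200 | UF_NOT_DELEGATED,
     "memberOf": ["Domain Admins"], "servicePrincipalName": []},
]

# Assumed weight per finding type, used to turn findings into a posture score.
WEIGHTS = {
    "unconstrained_delegation": 30,
    "privileged_with_spn": 20,
    "preauth_disabled": 15,
    "privileged_delegatable": 10,
    "password_not_required": 10,
}


def is_privileged(account):
    return bool(PRIVILEGED_GROUPS & set(account.get("memberOf", [])))


def assess_account(account):
    """Return a list of (finding, account) tuples for one account."""
    uac = account["userAccountControl"]
    name = account["sAMAccountName"]
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append(("unconstrained_delegation", name))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("preauth_disabled", name))
    if uac & UF_PASSWD_NOTREQD:
        findings.append(("password_not_required", name))
    if is_privileged(account):
        # A privileged account with an SPN exposes a service ticket to offline cracking.
        if account.get("servicePrincipalName"):
            findings.append(("privileged_with_spn", name))
        # Privileged accounts should carry the "cannot be delegated" protection.
        if not uac & UF_NOT_DELEGATED:
            findings.append(("privileged_delegatable", name))
    return findings


def assess_inventory(inventory):
    """Aggregate findings, ordered by weight so the worst issues come first."""
    findings = [f for acct in inventory for f in assess_account(acct)]
    findings.sort(key=lambda f: WEIGHTS[f[0]], reverse=True)
    return findings


def posture_score(findings):
    """Score from 100 down; resolving a finding raises the score, as the article describes."""
    penalty = sum(WEIGHTS[kind] for kind, _ in findings)
    return max(0, 100 - penalty)


if __name__ == "__main__":
    found = assess_inventory(INVENTORY)
    for kind, who in found:
        print(f"[{WEIGHTS[kind]:>2}] {kind:<26} {who}")
    print("posture score:", posture_score(found))
```

Running it lists five findings, led by the unconstrained-delegation flag on a Domain Admin service account, and a posture score of 15; clearing the delegation flag and the SPN on that account removes three of them and lifts the score, which is the feedback loop an ISPM score is meant to provide.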

ITDR: Identifying Ongoing Attacks

ITDR is a security solution purpose-built to detect and respond to identity-related TTPs (Tactics, Techniques, and Procedures, as defined by MITRE ATT&CK) targeting credential access, privilege escalation, or lateral movement. For example, attackers often use compromised credentials to gain initial access into an environment, move laterally and spread ransomware. It’s ITDR’s job to detect this flow while it is in progress and, crucially, put a stop to it before too much damage is done. Think of ITDR as an identity watchdog, watching closely over all authentications and access attempts in real time to spot potential malicious presence and activity, such as attempts to access sensitive resources from unauthorized locations. When a threat is detected, ITDR should trigger a response – such as alerting the security team or, even better, locking down the affected accounts – and enable further investigation.

ITDR & ISPM: Better Together

ITDR and ISPM are two sides of the same coin: mitigation and remediation. As such, they work best when combined. ISPM will continuously monitor and harden your identity infrastructure to reduce your attack surface, while ITDR will detect and respond to active threats.

Here’s how they work together and why you need both:

ITDR

- Detection of Anomalous Behavior: All users should have an individual behavioral profile and risk score, so ITDR can identify accounts that may have been compromised based on deviations from their normal behavior.
- Detection of TTPs: ITDR can detect TTPs, including Kerberoasting, Pass-the-Hash, Pass-the-Ticket, Brute Force, Credential Scanning, Lateral Movement, and more.
- Investigation & Response: When a user displays suspicious behavior, ITDR can initiate automated response procedures, like blocking the user’s access or quarantining compromised users or resources until an investigation is complete. For example, when an endpoint is attacked, ITDR can determine who logged in and which resources were used.

ISPM

- Visibility & Inventory: ISPM provides visibility into the organization’s identity attack surface, maintains a detailed inventory of all users, and makes this data available for further exploration and investigation.
- Risk Analysis & Remediation: ISPM analyzes, classifies, and prioritizes risks, and offers recommendations for posture remediation and improvement.
- Identity Hygiene: Having ISPM gives an organization a 360-degree view of how it’s performing when it comes to identity security. ISPM usually uses a scoring system to tell organizations where they stand; as problems are resolved, the ISPM score increases.

Applying Theory to Practice: Real-World Examples

This is not just a theory. Unfortunately, there are far too many real-world examples that illustrate why you need both ITDR and ISPM.

In the 2024 Snowflake breach, for example, attackers used compromised credentials to gain access to critical data. ISPM could have played a major preventative role here. The investigation highlighted a serious absence of MFA – a key weakness that could have been flagged by ISPM and mitigated by enforcing stronger access controls before it became an issue. If the attackers had still succeeded in gaining access to the affected systems, ITDR would likely have detected it much sooner and given the security teams a head start.

Similarly, the 2023 MOVEit Improper Authentication Vulnerability led to authentication bypass and affected numerous organizations, including government agencies, using MOVEit file transfer. While ITDR and ISPM wouldn’t necessarily have stopped the initial access, they could have detected the suspicious activity and significantly reduced its impact. For example, if attackers tried to move laterally or interact with systems or data outside of business hours or from unfamiliar locations, ITDR could have detected this. As for ISPM, it continuously assesses the environment to identify misconfigurations and flaws like – as in this case – leaving an application like MOVEit accessible to unauthorized users without additional controls.
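The behavioral profiling, risk scoring and automated response listed under ITDR above, and the off-hours / unfamiliar-location detection described for the MOVEit case, can be illustrated with one small detection loop. This is an added example, not Silverfort's code: it builds a per-user baseline (countries, hosts and hours seen during normal activity) from constructed authentication events, scores each new event by how far it deviates from that baseline, adds a bonus when one account fans out across several hosts within a short window, maps the score to allow / alert / block, and includes the investigation helper the table mentions (who authenticated to a given endpoint and what else they reached). The log lines, business-hours window, sensitive-host list, weights and thresholds are all constructed assumptions.

```python
"""Toy ITDR-style detection over constructed authentication events.

Added example for this article; not Silverfort's code. The log lines are
constructed; weights, thresholds and the "business hours" window are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: "timestamp,user,source_country,target_host,result".
BASELINE_LOG = """\
2024-05-01T09:02:11,j.doe,US,fileshare01,success
2024-05-01T13:44:05,j.doe,US,fileshare01,success
2024-05-02T10:15:30,j.doe,US,mail01,success
2024-05-03T11:05:00,j.doe,US,fileshare01,success
2024-05-01T08:30:00,svc-backup,US,db01,success
2024-05-02T08:30:00,svc-backup,US,db01,success
"""

# Window under detection: j.doe's credentials used from a new country, outside
# business hours, fanning out across several hosts within a few minutes.
LIVE_LOG = """\
2024-05-10T02:13:40,j.doe,RO,dc01,success
2024-05-10T02:14:02,j.doe,RO,fileshare02,success
2024-05-10T02:14:51,j.doe,RO,hr-db01,success
2024-05-10T09:10:00,svc-backup,US,db01,success
"""

BUSINESS_HOURS = range(7, 20)              # assumed 07:00-19:59 local time
SENSITIVE_HOSTS = {"dc01", "hr-db01"}      # assumed crown-jewel systems
BLOCK_THRESHOLD, ALERT_THRESHOLD = 70, 30  # assumed response thresholds
LATERAL_WINDOW_SECONDS = 600               # distinct hosts reached within 10 minutes


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, country, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "host": host, "result": result})
    return events


def build_profiles(events):
    """Per-user baseline: countries, hosts and hours seen during normal activity."""
    profiles = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["countries"].add(e["country"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
    return profiles


def score_event(event, profile, recent_hosts):
    """Risk score for one event plus the reasons, based on deviation from the profile."""
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += 30; reasons.append("unfamiliar_location")
    if event["ts"].hour not in BUSINESS_HOURS and event["ts"].hour not in profile["hours"]:
        score += 20; reasons.append("off_hours")
    if event["host"] not in profile["hosts"]:
        score += 10; reasons.append("new_host")
    if event["host"] in SENSITIVE_HOSTS:
        score += 20; reasons.append("sensitive_target")
    if len(recent_hosts) >= 3:
        score += 30; reasons.append("lateral_movement_pattern")
    return score, reasons


def decide(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def detect(live_events, profiles):
    """Walk live events in time order and return a scored decision per event."""
    history = defaultdict(list)  # user -> [(ts, host)] inside the lateral window
    decisions = []
    for e in sorted(live_events, key=lambda x: x["ts"]):
        hist = history[e["user"]]
        hist.append((e["ts"], e["host"]))
        hist[:] = [(t, h) for t, h in hist
                   if (e["ts"] - t).total_seconds() <= LATERAL_WINDOW_SECONDS]
        recent_hosts = {h for _, h in hist}
        score, reasons = score_event(e, profiles[e["user"]], recent_hosts)
        decisions.append({"user": e["user"], "host": e["host"], "score": score,
                          "reasons": reasons, "action": decide(score)})
    return decisions


def who_touched(endpoint, events):
    """Investigation helper: users who authenticated to an endpoint and every host they reached."""
    users = {e["user"] for e in events if e["host"] == endpoint}
    return {u: sorted({e["host"] for e in events if e["user"] == u}) for u in users}


if __name__ == "__main__":
    profiles = build_profiles(parse_events(BASELINE_LOG))
    live = parse_events(LIVE_LOG)
    for d in detect(live, profiles):
        print(f"{d['action']:<5} {d['score']:>3} {d['user']:<11} {d['host']:<12} {d['reasons']}")
    print("who touched dc01:", who_touched("dc01", live))
```

The first event (unfamiliar country, off hours, a domain controller the user never visits) is blocked on its own; the second is only an alert because the target is neither sensitive nor yet part of a fan-out; by the third host within the window the lateral-movement bonus fires. The backup service account's routine morning logon scores zero, which is the point of baselining per user rather than applying one global rule.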

Final Thoughts

ITDR and ISPM work best as a unified force. ISPM strengthens your identity security posture, making you aware of your identity weaknesses before potential attackers, and ITDR gives you the chance to deal with identity threats as they unfold. By working together, they don’t just address individual gaps – they fill in the missing pieces toward achieving a unified approach to identity security.

Set up a demo to see the Silverfort Identity Security Platform in action.