There are many trends in cybersecurity today, as organizations battle ever more cunning and prevalent cybercriminals; new tools and methods are emerging all the time.

One of the latest: identity threat detection and response (ITDR). The term was only just coined by Gartner in March.

The firm points out that sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure, and credential misuse is now a primary attack vector. ITDR, then, is the “collection of tools and best practices to defend identity systems.”

This adds another layer of security to even mature IAM deployments, said Mary Ruddy, a VP analyst at Gartner. 

“Identity is now foundational for security operations (identity-first security),” she said. “As identity becomes more important, threat actors are increasingly targeting the identity infrastructure itself.” 

Simply put, “organizations must focus more on protecting their IAM infrastructure.”

Securing identity with identity threat detection and response

Stolen credentials account for 61% of all data breaches, according to Verizon’s 2022 Data Breach Investigations Report. Gartner, meanwhile, attributes 75% of security failures [subscription required] to lack of identity management; this is up from 50% in 2020, the firm reports. 

As noted by Peter Firstbrook, a research VP at Gartner, organizations have spent considerable effort improving IAM capabilities, but most of that focus has been on technology to improve user authentication. While this may seem beneficial, it actually increases the attack surface for a foundational part of the cybersecurity infrastructure. 

“ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation,” he said. 

One early entrant in the category is Boston-based startup Oort, which today announced the completion of a $15 million round including both seed and series A investments. 

Other companies in the space include Attivo Networks (SentinelOne), CrowdStrike, Portnox, Illusive, Authomize, Quest Cybersecurity and Semperis (among others). 

“Account takeover has become the dominant attack vector in 2022, said Oort CEO, Matt Caulfield.

Compromised identities have been the primary target in every recent major breach, he noted — Okta, Lapsus$, Uber, Twilio, Rockstar. 

“ITDR addresses this issue directly by locking down accounts that are vulnerable to takeover and by monitoring the behavior of all accounts to uncover suspicious activity,” said Caulfield. 

Preventing account takeover

The most common identity vulnerability: weak multifactor authentication (MFA). 

As Caulfield pointed out, most organizations are either not enforcing second-factor authentication, or they are enforcing it but still allowing weak forms of MFA, such as SMS. These are “highly susceptible to phishing and man-in-the-middle attacks,” he said. 

Oort detects accounts with weak MFA configuration and guides the account owner to adopt stronger authentication, thereby protecting those identities.

The platform can correlate data across multiple identity sources into a single unified view of the attack surface, said Caulfield. Its underlying architecture is a security data lake powered by Snowflake; this enables the platform to “ingest and store massive volumes of data.” Oort is also built on AWS Lambda, which allows it to automatically scale data-streaming architecture. 

The tool works with existing identity systems such as Okta and Microsoft Azure AD to enable comprehensive and quick ITDR. 

To secure its platform, Oort has gone through what Caulfield described as “rigorous testing” to meet industry standards and receive critical certifications, including SOC 2 Type 2. 

“No other tool can answer ‘Who is this user? What do they have access to?’ And, ‘what are they doing with that access?’” said Caulfield, who contends that his company is positioned to lead the young category.

All told, “ITDR helps enterprise security teams to discover, secure and monitor their full population of identities so they can mitigate that risk and prevent account takeover.” 

Nascent market

The company plans to use the funds to execute on its go-to-market (GTM) strategy by building out its sales and marketing functions. 

As Caulfield noted, the intention is “to capture the nascent ITDR market opportunity as an early leader in the space.” 

The funding round was co-led by .406 Ventures and Energy Impact Partners (EIP), and also included Cisco Investments. They join existing investors 645 Ventures, Bain Capital Ventures and First Star Ventures.