In recent years the shape of attacks has changed: it is no longer so much about breaking down the doors of servers as about using valid credentials to walk in and move around with apparent normality. Compromised accounts and insider threats are today the most frequent and effective vector, because they let attackers operate under the cover of legitimate users. Organizations that rely only on preventive measures are beginning to understand that they need much deeper visibility into IT events to detect malicious activity before it causes irreparable damage.
Simple but effective techniques (phishing, password reuse, password spraying, social engineering) can be automated and run at scale, which generates a constant stream of attempts that can overwhelm even the best filters. Reports such as Verizon's Data Breach Investigations Report (DBIR) show that credential theft remains a recurring cause of breaches. So, beyond blocking malicious email and requiring multi-factor authentication, organizations need to know what is happening in their environments in real time.

This is where identity-centred detection and response, known as Identity Threat Detection & Response (ITDR), comes in. ITDR does not replace preventive measures; it complements them by providing the context needed to detect suspicious movements and trigger a rapid response. By recording and analysing login events, permission changes, account creation and policy modifications, an ITDR system helps distinguish legitimate activity from warning signs.
Many security reference frameworks, including the Zero Trust approach promoted by agencies such as NIST, recommend assuming that any identity can be a point of compromise and applying continuous controls. Within that paradigm, identity governance and comprehensive event logging are key pieces for reducing the time between compromise and detection, which limits the damage an attacker can cause.
Detecting anomalies first means knowing what is "normal" for each user: regular working hours, the applications and resources they usually access, reasonable access volumes. With this reference model, atypical patterns can be identified, such as access at unusual times, spikes in failed authentication attempts, logins from unexpected locations, or the appearance of administrative accounts outside the established provisioning process. The technique of using valid accounts to move laterally is documented in the MITRE ATT&CK framework as "Valid Accounts" (T1078), which underlines why identity telemetry is crucial.
An effective response requires not only alerts but also an interface to investigate and act: being able to filter events by system, event type or user; traces showing which resources were accessed; and easy access to contextual information to decide whether to terminate a session, reset credentials or temporarily block privileges. Having consolidated records and analysis tools speeds up investigation and reduces exposure time.
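The detection logic the two previous paragraphs describe, run over a handful of constructed log lines, as an added example (this is not code from the article or from the sponsor's product). It learns a per-user baseline of hours, locations and systems from a "normal" history, then flags the four anomalies named in the text (login at an unusual hour, login from a new location, a burst of failed authentications, and an admin account created by someone outside the provisioning process) and offers the simple filter by user, system and event type that the response paragraph asks for. The pipe-delimited log format, the `PROVISIONING_ACTORS` allow-list and the thresholds are assumptions chosen for the example.

```python
"""Identity-telemetry anomaly detection over constructed sample log lines.

Added example. The log format "ts|user|system|event|result|location|detail",
the allow-list of provisioning actors and the thresholds are assumptions,
not the schema of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "normal" history used to learn each user's baseline.
BASELINE_LOG = """\
2024-03-04T08:55:00|alice|vpn|login|success|Madrid|
2024-03-04T09:10:00|alice|erp|login|success|Madrid|
2024-03-05T08:50:00|alice|vpn|login|success|Madrid|
2024-03-05T16:40:00|alice|erp|login|success|Madrid|
2024-03-04T09:05:00|bob|vpn|login|success|Lisbon|
2024-03-05T10:30:00|bob|hr-portal|login|success|Lisbon|
2024-03-05T11:00:00|hr-automation|idp|account_create|success|DC1|role=user
"""

# Constructed events to analyse; each anomaly from the text appears once.
NEW_LOG = """\
2024-03-11T03:12:00|alice|vpn|login|success|Madrid|
2024-03-11T09:00:00|bob|vpn|login|success|Bucharest|
2024-03-11T09:20:00|carol|vpn|login|failure|Berlin|
2024-03-11T09:20:05|carol|vpn|login|failure|Berlin|
2024-03-11T09:20:11|carol|vpn|login|failure|Berlin|
2024-03-11T09:20:18|carol|vpn|login|failure|Berlin|
2024-03-11T09:20:24|carol|vpn|login|failure|Berlin|
2024-03-11T10:00:00|bob|idp|account_create|success|Lisbon|role=admin
2024-03-11T10:05:00|hr-automation|idp|account_create|success|DC1|role=user
"""

# Identities allowed to create accounts (the "established provisioning process"); assumed.
PROVISIONING_ACTORS = {"hr-automation"}


def parse(log_text):
    """Turn the pipe-delimited text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, system, event, result, location, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "system": system,
                       "event": event, "result": result, "location": location, "detail": detail})
    return events


def build_baseline(events):
    """Per user: the hours, locations and systems seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set(), "systems": set()})
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            b = baseline[e["user"]]
            b["hours"].add(e["ts"].hour)
            b["locations"].add(e["location"])
            b["systems"].add(e["system"])
    return baseline


def detect(baseline, events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, finding, detail) tuples for the anomalies described in the text."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for e in sorted(events, key=lambda x: x["ts"]):
        u = e["user"]
        if e["event"] == "login" and e["result"] == "success" and u in baseline:
            b = baseline[u]
            if e["ts"].hour not in b["hours"]:
                findings.append((u, "unusual_hour", e["ts"].isoformat()))
            if e["location"] not in b["locations"]:
                findings.append((u, "new_location", e["location"]))
        elif e["event"] == "login" and e["result"] == "failure":
            q = failures[u]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # keep only attempts inside the window
                q.pop(0)
            if len(q) == fail_threshold:  # report once, when the threshold is first reached
                findings.append((u, "failed_auth_spike",
                                 f"{len(q)} failures in {int(window.total_seconds() // 60)} min"))
        elif e["event"] == "account_create" and "role=admin" in e["detail"] \
                and u not in PROVISIONING_ACTORS:
            findings.append((u, "admin_account_outside_provisioning", e["detail"]))
    return findings


def filter_events(events, user=None, system=None, event=None):
    """The investigation view: narrow the consolidated log by user, system and/or event type."""
    return [e for e in events
            if (user is None or e["user"] == user)
            and (system is None or e["system"] == system)
            and (event is None or e["event"] == event)]


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in detect(base, parse(NEW_LOG)):
        print(finding)
```

Two design points worth noting: a user with no baseline (carol here) is never judged on hours or locations, only on the failure burst, so a real deployment needs a separate rule for first-seen identities; and the admin-creation check keys on who performed the action rather than on the new account's name, which is what catches a legitimate but compromised account being used outside the provisioning workflow.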
Classic measures such as mail filtering, multi-factor authentication and access control based on the principle of least privilege (PoLP) remain essential and must form the basis of any strategy. However, none of them is infallible. Mature organizations combine prevention with identity-based detection and continuous governance, so that they do not depend on a single mechanism to keep intruders out but can quickly identify when one of them fails.
For IT and security teams this means investing in platforms that integrate identity governance (role management, automated provisioning and deprovisioning, access reviews) with event auditing and analysis capabilities, without an additional cost per module or feature. A unified solution reduces operational friction and makes it easier for security staff to reach quick conclusions about the health of the identity environment.
Adopting such solutions also has a cultural benefit: it forces organizations to document processes, standardize onboarding and permission changes, and create clear workflows for responding when something looks suspicious. It also supports audits and compliance checks by maintaining a queryable history of who did what, when and from where.

If you want to go deeper into how to build an identity-centred defense, there are useful resources developed by the industry that can help design the roadmap: CISA's guidance on multi-factor authentication, the articles and security advice on identity in the Microsoft Security blog, and the TTP analyses in MITRE ATT&CK.
If you are looking for a practical option to start bringing identity governance and event auditing together on a single platform, there are vendors that offer custom demos and tours showing how these concepts translate into day-to-day operations. The key is to stop merely reacting and start seeing, correlating and responding before the attacker reaches their goal. If you are interested in seeing an example of a platform that integrates these capabilities, you can look at Tenfold and request a custom demonstration at tenfold.software.
Article sponsored and prepared by Tenfold Software.