TL;DR: As cloud adoption grows, identity is becoming a top attack vector and traditional EDR and NDR tools are missing identity threats, according to Netwrix’s on-demand security masterclass on ITDR. The real issue is that SOC programmes still treat identity as a side signal, even though identity has become the frontline control plane for access and abuse.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams use ITDR in cloud and hybrid environments?
A: Security teams should use ITDR to correlate identity events, privilege use, and session behaviour into one detection and response path.
Q: Why do EDR and NDR miss many identity attacks?
A: EDR and NDR focus on endpoints and traffic, so they often miss abuse that happens through valid credentials, tokens, and delegated access.
Practitioner guidance
- Map identity telemetry into SOC triage paths: prioritise logs from identity providers, cloud control planes, SaaS audit trails, and privileged access workflows so analysts can correlate authentication, session, and role changes in one view.
- Define identity-specific containment playbooks: create response steps for token revocation, session termination, forced reauthentication, and privileged access review so identity alerts lead to immediate blast-radius reduction.
- Separate high-value identity signals from noise: triage privileged accounts, service accounts, and access to critical systems before broadening detection scope, because not every login event deserves the same response depth.
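The three items above are really one loop: normalise identity telemetry into a single schema, derive signals per principal, weight them by how valuable the identity is, and hand the result to a tiered playbook. The following is an added example (not code from the Netwrix session or from NHIMG) that runs that loop over a few constructed IdP, cloud control-plane and SaaS audit events. The event schema, the principal inventory, the signal names, weights and tier thresholds are all hypothetical; a real deployment would feed them from the identity provider's export and the SOC's own risk model.

```python
"""Correlate identity telemetry across sources and tier it for SOC triage.

Added example, not from the Netwrix session or NHIMG. Events, principal
inventory, field names, weights and thresholds are constructed/hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed principal inventory (what an IdP or PAM export might provide).
PRINCIPALS = {
    "alice@corp.example":     {"kind": "human",   "privileged": False},
    "bob@corp.example":       {"kind": "human",   "privileged": False},
    "ops-admin@corp.example": {"kind": "human",   "privileged": True},
    "svc-backup":             {"kind": "service", "privileged": True},
}

# Constructed events from three sources, already normalised to one schema.
EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "src": "idp",   "principal": "alice@corp.example",
     "event": "signin_ok", "country": "GB"},
    {"ts": "2024-05-01T08:10:00Z", "src": "idp",   "principal": "ops-admin@corp.example",
     "event": "signin_ok", "country": "GB"},
    {"ts": "2024-05-01T08:14:00Z", "src": "idp",   "principal": "ops-admin@corp.example",
     "event": "signin_ok", "country": "BR"},                        # impossible travel
    {"ts": "2024-05-01T08:16:00Z", "src": "cloud", "principal": "ops-admin@corp.example",
     "event": "role_assigned", "role": "GlobalAdmin"},              # privilege escalation
    {"ts": "2024-05-01T08:20:00Z", "src": "saas",  "principal": "ops-admin@corp.example",
     "event": "resource_access", "resource": "hr-payroll"},         # critical system
    {"ts": "2024-05-01T08:30:00Z", "src": "idp",   "principal": "bob@corp.example",
     "event": "signin_ok", "country": "GB"},
    {"ts": "2024-05-01T08:50:00Z", "src": "idp",   "principal": "bob@corp.example",
     "event": "signin_ok", "country": "DE"},                        # impossible travel only
    {"ts": "2024-05-01T09:01:00Z", "src": "idp",   "principal": "svc-backup",
     "event": "signin_ok", "country": "GB", "interactive": True},   # service acct used by a human
]

CRITICAL_ROLES = {"GlobalAdmin", "Owner"}
CRITICAL_RESOURCES = {"hr-payroll", "prod-kms"}
WEIGHTS = {"impossible_travel": 40, "privilege_escalation": 40,
           "critical_access": 30, "service_interactive_signin": 60}
WINDOW = timedelta(minutes=60)
PLAYBOOKS = {  # hypothetical tier -> response steps
    "contain": ["revoke_refresh_tokens", "terminate_sessions", "force_reauth", "privileged_access_review"],
    "review":  ["analyst_triage"],
    "log":     [],
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, principals, window=WINDOW):
    """Group events per principal in time order and derive named signals from the sequence."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_principal[e["principal"]].append(e)
    signals = {}
    for p, evs in by_principal.items():
        meta = principals.get(p, {"kind": "unknown", "privileged": False})
        found = []  # (signal_name, timestamp)
        signins = [e for e in evs if e["event"] == "signin_ok"]
        for a, b in zip(signins, signins[1:]):
            if a.get("country") != b.get("country") and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= window:
                found.append(("impossible_travel", b["ts"]))
        for e in evs:
            if e["event"] == "role_assigned" and e.get("role") in CRITICAL_ROLES:
                found.append(("privilege_escalation", e["ts"]))
            if meta["kind"] == "service" and e["event"] == "signin_ok" and e.get("interactive"):
                found.append(("service_interactive_signin", e["ts"]))
        # Access to a critical system is only a signal when it follows another signal within the window;
        # on its own it is normal business activity.
        for e in evs:
            if e["event"] == "resource_access" and e.get("resource") in CRITICAL_RESOURCES:
                t = parse_ts(e["ts"])
                if any(0 <= (t - parse_ts(ts)).total_seconds() <= window.total_seconds() for _, ts in found):
                    found.append(("critical_access", e["ts"]))
        signals[p] = found
    return signals


def triage(signals, principals):
    """Score distinct signals per principal, weight high-value identities, and pick a response tier."""
    findings = {}
    for p, found in signals.items():
        meta = principals.get(p, {"kind": "unknown", "privileged": False})
        names = sorted({n for n, _ in found})
        score = sum(WEIGHTS[n] for n in names)
        if meta["privileged"] or meta["kind"] == "service":
            score = int(score * 1.5)  # privileged and service identities get a deeper response
        tier = "contain" if score >= 80 else "review" if score >= 40 else "log"
        findings[p] = {"score": score, "signals": names, "tier": tier, "actions": PLAYBOOKS[tier]}
    return findings


def run(events=EVENTS, principals=PRINCIPALS):
    return triage(correlate(events, principals), principals)


if __name__ == "__main__":
    for p, f in run().items():
        print(f"{p:26} score={f['score']:3} tier={f['tier']:7} {f['signals']} -> {f['actions']}")
```

Run as written, the four principals land in three different tiers: the privileged admin with an impossible-travel sign-in followed by a role grant and payroll access is sent straight to containment, the service account with an interactive sign-in is contained on that single signal because of the identity-type multiplier, the ordinary user with only impossible travel goes to analyst review, and the user with one routine sign-in is logged. That spread is the point of the third guidance item: the same raw event (a successful sign-in) gets a different response depth depending on whose identity it is and what followed it.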
What to expect at the briefing
Netwrix's full on-demand session covers the operational detail this post intentionally leaves for the source:
- Walkthrough of the identity threats that traditional EDR and NDR programs tend to miss in hybrid environments
- Practical considerations for launching an ITDR program without overwhelming the SOC with low-value alerts
- Guidance on how to embed identity monitoring into existing SOC workflows and response processes
- Session framing around why identity is now the frontline attack surface for cloud-heavy organisations
👉 Watch Netwrix's on-demand session on closing the SOC's identity detection gap →
ITDR in the SOC: what closes the identity detection gap?
Explore further
Identity is no longer a supporting signal in SOC operations. When cloud services, SaaS, and machine access become primary business dependencies, the identity layer becomes the path attackers use most often to bypass perimeter assumptions. EDR and NDR still matter, but they do not explain who should have access, who actually used it, or whether that use was legitimate. The practical conclusion is that identity telemetry must be treated as a first-class SOC data source.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the affected organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: What should a SOC do immediately when identity abuse is suspected?
A: The SOC should move directly to containment by revoking tokens, ending active sessions, forcing reauthentication, and escalating privileged access review. Identity abuse can continue without malware or network anomalies, so waiting for endpoint confirmation wastes time. The fastest way to reduce impact is to interrupt the access path itself before the attacker expands privilege or reaches sensitive systems.
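The order in that answer (and in the containment playbook under Practitioner guidance) is worth seeing as code, because one step is easy to get wrong: revoking a refresh token stops the attacker minting new access tokens, but bearer access tokens already handed out stay valid until they expire unless the resource server also enforces a per-identity "issued before this time is invalid" cut-off. The following is an added example (not code from the Netwrix session or from NHIMG) that runs the four steps against a hypothetical in-memory identity store and then checks that the old access token is actually rejected while a freshly issued one is accepted again. The store, the token format and all function names are assumptions; real identity providers expose equivalents of each step under their own APIs.

```python
"""Identity containment sequence: cut the access path, then verify it is cut.

Added example, not from the Netwrix session or NHIMG. The in-memory identity
store, token shape and function names are hypothetical stand-ins for a real
IdP's refresh-token revocation, session termination and not-before cut-off.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Token:
    kind: str            # "access" or "refresh"
    subject: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


@dataclass
class IdentityStore:
    tokens: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)          # session_id -> subject
    not_before: dict = field(default_factory=dict)        # subject -> cut-off datetime
    privileged_roles: dict = field(default_factory=dict)  # subject -> [role, ...]
    audit: list = field(default_factory=list)

    def validate(self, tok, now):
        """A token is usable only if unexpired, not revoked, and issued after any containment cut-off."""
        if tok.revoked or now >= tok.expires_at:
            return False
        nb = self.not_before.get(tok.subject)
        return nb is None or tok.issued_at >= nb


def contain(store, subject, now):
    """Run the containment playbook, closing the fastest re-entry paths first."""
    actions = []
    # 1. Refresh tokens first: otherwise the attacker mints fresh access tokens while we work.
    for t in store.tokens:
        if t.subject == subject and t.kind == "refresh" and not t.revoked:
            t.revoked = True
    actions.append("revoke_refresh_tokens")
    # 2. Terminate live sessions for this subject only (collect ids first, then delete).
    for sid in [s for s, sub in store.sessions.items() if sub == subject]:
        del store.sessions[sid]
    actions.append("terminate_sessions")
    # 3. Force reauthentication: every token issued before `now` is rejected even if unexpired.
    #    Bearer access tokens cannot be recalled once issued, so this cut-off is what
    #    actually invalidates them at the resource server.
    store.not_before[subject] = now
    actions.append("force_reauth")
    # 4. Escalate privileged access for review rather than silently stripping it.
    if store.privileged_roles.get(subject):
        actions.append("privileged_access_review:" + ",".join(store.privileged_roles[subject]))
    store.audit.append((now.isoformat(), subject, list(actions)))
    return actions


def demo():
    """Constructed scenario: a privileged admin with a live session and unexpired tokens."""
    now = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc)
    store = IdentityStore()
    subj = "ops-admin@corp.example"
    old_access = Token("access", subj, now - timedelta(minutes=10), now + timedelta(minutes=50))
    refresh = Token("refresh", subj, now - timedelta(days=1), now + timedelta(days=30))
    store.tokens += [old_access, refresh]
    store.sessions["s-1"] = subj
    store.sessions["s-2"] = "alice@corp.example"  # unrelated user, must be left alone
    store.privileged_roles[subj] = ["GlobalAdmin"]

    valid_before = store.validate(old_access, now)
    actions = contain(store, subj, now)
    valid_after = store.validate(old_access, now + timedelta(seconds=1))
    # A token issued after the cut-off (i.e. after the user re-authenticates) is accepted again.
    new_access = Token("access", subj, now + timedelta(minutes=1), now + timedelta(hours=1))
    reissued_ok = store.validate(new_access, now + timedelta(minutes=2))
    return {"valid_before": valid_before, "valid_after": valid_after, "reissued_ok": reissued_ok,
            "refresh_revoked": refresh.revoked, "remaining_sessions": dict(store.sessions),
            "actions": actions}


if __name__ == "__main__":
    print(demo())
```

The check at the end is the part a playbook should not skip: after containment the old access token fails validation even though it has fifty minutes left on its clock, the unrelated user's session is untouched, and a token issued after the cut-off passes. If a provider offers no not-before mechanism, the only substitute is short access-token lifetimes, which is why token TTL is a containment setting and not just a performance one.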
👉 Read our full editorial: Identity threats are outpacing EDR and NDR in the SOC