
Elevating Identity to the Frontlines of Threat Detection

Effective identity security depends on treating identity signals as vital threat intelligence through ITDR, enabling faster detection and response than legacy systems allow.
Written by
Mark Batchelor
Published on
July 22, 2025

This is the third and final entry in our three-post series, "Identity is the New Perimeter—So Why Are We Still Burying It in Logs?"

-----

We’ve established the problem: attackers are logging in, not breaking in. SIEMs are too slow and generic. IAM vendors are stuck in the past. And behavioral analysis rooted in identity is the only way forward. So what does a modern identity-centric security model actually look like?

Identity Signals as a First-Class Citizen

It starts with rethinking how identity telemetry is collected, enriched, and acted upon. Not as another log stream, but as a highly valuable layer of threat intelligence.

That means:

  • Real-time ingestion of every login, token issuance, session event, and privilege change.
  • Continuous profiling of users and service accounts—building baselines for what “normal” looks like.
  • Sequence-aware correlation across identity, device, network, and app activity.
  • Identity graph-based context, not flat event streams.

This specialized identity observability layer is purpose-built to catch post-authentication behavior that neither IAM access controls nor generic SIEM correlation rules are designed to surface.

The Identity Industry Needs a Wake-Up Call

Identity vendors have spent years convincing enterprises that identity is the new perimeter. To live up to that claim they would have had to evolve their platforms to detect post-authentication threats, and that has not happened. Instead, they are still handing out tokens like candy and hoping a downstream tool catches the fallout.

Okta, Ping, ForgeRock, and others still frame their value around control—not visibility, detection and response. They offer just enough security to pass an audit, but not nearly enough to detect modern adversaries.

The Future: ITDR and Identity Observability

This is where ITDR, Identity Threat Detection and Response, emerges as the new solution approach and the critical security bridge. It is not just another security category; it is the recognition that identity is the entry point for most breaches today and that a new, more effective approach is needed.

ITDR requires a dedicated set of capabilities and features including:

  • Continuous signal ingestion from across the identity stack
  • Behavioral analysis that operates in real time
  • Graph-based detection of lateral movement and impersonation
  • Immediate response options—before escalation or exfiltration

It’s what the security industry needs, and it’s what identity vendors have failed to deliver.
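The two capability lists above (real-time ingestion, per-user baselines, sequence-aware correlation, graph-based context and scoped response) are easier to reason about with something concrete. The following is an added illustration, not Verosint code or any vendor's detection logic. It runs a toy ITDR rule over a constructed identity event stream: logins, token issuances and privilege changes are ingested as one stream, historical logins build a per-user baseline of devices and countries, and a privilege change is walked back through its token and session to the login that started it. An alert fires only for the full sequence (anomalous login, token minted in that session, privilege change with that token inside a time window), and the alert names the exact token and session to revoke. Event fields, the fifteen-minute window and the response actions are assumptions for the example.

```python
"""Toy identity threat detection over a constructed identity event stream.

Added example: one stream of logins, token issuances and privilege changes;
per-user baselines from history; a sequence rule evaluated in a time window;
and session/token maps used as identity-graph edges so a privilege change
can be traced back to the login that started it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Timestamps are UTC.
EVENTS = [
    # alice: normal history from her usual device and country (baseline)
    {"ts": "2025-07-01T09:02:00", "type": "login", "user": "alice",
     "device": "dev-a1", "country": "US", "session": "s1"},
    {"ts": "2025-07-02T09:10:00", "type": "login", "user": "alice",
     "device": "dev-a1", "country": "US", "session": "s2"},
    {"ts": "2025-07-03T08:55:00", "type": "login", "user": "alice",
     "device": "dev-a1", "country": "US", "session": "s3"},
    # alice: valid password, but new device and country, then a token is
    # minted and used to grant global_admin a few minutes later
    {"ts": "2025-07-22T03:14:00", "type": "login", "user": "alice",
     "device": "dev-x9", "country": "RO", "session": "s4"},
    {"ts": "2025-07-22T03:15:30", "type": "token_issued", "user": "alice",
     "session": "s4", "token": "t1"},
    {"ts": "2025-07-22T03:21:00", "type": "privilege_change", "user": "alice",
     "token": "t1", "role": "global_admin"},
    # bob: first-seen device, but no privilege change follows (no alert)
    {"ts": "2025-07-22T10:00:00", "type": "login", "user": "bob",
     "device": "dev-b1", "country": "US", "session": "s5"},
    {"ts": "2025-07-22T10:01:00", "type": "token_issued", "user": "bob",
     "session": "s5", "token": "t2"},
]

BASELINE_CUTOFF = datetime(2025, 7, 10)   # history before this trains baselines
WINDOW = timedelta(minutes=15)            # login -> privilege change window (assumed)


def ts(event):
    return datetime.fromisoformat(event["ts"])


def build_baselines(events, cutoff=BASELINE_CUTOFF):
    """Per-user sets of devices and countries seen in logins before the cutoff."""
    base = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["type"] == "login" and ts(e) < cutoff:
            base[e["user"]]["devices"].add(e["device"])
            base[e["user"]]["countries"].add(e["country"])
    return base


def login_anomalies(login, baselines):
    """Baseline attributes this login deviates from (empty list = normal)."""
    b = baselines[login["user"]]
    found = []
    if login["device"] not in b["devices"]:
        found.append("new_device")
    if login["country"] not in b["countries"]:
        found.append("new_country")
    return found


def detect(events, cutoff=BASELINE_CUTOFF, window=WINDOW):
    """Sequence rule: anomalous login -> token from that session ->
    privilege change with that token, all within `window`.

    session_login and token_session are the graph edges walked backwards
    from the privilege change; a flat per-event rule cannot link them."""
    baselines = build_baselines(events, cutoff)
    session_login = {}   # session id -> login event that created it
    token_session = {}   # token id -> session id it was issued under
    anomalies = {}       # session id -> anomalies of its login
    alerts = []
    for e in sorted(events, key=ts):
        if ts(e) < cutoff:
            continue   # historical events only feed the baseline
        if e["type"] == "login":
            session_login[e["session"]] = e
            anomalies[e["session"]] = login_anomalies(e, baselines)
        elif e["type"] == "token_issued":
            token_session[e["token"]] = e["session"]
        elif e["type"] == "privilege_change":
            session = token_session.get(e["token"])
            login = session_login.get(session)
            if login is None or not anomalies[session]:
                continue
            if ts(e) - ts(login) <= window:
                alerts.append({
                    "user": e["user"], "role": e["role"],
                    "anomalies": anomalies[session],
                    "session": session, "token": e["token"],
                    # response is scoped to the exact artifacts in the chain
                    "response": ["revoke_token:" + e["token"],
                                 "terminate_session:" + session,
                                 "require_step_up:" + e["user"]],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running it yields a single alert for alice, naming token t1 and session s4. Bob's first-seen device is just as anomalous on its own, but with no privilege change behind it the rule stays quiet, which is the point of correlating the sequence rather than alerting on each event. The same privilege change evaluated with a shorter window (five minutes instead of fifteen) does not alert either, so the window is a tuning knob that trades recall for noise.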

Conclusion:

You can’t afford to treat identity security as an afterthought. The external threats are growing and they’re increasingly logging in with valid credentials. And they’re counting on your SIEM and your IAM provider to stay exactly as they are: blind to the threats and unable to respond.

It is time to bring identity security into the spotlight: not as legacy plumbing, but as the set of tools and tactics your organization needs to defend an increasingly dangerous battleground.

-----

In PART 1, we explain how SIEMs miss modern threats by treating identity activity as basic logs, allowing attackers using valid credentials to go undetected. Identity signals get lost in the noise, and by the time they’re analyzed, it’s often too late to stop the attack.

In PART 2, we explore why behavioral analysis—rooted in identity—is the only way forward to address these challenges, and how a new approach is needed rather than continued legacy thinking from IAM vendors and SIEM providers.

Mark Batchelor

As the CTO and co-founder of Verosint, Mark leads with a contagious passion for cybersecurity and team building. Before coming to Verosint, Mark served as the VP of Business Development at Chainalysis, enabling partners and building strategic alliances for the company. Prior to Chainalysis, he served on the executive team at Ping Identity as the Chief Solution Architect for the global sales engineering team and led the Innovation Lab initiatives.