Illustration by iStock; Security Technology

Closing the Gap: Integrating Identity into Your Detection and Response Strategy

The security perimeter is gone. In its place is identity. With cloud adoption and hybrid work now standard, attackers aren't breaking in—they're logging in.

At Cisco, we have been monitoring this trend closely. Our threat intelligence organization Cisco Talos found that identity was a factor in more than 60 percent of all breaches last year. Despite this, most security stacks—built for the age of networks and endpoints—are dangerously blind to identity threats.

It’s time to stop treating identity as an IT function and recognize it as the core of modern security architectures. To close this critical security gap, leaders need a new framework built on three pillars: visibility, adaptive defense, and identity-infused response.

A Crisis of Complexity and Confidence

To better understand the current issues with identity, Cisco surveyed 650 information technology and security leaders. The overall message was clear: the security industry is facing an identity crisis. Only a third (33 percent) of leaders believe their current identity tools can stop an attack.

Ninety-four percent of leaders believe that complexity in identity infrastructure decreases their overall security. This isn’t just a feeling; it's a reality. What’s more, 75 percent of leaders admit they lack full insight into identity vulnerabilities, and teams are using, on average, five different tools to resolve a single identity issue. This fragmented approach creates the perfect cover for attackers, who are now leveraging artificial intelligence (AI) to launch sophisticated phishing campaigns. With advanced threats on the rise, a new, simplified approach isn’t just an option—it’s a necessity.

An Identity-First Security Program

Building resilience requires architecting a security program that is identity-first by design. It starts with three core actions.

1. Achieve Total Visibility with Identity Security Posture Management (ISPM)

Identity complexity is not going away, but you can’t protect what you can’t see. ISPM is the practice of centralizing identity context, then using that context to continuously discover and remediate identity risks before they’re exploited. This means finding and disabling the 24 percent of user accounts that are typically dormant and closing the gap when up to 40 percent of active accounts lack strong multi-factor authentication (MFA). It also means securing the vast, often unmanaged, perimeter of contractor and third-party access. ISPM offers the visibility to systematically harden defenses across all identity data sources.

2. Build Proactive, Adaptive Defenses

For too long, security has been bolted onto identity systems. Seventy-four percent of leaders admit identity security is often an afterthought in infrastructure planning. A security-first approach flips this model. It means that identity and access management (IAM) systems have security functionality by default—and that those security controls are updated to address modern threats.

MFA has been a key security measure, but its effectiveness has declined. Early forms of MFA, especially those using one-time codes sent via SMS or phone calls, are now susceptible to bypass because attackers can resort to device spoofing.

To truly defend against modern phishing, organizations must move toward stronger, phishing-resistant authentication and expand their defenses from the point of authentication to the entire identity lifecycle—from enrollment to the help desk.

Additionally, security controls should be enriched with contextual information—like device health and user behavior—to make smarter access decisions. This is critical for closing today’s most common breach vectors: weak or missing MFA.

3. Enrich Response with Identity Threat Detection & Response (ITDR)

A Zero Trust philosophy assumes that breaches are inevitable. When an attack happens, limiting the blast radius with ITDR is everything. Traditional detection and response tools see networks and endpoints; ITDR understands identity.

Instead of giving an analyst an IP address, ITDR provides the critical context: who is involved, what their role is, and whether their behavior is anomalous. This identity context transforms a low-fidelity alert into an actionable threat, enabling security teams to reduce investigation times and respond with speed and precision. It’s no surprise that 87 percent of leaders now view ITDR as a crucial capability.

From Theory to Reality

Imagine an attacker with stolen credentials. In a legacy environment, the attacker logs in successfully. The SOC team gets a vague alert and spends hours trying to connect the dots.

In an identity-first model, the system flags the login as high-risk due to an unrecognized device being used. An adaptive policy instantly triggers a phishing-resistant MFA prompt to prove proximity—that the user’s phone is near their computer when logging in—or perform a biometric verification using their fingerprint. The attacker is blocked. The SOC analyst receives a rich, contextual alert showing exactly who was targeted and why the attempt was stopped. The threat is contained in minutes, not hours. That is the power of an identity-centric defense.
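As an added illustration (not code from the article, Cisco or Duo), the following Python sketch models both the ISPM posture check from pillar 1 (dormant accounts, accounts without phishing-resistant MFA, third-party access) and the adaptive, identity-enriched login decision described in the scenario above; the inventory records, field names, device-health signal and 90-day dormancy threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity inventory (hypothetical data, not from the article).
# Each record carries the context ITDR needs: role, MFA method, known devices,
# last sign-in, and whether the account belongs to a third party.
IDENTITIES = {
    "jdoe": {"role": "finance-admin", "mfa": "fido2", "devices": {"LAPTOP-01"},
             "last_login": "2025-03-01", "external": False},
    "contractor7": {"role": "contractor", "mfa": "sms", "devices": {"VM-77"},
                    "last_login": "2024-09-15", "external": True},
    "svc-legacy": {"role": "service", "mfa": None, "devices": set(),
                   "last_login": "2024-06-01", "external": False},
}

PHISHING_RESISTANT = {"fido2", "passkey", "webauthn"}  # assumed factor labels


def posture_findings(inventory, now_iso, dormant_days=90):
    """ISPM-style sweep: returns (user, finding, detail) tuples for review."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for user, rec in inventory.items():
        idle = now - datetime.fromisoformat(rec["last_login"])
        if idle > timedelta(days=dormant_days):
            findings.append((user, "dormant", f"idle {idle.days}d; disable or review"))
        if rec["mfa"] not in PHISHING_RESISTANT:
            findings.append((user, "weak-mfa", f"mfa={rec['mfa']}; enroll phishing-resistant"))
        if rec["external"]:
            findings.append((user, "third-party", "confirm access is still required"))
    return findings


def evaluate_login(event, inventory):
    """Adaptive policy plus ITDR enrichment for one authentication event.
    Returns (decision, alert); the alert carries who, role and why."""
    rec = inventory.get(event["user"])
    if rec is None:
        return "deny", {"user": event["user"], "reason": "unknown identity"}
    reasons = []
    if event["device"] not in rec["devices"]:
        reasons.append("unrecognized device")
    if not event.get("device_healthy", True):  # assumed posture signal from the endpoint agent
        reasons.append("unhealthy device")
    if not reasons:
        return "allow", None
    # Step up only when a phishing-resistant factor exists; otherwise stop the session.
    decision = "step-up" if rec["mfa"] in PHISHING_RESISTANT else "deny"
    alert = {"user": event["user"], "role": rec["role"], "device": event["device"],
             "risk": "high", "reasons": reasons, "action": decision}
    return decision, alert
```

The enriched alert is what reaches the analyst in place of a bare IP address: the targeted identity, its role, and the signals that caused the step-up or block.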

The Path Forward

For too long, organizations have based their identity security strategies on strong authentication. MFA alone is no longer enough. The modern threat landscape demands a fundamental shift in the defensive mindset. By building a program centered on comprehensive visibility, proactive defense, and identity-enriched response, organizations can protect their true perimeter. The time to treat identity as the cornerstone of security is now.

Matt Caulfield is the vice president of identity and Duo at Cisco. Caulfield joined Cisco following the successful acquisition of his identity security startup, Oort, a pioneer in identity threat detection and response (ITDR) where he was Founder and CEO. Previously, Caulfield led the Boston Innovation Team as a Principal Engineer at Cisco. As an engineer turned entrepreneur, his experience spans identity, security, and networking.