
Identity Is the New Perimeter: The Case for Identity Threat Detection and Response (ITDR)

For a long time, security had a clear shape. You put a firewall at the edge of your network, you kept the bad traffic out, and you trusted more or less everything on the inside. The office was the castle. The firewall was the wall. If you were inside, you belonged.

That model made sense when your servers lived in a closet down the hall and your people worked at desks wired into your switch. It does not describe how a small business runs today. Your email, your files, your accounting, your shared calendars, and half the apps your team touches every day now live in the cloud. Your people sign in from home, from a phone in a parking lot, from a laptop at a client site. The wall you were told to defend still exists, but most of the important stuff is no longer behind it.

So where is the perimeter now? It is the login. It is the identity of the person typing the password. That shift is the single most important thing a small business owner can understand about security in 2026, and it is the reason a category of tools called ITDR, or identity threat detection and response, has moved from a nice extra to the thing that catches the attack everyone else misses.

Let me walk through what changed, why your current defenses have a blind spot, and what ITDR actually does about it. No scare tactics. Just how the attacks work and where they land.

The perimeter did not disappear. It moved.

When your business moved to Microsoft 365 or Google Workspace, you did something quietly profound. You made a username and password the key to almost everything. That email account is not just email. It is the reset button for every other account your employee owns. It is where invoices arrive, where wire instructions get confirmed, where password reset links show up. Compromise the identity and you do not need to break through a firewall at all. You just sign in and start reading.

This is why attackers stopped kicking down doors. They log in instead. A stolen or guessed credential, or a convincing fake login page, gets them a valid session. From the system’s point of view, nothing looks wrong. The right password was entered. The account is behaving like an account. There is no malware to catch, no exploit to block, no alarm that a signature-based tool would trip.

The federal numbers describe this in a sober way. In its 2025 Internet Crime Report, the FBI’s Internet Crime Complaint Center attributed just over 3 billion dollars in reported losses to business email compromise, the second most costly category of cybercrime that year, behind investment fraud. Business email compromise is, at its core, an identity problem. Someone gets into a mailbox, or convincingly impersonates one, and money moves. That same report formally recognized account takeover as a growing threat for the first time. That is the perimeter shift showing up in the loss column.

But we have MFA. Doesn’t that solve it?

Multi-factor authentication is one of the best controls a small business can turn on. If you have not enabled it everywhere, stop reading and go do that first. It genuinely stops a large share of routine credential attacks.

But MFA is a lock on the front door, and there are now several well-worn ways around a locked door.

The first is the stolen session. When you sign in and pass your MFA check, the system hands your browser a token, a small digital wristband that says “this person already proved who they are, let them back in without asking again.” Attackers have learned to steal that wristband. They stand up a fake login page that sits in the middle of your sign-in, capturing not just your password but the finished session token. Once they have it, they walk right past MFA, because from the system’s view the hard part is already done. Stolen session tokens let an attacker skip the login and the second factor entirely.

The second is MFA fatigue. An attacker who already has your password triggers approval prompt after approval prompt until a tired employee taps “approve” just to make the buzzing stop.

The third is quieter and nastier. Once an attacker is in, they enroll their own MFA method on the account. Now they hold a permanent, legitimate second factor. Even if you reset the password later, they can still get back in, because the system sees them as an enrolled, trusted device. You have handed them a copy of your house key without ever knowing it.

None of these are exotic. They are the standard playbook. MFA raises the bar, and you should absolutely keep it turned on. But MFA is a prevention control, and prevention controls fail quietly. The question ITDR answers is the one MFA cannot: what happens in the minutes and hours after someone gets in anyway?

What an identity attack looks like from the inside

Here is the part most owners never see, because it happens inside the account and it is designed to be boring.

An attacker who has taken over a mailbox rarely starts firing off obvious scams. They read first. They learn how your team talks, who signs off on payments, which vendors are mid-invoice. Then they set up quiet infrastructure to keep their access and hide their tracks.

They create inbox rules. A rule that automatically deletes or files away any reply containing the word “invoice” or “wire” means the real employee never sees the conversation the attacker is having in their name. A rule that auto-forwards mail to an outside address gives the attacker a live feed even if they later get locked out.

They grant themselves an app. Instead of relying on the password, they trick the account into approving a connected application, an app permission grant, that keeps read access to the mailbox. Reset the password all you want. The app keeps its keys.

They quietly climb. If the compromised account has any administrative rights, or can reach someone who does, the attacker works toward creating a new admin account of their own. That is the real prize, because an admin can switch off protections, read everyone’s mail, and reset anyone’s access.

Every one of these moves is legitimate on its face. Creating an inbox rule is a normal thing. Approving an app is a normal thing. That is exactly why they slip past tools built to catch bad files and bad traffic. Nothing here is a “virus.” It is a person, or a script acting like a person, using ordinary features for a dishonest purpose.

What ITDR actually does about it

Identity threat detection and response is built for exactly this blind spot. Instead of watching files and network traffic, it watches identity behavior: the sign-ins, the permission changes, the mailbox configuration, the administrative actions. And it knows the difference between normal and suspicious.

In practice, a good managed ITDR service is doing this around the clock.

It watches how and where people sign in. A login from your accountant’s usual laptop in Orlando is fine. The same account signing in from another country twenty minutes later is not physically possible, and the system flags it. Logins routed through anonymizers or known bad infrastructure get the same scrutiny.

It catches stolen sessions. Because it is watching the session itself, not just the password prompt, it can spot a token being used from a place or device that does not fit the person. That is the exact move that walks around MFA, and it is invisible to anything only guarding the front door.

It notices the quiet infrastructure. A new inbox rule that hides or forwards mail gets flagged. A new MFA method added to an account gets flagged. A connected app suddenly granted broad access to a mailbox gets flagged. A new admin account created at an odd hour gets flagged and treated as the serious event it is.
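As an added illustration, not Harmony MSP's tooling or any vendor's product, here is a toy version of two of these checks: impossible travel between consecutive sign-ins, and inbox rules that forward outside the tenant or hide money-related mail. The event format, the speed threshold, the domains and the coordinates are all constructed for the example; real Microsoft 365 or Google Workspace audit records look different.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
MAX_KMH = 900  # assumed threshold: faster than an airliner means both sign-ins cannot be the same person
INTERNAL_DOMAIN = "example.com"  # constructed tenant domain
HIDE_WORDS = ("invoice", "wire", "payment")  # words a hide rule in a BEC intrusion typically matches

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(signins):
    """Flag consecutive sign-ins of one user whose implied speed exceeds MAX_KMH."""
    alerts, by_user = [], {}
    for e in sorted(signins, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            dist = km_between(prev["geo"], cur["geo"])
            if dist > 0 and (hours == 0 or dist / hours > MAX_KMH):
                alerts.append((user, "impossible_travel", f"{dist:.0f} km in {hours * 60:.0f} min"))
    return alerts

def suspicious_rules(rule_events):
    """Flag inbox rules that forward outside the tenant or hide mail about money."""
    alerts = []
    for r in rule_events:
        fwd = r.get("forward_to", "").lower()
        if fwd and not fwd.endswith("@" + INTERNAL_DOMAIN):
            alerts.append((r["user"], "external_forward", fwd))
        if r.get("action") in ("delete", "move") and any(w in r.get("match", "").lower() for w in HIDE_WORDS):
            alerts.append((r["user"], "hide_rule", r["match"]))
    return alerts

T = datetime.fromisoformat
SIGNINS = [  # constructed: accountant signs in from Orlando, then from Berlin 20 minutes later
    {"user": "acct@example.com", "time": T("2026-03-02T09:00:00"), "geo": (28.54, -81.38)},
    {"user": "acct@example.com", "time": T("2026-03-02T09:20:00"), "geo": (52.52, 13.40)},
    {"user": "ceo@example.com", "time": T("2026-03-02T09:05:00"), "geo": (28.54, -81.38)},
    {"user": "ceo@example.com", "time": T("2026-03-02T17:00:00"), "geo": (28.60, -81.20)},
]
RULES = [  # constructed: one external forward, one hide rule, one benign filing rule
    {"user": "acct@example.com", "forward_to": "mailbox@example.net", "action": "forward", "match": ""},
    {"user": "acct@example.com", "forward_to": "", "action": "delete", "match": "invoice"},
    {"user": "ceo@example.com", "forward_to": "", "action": "move", "match": "newsletter"},
]

def run():  # every alert from both detectors over the constructed events
    return impossible_travel(SIGNINS) + suspicious_rules(RULES)
```

The accountant's account produces all three alerts while the CEO's short local move and harmless filing rule stay quiet, which is the normal-versus-suspicious distinction the paragraph describes.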

And then, the part that actually matters, it responds. Detection without response is a smoke alarm going off in an empty house. A managed ITDR service does not simply email you an alert and wish you luck. It acts. It can cut off the compromised session, disable the account, strip out the malicious rule or app, and contain the intruder before the wire goes out. Speed is the whole game here. When 86 percent of business email compromise losses move by wire or ACH, and most of that money is gone the moment it lands, the gap between catching an intrusion in minutes and catching it in days is the gap between an incident and a disaster.

Why the “response” part needs people

You will notice ITDR has “response” right in the name, and that is not marketing filler. The tooling generates signals. Someone still has to decide, fast, which signals are a real attack and which are your bookkeeper logging in from a hotel on vacation. Get that judgment wrong in one direction and you ignore a live breach. Get it wrong in the other and you lock half your staff out of their email over nothing.

The approach we trust pairs the detection technology with a real security operations team that runs day and night. When something identity related trips at two in the morning, a trained analyst investigates it, confirms whether it is genuinely hostile, and either takes action or tells you plainly that it was a false alarm. For a small business, that is the honest value. You are not buying a dashboard you have to babysit. You are buying the outcome: an intruder found and removed while you sleep, without needing a security analyst on your own payroll.

That last point is the one I care about most, because I have watched plenty of small companies buy security tools that quietly turned into shelfware. A blinking light nobody watches is not protection. The years I spent earlier in my career on the signals and intelligence side of the house taught me one thing that has never stopped being true. Collecting the alert is the easy part. Acting on it, correctly and quickly, is the entire job.

What this means for your business

If you run a small business in the Orlando area, or anywhere else, the practical takeaway is simple. Your most valuable and most exposed asset is no longer a server in a closet. It is the collection of logins your team uses every day. That is where the money is, that is where the attackers have moved, and that is the layer most standard security packages barely watch.

You almost certainly already have antivirus and a firewall. Those still matter, and you should keep them. But they are guarding a wall that most of your business now lives outside of. ITDR guards the door everyone actually walks through, which is the login itself. Adding it is not about fear, and it is not about buying another blinking box. It is about closing the one gap that this generation of attacks was purpose-built to exploit.

Harmony MSP has been helping small businesses across Central Florida run and protect their technology since 2011. Identity protection is now a core part of how we keep clients out of that loss column. If you are not certain what is watching your logins right now, that is a conversation worth having. Give us a call at (407) 720-6540.