So much to share this week! Multiple major product updates, not to mention the incredible success of Identity Threat Detection & Response (ITDR) as the hot new trend in cybersecurity for 2022. However, before we get into any of that, we need to address the elephant in the room…
⭕ Okta breach by LAPSUS$ data exfiltration group
This week Okta acknowledged a breach of 2.5% of their customer accounts (hundreds of companies) that took place back in January. This breach was originally discovered by Okta in January but only recently revealed publicly when the LAPSUS$ group shared screenshots of their access to the Okta dashboard.
Given this news, the Oort team has built a playbook to research whether your Okta tenant may have been affected. If you are an Okta + Oort customer, we have already reached out to you to offer assistance. However, if you are reading this and are not yet an Oort customer, please don’t hesitate to contact us and we will help.
If you are not an Okta customer, take a brief sigh of relief, and then realize that this attack can just as easily happen to Azure AD customers. It just takes one third-party support engineer or help desk worker who wants to make a bit of cash on the side by selling their credentials. The social engineering bar is incredibly low. Your endpoint and network security solutions are powerless here.
Now, onto the release notes.
🟢 Duo Integration
As much as we like to believe that the IAM world starts and stops with Okta and Azure AD, there really is so much more to it. Cisco’s Duo platform for multi-factor authentication has amazing market share and sits side-by-side with many Cloud SSO providers (such as Okta).
Neither of these products (Okta or Duo) has very good analytics and threat detection capabilities. We’re here to bridge the gap with the all-new Duo Integration for Oort.
A few things you can d(u)o right out of the gate:
1. Detect users who are active in your SSO but absent from Duo (MFA enrollment is a pain!)
2. View MFA logs from Duo for each user in the Activity view, side-by-side with SSO logs
3. View details about which factors Duo is using to authenticate users
Over the next few weeks we’ll be rolling out more Duo-related capabilities including compliance checks and additional threat checks, such as MFA fatigue.
🐼 Protected Population
Every identity is a potential attack vector. Oort exists to protect your identities from being compromised by would-be attackers. However, this can be an intimidating and overwhelming problem when you have thousands of identities and just as many issues to resolve. Instead of trying to solve everything all at once, we are now introducing the concept of a “Protected Population” to help reduce the scope to a manageable level.
Protected Population allows you to configure specific groups to target with Oort’s existing library of identity checks. For example:
- Retailers can exclude frontline and temporary workers
- Universities can exclude student/alumni accounts to focus on just faculty and staff
⏬ Download Users CSV
We want to make it as easy as possible to resolve issues directly within Oort. That said, sometimes you just need a good ol’ spreadsheet with a list of users. One of our most requested features is a download button to extract users who are failing a particular check. We’ve now added this capability to two locations in the product.
First, to the Check Detail screen for every check. Hitting the “Download Users” button here will produce a CSV containing all the users who are failing this particular check.
Second, on the Users List screen. You can decide how you want to filter the Users List before hitting the download button.
🌉 Okta Log Streaming to AWS EventBridge – by default, Oort pulls data from various data sources once per day. With Okta’s latest release, we can also configure your Okta instance to stream events to an AWS EventBridge where they can be consumed by Oort. This new integration option reduces the burden on your Okta API rate limits and will eventually enable us to produce real-time alerts for specific scenarios that require them.
🙋‍♀️ Request Check / Integration – looking for a new check or integration? Hit the “Request Check” or the “Request Integration” button on their respective screens in the product to send a message directly to the Oort engineering team.
🔎 Global search – all new in the upper left: global search! You can search for usernames, email addresses, group names, IP addresses, locations, and more. Try it out to quickly bring up the data you need without having to click around.
🔺 Failed Check Notifications – we’ve updated our check notification messages for email, Slack, and Teams to send only the list of users who have started failing each check since the last notification was sent. This “delta notification” will help you stay on top of the latest failures in your environment.
👨‍👩‍👧‍👦 Group Membership Search – did you know you can filter the Users List by group membership? Just put the name of a group into the text box next to the “Filters” button and you’ll get a list of all users who are members of that particular group.
That’s all for this week! Take care and let us know how we can help you with your Identity Security needs!