Investigative report from Oort analyzed user data, login information, and behavioral intelligence from more than 500,000 identities
BOSTON, MA - Feb. 23, 2023 - Oort, provider of identity-centric enterprise security, today revealed the findings of its State of Identity Security Report, a comprehensive analysis of data from more than 500,000 identities. In its mission to address the challenges organizations face in securing their identity attack surface, Oort’s research unveils the most common Identity and Access Management (IAM) hygiene challenges leaving organizations at risk, and the most commonly used techniques attackers are utilizing to take over accounts.
“The vast majority of successful breaches in the past year were the result of account takeover (ATO). This research illustrates just how easy enterprises are making it for attackers to target their identities and launch successful ATO attacks,” says Oort Founder and CEO, Matt Caulfield. “IAM and security teams simply don’t have the visibility and control they need to see these risks, leaving them blind to the most common threats they are likely to face this year - account takeover.”
Oort reports that 40.26% of accounts in an average enterprise are using either weak second factors or none at all, leaving them vulnerable to targeting with simple techniques like phishing and social engineering. Additionally, the report finds that phishing-resistant second factors were used in only 1.82% of all logins. The lack of strong MFA adoption has implications not only for potential account takeover attacks but also for regulatory compliance, citing several compliance frameworks that have requirements for MFA.
The report unveils the most commonly targeted accounts are either dormant or those that belong to executives and administrators. Dormant accounts are the lowest-hanging fruit for attackers, and yet represent 24.15% of all accounts for an average enterprise. Oort found an average of 501 monthly attacks against dormant accounts per company emphasizing the importance of cleaning up and having oversight of suspicious behavior within dormant accounts. The findings show that administrator accounts, which give attackers the highest degree of permissions, are targeted more than three times the average account and often lacked, or were excluded from, MFA controls.
Oort’s research also revealed that 79.87% of application accounts go unused every month, highlighting that users have access to too many applications and sensitive data. The implications of having unnecessary access and the financial burden of excessive licenses are quick wins that organizations can avoid with the proper visibility over their identities and their associated behavior. By reducing user access to excessive applications and the data contained within, organizations can fairly easily reduce costs and improve visibility over their identities and their associated behavior.
Oort’s research impresses the importance for enterprises to gain visibility across all their identities to decrease their attack surface, enforce proper MFA adoption, and ensure poor IAM hygiene is not leaving them at risk. This includes regularly reviewing and updating user accounts, groups, and permissions, as well as implementing access controls and monitoring systems to detect and respond to any suspicious activity.
“Organizations can easily decrease the risk of account takeover by prioritizing identity security. Understanding their identity attack surface, having visibility into basic IAM hygiene issues and MFA compliance can go a long way in eliminating the easiest targets for attackers to succeed,” adds Caulfield regarding the opportunity organizations have to address these challenges and reduce their risk of breach. “Oort provides this greater visibility and control for security teams and we are laser-focused on helping enterprises secure their identities and stop account takeover.”
This report analyzed user data, login information, and information from identity providers including Okta, Azure Active Directory, Duo, and Auth0. In total, the analysis covered more than 500,000 identities from organizations with 1,000+ employees. The research relied on a variety of threat detection rules, which have been created by the Oort Data Science team. Oort’s State of Identity Security Report offers a comprehensive overview of the challenges organizations face in securing their IAM systems and offers practical advice for mitigating these risks.
Oort is an identity-centric enterprise security platform. As a turnkey solution for Identity Threat Detection and Response (ITDR), Oort is providing immediate value to security teams by working with existing sources of identity to enable comprehensive identity attack surface management in minutes. Led by a team with decades of domain expertise across identity, networking, and security, Oort is backed by venture capital investors including Energy Impact Partners, .406 Ventures, Bain Capital Ventures, Cisco Investments and others. Market-leading technology companies, like Collibra and Avid Technology, rely on Oort to provide full visibility into their identity populations. To learn more, please visit oort.io.