Brett Winterford and Defensive Cyber Operations

Okta and Splunk Combine to Detect Common Attacks

In an ideal world, every security function would have a Detection Engineering team. Regrettably, even organizations that are stewards of highly sensitive data often can’t afford (or don’t prioritize) the capabilities required for effective security monitoring. There can be a misconception that cloud service providers are doing the monitoring for them. It's a challenge that Okta Security wants to help address. Whenever we write a detection for our own purposes (we use Okta, too!), there’s an...

Josh Clark and Tin Nguyen

Setting the Right Levels of Assurance for Zero Trust

Okta Identity Engine (OIE) is an incredibly powerful platform. What other platform allows you to have this level of security, granularity and control? “Only allow access to a highly sensitive application if the user authenticates with multiple authenticators that are at least one phishing-resistant, and only from a corporate-managed device with a strong EDR posture score.” The more sensitive an application is, the more security context we might seek to verify to ensure the access is...

Brett Winterford

Catch-All's and Canary Rules

Okta Identity Engine offers admins the ability to vary authentication flows to applications based on everything from group membership, device management, device posture, network zones, risk evaluation, user behaviour and more. Generally speaking, the more context evaluated at the point of access, the better the security outcome. That’s what this whole zero trust journey is about: all the stars should align before a legitimate user can access a sensitive resource. The flip-side of this is that...

Okta

User Sign-in and Recovery Events in the Okta System Log

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP. We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library. The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and...

Okta

Okta Code Repositories

SUMMARY: In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers. SCOPE: The security event detailed below pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products. EVENT: In early December 2022, GitHub...

Brett Winterford and Defensive Cyber Operations

Detecting Real-Time Phishing Attacks

In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns? Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies Okta...

Okta

Okta’s Response to OpenSSL Security Update

The OpenSSL Project has announced the availability of a security update (version 3.07) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6). The two CVEs are listed below: CVE-2022-3602 CVE-2022-3786 Response: Okta’s engineering teams have applied patches and other mitigations, where required. Customer Guidance: For both CVEs, the severity level has been listed as “high” and the following information has been made available: OpenSSL versions 3.0.0 to 3.0.6...

Chris Niggel and Brett Winterford

Monitoring for Abuse of Administrative Privileges

All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program. A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. These research efforts serve to reinforce some long-held security principles: most notably the...

David Bradbury

System Log: a Window into Supporting the Okta Cloud

Transparency is a core value at Okta. In April 2022, Okta committed to a range of initiatives that aim to drive greater transparency in how we respond to security incidents. One of those commitments was to provide our customers with insights into all the things our customer support teams do behind the scenes to deliver the unrivaled experience that is the Okta Identity Cloud. Under 2.6 in our Security Action Plan: “Okta will enhance the Okta System Log so that every customer support activity -...

Brett Winterford

The Human Factor in Phishing Resistance

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. In this second part of our series on phishing resistance, we consider the human element. All organizations should aspire to a state in which technical and operational controls reduce the burden on end users to identify and respond appropriately to social engineering. Large numbers of Okta customers are...