Oort Knowledge Base
8 Things to Look for in an ITDR Solution


What would you say you do here? (Office Space)

In 2018 I inherited the single sign-on project for Cisco Security. Unlike my predecessor, who tried to build an SSO solution on his own, I opted to leverage our acquisition, Duo, for MFA, and Okta's Universal Directory. The team and I unstuck a three-year project in less than nine months and moved six products under management. While I love both these products (and Auth0 as well), when I was talking to my SE I found a few gaps that made me start asking:

  1. How do I know what factors a user is using?

  2. Who are my admins and what are they doing?

  3. How can I detect if any of my users get breached?

  4. Are my users trending up or down?

Oh, and I wanted something I could easily pick off the shelf and deploy without a science project. Unfortunately, it ended up being a massive endeavor.

As I was rolling out the project to answer my four key questions, I learned that while Identity Providers (IDPs) are critical parts of the security platform, they are not geared or built to be part of the security ecosystem like traditional platforms. If you look at firewalls and Endpoint Detection and Response (EDR) platforms, they have robust analytics backends that can be secured stand-alone or connected to your SOC platform, SIEM or enterprise monitoring tools right out of the box. I was looking for something similar to Cisco's SecureX or Cortex for identity, maybe a few built-in plugins and dashboards in Datadog, but I noticed that even the events for multi-target outcomes (an application and a user, for example) were not processed correctly by most platforms, not to mention analyzing which of my users are at risk.

Is it a security problem or is it an IT problem?

IDPs live in the zone between IT and Security, and no one really wants to own them; therefore robust tooling has never been developed. The team I worked with at Okta offered Datadog or Splunk as the way to go. We used both but still didn't get what I was looking for.

As we continued to deploy our IDP we discovered a few others lurking in the shadows. I needed to understand how Azure AD, Slack, Google Workspace, Salesforce and Ping worked with our main IDP.

Furthermore, the business needed to know:

  • How far are we into unifying our identity solutions? We always need to justify the cost of identity projects. Without knowing where we are, we might deploy bad policies or, worse, launch massive marketing campaigns for solutions you can't log into.

  • How fast do we block access in various scenarios? Knowing time to remediation is a critical security metric.

  • Where do we stand on various migration projects? Unifying IDPs comes as both a cost reduction exercise and security solution. If you are still paying for both, you might be missing the goal.

  • Which IDP do the users actually use? Our customers could have used the pre-existing built-in IDPs in the applications, might have brought their own IDP, or used a social login. Understanding these trends was critical for feature development and for the policies we would like to enforce.

  • Who are our users? Are our customers logging in to our system? How do we know?

  • Does MFA registration or email confirmation cause users to drop subscriptions? The business might swing between “everything needs MFA” to “why do we need security?” based on weak metrics. The ability to show security posture impact on business helps navigate these mood swings without relaxing meaningful policies.

Along came COVID...

Initially the need for ITDR was clear for consumer or B2B IDPs. Workforce, on the other hand, was presumed to be well-defended behind firewalls, EDRs and other on-premise solutions. COVID accelerated a few trends.

First, there was a clear move towards cloud-based and SaaS solutions. In order to function, businesses needed to implement platforms like Workday, Salesforce, and Okta. When your workforce is at home, it makes more sense to have users go directly to the cloud.

Second, a similar shift was happening in infrastructure, with organizations looking for cost savings by moving from on-premise servers to AWS, Azure, and GCP.

Third, the Great Resignation changed the workforce itself. Most organizations now rely on a large number of contractors. Due to remote hiring, many managers have never even met their full-time employees.

New opportunities for attackers

With these changes, attackers adjusted their tactics to take advantage. Phishing, credential sharing and session stealing came back with a vengeance. They are cheaper and easier to execute than a complicated malware-based attack: all you need is a fake website and a few emails. Don't believe me? Just read up on the Lapsus$ and 0ktapus attacks, executed by 16-year-olds.

Or listen to Dimitry from Avid's experience of employees outsourcing their jobs.

Customer Interview with AVID Technologies (video)

Now you have the need for a dedicated solution for identity that can cover both consumer and workforce identities.

Why can’t your SIEM be your ITDR solution

SIEMs are great at correlating events from very chatty systems like firewalls or EDR/XDRs. They are built to alert on a chain of events, such as automated malware traversing your organization, because those are machine-generated patterns. For example, you can certainly write a rule that fires when an admin logs on from a new IP. But it will lack most of the context about that user: how they historically log in, from which devices, with which factors, and so on. It will also miss directory information such as the person's role, whether the account belongs to a human or a service, and whether it is a break-glass account that is being used for daily operations. During an incident, the ability to answer these questions in real time makes the responder far more effective, and as we know, time is money.

What you can't do with SIEM rules is detect issues that are not event-based. You cannot detect inactive guest users, and you cannot detect state changes that never produce a log line. These are fundamental pieces of IAM hygiene that create opportunities for attackers. Some tools focus only on detecting threats, but I think that misses a key element of reducing your identity attack surface. The gap widens when an event relates to a state: a dormant user that becomes active after a long period of low-and-slow password guessing, or the connection between a guest account and an internal user who is on an expiring contract or about to be terminated.

Last, the staff who write detections for SIEM solutions have not been incentivized to build identity-related detections. You can go off and build those detections through contractors and third parties, but as we all know, detections and rules need to be constantly adjusted and updated. Ask yourself: are you staffed to play whack-a-mole with every new threat? The other option is to use the right ITDR solution. What does "right" mean? See my suggested list below, but compared with a SIEM you need something that can handle a high volume of login and audit events while correlating and enriching that data with directory and HR sources.
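The difference between a bare SIEM rule and an enriched identity check, as an added example (this is not Oort's or Cisco's code): the first function is the "admin from a new IP" rule, but it pulls the role, account type and break-glass flag from a directory snapshot to decide severity; the other two are checks a log-only rule cannot express, inactive guest users (pure state) and a dormant account that finally succeeds after a run of failures (state joined with events). The directory snapshot, the per-user IP baseline and the Okta-style sign-in events are all constructed here, and the field names are assumptions rather than any vendor's schema.

```python
"""Added example: identity checks that join sign-in events with directory state.
All data below is constructed; field names are assumptions, not a vendor schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def user(role, kind="person", guest=False, break_glass=False, idle_days=0):
    """One directory record: the context a plain SIEM rule does not carry."""
    return {"role": role, "type": kind, "guest": guest, "break_glass": break_glass,
            "last_login": NOW - timedelta(days=idle_days)}


DIRECTORY = {  # constructed snapshot, as it would come from SCIM or the IdP user API
    "alice@example.com":      user("Super Admin", idle_days=1),
    "svc-backup@example.com": user("Admin", kind="service", idle_days=2),
    "bg-admin@example.com":   user("Super Admin", break_glass=True, idle_days=400),
    "guest-bob@partner.com":  user("Guest", guest=True, idle_days=120),
    "guest-dan@partner.com":  user("Guest", guest=True, idle_days=5),
    "carol@example.com":      user("User", idle_days=200),
}

KNOWN_IPS = {  # constructed per-user baseline built from prior history
    "alice@example.com": {"203.0.113.10"},
    "svc-backup@example.com": {"198.51.100.5"},
    "bg-admin@example.com": set(),
}


def event(actor, ip, outcome, hours_ago=0.0):
    return {"ts": NOW - timedelta(hours=hours_ago), "actor": actor, "ip": ip, "outcome": outcome}


EVENTS = [  # constructed Okta-style sign-in events, oldest first
    event("carol@example.com", "192.0.2.200", "FAILURE", hours_ago=240),
    event("carol@example.com", "192.0.2.200", "FAILURE", hours_ago=168),
    event("carol@example.com", "192.0.2.200", "FAILURE", hours_ago=72),
    event("alice@example.com", "203.0.113.10", "SUCCESS", hours_ago=5),
    event("alice@example.com", "192.0.2.77", "SUCCESS", hours_ago=4),
    event("svc-backup@example.com", "192.0.2.78", "SUCCESS", hours_ago=3),
    event("bg-admin@example.com", "192.0.2.79", "SUCCESS", hours_ago=2),
    event("carol@example.com", "192.0.2.200", "SUCCESS", hours_ago=1),
]


def is_admin(rec):
    return "admin" in rec["role"].lower()


def admin_login_from_new_ip(events, directory, known_ips):
    """Event-based rule a SIEM could also express, enriched with directory context.
    One alert per successful admin sign-in from an IP outside that admin's baseline."""
    alerts = []
    for ev in events:
        rec = directory.get(ev["actor"])
        if ev["outcome"] != "SUCCESS" or rec is None or not is_admin(rec):
            continue
        if ev["ip"] in known_ips.get(ev["actor"], set()):
            continue
        # A service account or break-glass account signing in interactively from a
        # new IP is far more suspicious than a human admin who is travelling.
        severity = "high" if rec["type"] == "service" or rec["break_glass"] else "medium"
        alerts.append({"check": "admin_new_ip", "actor": ev["actor"], "ip": ev["ip"],
                       "role": rec["role"], "account_type": rec["type"],
                       "break_glass": rec["break_glass"], "severity": severity})
    return alerts


def inactive_guest_users(directory, now, max_idle_days=90):
    """State-based check: a guest who simply stops signing in produces no event,
    so this comes from the directory snapshot, not from the log stream."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, rec in directory.items() if rec["guest"] and rec["last_login"] < cutoff)


def dormant_account_activity(events, directory, dormant_days=90, min_failures=3):
    """State joined with events: a long-dormant account that succeeds after a run of
    failures (the low-and-slow pattern). Needs last_login from the directory plus history."""
    failures, alerts = {}, []
    for ev in events:
        if ev["outcome"] == "FAILURE":
            failures[ev["actor"]] = failures.get(ev["actor"], 0) + 1
            continue
        rec = directory.get(ev["actor"])
        if rec is None:
            continue
        days_dormant = (ev["ts"] - rec["last_login"]).days
        if days_dormant >= dormant_days and failures.get(ev["actor"], 0) >= min_failures:
            alerts.append({"check": "dormant_after_failures", "actor": ev["actor"], "ip": ev["ip"],
                           "failures_before": failures[ev["actor"]], "days_dormant": days_dormant})
    return alerts


if __name__ == "__main__":
    for alert in admin_login_from_new_ip(EVENTS, DIRECTORY, KNOWN_IPS) + dormant_account_activity(EVENTS, DIRECTORY):
        print(alert)
    print("inactive guests:", inactive_guest_users(DIRECTORY, NOW))
```

Run as a script it prints three admin alerts (the human admin at medium, the service account and the break-glass account at high), the dormant-account alert for the user who succeeded after three failures, and the one guest idle for more than 90 days. The point is the join: the severity and the two state checks all depend on fields that live in the directory, which is exactly what a log-only SIEM pipeline does not have.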

Evaluating Identity Threat Detection and Response solutions

Until now, getting this degree of visibility and control over identities for security purposes has required immense amounts of heavy lifting, taping and gluing capabilities together, and even at its best it still doesn't deliver what I originally needed for my four main questions. ITDR can. But like all new shiny objects, every vendor is going to hop on the bandwagon and claim they can solve your woes. Be careful and make sure you get a solution that can do what it promises.

I’ve put together my view as a former practitioner of must-have criteria when evaluating solutions for ITDR.

1. Sources: Build an ingestion pipeline that includes:

  • IDP information (Okta, Azure, Google)

  • Productivity suites (Google, O365)

  • Messaging tools (Slack, Teams)

  • People information (HR)

  • Networking infrastructure information

2. Storage: Have a storage solution that can support:

  • Structured (like a database)

  • Semi-structured (e.g. log information) data.

3. Standards: Adhere to a standard as closely as possible; SCIM is your friend.

4. Operationalize effectively: Support lightweight automation based on Slack, ServiceNow and Jira.

5. Make the data accessible:

  • This can include digests in the tickets, enabling users to diagnose and react to issues easily.

  • Meeting the users where they are should not be a slogan, it should be done by design.

6. Understand the threats and needs in the space:

  • Session hijacking, available with a simple tool

  • Account takeover or sharing (they look the same)

  • Assess whether investigating unsuccessful attacks is worthwhile under your current budget constraints. Everyone gets attacked, all the time, continuously. You need to know whether they are targeting you specifically, or whether this is a drive-by that your MFA solution is holding up against.

  • Understand whether your MFA posture is the right one for your specific threat landscape. Some organizations can thrive with lightweight MFA, while others need strong cryptographic solutions and a tight refresh process.

7. Part of something bigger: Try being part of an ecosystem, such as Snowflake or Databricks, that allows sharing of information with other parts of your security team.

8. Fulfill key questions and needs: Understand if you can answer the questions I asked in the beginning!

What now?

This long treatise is me trying to spare you the lessons I learned the hard way. Leaving the identity part of your security solution and program in the dark seems to me an invitation for trouble. Consider getting an assessment of your program from a third party (we at Oort offer one for free, but feel free to ask your Azure or Okta reseller for one). Furthermore, start building KPIs for that program. If you don't know what they should be, feel free to DM me on LinkedIn; I can talk about these for hours.
