Identity is the apex threat vector, so why is identity security still a mess?


The numbers are stunning: over 60% of data breaches are the result of credential abuse. Another way of saying this is that by focusing on identity security, you can reduce your likelihood of a breach by up to 60%. No other stratum in a layered security architecture is more consequential to an organization than identity. And yet, inside organizations large and small, identity isn’t always on the roadmap of security priorities.

Let’s explore why identity security is still such a mess.

Credentials are a legacy security paradigm

When information systems were invented, their mere existence was a form of security. Rather than having paper documents or intellectual property floating around the natural world, one could secure them in an information system where they would be protected from things like windstorms, floods, or hungry grizzly bears.

As individual information stores became the systems of record of more and more stuff used by more and more people, the need to control or restrict access to certain information to certain people became a requirement. Thus, the system for securing information needed a security system itself, and credentials were born.

When we look at why identity is a mess inside many organizations today, one of the reasons is that credentials are treated as security itself, and things that are perceived to be already secure don’t get the attention or funding that the less-secure layers do.

Identity is a hot potato between IT and security

The legacy baggage of identity actually carries over into the modern enterprise as well, most acutely in those with separate IT and security teams. Generally speaking, the IT department existed long before any cybersecurity specialization was needed, and this has created the acceptance that as a baseline for security controls, identity and access management (IAM) is the default domain of the IT department and not security.

Operational tasks at the identity level that we now accept as part of the security domain (access control, privileges, authentication, etc.) are still in many cases stuck in the IT department simply because that’s where they’ve always lived. The IT department thinks they’ve got an identity provider hooked up as a directory, they’re using it for multi-factor authentication, and therefore, identity security can be checked off the IT punch list.

If only it were that easy. Identity and access management is inherently a security operation, and in organizations that have separate security and IT functions, identity should live with security, full stop.

Identity suffers from inertia and low visibility

Identity suffers from low visibility into activity and overall hygiene. Detecting threats, investigating users, and remediating vulnerabilities are all hard to do when you don’t know and can’t see the data you need.

As the saying goes, “out of sight, out of mind,” and this is especially true when it comes to security in general. The high level of effort required just to see what’s going on with their identities means that many organizations simply and subconsciously deprioritize this security layer.

Identity is also perceived to be relatively inert when compared to other areas of cybersecurity. While identities may indeed change slowly at smaller organizations, large organizations face a revolving door of identities coming and going nearly 24 hours a day, seven days a week.

The dynamic onslaught of personnel changes means that identity is anything but slow-moving in large organizations, regardless of how little visibility they have into it. Just because they don’t see it happening doesn’t mean it isn’t a fast-moving, enigmatic challenge.

Identity isn’t cool like EDR and NDR

So-called “shiny object syndrome” runs rampant in cybersecurity. We’ve all been seduced by it: the latest dashboard with the colorful charts and the bits of data streaming edge to edge on the screen. Or, take the idea of stopping an attack mid-execution by locking up a device and subsequently spoiling the vacation plans of some distant and anonymous threat actor. Endpoint detection and response (EDR) and network detection and response (NDR) are Hollywood-level cool! But all of the cloak-and-dagger aside, identity threat detection and response (ITDR) is more important than EDR and NDR – here’s why.

Identity threats start with nothing happening. Dormant accounts, accounts with no MFA, or guest users in your Slack (hello, sensitive data!) all represent security threats. There is no bitstream monitoring or endpoint agent that’s going to clean up these risky accounts. You literally have to look for nothing happening to see these threats and then take action to remediate them.
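What “looking for nothing happening” means in practice is a scheduled hygiene sweep over the identity inventory rather than a stream of events to alert on. The following is an added example written for this article, not Oort’s own code or its Identity Security Checks: it runs three such absence-based checks (dormant account, account that has never logged in, no MFA enrolled) plus a guest-account check over a constructed sample inventory. The 90-day dormancy threshold and the account fields are assumptions for the example; a real sweep would pull the same attributes from the identity provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy value for the example: an account with no sign-in for
# longer than this is considered dormant.
DORMANT_AFTER = timedelta(days=90)

# Fixed "now" so the sample results are reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    """Minimal view of an identity record (constructed for this example)."""
    username: str
    created: datetime
    last_login: Optional[datetime]   # None means the account never signed in
    mfa_enrolled: bool
    is_guest: bool


# Constructed sample inventory; none of these are real users.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", NOW - timedelta(days=700), NOW - timedelta(days=2), True, False),
    Account("bob", NOW - timedelta(days=700), NOW - timedelta(days=200), True, False),
    Account("carol", NOW - timedelta(days=120), None, False, False),
    Account("dave", NOW - timedelta(days=30), NOW - timedelta(days=1), False, True),
    Account("erin", NOW - timedelta(days=10), None, True, False),
]


def account_findings(account: Account, now: datetime) -> List[str]:
    """Return the hygiene findings for one account.

    Every check here keys on something that is absent (no recent sign-in,
    no sign-in at all, no MFA) or on a status (guest) rather than on an
    event, which is why an event-driven detector would never surface it.
    """
    findings: List[str] = []

    if account.last_login is None:
        # Never-logged-in accounts get a grace period equal to the dormancy
        # threshold, measured from creation, so freshly provisioned users
        # (erin) are not flagged on day one.
        if now - account.created > DORMANT_AFTER:
            findings.append("never-logged-in")
    elif now - account.last_login > DORMANT_AFTER:
        findings.append("dormant")

    if not account.mfa_enrolled:
        findings.append("no-mfa")

    if account.is_guest:
        findings.append("guest")

    return sorted(findings)


def run_checks(accounts: List[Account] = SAMPLE_ACCOUNTS,
               now: datetime = NOW) -> Dict[str, List[str]]:
    """Sweep the inventory and return only the accounts with findings."""
    report: Dict[str, List[str]] = {}
    for account in accounts:
        findings = account_findings(account, now)
        if findings:
            report[account.username] = findings
    return report


if __name__ == "__main__":
    for user, findings in run_checks().items():
        print(f"{user}: {', '.join(findings)}")
```

Run on the sample data, the sweep flags bob as dormant, carol as never-logged-in and without MFA, and dave as a guest without MFA, while alice and erin produce nothing. The point of the grace period on never-logged-in accounts is that the same absence of activity means different things for a ten-day-old account and a four-month-old one; a check that ignores creation time either floods the queue with new hires or misses stale provisioning.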

It’s not sexy, but good security – not just identity security – starts with good identity hygiene.

Identity is complicated

On average, organizations with over 500 people use more than 25 systems of identity. That’s a lot of time and money wasted switching between browser tabs, native apps, and SaaS when investigating threats or just in trying to maintain good, consistent identity hygiene. In fact, we recently had a customer tell us that we saved her “like 3 hours” when investigating a user.

When you combine the sheer number of different identity systems with their overlap in security capabilities in terms of things like permissions, conditional access control, and authentication, identity chaos is a virtual certainty.

Importantly, when you consider the reality of having to secure identities inside organizations, you’re never starting from scratch. That would be relatively easy. Instead, you likely inherited legacy systems talking to the latest and greatest technology (and some of the not-so-new and not-so-great tech), and if the people who duct-taped them together are still at the company and never get sick, they’ll probably still work. That’s a big “IF.”

One thing is for sure. Identity sprawl within and across systems will continue unabated until good technical solutions are implemented. There is simply no way for people alone to stay ahead of the mess.

The best identity security solution should add simplicity

Since the dawn of civilization, whether guarding a castle or a network, the prevailing ethos in security has been “more is better.” While that may certainly be true in some cases, in all cases, the question must be asked, “but at what cost?” Identity touches every person in an organization. The cost of more security in this case is complexity and inefficiency that is felt far and wide each and every day.

The best identity security solutions make simplicity a priority. Getting your arms around your identity population is hard enough; making sense of the data, capabilities, inheritances, and dependencies of your identity systems is an order of magnitude more complicated.

Oort makes securing your identity program easy, with Identity Security Checks run on demand or on a schedule against your selected identity population and across all of your identity systems. Regardless of whether responsibility for identity sits with IT or security in your organization, IAM and security operations center (SOC) teams love Oort for its simplicity in detecting, investigating, and responding to identity threats at scale. If you want to see what simplicity looks like, get a no-nonsense, 15-minute demo or start a 30-day free trial at oort.io/demo