Oort Knowledge Base

Interview with Andy Winiarski (Head of Solutions Engineering)

We sit down with Oort’s Head of Solutions Engineering, Andy Winiarski, for a conversation about the trends and opportunities he sees in identity threat detection and response. Read on for some great insights, and connect with Andy on LinkedIn here.

Interviewer / Question 1:

From when you were first introduced to Oort, what were some of the things that excited you most about what the company is creating and in the process of bringing to market?

Andy Winiarski:

In my previous role, I was with a multi-factor authentication company and working with large enterprise customers on MFA deployments. I saw a lot of challenges from their side, in terms of visibility around “What do I have deployed out there today? How can I tell how much success I am having and where are my blind spots?” This is especially true with external users or a B2B use case. Frankly, the market out there is really lacking in terms of visibility for customers around that and the amount of that type of access between companies and external users, contractors, etc. Right. It’s just kind of growing exponentially, I would say.

Interviewer / Question 2:

It’s been interesting seeing all the tools that we utilize more and more requiring MFA. How do you see that evolving? And what’s next for MFA? How do you see the technology progressing in the next five years?

Andy:

Hopefully we’ll move away from things that are easily phishable, like SMS and OTP codes, to more device-based MFA, whether it’s security keys or laptops and phones with secure chipsets and those types of things. I think the challenge is going to be having visibility into who used MFA, at what point did they MFA, etc. It’s very murky and there’s a lot of trust that has to happen right now. So there’s going to be this leveling up and trying to manage risk across all these organizations and relationships.

Interviewer / Question 3:

Can you tell us more about identity analytics? When did this term first appear and how do you see it evolving in the marketplace?

Andy:

I was working this past year specifically with a very large global life sciences company. So let’s say 100,000 users globally distributed, internally and externally, and they want to get to an “MFA everywhere, wherever possible” security posture. And as they looked across their groups of users that span manufacturing, logistics, office and corporate users, they were essentially relying on custom point-in-time reports. They had to go build and mine data to get this level of visibility. So there’s clearly a ton of white space to improve on top of existing identity and access platforms.

Interviewer / Question 4:

How do you see the market evolving and developing around identity vulnerabilities?

Andy:

Similar to what we’ve seen around device or endpoint security in the past 5-7 years, as far as anomaly detection and vulnerability scanning and remediation, we’re going to see the same thing in the identity space. In addition to the cohesive visibility across identity platforms, organizations are going to look to automate common identity vulnerability remediation scenarios – things that today are a very manual and time consuming process for IT and security teams. Visibility also gives them the power to move to more ephemeral or just-in-time (JIT) access flows. They can move away from the brittle and insecure identity lifecycle today and close gaps or eliminate unnecessary attack surfaces.

Even just in the near term, there’s a tremendous amount of low-hanging fruit around identity hygiene. For example, if you look at these sort of “zombie accounts” hanging around in an organization – ones that haven’t been logged into in over 30 days or maybe never logged into – we can help close that door right now and make sure it stays closed to attackers.

Interviewer / Question 5:

I guess I got a little sneak peek from a conversation internally with one of your team members that there was a company you’re working with now that had hundreds of these “zombie accounts” that were just sitting there. It sounds like a massive liability. Is it?

Andy:

Oh, absolutely. When you consider that there’s a lot more collaboration going on and having the ability to quickly invite people into your organization via Teams, Slack, and other tools – the business is moving much faster than IT security and governance. Some of these platforms are in some sense themselves becoming their own identity sources. So seeing your identity terrain is clearly step one.

Interviewer / Question 6:

There’s a lot of different ways to utilize identity when you log into something like the Google Workspaces of the world or Microsoft or Facebook or any of one of these majority platforms… Do you see some companies like those ahead of others in regards to how they’re doing it or how they are evolving in the identity landscape?

Andy:

Yeah, great question. I will say, for instance, Microsoft seems to have put a lot of focus recently on exposing identity-related events in their premium versions of Azure AD, for example starting to do risk scoring around logon events. So having that data available for us to ingest and correlate with the overall user activity is fantastic. As on-prem AD slowly dies, we just need them to hopefully make that functionality available in other non-premium Azure tiers, even on a short-lived basis, so that smaller orgs, EDUs, and the like aren’t flying blind.

Microsoft is also doing some very interesting work in decentralized self-sovereign identity or SSI, which really needs a big player involved to make it real. So the commitment to identity as a whole is clearly there for them, both on the commercial and enterprise side.

Interviewer / Question 7:

I feel like it’s almost like the Apple model, where you have Android first to market some sort of functionality, and then Apple takes its time and kind of perfects it, and then they release it for the iPhone. I wonder if that may be happening with identity almost where a company like Microsoft may be on the forefront and then a big player like Google or Facebook or someone may refine it, but it is interesting to see the different options that people have from a personal level and a corporate level.

Andy:

Right. If you look at the broader market of both customer identity or CIAM and enterprise identity, someone like an Okta, which was really first to implement FIDO2 and WebAuthn in a flexible way – they’ve invested heavily with the Auth0 acquisition on the customer identity side. So they might be best positioned to enable some crossover or “best of both worlds” for the B2B space. Because while many CISOs may not be ready for full-blown BYO identity or BYOID, it’s certainly a challenge today.

One organization that we’re working with, they have roughly 5,000 thousand identities in their directory, but over half are external users in some form – contractors, guests, managed service providers (MSP) entities. How do you manage that kind of churn? Treating them all like internal users just doesn’t make sense today.

Interviewer / Question 8:

Do you have any final thoughts on identity vulnerabilities or other topics we discussed?

Andy:

One parting thought is that I view identity today in the same way we used to look at endpoint devices maybe 3-5 years ago, where the OS and the applications were the target and it was this vast landscape of unpatched vulnerabilities. Now it’s identity, but the difference is that attackers have gotten much more targeted in their campaigns. It’s not like the spray-and-pray malware campaigns of the past. And our identities are so much more visible in the digital world to attackers than our devices. So the bad guys just need to find that crack in the window that they can get a shot in through.

So I’m really excited about our ability to give organizations that sort of wall-to-wall visibility of their identity threats at their fingertips. I want to help them easily find those gaps and quickly close them.