Oort Origins and Our Vision for Identity Security


Since February 2022, when we first launched the Oort Identity Security Platform, Oort has grown to secure more than half a million accounts.

We wouldn’t be where we are today without our early adopters, including the likes of Avid Technology, Collibra, and Northeastern University. We also wouldn’t have gotten far without our advisors and technology partners, such as Snowflake, Okta, Microsoft, and Cisco.

The industry has quickly realized that identity is a huge blind spot for security and we need to do something about it. This trend has been picked up in Gartner’s research, too. Their paper, “Your Cyberattack Preparedness With Identity Threat Detection and Response”, outlined why organizations need ITDR capabilities and why existing solutions are falling short.

With our Series A investment, announced in October, we have set ourselves up for an exciting 2023 as we continue to expand our capabilities and customer base.

Amidst all that excitement, I want to take a moment to step back, and share a bit about where Oort came from and where we’re headed.

Why are we called Oort?

Customers, investors, partners, employees, random acquaintances… they all have the same question: “why are you called Oort?”

Followed by:

  • “Is that an acronym? Does it stand for something?”

  • “How do you pronounce it? Is it O.O.R.T.? Or O-Ort?”

  • “Is the comet in the logo a letter? Or is the name of the company just ORT?”

We’ve heard them all.

Fortunately, when we do reveal the origin of our name, it is often met with delight. The beauty of a good analogy. So let’s answer it then: why ARE we called Oort?

The Oort Cloud surrounding our solar system

Oort, our company, is named after the Oort Cloud, which, in turn, is named after 20th century Dutch astronomer Jan Oort. Back in the 1950s, Jan Oort theorized the existence of a massive spherical cloud of icy objects orbiting our solar system beyond the reaches of Pluto and the Kuiper belt, which later became known as the Oort Cloud.

Jan Oort himself was a remarkable scientist. Using real galactic observations, he was able to prove the theory that our Sun is not the center of the Milky Way and that the Milky Way itself rotates around its center which lies some 30,000 light years away from our solar system. Not only that, but the Earth and the rest of our solar system takes 225 million years to orbit the center of the galaxy. By observing the speed of rotation of the stars in our galaxy, Oort even discovered the first evidence of dark matter.

After surviving the Nazi occupation of the Netherlands during World War II, Jan Oort went on to study the behavior of comets and proposed the idea that long-period comets originate from a common region outside the reaches of the furthest planets. He theorized the existence of a swirling cloud of billions of comets orbiting our solar system.

A slight disruption of any one of these icy objects can send it hurtling towards our inner solar system. As these balls of dust and ice get close to the Sun, they begin to melt and let off gasses, which form the tail of the comet.

What do comets have in common with security?

While this history of astronomy may be fascinating, what has it got to do with enterprise security? Believe it or not, our solar system and the Oort Cloud are the perfect analogy for the modern enterprise.

Think of your typical model of the solar system from elementary school: the Sun, the eight planets, the asteroid belt. In our analogy, this is where all of your assets, data, and applications reside. Maybe you’re using cloud infrastructure, SaaS applications, on-premise systems; these are all part of the core of your business and this is exactly what you are trying to protect.

Now zoom way out.

What do you see orbiting your company? Thousands? Hundreds of thousands? Millions of identities. Employees, contractors, third-parties, vendors, partners, customers. They’re all out there, and they all need access to bits and pieces of your core assets and data.

Every company has an Oort Cloud. A swirling mass of identities orbiting their business. Whether they’ve discovered it yet or not, it’s always been there. The only difference is that now, in 2023, we can no longer afford to ignore it. The walls have come down and it just takes one errant object to inflict massive damage on our home planet.

Why is identity security suddenly so important?

Identity is the new perimeter. The shift to remote work finally brought these swirling identities into view. We’re all working from our own devices, from our own networks, accessing whatever applications we need to get the job done. Network security and device security don’t stand a chance in this brave new world of distributed work.

Attackers have been quick to target this change. They don’t need to wait for the next unpatchable 0-day vulnerability. In fact, most attackers don’t use malware at all; they simply log in. Once they are in, security teams are blind to how attackers abuse and manipulate identities to access company assets, data, and applications.

Most companies have incredible security tools to secure devices, applications, networks, and data – but almost nothing for identity. Identity is an afterthought.

We intend to change that.

When I say “identity is the new perimeter”, I’m not being hyperbolic: I truly believe that the future of security is identity-first.

Zero trust starts with identity

We’ve witnessed a few missteps in the rollout of Zero Trust. Many organizations jumped directly to Zero Trust Network Access (ZTNA) without realizing that every single ZTNA solution on the planet heavily depends on a solid identity foundation. Identity is so fundamental to adopting Zero Trust that organizations that rushed to deploy ZTNA are now backtracking to reassess whether their identity security program is up to the task (if it even exists in the first place).

At Oort, we’re lucky enough to have some incredible advisors, including John Kindervag – who first coined the term “Zero Trust” when he was an analyst at Forrester. The term Zero Trust has taken on a life of its own with a million different meanings. However, it all comes back to replacing the old “trust but verify” mindset with “never trust always verify.” Unfortunately, ZTNA solutions ignore this mantra when they blindly trust external IAM providers to both authenticate and authorize identities.

When it comes to true Zero Trust adoption, I’m a big fan of CISA’s Zero Trust Maturity Model, which seems to be one of the most sensible paths forward. CISA names Identity as the first pillar of Zero Trust. Understand the actors (who need access) and the assets (what they need access to). Everything else - when, where, why, how - is secondary.

Identity threats are real

Jan Oort used real empirical observations to prove the theory of galactic rotation. We can do the same for identity threats. This is not just a theoretical risk; it’s really happening. According to the 2022 Verizon Data Breach Investigations Report, 80% of all breaches involved the use of lost or stolen credentials. Account takeover is real and it has real repercussions.

A string of high-profile attacks in 2022 proves it. In December, in two separate incidents, attackers stole code from the GitHub accounts of Slack and Okta. These are powerful examples of how hard it is to protect identities within enterprises (for those interested, I wrote a column in Dark Reading about some of the best practices for securing GitHub).

Attackers are also becoming smarter about who they target. Earlier in 2022, Okta was targeted by a group of attackers called Lapsus$. Lapsus$ targeted a customer support agent working for a third party. Via this identity, the attackers were able to access both internal company sites and customer service records.

It’s not simply a case of requiring Multi Factor Authentication (MFA), either. Attackers are now finding ways to bypass MFA, especially weak forms like SMS. A group known as 0ktapus targeted Twilio in order to access one-time passwords (OTPs) delivered over SMS. These passwords could be used by Okta customers as temporary authentication codes. Unfortunately, with access to Twilio, 0ktapus could see these OTPs.

This is not a one off: we see attacks on MFA all the time. Auth0’s 2022 State of Secure Identity Report showed the scale of MFA attacks: on average, they saw 1.24M MFA bypass attacks every day. Sadly, MFA is not the silver bullet.

Bridging the Divide Between IAM and Security

Whose responsibility is identity anyway? Dmitriy Sokolovskiy once summed it up: “identity is at the root of pretty much everything”. Identity is an important piece of any security program; clearly, identifying authentication issues, identity threats, and identity attack surface weaknesses is critical.

Unfortunately, there is a strange, historical disconnect between the IAM infrastructure and the security teams. IT teams have spent years implementing new IAM tools, like Active Directory, Duo, Okta, SailPoint, CyberArk, and many others. Yet security teams often have zero visibility or control over these tools.

Your average security analyst understands network traffic and protocols, device operating systems and vulnerabilities, but when faced with federated SAML or OAuth tokens, they don’t know where to start.

While smart CISOs and security leaders are now adding IAM expertise to their teams and building out their IAM security programs, the vast majority are still in the dark on the fundamental importance of identity to their overall security program.

Just like securing any other infrastructure, IAM infrastructure requires IAM security. IAM security requires expertise.

We’re building the identity security platform

Oort is here to help.

I’m so grateful for everyone that has helped us to quickly become the leaders in the ITDR space. We have exciting plans for 2023 to add new capabilities that will enable security teams to better detect and respond to identity threats.

But we don’t want to stop there: at Oort, we’re building the identity security platform that will provide a complete view of every orbiting identity and the risk they pose to organizations’ data and assets.

Watch this space!

If you want to be part of this journey, we’re hiring! Check out our current openings here: https://oort.io/careers.

If you want to see Oort in action, you can schedule a demo with our team here: https://oort.io/demo.

An artist’s impression of the Oort Cloud. Source: https://www.skyatnightmagazine.com/space-science/what-is-the-oort-cloud/
