Seizing the Communication Opportunity: Aligning Perspectives in Identity Security

Last week, I saw a post from Richard Bird, Chief Security Officer at Traceable. It was simple, effective, and perfectly crystallized some recent thoughts on identity security. He wrote, “ITDR is the use of security language (finally) to define identity control.”

This is true in so many ways. At Identiverse and Gartner IAM this year, I’ve attended sessions about TTPs, Mitre ATT&CK, response playbooks, threat hunting, security data lakes, and XDR.

With a spate of high-profile identity attacks, it’s fair to say that we have caught the attention of security leaders, but how do we go one step further? How do we encourage security teams to be more interested in identity? Likewise, how do we make identity teams start thinking in terms of security? What does good look like?

How we communicate with different stakeholders is critical to this. This includes speaking a common language, aligning processes, and using communication channels that work for users.

Moving From Security to Identity: From One Acronym Hell to Another

Let me share a bit about my journey with you. Last year, I shifted from the world of cybersecurity, specifically cyber threat intelligence, to explore the new lands of identity.

Now, the cyber threat intelligence (CTI) industry has this rather unfortunate habit of drowning itself in acronyms. From IOC, IOA, and APT to IAB, AVC, and ACH, it’s all a bit…much.

Sure, the influence of the military on cybersecurity has brought professionalism and structure, but it also introduced a ton of jargon that can be quite overwhelming, especially for newcomers.

Little did I know that my venture into identity would take it to a whole new level of acronym madness. I found myself surrounded by many acronyms to decipher, like CIAM, CIEM, CNAPP, CSPM, CWPP, IGA, PAM, and PIM. And when I thought I had a handle on it, ITDR and ISPM came to add to the complexity!

In a recent piece of research, I stumbled upon an interesting perspective from James Hoover, Associate Principal Analyst at Gartner. He urged us to "demilitarize our security program," highlighting the significance of addressing this acronym overload in both cybersecurity and identity. Let’s all do better to cut out the acronyms and reduce the BS.

Towards a Common Language

The worlds of security and identity are starting to collide, but there’s still plenty of work to do. One of my favorite quotes on this topic comes from David Mahdi, Chief Identity Officer of Transmit Security. “Identity people are now at the point of no return where you’re going to have to learn more about cybersecurity. Cybersecurity people, conversely, now need to understand the notion of joiner, mover, and leaver and pick up some IAM knowledge.”

Aligning Processes

So far, I’ve spoken generally about “security teams”. One key area where identity teams should play a more significant role is the incident response process.

Establishing clear roles and a shared vocabulary regarding incident response playbooks is essential. For instance, how should the investigation proceed if there's a suspected compromised user? Does the investigating person have access to the necessary context, historical activity, and entitlements?

In the event of wiping a machine, it's not enough to stop there. Consider terminating all active sessions and quarantining the user to prevent login from a different device. Additionally, monitoring for access from new, unmanaged devices should be initiated.

These processes cannot be effectively managed in isolation, necessitating collaboration between security and identity teams. By enhancing communication and alignment well before an incident occurs, we can define effective playbooks and ensure swift response when needed.

Communication Channels That Work for the User

The real winners, however, will be those who manage to build an identity security program that works for the most important stakeholders: the users.

James extols the benefits of meeting “users where they are at”. A great way to achieve this is by using communication channels that work for the user. For example, workers are using Slack and Teams more than email. Why not create workflows directly in these messaging platforms that make more sense for the user? Did you detect a suspicious login? Reach out to the user! Is an employee using a weak form of MFA? Slack them!

In addition to the platform, the tone and language of the message should also be considered. Avoid drowning them in technical jargon and avoid the annoying acronyms. Short videos within messages can make a world of difference, explaining why using a personal VPN or enabling MFA matters.

Summary

As organizations plan for what their identity security program looks like, the worlds of security and identity will continue to collide.

As this happens, security teams need to know more about IAM best practices and grasp how hygiene is vital for reducing their attack surface. Likewise, identity teams should push themselves to learn more from the threat landscape and begin thinking about how they can work with security counterparts. This will help to establish a common understanding between teams, as well as a common language.

At the same time, as we build, we must not forget to focus on making this meaningful to the end user. Mature organizations will embrace new communication channels, such as Slack or Teams, as part of their overall identity security strategy.

First, security professionals can better understand the joiner, mover, and leaver process. Here we need to increase the scope of identity beyond Active Directory. Security professionals should be as familiar with the implications of poor IAM hygiene and weaknesses in the offboarding process as with Golden Ticket attacks and Pass-The-Hash. For security professionals who have an appetite to learn more about identity best practices, we've pulled together a list of helpful resources, articles, books, and podcasts: https://docs.oort.io/best-practices/identity-security-reading-list.

Second, identity teams should learn more about cybersecurity and, specifically, the threat landscape. For example, in response to the rise of session hijacking and cookie theft, IAM teams can work to reduce session lengths. Mitre ATT&CK is awesome for identity teams to understand and categorize these emerging techniques.

In “How a Human-First Approach Will Make Your Identity-First Security Initiative a Success”, James Hoover provides compelling reasons to be “human-first” in your identity security strategy. He argues that for identity security programs, enterprises must consider the diverse workstyles and lifestyles of their user base, acknowledging factors beyond job functions, which can lead to enhanced security, reduced friction, increased productivity, and better user experiences across various channels.

At Oort, for example, you can set up automated Slack/Teams messages to be sent to users failing the checks. We also embed short Security Awareness Training videos from Wizer into these messages so the user understands the importance of rectifying the issue.