Oort Knowledge Base

Identity Posture Score


Last updated 13 days ago

Overview

The Identity Posture Score is a single score calculated for your organization to help you quickly and easily determine areas of focus that will improve your organization's overall identity security hygiene. Scores range from 0 to 100, and from very weak to very good - the higher the score, the better your organization's security posture.

Additionally, recommendations on how to improve your organization's identity posture are provided in order of impact to the score, so you can easily determine which identity security hygiene gaps to prioritize.

The Identity Posture Score is determined based on a number of criteria, including integrations connected, number of users impacted by a check, check severity, user context and other factors. See Calculation of Identity Posture Score for detailed information on how the score is determined and the thresholds associated with each score category.

You can see more information about your organization's current Identity Posture Score, as well as the score's trends over time, on your Dashboard.

There are no settings related to the Identity Posture Score and it cannot be customized directly. To learn more about tuning checks, which can impact the number of users failing a check and thus, indirectly, the Identity Posture Score, please refer to our documentation on customizing checks.

Why should I fix my organization's identity posture?

Identity attacks are really similar to home burglaries

Think of your organization as a house. You make sure all the doors are closed and locked before you go out to run an errand. While you're away, someone decides to break into your house. They will try to get in through the doors first because that's easiest. When they realize all your doors are locked, they don't give up - they try the windows next. But wait... you didn't check the windows! If you can't get the basics of closing and locking all your doors and windows down, it wouldn't make sense to install fancy video cameras or alarm systems to monitor your house while you're away because the burglar will still get in! Although these tools can be helpful to identify the burglar later on, or shorten the amount of time they have to take your valuables, it doesn't stop them from getting into your house in the first place and causing damage.

This house example, though simplified, depicts why it is so critical to address postural issues within your organization.

Just like a burglar, a bad actor will try to use the easiest path first, like guessing the password of accounts with no MFA configured. If that doesn't work, they'll try cleverer approaches, like MFA phishing or session theft, to try and gain access to your system. One thing is for certain - while the attack technique might change, the attacks themselves will not stop.

With good identity security posture, when a threat comes in (because we know they will come in), you have some peace of mind knowing that the basic protections are in place to ensure your organization is less likely to get "broken into". You've made sure all the doors AND windows are locked, by requiring basic MFA methods and cleaning up inactive accounts. As your organization's identity security posture matures, you then take more advanced steps to protect it, like enforcing stronger MFA methods and reducing session lengths.

Improving your organization's identity posture won't stop the attacks from coming, nor will it stop a very determined bad actor who is willing to try everything possible to gain access. But it does ensure that the attacks that come in are generally less risky because the right precautions and measures were put into place. With Cisco Identity Intelligence, you get both sides - Posture Score and posture checks act as the voice in the back of your head reminding you to lock your doors and windows, while User Trust Levels and threat checks act as the fancy security system that monitors and alerts on potentially malicious behavior or threats that should be investigated, and helps clean up as soon as possible if someone does slip through the cracks.

Dashboard widgets

Two widgets related to the Identity Posture Score can be found on the Dashboard. To read more about the widgets, please see our Dashboard documentation for detailed information about each visualization.

Calculation of Identity Posture Score

Cisco Identity Intelligence weighs several factors together in a proprietary algorithm to produce an Identity Posture Score for each organization, which ranges from 0 to 100 and is categorized in distinct thresholds, where a score of:

  • 0-39 is considered Very Weak

  • 40-59 is considered Weak

  • 60-79 is considered Neutral

  • 80-89 is considered Good

  • 90-100 is considered Very Good

An Identity Posture Score will be calculated based on the data available in your organization's tenant. The more data available from different integration instances, the more accurate your score will be. The factors used in this algorithm include the following:

  • Severity levels of specific failed checks: Check severity levels are based on the severity assigned by known attack frameworks such as NIST, MITRE ATT&CK, etc., and the potential risk associated with particular hygiene issues. Critical severity issues are weighted more heavily than low severity issues

  • Scale of a specific posture issue: Determined by looking at the number of users failing specific posture based checks

  • User Context: Specific checks related to MFA were split into subcategories to assign higher priority to posture issues among Priority users, who are higher risk and more sensitive than other users. Priority users are those listed as Integration Instance Admins and/or Executives based on job titles from the HRIS or IdP (ex: Chiefs, VPs, President, etc)

Other factors also impact your Identity Posture score such as:

  • Disabled checks: Checks that are included as part of the Identity Posture Score calculation but have been disabled in your tenant will negatively impact your score. A perfect score (100) cannot be achieved without enabling all checks that are part of the Identity Posture score calculation

  • Integration Instance configuration:

    • As mentioned above, the more integration instances that are connected in your tenant, the more data that is available to contribute to the Identity Posture score calculation. The more data available, the more accurate your organization's score will be. For this reason it is important to set up all available integration instances that exist for your environment. To learn more about what data integrations are available and how to configure them, refer to Integrations

    • Because of Identity Intelligence's data ingestion methods, connecting a new integration to your tenant will temporarily increase your score for 7 days while the new data collection settles. After the data has been collected and normalized, you may notice a decrease in your score based on the new data collected and the associated posture issues of your users

Cisco Identity Intelligence is continuously refining its posture algorithm to include new factors, and/or modify the weighting of factors, to provide the most up-to-date and accurate portrayal of identity posture as possible. Any updates to the calculation will be reflected on this page

How can I improve my organization's Identity Posture Score?

To improve your organization's score you should refer to the recommended actions, which can be found in the widget with your organization's current Identity Posture Score. Each recommended action will provide high level guidance on what step(s) needs to be taken to review and/or remediate each user that is detracting from your organization's score because of check failures.

Click the number of users in this widget to go to the Users page where you can review each user that is impacting your posture score to determine if:

  • the end user needs to make a change to their account (Ex: configure any form of MFA, stop forwarding emails externally, etc.) so that you can contact them directly and remediate the problem

  • the end user's account(s) should be deleted (Ex: this user no longer exists or needs this account)

  • a check's configuration settings need to be tuned to better align with your organization's processes and policies (Ex: the default setting for the Inactive Users check is 30 days, when your organization's process is 90 days)

    • To configure a check's settings, navigate to the check you'd like to modify. If Check Settings are available for that particular check, they will be located in the top right corner of the Check page; select Custom Detection Settings. Note that not all checks have settings that can be modified

  • the Sensitive Applications list in Identity Intelligence needs to be modified to better align with your organization's list of important applications. By default, the "Unused Application for a User" check settings are set to only consider sensitive apps, which are pulled from a pre-configured list set by Identity Intelligence

    • You can either modify the list of Sensitive Apps via the Tenant Settings to add or remove sensitive apps, or you can modify the checks settings for this check to analyze all applications, not just sensitive ones, as described in the bullet above. Note: once you add one Sensitive App to the list, it will erase the entire Identity Intelligence default list, so if you would like to keep any of the default apps, be sure to take a screenshot of the Sensitive App Usage widget on the Dashboard before making any changes

  • there is a specific mitigating control in place that can allow an end user to be excluded from a particular check so that they are no longer failing the check for a specified window of time

It is important to connect your organization's HRIS data to your tenant, as it is a critical component of the Identity Posture Score. A perfect score (100) cannot be achieved without connecting an HRIS system (Workday) or manually uploading HRIS data in your tenant, as this data is critical to identity mapping and data hygiene, and enables specific checks that are part of the overall score calculation
