Week 29, 2022

Oort is in the AWS Marketplace!

Oort is now available in the AWS Marketplace! You can now subscribe to Oort’s identity security platform directly from the marketplace portal, giving you a single point of sale for a simplified procurement process. You can also see pricing, see a demo video, read reviews, and kick off a free trial. Check it out here!

New Features

🎛 🏷 ⏰ New Settings Page, Application Sensitivity Tagging & Checks Timing

You can now customize important aspects of your Oort tenant on an all-new Settings page. You can now label the applications in your IdP as “Sensitive” and have the tag show up wherever the application shows up in activity. Additionally, you can now set the time of day for your Identity Security Checks to run. This helps Oort admins select an appropriate time for any notifications to start firing.

🔏 ⚠️ 👩‍👩‍👧‍👦 0️⃣ See Access Granted By, Self Granted Access Flag, Groups & Unused Applications

You can now see who granted access to an application. Application access that a user granted to themselves is now flagged in the user’s applications table. This warning could indicate privilege escalation or lateral movement, so you’ll want to pay attention to the user. A user’s unused applications are now easily visible to enable quick evaluation of access requirements. If a user has unused applications, it makes sense to remove their access to reduce the identity attack surface. Their group memberships are now easily viewable as well.

📊 Application Access Cohort Analysis

Our data science team has been busy! You can now see how a user’s access to applications compares to that of their peers. An outsized number of authorized applications can create additional, unnecessary organizational risk from that account. 😬

**NEW** Identity Security Checks:

✅ Super Admin Login to Google

This check reports any time a user with “super admin” privileges logs into the Google Workspace console. Whether it’s nefarious activity or just someone overusing the privilege, it’s important to see this activity at a glance and to make it easy to take action to investigate where warranted.

✅ Unmanaged Devices Access

This check detects whether a user has accessed from an unmanaged device in the last 7 days (configurable). Oort indicates, per event and IP, whether the device was managed, so you can inspect it more closely.

✅ User Activity Anomaly

Adversaries may create or modify an account to maintain access to victim systems, or modify configuration settings to evade defenses and/or escalate privileges. To identify such actions, Oort alerts on new (over the last 90 days) administrative actions performed by an account, or on actions performed on multiple targets simultaneously (more than 10 targets in 10 minutes – configurable).
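The two conditions of this check (an administrative action that is new for the account over the last 90 days, and more than 10 targets in 10 minutes) can be sketched as follows. This is an added example, not Oort's code; the event fields (timestamp, actor, action, target), the `alert_from` cold-start cutoff and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)   # "new (over last 90 days)"
WINDOW = timedelta(minutes=10)  # burst window
MAX_TARGETS = 10                # alert on MORE than 10 distinct targets

def detect(events, alert_from):
    """events: time-sorted (timestamp, actor, action, target) tuples (assumed schema).
    Events before alert_from only build history, so a cold start is not all alerts."""
    last_seen = {}                # (actor, action) -> last time seen
    recent = defaultdict(deque)   # actor -> (timestamp, target) inside WINDOW
    bursting = set()              # actors already alerted for the current burst
    alerts = []
    for ts, actor, action, target in events:
        live = ts >= alert_from
        prev = last_seen.get((actor, action))
        if live and (prev is None or ts - prev > LOOKBACK):
            alerts.append((ts, actor, "new_admin_action", action))
        last_seen[(actor, action)] = ts

        window = recent[actor]
        window.append((ts, target))
        while ts - window[0][0] > WINDOW:   # drop events older than 10 minutes
            window.popleft()
        distinct = len({t for _, t in window})
        if distinct <= MAX_TARGETS:
            bursting.discard(actor)
        elif live and actor not in bursting:
            bursting.add(actor)
            alerts.append((ts, actor, "multi_target_burst", distinct))
    return alerts

def sample_events():
    """Constructed sample: two accounts with history, one new action, one burst."""
    d = datetime
    events = [
        (d(2022, 6, 1, 9, 0), "alice", "reset_password", "user01"),
        (d(2022, 6, 15, 9, 0), "carol", "reset_password", "user00"),
        (d(2022, 7, 18, 9, 0), "alice", "reset_password", "user02"),
        (d(2022, 7, 18, 10, 0), "bob", "grant_admin_role", "user03"),
    ]
    start = d(2022, 7, 18, 11, 0)   # carol touches 11 targets in 5 minutes
    events += [(start + timedelta(seconds=30 * i), "carol", "reset_password",
                f"user{10 + i}") for i in range(11)]
    return events

if __name__ == "__main__":
    for alert in detect(sample_events(), alert_from=datetime(2022, 7, 18)):
        print(alert)
```

The `bursting` set raises one alert per burst rather than one per event, and the strict `>` comparison means exactly 10 targets in the window stays quiet.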

✅ New Country for Tenant

Attackers may obtain and abuse account credentials to gain initial access, persistence, privilege escalation, or defense evasion. Monitoring access from locations with no operations can identify such credential misuse. To identify compromised accounts, Oort alerts on successful logins from a country that is new (over the last 90 days) for the tenant, made from a new, unmanaged device.

✅ MFA Flood

This is one of the more recent TTPs, whereby an attacker overwhelms a legitimate end user with MFA requests in order to get them to simply grant access so that the alerts stop. Oort allows you to configure the rate at which this check fails.
