Week 11, 2023
Oort’s Engineering Team was on 🔥last week. This week, you can benefit from our new dashboard and the ‘Quarantine User’ action type.
All of our checks are there to either a) help prevent account takeover or b) quickly detect compromised accounts. Some examples of compromised account detection include administrator anomalies, new email forwarding rules, parallel sessions, and reported suspicious behavior.
If we identify a compromised account, we also want to give you the power to respond quickly. One of the best actions to take is to quarantine the account. This will prevent the user from accessing applications and performing additional actions.
To set this up, reach out to your favorite Customer Success Manager.
Many of you have been excited to get your hands on our new dashboard, and rightly so! The dashboard provides an overview of some of the most critical aspects of your identity security program, including:
- Identity Snapshot. Understand your total number of identities, including inactive and guest accounts. This also includes the different sources of your identities and any hygiene issues associated with those users.
- Administrator Snapshot. See how many administrators you have across different identity platforms and their latest logins. This helps to protect your most targeted users, with our recent research finding that administrators encounter three times more attacks than regular users.
- Threat Activity. Identify accounts experiencing threats like inactive account probing and MFA flood attacks.
- Multi-Factor Authentication Status. See how many users have no MFA or weak MFA and usage trends.
- Login Geolocation. All user logins are displayed in a helpful map view, showing where your users are logging in.
- Unused Applications. Track applications with no or little usage. Removing access can reduce costs and reverse permission creep.
We’ve made the components dynamic so you can drill down into the full data and explore for yourself. For most of the components, you can also download the CSV (or the image of the chart) from the component itself. For further details about our new dashboard, check out our blog, ‘Oort’s New Identity Security Dashboard.’
We'd love to hear from you if you have any feedback or suggestions for the dashboard!
Last week we announced that we had increased the type of browsers we detect suspicious logins for. In this week’s release, we’ve added more context in the side panel to quickly identify the browser in question and understand the risk. Detection for this check type is also expanded. We previously analyzed the last browser used to log in, whereas the check will now look at all browsers used for the login.
Bug Fixes and Minor Improvements
- IP Context for Reported Activity. Additional context on an IP address is available in the activity panel for the ‘Suspicious Activity Reported by End User’ check.
- Sensitive Applications. In Tenant Settings, under ‘Sensitive Applications,’ you can edit and add applications you wish to define as sensitive. A bug that wrongly named applications from Okta has been fixed.