- Use Cases
In the early hours of March 22, 2022, identity and access management industry leader, Okta, announced that its platform has been the victim of a targeted security attack. Per public social media and website posts, the company’s CEO and Founder, Todd McKinnon, issued a statement saying, “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was thoroughly investigated and contained by the subprocessor.” Further, McKinnon says the company believes that “there is no evidence of ongoing malicious activity.”
Why, then, is this news two months later? First, it could be that this is more than just an attempt at compromise— the attacker is now publicly stating their focus is to cause a security incident among “ONLY Okta customers”. Screenshots publicly shared by LAPSUS$, the threat actor group claiming responsibility for the attack, show details of an apparent internal Okta environment.
Second, as an industry leader, the potential damage that could result from a compromise of Okta (by LAPSUS$ or otherwise) will be widespread. Third, this is a warning to all companies, even the large, sophisticated security providers that are well resourced—like Okta— that they have a target on their back. Threat actors are coming after them. The bigger the provider, the more attractive it is as an exploit target.
If there is a “fourth” here, it is that LAPSUS$ is claiming to have also popped other big providers like Microsoft and LG Electronics (N.B., at the time of this writing, Microsoft is investigating the incident, as well). Whether or not these claims shake out—and only time will tell—it’s just more evidence that attackers are aiming for the most impactful objects.
Another day, another breach? Unfortunately, it seems so, but there are some things companies using Okta should do ASAP.
Items numbered 1 and 3 on this list are likely part and parcel of your security program already. Number 2 may be the place companies get tripped up. Finding all connected SaaS applications may be time consuming if SaaS app inventories are not fully up to date and if the company does not have an automated method of collecting and correlating asset information.
What’s more, understanding the security state of all Okta configurations and the associated confirmation of the connected SaaS apps may be extremely time consuming, especially if manual methods are used to match configurations to internal and/or recommended policies.
Fortunately, Okta already has many security capabilities built into the platform to help identify anomalies and certain misconfigurations. What’s more challenging for Okta is identifying and tracking scope—how many applications and user devices are impacted.
The Axonius SaaS Management platform complements Okta’s native capabilities by allowing users to identify all users, devices, and third-party SaaS apps to which Okta has access and then providing contextualized data around the security state and potential ramifications of a policy violation or misconfiguration.
As with any reported security vulnerability or exploit, more details are certain to come. This breach, if it is a confirmed breach, does not need to be treated as a hair-on-fire event. Instead, it is important to recognize the ever-growing importance of SaaS applications in the enterprise, understand the security risks they pose, and formalize a security program that helps systematically identify: