
Response to: How Cloudflare Mitigated Yet Another Okta Compromise

On 10/21/2023, the Cloudflare team published a detailed blog post outlining a recent security incident involving Okta. Matthew Prince, Cloudflare's CEO, has been outspoken about the breach, attracting significant attention due to Okta's widespread use and the critical nature of their services.


Drawing from our experience as previous founding engineers at Opsgenie (now part of Atlassian), we understand the challenges of maintaining secure and robust systems. In this situation, it's worth highlighting that Okta's customers noticed the breach before Okta did, emphasizing the critical importance of swift communication from Okta's end—a valuable lesson they should internalize.

To me, what matters is that more and more identity- and SaaS-focused vulnerabilities are making the headlines. Okta’s centrality to many organizations’ security makes it a focal point. However, we observe across our customer base that monitoring identity and SaaS applications is becoming an essential component of any IT infrastructure, on par with cloud services.


In their insightful blog, Cloudflare not only shared their incident analysis but also offered recommendations for both Okta and its users. In this post, we aim to build on Cloudflare’s recommendations, providing practical advice on how Okta customers can enhance their security without incurring significant costs.

Let’s review: Cloudflare recommendations for Okta users

1. Enable Hardware MFA for All User Accounts

Passwords alone often fall short in providing adequate protection against sophisticated attacks. Here's where hardware Multi-Factor Authentication (MFA) shines. We highly recommend its implementation for all user accounts. Unlike other MFA methods that may be susceptible to social engineering attacks, hardware keys offer a higher level of security.

Hardware MFA provides an additional layer of defense by incorporating physical protection, making it significantly harder for attackers to compromise your accounts. It's worth emphasizing that MFA shouldn't be limited to Okta alone; all critical systems should have MFA enabled. At Resmo, we've simplified this process by offering native integrations that automate MFA setup. Additionally, our platform can pose automated validation questions to employees, further enhancing security.


2. Investigate all unexpected password and MFA changes

Investigate and respond promptly to any unexpected changes in passwords and MFA settings within your Okta instances. Pay particular attention to any suspicious support-initiated events and verify the validity of all password resets. It's essential to force a password reset for any account under suspicion.

At Resmo, we offer robust support for monitoring events in SaaS systems. Our native audit logs feature provides invaluable insights into your system's activity, enabling faster incident response. Additionally, we facilitate the consolidation of audit events with user data, streamlining your security efforts.


Monitoring events in SaaS systems involves two key approaches:

  • Audit Logs: You can collect audit logs directly from SaaS tools. At Resmo, we support this method through our native audit logs feature. This simplifies the process, providing valuable insights into your system's activity. It also allows you to correlate audit events with user data for faster incident response.
  • User Activity: Another approach is to monitor user activity within browsers and emails. This method can reveal crucial information, such as identifying administrators who haven't logged into a tool for an extended period. This signals the need for access reviews. These practices represent essential security measures that every company should implement.

However, without a tool like Resmo, trying to set up and scale these practices can be challenging and resource-intensive. Our platform streamlines these processes, making them more manageable and efficient for your organization's security needs.

3. Monitor changes associated with Okta users

Monitoring changes related to Okta users is a crucial component of maintaining a secure environment. Here's what you should keep a close eye on:

  • The creation of new Okta users.
  • Reactivation of Okta users.
  • Ensuring that all sessions have proper authentication.
  • Tracking Okta account and permission changes.
  • Monitoring MFA policy overrides, changes to MFA settings, and the removal of MFA.
  • Vigilance regarding the delegation of sensitive applications.
  • Monitoring access by supply chain providers to your tenants.
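
The checks from recommendations 2 and 3 can be run as a simple triage pass over exported Okta System Log events. The following is an added example, not code from Resmo, Cloudflare or Okta; the mapping of checklist items to `eventType` values, the approved-admin list and the severity rule are assumptions, and the sample events are constructed.

```python
# Assumed mapping of the checklist items to Okta System Log eventType values.
WATCHLIST = {
    "user.lifecycle.create": "new user created",
    "user.lifecycle.reactivate": "user reactivated",
    "user.account.reset_password": "password reset",
    "user.account.privilege.grant": "admin privilege granted",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "policy.lifecycle.update": "policy changed",
    "user.session.impersonation.initiate": "support impersonation started",
}
ALWAYS_HIGH = {"user.session.impersonation.initiate"}  # support-initiated access

def ev(time, event_type, actor, *targets):
    """Build a constructed event with only the System Log fields used below."""
    return {"published": time, "eventType": event_type,
            "actor": {"alternateId": actor},
            "target": [{"type": "User", "alternateId": t} for t in targets]}

# Constructed sample events, not taken from any real tenant.
SAMPLE_EVENTS = [
    ev("2024-01-01T09:00:00Z", "user.session.start", "alice@example.com"),
    ev("2024-01-01T09:05:00Z", "user.mfa.factor.deactivate",
       "admin@example.com", "bob@example.com"),
    ev("2024-01-01T09:10:00Z", "user.account.reset_password",
       "carol@example.com", "carol@example.com"),
    ev("2024-01-01T09:15:00Z", "user.lifecycle.create",
       "unknown-svc@example.com", "newuser@example.com"),
    ev("2024-01-01T09:20:00Z", "user.session.impersonation.initiate",
       "support@example.com", "admin@example.com"),
]

def triage(events, approved_admins):
    """Return watchlisted events, rated 'high' when the change is unexpected."""
    findings = []
    for event in events:
        label = WATCHLIST.get(event.get("eventType"))
        if label is None:
            continue  # not one of the monitored change types
        actor = (event.get("actor") or {}).get("alternateId", "unknown")
        targets = [t.get("alternateId") for t in event.get("target") or []
                   if t.get("type") == "User"]
        self_service = targets == [actor]
        # Unexpected: someone outside the approved list changed another account.
        unexpected = actor not in approved_admins and not self_service
        severity = "high" if unexpected or event["eventType"] in ALWAYS_HIGH else "review"
        findings.append({"time": event.get("published"), "severity": severity,
                         "change": label, "actor": actor, "targets": targets})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"admin@example.com"}):
        print(finding)
```

Every "review" finding still needs a human to confirm the change was requested; the severity only orders the queue.
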

Resmo alerts you about the changes in your critical SaaS resources, aligning seamlessly with Cloudflare's monitoring recommendations. Configuring Resmo to generate Jira tickets or deliver Slack messages in response to these changes takes only a few minutes. In fact, Okta's user and policy changes, as well as Cloudflare's configuration changes, are among our most popular change alerts.

It's also worth noting that monitoring changes in all critical software like Cloudflare or JumpCloud, not just Okta, through an external party adds an extra layer of security.


4. Review session expiration policies to limit session hijack attacks

Mitigating session hijack attacks is critical in maintaining a secure environment. While some SaaS applications provide audit logs containing session-related data, Resmo doesn't currently offer a specific feature to validate this. However, rest assured that we have plans to address this specific use case in the near future, enhancing your overall security.

5. Utilize tools to validate devices connected to your critical systems

Resmo provides a unified overview of a user's assets, including managed devices. From this point, you can dive deeper and inspect each device for installed apps. Additionally, you can identify any potentially risky over-permissive browser extensions.


These components, such as direct app access, app-to-app connections, and browser extensions, are all crucial aspects for IT to monitor. They each carry their own significance and can potentially lead to security compromises within your systems.

6. Practice defense in depth for your detection and monitoring strategies

Implementing a robust defense-in-depth strategy is a formidable challenge, given the diverse range of use cases. Conducting regular "gamedays" can prove to be a valuable practice. These exercises simulate real-life security incidents, allowing teams to fine-tune their response strategies and gain valuable insights into potential vulnerabilities.

Closing thoughts

The challenge of app sprawl is real.

In companies with a workforce of 100 or more employees, we often see the utilization of over 400 different business applications.

It's a complex task to ensure the secure use and vigilant monitoring of these SaaS apps, whether employees adopt them knowingly or unknowingly.

Resmo simplifies this challenge by helping IT departments efficiently scale their security and management practices. This results in vigilant oversight, safeguarding both applications and data, while also reclaiming valuable time and resources that might otherwise be wasted on underutilized tools.


To explore further and receive a personalized demo on Okta best practices, as well as discover how we can assist you in securing your critical assets and identities while implementing optimal strategies, please get in touch with us.

Alternatively, you can quickly start a free trial to experience Resmo's capabilities firsthand.
