
8 Okta Security Best Practices to Implement Now

Cyber attackers are continuously upping their game. They make it their mission to constantly search for user, system, and infrastructure vulnerabilities and gain unauthorized access to sensitive data. 

With 61% of data breaches involving compromised credentials (Verizon 2021 DBIR), the consequences of an IAM breach range from immediate financial loss to lasting reputational damage. Organizations must take proactive measures, with specialized tools like Okta, to identify and prevent IAM breaches.

Okta is a leading identity and access management provider with excellent features to safeguard your digital identities against cyber attacks. In this article, we will discuss eight security best practices to get the most out of Okta.

What is Okta Security?

Okta is an identity and access management service for businesses and developers. It offers two main products: Customer Identity Cloud and Workforce Identity Cloud.

The Customer Identity Cloud is designed to secure consumer and Software as a Service (SaaS) applications across various industries, handling authentication, authorization, and secure access. On the other hand, the Workforce Identity Cloud aims to secure employees, contractors, and business partners, covering every part of the identity lifecycle.

Despite Okta’s reputation and capabilities, even Okta itself has been breached. This underlines that no identity provider removes the need to monitor your own tenant and be ready to act: however trusted the tool, its logs and administrative activity deserve the same vigilance as the rest of your estate.

Why Do You Need an Identity Provider Like Okta Security?

Imagine your organization as a castle holding your most valuable digital treasures. In that picture, an identity provider like Okta is the watchful gatekeeper, strengthening the castle’s defenses against IAM threats and safeguarding sensitive data.

But the story doesn’t end there. As your organization scales, the benefits of having such an identity provider will multiply.

  • Enhanced security – Like the guardian at the castle gates, Okta centralizes access controls, authentication, and user management, ensuring that only those with the right keys gain entry to your digital assets.
  • Increased productivity – With single sign-on, users who access many resources sign in once instead of re-entering credentials for each application.
  • Reduced IT workload – Okta can also act as the magician of your castle by automating various identity and access management tasks like user provisioning and freeing up IT resources.
  • Regulatory compliance – Okta helps organizations meet compliance requirements around data security, access controls, and auditing.

What Types of IAM Threats Might You Face?

IAM attacks constantly change, and attackers keep trying different methods to find weaknesses in users or systems. Here are a few common types of IAM threats and how Okta protects your organization against them:

  • Brute force attacks – Attackers try to guess a user’s password through repeated login attempts. Okta’s password policy can lock the account after a configurable number of failed attempts, and Okta ThreatInsight can block requests from IP addresses showing credential-stuffing patterns. Lockout is per account, so it does little against password spraying (one password tried across many users) and can be turned into a denial of service against legitimate users; pair it with monitoring of failed logins per source IP.
  • MFA push notification fatigue – Attackers who already hold a valid password flood the user with Okta Verify push prompts, hoping one gets approved by mistake. Okta Verify’s number challenge makes the user type a number shown on the login screen, so a prompt cannot be approved blindly, and policies can limit how many push verifications are sent within a period.
  • Session hijacking – Attackers steal a user’s valid session cookie and replay it to take over the account. Short session lifetimes, re-authentication for sensitive applications and Device Trust (sessions only from managed devices) limit what a stolen cookie is worth.
  • Phishing – Attackers harvest credentials, and increasingly OTP codes, through spoofed login pages or adversary-in-the-middle proxies. Phishing-resistant authenticators such as FIDO2 (WebAuthn) security keys and Okta FastPass bind the credential to the legitimate origin, so a look-alike site cannot complete the login; a custom domain for your Okta tenant and email authentication (SPF, DKIM, DMARC) for Okta-sent mail make spoofed pages and messages easier to spot.

8 Okta Security Best Practices


1. Use Okta SDKs and Libraries

Okta provides various SDKs and libraries for different programming languages and platforms. These pre-built code components and features are highly recommended when integrating Okta into your applications. In addition to smooth integrations, this approach provides several significant advantages:

  • Saves time
  • Ensures secure communication with Okta (TLS, correct token validation, safe session handling)
  • Standardizes IAM implementations across your applications
  • Reduces the likelihood of coding errors in security-critical paths

Tips for selecting and maintaining SDKs:

  • Choose the official SDK that matches your application’s language and platform, and prefer it over hand-rolled OAuth 2.0/OIDC code.
  • Pin versions and update them promptly; SDK releases often carry fixes for token-validation and session-handling bugs.
  • Track security advisories for the SDK and its transitive dependencies, and run your package manager’s audit tooling in CI.
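To make concrete what a hand-rolled integration tends to get wrong, here is an added example (not Okta SDK code and not from this article) of the header and claim checks an SDK performs on an Okta-issued token before it is trusted. The issuer and audience values are assumptions; signature verification against the issuer’s JWKS is the other half of the job and is left to the library:

```python
"""Header and claim checks that an Okta SDK performs before trusting a token.

Added example, not Okta SDK code. The issuer, audience and helper names are
assumptions for the demo. Signature verification against the issuer's JWKS
(the other half of validation) is left to a real library; what follows are the
checks most often missed when token handling is written by hand.
"""
import base64
import json
import time

EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"  # assumed authorization server
EXPECTED_AUDIENCE = "api://default"                           # assumed audience value
ALLOWED_ALGS = {"RS256"}                                      # Okta signs with RS256; never accept "none" or HMAC


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])), parts[2]


def check_header_and_claims(token: str, now=None, leeway: int = 30) -> dict:
    """Return the claims if header and claims are acceptable, otherwise raise ValueError.

    A passing result only means the token is worth verifying cryptographically;
    the caller must still check the signature against the JWKS key named by `kid`.
    """
    now = time.time() if now is None else now
    header, claims, _signature = split_token(token)

    # 1. Algorithm allow-list: the token must not get to choose "none" or an HMAC alg
    #    (the classic key-confusion bug when the public key is used as an HMAC secret).
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Exact issuer match: another Okta org or authorization server is a different trust domain.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    # 3. Audience may be a string or a list; ours must be present so a token minted
    #    for some other API cannot be replayed against this one.
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 4. Time window with a small allowance for clock skew.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now + leeway < claims.get("nbf", claims.get("iat", 0)):
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, now=None):
    """None when the token passes the checks above, else the reason it was refused."""
    try:
        check_header_and_claims(token, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def make_demo_token(header: dict, claims: dict) -> str:
    """Build a token with an empty signature segment. Constructed test input only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


if __name__ == "__main__":
    good_claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "00u1abc",
                   "iat": 1_700_000_000, "exp": 1_700_003_600}
    print(rejection_reason(make_demo_token({"alg": "RS256", "kid": "k1"}, good_claims), now=1_700_000_100))
    print(rejection_reason(make_demo_token({"alg": "none"}, good_claims), now=1_700_000_100))
```

Notice what the SDK saves you from: a token whose header says alg: none passes straight through a naive decode, a token minted for a different audience is a perfectly valid token that simply is not yours, and skipping the leeway turns every bit of clock drift into a support ticket.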

2. Secure API Tokens

API tokens are the keys to your digital fortress, providing access to stored digital assets. Therefore, securing API tokens is crucial to prevent unauthorized access to sensitive information and resources.

Tips to secure API tokens:

  • Store API tokens in a secrets manager rather than in code or config files, and load them into the process only at runtime.
  • Okta’s classic API tokens inherit every permission of the administrator who created them, so create them from a dedicated least-privileged admin account. Where possible use OAuth 2.0 for Okta APIs instead, where a service app is granted only the scopes it needs.
  • Keep lifetimes short: Okta’s API tokens expire automatically after 30 days without use, and they can be restricted to a network zone so a leaked token is useless from outside your infrastructure. Treat any token older than 90 days as due for rotation.
  • Audit the token inventory regularly, revoke tokens that are no longer needed, and alert on every token creation.
  • Transmit tokens only over TLS (Okta’s API does not accept plain HTTP) and never write them to logs.
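An added example (not Okta’s code) of the audit in the fourth tip: it walks a constructed token inventory and flags tokens that are expired, old, idle, or not pinned to a network zone. The record shape mirrors Okta’s API token listing but is an assumption here, as are the 90-day and 30-day thresholds:

```python
"""Audit Okta API tokens for age, inactivity, expiry and network restriction.

Added example, not Okta's code. The sample records are constructed; their
field names follow the shape of Okta's API token listing (id, name, userId,
created, lastUpdated, expiresAt, network) but that shape is an assumption here.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the findings are reproducible


def parse_ts(s: str) -> datetime:
    """Okta timestamps look like 2024-02-28T00:00:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed sample: three tokens as an admin might see them in a listing.
SAMPLE_TOKENS = [
    {"id": "00Ta", "name": "ci-deploy", "userId": "00u1",
     "created": "2023-06-01T00:00:00.000Z", "lastUpdated": "2024-02-28T00:00:00.000Z",
     "expiresAt": "2024-03-29T00:00:00.000Z",
     "network": {"connection": "ZONE", "include": ["nzo1ci"]}},   # restricted to a network zone
    {"id": "00Tb", "name": "old-script", "userId": "00u2",
     "created": "2022-01-15T00:00:00.000Z", "lastUpdated": "2023-11-01T00:00:00.000Z",
     "expiresAt": "2023-12-01T00:00:00.000Z",
     "network": {"connection": "ANYWHERE"}},                       # usable from any IP
    {"id": "00Tc", "name": "test-token", "userId": "00u1",
     "created": "2024-02-20T00:00:00.000Z", "lastUpdated": "2024-02-20T00:00:00.000Z",
     "expiresAt": "2024-03-21T00:00:00.000Z",
     "network": {"connection": "ANYWHERE"}},
]


def audit_token(token: dict, now: datetime = NOW, max_age_days: int = 90, idle_days: int = 30) -> list:
    """Return the list of findings for one token (an empty list means nothing to act on)."""
    findings = []
    age = (now - parse_ts(token["created"])).days
    idle = (now - parse_ts(token["lastUpdated"])).days
    if parse_ts(token["expiresAt"]) < now:
        findings.append("expired")  # already dead; revoke so it stops cluttering the inventory
    if age > max_age_days:
        findings.append(f"older than {max_age_days} days (age {age})")  # rotate: long-lived secrets leak
    if idle > idle_days:
        findings.append(f"idle for {idle} days")  # an unused token is pure risk with no benefit
    if token.get("network", {}).get("connection") != "ZONE":
        findings.append("no network zone restriction")  # a stolen token would work from anywhere
    return findings


def audit_tokens(tokens, now: datetime = NOW) -> dict:
    """Map token id -> findings, keeping only tokens that need attention."""
    report = {}
    for t in tokens:
        f = audit_token(t, now)
        if f:
            report[t["id"]] = f
    return report


def revoke_candidates(tokens, now: datetime = NOW) -> list:
    """Tokens that are expired or idle: revoke these first, then rotate the rest."""
    return [t["id"] for t in tokens
            if any(f == "expired" or f.startswith("idle") for f in audit_token(t, now))]


if __name__ == "__main__":
    for token_id, findings in audit_tokens(SAMPLE_TOKENS).items():
        print(token_id, findings)
    print("revoke first:", revoke_candidates(SAMPLE_TOKENS))
```

In practice the input comes from the token listing in the Okta admin console or API and the output feeds a ticket or a revoke call; the point is that age, inactivity and network scope are all visible in the inventory, so there is no excuse for a two-year-old token usable from anywhere.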


3. Integrate with ITDR Solutions

Identity Threat Detection and Response (ITDR) is a security solution category designed to detect, investigate, and respond to potential security threats that target an organization’s identities, credentials, and cloud entitlements. It entails detecting unusual activities, identifying compromised credentials, integrating with identity and access management (IAM) policy enforcement, and more. It’s important to note that integrating Okta with ITDR is a continuous process. While it helps to enhance an organization’s security posture, it does require regular updates and reviews to ensure it evolves with the changing threat landscape and effectively mitigates identity threats.

Here are a few tips to follow when integrating Okta with ITDR:

  • Start with a gap analysis of your current detection coverage, and confirm the ITDR vendor covers Okta-specific threats (System Log event types, admin role changes, factor resets) and behavioral analysis, not just generic login anomalies.
  • Map your compliance requirements to Okta’s controls and logs so the integration produces the evidence auditors ask for.
  • Pilot the integration on a subset of users before full rollout and fix what breaks.
  • Run tabletop or simulation exercises so responders know what to do with the alerts the Okta-ITDR integration raises.
  • Stream the Okta System Log (the /api/v1/logs API or Okta Log Streaming) into the ITDR tool in near real time, and make sure it prioritizes Okta findings according to your own threat model rather than a generic score.
  • Use Okta’s APIs to connect the rest of your IT ecosystem (HR system, SIEM, ticketing) so identity events carry context and responses can be automated.
  • Put applications behind Okta single sign-on so access is enforced and logged in one place; an application that still accepts local passwords is invisible to the integration.
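What an ITDR integration actually consumes is the Okta System Log. As an added example (not Rezonate’s or Okta’s code), here are three detections run over constructed log records: MFA push fatigue, password spraying followed by a successful login from the same source, and API token creation. The event type names are Okta’s; the thresholds and the sample records are assumptions:

```python
"""Three detections over Okta System Log events, the feed an ITDR tool consumes.

Added example, not Rezonate's or Okta's code. The events are constructed and
carry only the fields the detections read; event type names are Okta's, the
thresholds are assumptions to tune for your org.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def ev(published, event_type, actor, ip, result="SUCCESS", reason=None, target_name=None):
    """Minimal System Log record (constructed)."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "outcome": {"result": result, "reason": reason},
            "target": [{"type": "Token", "displayName": target_name}] if target_name else []}


SAMPLE_EVENTS = [
    # MFA fatigue: six pushes to alice inside four minutes and one explicit deny.
    ev("2024-03-01T10:00:00", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:00:40", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:01:00", "user.mfa.okta_verify.deny_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:01:20", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:02:00", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:02:40", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    ev("2024-03-01T10:03:20", "system.push.send_factor_verify_push", "alice@example.com", "203.0.113.7"),
    # Background noise: one mistyped password from the office.
    ev("2024-03-01T09:30:00", "user.session.start", "bob@example.com", "203.0.113.50", "FAILURE", "INVALID_CREDENTIALS"),
    # Password spray: one IP, five users, one password each, then a hit on frank.
    ev("2024-03-01T11:00:00", "user.session.start", "bob@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    ev("2024-03-01T11:00:10", "user.session.start", "carol@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    ev("2024-03-01T11:00:20", "user.session.start", "dave@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    ev("2024-03-01T11:00:30", "user.session.start", "erin@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    ev("2024-03-01T11:00:40", "user.session.start", "frank@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    ev("2024-03-01T11:05:00", "user.session.start", "frank@example.com", "198.51.100.9"),
    # A new API token is always worth a ticket: it is a long-lived admin credential.
    ev("2024-03-01T12:00:00", "system.api_token.create", "admin@example.com", "192.0.2.4", target_name="ci-token"),
]


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold pushes within any `window`; denies are reported alongside."""
    sends, denies = defaultdict(list), defaultdict(int)
    for e in events:
        user = e["actor"]["alternateId"]
        if e["eventType"] == "system.push.send_factor_verify_push":
            sends[user].append(_t(e["published"]))
        elif e["eventType"] == "user.mfa.okta_verify.deny_push":
            denies[user] += 1
    alerts = []
    for user, times in sends.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted send times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i > best:
                best, first, last = j - i, times[i], times[j - 1]
        if best >= threshold:
            alerts.append({"user": user, "pushes": best, "denied": denies[user],
                           "first": first.isoformat(), "last": last.isoformat()})
    return alerts


def detect_password_spray(events, min_users=5, window=timedelta(minutes=30)):
    """One source IP failing with bad credentials against many distinct users in a short window."""
    fails = defaultdict(list)
    for e in events:
        if (e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE"
                and e["outcome"]["reason"] == "INVALID_CREDENTIALS"):
            fails[e["client"]["ipAddress"]].append((_t(e["published"]), e["actor"]["alternateId"]))
    alerts = []
    for ip, attempts in fails.items():
        attempts.sort()
        users = sorted({u for _, u in attempts})
        if len(users) < min_users or attempts[-1][0] - attempts[0][0] > window:
            continue
        # A later successful login from the same IP turns a spray into a confirmed compromise.
        hits = sorted({e["actor"]["alternateId"] for e in events
                       if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS"
                       and e["client"]["ipAddress"] == ip and _t(e["published"]) >= attempts[0][0]})
        alerts.append({"ip": ip, "targeted_users": users, "later_success_for": hits})
    return alerts


def detect_api_token_creation(events):
    """Every API token creation is reportable; correlate it with a change ticket."""
    return [{"actor": e["actor"]["alternateId"], "ip": e["client"]["ipAddress"],
             "token": e["target"][0]["displayName"] if e["target"] else None}
            for e in events if e["eventType"] == "system.api_token.create"]


def run_all(events=SAMPLE_EVENTS):
    return {"mfa_push_fatigue": detect_push_fatigue(events),
            "password_spray": detect_password_spray(events),
            "api_token_created": detect_api_token_creation(events)}


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name, alerts)
```

The spray detector deliberately reports whether the same source later logged in successfully: that single field is what separates "someone is knocking" from "someone is inside" and should drive the response priority. The single office typo never trips the detector because it involves one user, which is why the threshold is on distinct users rather than on failures.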

4. Develop an IAM Strategy

When organizations scale, they face issues managing user identities and access across multiple systems. A well-defined IAM strategy makes such situations tractable. A typical IAM strategy consists of objectives, an identity inventory, IAM solution selection, access control policies, and more. With Rezonate’s intuitive and collaborative IAM solution, you gain real-time visibility over accounts, assets, and identity levels, and it automatically uncovers and removes risky permissions. Rezonate integrates with Okta, so you can be up and running within 15 minutes with one-click deployment.

Tips to follow when developing an IAM strategy:

  • Clearly define the objectives and goals.
  • Create workflows for user onboarding, offboarding, and role changes.
  • Take stock of all user identities within your organization.
  • Choose a robust IAM solution.
  • Use RBAC to assign and manage permissions based on user roles.


5. Automate Account Lifecycles

Automating account lifecycles involves creating processes to manage user accounts from creation to deactivation or removal automatically. This simplifies tasks related to onboarding, offboarding, and role changes.

For example, when a new employee joins a company, automation will create an account, assign role-specific permissions, and provide access to the necessary resources. This ensures employees can access the tools and resources they need from day one.

Tips to automate account lifecycles:

  • Set up policies to provision and de-provision accounts immediately when employees join and leave.
  • Set alerts to detect if users gain additional application access or privileged roles over time to curb privilege creep.
  • Ensure automation is integrated with identity management, HR, and other relevant tools.
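An added example (not Okta’s or Rezonate’s code) of the reconciliation an automated lifecycle runs: diff an HR roster against Okta users and produce the joiner, mover and leaver actions, including the orphaned account and the hand-granted group that automation should not silently touch. Both data sets are constructed and the department-to-group mapping is assumed:

```python
"""Joiner / mover / leaver reconciliation between an HR roster and Okta users.

Added example, not Okta's or Rezonate's code. Both data sets are constructed;
the Okta records mimic the user object (status, profile.login,
profile.employeeNumber, profile.department) plus a `groups` list the real API
would return from a separate call. The department-to-group mapping is assumed.
"""

DEPT_GROUPS = {"engineering": "grp-engineering", "finance": "grp-finance"}  # assumed mapping

HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.com", "department": "engineering", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "department": "finance", "status": "active"},        # mover
    {"employee_id": "E102", "email": "carol@example.com", "department": "finance", "status": "terminated"},  # leaver
    {"employee_id": "E103", "email": "dave@example.com", "department": "engineering", "status": "active"},   # joiner
]

OKTA_USERS = [
    {"id": "00u1", "status": "ACTIVE", "groups": ["grp-engineering"],
     "profile": {"login": "alice@example.com", "employeeNumber": "E100", "department": "engineering"}},
    {"id": "00u2", "status": "ACTIVE", "groups": ["grp-engineering", "grp-prod-admins"],
     "profile": {"login": "bob@example.com", "employeeNumber": "E101", "department": "engineering"}},
    {"id": "00u3", "status": "ACTIVE", "groups": ["grp-finance"],
     "profile": {"login": "carol@example.com", "employeeNumber": "E102", "department": "finance"}},
    {"id": "00u4", "status": "ACTIVE", "groups": ["grp-engineering"],          # orphan: no HR record at all
     "profile": {"login": "erin@example.com", "employeeNumber": "E999", "department": "engineering"}},
]


def reconcile(roster, okta_users, dept_groups=DEPT_GROUPS):
    """Compute the changes needed to make Okta match HR. Returns a plan; it does not apply it."""
    plan = {"create": [], "deactivate": [], "add_to_group": [], "remove_from_group": [], "review": []}
    by_emp = {u["profile"]["employeeNumber"]: u for u in okta_users}
    managed = set(dept_groups.values())       # groups whose membership is derived from HR data
    seen = set()
    for person in roster:
        seen.add(person["employee_id"])
        user = by_emp.get(person["employee_id"])
        if person["status"] != "active":      # leaver: deactivate immediately, never leave ACTIVE
            if user and user["status"] == "ACTIVE":
                plan["deactivate"].append(user["id"])
            continue
        if user is None:                      # joiner: the account does not exist yet
            plan["create"].append(person["email"])
            continue
        wanted = dept_groups[person["department"]]
        for g in user["groups"]:
            if g in managed and g != wanted:  # mover: drop the old department's access
                plan["remove_from_group"].append((user["id"], g))
            elif g not in managed:            # hand-granted group: flag for review, do not touch
                plan["review"].append((user["id"], g))
        if wanted not in user["groups"]:
            plan["add_to_group"].append((user["id"], wanted))
    for user in okta_users:                   # orphans: ACTIVE in Okta with no HR record
        if user["status"] == "ACTIVE" and user["profile"]["employeeNumber"] not in seen:
            plan["deactivate"].append(user["id"])
    return plan


if __name__ == "__main__":
    for action, items in reconcile(HR_ROSTER, OKTA_USERS).items():
        print(action, items)
```

Two design choices matter for security. The mover loses the old department’s group before anything else happens, because role changes are where privilege creep accumulates. And the manually granted grp-prod-admins membership is surfaced for a human rather than removed or kept automatically: automation should own the groups it derives, and make the rest visible.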

6. Regularly Audit Access and Privileges

Regular access and privilege audits help organizations ensure users have appropriate access levels to perform assigned tasks. In addition, they help to identify security gaps, reduce the risk of unauthorized access, and ensure compliance with policies and regulatory requirements.

Tips to follow when performing audits:

  • Establish a routine audit schedule.
  • Maintain precise records of user accounts, their roles, and their permissions.
  • Identify and pay special attention to high-privileged accounts like administrators.
  • Revoke access and privileges that are no longer needed.
  • Implement RBAC.
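An added example (not Okta’s code) of a privilege audit that applies the tips above to a constructed user list: which admins lack a phishing-resistant factor, which rely on SMS, which have gone dormant, and whether the number of super admins has crept past a ceiling. Role and factor type names are Okta’s; the FastPass factor type and all thresholds are assumptions:

```python
"""Privilege audit over Okta users: admin roles, MFA strength and dormancy.

Added example, not Okta's code. The records are constructed; role type names
(SUPER_ADMIN, ORG_ADMIN) and factor types (webauthn, push, sms) are Okta's,
while the `signed_nonce` factor type for Okta FastPass and every threshold are
assumptions to adjust for your org.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
PHISHING_RESISTANT = {"webauthn", "signed_nonce"}  # FIDO2/WebAuthn and (assumed type name) Okta FastPass

# Constructed sample: what you would assemble from the users, roles and factors endpoints.
SAMPLE_USERS = [
    {"login": "alice@example.com", "roles": ["SUPER_ADMIN"], "factors": ["webauthn", "push"],
     "lastLogin": "2024-02-28T00:00:00.000Z"},
    {"login": "bob@example.com", "roles": ["SUPER_ADMIN"], "factors": ["sms"],
     "lastLogin": "2024-02-25T00:00:00.000Z"},
    {"login": "carol@example.com", "roles": ["ORG_ADMIN"], "factors": ["push"],
     "lastLogin": "2023-10-01T00:00:00.000Z"},
    {"login": "dave@example.com", "roles": [], "factors": ["push"],
     "lastLogin": "2023-01-01T00:00:00.000Z"},
    {"login": "svc-backup@example.com", "roles": ["SUPER_ADMIN"], "factors": [],
     "lastLogin": "2024-02-27T00:00:00.000Z"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_privileges(users, now=NOW, stale_days=90, max_super_admins=2) -> dict:
    """Map login -> findings for accounts that need attention, plus an `_org` entry for tenant-wide issues."""
    report = {}
    for u in users:
        findings = []
        factors = set(u["factors"])
        admin_roles = [r for r in u["roles"] if r.endswith("_ADMIN")]
        days_idle = (now - parse_ts(u["lastLogin"])).days
        if admin_roles:
            role = admin_roles[0]
            if not factors:                                   # an admin with no MFA at all
                findings.append(f"{role} with no MFA enrolled")
            elif not factors & PHISHING_RESISTANT:            # OTP/push only: phishable
                findings.append(f"{role} without a phishing-resistant factor")
            if "sms" in factors:                              # SIM swap makes SMS the weakest factor
                findings.append("SMS enrolled as a factor on an admin account")
            if days_idle > stale_days:                        # dormant admin: remove the role
                findings.append(f"admin not signed in for {days_idle} days")
        elif days_idle > stale_days:                          # dormant user: deactivate
            findings.append(f"no sign-in for {days_idle} days; candidate for deactivation")
        if findings:
            report[u["login"]] = findings
    super_admins = [u["login"] for u in users if "SUPER_ADMIN" in u["roles"]]
    if len(super_admins) > max_super_admins:                  # keep the blast radius small
        report["_org"] = [f"{len(super_admins)} SUPER_ADMIN accounts exceeds the limit of {max_super_admins}"]
    return report


if __name__ == "__main__":
    for login, findings in audit_privileges(SAMPLE_USERS).items():
        print(login, findings)
```

Run this on a schedule and diff the output against the previous run: a new entry is either a new admin or an admin whose factors changed, and both deserve a look. The service account in the sample is the usual offender, holding the highest role with no second factor because "it is only used by a script".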


7. Leverage Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a security measure that requires two or more verification methods to grant access to a system. MFA combines something you know (password) with something you have (mobile device) or something you are (fingerprint or face recognition).

For example, if an employee’s password leaks, an attacker still cannot sign in without the second factor. The caveat is that not all factors are equal: OTP codes can be phished through a proxy site and push prompts can be spammed until one is approved, so the strength of the second factor matters as much as its presence.

Here are a few tips to follow when enabling MFA:

  • Enable MFA for all users, including service and break-glass accounts, with no exceptions for executives.
  • Prefer phishing-resistant methods (FIDO2/WebAuthn security keys, Okta FastPass), at least for administrators; OTP apps and push are acceptable fallbacks, while SMS and voice should be a last resort.
  • Consider adaptive authentication, which assesses risk factors such as device, location, and network and adjusts the level of MFA required.
  • Provide backup authentication methods for lost devices, but hold them to the same standard: a weak recovery factor such as SMS undermines a strong primary one.

8. Configure Strong Password Policies

Password policies are rules and requirements defined to strengthen the passwords users create. These policies typically include password complexity, length, and expiration time guidelines. Even without specialized tools, a strong password protects against brute-force attacks.

Here are a few tips to consider when defining a password policy:

  • Require a minimum length (12 characters is a reasonable floor) and favor length over composition rules; if you do require a mix of character classes, keep the rules simple so users do not fall back on predictable patterns.
  • Screen new passwords against common and breached-password lists so values like ‘abcd1234’ are rejected; Okta’s password policy can exclude common passwords and the user’s own username.
  • Rotate passwords on evidence of compromise rather than on a fixed schedule; NIST SP 800-63B no longer recommends periodic forced changes, which push users toward predictable variations of the old password.
  • Lock user accounts temporarily after a set number of failed login attempts, and alert on lockouts so a brute-force or spray campaign is noticed.

How to Protect Your Okta Environment from Threats

Okta is one of the leading identity providers around the globe. However, as organizations move their resources towards the cloud, we can see a significant increase in threats to cloud identities and access management. This highlights the importance of using specialized tools like Rezonate to detect and mitigate risks before they become critical.

Rezonate is a modern identity and access management tool that integrates with Okta to help detect risks and threats across your Okta infrastructure. Moreover, it brings continuous risk monitoring, least privilege, real-time threat detection, and automated remediation to supercharge your IAM solution.

Book a free demo of Rezonate today and witness firsthand how it can revolutionize your organization’s access security.


Continue Reading

More Articles
Defending Azure Active Directory (Entra ID): Unveiling Threats through Hunting Techniques

Defending Azure Active Directory (Entra ID): Unveiling Threats through Hunting Techniques

Azure Active Directory (Entra ID) stands as one of the most popular and widely-used cloud-based identity and access management services provided by Microsoft. It serves as a comprehensive solution for managing user identities and controlling access to a diverse range of resources, both within the Microsoft Azure ecosystem and across other platforms. Azure AD offers crucial features like single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), and directory services.  Understanding  Azure AD logs is essential for maintaining a robust security posture in a cloud-centric environment. These logs provide a comprehensive record of user activities, authentication attempts, and access permissions. By analyzing Azure AD logs, organizations can detect and respond to suspicious or unauthorized activities promptly, identify security threats, track user behavior, and ensure compliance with regulatory requirements. Understanding these logs is pivotal in proactively mitigating security risks, protecting sensitive data, and safeguarding the integrity of Azure-based services, making it a fundamental aspect of any effective cybersecurity strategy in the cloud. Reading this blog will provide you with: Understanding of the logs that can be extracted from your Azure AD, and how. Knowledge about how to analyze these logs, and get the right information out of them. Learning about more than 10 Threat scenarios and corresponding hunting queries that you can run in your own environment to identify threats. Access to a tool Rezonate wrote to extract logs from AzureAD to any preferred analysis platform of your choice. Azure Active Directory Log Sources Azure Active Directory (Azure AD) offers two log sources that capture different types of events and activities within the Azure AD environment. 
These logs provide valuable insights for monitoring, security, and compliance purposes: Sign-in Logs: capture information about user sign-ins, including successful and failed attempts, sign-in locations, device details, and authentication methods used. Directory Audit Logs: capture information about various administrative activities, such as changes to user accounts, group memberships, application access, role assignments, and permission modifications. Data retention settings for the different licensing levels can be found here. Azure AD Sign-in Logs Azure AD sign-in logs are records that capture information about user sign-in activities within the Azure Active Directory (Azure AD) environment. These logs provide insights into the authentication and access activities of users as they interact with Azure AD-integrated applications and services. Sign-in logs are a crucial component of monitoring and maintaining the security of an organization's identity and access management infrastructure. The full structure of the sign-in logs can be found on Microsoft’s official reference page. Every data-point  in the log record could be useful in certain use cases, but we highlighted some of them  that you should focus on for most investigations and hunting scenarios: IdUnique identifier for the event.CreatedDateTimeEvent time.ActivityDisplayNameThe name of the activity, used as the type of the event. The full list can be found in Microsoft’s documentation.AppId The identifier of the Azure AD application that the entity logged in to.AppDisplayNameThe name of the Azure AD application that the entity logged in toUserPrincipalNameThe user name that was used to sign in.DeviceDetailThe device information from where the sign-in occurred. This property includes the client’s operating system and browser details.IpAddressThe IP address that was used for the authentication. UserAgentThe user agent that was used for the authentication.StatusIndicates the result of the sign-in. 
The full list of errors can be found in Microsoft’s documentation.IsInteractiveIndicates if the sign-in was interactive or not.CorrelationIdA unique identifier that is used to correlate other logs that are related to a specific sign-in event.  Sign-in logs are separated into four groups: Interactive sign-in: Interactive sign-ins occur when a user logs in using a web browser, a mobile app, or another client application, and the user directly interacts with the authentication prompts.  Non-interactive sign-ins: These logs typically involve automated processes, such as service accounts, background tasks, or system-to-system interactions, where user intervention is not necessary for authentication to occur. Service principal sign-ins:  A service principal is a security identity used by applications, services, or automation tasks to access Azure resources and perform specific actions. Service principal sign-ins occur when these identities are used to authenticate and access resources or services. Managed identity sign-ins: A managed identity is a feature in Azure that provides an identity for resources like virtual machines, Azure services, and applications. This identity can be used to authenticate with various Azure services without requiring explicit credential management. Managed identity sign-ins occur when resources or applications use their managed identity to authenticate and access other Azure services, APIs, or resources. Azure AD Directory Audit Logs Azure AD directory audit logs are records that capture details about administrative activities and changes within an Azure Active Directory (Azure AD) environment. These logs provide insights into actions taken by administrators or privileged users that impact user identities, groups, roles, and directory settings. Directory audit logs are essential for maintaining security, compliance, and accountability within an organization's identity and access management infrastructure. 
These logs help track changes, monitor user activities, and investigate potential security incidents. The structure of the audit logs can be found on Microsoft’s official reference page. Each data point in this log could be useful but we highlighted some of them that you should focus on for most investigations and hunting scenarios: IdUnique identifier for the event.ActivityDateTimeEvent time.ActivityDisplayNameThe name of the activity is used as the type of the event. The full list can be found in Microsoft’s documentation.InitiatedBy Provides information about the entity that performed the action that triggered the event.TargetResourcesThe resources that were involved in the event.ResultIndicates the result of the eventResultReasonLogs the reason for a failure if the event was not successful.CorrelationIdA unique identifier that is used to correlate the event to a specific sign-in event.  Exporting Azure AD Logs Exporting  Azure AD  logs requires one of the following roles: Reports Reader Security Reader Security Administrator Global Reader Global Administrator There are two primary approaches to accessing Azure AD logs. 1. Azure AD Console: In the monitoring section, you will find both “Sign-in Logs” and “Audit logs”. Login to Azure Portal From the Azure Services, select Azure Active Directory From the left pane, navigate to the “Monitoring” section Each sign-in event, of an interactive user, is displayed as a single event and can be expanded to view more detailed information: The tree remaining sign-in log groups are displayed differently. Instead of showing each sign-in attempt in a single event, the sign-in events are grouped by the target application that the user signed into: 2. 
Exporting The Logs To CSV\JSON While accessing the Azure AD logs from the Azure portal is easy, it is recommended to export the logs out of  Azure AD  so you will be able to cross reference Azure AD activity with other data sources and perform advanced queries and analyze it in scale. To export logs from Azure AD, we recommend using an Azure AD application and Microsoft Graph API. Follow the instructions below to create a new application for logs export in your tenant: Sign in to the Azure portal using your administrator account. From the Azure services, choose Azure Active Directory. From the left pane, choose App Registrations Click on “New Registration”. Name it as you wish. In “Supported account types” select  “Accounts in this organizational directory only (Default Directory only - Single tenant)”. Click Register. In the newly created application page, from the left pane, choose API Permissions. Click on Add permission. Click on Microsoft Graph - Application Permissions. Type “AuditLog” in the search box. Click on “AuditLog.Read.All”, and then “Add permissions”. Grant admin consent for the default directory - In other words, allow the application to use the assigned privileges. From the left pane, choose “Certificates and Secrets” Click on “New client secret” Choose your desired expiration date. Use the new secret to authenticate to Azure AD and query your logs. Let the Hunt Begin In this section, we will guide you through some of the top-relevant threat scenarios to look out for, explain them, mark the Relevant Azure AD Event Sources, align to the specific MITRE ATT&CK technique, and include our own queries in Postgres query syntax. Scenario 1 - Brute Force on an Azure AD User A brute force attack on an Azure AD user involves an attacker repeatedly trying different passwords to guess correctly and eventually gaining unauthorized access. 
To hunt for any occurrence of this scenario, you can search for an actor that performed more than X failed login attempts on at least Y target user, failing or ending up with a successful login. In cases of failure, the activity may result in a user's lockage. (Read more about Microsoft’s Smart Lockout protection mechanism) Relevant Azure AD Event Source Azure AD Sign-In Logs Query -- Get users who failed to login from the same IP address at least 5 times SELECT "userPrincipalName", "ipAddress" , "appDisplayName", "userAgent", count(id) as "eventCount", min("createdDateTime") as "first_event", min("createdDateTime") as "last_event" FROM sign_in_activity_azure_ad_entity siaaae WHERE "errorCode" = 50126 -- Error code for invalid credentials AND "createdDateTime" > now() - interval 'X hours' GROUP BY "userPrincipalName", "ipAddress", "appDisplayName", "userAgent" having count(id) >= 5 ORDER BY "eventCount" desc MITRE Technique Credential Access | Brute Force | ATT&CK T1110  Attention: The user-agent field in authentication logs indicates the client application employed for the authentication process. To bypass modern authentication requirements like Multi-Factor Authentication (MFA), threat actors might exploit legacy authentication protocols such as SMTP. In cases where a legacy protocol is utilized for authentication, the user agent in the logs will be identified as 'BAV2ROPC'. In case you encounter a brute force attempt with the user agent set to 'BAV2ROPC', it is crucial to consider it as malicious unless proven otherwise. Scenario 2 - Password Spray on an Azure AD Account A password spray attack on an Azure AD account involves an attacker repeatedly submitting different usernames with the same password (a small set of passwords) to eventually manage to log in and gain unauthorized access. 
To hunt for any occurrence of this scenario, you can search for an actor that performed more than 1 failed login attempt on at least Y unique target user, from the same IP address. Relevant Azure AD Event Source Azure AD Sign-In Logs Query -- Get users who failed to login from the same IP address to at least 5 unique users SELECT "ipAddress", "appDisplayName", "userAgent", count(distinct "userPrincipalName") as "eventCount", min("createdDateTime") as "first_event", min("createdDateTime") as "last_event" FROM sign_in_activity_azure_ad_entity siaaae WHERE "errorCode" = 50126 -- Error code for invalid credentials AND "createdDateTime" > now() - interval '1000 hours' GROUP BY "ipAddress", "appDisplayName", "userAgent" having count(id) >= 5 ORDER BY "eventCount" desc -- For Each result, check if the source IP address managed to login to the target user AFTER the "lastEvent" time MITRE Technique Credential Access | Brute Force | ATT&CK T1110 Scenario 3 - Multiple User Lockouts In certain instances of brute force attacks, the malicious actor may lock out the targeted users during their unauthorized access attempts. To identify such scenarios, we can employ a detection method that involves searching for multiple user lockouts originating from a single IP address. 
Relevant Azure AD Event Source Azure AD Sign-In Logs Query -- Search for login attempts to disabled users SELECT "ipAddress", count(distinct "userPrincipalName") AS "userCount", "appDisplayName", "userAgent", min("createdDateTime") as "first_event", min("createdDateTime") as "last_event" FROM sign_in_activity_azure_ad_entity WHERE "errorCode" = 50053 -- Error code for user locked out AND "createdDateTime" > now() - interval 'X hours' GROUP BY "ipAddress", "appDisplayName", "userAgent" having count(distinct "userPrincipalName") >= 5 ORDER BY "userCount" desc MITRE Technique Credential Access | Brute Force | ATT&CK T1110  Scenario 4 - Multiple Authentication Failures During MFA Challenge An attacker that managed to compromise a credential set of an AzureAD user that is protected by MFA, upon authentication, will generate a specific sign-in log with the error code 500121 which correlates with the following message: “The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or have an issue with their authentication setup.” We can highlight suspicious IP addresses that generated multiple events with the mentioned error code.  
Relevant Azure AD Event Source Azure AD Sign-In Logs Query -- Search for failed authentication attempts during MFA challenges SELECT "userPrincipalName", "ipAddress", "appDisplayName", "userAgent", count(id) as "eventCount", min("createdDateTime") as "first_event", min("createdDateTime") as "last_event" FROM sign_in_activity_azure_ad_entity siaaae WHERE "errorCode" in 500121 -- Error code for no MFA response AND "createdDateTime" > now() - interval '2000 hours' GROUP BY "userPrincipalName", "ipAddress", "appDisplayName", "userAgent" having count(id) > 1 ORDER BY "eventCount" desc MITRE Technique Credential Access | Brute Force | ATT&CK T1110  Scenario 5 - Authentication Attempt to a Disabled User  In some cases, Azure AD user accounts might have been disabled due to security concerns, or maybe even as part of employee off-boarding. Monitoring login attempts to disabled users can help you detect unauthorized activities. Relevant Azure AD Event Source Azure AD Sign-In Logs Query -- Search for login attempts to disabled users SELECT "ipAddress", count(distinct "userPrincipalName") AS "userCount", "appDisplayName", "userAgent", min("createdDateTime") as "first_event", min("createdDateTime") as "last_event" FROM sign_in_activity_azure_ad_entity WHERE "errorCode" = 50057 -- Error code for user disabled --AND "createdDateTime" > now() - interval 'X hours' - optional filter GROUP BY "ipAddress", "appDisplayName", "userAgent" ORDER BY "userCount" desc MITRE Technique Credential Access | Brute Force | ATT&CK T1110  Scenario 6 - Suspicious User Consent to Application When an attacker gains access to an Azure AD Tenant, they can create a new multi-tenant application equipped with specific API permissions such as Mail.Read, Mail.Send, Mailboxsettings.ReadWrite, Files.ReadWrite.All and User.ReadBasic.All, of which do not require administrative consent. Next, the attacker invites external users (potential victims) to use this application. 
Upon the first login by a new user to the attacker's application, a "Consent" prompt appears. If the user grants consent to the application, it enables the application to perform actions on behalf of the user, potentially leading to unauthorized access and misuse of the user's data and resources. We can utilize non-administrative consents to detect privileged applications that have access to user data. Relevant Azure AD Event Source Azure AD Directory Audit Logs Query -- Search for non-administrative application consent select id,dn,"newValue" from (select id, jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'displayName' as "dn", jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' as "newValue" from directory_audit_activity_azure_ad_entity daaaae where "activityDisplayName"='Consent to application') as subsearch where dn='ConsentContext.IsAdminConsent' and "newValue"='"False"' MITRE Technique Initial Access | User Consent | ATT&CK T1204  Scenario 7 - Persistence Via Service Principal Credentials An attacker could establish a persistence mechanism by adding new credentials to an already existing Azure AD application if one of the following applies to them: Application Administrator  Global Administrator (GA)  microsoft.directory/applications/credentials/update Relevant Azure AD Event Source Azure AD Directory Audit Logs Query -- Search new application credentials events SELECT "id","user","ip", "activityDateTime", "activityDisplayName", "property", count("oldVals") AS "oldValsCount", count("newVals") AS "newValsCount" FROM ( SELECT "id","user","ip", "activityDateTime", "activityDisplayName", "property", jsonb_array_elements("oldVal"::jsonb) AS "oldVals",jsonb_array_elements("newVal"::jsonb) AS "newVals" FROM ( SELECT "id", "initiatedBy"->'user'->>'ipAddress' AS "ip", "initiatedBy"->'user'->>'userPrincipalName' AS "user", "activityDateTime", "activityDisplayName", 
jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'displayName' AS "property", jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'oldValue' AS "oldVal", jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' AS "newVal" FROM directory_audit_activity_azure_ad_entity WHERE "activityDisplayName" = 'Update application – Certificates AND secrets management ' ) AS subquery WHERE "oldVal"!='[]' and "oldVal" is not null) AS query GROUP BY "id","user","ip", "activityDateTime", "activityDisplayName", "property" HAVING count("newVals")> count("oldVals") MITRE Technique Persistence | Additional Credentials | ATT&CK T1098 Scenario 8 - Admin Privileges Assignments Not Via PIM Azure AD PIM (Azure Active Directory Privileged Identity Management) is a Microsoft Azure service that helps organizations manage, control, and monitor access to privileged roles and resources in their Azure environment. It allows administrators to grant just-in-time privileged access, enforce approval workflows, and provide auditing and reporting for enhanced security and compliance.It is important to monitor Azure AD admin privileges assignments, not through PIM, since this behavior should not be common, and might suggest that an admin account is compromised. 
Relevant Azure AD Event Source  Azure AD Directory Audit Logs Query -- Search AAD administrative privileges assignment not via PIM select "ipAddress", "initiatedUser",category,"operationType", "targetResourceType", coalesce("targetUser","targetApp") as "targetDisplayName", ass3."value" as "newRoleName" from (select "id","ipAddress","userPrincipalName" as "initiatedUser",category,"operationType","TR"->'type' as "targetResourceType", nullif("TR"->'userPrincipalName', 'null') as "targetUser", nullif("TR"->'displayName', 'null') as "targetApp" from directory_audit_activity_azure_ad_entity daaaae , jsonb_array_elements("targetResources") as "TR" where category='RoleManagement' and "operationType" ='Assign' and "targetResources"::text like '%dmin%' and ("initiatedBy"->'app'->>'displayName' != 'MS-PIM' or "initiatedBy"->'user' is not null)) bq, (select * from (select "id",jsonb_array_elements("sub")->>'newValue' as "value", jsonb_array_elements("sub")->>'displayName' as "valueName" from (select "id",jsonb_array_elements("targetResources")->'modifiedProperties' as "sub" from directory_audit_activity_azure_ad_entity where category='RoleManagement' and "operationType" ='Assign') base1) base2 where "valueName" = 'Role.DisplayName') as base3 where bq."id" = ass3."id" and "targetResourceType"!='"Role"' MITRE Technique Privilege Escalation | Privilege Assignment via Valid Account | ATT&CK T1078 Scenario 9 - Account Hijacking Social engineering for initial access is on the rise. These techniques are simple in most cases and do not require much technical knowledge. Attacks such as phishing, MFA relay, or even buying credentials online may help attackers compromise user accounts.Usually, when an adversary compromises a user, gaining persistent access to that account is important. To do so, the adversary might change the user’s password and enroll a new MFA device. 
In some cases, the adversary may even delete the original user's factors. The following query identifies user accounts that performed a series of actions from an IP address that is not commonly used by the organization, within a short period of time, which might suggest that these accounts are compromised. The actions that this query searches for are:

- Self-service password reset
- MFA enrollment
- MFA deletion

Relevant Azure AD Event Source: Azure AD Directory Audit Logs, Azure AD Sign-In Logs

Query:

```sql
-- Search multiple security information changes from a rare location in a short timeframe
select *
from (with org_ips as (
          -- IPs seen in the last week with more than one distinct user on more than one day
          select count("timebucket"), "ipAddress", "countryOrRegion"
          from (select date_trunc('day', "createdDateTime") as TimeBucket,
                       count(distinct "userPrincipalName") as "userCount",
                       "ipAddress", "countryOrRegion"
                from sign_in_activity_azure_ad_entity
                where "errorCode" = 0
                  and "createdDateTime" > now() - interval '1 week'
                group by TimeBucket, "ipAddress", "countryOrRegion"
                having count(distinct "userPrincipalName") > 1) subquery
          group by "ipAddress", "countryOrRegion"
          having count("timebucket") > 1)
      select count(distinct "activityDisplayName") as distinct_event_count,
             min("activityDateTime") as first_event,
             max("activityDateTime") as last_event,
             daaaae."ipAddress", "userPrincipalName",
             array_agg(distinct "activityDisplayName") as events,
             "result",
             age(max("activityDateTime"), min("activityDateTime")) as duration,
             extract(epoch from max("activityDateTime")) - extract(epoch from min("activityDateTime")) as duration_epoch
      from directory_audit_activity_azure_ad_entity daaaae
      where "activityDisplayName" in ('Reset password (self-service)',
                                      'Self-service password reset flow activity progress',
                                      'User deleted security info',
                                      'User registered security info',
                                      'User started security info registration')
        and daaaae."ipAddress" not in (select "ipAddress" from org_ips)
        and "result" = 'success'
      group by "userPrincipalName", daaaae."ipAddress", "result") base
where distinct_event_count = 5
  and duration_epoch <= 604800  -- one week, in seconds
```

MITRE Technique: Initial Access | Social Engineering and Phishing | ATT&CK T1566

Scenario 10 - Abusing Third-Party Users (Supply Chain Attack)

Many Azure AD tenants are trusted by third-party accounts: IT providers, security tools, or trusted partners. Third-party accounts should perform directory changes only if the activity is authorized by the tenant administrator. Use the following query to detect changes performed by guest accounts in your organization. Unauthorized activities may suggest that the third-party account is compromised.

Relevant Azure AD Event Source: Azure AD Directory Audit Logs

Query:

```sql
-- Guest directory changes
select daaaae."activityDateTime", daaaae."ipAddress", daaaae."userPrincipalName",
       daaaae."activityDisplayName", daaaae."result",
       jsonb_array_elements(daaaae."targetResources")->>'userPrincipalName' as "external_user_name",
       siaaae."homeTenantId", siaaae."resourceTenantId"
from directory_audit_activity_azure_ad_entity daaaae,
     sign_in_activity_azure_ad_entity siaaae
where "result" = 'success'
  -- tie the directory change to the sign-in that produced it
  and daaaae."correlationId" = siaaae."correlationId"
  -- a home tenant that differs from the resource tenant identifies a guest account
  and siaaae."homeTenantId" is not null
  and siaaae."homeTenantId" != siaaae."resourceTenantId"
```

MITRE Technique: Execution | Trust Relationships | ATT&CK T1566

Scenario 11 - Abusing Single Password Authentication

Single-factor authentication is a security risk that is best avoided by enforcing MFA, but that is not always possible. Adversaries will often try to abuse users who are not protected by MFA. Use the following query to monitor single-factor authentication from non-organizational IP addresses.
Relevant Azure AD Event Source: Azure AD Directory Audit Logs

Query:

```sql
-- Single-factor authentication from non-organizational IP addresses
with org_ips as (
    -- IPs seen in the last week with more than one distinct user on more than one day
    select count("timebucket"), "ipAddress", "countryOrRegion"
    from (select date_trunc('day', "createdDateTime") as TimeBucket,
                 count(distinct "userPrincipalName") as "userCount",
                 "ipAddress", "countryOrRegion"
          from sign_in_activity_azure_ad_entity
          where "errorCode" = 0
            and "createdDateTime" > now() - interval '1 week'
          group by TimeBucket, "ipAddress", "countryOrRegion"
          having count(distinct "userPrincipalName") > 1) subquery
    group by "ipAddress", "countryOrRegion"
    having count("timebucket") > 1)
select "createdDateTime", "ipAddress", "autonomousSystemNumber", "countryOrRegion",
       "userPrincipalName", "appDisplayName", "conditionalAccessStatus"
from sign_in_activity_azure_ad_entity siaaae
where "authenticationRequirement" = 'singleFactorAuthentication'
  and "errorCode" = 0
  and "isInteractive" = true
  and "ipAddress" not in (select distinct "ipAddress" from org_ips)
  and "countryOrRegion" not in (select distinct "countryOrRegion" from org_ips)
```

MITRE Technique: Initial Access | Valid Cloud Account | ATT&CK T1078.004

Scenario 12 - Azure AD Sync Abuse

Azure AD Connect is a Microsoft tool that enables synchronization and integration between on-premises Active Directory (AD) and Azure Active Directory (Azure AD). It allows organizations to extend their on-premises identity infrastructure to the cloud, providing users with a seamless single sign-on experience across both environments. AAD Connect synchronizes user accounts between on-premises domain controllers and AAD tenants using a privileged user account that is authorized to update the AAD directory. A compromised domain controller could allow an attacker to move laterally to Azure AD by extracting the login credentials of an AAD Connect user.
Relevant Azure AD Event Source: Azure AD Directory Sign-In Logs

Query:

```sql
-- Search AAD Connect user abuse
select "createdDateTime", "ipAddress", "countryOrRegion", "userPrincipalName",
       "appId", "appDisplayName", "errorCode"
from sign_in_activity_azure_ad_entity siaaae
-- the AAD Connect account is named Sync_<server>_<id>; the underscore is escaped so it
-- matches literally instead of acting as a single-character LIKE wildcard
where "userPrincipalName" ilike 'Sync\_%'
  and "appDisplayName" not in ('Microsoft Azure Active Directory Connect', '')
```

MITRE Technique: Initial Access | Valid Cloud Account | ATT&CK T1078.004

3 Additional Queries For Azure AD Access Governance

On top of the scenarios above, there are additional queries that can be used to hunt for threats in an Azure AD tenant. Their results are harder to rely on, since they require deeper context about the organization's regular activity to differentiate legitimate operations from those that may be part of an actual threat. For example, a user was assigned an administrative role. It could be malicious or legitimate, and requires triage for a verdict:

- Who performed the action?
- Is this the first time this actor assigns privileges?
- Are there any client characteristics that do not make sense coming from that actor?

Query 1 - New Application Creation

Malicious applications can serve adversaries to get their first foothold in an Azure AD tenant. Review the applications that were installed by administrators.

Relevant Azure AD Event Source: Azure AD Directory Audit Logs

Query:

```sql
-- Search for new AAD applications
select "activityDateTime", "ipAddress", "userPrincipalName", "activityDisplayName", "result",
       jsonb_array_elements("targetResources")->>'displayName' as "appName"
from directory_audit_activity_azure_ad_entity daaaae
where "activityDisplayName" = 'Add application'
```

MITRE Technique: https://attack.mitre.org/techniques/T1204/

Query 2 - A Guest Was Invited to the Organization

Guest users can be invited to an Azure AD tenant, which means that users from other Azure AD tenants can access your tenant. It is important to review these invites to make sure that only authorized third-party users are invited.

Relevant Azure AD Event Source: Azure AD Directory Audit Logs

Query:

```sql
-- Guest invites
select "activityDateTime", "ipAddress", "userPrincipalName", "activityDisplayName", "result",
       jsonb_array_elements("targetResources")->>'userPrincipalName' as "external_user_name"
from directory_audit_activity_azure_ad_entity daaaae
where "activityDisplayName" = 'Invite external user'
```

MITRE Technique: https://attack.mitre.org/techniques/T1199/

Query 3 - New Authentication Policy Exclusion

Azure AD Conditional Access Policy is a powerful feature that controls access to the organization based on specific criteria. If a user or a group of users is excluded from a conditional access policy, they might put the organization at risk.

Relevant Azure AD Event Source: Azure AD Directory Audit Logs

Query:

```sql
-- Policy Exclusions
select "activityDateTime", "userPrincipalName", category, "activityDisplayName", "operationType",
       jsonb_array_elements("targetResources")->>'displayName' as "policyName",
       jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' as "newConditions",
       jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'oldValue' as "oldConditions"
from directory_audit_activity_azure_ad_entity daaaae
where "activityDisplayName" = 'Update conditional access policy'
```

MITRE Technique: https://attack.mitre.org/techniques/T1556/

Rezonate Tool For Exporting Azure AD Logs

As promised, we have included 2 tools that can be used to accelerate the application creation and the log extraction process. They are both available in our GitHub repository.
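Added example, not from the Rezonate article or its GitHub repository: the Scenario 9 and Scenario 11 query logic re-implemented in Python over constructed Azure AD sign-in and directory-audit records, so the org_ips baseline, the five-event correlation from a rare IP, and the single-factor check against that baseline can be read and tested outside the database. Field names follow the queries' columns; the sample records, the fixed "now" timestamp and the helper names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The five activityDisplayName values the Scenario 9 query correlates.
SECURITY_INFO_EVENTS = {
    "Reset password (self-service)",
    "Self-service password reset flow activity progress",
    "User deleted security info",
    "User registered security info",
    "User started security info registration",
}
WEEK = timedelta(days=7)
NOW = datetime(2023, 9, 20, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def org_ip_baseline(sign_ins, now):
    """Mirror of the org_ips CTE: an IP is organizational when, among successful
    sign-ins from the last week, more than one distinct user used it on more
    than one distinct day. Returns {ipAddress: countryOrRegion}."""
    users_per_day = defaultdict(set)  # (ip, country, day) -> distinct UPNs
    for s in sign_ins:
        if s["errorCode"] != 0 or s["createdDateTime"] <= now - WEEK:
            continue
        key = (s["ipAddress"], s["countryOrRegion"], s["createdDateTime"].date())
        users_per_day[key].add(s["userPrincipalName"])
    multi_user_days = defaultdict(int)  # days with count(distinct upn) > 1
    for (ip, country, _day), users in users_per_day.items():
        if len(users) > 1:
            multi_user_days[(ip, country)] += 1
    return {ip: c for (ip, c), days in multi_user_days.items() if days > 1}  # count(timebucket) > 1

def hijack_candidates(audit_events, baseline, max_seconds=604800):
    """Scenario 9: for each (user, ip) pair with the ip outside the baseline,
    flag it when all five security-info events succeeded within max_seconds."""
    groups = defaultdict(list)
    for e in audit_events:
        if (e["activityDisplayName"] in SECURITY_INFO_EVENTS
                and e["result"] == "success" and e["ipAddress"] not in baseline):
            groups[(e["userPrincipalName"], e["ipAddress"])].append(e)
    hits = []
    for (user, ip), evs in groups.items():
        kinds = {e["activityDisplayName"] for e in evs}
        times = [e["activityDateTime"] for e in evs]
        duration = (max(times) - min(times)).total_seconds()
        if len(kinds) == len(SECURITY_INFO_EVENTS) and duration <= max_seconds:
            hits.append({"user": user, "ip": ip, "duration_s": duration})
    return hits

def single_factor_outside_org(sign_ins, baseline):
    """Scenario 11: successful interactive single-factor sign-ins whose IP and
    country are both absent from the baseline."""
    org_countries = set(baseline.values())
    return [s for s in sign_ins
            if s["authenticationRequirement"] == "singleFactorAuthentication"
            and s["errorCode"] == 0 and s["isInteractive"]
            and s["ipAddress"] not in baseline
            and s["countryOrRegion"] not in org_countries]

def _sign_in(upn, ip, country, days_ago, req="multiFactorAuthentication", error=0):
    return {"userPrincipalName": upn, "ipAddress": ip, "countryOrRegion": country,
            "createdDateTime": NOW - timedelta(days=days_ago), "errorCode": error,
            "authenticationRequirement": req, "isInteractive": True}

def _audit(upn, ip, name, minutes_ago):
    return {"userPrincipalName": upn, "ipAddress": ip, "activityDisplayName": name,
            "activityDateTime": NOW - timedelta(minutes=minutes_ago), "result": "success"}

# Constructed sample records. 203.0.113.10 is the office egress (two users on
# two days, so it becomes baseline); 198.51.100.7 and 192.0.2.5 are one-offs.
SIGN_INS = [
    _sign_in("alice@example.com", "203.0.113.10", "US", 3),
    _sign_in("bob@example.com", "203.0.113.10", "US", 3),
    _sign_in("alice@example.com", "203.0.113.10", "US", 2),
    _sign_in("bob@example.com", "203.0.113.10", "US", 2),
    _sign_in("alice@example.com", "203.0.113.10", "US", 1, req="singleFactorAuthentication"),
    _sign_in("carol@example.com", "198.51.100.7", "DE", 0, req="singleFactorAuthentication"),
    _sign_in("erin@example.com", "192.0.2.5", "BR", 1, error=50126),  # failed sign-in
]
AUDIT_EVENTS = (
    # carol: all five events from the rare IP within minutes -> flagged
    [_audit("carol@example.com", "198.51.100.7", n, 10 - i)
     for i, n in enumerate(sorted(SECURITY_INFO_EVENTS))]
    # dave: the same sequence from the baseline IP -> excluded by org_ips
    + [_audit("dave@example.com", "203.0.113.10", n, 30 - i)
       for i, n in enumerate(sorted(SECURITY_INFO_EVENTS))]
)
```

Running the same audit events against an empty baseline flags dave as well, which is the false positive the org_ips step exists to remove.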

Rezonate named as a “Cool Vendor” in the 2023 Gartner® Cool Vendors™ in Identity-First Security

We are proud and humbled to announce that Rezonate has been named a 2023 'Cool Vendor' in the Gartner Identity-First Security report. We believe this is a significant milestone in our journey to build an identity-centric security platform that protects user and machine identities and their access privileges across their entire access journey to cloud-native resources and critical SaaS applications.

The rise in cloudification and SaaSification has increased the volume and complexity of identities, their privileges, and their activities, and with it the challenge of preventing and stopping access-based attacks. A new paradigm is necessary in this dynamic and distributed construction of the digital world: a paradigm that puts the defender a step ahead, exerting greater control than the adversaries; a paradigm that does not isolate applications and cloud services but instead views and orchestrates an identity in its entirety across its access journey, with its accumulated privileges and security controls, automating security posture enhancements, threat detection and response, and compliance requirements. The magic of faster and more robust identity security adaptation lies in the interdependencies between these three parts of the security mission, which can no longer be handled separately and should Resonate together with the business cycle. This is our raison d'être, our reason for existence: to make the rapid building, securing, and threat elimination Rezonate, making defenders far more powerful and successful while eliminating adversarial opportunities to compromise identities and breach organizations.

At Rezonate, we have believed from day zero that identities are the new core of security in the shared security model of cloud and SaaS. Our platform is built from the ground up to provide real-time visibility into an identity's full access journey across clouds, SaaS, and identity providers.
We aim to continuously fortify identity posture, reducing its susceptibility to compromise and defending against cyber attacks in real time. This approach has enabled our customers to better understand, solve, and protect their assets. Congrats to all our customers, partners, and of course the Rezonators all over the world. Let's go! Join the revolution today and use Rezonate to mature your IAM program and stop the next identity breach.

Rezonate was named as a Cool Vendor in the 2023 Gartner® Cool Vendors™ in Identity-First Security report.

“Gartner defines “identity-first security” as an approach to security design that makes identity-based controls the foundational element of an organization’s protection, detection and response architecture. It marks a fundamental shift from the perimeter-based controls that have become obsolete because of the decentralization of assets, users and devices. The focus of identity-first security is on the three C’s — Consistent, Contextual and Continuous — which marks a fundamental shift from perimeter-based, static controls toward dynamic ones.”

Unique to Rezonate is our platform's ability to continually discover permissions based on identities' privileges and activities, identify weak spots and risky behaviors, and enable remediation playbooks. Rezonate offers a window into your entire ecosystem, extending to SaaS applications, identity providers, and native cloud.

We believe this Gartner recognition is a significant milestone for us at Rezonate. We remain steadfast in our commitment to providing an all-encompassing identity-first security platform that continually strengthens security posture, empowers robust defense, and enables effective remediation. Thank you for helping us shape the space and redefine the way identity security should be done in the age of cloud and SaaS, and thank you to our customers, partners, and the awesome Rezonators worldwide. This is only day one! Let's go!
Gartner, Cool Vendors in Identity-First Security, by Brian Guthrie, Robertson Pimentel, Henrique Teixeira, Michael Kelley, Felix Gaehtgens, Erik Wahlstrom, Rebecca Archambault, published 6 September 2023.

Gartner Disclaimer

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and COOL VENDORS is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Mastering the Identity Management Lifecycle: The Essential Guide

Imagine this: your company parts ways with an unhappy ex-employee who still has access to cloud resources and applications. Although you assume they won't take sensitive data to a competitor, how can you be sure? A shocking 83% of people say they still had access to their previous employer's digital assets, including third-party integrations connected to their environment. This problem is not just about security; it is also about preserving your company's integrity, reputation, and competitive edge. That's why a clear understanding of the identity management lifecycle is essential to safeguard your organization against such breaches.

What is Identity Lifecycle Management?

Identity Lifecycle Management (ILM) is a comprehensive process that involves the management of your organization's digital identities (individuals, devices, or entities) throughout their entire lifecycle. ILM includes stages like creation, modification, usage, and eventual de-provisioning or retirement of digital identities. The primary goal of ILM is to ensure that these identities are correctly and securely managed from their initial creation to their termination. ILM helps you maintain security, prevent unauthorized access, and comply with regulatory requirements by ensuring digital identities are always aligned with your organization's needs and policies.

What is the Identity Lifecycle Management Process?

ILM is crucial for managing your company's access, security, and compliance. This process ensures that the right individuals have the appropriate level of access to resources, enhancing security and efficiency. ILM consists of several key phases:

- Onboarding: Creating an identity when a new user joins involves provisioning access to relevant resources, setting permissions, and establishing initial configurations.
- Ongoing Access Modifications: This phase involves modifying access permissions to ensure they align with the user's current responsibilities.
- Monitoring and Reporting: Consistent monitoring of access activities is crucial for identifying suspicious behavior or unauthorized access.
- Offboarding: The process of deactivating a user's access to resources when they leave the organization.

Why Do You Need Automated Identity Lifecycle Management?

When your organization scales, manual identity management processes become complicated, error-prone, and time-consuming, which is why automated identity lifecycle management offers a range of benefits:

- Efficiency: Streamlines the identity management process, reducing administrative overhead and ensuring that identity-related tasks are performed quickly and accurately.
- Security: Enforces consistent security policies and access controls. It can automatically revoke or adjust user privileges when someone changes roles, leaves the organization, or when security threats are detected.
- Compliance: Helps organizations demonstrate compliance with regulations like GDPR, HIPAA, and others by providing auditable access controls and data governance.
- Risk reduction: Manual processes are prone to errors, oversights, and inconsistencies. Automated ILM can reduce the risk of security breaches, data leaks, and compliance violations by ensuring that user identities and access permissions are always up to date.
- Scalability: Automated ILM solutions can scale with your organization, ensuring that identity management remains efficient and effective even as your business expands.
- User experience: Enhances the user experience by providing self-service options for identity-related tasks. Users can reset passwords, request access, and manage their profiles more easily, reducing the burden on IT support.

Mastering Identity Lifecycle Management: The Essential Guide

Although automation provides multiple benefits to the identity management process, you might face some challenges when implementing it.
So, let's discuss the tips and best practices for overcoming the challenges associated with digital identity management.

1. Automate Onboarding and Offboarding

Effective identity management starts with automated onboarding and offboarding to streamline the provisioning of accounts for new hires and remove access for departing employees. This automation ensures that employees quickly get access to the resources they need, which boosts productivity. It also simplifies the de-provisioning process when employees leave, enhancing overall security and operational efficiency by protecting your business against disgruntled ex-employees.

Actionable tips to follow:

- Use rule-based access control to assign access rights based on job roles and responsibilities.
- Integrate identity management with HR systems to synchronize employee data.
- Define access templates that outline the specific permissions and resources required for various job roles.

2. Contractor and Temporary Employee Management

Contractors and temporary employees require distinct identity management strategies to ensure that these individuals have access only to the resources necessary for their specific roles. This involves creating separate user groups and access policies for these workforce segments, promoting a more tailored and secure approach.

Actionable tips to follow:

- Define specific access policies for contractors and temporary employees.
- Implement automated solutions to provision and de-provision access based on contract durations.
- Review and adjust access privileges periodically to ensure alignment with job responsibilities and contract terms.

3. Access Level Updates

As employees change roles or responsibilities, organizations must also modify their access. Automation through role-based access control (RBAC) systems ensures that employees always have the right resources for their current roles while following the ‘trust no one, always verify’ approach of the Zero Trust Maturity Model.
Actionable tips to follow:

- Align employee roles with their job descriptions.
- Use automation to enforce access policies consistently.
- Periodically review and update role definitions.
- Create a straightforward process for employees to request role changes.
- Periodically certify access levels to verify that employees have only the resources necessary for their roles.

4. Secure Offboarding

Secure offboarding is essential for minimizing the risk of disgruntled ex-employees who retain access to critical systems. It involves immediate revocation of access rights, asset retrieval (such as laptops and access cards), and thorough exit interviews. This comprehensive process ensures departing employees cannot access company systems, safeguarding your organization.

Actionable tips to follow:

- Disable access rights immediately upon an employee's departure to prevent unauthorized access.
- Ensure the return of company assets, such as laptops and access cards, during offboarding.
- Conduct thorough exit interviews to identify potential issues or risks.
- Maintain an inventory of assets.

5. Attribute and Password Management

Managing user attributes and passwords is fundamental to identity management. It includes enforcing strong password policies, promoting multi-factor authentication (MFA), and automating attribute updates. Ultimately, it enhances security by reducing the risk of data breaches and ensuring compliance with regulatory requirements.

Actionable tips to follow:

- Enforce strict password policies, including complexity requirements and regular changes.
- Use MFA to enhance security.
- Utilize identity management tools to automate attribute updates.
- Provide a password manager tool to help users generate and securely store complex passwords.

6. Audit and Reporting

Regular audits and reporting are integral to effective identity lifecycle management.
Audits involve the periodic review of user accounts, access rights, and system logs to detect anomalies and potential security breaches. Automated reporting generates insights into compliance adherence and potential threats, helping you stay in line with industry regulations and internal policies.

Actionable tips to follow:

- Conduct periodic audits of user accounts, access rights, and system logs to detect anomalies and potential security breaches.
- Use identity management tools that generate automated reports and alerts based on predefined criteria.
- Use reporting to demonstrate compliance with industry regulations and internal policies.

7. Training and Awareness

Educating employees on security best practices is essential to increase their awareness of their responsibilities. Training programs help employees understand threats like phishing, the importance of strong password practices, and adherence to security policies.

Actionable tips to follow:

- Develop awareness programs covering the different areas of your organization's security.
- Conduct periodic training sessions.
- Tailor training content to the specific roles of employees.
- Use real-life examples and scenarios to illustrate security threats.

Your Automated Solution to Identity Lifecycle Management Challenges: Rezonate

This article discussed the ins and outs of ILM, but following these best practices might not be enough to survive in the fast-changing world of digital security. New threats are always popping up, and you need a more active and straightforward way of managing identities. To protect your identities at speed and scale, choose an automated IAM solution like Rezonate. Rezonate simplifies privilege management, giving your IT team total visibility over all your identities and access behaviors immediately.
Real-time risk scoring provides valuable insights that let your teams swiftly recognize and address security gaps, helping to proactively enforce a least-privilege access model and ensure users only have the access they need. Rezonate automatically detects identities that have been inactive for a customizable period of time. Our solution identifies specific entitlements that are not being used by identities and allows for a smoother and more secure offboarding process. Request a demo today to stay ahead in the digital security landscape.