
Okta Threat Hunting: Auditing Okta Logs Part 2


Update Note

Following the recent incident at MGM, which included the compromise of MGM's Okta tenant, and the broader surge in attacks targeting Okta administrators, we have updated this threat-hunting article with a few additional queries. They increase visibility into compromised administrators and help detect ransomware groups that take aggressive steps to cause maximum disruption to their target and to prevent recovery.
This post continues our first post, Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting.

Let the Hunt Continue 

Scenario 1 – User Account Hijack

Social engineering for initial access is on the rise. These techniques are simple and require little technical skill: phishing, MFA relay (an adversary-in-the-middle proxying the real login page and capturing the resulting session), or simply buying credentials online are all enough to compromise a user account.

Once an adversary compromises a user, keeping persistent access to that account is the next priority. To do so, the adversary typically changes the user's password and enrolls an MFA factor they control, and in some cases deletes the user's original factors so the victim can no longer sign in.
The following query surfaces accounts that performed several of these actions from the same IP address within the lookback window, which may indicate a compromised account. It returns the span between the first and last event (duration_epoch), so that sequences completed within minutes can be prioritized, and the source IP address, so it can be checked against the addresses your organization normally uses. The actions the query looks for are:

  • Self-password reset
  • MFA enrollment
  • MFA deletion 

Relevant Okta Events:

  • user.mfa.factor.activate
  • user.mfa.factor.deactivate
  • user.account.reset_password
  • user.session.start
  • device.user.add

Okta Log Query

-- User Account Hijack
-- You can use the "actorAlternateId" filter to focus on administrators
select "clientIpAddress", "clientCountry", "actorAlternateId", min(time) as first_event, max(time) as last_event, count(distinct "eventType") as unique_events,
count(id) as event_count, array_agg(distinct "eventType") as events, extract(epoch from max(time)) - extract(epoch from min(time)) as duration_epoch
from audit_log_okta_idp_entity aloie
where "eventType" in ('user.mfa.factor.activate', 'user.mfa.factor.deactivate', 'user.account.reset_password', 'user.session.start', 'device.user.add')
and "actionResult" = 'SUCCESS'
and time > now() - interval '1 week'
--and "actorAlternateId" in ('admin1', 'admin2', ...)
group by "clientIpAddress", "clientCountry", "actorAlternateId"
having count(distinct "eventType") >= 3
-- tighten to sequences completed within one hour once you know your baseline:
--and extract(epoch from max(time)) - extract(epoch from min(time)) < 3600
order by duration_epoch

MITRE Technique: Initial Access | Phishing | ATT&CK T1566; Persistence | Account Manipulation: Device Registration | ATT&CK T1098.005
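The same hunt written in Python over raw Okta System Log events rather than the table above, as an added example that is not part of the original post. It reads the standard System Log fields (eventType, published, outcome.result, actor.alternateId, client.ipAddress, client.geographicalContext.country) and goes one step further than the SQL by enforcing the time window: an actor/IP pair only fires when the distinct actions fall within a configurable span (one hour by default). The sample records are constructed and the thresholds are assumptions to tune.

```python
"""Scenario 1 (user account hijack) as a hunt over raw Okta System Log JSON.
Added example, not code from the original post. Field paths follow the Okta
System Log API (eventType, published, outcome.result, actor.alternateId,
client.ipAddress, client.geographicalContext.country); the sample records
below are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timedelta

HIJACK_EVENTS = {
    "user.session.start",
    "user.account.reset_password",
    "user.mfa.factor.activate",
    "user.mfa.factor.deactivate",
    "device.user.add",
}


def _published(event):
    # Okta timestamps are ISO-8601 UTC with a trailing 'Z'
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def find_hijack_clusters(events, min_unique=3, max_window=timedelta(hours=1)):
    """One hit per actor/IP/country triple that performed >= min_unique distinct
    hijack-related actions inside a span of at most max_window. The SQL above
    returns duration_epoch for the analyst to judge; here the window is enforced."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventType") not in HIJACK_EVENTS:
            continue
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        geo = e["client"].get("geographicalContext") or {}
        key = (e["actor"]["alternateId"], e["client"]["ipAddress"], geo.get("country"))
        by_key[key].append((_published(e), e["eventType"]))

    hits = []
    for (actor, ip, country), rows in by_key.items():
        rows.sort()
        best = None
        # For every candidate start event take all events within max_window of it
        # and keep the window with the most distinct event types.
        for i, (start, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= max_window]
            types = {t for _, t in window}
            if len(types) >= min_unique and (best is None or len(types) > len(best[1])):
                best = (window, types)
        if best:
            window, types = best
            hits.append({
                "actor": actor, "ip": ip, "country": country,
                "first_event": window[0][0].isoformat(),
                "last_event": window[-1][0].isoformat(),
                "unique_events": len(types),
                "events": sorted(types),
                "duration_seconds": int((window[-1][0] - window[0][0]).total_seconds()),
            })
    return hits


def _event(event_type, actor, ip, country, published, result="SUCCESS"):
    """Constructed Okta System Log record holding only the fields the hunt reads."""
    return {
        "eventType": event_type,
        "published": published,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": actor},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
    }


# Constructed sample: one takeover sequence, one benign user, one slow sequence
# spread over days (must not fire at the default window) and one failed login (ignored).
SAMPLE_EVENTS = [
    _event("user.session.start", "victim@example.com", "198.51.100.23", "Netherlands", "2023-09-12T10:00:00.000Z"),
    _event("user.account.reset_password", "victim@example.com", "198.51.100.23", "Netherlands", "2023-09-12T10:03:00.000Z"),
    _event("user.mfa.factor.activate", "victim@example.com", "198.51.100.23", "Netherlands", "2023-09-12T10:05:00.000Z"),
    _event("user.mfa.factor.deactivate", "victim@example.com", "198.51.100.23", "Netherlands", "2023-09-12T10:06:00.000Z"),
    _event("user.session.start", "alice@example.com", "192.0.2.10", "United States", "2023-09-12T09:00:00.000Z"),
    _event("user.mfa.factor.activate", "alice@example.com", "192.0.2.10", "United States", "2023-09-12T16:00:00.000Z"),
    _event("user.session.start", "bob@example.com", "192.0.2.10", "United States", "2023-09-11T10:00:00.000Z"),
    _event("user.account.reset_password", "bob@example.com", "192.0.2.10", "United States", "2023-09-11T10:30:00.000Z"),
    _event("user.mfa.factor.activate", "bob@example.com", "192.0.2.10", "United States", "2023-09-13T09:00:00.000Z"),
    _event("user.session.start", "carol@example.com", "198.51.100.23", "Netherlands", "2023-09-12T10:01:00.000Z", result="FAILURE"),
]

if __name__ == "__main__":
    for hit in find_hijack_clusters(SAMPLE_EVENTS):
        print(hit)
```

Run against a System Log export (one JSON object per line) by loading the records into the list in place of SAMPLE_EVENTS; only the victim sequence fires at the default thresholds, and bob's password reset two days before his factor enrollment does not.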


Scenario 2 – Rogue Administrator Tenant Takeover

When an adversary compromises an administrator, they may try to lock the remaining administrators out of the tenant to strengthen their hold on it and ensure that no one can reverse their actions.

In such a scenario, the rogue admin may revoke administrative privileges from other administrators, or deactivate or suspend many user accounts in a short time.

Use the following queries to detect the described scenario.

Relevant Okta Events:

  • user.lifecycle.deactivate
  • user.lifecycle.suspend
  • user.account.privilege.revoke
  • group.account.privilege.revoke

Okta Log Query 1

-- Multiple users disabled or deactivated by a single user
-- Raise the thresholds to match your normal offboarding volume; HR-driven bulk deactivations are the usual false positive
select "clientIpAddress", "clientCountry", "actorAlternateId", min(time) as first_event, max(time) as last_event,
count(distinct "targetAlternateId") filter (where "eventType"='user.lifecycle.suspend') as unique_suspended_users,
count(distinct "targetAlternateId") filter (where "eventType"='user.lifecycle.deactivate') as unique_deactivated_users
from (select aloie.time, aloie."clientIpAddress", aloie."clientCountry", aloie."actorAlternateId", aloie."eventType", altoie."targetAlternateId"
	from audit_log_okta_idp_entity aloie, audit_log_target_okta_idp_entity altoie
	where aloie."eventType" in ('user.lifecycle.deactivate', 'user.lifecycle.suspend')
	and aloie."actionResult" = 'SUCCESS'
	--and aloie.time > now() - interval '1 week'
	and aloie.id = altoie."auditLogId") base
group by "clientIpAddress", "clientCountry", "actorAlternateId"
having count(distinct "targetAlternateId") filter (where "eventType"='user.lifecycle.suspend') > 1
	or count(distinct "targetAlternateId") filter (where "eventType"='user.lifecycle.deactivate') > 1

Okta Log Query 2

-- Multiple admin privileges revoked
select "clientIpAddress", "clientCountry", "actorAlternateId", min(time) as first_event, max(time) as last_event,
count(distinct "targetAlternateId") filter (where "eventType"='user.account.privilege.revoke') as revoked_users,
count(distinct "targetAlternateId") filter (where "eventType"='group.account.privilege.revoke') as revoked_groups
from (select aloie.time, aloie."clientIpAddress", aloie."clientCountry", aloie."actorAlternateId", aloie."eventType", altoie."targetAlternateId"
	from audit_log_okta_idp_entity aloie, audit_log_target_okta_idp_entity altoie
	where aloie."eventType" in ('user.account.privilege.revoke', 'group.account.privilege.revoke')
	and aloie."actionResult" = 'SUCCESS'
	--and aloie.time > now() - interval '1 week'
	and aloie.id = altoie."auditLogId") base
group by "clientIpAddress", "clientCountry", "actorAlternateId"
having count(distinct "targetAlternateId") filter (where "eventType"='user.account.privilege.revoke') > 1
	or count(distinct "targetAlternateId") filter (where "eventType"='group.account.privilege.revoke') > 1

MITRE Technique: Impact | Account Access Removal | ATT&CK T1531

Scenario 3 – Authentication Policy Downgrade

When an adversary compromises an administrator account, they may downgrade the tenant's authentication requirements to ease their own access. Policy changes are infrequent, sensitive events that normally occur only when the organization deliberately updates its authentication requirements, so a burst of them from a single actor stands out. The following query hunts for an actor that made multiple changes to authentication policies and rules. Note that Policy and PolicyRule targets in Okta's logs frequently carry the alternateId "unknown", so the distinct-target columns may undercount; the threshold is therefore placed on the number of distinct events.

Relevant Okta Events:

  • policy.lifecycle.update
  • policy.rule.update
  • policy.rule.add

Okta Log Query

-- Multiple authentication policy and rule changes
select "clientIpAddress", "clientCountry", "actorAlternateId", min(time) as first_event, max(time) as last_event,
count(distinct "targetAlternateId") filter (where "eventType"='policy.lifecycle.update') as unique_policies_updated,
count(distinct "targetAlternateId") filter (where "eventType"='policy.rule.update') as unique_policy_rules_updated,
count(distinct "targetAlternateId") filter (where "eventType"='policy.rule.add') as unique_policy_rules_created,
-- one event yields one row per target (policy and rule), so count distinct events rather than rows
count(distinct id) as event_count
from (select aloie.id, aloie.time, aloie."clientIpAddress", aloie."clientCountry", aloie."actorAlternateId", aloie."eventType", altoie."targetAlternateId"
	from audit_log_okta_idp_entity aloie, audit_log_target_okta_idp_entity altoie
	where aloie."eventType" in ('policy.lifecycle.update', 'policy.rule.update', 'policy.rule.add')
	and aloie."actionResult" = 'SUCCESS'
	--and aloie.time > now() - interval '1 week'
	and aloie.id = altoie."auditLogId") base
group by "clientIpAddress", "clientCountry", "actorAlternateId"
having count(distinct id) >= 3

MITRE Technique: Persistence | Modify Authentication Process | ATT&CK T1556
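Scenarios 2 and 3 share one shape: a single actor fanning out over many targets. The following added example (not code from the original post) implements that shape once in Python over raw Okta System Log JSON and runs it for account removal, privilege revocation and policy changes. It differs from the SQL in two ways worth noting: it only counts target entries of the object types you care about, so an extra target row such as the role object attached to a privilege event does not inflate the count, and it falls back to the target id or name when alternateId is "unknown", which is common for Policy and PolicyRule targets. It also aggregates across the whole type group rather than per type, so one suspension plus one deactivation of different users counts as two. The sample records, thresholds and the role target's type string are constructed assumptions.

```python
"""Scenarios 2 and 3 (rogue admin lockout, authentication policy downgrade) as
one fan-out hunt over raw Okta System Log JSON. Added example, not code from the
original post. Field paths follow the Okta System Log API (target[] entries with
type, id, alternateId, displayName); thresholds and sample records are assumptions."""
from collections import defaultdict

ACCOUNT_REMOVAL = {"user.lifecycle.deactivate", "user.lifecycle.suspend"}
PRIVILEGE_REVOKE = {"user.account.privilege.revoke", "group.account.privilege.revoke"}
POLICY_CHANGE = {"policy.lifecycle.update", "policy.rule.update", "policy.rule.add"}


def _target_key(target):
    """Stable identifier for a target. Policy and rule targets often carry
    alternateId 'unknown', which would collapse every policy into one value when
    counting distinct alternateIds, so fall back to the object id or name."""
    alt = target.get("alternateId")
    return alt if alt and alt != "unknown" else (target.get("id") or target.get("displayName"))


def mass_action_hits(events, event_types, target_types, min_targets):
    """Group successful events of event_types by actor and source IP, count the
    distinct targets whose type is in target_types, and report actors that touched
    at least min_targets distinct objects across the whole group."""
    groups = defaultdict(lambda: {"targets": defaultdict(set), "events": 0, "times": []})
    for e in events:
        if e.get("eventType") not in event_types or e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        g = groups[(e["actor"]["alternateId"], e["client"].get("ipAddress"))]
        g["events"] += 1
        g["times"].append(e["published"])
        for t in e.get("target", []):
            if t.get("type") in target_types:  # ignore e.g. the role object on privilege events
                g["targets"][e["eventType"]].add(_target_key(t))
    hits = []
    for (actor, ip), g in groups.items():
        distinct = set().union(*g["targets"].values())
        if len(distinct) >= min_targets:
            hits.append({"actor": actor, "ip": ip,
                         "first_event": min(g["times"]), "last_event": max(g["times"]),
                         "event_count": g["events"], "distinct_targets": len(distinct),
                         "per_type": {k: sorted(v) for k, v in g["targets"].items()}})
    return hits


def _event(event_type, actor, ip, published, targets):
    """Constructed System Log record; targets is a list of (type, alternateId, displayName)."""
    return {"eventType": event_type, "published": published,
            "outcome": {"result": "SUCCESS"},
            "actor": {"type": "User", "alternateId": actor},
            "client": {"ipAddress": ip},
            "target": [{"type": ty, "alternateId": alt, "displayName": name, "id": "id-" + name}
                       for ty, alt, name in targets]}


ROGUE, ROGUE_IP = "it-admin2@example.com", "203.0.113.9"
SUPER = ("ROLE", "unknown", "Super Organization Administrator")  # assumed shape of the role target
POLICY = ("Policy", "unknown", "Default Policy")
SAMPLE_EVENTS = [
    # rogue admin: lock out three users, strip two admins, then loosen the sign-on policy
    _event("user.lifecycle.deactivate", ROGUE, ROGUE_IP, "2023-09-12T02:00:00.000Z", [("User", "alice@example.com", "Alice")]),
    _event("user.lifecycle.deactivate", ROGUE, ROGUE_IP, "2023-09-12T02:00:20.000Z", [("User", "bob@example.com", "Bob")]),
    _event("user.lifecycle.suspend", ROGUE, ROGUE_IP, "2023-09-12T02:00:40.000Z", [("User", "carol@example.com", "Carol")]),
    _event("user.account.privilege.revoke", ROGUE, ROGUE_IP, "2023-09-12T02:01:00.000Z", [("User", "dave@example.com", "Dave"), SUPER]),
    _event("user.account.privilege.revoke", ROGUE, ROGUE_IP, "2023-09-12T02:01:10.000Z", [("User", "erin@example.com", "Erin"), SUPER]),
    _event("policy.rule.update", ROGUE, ROGUE_IP, "2023-09-12T02:02:00.000Z", [POLICY, ("PolicyRule", "unknown", "Require MFA")]),
    _event("policy.rule.update", ROGUE, ROGUE_IP, "2023-09-12T02:02:30.000Z", [POLICY, ("PolicyRule", "unknown", "Admin Console")]),
    _event("policy.rule.add", ROGUE, ROGUE_IP, "2023-09-12T02:03:00.000Z", [POLICY, ("PolicyRule", "unknown", "Password Only")]),
    # routine offboarding by another admin: a single target, must not fire
    _event("user.lifecycle.deactivate", "hr-admin@example.com", "192.0.2.10", "2023-09-12T09:00:00.000Z", [("User", "leaver@example.com", "Leaver")]),
]

HUNTS = [  # (name, event types, target types to count, threshold)
    ("account removal", ACCOUNT_REMOVAL, {"User"}, 2),
    ("privilege revoke", PRIVILEGE_REVOKE, {"User", "Group"}, 2),
    ("policy change", POLICY_CHANGE, {"Policy", "PolicyRule"}, 3),
]

if __name__ == "__main__":
    for name, types, ttypes, threshold in HUNTS:
        for hit in mass_action_hits(SAMPLE_EVENTS, types, ttypes, threshold):
            print(name, hit)
```

The per_type breakdown in each hit is what you hand to the responder: it lists exactly which users were locked out or which rules were touched, so recovery can start from the hit itself rather than from a second query.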

Scenario 4 – Authentication Via Proxy 

Adversaries try to disguise their source IP address behind proxy or VPN services. Okta's IP enrichment flags such sign-ins (the isProxy field in the event's security context), so monitoring administrators who sign in via proxy is a cheap way to surface suspicious administrator sessions. Expect some legitimate hits from corporate VPN egress and consumer relay services such as iCloud Private Relay; baseline those addresses before turning the query into an alert.

Relevant Okta Events:

  • user.session.start

Okta Log Query

-- Proxy Authentication
select "clientIpAddress", "clientCountry", "actorAlternateId", min(time) as first_event, max(time) as last_event, age(max(time), min(time)) as duration,
count(id) as event_count
from audit_log_okta_idp_entity aloie
where "eventType" = 'user.session.start'
and "actorAlternateId" in ('admin1', 'admin2', ...)
and "isProxy" = true
and "actionResult" = 'SUCCESS'
--and time > now() - interval '1 week'
group by "clientIpAddress", "clientCountry", "actorAlternateId"
order by first_event desc

MITRE Technique: Command and Control | Proxy | ATT&CK T1090

2 Additional Queries For Administrative Okta Governance

Okta Log Query 1 – Access to Okta Admin App from Rare Locations

Monitor access to the Okta Admin Console from IP addresses the organization rarely uses. The query below first builds a baseline of organizational IP addresses (addresses used by more than two distinct users on more than one day in the past week) and then lists every admin app access that did not come from one of them.

Relevant Okta Events:

  • user.session.access_admin_app

Okta Log Query

-- Admin app access from non-organizational IP addresses
-- org_ips: addresses used by more than two distinct users on more than one day in the last week
with org_ips as (
	select "clientIpAddress", "clientCountry", count(timebucket) as active_days
	from (
		select date_trunc('day', "time") as timebucket, count(distinct "actorAlternateId") as user_count, "clientIpAddress", "clientCountry"
		from audit_log_okta_idp_entity
		where "actionResult" = 'SUCCESS'
		and "clientIpAddress" is not null  -- a NULL in the baseline would make the NOT IN below return no rows
		and "time" > now() - interval '1 week'
		group by timebucket, "clientIpAddress", "clientCountry"
		having count(distinct "actorAlternateId") > 2
	) daily
	group by "clientIpAddress", "clientCountry"
	having count(timebucket) > 1
)
select time, "clientIpAddress", "clientCountry", "actorAlternateId", "eventType", "actionResult"
from audit_log_okta_idp_entity aloie
where "eventType" = 'user.session.access_admin_app'
--and time > now() - interval '1 week'
and aloie."clientIpAddress" not in (select "clientIpAddress" from org_ips)
order by time desc

MITRE Technique: Initial Access | Valid Accounts | ATT&CK T1078 (https://attack.mitre.org/techniques/T1078/)

Okta Log Query 2 – Admin Sign-In With Abnormal Client Characteristics

Note: the following query is relevant only for tenants that have Okta's behavior detection enabled in their sign-on policies; without it the behavior columns are never populated.
Use Okta's sign-in behavior enrichments to detect suspicious sign-ins by Okta administrators. As written, the query fires only when all five behaviors are flagged at once, which is the strictest possible form: a new country implies a new geolocation and a new IP, but not necessarily a new device or a velocity violation, so consider alerting when two or more flags are set.

Relevant Okta Events:

  • user.session.start

Okta Log Query

-- Admin Sign-In With Abnormal Client Characteristics
select time, "clientIpAddress", "clientCountry", "actorAlternateId", "eventType" from audit_log_okta_idp_entity aloie
where "eventType" = 'user.session.start' and "actionResult" = 'SUCCESS'
and "actorAlternateId" in ('admin1', 'admin2', ...)
-- strict form: every behavior flagged on the same sign-in
and "clientBehaviorVelocity" = true
and "clientBehaviorNewIP" = true
and "clientBehaviorNewDevice" = true
and "clientBehaviorNewCountry" = true
and "clientBehaviorNewGeoLocation" = true
-- looser form: replace the five conditions above with a count of flags that are set
--and ("clientBehaviorVelocity"::int + "clientBehaviorNewIP"::int + "clientBehaviorNewDevice"::int + "clientBehaviorNewCountry"::int + "clientBehaviorNewGeoLocation"::int) >= 2
order by time desc

MITRE Technique: Initial Access | Valid Accounts | ATT&CK T1078 (https://attack.mitre.org/techniques/T1078/)
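Scenario 4 and the two governance queries above all come down to enrichment on user.session.start plus a baseline of organizational IP addresses. The following added example (not code from the original post) does both over raw Okta System Log JSON: it builds the same "more than two users on more than one day" baseline as the org_ips CTE, lists Admin Console access from any other address, and flags administrator sign-ins that Okta marked as proxied (securityContext.isProxy) or that tripped at least two behavior detections, parsed from the debugContext.debugData.behaviors string. The administrator list, the two-flag threshold and the sample records are assumptions.

```python
"""Scenario 4 plus both governance queries over raw Okta System Log JSON.
Added example, not code from the original post. Field paths follow the Okta
System Log API: securityContext.isProxy and the behaviour enrichment string in
debugContext.debugData.behaviors ("{New IP=POSITIVE, Velocity=NEGATIVE, ...}").
Administrator list, thresholds and sample records are assumptions."""
from collections import defaultdict

ADMINS = {"okta-admin@example.com"}  # assumed set of administrator logins


def org_ip_baseline(events, min_users=3, min_days=2):
    """IPs used successfully by >= min_users distinct users on >= min_days
    distinct days (same rule as the org_ips CTE: >2 users on a day, on >1 day)."""
    users_by_ip_day = defaultdict(set)
    for e in events:
        ip = e["client"].get("ipAddress")
        # skip failures and events without an IP (a NULL in the baseline breaks a SQL NOT IN)
        if e.get("outcome", {}).get("result") == "SUCCESS" and ip:
            users_by_ip_day[(ip, e["published"][:10])].add(e["actor"]["alternateId"])
    busy_days = defaultdict(int)
    for (ip, _day), users in users_by_ip_day.items():
        if len(users) >= min_users:
            busy_days[ip] += 1
    return {ip for ip, days in busy_days.items() if days >= min_days}


def admin_app_from_rare_ip(events, baseline):
    """Admin Console access (success or failure) from an IP outside the baseline."""
    return [(e["published"], e["client"].get("ipAddress"), e["actor"]["alternateId"])
            for e in events
            if e.get("eventType") == "user.session.access_admin_app"
            and e["client"].get("ipAddress") not in baseline]


def parse_behaviors(raw):
    """'{New IP=POSITIVE, Velocity=NEGATIVE}' -> {'New IP': True, 'Velocity': False}"""
    out = {}
    for part in raw.strip("{}").split(","):
        if "=" in part:
            name, value = part.rsplit("=", 1)
            out[name.strip()] = value.strip() == "POSITIVE"
    return out


def suspicious_admin_signins(events, admins=ADMINS, min_positive=2):
    """Successful admin sign-ins that Okta marked as proxied or that tripped at
    least min_positive behaviour detections (the SQL demands all five at once)."""
    hits = []
    for e in events:
        if (e.get("eventType") != "user.session.start"
                or e.get("outcome", {}).get("result") != "SUCCESS"
                or e["actor"]["alternateId"] not in admins):
            continue
        reasons = []
        if e.get("securityContext", {}).get("isProxy"):
            reasons.append("proxy")
        raw = e.get("debugContext", {}).get("debugData", {}).get("behaviors", "")
        positive = sorted(k for k, v in parse_behaviors(raw).items() if v)
        if len(positive) >= min_positive:
            reasons.append("behaviors:" + "|".join(positive))
        if reasons:
            hits.append({"time": e["published"], "actor": e["actor"]["alternateId"],
                         "ip": e["client"].get("ipAddress"), "reasons": reasons})
    return hits


def _event(event_type, actor, ip, published, is_proxy=False, behaviors=None):
    """Constructed System Log record with only the fields read above."""
    return {"eventType": event_type, "published": published,
            "outcome": {"result": "SUCCESS"},
            "actor": {"type": "User", "alternateId": actor},
            "client": {"ipAddress": ip},
            "securityContext": {"isProxy": is_proxy},
            "debugContext": {"debugData": {"behaviors": behaviors} if behaviors else {}}}


OFFICE, RARE = "192.0.2.10", "198.51.100.7"
QUIET = "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE}"
NOISY = "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=POSITIVE, New Country=NEGATIVE, Velocity=NEGATIVE}"
SAMPLE_EVENTS = [
    # three staff sign in from the office egress on two days, so it becomes a baseline IP
    _event("user.session.start", u, OFFICE, f"2023-09-{d}T08:00:00.000Z")
    for d in ("11", "12") for u in ("a@example.com", "b@example.com", "c@example.com")
] + [
    _event("user.session.start", "okta-admin@example.com", OFFICE, "2023-09-12T08:55:00.000Z", behaviors=QUIET),
    _event("user.session.access_admin_app", "okta-admin@example.com", OFFICE, "2023-09-12T09:00:00.000Z"),
    # same admin, late at night, through a proxy, from an address nobody else uses
    _event("user.session.start", "okta-admin@example.com", RARE, "2023-09-12T23:09:00.000Z", is_proxy=True, behaviors=NOISY),
    _event("user.session.access_admin_app", "okta-admin@example.com", RARE, "2023-09-12T23:10:00.000Z"),
]

if __name__ == "__main__":
    baseline = org_ip_baseline(SAMPLE_EVENTS)
    print("organizational IPs:", baseline)
    print("admin app access from rare IPs:", admin_app_from_rare_ip(SAMPLE_EVENTS, baseline))
    print("suspicious admin sign-ins:", suspicious_admin_signins(SAMPLE_EVENTS))
```

Build the baseline from a longer window than the events you evaluate (a week of sign-ins versus the last day of admin activity); building both from the same short slice lets an attacker who signs in a few times a day from one address promote it into the baseline.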

Learn More

Discover more Okta Security best practices to Implement Now with Rezonate.
