Okta Inc.

10/14/2024 | News release | Distributed by Public on 10/14/2024 14:14

Okta Identity Security Posture Management and Workflows: Automated detection and remediation of local accounts

In a previous blog about Okta Identity Security Posture Management, we discussed the challenges enterprises face when managing and securing local accounts, and some potential solutions. Today, we'll walk through an example solution for security teams that works regardless of which application creates the local users.

What we'll explain is based on a two-step process:

  1. Okta Identity Security Posture Management detects local accounts, correlates their risks, and prioritizes remediation for the ones that matter most.
  2. Okta Workflows allows auto-remediation with flexible pre-built templates and connectors.

Prioritization is king

Security teams are buried under thousands of alerts from multiple tools every day, and IT teams risk being flooded with tickets for security-driven misconfigurations they are asked to fix.

Alerts vary in their impact, in how actionable they are, and in how much business friction their remediation causes. Too often, security teams default to manual processes, which means responding too late and allowing attackers to get in before the risk is eliminated.

Furthermore, a lack of the expertise and permissions required to investigate and remediate issues in downstream apps reduces productivity even further and wastes time and resources. That's why, out of all the issues detected, security teams need to be able to prioritize effectively, addressing the most critical and actionable vulnerabilities first.

Practical example

Let's take a real-life, common example called "Entra ID local unused, no multi-factor, old password admin." Of all local accounts, unused privileged accounts with no multi-factor authentication (MFA) and old passwords are the most actionable, carry the highest risk, and are the most likely to make your organization vulnerable.

Why? Let's review these in more detail.

  • Most actionable: Unused accounts can be disabled with minimal impact on business operations.
  • Highest risk: Privileged accounts with admin permissions can cause significant damage if compromised and are prime targets for attackers.
  • Most vulnerable: Accounts without MFA and with old passwords present clear attack paths for threat actors.

Remediation is straightforward, with two alternatives available.

  1. Focus on the risky user and reduce risk by immediately disabling the local account, removing the privileged permissions, and resetting the password.
  2. Take a more systemic approach by creating an access review campaign (to decide whether access should be restored), or replace the local account with an Okta federated user account and enforce MFA.

Now let's see how such an approach can be implemented using the Okta platform in a fictitious case study.

Walk-through: Detection and auto-remediation with Okta Identity Security Posture Management and Workflows

Fictitious case study: ACME Corp

Ali, an employee at ACME Corp, created a local account in Microsoft Entra ID with the Application Administrator role. After she transitioned to a new role three months ago, the account was left unused and vulnerable:

  1. Single sign-on not enforced: Ali's account allowed username and password login instead of passwordless methods like FastPass.
  2. Lack of central security policies: No MFA was required for her account.
  3. Stale credentials: The password had not been updated for months.
  4. Privileged access: Ali's admin permissions enabled her to create applications with access to sensitive user data.

This context is far from ideal from an Identity Security posture standpoint.

The attacker perspective

A potential attacker could exploit Ali's local account by leveraging its admin permissions to create malicious applications, access sensitive data, or compromise other user accounts, significantly jeopardizing organizational security.

Strengthening ACME's Identity Security posture

ACME's security team deploys Okta Identity Security Posture Management. Integration with Microsoft Entra ID continuously updates the Identity inventory, which includes Ali's local user account ([email protected]). The team has also configured Okta Identity Security Posture Management and the Okta core platform to connect via Workflows using webhooks.

The solution correlates Ali's access, permissions, and security posture, confirming:

  • This account is local and belongs to Ali.
  • The account is unused.
  • MFA is not set up.
  • The password is outdated and appears in leaked password lists.
  • The account possesses admin privileges.

Upon detection, an alert titled "Unused, No MFA, Old Password Admin" is triggered.

  • An event hook labeled "Local Users Remediation" activates an automated workflow, which disables Ali's local account in Entra ID.
  • The issue is subsequently marked resolved, mitigating the risk.
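The two-step process above (prioritize the "unused, no MFA, old password admin" accounts, then disable them automatically) can be sketched in code. The following is an added example written for this page; it is not Okta Identity Security Posture Management, Okta Workflows or Microsoft code, and it does not use any Okta webhook payload format. The account inventory, the 90-day thresholds, the priority weights and the short list of privileged roles are all constructed assumptions. The one real API detail is the Microsoft Graph operation a remediation workflow would perform: PATCH /users/{id} with accountEnabled set to false. The request is built and returned rather than sent, so the example runs offline.

```python
"""Triage local Entra ID accounts and emit the disable action for the
top-priority rule. Added example, not vendor code; inventory and
thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, FrozenSet, Set, List, Tuple, Dict
import json

TODAY = date(2024, 10, 14)          # fixed reference date for determinism
UNUSED_DAYS = 90                     # assumption: policy threshold
PASSWORD_MAX_AGE_DAYS = 90           # assumption: policy threshold

# Assumption: a short list of Entra ID built-in roles treated as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Privileged Role Administrator", "User Administrator"}


@dataclass(frozen=True)
class LocalAccount:
    object_id: str                   # Entra ID object id (constructed)
    upn: str
    roles: FrozenSet[str]
    mfa_registered: bool
    last_sign_in: Optional[date]     # None means never signed in
    password_changed: date
    password_leaked: bool = False    # seen in a leaked-password list


def findings(acct: LocalAccount, today: date = TODAY) -> Set[str]:
    """Correlate one account's attributes into posture findings."""
    f = set()
    if acct.last_sign_in is None or (today - acct.last_sign_in).days >= UNUSED_DAYS:
        f.add("unused")
    if not acct.mfa_registered:
        f.add("no_mfa")
    if (today - acct.password_changed).days >= PASSWORD_MAX_AGE_DAYS:
        f.add("old_password")
    if acct.password_leaked:
        f.add("leaked_password")
    if acct.roles & PRIVILEGED_ROLES:
        f.add("admin")
    return f


def priority(f: Set[str]) -> int:
    """Higher means remediate first. Weights are assumptions that mirror the
    page's reasoning: admin rights dominate risk, and an unused account is
    the most actionable because disabling it has almost no business impact."""
    weights = {"admin": 40, "unused": 30, "leaked_password": 20,
               "no_mfa": 15, "old_password": 10}
    return sum(weights[k] for k in f)


def triage(accounts: List[LocalAccount], today: date = TODAY
           ) -> List[Tuple[int, LocalAccount, Set[str]]]:
    """Step 1: score every account with findings, highest risk first."""
    rows = [(priority(f), a, f) for a in accounts if (f := findings(a, today))]
    rows.sort(key=lambda r: -r[0])
    return rows


def matches_unused_no_mfa_old_password_admin(f: Set[str]) -> bool:
    """The page's alert rule: all four conditions must hold."""
    return {"unused", "no_mfa", "old_password", "admin"} <= f


def disable_request(acct: LocalAccount) -> Dict[str, object]:
    """Build the Microsoft Graph call that disables the account.
    PATCH /users/{id} with accountEnabled=false is the documented Graph
    operation; it is returned, not sent, so this runs offline."""
    return {
        "method": "PATCH",
        "url": f"https://graph.microsoft.com/v1.0/users/{acct.object_id}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"accountEnabled": False}),
    }


def remediate(accounts: List[LocalAccount], today: date = TODAY) -> List[Dict[str, object]]:
    """Step 2: for every account matching the alert rule, emit the disable action."""
    return [disable_request(a) for _, a, f in triage(accounts, today)
            if matches_unused_no_mfa_old_password_admin(f)]


# Constructed inventory (not real data). The first entry reproduces Ali's case.
INVENTORY = [
    LocalAccount("0a1b2c3d-0000-4000-8000-000000000001", "ali@acme.example",
                 frozenset({"Application Administrator"}), False,
                 date(2024, 7, 10), date(2024, 2, 1), password_leaked=True),
    LocalAccount("0a1b2c3d-0000-4000-8000-000000000002", "bob@acme.example",
                 frozenset(), False, date(2024, 10, 13), date(2024, 9, 30)),
    LocalAccount("0a1b2c3d-0000-4000-8000-000000000003", "svc-backup@acme.example",
                 frozenset({"Global Administrator"}), True,
                 date(2024, 10, 12), date(2024, 1, 5)),
]

if __name__ == "__main__":
    for score, acct, f in triage(INVENTORY):
        print(score, acct.upn, sorted(f))
    for req in remediate(INVENTORY):
        print(req["method"], req["url"], req["body"])
```

Only Ali's account satisfies all four conditions and gets a disable request; the active Global Administrator with an old password is ranked second but left for the systemic path (access review, password reset), and the active account lacking only MFA ranks last. Sending the request for real requires an Entra application token with a permission such as User.ReadWrite.All, and an account that holds a privileged role can only be modified by a caller that is itself privileged, so the workflow's service principal needs that role or the call fails.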

This simple example demonstrates Okta Identity Security Posture Management's ability to surface high-risk users and prioritize their remediation. It also shows that the findings are actionable and that the solution integrates tightly with the Okta platform. Note that automated remediation is not limited to Okta applications: customers can integrate their own tooling using webhooks.

Bigger picture: Okta Secure Identity Commitment

By using Okta Identity Security Posture Management to detect and correlate risks, combined with Okta Workflows for automated remediation, security teams can reduce risk effectively and immediately.

Okta Identity Security Posture Management is part of the Okta Secure Identity Commitment, Okta's long-term plan to lead the fight against Identity attacks. We're arming customers with the products and services they need to secure Identity in today's ever-changing threat landscape.

We're here to help, so please reach out to your Product Manager to see how Okta Identity Security Posture Management can impact your ability to manage your Identity security posture and reduce your risk of being breached.