I've been an Okta customer for almost 10 years, and I stand by them! I'm happy to report the DNC was not affected by this incident. There's been plenty of public criticism of their response, some of which is warranted but a lot of which is just plain unhelpful and rude. If we're going to unite as a community to improve our cybersecurity maturity, we need to learn from these experiences together and walk away with actionable insights in a healthy manner.

I want to highlight what went right:

1. Okta Security received an alert that a new factor was added to a Sitel employee's Okta account from a new location. Bravo for proper logging and monitoring to detect and alert on these types of behavior. You'll be surprised how many organizations don't have a basic SIEM.
2. Okta Security investigated the alert and escalated it to a security incident. You'll be surprised how many organizations don't have an incident response plan to help identify and escalate issues.
3. Screenshots shared online by LAPSUS$ - Okta was not surprised and determined that the screenshots were related to the January incident at Sitel. How many instances have we seen organizations get caught by surprise only to learn they have been breached for months before declaring an incident? I commend Okta for not being in this reactive state! I'd be more concerned if they didn't know this happened at all!
4. When the first communication didn't meet expectations, they didn't give up and tried again until they got it right. David Bradbury stood in front of a large audience and took responsibility. That takes courage and demonstrates great leadership and ownership. I'm glad he didn't blame an intern!
5. Their commitment to customers is apparent in this latest posting: https://lnkd.in/gYVxg4Wk. They're empowering us to be part of the solution to build trust and transparency. Trust but verify!

Like any incident, there are always things we can do better. Why do you think we have a lessons learned phase?!
There is no such thing as perfect, and we need to set the right expectations before casting stones. I'd rather partner with an organization that has been battle-tested and demonstrates readiness and resiliency versus an organization that has never dealt with these difficult situations. For those who were overly critical, I challenge you to step back and do a self-assessment and see if you can do better. I'm proud that President Biden made this statement to bring more awareness: https://lnkd.in/gmYMRPnU

Are you practicing these basics and preparing yourself? https://lnkd.in/gRyyAYMC

#cybersecurity #security #leadership #communication #okta #lapsus #incidentresponse #informationsecurity #zerotrust
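The detection credited in point 1 of the post (an MFA factor enrolled from a location the user has never logged in from) can be expressed as a small rule over identity-provider log events. This is an added example, not code from Okta or from the post; the event records are constructed and loosely modelled on Okta System Log fields, and the event-type strings are assumed rather than taken from Okta's documentation.

```python
from collections import Counter, defaultdict

# Event-type strings are assumed for this example (loosely modelled on Okta
# System Log naming), not taken from Okta's documentation.
SESSION_START = "user.session.start"
FACTOR_ACTIVATE = "user.mfa.factor.activate"


def ev(time, user, etype, country, city, outcome="SUCCESS"):
    """Build one constructed log record in the shape the detector expects."""
    return {"time": time, "user": user, "eventType": etype,
            "outcome": outcome, "country": country, "city": city}


# Constructed sample events: two normal logins from Phoenix, then a login and
# an MFA enrollment from an unfamiliar location, plus two benign enrollments.
SAMPLE_EVENTS = [
    ev("2022-01-10T09:00:00Z", "analyst@example.test", SESSION_START, "US", "Phoenix"),
    ev("2022-01-12T09:05:00Z", "analyst@example.test", SESSION_START, "US", "Phoenix"),
    ev("2022-01-16T22:40:00Z", "analyst@example.test", SESSION_START, "XX", "Unknown"),
    ev("2022-01-16T22:41:00Z", "analyst@example.test", FACTOR_ACTIVATE, "XX", "Unknown"),
    ev("2022-01-17T08:00:00Z", "admin@example.test", FACTOR_ACTIVATE, "US", "Denver"),
    ev("2022-01-18T09:10:00Z", "analyst@example.test", FACTOR_ACTIVATE, "US", "Phoenix"),
]


def detect_factor_from_new_location(events, min_logins=2):
    """Alert when a user activates an MFA factor from a (country, city) with
    fewer than `min_logins` earlier successful logins for that user.
    Requiring more than one prior login means the single session opened just
    before the enrollment does not make the location look familiar."""
    seen = defaultdict(Counter)  # user -> Counter of (country, city) login locations
    alerts = []
    for rec in sorted(events, key=lambda e: e["time"]):
        if rec["outcome"] != "SUCCESS":
            continue
        user, loc = rec["user"], (rec["country"], rec["city"])
        if rec["eventType"] == FACTOR_ACTIVATE:
            if not seen[user]:
                continue  # no login history yet: first-time onboarding, not an anomaly
            if seen[user][loc] < min_logins:
                alerts.append({"time": rec["time"], "user": user, "location": loc,
                               "prior_logins_here": seen[user][loc]})
        elif rec["eventType"] == SESSION_START:
            seen[user][loc] += 1  # baseline only grows from logins seen before the enrollment
    return alerts


if __name__ == "__main__":
    for a in detect_factor_from_new_location(SAMPLE_EVENTS):
        print(f"ALERT {a['time']} {a['user']} enrolled a factor from {a['location']} "
              f"(prior logins there: {a['prior_logins_here']})")
```

In production the baseline would come from a longer history than the last few events, and the alert would be routed into the escalation path the post's point 2 describes.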
Steve T. Well said! The public is too quick to judge without knowing all the facts. One incident should not erase all the good that an organization has achieved. Okta is a great security tool that has helped countless organizations over the years. In other posts I’ve warned about throwing stones. In the end, we should do more to communicate more effectively, but also support the security community when there is failure. We can all benefit from the lessons learned together.
Spot on, Steve Tran, well said.
I agree that it is important to look at the elements that went right, because there are lessons for everyone there too. That being said, what verification of Sitel policy and procedures was undertaken when onboarding them as a supplier? How frequently are they assessing their supply chain? Is their assessment process adequately tiered? Are the assessments supplier relevant or a generic catch-all attempt? Chris Roberts has posted previously about key info to gather in Supplier Assurance processes, and it rarely seems to be the case 🤷♂️
Thanks for sharing! I really like the prompt response to the escalation.
Way to go, Steve T. I was wondering if/when customers who actually know first-hand how great Okta is/has been during this were going to make their voices known. There's a lot of noise out there and it's people like you that are helping others understand the reality. So thank you!
While I agree that it's good to focus on the positive (and name calling and slapping are unproductive at best) and learn from the negative, some of the "positive" things, in my opinion, should be table stakes for such a key component of the ecosystem's security infrastructure - logging, SIEM, alerting, IR - I'm not sure I give particular positive credit for these functions to a security vendor running a security service critical to its customers.
Well said, Steve T. We need to learn from this and get better. If we just point fingers and blame, that is not constructive.
My main issue with this situation is companies that aren’t eating their own dog food. If they had internally lived and breathed their zero trust paradigm, this could have been avoided at best, substantially mitigated at worst. I’ve worked for a few CSOs and this isn’t the first company to not employ internally the concept they’re selling. A great CISO I once worked for was a huge proponent of eating your own dog food, and it is just a systemic failure when you don’t.
I agree. Finger pointing and judging is not the way to go. Unless we have been in their shoes, we can't really comment, especially negatively.