Problem: Assurance decay
Assurance decay is a security risk that grows over time during a user's active session, even after a successful, secure login. While traditional security models are effective at the front door, they lose visibility once a user is inside. A valid session token, once issued, becomes a valuable target for attackers.
Session hijacking and similar post-authentication attacks sidestep the login step altogether: an attacker who steals an already-issued session token inherits the user's access without ever presenting credentials or completing MFA, and the malicious activity can occur minutes or hours after a legitimate login without our being aware of it. Over 80% of all data breaches are linked to attacks on identity, and we knew we couldn't afford to ignore this rising tide of post-authentication threats.
This understanding was the catalyst for Okta’s journey. We recognized that our commitment to secure identity, a cornerstone of our security strategy, had to extend beyond the login prompt. Our quest was for a solution that could not just enforce policies at the point of access but maintain a continuous level of trust throughout every user session. We found that solution in Okta Identity Threat Protection with Okta AI, a key component of Okta's Secure Identity Commitment.
Solution: Identity Threat Protection
Okta Identity Threat Protection was the missing piece of our security puzzle. It unifies risk insights and continuously assesses and responds to threats in real time, during and after login. Its native integration within the Okta Identity Cloud gives it the unique ability to monitor user behavior at the most critical control point: identity.
The product's core capabilities addressed our assurance decay problem directly. Three features were particularly critical to our decision:
- Continuous Context Evaluation: This feature is based on the principle that trust is not static; it continuously evaluates risk and user context throughout an active session. Far beyond a single check at login, the feature monitors for changes in network zones, device context, and user behavior in real time, even when a user is not actively interacting with Okta. For this evaluation to have accurate context to work with, our network zones, session policies, and authentication policies had to be configured correctly first.
- Entity Risk Monitoring: Entity risk refers to a user’s risk level across all devices, sessions, and applications. The entity risk policy monitors for user risk-level changes related to identity-based threats like session hijacking, brute-force attacks, and sign-ins from high-threat IP addresses. Within the entity risk policy, you can configure specific actions to take when a user's risk changes to high or medium levels.
- Precision Risk Response: This is a universal logout setting that terminates a user's active sessions in all supported apps in response to identity-based threats. It ensures that a user's sessions are ended whenever a threat warrants it, such as a bad actor hijacking the user's session, an employee being terminated, a change in the user's risk level, a lost device, an insider threat, or a credential compromise.
Together, these capabilities facilitate "always-on" protection that safeguards user sessions from sophisticated post-authentication attacks, helping to fulfill the promise of a secure identity commitment.
Our deployment of Okta Identity Threat Protection was a strategic, phased journey that moved methodically from a state of monitoring and observation to one of proactive enforcement. This gradual approach allowed us to build confidence in the product’s capabilities and tailor its responses to our specific environment.
Phase 1: Getting started and foundational configuration
We began our security enhancement journey by preparing our environment for the dynamic protection offered by Identity Threat Protection. This involved a thorough review of our foundational security configurations, including network zones, global sessions, and authentication policies. Our goal was to ensure these controls were robust enough to support the real-time data collection and policy evaluations that Identity Threat Protection requires.
Our foundational security posture included key measures like a mandatory VPN for all employees and managed device configurations for macOS, Windows, iOS, and Android. We also rolled out Okta FastPass as our primary, phishing-resistant authenticator, and we integrated trust signals from our Endpoint Detection and Response solution so that device health is part of every login decision and continues to be evaluated for risk after it.
Phase 2: Learning and planning
With our foundational controls in place, our primary objective was to observe and learn, not to enforce. We deployed Identity Threat Protection in a monitoring-only mode and configured it to collect and analyze signals from user sessions without taking any automated action. This allowed us to discover risk detection events in our organization and understand the types of threats our users were facing post-authentication. We could see in our System Log and Admin Dashboard when an IP address changed mid-session or when a user's device posture regressed.
Phase 3: Enforcement
Once we had a clear understanding of the threats and were confident in the system's ability to detect them, we moved on to the enforcement phase. For high-risk threats, we configured the most powerful automated response: Universal Logout. We identified a few key, high-risk applications that supported the Universal Logout framework and deployed the policy for them first.
When Identity Threat Protection detected a confirmed threat, such as a session cookie replay, the system would automatically terminate all of the user's sessions across all connected devices and supported applications. This was a game-changer: it removed the need for a manual, time-consuming response to a potential breach and shortened the window in which a stolen session could be used.
Our phased, data-driven journey from monitoring to enforcement ensured a smooth transition and maximized the value of our Identity Threat Protection implementation.
What we learned
Based on our experience, we’ve learned some key technical and communication lessons about enforcing Okta Identity Threat Protection.
Technical guidance
- Custom Identity Threat Protection admin roles: Create a dedicated, custom Identity Threat Protection administrative role for your Cyber Defense Team. This ensures they have the specific permissions needed to manage Identity Threat Protection without granting unnecessary access to other Okta administrative features.
- Automated response to high-risk events: Configure a policy to immediately enforce user logout when an entity risk score changes to "High." This is a critical step for containing a potential threat.
- Log and investigate medium-risk events: For entity risk score changes to "Medium," ensure these events are meticulously logged for your security team to investigate. While not requiring an immediate logout, these events are often precursors to more serious attacks.
- Leverage Entity Risk Reports: The Entity Risk Report is an essential tool for Okta and Identity Threat Protection administrators. Regular review of this report is crucial for understanding your organization's overall risk posture and for identifying emerging threats.
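The detection and response flow described in Phase 2, Phase 3, and the guidance above, as an added example that is not Okta's code or part of the original post. It assumes a simplified, constructed event format (fields `ts`, `user`, `session`, `ip`, `device_managed`, `event`) rather than the real System Log schema, and a hypothetical mapping of signals to risk levels (`SIGNAL_RISK`): a mid-session IP change is treated as High and triggers a universal-logout style revocation of every session the user holds, while a device that regresses from managed to unmanaged is treated as Medium and is queued for investigation. The in-memory `SessionStore` stands in for the sessions an IdP and its apps would hold.

```python
"""Session-risk monitor over constructed, simplified log events.

Added example, not Okta's code. The event schema and the SIGNAL_RISK
mapping below are assumptions made for illustration.
"""
from collections import defaultdict
import json

HIGH, MEDIUM = "high", "medium"

# Hypothetical policy: which mid-session signal maps to which entity risk level.
SIGNAL_RISK = {"ip_change": HIGH, "posture_regression": MEDIUM}

# Constructed sample events (not real log data). alice's session s-100 changes
# IP mid-session while she also holds a second session s-101; bob's session
# s-200 regresses from a managed to an unmanaged device.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice", "session": "s-100", "ip": "203.0.113.10", "device_managed": True,  "event": "login"},
    {"ts": 2, "user": "alice", "session": "s-100", "ip": "203.0.113.10", "device_managed": True,  "event": "app_access"},
    {"ts": 3, "user": "alice", "session": "s-100", "ip": "198.51.100.7", "device_managed": True,  "event": "app_access"},
    {"ts": 4, "user": "alice", "session": "s-101", "ip": "203.0.113.10", "device_managed": True,  "event": "login"},
    {"ts": 5, "user": "bob",   "session": "s-200", "ip": "192.0.2.44",   "device_managed": True,  "event": "login"},
    {"ts": 6, "user": "bob",   "session": "s-200", "ip": "192.0.2.44",   "device_managed": False, "event": "app_access"},
]


def detect_session_changes(events):
    """Walk events in time order and flag context changes within a session.

    The first event seen for a session sets its baseline IP and device
    posture. A later event from a different IP, or from a device that was
    managed and is now unmanaged, produces a detection. The baseline is
    updated after each change so a second hop is reported as a new change
    rather than repeated on every subsequent event.
    """
    baseline = {}
    detections = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if sid not in baseline:
            baseline[sid] = {"ip": ev["ip"], "managed": ev["device_managed"]}
            continue
        base = baseline[sid]
        if ev["ip"] != base["ip"]:
            detections.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                               "signal": "ip_change",
                               "detail": f"{base['ip']} -> {ev['ip']}"})
            base["ip"] = ev["ip"]
        if base["managed"] and not ev["device_managed"]:
            detections.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                               "signal": "posture_regression",
                               "detail": "managed -> unmanaged"})
            base["managed"] = False
    return detections


class SessionStore:
    """In-memory stand-in for the sessions an IdP and its apps hold per user."""

    def __init__(self):
        self.sessions = defaultdict(set)  # user -> active session ids

    def ingest(self, events):
        for ev in events:
            if ev["event"] == "login":
                self.sessions[ev["user"]].add(ev["session"])

    def revoke_all(self, user):
        """Universal-logout style response: drop every session the user holds,
        not only the one that raised the alarm. Returns the revoked ids."""
        return sorted(self.sessions.pop(user, set()))


def respond(detections, store):
    """Apply the entity-risk policy: High -> revoke all sessions, Medium -> log."""
    actions = {"revoked": {}, "investigate": []}
    for d in detections:
        if SIGNAL_RISK[d["signal"]] == HIGH:
            if d["user"] not in actions["revoked"]:  # revoke once per user
                actions["revoked"][d["user"]] = store.revoke_all(d["user"])
        else:
            actions["investigate"].append((d["user"], d["session"], d["signal"], d["detail"]))
    return actions


def run(events=SAMPLE_EVENTS):
    store = SessionStore()
    store.ingest(events)
    return respond(detect_session_changes(events), store)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running the block revokes both of alice's sessions (s-100 and s-101) on the strength of the IP change in s-100, and records bob's posture regression for investigation without ending his session. In a real deployment the revocation step would be the IdP calling each app's Universal Logout endpoint; the decision logic is the part this example is meant to show.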
Stakeholder communication
- Communicate proactively: Effective communication with internal stakeholders, both before and during Identity Threat Protection enforcement, is crucial. Proactive messaging prevents confusion and ensures that departments understand why certain actions, like automated logouts, are being taken.
Impact: Realized business value
By deploying Okta Identity Threat Protection, we have filled the security gap left by assurance decay and realized significant and measurable business value. Our security posture is now proactive and continuous, extending beyond initial authentication.
Perfect complement: Identity Security Posture Management and Okta Identity Threat Protection
We're constantly working to enhance our security infrastructure to protect our organization and our users. A cornerstone of this effort is a robust identity and access management strategy. We believe security isn't just about reacting to threats; it's about proactively building a strong defense.
That's why we’ve been working on adopting Okta's Identity Security Posture Management, a move that represents a significant step forward in our comprehensive security journey. Okta Identity Security Posture Management works hand-in-hand with Okta's Identity Threat Protection, a solution we already leverage.
While Identity Threat Protection is designed to detect and respond to identity-based threats in real time, Identity Security Posture Management focuses on preventing the conditions that allow such attacks to succeed.
Advanced posture check: FastPass phishing detection
To enhance our proactive defense against phishing, we’re planning a new detection capability for Identity Threat Protection that identifies suspicious login attempts originating from IP addresses flagged in previous phishing campaigns. The security team will evaluate and roll out this feature to fortify our identity security posture.
Interested in replicating Okta’s process? Read our setup guide for Identity Threat Protection.