Take the First Steps Toward a Zero-Trust Model with Okta Automation

Managing multiple accounts across various cloud and on-premise infrastructures centrally is a challenge for most security operations centers. To address this ever-increasing need, the LogRhythm Office of the CISO recently implemented Okta.

Okta enables a nearly seamless management process for IT, the Office of the CISO, and global employees. It is a key component to LogRhythm’s vision of embracing a Zero-Trust security model, helping to expand services between on-premise and in the cloud. While integrating applications and visualizing this data within the SIEM is a great first step, it’s beneficial to take this process a bit further by fully automating Identity Access Management (IAM) with the SIEM at the center.

Please note: All of the items covered in this blog can be downloaded here: https://github.com/LogRhythm-Labs/Invoke-Okta

Visualizing Okta Data

To begin implementing a Zero-Trust model using Okta, you need to first visualize the Okta data you’re ingesting into the SIEM. This is pretty straightforward. You can use LogRhythm’s Okta Integration Guide to develop a dashboard to quickly and easily visualize the diverse authentication activity occurring within your organization.

LogRhythm Web Console use to Quickly and Easily Visualize Okta DataFigure 1: LogRhythm Web Console Used to Quickly and Easily Visualize Okta Data

When analyzing the dashboard, you can pick up on key data points that make this data a vital resource for understanding employee authentication activity. However, there is more you can do with this information. For example, leverage LogRhythm AI Engine to trigger alarms on suspicious activities.

Okta and AI Engine Rules Alert to Account Compromise

Alarm Fires to Alert to a New Okta API Key CreationFigure 2: Alarm Fires to Alert to a New Okta API Key Creation

Detecting Brute Force ActivityFigure 3: Detecting Brute Force Activity

Alarming When an Account Has Been Locked OutFigure 4: Alarming When an Account Has Been Locked Out

Triggering on a Successful Authentication, but Failed Multifactor LoginFigure 5: Triggering on a Successful Authentication, but Failed Multifactor Login (Likely Compromised Credentials)

SmartResponse Integrates with Okta

There are countless security and operations-related possibilities with Okta; however, this example focuses on the account lockout use case. When accounts are locked out, you should do more than simply notify the security operations center (SOC). One option is creating a SmartResponse™ action that sends emails off to the IT and Security Operations teams to let them know when this occurs. In addition, this SmartResponse will send an email to the end user, letting the individual know about their account lockout right away, so that he or she can contact IT to get their resolve system access.

End User is Alerted of Account LockoutFigure 6: End User Receives Alert of Account Lockout

This alert is only scratching the surface. In addition to setting up simple notifications, you should fully automate account management. For this reason, I created Invoke-Okta. Invoke-Okta is a PowerShell script that utilizes the Okta API to fully handle a majority of security-focused use cases, such as clearing user sessions across all Okta-integrated applications or resetting a user’s password.

Invoke-Okta is Used to Clear User SessionsFigure 7: Invoke-Okta Clears User Sessions

Integrating this script into a SmartResponse allows you to perform even more impactful actions within the Okta API from directly within the SIEM.

Figure 8: Okta SmartResponse Actions are CombinedFigure 8: Combine Okta SmartResponse Actions for Successful Outcomes

You can combine this SmartResponse with the previously mentioned employee notification email, to provide the ability to unlock an account directly from the Alarm page with the click of a button.

AI Engine Fires to Unlock an Account Following SOC Lead ApprovalFigure 9: AI Engine Fires to Unlock an Account Following SOC Lead Approval

These SmartResponse actions can be combined to suit the organization’s needs around both security and operations — simplifying and streamlining the process of IAM automation with the SIEM.

SmartResponse Actions Combined to Suit the Organization’s Needs Around Both Security and OperationsFigure 10: SmartResponse Actions Combined to Suit the Organization’s Needs Around Both Security and Operations

IAM Management in a single User Interface

Many organizations are embracing cloud-centric models and moving toward a Zero-Trust model. However, not many can seamlessly manage and respond to IAM-related attacks from a single user interface. By utilizing the power of Okta and LogRhythm together, you can provide the full capabilities of IAM management to both the SOC and IT Operations, giving these teams the tools they need to understand their threat landscape and respond to threats in seconds, all without leaving the SIEM.