To create the position of vice-president of customer trust just weeks before your organisation becomes the focal point of a major cyber security incident exhibits the kind of prescience an end-of-the-pier fortune teller can only dream of.
But that’s exactly what happened to Ben King, who after two years running regional security for authentication specialist Okta in EMEA and APAC, established a customer trust function within the business as a way to enhance the external-facing parts of its security team.
“Since then, we’ve been putting more structure on the bones of how we as a team talk to customers, markets, prospects, governments or regulators,” he says. “I report to David Bradbury, Global Chief Security Officer, and I now have regional CISOs reporting to me, an assurance team that does things like answering due diligence questionnaires from customers, and an outreach function that creates blogs and thought leadership pieces.”
Unknown to King, when he was setting up this function in February 2022, the event that would make Okta front-page news was already under way: another company in the tech industry, Sitel, had already been compromised.
The breach was the work of Lapsus$, a cyber extortion ring that exploited failures in multi-factor authentication (MFA) to compromise victims and steal their data. Although it never deployed any ransomware, it hit multiple tech companies over a four- or five-month period in early 2022, and its operations continue today, albeit with several minors having been arrested and charged in the UK in connection with the attacks.
Okta was caught up as an innocent bystander, and the first indication that something had gone wrong appeared at 11:20 PM GMT on 20 January 2022, when its security team received an alert that a new password had been added to a Sitel employee’s Okta account from a new location.
The attempt did not pass the MFA challenge, which blocked access to the Okta account. The team investigated the alert and escalated it to an incident. Shortly after midnight on the morning of 21 January, the rogue account’s Okta sessions were terminated and its access suspended.
Later that day, the Okta security team shared indicators of compromise (IoCs) with Sitel, which told them it had brought in cyber forensics support following an incident. While the issue appeared to be contained, the incident was put on hold pending a full investigation, which was presented to Okta in a brief report on 17 March.
However, five days later, on 22 March, Lapsus$ shared screenshots of Okta’s environment online. Customers rightfully panicked, and the rest is history.
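The detection chain described above (a password change on an account from a new location, followed by an MFA challenge that is not passed, then session termination) is the kind of thing a SOC wants to be able to spot in identity-provider audit logs. The following is an added example written for this article, not Okta’s own code or detection rules; the event shape, field names (`ts`, `user`, `event`, `geo`, `outcome`) and the sample records are all constructed for the illustration and do not reproduce real Okta System Log records. It builds each user’s baseline of locations from which they have previously passed MFA, flags a password change from any other location, and rates the alert by whether MFA was subsequently passed, which separates a failed account takeover (the situation the article describes) from a live session that needs containing.

```python
"""Flag credential changes from new locations and rate them by MFA outcome.

Added example, not Okta's code. Event shape and sample data are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data). Timestamps are UTC, ISO 8601.
SAMPLE_EVENTS = [
    # Baseline: the support engineer normally works from one location and passes MFA.
    {"ts": "2022-01-10T09:00:00Z", "user": "support.eng@example.test",
     "event": "mfa.challenge", "geo": "US-Florida", "outcome": "SUCCESS"},
    {"ts": "2022-01-18T09:02:00Z", "user": "support.eng@example.test",
     "event": "mfa.challenge", "geo": "US-Florida", "outcome": "SUCCESS"},
    # Suspicious sequence: password changed from an unseen location, then MFA fails.
    {"ts": "2022-01-20T23:20:00Z", "user": "support.eng@example.test",
     "event": "password.update", "geo": "ZZ-Unknown", "outcome": "SUCCESS"},
    {"ts": "2022-01-20T23:21:00Z", "user": "support.eng@example.test",
     "event": "mfa.challenge", "geo": "ZZ-Unknown", "outcome": "FAILURE"},
    # Benign control: another user changes a password from a known location and passes MFA.
    {"ts": "2022-01-20T10:00:00Z", "user": "admin@example.test",
     "event": "mfa.challenge", "geo": "GB-London", "outcome": "SUCCESS"},
    {"ts": "2022-01-21T10:00:00Z", "user": "admin@example.test",
     "event": "password.update", "geo": "GB-London", "outcome": "SUCCESS"},
    {"ts": "2022-01-21T10:01:00Z", "user": "admin@example.test",
     "event": "mfa.challenge", "geo": "GB-London", "outcome": "SUCCESS"},
]


def parse_ts(value):
    """Parse the constructed ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_credential_changes(events, window=timedelta(minutes=15)):
    """Return alerts for password changes from locations the user has never passed MFA from.

    The location baseline is built incrementally while scanning in time order, so
    only MFA successes that happened *before* a password change count as known.
    Severity: 'blocked_by_mfa' when no MFA success follows within `window`
    (a failed takeover), 'mfa_passed' when one does (a live session to contain).
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    baseline = {}  # user -> set of locations with a prior MFA success
    alerts = []
    for i, e in enumerate(ordered):
        if e["event"] == "mfa.challenge" and e["outcome"] == "SUCCESS":
            baseline.setdefault(e["user"], set()).add(e["geo"])
        if e["event"] != "password.update":
            continue
        if e["geo"] in baseline.get(e["user"], set()):
            continue  # change from a location this user has verified before
        t0 = parse_ts(e["ts"])
        mfa_ok = any(
            f["user"] == e["user"]
            and f["event"] == "mfa.challenge"
            and f["outcome"] == "SUCCESS"
            and t0 <= parse_ts(f["ts"]) <= t0 + window
            for f in ordered[i + 1:]
        )
        alerts.append({
            "user": e["user"],
            "ts": e["ts"],
            "geo": e["geo"],
            "severity": "mfa_passed" if mfa_ok else "blocked_by_mfa",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_changes(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the support engineer’s password change is raised, rated `blocked_by_mfa`; the admin’s change from a previously verified location is ignored. Either severity still deserves a ticket, because a credential was changed by someone who could not complete MFA, but the rating tells the responder whether the immediate job is session termination or a post-mortem of a blocked attempt.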
Doing a good job
Looking back on the incident, King says everyone and everything involved – including Okta’s zero-trust technology, which correctly identified the initial trigger and stopped it – hit their mark pretty well from the start.
“They [Sitel] did all the right things – access to our site and theirs was suspended, they engaged third-party forensics,” he says.
However, it took some time for the forensic report to arrive, and then another week for Okta to get visibility of it from Sitel, King said. With the benefit of hindsight, it is now clear that these gaps created problems in terms of how Okta’s well-thought-out response ultimately came across.
This problem was compounded because Lapsus$ posted screenshots taken during its brief period of access to the Sitel workstation. It must be emphasised at this point that these screenshots were obtained through the digital equivalent of shoulder-surfing on a crowded train – no systems belonging to Okta’s customers were compromised, and no critical data relating to Okta or its customers was taken.
Nevertheless, the release of Lapsus$’s screenshots elevated what was a minor compromise, and one that had in fact already been dealt with effectively, into global cyber security news. Reflecting on those days, King says Okta struggled with communication.
“We had a lot of people tell us, ‘You’re out on your blog and said you knew about it in January’, and we connected these events and said, ‘We were aware something was going on’, but a lot of people were saying, ‘Why didn’t you tell your customers in January?’. But as far as we knew, we had a failed account takeover, but no compromise,” he said.
“When we were running a live event, it was very difficult for us. We can’t guess, we need to have data. So we had to run the event before communicating. And I think that gap, when we couldn’t communicate in a lot of detail, made it very difficult for us from a trust standpoint.
“My manager talked about it being something we practise and tabletop. It was frustrating for us because we tabletop these types of events with the right people, with the CEO, with the comms team, and when a real event hits, we feel like we let ourselves down a little bit in terms of communication.”
“We were trying to let our customers know not to panic.”
Ben King, Okta
King added: “We were trying to let our customers know not to panic. I was talking to customers who were going to reset passwords for millions of users, and I said that support engineers don’t have access to see or reset passwords. If they reset them, they push to the end user through the email channel to do that flow. A password reset would not be required because of the possible compromise at Sitel.
“But we had some very concerned customers, obviously, and because we learned this at the same time as the market, we were paddling underwater very quickly.”
Okta’s silence quickly sparked speculation and criticism from high-profile names in the security industry, social media regulars, its competitors and even Lapsus$, which pushed back against Okta’s response and claimed its statements were false. Months later, the problem remains, King said.
“We’re still chasing a lot of people trying to pick holes in a very successful, very secure service,” he says. “I’m not a media expert, but it generates clicks, it generates ad revenue, I imagine, and if it’s a hot story for a day, I think people see that as a win.
“But it’s very difficult when we don’t have the information to correct the story, and when we do, there’s often no story to tell.”
Thousands of calls
Smartly, Okta has moved quickly to establish conversations with its customers, rather than spending time with reporters on corrections to news articles. Within days, it was able to share full, unredacted incident logs with every potentially affected customer. It notified just over 250 customers, though none of their data was seen by Lapsus$.
“We went out and notified a much larger number because we would have liked to have been notified if we were customers in this instance,” King said. “If there was any risk, we want to know.
“We gave them the full log, we went through the logs step by step, we did everything possible to try to rebuild that trust. I’ve fielded tens, if not hundreds, of customer calls. Other leaders in security and Okta, likewise, were on hundreds of calls. After all, we’ve probably called thousands of customers, some multiple times.
“Where we ended up landing, I think we got that confidence back. In fact, I’ve had some really good feedback from a lot of customers saying we did the right things and it was obviously a tough situation.
“Many CISOs who have gone through an incident really felt for us in terms of the speed of our response and communication. And in many respects, I feel that we are closer and have better trust with our customers, having been so deeply involved with all of them, so recently, than we were before the incident.
“But it was very difficult to respond to the media when we didn’t have all the answers.”
The changes Okta has made and continues to make following the experience are twofold. First, there is a renewed focus on third-party risk management that goes much deeper than before – King himself admits that Okta may have placed more faith than was wise in third-party attestations such as SOC 2 reports.
As a result, third-party providers such as Sitel (which Okta no longer works with) can no longer mark their own homework in this way, but must undergo a much deeper level of verification, more akin to a bank’s demands. King, who before moving supply-side ran the international, then European, cyber functions at Australia’s Commonwealth Bank, has a good deal of experience in running such compliance regimes.
“One of the first things we changed immediately was to audit our material suppliers in that regard, regardless of whether they have SOC 2 compliance, or they can show us ISO compliance or whatever,” he says.
While it still works with third parties, Okta will no longer allow them to use their own devices to access Okta’s systems – the Lapsus$ breach occurred entirely within a Sitel workstation.
“Going forward, any customer support engineer or firm doing similar services for us is forced to use an Okta endpoint,” King said. “In this incident, our ability to respond and communicate was somewhat hampered because we were unable to investigate what happened. We had to rely on third parties and their forensic teams to tell us what happened.
“But going forward, anyone supporting Okta needs to use our devices so we can make sure it’s patched, make sure it’s in good health, make sure we can monitor it. And if another such incident occurs, we’ll be able to investigate and remediate more quickly.
“It could mean that we can’t look at some suppliers going forward, or that things are a bit more expensive because we supply laptops to third parties. But it is the cost of security.”
Second, in terms of how Okta communicates security alerts or incidents to its customers, Okta is making changes based on feedback gathered from customers, many of whom said the disclosure process was not as smooth as it should have been.
As a result, Okta is taking several steps. First, it is establishing a dedicated security contact with each customer to serve as a dedicated touchpoint for talking to Okta’s security team. It doesn’t have to be one person; this can be a mailbox that every member of a customer’s SOC team has access to.
Then, later in the year, it will create a dedicated security channel to share information and data with customers. The details are yet to be finalised, but King is adamant that both channels of communication are kept strictly on topic. “I’m also a security professional – I’m contacted by vendors more than I want to be,” he says. “I like to communicate too much, I think it’s great, but it has to be legitimate communication.”
Ultimately, nobody in an organisation – let alone those who have dedicated heart and soul to cyber security – wants to be the victim of an attack, and a supply chain incident, over which you have even less control than you would if an attacker breached your own systems, is a uniquely painful experience.
But it’s also a learning experience, if you’re ready to learn from it. In fact, recently published UK government research found that in many cases, the experience of a cyber incident was valuable in getting company leadership to take notice of security issues, and there is even evidence that experiencing a breach can be good for a security professional’s career.
In Okta’s case, its experience, though fortunately mild, has led to policy changes and forced a new awareness of how events are perceived outside of the organization’s boundaries that will, hopefully, prove useful going forward. As King observes: “The benefit of an incident is very valuable to the security team.”