Okta’s breach disclosure woes trigger fierce debate among CISOs, vendors
Bigger companies than Okta have been hacked and have said less in the wake of the incident. (Looking at you, Microsoft.) Yet for various reasons — including Okta’s “membership” of the cybersecurity community and its function as a potential gateway to so many enterprise accounts — the authentication provider’s response to a recent breach by the Lapsus$ group has triggered one of the most feisty debates by CISOs on breach disclosure, transparency and client relationships in recent memory. And opinions have diverged, sharply.
(A quick disclosure timeline: On March 21, Lapsus$ claimed to have hacked an Okta environment, sharing screenshots that appeared to show access to multiple software tools. Early March 22 Okta CEO Todd McKinnon Tweeted: “Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.” March 23, Okta CSO David Bradbury admitted that up to 366 customers may have had their Okta tenant accessed. March 25, Okta apologised for not notifying customers of the incident, first flagged in January 2022.)
Here are Okta’s own latest FAQs and timeline on the incident.
Okta breach disclosure slated: Is the criticism fair?
The company’s CEO coming out of the gate to wave his hands and effectively say “nothing to see here” aroused most ire. As one observer, Accenture’s Michael Goodman, noted: “CISOs everywhere need to look to [Mandiant’s example] as the perfect example of how to handle a breach. Hiding in the shadows and hoping others don’t find out about it is the worst strategy there is for incident response. People will *always* find out about it. Waiting is only going to make you look like you have a poor incident response playbook and likely poor security up and down your stack. And yes, sharing IOCs and other good cyber threat intel will signal to the greater community that we’re in it together. Hiding intel points to an inferiority complex… likely stemming from actual inferiority.”
Chairman and CEO of security firm Tenable (an Okta customer) Amit Yoran and Okta CSO David Bradbury’s LinkedIn posts both attracted thousands of engagements by senior security professionals debating the incident, after Yoran expressed his frustration at a perceived opacity by Okta. Yet there has also been no shortage of CISOs and others defending Okta’s stuttering response, with many emphasising that security and IT leaders can in such circumstances be hamstrung by a combination of legal and communications/PR restrictions.
(As lawyer Marci Rosen at boutique law firm ZwillGen noted amid debate over Okta’s wording: “The term ‘breach’ is a legal term of art that means an incident triggering breach notification laws, which differ in different jurisdictions. In the US, an incident isn’t a ‘breach’ unless it affects certain kinds of sensitive info…”)
Many CISOs agreed, however, that in a “good” company the response to such a breach has already been wargamed, with each part of the company knowing how it is going to respond under a strategy agreed at the top.
Amit Yoran’s stinging post struck a chord with many. As he put it on March 23, two days after the disclosure but before Okta spelled out more details: “As a customer, this is how the fact pattern feels: You either didn’t investigate properly or disclose the breach in January when it was discovered. When you were outed by Lapsus$, you brushed off the incident and failed to provide literally any actionable information to customers. Lapsus$ then called you out on your apparent misstatements. Only then do you determine and admit that 2.5% (hundreds) of customers’ security was compromised. And still actionable detail and recommendations are non-existent”.
One critic, Carla Roncato, disagreed: “An empathetic, security and industry leader would have called Todd [Okta’s CEO] and asked ‘how can I help’. Do better than this, you are not infallible and neither is tech” — an opinion that drew the response “As a security vendor it’s hard to call in the middle of a breach and offer support without appearing to be ambulance chasing… Society needs greater transparency around cyber breaches and other cyber practices. Hopefully continued pressure will create regulatory and behavioral norms that will get us there.”
Okta breach disclosure triggers animus, stone-throwing, reflection
The breach also seemed to dredge up pronounced animus among fellow vendors (despite an industry often keen to promote “hugops”, or sympathy for those suffering from an outage or wrangling with an IT incident). Cloudflare’s CEO Tweeted “a fish rots from the head” and former Duo Security CTO and co-founder Jon Oberheide suggested that Okta had a track record playing “some misleading word-games on the impact of a vulnerability in their service”, saying: “In 2018, we at Duo Security discovered a critical SAML vulnerability (CERT VU#475445) that allowed user impersonation that impacted quite a few SAML libraries and SSO vendors: OneLogin, Shibboleth, Duo ourselves, and… yes, Okta as well. However, if you look at the CERT page, you’ll see Okta listed as “Not Affected”. So, what gives? As Okta communicated to CERT and to customers, Okta was “not affected” because they patched the vulnerability after we reported it to them.”
“That’s not how things work”, he added.
“While it may be “technically correct” that Okta was not vulnerable at the exact point in time they made that statement because they had patched it, they had been vulnerable to this bypass for years, which was the risk that customers were trying to understand in their IR work. I talked to customers who were confused about this and had closed out their IR cases because of the “Not Affected” status. It was disappointing to see a leading security vendor make the choice to obscure risk to their customers, to minimize PR/brand impact…”
Ultimately, as one security researcher notes: “It seems reasonable to expect a higher standard of reporting/disclosure from a company you’re paying to increase your resilience to these types of attacks.
“Breaches happen, but when your customers find out about them from the adversary, the victim organisation is very predictably going to lose the trust of their customer…”