Should your organization freak out and roll IR because #okta got their source nicked?

Rather than say yes or no, ask yourself what your organization can meaningfully do. Odds are not much. Consider the need to do performative work to keep your executives calm, which sucks but infosec theater pays the bills and keeps auditors happy. Keep in mind that the Windows OS source has been in the hands of threat actors over and over for years and no new sploits came from that so far.

Make sure you're pulling Okta logs into your SIEM and have alerting in place for things like:

  • admin membership changes
  • abnormal amounts of password changes
  • password changes followed by MFA changes
  • configuration changes to key components, such as MFA or logon restrictions.
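To make the four alert families above concrete, here is an added example (my own toy code, not anything from the thread or from Okta) that runs those rules over a handful of constructed, simplified Okta-style System Log events; the event type names and the flat actor/target fields are assumptions to verify against your own tenant's logs.

```python
"""Toy alerting over constructed Okta-style System Log events (added example)."""
from datetime import datetime, timedelta

# Event type names follow Okta System Log naming as I recall it; confirm them
# against your own tenant's log before relying on these sets.
ADMIN_GRANT = {"user.account.privilege.grant", "group.user_membership.add"}
PASSWORD_CHANGE = {"user.account.update_password", "user.account.reset_password"}
MFA_CHANGE = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
              "user.mfa.factor.reset_all"}
CONFIG_CHANGE = {"policy.rule.update", "policy.lifecycle.update"}

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def alerts(events, pw_threshold=3, pw_window=timedelta(minutes=10),
           chain_window=timedelta(minutes=30)):
    """Return (rule, detail) tuples for the four alert families in the post."""
    out, pw_times, last_pw = [], [], {}
    for e in sorted(events, key=_ts):
        t, et, user = _ts(e), e["eventType"], e["target"]
        # 1. admin membership changes (role grant, or add to a group named *admin*)
        if et in ADMIN_GRANT and (et != "group.user_membership.add"
                                  or "admin" in e.get("group", "").lower()):
            out.append(("admin_membership_change", f"{e['actor']} -> {user} via {et}"))
        # 2. abnormal volume of password changes inside a sliding window
        if et in PASSWORD_CHANGE:
            pw_times = [x for x in pw_times if t - x <= pw_window] + [t]
            last_pw[user] = t
            if len(pw_times) == pw_threshold:  # fire once when the threshold is crossed
                out.append(("password_change_burst", f"{pw_threshold} within {pw_window}"))
        # 3. password change followed by an MFA factor change on the same account
        if et in MFA_CHANGE and user in last_pw and t - last_pw[user] <= chain_window:
            out.append(("password_then_mfa_change", f"{user}: {et}"))
        # 4. changes to sign-on / MFA policy configuration
        if et in CONFIG_CHANGE:
            out.append(("security_config_change", f"{e['actor']}: {et}"))
    return out

# Constructed, simplified events (real Okta entries nest actor/target objects).
SAMPLE = [
    {"published": "2022-12-22T09:00:00Z", "eventType": "user.account.update_password", "actor": "alice", "target": "alice"},
    {"published": "2022-12-22T09:02:00Z", "eventType": "user.account.update_password", "actor": "bob", "target": "bob"},
    {"published": "2022-12-22T09:04:00Z", "eventType": "user.account.update_password", "actor": "carol", "target": "carol"},
    {"published": "2022-12-22T09:10:00Z", "eventType": "user.mfa.factor.reset_all", "actor": "alice", "target": "alice"},
    {"published": "2022-12-22T09:20:00Z", "eventType": "group.user_membership.add", "actor": "admin1", "target": "dave", "group": "Super Administrators"},
    {"published": "2022-12-22T09:25:00Z", "eventType": "policy.rule.update", "actor": "admin1", "target": "MFA Enrollment Policy"},
    {"published": "2022-12-22T10:30:00Z", "eventType": "user.mfa.factor.deactivate", "actor": "bob", "target": "bob"},
]

if __name__ == "__main__":
    for rule, detail in alerts(SAMPLE):
        print(rule, "|", detail)
```

Bob's MFA deactivation at 10:30 deliberately falls outside the 30-minute chain window after his 09:02 password change, so it produces no alert; tune the windows and thresholds to your own baseline.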

@chrismerkel we were having the debate recently to SIEM or not to SIEM. The activity around the Okta and LastPass breaches will make for some interesting conversations to kick off Q1.

@compnerdkev interesting, like, is the question asking if monitoring logs for malicious activity is needed, or is the question on whether the desired logging platform is called SIEM or not? Hopefully the latter.

@chrismerkel the latter; we are a small startup and debating if we wanted to start work on standing up a SIEM for our IT / Security needs now or later.