With so many simultaneous events going on, heightened awareness in response to state actors, US President Biden’s cybersecurity call-to-action, and the Microsoft Event, all of us need to remain aware and vigilant as supply chain attacks continue. We highly recommend taking a proactive approach to secure your environment with a defense-in-depth strategy and appropriate monitoring.
Early today, news outlets reported the recent compromise of a support engineer's laptop at the Identity and Authentication (IAM) firm, Okta. Soon thereafter, Okta’s Chief Security Officer, David Bradbury, blogged that the Okta service has not been breached and remains fully operational.
Our Global Operations Center investigated Okta’s evolving situation and so far we have no evidence that Sumo Logic, our employees or services are impacted in any way.
Sumo Logic customers
If you are a Sumo Logic customer or if you are trialing Sumo Logic services, we can help you determine if you are at risk.
You can use the Okta App for Sumo Logic to start securing your environment: its dashboards use your Okta logs to surface signs of this potential compromise and much more, including:
- Identify top 10 user account lockouts in the last 24 hours
- Correlate user account lockout with a successful login
- Identify abnormal user activities
- Perform geo-velocity analysis
- Detect successful and failed logins
- Monitor admin activities
- Identify accounts with MFA disabled
Example: User Event Analysis using Okta App
If you are a Sumo Logic Cloud SIEM customer you have more fine-grained capabilities! Cloud SIEM includes targeted searches that you can use now, such as:
- Okta_API_Token_Created
- Okta_Admin_App_Access_Attempt_Failed
- Okta_Admin_App_Accessed
- Okta_Account_Lockout
- Okta_User_Attempted_to_Access_Unauthorized_App
- Okta_Administrator_Access_Granted
- Okta_Account Primary Email Address Update
- Okta_Credential Access User Impersonation
- Okta_MFA Bypass Attempt
- Okta_MFA Deactivated for User
- Okta_MFA Device Reset
Alternatively, from the Sumo Logic platform you can search Okta logs for signs of an attacker attempting to flood the target victim with Multi-Factor Authentication (MFA) push notifications until the victim accepts an MFA request.
// Assumed scope line (not part of the original query): change the source category to match your Okta collector
_sourceCategory=okta
| json field=_raw "outcome.result" as result
| json field=_raw "actor.alternateId" as user
| timeslice 10m
| if(result="SUCCESS",1,0) as success
| if(result="FAILURE",1,0) as failure
| count as total_pushes, sum(success) as success, sum(failure) as failure by user, _timeslice
| failure/total_pushes as push_fail_ratio
| "No Finding" as finding
| if(failure=total_pushes AND total_pushes>1, "Authentication attempts not successful because multiple pushes denied", finding) as finding
// count is never 0 after aggregation; "ignored" means pushes that ended with neither a SUCCESS nor a FAILURE outcome
| if(success=0 AND failure=0 AND total_pushes>1, "Multiple pushes sent and ignored", finding) as finding
| if(success>0 AND total_pushes>3, "Multiple pushes sent, eventual successful authentication!", finding) as finding
// the finding names a successful login, so require at least one SUCCESS in the timeslice
| if(success>0 AND push_fail_ratio>.1, "High push fail Ratio with successful login detected", finding) as finding
| where finding = "High push fail Ratio with successful login detected" and total_pushes > 1
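The same push-fatigue logic as the query above, written as an added Python example (not Sumo Logic's code) that runs over constructed Okta System Log lines: it buckets events per user into 10-minute timeslices, computes the push fail ratio and applies the same finding rules in the same order (later rules override earlier ones). The sample events, user names and the reading of "ignored" as neither SUCCESS nor FAILURE are assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone


def _event(ts, user, result):
    # Builds one constructed Okta System Log record with the fields the query extracts.
    return json.dumps({"published": ts, "eventType": "system.push.send_factor_verify_push",
                       "actor": {"alternateId": user}, "outcome": {"result": result}})


# Constructed sample log lines (not real data): alice denies three pushes then accepts one,
# bob accepts a single push, carol denies two pushes and never accepts.
SAMPLE_LINES = [
    _event("2022-03-22T10:01:00.000Z", "alice@example.com", "FAILURE"),
    _event("2022-03-22T10:03:00.000Z", "alice@example.com", "FAILURE"),
    _event("2022-03-22T10:05:00.000Z", "alice@example.com", "FAILURE"),
    _event("2022-03-22T10:08:00.000Z", "alice@example.com", "SUCCESS"),
    _event("2022-03-22T10:02:00.000Z", "bob@example.com", "SUCCESS"),
    _event("2022-03-22T10:31:00.000Z", "carol@example.com", "FAILURE"),
    _event("2022-03-22T10:34:00.000Z", "carol@example.com", "FAILURE"),
]


def timeslice(ts, minutes=10):
    # Start of the fixed-width bucket containing ts, as a UTC epoch second (like `timeslice 10m`).
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % (minutes * 60)


def classify(total, success, failure):
    # Mirrors the query's if() chain; each later rule overrides the finding of an earlier one.
    finding = "No Finding"
    if failure == total and total > 1:
        finding = "Authentication attempts not successful because multiple pushes denied"
    if success == 0 and failure == 0 and total > 1:
        finding = "Multiple pushes sent and ignored"
    if success > 0 and total > 3:
        finding = "Multiple pushes sent, eventual successful authentication!"
    if success > 0 and failure / total > 0.1:
        finding = "High push fail Ratio with successful login detected"
    return finding


def push_fatigue_findings(raw_lines, minutes=10):
    # Aggregates raw JSON log lines by (user, timeslice) and returns counts, ratio and finding.
    buckets = defaultdict(lambda: [0, 0, 0])  # total, success, failure
    for line in raw_lines:
        ev = json.loads(line)
        b = buckets[(ev["actor"]["alternateId"], timeslice(ev["published"], minutes))]
        b[0] += 1
        b[1] += ev["outcome"]["result"] == "SUCCESS"
        b[2] += ev["outcome"]["result"] == "FAILURE"
    return {key: {"total_pushes": t, "success": s, "failure": f, "push_fail_ratio": f / t,
                  "finding": classify(t, s, f)} for key, (t, s, f) in buckets.items()}
```

Filter the returned dict on the "High push fail Ratio" finding to reproduce the query's final `where` clause.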
I am not a Sumo Logic customer
Don't worry, you can get started in minutes! Sign up for your free trial today. Once you sign up, our onboarding team will walk you through the steps to get up and running. You will be able to use all relevant Okta (or other) logs to help you determine whether you are compromised.
Next steps
Sumo Logic Global Operations Center, Threat Labs and Engineering teams are working on releasing additional content to help you to stay ahead of such compromises.
If you are a Sumo Logic customer, reach out to us now for help.
If you want to get started with Sumo Logic, reach out to us.