Will Okta recover its cred after Lapsus$ breach? We’ll see



Okta’s decision not to disclose a January breach that could affect hundreds of customers – and the vendor’s choice of what details to share after the hacker group Lapsus$ publicly revealed the incident – is drawing growing scrutiny in the cybersecurity community.

This leads some to ask questions about Okta’s future, such as: How much damage will this do to Okta’s reputation? And will the leading identity security company be able to fully recover?

Investors have already hit Okta hard, with the company’s shares now down 15% since the incident became public. But within the security community, opinions on Okta’s reputational outlook vary widely.

Jake Williams, a well-known cybersecurity consultant and IANS faculty member, wrote on Twitter today that based on Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta regains the trust of the enterprise org.”

Williams wrote: “I am not so sure here. Seems to be without multiple crashes and complete transparency? Oops.”

Unanswered questions

The comment was the culmination of a Twitter thread in which he examined a number of aspects of Okta’s communication choices about the incident. In particular, Williams noted a number of questions that Okta, a leading identity authentication and management vendor, has continued to leave unanswered about what happened.


What Okta has said is that Lapsus$ accessed the laptop of a customer support engineer who worked for Sitel, a third-party Okta support provider, between January 16 and 21. The company said 366 customers could be affected.

However, Okta did not disclose anything about the incident until Tuesday, and only then in response to Lapsus$ posting screenshots on Telegram as evidence of the breach.

Okta CSO David Bradbury appears, for now, to be pointing the finger at Sitel. In a blog post, Bradbury said he was “very disappointed” by how long it took Okta to receive a report on the incident from Sitel, which had hired a cyber forensics firm to investigate. (Sitel declined to comment on the matter.)

Okta’s messaging, however, “strongly indicates” that the company was “powerless to investigate without Sitel’s report,” Williams wrote on Twitter.

“Looking at my experience in these matters, I’m calling shenanigans,” he wrote. “If Okta wants to continue with this story, they need to bring receipts.”

An ‘unimaginable’ scenario?

Ultimately, Williams said, it was “inconceivable” that Okta knew one of its service providers had been compromised, but “no action was taken in the meantime.”

Okta did not immediately respond to a request for comment today, but declined to comment Wednesday when asked by VentureBeat about its decision not to disclose the incident.

Williams is not alone in suggesting that Okta erred by waiting so long to reveal a breach that could affect numerous customers.

“That [delay in disclosure] is why it’s bad,” said Andras Cser, Forrester’s vice president and chief analyst. “It’s not because they were breached – that happens. The fact is that they did not make any disclosure.”

At cybersecurity vendor Atmosec, co-founder and CTO Misha Seltzer said it is clear to him that “Okta made a mistake by not disclosing the issue in January.”

“Affected customers deserve to know so they can investigate on their own,” Seltzer said.

Too long to disclose?

“Two months is too long,” Amit Yoran, CEO of cybersecurity firm and Okta customer Tenable, said Wednesday in a LinkedIn post.

Calling it an “open letter to Okta,” Yoran said the vendor was not only slow to disclose the incident, but also made a series of other errors in its communications.

“When you were called out by LAPSUS$, you dismissed the incident and failed to provide customers with any actionable information,” Yoran wrote. “LAPSUS$ then called you out on your apparently false statements. Only then did you decide to accept that 2.5% (hundreds) of customers were compromised. And still no actionable details or recommendations exist.”

Ultimately, “trust is built on transparency and corporate accountability, and it demands both,” he wrote. “Mandiant was also breached [in the SolarWinds attack], but they had the morale and ability to give as many details as possible. And as a result, they are one of the most trusted brands in security.”

Committed to transparency?

However, others in the cybersecurity industry have assessed Okta’s handling of the incident, and its communication about it, differently.

Ronen Slavin, co-founder and CTO of software supply chain security firm Cycode, said: “Okta is doing what the company should do to ensure security and customer success. They are communicating quickly and transparently.”

Slavin cited the fact that Okta CEO Todd McKinnon replied to Lapsus$’s screenshots on Twitter in the middle of the night on Tuesday (1:23 a.m. PST).

“It shows that the issue was being handled at the highest possible level of the company. And it shows that the CEO was immediately involved and wanted to provide transparency personally,” Slavin said.

Okta also clarified that “they believed this was a separate incident, and there was nothing to disclose,” he said.

“They believe their service has not been breached, yet still note that 366 customers may be affected, which is exactly the kind of transparency that all software companies should strive for,” Slavin said. “If Okta were not committed to being transparent, why would they acknowledge the possibility of a breach affecting 366 customers?”

Thus, when asked whether the incident could have a long-term impact on Okta’s reputation, Slavin said he did not believe that was guaranteed.

“I have no hope,” he said. “Okta has a strong track record of transparency, including the Heartbleed and AWS outage incidents. So Okta has earned credibility with us that they are transparent.”

Long-term effect

Cser also said that despite the reaction from some quarters to the incident, he did not believe it would have a lasting effect on Okta’s reputation.

“I don’t think it will hurt them in the long run,” he said. “They will probably spend a lot of money on analytics, instrumentation and end up with better security. I think they will come out of it stronger.”

Demi Ben-Ari, co-founder and CTO of third-party security management firm Panorays, said it was difficult to say at this time what the eventual outcome might be for Okta.

“Many large security companies have been breached, subsequently without lasting consequences,” he said. “The key is to see how that business handles its responsibilities to customers.”

For its part, Okta has insisted that the potential impact on customers is limited because its own service was not breached, and only the account of one Sitel support engineer was accessed.

“We take our responsibility to protect and secure customer information very seriously,” Bradbury said in the blog post. “We apologize for the inconvenience and uncertainty.”
