As Banyan Security’s Chief Security Officer, I want to not only make sure that the Banyan organization and product offering are safe, but also that our customers and partners are secure.
First, we want you to know that the Banyan Security solution is not impacted by the breach recently disclosed by Okta related to Lapsus$. For more information on the incident please refer to Okta’s website: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/.
We have taken steps internally to review our Okta tenant, accounts, and logs. We have confirmed that everything is in order and also that there is no evidence to suggest Okta’s incident impacted us as a customer.
Furthermore, the Banyan zero trust network access solution is often integrated with Okta as noted in our feature guide here: https://docs.banyansecurity.io/docs/feature-guides/manage-users-and-devices/identity-providers/okta/.
Banyan’s approach provides user trust independent of device trust, to reduce risk in scenarios like this. Customers who use Okta with Banyan are better protected as a result of this philosophy.
There is no evidence to suggest that in this case Okta was not operating under the principle of least privilege, or that the 3rd party in question had excessive permission to access to the services and applications needed to do their job.
However, at time of writing, there is an open question regarding how a lost device can be unlocked and authenticated providing access into systems, especially if you assume a short session duration for a user with privileged access. We’re hopeful that in the coming days and weeks there will be full transparency and we will learn more.
Banyan mitigation & potential response for this attack
Here is a list of key activities performed by Banyan’s security team. We recommend you perform similar checks in your environments.
Mitigation for employee directory and corporate resources
- Review user directory – Banyan Security staff reviewed the user directory and ensured that all accounts created had IT tickets associated with them and were known employees. We made sure no Okta support staff ever had access to our systems (by looking for eventType “user.session.impersonation.initiate” in the System Logs).
- Review certificate issuance – Banyan Security staff used data compiled from Banyan APIs and the console to identify when certificates were issued to new devices. Any certificate issued to a user that was not in good standing would be revoked (none were found).
- Review Okta & Banyan audit logs – Banyan Security staff reviewed the administrative logs within the Banyan Console for anomalous or unexpected configuration changes and found none. Additionally, a review of Okta audit logs for indicators provided by Okta did not turn up any findings.
Mitigation for production environments (our customer data and systems)
In order to access customer data either through the administrative console or directly via the production infrastructure, there are additional controls in place that must be met that do not rely solely on Okta users and groups. As a result, there is no additional risk from this incident to Banyan customer data.
Additional course of action for Banyan Customers
Any customers who feel they would like to take additional steps are encouraged to change their invite code to the Banyan platform and revoke any device certificates issued by Banyan in the last 90 days (the suspected incident window). Your new users will have to re-register their devices with Banyan and procure new device certificates.
See our blog, “The Okta Breach and Securing SaaS Administration Interfaces” for more information on preventing such breaches.
If you have any questions about the Banyan zero trust solution, please do not hesitate to contact us.