‘Two Months Is Too Long’: Tenable CEO Slams Okta’s Breach Response

‘I am disappointed that we know almost nothing. And it appears that what little we do know was basically forced out of Okta. Trust requires transparency,’ says Tenable Chairman and CEO Amit Yoran.

Tenable CEO Amit Yoran criticized Okta for not telling customers about the compromise sooner and wondered if Okta would have disclosed anything had screenshots not leaked.

“As a customer and as colleagues in the industry, we expect more, and as a market leader delivering critical capabilities, you should expect more of yourselves,” Yoran (pictured) wrote on Twitter at 1:55 p.m. ET Wednesday, linking to an open letter he published on LinkedIn. Yoran said Okta customers should have been able to determine their exposure in January when the identity giant first spotted the compromise.

“Two months is too long,” Yoran wrote in a 319-word open letter. “The compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis.”

[Related: Okta: Up To 366 Clients Had Data ‘Acted Upon’ in Lapsus$ Hack]

Okta didn’t immediately respond to a CRN request for comment, but the company acknowledged Wednesday it should have connected the dots sooner. Up to 366 Okta customers might have had their data ‘acted upon’ following a Lapsus$ cyberattack against Sitel, which Okta contracts with for customer support work. Okta’s stock was down $17.88 (10.74 percent) Wednesday to $148.55 per share.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Okta Chief Security Officer David Bradbury wrote in a blog post updated at 11:50 a.m. ET Wednesday. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”

Yoran criticized Okta for not publishing any indicators of compromise or best practices or releasing any guidance on how customers should mitigate the potential increase in risk. The only guidance for Okta customers came from security and performance services firm Cloudflare, who said clients should enable MFA for all user accounts using hard keys and look for support-initiated password and MFA changes.

“We have multiple layers of security beyond Okta and would never consider them to be a standalone option,” Cloudflare co-founder and CEO Matthew Prince tweeted early Tuesday. “Okta is one layer of security. Given that they may have an issue we’re evaluating alternatives for that layer.”

Yoran alleged that Okta didn’t either disclose the breach or investigate the compromise properly when it was first discovered on Jan. 21. After data extortion gang Lapsus$ posted screenshots to its Telegram channel early Tuesday of what it alleged was data from Okta customers, Yoran said Okta “brushed off the incident and failed to provide literally any actionable information to customers.”

“I am disappointed that we know almost nothing,” Yoran wrote on LinkedIn in response to a comment on his open letter. “And it appears that what little we do know was basically forced out of Okta. Trust requires transparency. It doesn’t feel that we’re getting that.”

Okta published a blog post at 1:45 p.m. ET Tuesday saying that its service had not been breached, the attempt by Lapsus$ to compromise the account of a Sitel customer support engineer was unsuccessful, and that its customers don’t need to take any corrective actions. Lapsus$ fired back Tuesday afternoon and called Okta out on its “lies,” saying the potential impact to Okta customers was not at all limited.

“I’m STILL unsure how it’s a unsuccessful attempt?” Lapsus$ wrote on Telegram. “Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”

Only then did Okta determine and admit that 2.5 percent – or 366 of Okta’s customers – had their security compromised, Yoran said. And still, Yoran said that actionable detail and recommendations were nonexistent from Okta. Yoran, 51, has served as chairman and CEO of Columbia, Md.-based Tenable since December 2016, and prior to that spent more than two years as president of RSA Security.

“As a customer, all we can say is that Okta has not contacted us,” Yoran wrote in the open letter. “And, to the best of our knowledge, we are not affected by the breach. Out of an abundance of caution, we are taking what we believe to be logical actions to minimize exposure.”

Yoran said he’s been in the space long enough to know that security is imperfect, but contrasted Okta’s response to this compromise with how Mandiant (then FireEye) reacted to a compromise of their own in December 2020. The threat intelligence superstar told the world Dec. 8, 2020, that it had been hacked and determined days later that SolarWinds was the source of the compromise, stopping a huge cyberattack campaign.

“They [Mandiant] had the fortitude and competence to provide as much detail as they could,” Yoran said. “And they remain one of the most trusted brands in security as a result.”