
Oort: Defending Enterprises Against Orbiting Identity Attacks | Cisco Investments




Prasad Parthasarathi

On the distant edge of the solar system, the Oort Cloud surrounds the sun and planets like a massive spherical bubble comprised of a trillion-plus icy space objects, some the size of mountains. Named after Jan Oort, the Dutch astronomer who predicted the icy cloud’s existence in the 1950s, Oort is where comets are thought to originate.

So, it follows that ‘Oort’ is a fitting name for the cybersecurity company that helps small and large distributed enterprise organizations secure the identities of employees, contractors, third parties and vendors, any of whom could pose substantial threat as they “orbit” the enterprise “mothership.”

“We are helping companies understand the Oort cloud that surrounds them,” says founder Matt Caulfield, a Cisco alum with a background in cloud, networking, and data. “They can’t see it clearly, but they know it’s there. We help them visualize and protect themselves against these threats.”

Which identities are just passing threats, and which may be hurtling toward an enterprise company for a direct hit? Those are a few of the key questions that the Oort founding crew set out to answer when Caulfield launched the company in 2019.

Cisco and Oort understand that identity is an important component of the security perimeter, and that’s why Cisco Investments was excited to participate in Oort’s Series A funding round announced earlier this month.

Oort (l to r): Didi Dotan, CTO, and Matt Caulfield, Founder and CEO

The Identity Market Today: Plenty of Infrastructure, Not Enough Security

The identity and access management (IAM) market is a crowded space, and yet “everything that’s come so far has been mainly focused on infrastructure and operations,” says Caulfield. 

Caulfield and the Oort team wanted to expand the boundaries of identity security with solutions to protect users from account takeover. Now, the Chief Information Security Officer (CISO) customer can get far greater visibility and control over their IAM infrastructure with a “firewall for identity,” Caulfield says. 

Think about the number of “orbiting” identities encircling both small and large companies, and the need for security at scale becomes clear — even for a 20-employee organization like Oort, there are another 20+ identities in play across contractors, partners, and consultants.

“Even if you’re really small, identity is often the first piece of infrastructure that you put in place, and it’s also the most critical to secure,” says Caulfield. 

For large enterprises, where thousands of employees may have exponentially more identities and a disparate set of identity and access policies in place, a new set of rules to govern the security and maintain enterprise-wide visibility and control becomes imperative. 

Unlike other identity solutions, Oort sits above enterprise IdP and SaaS applications, providing a unique unified view of the identity universe and the power of automation to remediate these risks at scale. 

By leveraging tech that’s already in place, Oort can ingest the historical data and run a report within hours to identify any issues, vulnerable identities and threats while investigating users, says Caulfield. 

The end result is time saved for both the security analysts who are troubleshooting, debugging, and investigating threats, as well as the governance and compliance officers who need to know the right policies are intact and being followed.

Oort in Action: From MFA and Inactive Users to Threat Detection and Response

Most of Oort’s use cases involve enterprise organizations with weak implementations of Multi-Factor Authentication (MFA). In many instances, these companies have MFA configured, but it’s not being enforced, or it’s limited to SMS. Or, attackers may flood users with push notifications for the second factor, causing MFA fatigue and eventually leading to a breach.

“We have a built-in check just for that to recognize that scenario,” says Caulfield. “We flag these cases immediately and then bring them to the attention of the security team so they can investigate.”

“Phishing is often where these attacks tend to start and it’s something we can help prevent by making sure that the way the IAM infrastructure is set up is phishing-resistant from top to bottom, from the second factors you choose and how you set up those accounts to how you do password and factor resets,” he says. “You can only know if you’re doing that well if you have the right tools - that’s what we provide.”

In other cases, inactive accounts are sitting in a company’s IAM system “almost like a server sitting unpatched in a data center somewhere,” says Caulfield. “It’s sort of a sitting duck, waiting for somebody to take it over and use it against you. We help enterprises find those ‘populations of identities’ and remove them from their fleet.” The Oort approach is complementary to the best-in-class MFA offered by Cisco’s Duo Security. Armed with pinpointed telemetry on MFA gaps, enterprises can leverage Duo for better and more effective security, limiting end-user friction.

Because no architecture is perfect, threat detection and response has become a popular third use case for Oort, which can also identify behavioral anomalies, such as potential bad actors coming from new countries, says Caulfield. 

Building its analytics on a security data lake architecture, Oort is able to leverage massive data retention to run queries at scale across months of data and better understand the behavioral baseline of individual users. 

The range of detection spans from the simplest scenario, whether a user has logged in over the past 60 days, to building a sophisticated baseline for each user and then measuring deviations from that baseline.
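The three detection ideas described above (the built-in MFA push-fatigue check, the inactive-account sweep, and a per-user baseline that flags logins from a country the user has never used) can be illustrated with a small piece of detection logic over identity-provider events. The code below is an added example written for this page; it is not Oort's product code, and the event format, the 10-minute window, the five-prompt threshold and the sample events are all constructed assumptions. Only the 60-day inactivity window comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events (not real telemetry). Each tuple is
# (user, UTC timestamp, event kind, outcome, country of the source IP).
SAMPLE_EVENTS = [
    # alice: steady logins from the US, then one from a country never seen before
    ("alice", "2023-01-10T09:00:00", "login", "success", "US"),
    ("alice", "2023-02-14T09:05:00", "login", "success", "US"),
    ("alice", "2023-03-01T08:55:00", "login", "success", "US"),
    ("alice", "2023-03-02T03:10:00", "login", "success", "RO"),
    # bob: a burst of MFA push prompts within minutes, mostly denied or timed
    # out, until one is finally approved (the "MFA fatigue" pattern)
    ("bob", "2023-03-02T02:00:00", "mfa_push", "denied", "US"),
    ("bob", "2023-03-02T02:01:00", "mfa_push", "timeout", "US"),
    ("bob", "2023-03-02T02:02:00", "mfa_push", "denied", "US"),
    ("bob", "2023-03-02T02:03:00", "mfa_push", "denied", "US"),
    ("bob", "2023-03-02T02:04:00", "mfa_push", "timeout", "US"),
    ("bob", "2023-03-02T02:05:00", "mfa_push", "approved", "US"),
    ("bob", "2023-03-02T02:05:10", "login", "success", "US"),
    # carol: one push per day, approved; normal behaviour
    ("carol", "2023-03-01T09:00:00", "mfa_push", "approved", "DE"),
    ("carol", "2023-03-02T09:00:00", "mfa_push", "approved", "DE"),
    ("carol", "2023-03-02T09:00:05", "login", "success", "DE"),
    # dave: last successful login months ago
    ("dave", "2022-11-15T10:00:00", "login", "success", "US"),
]

# Accounts known to the IdP; "erin" has never logged in at all.
ALL_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]


def parse(events):
    """Turn the raw tuples into (user, datetime, kind, outcome, country)."""
    return [(u, datetime.fromisoformat(ts), kind, outcome, country)
            for u, ts, kind, outcome, country in events]


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received >= threshold MFA push prompts inside any
    sliding window of the given length. Returns {user: max prompts seen}."""
    pushes = defaultdict(list)
    for user, ts, kind, _outcome, _country in parse(events):
        if kind == "mfa_push":
            pushes[user].append(ts)
    flagged = {}
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until all prompts fit in the window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def find_inactive_accounts(events, accounts, now_iso, max_idle_days=60):
    """Return accounts with no successful login in the last max_idle_days
    (the page's 60-day check); accounts that never logged in are included."""
    now = datetime.fromisoformat(now_iso)
    last_login = {}
    for user, ts, kind, outcome, _country in parse(events):
        if kind == "login" and outcome == "success":
            last_login[user] = max(last_login.get(user, ts), ts)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last_login.get(u, datetime.min) < cutoff)


def detect_new_country_logins(events):
    """Build a per-user baseline of countries from earlier successful logins
    and flag later successful logins from a country not in that baseline.
    A user's first login seeds the baseline and is never flagged."""
    seen = defaultdict(set)
    flagged = []
    for user, ts, kind, outcome, country in sorted(parse(events), key=lambda e: e[1]):
        if kind != "login" or outcome != "success":
            continue
        if seen[user] and country not in seen[user]:
            flagged.append((user, ts.isoformat(), country))
        seen[user].add(country)
    return flagged


if __name__ == "__main__":
    print("MFA push fatigue:", detect_push_fatigue(SAMPLE_EVENTS))
    print("Inactive accounts:", find_inactive_accounts(SAMPLE_EVENTS, ALL_ACCOUNTS, "2023-03-03T00:00:00"))
    print("New-country logins:", detect_new_country_logins(SAMPLE_EVENTS))
```

On the constructed events, only bob trips the push-fatigue check, dave and erin fall out as inactive, and alice's login from a country absent from her history is the single baseline deviation. In a real deployment the thresholds would be tuned per tenant, and the country baseline is the simplest possible stand-in for the statistical per-user models the article refers to.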

“That requires more of a statistical model,” says Caulfield. “We're really lucky to have a team with experience at Cisco, RSA, and Meta to build these models that look for user anomalies.” 

As a result, Oort is able to rely heavily on its domain expertise and pre-tuned, turnkey models, cutting the learning curve considerably compared to unsupervised machine learning-based threat detection models.

Charting New Frontiers for Oort

At Oort, the mission has always been to connect and secure our shared digital ecosystem. At Cisco, we see a great deal of synergy between Oort’s Identity Threat Detection and Response approach and Cisco’s Zero Trust and XDR strategy. Identity security is foundational to both. 

Looking ahead, Caulfield says Oort wants to expand from identity threat detection and response (ITDR) to identity governance and a higher control plane. 

“We’re betting big on cloud IAM, the distributed workforce, work from home and hybrid work as well as more companies going all cloud,” he says.

At Cisco, we, too, are predicting great things to come from Oort as this cyberspace startup continues to explore new dimensions in securing the enterprise and keeping all the interdependent companies in the tech universe protected – no matter what cyberspace “debris” comes their way.