1 of 22

Okta Identity Threat Protection (ITDR)

<Presenter Job Title>, Okta

<Presenter2 Job Title>, Okta

Partner logo

2 of 22

{Presenter Name}

{Presenter title}

Partner logo

3 of 22

Partner logo

This presentation contains “forward-looking statements” within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our financial outlook, product development, business strategy and plans and market trends, opportunities and positioning. These forward-looking statements are based on current expectations, estimates, forecasts and projections. Words such as “expect,” “anticipate,” “should,” “believe,” “hope,” “target,” “project,” “goals,” “estimate,” “potential,” “predict,” “may,” “will,” “might,” “could,” “intend,” “shall” and variations of these terms and similar expressions are intended to identify these forward-looking statements, although not all forward-looking statements contain these identifying words. Forward-looking statements are subject to a number of risks and uncertainties, many of which involve factors or circumstances that are beyond our control. For example, the market for our products may develop more slowly than expected or than it has in the past; our operating results may fluctuate more than expected; there may be significant fluctuations in our results of operations and cash flows related to our revenue recognition or otherwise; a network or data security incident that allows unauthorized access to our network or data or our customers’ data could damage our reputation;

Safe harbor

we could experience interruptions or performance problems associated with our technology, including a service outage; we may not be able to pay off our convertible senior notes when due; and global economic conditions could deteriorate. Further information on potential factors that could affect our financial results is included in our most recent Annual Report on Form 10-K and our other filings with the Securities and Exchange Commission. The forward-looking statements included in this presentation represent our views only as of the date of this presentation and we assume no obligation and do not intend to update these forward-looking statements.

Any unreleased products, features or functionality referenced in this presentation are not currently available and may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature or functionality, and you should not rely on them to make your purchase decisions.

4 of 22

Identity is the connective fabric between the complex ecosystem of people and technologies, securely enabling your workforce to do their best work

The role of Identity in Security

Partner logo

5 of 22

Zero Trust & Risk Strategy

Any resource.

Any device.

Anywhere.

One secure passwordless experience.

Leading the journey to Phishing Resistance

Enhanced User & Admin Experience

Strengthen� Device Security

Evaluate Risk Continuously

Partner logo

6 of 22

Risk is informed through indicators of compromise

Unusual IP location

New device

Unusual time of day

New application access

Unusual browser-agent variables

and more!

Partner logo

7 of 22

We have no shortage of risk signals, but need the ability to quickly consolidate and take action on those insights

Security Stack

Service Providers

Risk

Partner logo

8 of 22

Assess ��

Amplify ��

Adapt ��

The new security paradigm centralizes understanding of risk

Continuously assess Identity risk

Evaluate user risk in real-time during initial login to proactively counter vulnerabilities
Continuously monitor for signs of session hijacking and other post-authentication risks

Harness threat signals across your apps and security stack

Uncover and address identity security blind spots through integrated threat signals
Enhance security posture and maximize existing investments

Respond to threats with precision

Take tailored actions inline such as instant logouts or on-demand MFA
Execute automated workflows to promptly address emerging risks

Partner logo

9 of 22

The Okta Risk Ecosystem

ThreatInsight

Class-leading protections offered by default, to protect users from suspicious login attempts

Foundational Security

Behaviors

Customizable profile controls to detect anomalous patterns & user behavior detections.

Customizable controls

Risk-based Auth.

Enabling intelligent prompting of MFA when the possibility of a threat actor exists.

AI-based Adaptive Auth

Identity Threat Protection (ITP)

Continuous identity threat assessment using first party and third party signals.

AI-based ITDR solution

Partner logo

10 of 22

App A

App B

App C

Device 1

Device 2

Identity

ThreatInsight�(pre-auth.)

The Okta Risk Paradigm: ThreatInsight

Partner logo

[Raghu]:

Thanks Vinayak!

There are multiple layers in protecting the user against credential based attacks. Let’s look at all the layers.

ThreatInsight is the first layer of defense. When a user accesses any sensitive endpoint within Okta, ThreatInsight checks if the request is associated with a credential based attack.
ThreatInsight uses an ML model to detect orgs that are under large credential based attacks and uses various detections to flag IPs that are involved in those attacks.
The cross-tenant component of ThreatInsight provides protections to tenants based on attack patterns seen across other tenants.
This protection kicks in even before the sign on policies are evaluated and even before the rate limit checks kick in.
If ThreatInsight considers a request to be malicious, we block the request based on customer configuration..

11 of 22

App session 1

App A

App B

App C

Device 1

Device 2

Identity

Okta session

passage of time

persistence of access

App session 3

Okta session

Login Risk

ThreatInsight�(pre-auth.)

The Okta Risk Paradigm: Risk-based auth

Partner logo

12 of 22

App session 1

App A

App B

App C

Device 1

Device 2

Identity

Okta session

Session Risk (ITP)

App session 2

App session 3

passage of time

persistence of access

App session 3

Okta session

Login Risk

ThreatInsight�(pre-auth.)

The Okta Risk Paradigm: Identity Threat Protection

Partner logo

13 of 22

App session 1

App A

App B

App C

Device 1

Device 2

Identity

Okta session

Entity User Risk (ITP)

Session Risk (ITP)

App session 2

App session 3

passage of time

persistence of access

App session 3

Okta session

Login Risk

ThreatInsight�(pre-auth.)

The Okta Risk Paradigm: Identity Threat Protection

Partner logo

[Raghu]:

But there are attacks today that span beyond a single session:

A compromised device impacts more than just one Okta session, spans multiple client apps on a device.
A registration of authentication factor by a threat actor will impact the integrity of sessions across multiple devices.
A user may be risky even before the establishment of a single Okta session.

All these scenarios lead to the need for the calculation of risk that centers around the identity.

Entity Risk encapsulates this vision.
Entity could be any subject with an identifier. User is the first type of Entity. In future, devices, tenants or workload identities could have risks associated with them.

With entity user risk, we roll-up risk accrued on all threat surfaces like:

Risk at login
Risk during the session
Risk while using a device or accessing an application, on a network, without explicit interaction with Okta

to one risk level defined under Entity (User) risk

& what’s more, entity user risk is informed not just by 1P, native signal intelligence sources but by 3P signals as well! We enable this through scalable, standards-based protocols, thus meeting the promise of a “risk ecosystem”.

Let’s see a demo of this coming together.

14 of 22

Risk Engine

Policy

Continuous Risk Assessment

1st Party Signals

UEM

XDR

MDM

SOAR

ZTNA

CASB

SaaS

NGFW

3rd Party Signals

1st Party Signals

Device context�(Continuous)

SaaS apps built on CIC

Admin / user reported risk change

Authentication /�IP enrichment

Universal App Logout

Inline

30+ 3rd party integrations

50+ supported actions

SSE Transmitter / �Downstream Apps

Real Time Actions

MFA

Session

Session Risk�Assesses login/session based on IP, (1/3P) device context change

Entity (User) Risk �Detections for suspicious activity, MFA fatigue, critical state changes & 3P signals

Auth Policy��Evaluates IP, risk, behavior, and device context

Entity Policy

Allows admins to define responses to risk detected outside of authN context

Partner logo

15 of 22

What is it?

Standards-based means of receiving and transmitting security and risk events.

Benefits

Allows customers to simply incorporate 3rd party signals at scale into Okta’s Risk Engine

Expands Okta’s visibility into events relevant to user risk by orders of magnitude.

Shared Signals Framework (SSF) Pipeline

SSF

Device Events

Risk Events

Network Events

Application Events

User Events

Risk Events

Partner logo

The first is Signal ingestion - for both 1st and 3rd party signals
Signal ingestion will be based on a the OpenID’s Shared Signals Framework
We are taking a standards based approach to exchanging security signals to allow partners and customers to integrate with us seamlessly

What is the feature?

Standards-based means of receiving and transmitting security and risk events.

What are the customer benefits?

Allows customers to simply incorporate 3rd party signals at scale into Okta’s Risk Engine
Expands Okta’s visibility into events relevant to user risk by orders of magnitude.
Because it’s open, any vendor or customer can integrate with it.

What are the impacts (if any) to existing customers?

N/A

What is the target date? (use fiscal year)

Limited EA Q3 FY24

Is there any dependency on OIE versus Okta Classic?

This requires OIE

Link to any other helpful pages with more details of the feature

Spec: https://docs.google.com/document/d/1ZvEz1L44y9utIHIGc0VFzJU6wngCGV3gdAbjNM_WIlk/edit?usp=sharing

JIRA/ART Initiative or Project #:

16 of 22

Continuous Access Evaluation (CAE) Policy

What is it?

Continuously evaluates admin configured policies based on changes in the IP address, risk posture, or device posture of a user

Automatically publishes events to the syslog if policy requirements are not met

Benefit

Assess user risk on a continuous basis

Support remediation activities, such as session termination

Gain a more holistic view of user risk across your security ecosystem

Partner logo

Second is Detection and Evaluation:

This includes a New Risk engine to enable real-time detection of user risk
And Continuous evaluation of user and session risk, against authentication policies

This will allow our customer to get a real-time view of their Identity-security posture

Once we have signals ingested we are building two additional blocks… First a new risk engine..

We are creating New Risk engine detections for user risk based on shared signal data - session hijacking, MFA fatigue, user suspended, Device compromised, etc.

Second, a new way to evaluate these risks and context changes with the …

Continuous access evaluation Policy of these risks signals

Once we evaluate the events and risk changes, what can we do? <Click>

What is the feature?

A system that continuously evaluates user, device, and context status against admin configured policies, and can initiate necessary remediations based on the evaluation.

What are the customer benefits?

Allows continuous evaluation of App Sign On Policies and Global Session Policies, and support impacted session termination of at-least 4 applications for the beta.

What are the impacts (if any) to existing customers?

N/A

What is the target date?

Q3 FY’24

Is there any sub-components/features to the feature that has different dates? If so, what is the sub-component and what are the other dates?

Admins will have the ability to re-evaluate sign-on policies when the user’s context changes.
Okta will produce a risk level which admins can use to trigger protective actions in Okta and connected applications.

Is there any dependency on OIE versus Okta Classic?

Supported only on OIE

Link to Epic/Jira to track latest status

https://oktainc.atlassian.net/browse/OKTA-505737

Link to any other helpful pages with more details of the feature

https://docs.google.com/document/d/1kpBNvUR6EdoYAbDiYa8R3v12_TGErknn54M1cGNJtpQ/edit#heading=h.5vxz2bjzi7lk

17 of 22

What is it?

Revoke all active sessions on all devices for all supported applications at once, at anytime

Support ~15 top-tier applications with more to follow

Benefits

Prevent terminated employees and partners from accessing company resources via active sessions

Force an end user to re-authenticate in case of a security or risky event

Universal App Logout

App Sessions

Actions powered by

IDP Session

Partner logo

And Finally, Remediation - to empower our customers with automated actions to take in response to risk changes
This will be a great automated way to deal with post auth security concerns
One of the more important actions our customers can take is Universal App Logout. This would mean that if a critical threat is detected, customers will be able to universally log the user out - effectively ending their Okta SSO session.
Let’s watch a demo of UALO

15+ key SaaS apps, end their Okta SSO session, trigger a workflow (like open a ServiceNow ticket), and we are partnering with CIC to bake in universal app logout going forward… Overall we are very excited about the continuous access evaluation journey and want you all to see the product take shape. Especially as we start to get hands on with some design partner customers with an LEA in Q2.

Thanks and here is a final summary slide of everything we are planning for Q2 and Q3 look ahead… <Click>

Finally, we want to give a view into the value… <Click>

What is the feature?

The ability to revoke all active sessions on all devices for all supported applications at once, at any time.
At launch, will support ~15 top-tier applications, with more to follow.
Mixed-protocol - will work for applications with or without OIDC Backchannel Logout support.
Extensible via Workflows and CIC.

What are the customer benefits?

Prevent terminated employees and partners from accessing company resources via active sessions.
Force and end user to re-authenticate in case of a security or risky event.

What are the impacts (if any) to existing customers?

Now, when CLearing a User’s Sessions, you will have the option to clear not just the IDP sessions, but also the app sessions.

What is the target date? (use fiscal year)

EA Q4 FY24

Is there any dependency on OIE versus Okta Classic?

Link to any other helpful pages with more details of the feature

JIRA/ART Initiative or Project #:

18 of 22

Identity Threat Protection with Okta AI

Universal App Logout

SaaS apps built on CIC

Partner signals

Actions powered by

57 Supported Actions

3P integrations

Identity Risk Engine & Continuous Evaluation

Real Time

Device �Context

End User Reported risk change

Threat �Insights

Real Time

Partner logo

19 of 22

[Partner Placeholder Slide]

Partner logo

20 of 22

[Partner Placeholder Slide]

Partner logo

21 of 22

[Partner Placeholder CTA Slide]

Partner logo

22 of 22

Thank You

Partner logo