Mar 04, 2024The Hacker NewsSaaS Security / Vulnerability Assessment

A company’s lifecycle stage, size, and state have a significant impact on its security needs, policies, and priorities. This is particularly true for modern mid-market companies that are either experiencing or have experienced rapid growth. As requirements and tasks continue to accumulate and malicious actors remain active around the clock, budgets are often stagnant at best. Yet, it is crucial to keep track of the tools and solutions that employees are introducing, the data and know-how shared through these tools, and to ensure that these processes are secure.

This need is even more pronounced in today’s dynamic and interconnected world, where third-party applications and solutions can be easily accessed and onboarded. The potential damage of losing control over the numerous applications with access and permissions to your data requires no explanation. Security leaders in mid-market companies face a unique set of challenges that demand a distinct approach to overcome.

To begin mitigating the risks associated with third-party applications, one must first understand the fundamental premise behind these risks.

SaaS Security 101

Ensuring employees are onboarding, connecting and using applications safely, without whitelisting, spending valuable resources, or going on a wild goose chase may seem like a daunting task. Tackling this challenge starts with understanding two important characteristics of modern SaaS security:

1. Today’s third-party applications = SaaS applications: As mid-market companies experience rapid growth, integrating and utilizing SaaS applications have become increasingly prevalent. This surge in SaaS usage brings about significant advantages in terms of operational efficiency and flexibility. However, it also introduces complex challenges in maintaining robust security measures. Long gone are the days when employees had to go through IT (and subsequently, security) to onboard an application they needed. Diligent employees wishing to efficiently solve a business problem or need are probably going to search for, and find, a SaaS solution online. These solutions often require nothing more than a username and password, offer free trials or free versions, and “only” ask for permissions into your company’s data in return. A classic example is nearly any GenAI or AI-powered SaaS.
2. Managing SaaS usage can not be done manually: Recent research shows that the average employee uses 29 SaaS applications, and one in five users are using applications that no one else in the organization uses. This causes a modern shadow IT problem, and a complete lack of oversight and control over the SaaS layer in an organization. The complexity of securing SaaS usage is further compounded by the evolving nature of these applications, especially with the integration of artificial intelligence (AI). Modern businesses that leverage extensive SaaS and AI applications encounter an intricate application supply chain that adds layers of security vetting complexity. This scenario demands a vigilant oversight of user access and data-sharing practices to avoid creating inadvertent supply chain backdoors into the organization, potentially leading to the loss of control over critical intellectual property. Keeping track of, monitoring, assessing, and managing SaaS can be a VERY heavy lift. Especially, as mentioned above, when your employees are used to working a certain way and changing that for them is no easy task either.

The Solution: Let them use SaaS (They will anyway)

Unlike very small companies that have yet to establish their security needs or large corporations that have vast security resources, mid-market-sized companies find themselves with a unique set of needs. Traditionally, SaaS security solutions have been designed with large enterprises in mind, offering a level of complexity and resource demand that is unfeasible for mid-market companies. This misalignment leaves a considerable portion of the market vulnerable as these businesses struggle to find security solutions that are both effective and scalable to their specific operational models. So what can be done with limited resources and high expectations? There are many SaaS security solutions in the market today, and choosing the right one for your organization can be a very confusing task. Here are a few things to consider:

1. The magnitude of the problem at hand: While finding an organization that does not extensively use SaaS applications is quite the challenge, understanding the extent of usage and, more so, the extent of the potential shadow usage, are paramount. With SaaS usage skyrocketing and considering many employees negligently bypass the organizations’ identity access management systems and oftentimes multi-factor authentications, security teams must be able to assess the extent of the risk introduced by unsanctioned SaaS applications. Doing so is often easier than one might think, with the help of free-to-use, easy-to-onboard solutions such as Wing Security’s Free SaaS discovery tool.
2. Team size and skill: It’s essential to match the SaaS security solution to the team’s capabilities. Enterprises with large, expert teams may benefit from Cloud Access Security Brokers (CASB) solutions, while mid-market systems should look for offerings that provide significant automation to reduce the management load. While most solutions do highlight the various risks and vulnerabilities, with a smaller team, it is advised to seek solutions that offer in-product remediation capabilities.
3. Security’s maturity state: While the need in SaaS security is increasingly clear and prevalent in most board meetings, especially with the relatively recent and highly concerning introduction of GenAI in SaaS, many mid-size companies seek to start out with a smaller, more tailored solution. One that isn’t heavy on their budget, answers their basic needs and offers the ability to scale alongside them as they mature their overall security posture.

Addressing the Challenges Head-On

In the realm of mid-market businesses, the deployment of SaaS applications brings forth significant security challenges. Recognizing this, Wing Security has developed a tiered product approach designed to address these challenges head-on. By leveraging automation, their solutions aim to reduce labor costs and align with mid-market budgets, effectively managing the decentralized issue of negligent insider SaaS usage with minimal management time required—less than 8 hours per month. This strategy implies that CISOs can efficiently mitigate critical SaaS security risks without the need for additional resource allocation, thus saving considerable man-hours.

As mid-market companies continue to evolve and more deeply integrate SaaS applications into their operational frameworks, the imperative for scalable and effective security solutions becomes more pronounced. Wing Security’s introduction of solutions tailored to the unique needs of these companies represents a pivotal advancement in narrowing the gap between the growing demand for SaaS security and the availability of accessible, effective solutions for the mid-market. Emphasizing automation and comprehensive coverage, Wing Security addresses the distinct challenges presented by today’s digital landscape, enabling mid-market companies to secure their SaaS applications without sacrificing efficiency, scalability, or valuable resources.

Feb 16, 2024NewsroomCybersecurity / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization’s network environment was compromised via an administrator account belonging to a former employee.

“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency said in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The threat actor connected to the [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.”

It’s suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information.

The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set of credentials stored in the server, which had administrative privileges to both the on-premises network and the Azure Active Directory (now called Microsoft Entra ID).

This further made it possible to explore the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller. The attackers behind the malicious activity are presently unknown.

A deeper investigation into the incident has revealed no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.

The attackers ultimately accessed host and user information and posted the information on the dark web for likely financial gain, the bulletin noted, prompting the organization to reset passwords for all users, disable the administrator account as well as remove the elevated privileges for the second account.

It’s worth pointing out that neither of the two accounts had multi-factor authentication (MFA) enabled, underscoring the need for securing privileged accounts that grant access to critical systems. It’s also recommended to implement the principle of least privilege and create separate administrator accounts to segment access to on-premises and cloud environments.

The development is a sign that threat actors leverage valid accounts, including those belonging to former employees that have not been properly removed from the Active Directory (AD), to gain unauthorized access to organizations.

“Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise,” the agencies said.

“By default, in Azure AD all users can register and manage all aspects of applications they create. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions.”