SaaS – INDIA NEWS (http://www.indiavpn.org)

Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks
http://www.indiavpn.org/2024/04/15/muddled-libra-shifts-focus-to-saas-and-cloud-for-extortion-and-data-theft-attacks/
Mon, 15 Apr 2024 15:23:42 +0000

Apr 15, 2024 | Newsroom | Cloud Security / SaaS Security

SaaS and Cloud Attacks

The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.

“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report published last week.

“The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.”

Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to target networks.

“Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs,” the U.S. government said in an advisory late last year.


The attackers also have a history of monetizing access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.

Unit 42 previously told The Hacker News that the moniker “Muddled Libra” comes from the “confusing muddled landscape” associated with the 0ktapus phishing kit, which has been put to use by other threat actors to stage credential harvesting attacks.

A key aspect of the threat actor’s tactical evolution is the use of reconnaissance techniques to identify administrative users to target when posing as helpdesk staff using phone calls to obtain their passwords.

Muddled Libra’s reconnaissance also extends to extensive research into the applications and cloud service providers used by the target organizations.

“The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization’s various CSP environments,” security researcher Margaret Zimmermann explained.

The information obtained at this stage serves as a stepping stone for conducting lateral movement, abusing the admin credentials to access single sign-on (SSO) portals to gain quick access to SaaS applications and cloud infrastructure.

In the event SSO is not integrated into a target’s CSP, Muddled Libra undertakes broad discovery activities to uncover the CSP credentials, likely stored in unsecured locations, to meet their objectives.

The data stored with SaaS applications are also used to glean specifics about the infected environment, capturing as many credentials as possible to widen the scope of the breach via privilege escalation and lateral movement.

“A large portion of Muddled Libra’s campaigns involve gathering intelligence and data,” Zimmermann said.


“Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra.”

These actions specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.

Data exfiltration to an external entity is achieved by abusing legitimate CSP services and features. This encompasses tools like AWS DataSync, AWS Transfer, and a technique called snapshot, the latter of which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.

Muddled Libra’s tactical shift requires organizations to secure their identity portals with robust secondary authentication protections like hardware tokens or biometrics.

“By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra’s methodology shows the multidimensionality of cyberattacks in the modern threat landscape,” Zimmermann concluded. “The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders.”

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl
http://www.indiavpn.org/2024/03/21/how-to-accelerate-vendor-risk-assessments-in-the-age-of-saas-sprawl/
Thu, 21 Mar 2024 11:35:26 +0000

Vendor Risk Assessments

In today’s digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the SaaS supply chain snowball quickly. That’s why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity.

Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorten, and iterative assessments over time must increase.

How Nudge Security can help

To address the need for a new, more flexible model, Nudge Security has created security profiles for over 97,000 SaaS apps, giving customers (and trial users) access to robust, actionable security context and AI-powered risk insights. Each security profile includes an app description, key vendor details, security certifications, breach histories, data locality, security program links, supported authentication methods, and SaaS supply chain details. Using the information in these profiles, you can:

  • Accelerate vendor security reviews with “one stop shopping” for key details
  • Share a list of approved applications with employees
  • Speed up vendor evaluations for new technology purchases
  • Get alerted when your SaaS providers or those in your digital supply chain experience breaches

Let’s take a look at how Nudge Security helps you with each step of vendor risk management.

1. View security profiles for all SaaS apps used by anyone in your organization

Nudge Security discovers all SaaS accounts ever created by anyone in your organization within minutes of starting a free trial, and requires only a single point of integration: read-only API access to your Microsoft 365 or Google Workspace email provider. No endpoint agents, network proxies, browser plugins, app integrations, or other complicated deployment steps are required.

For each of the apps used in your organization, Nudge Security provides a vendor security profile that includes many of the details required to conduct a vendor security review. Details include the app category and description, corporate headquarters, legal terms, data hosting details, and more. You can also view information about the vendor’s security program, breach history, compliance certifications, and links related to the vendor’s public support for security engagement.


2. Provide employees with a directory of approved applications

After you’ve reviewed an app, you can assign a status like “Approved”, “Acceptable”, or “Unacceptable” to indicate if usage should be permitted. For any apps that are deemed “Unacceptable”, automated nudges can be triggered in response to new accounts to redirect the user towards a similar, approved app or ask for context on why they need to use that particular app.

Additionally, Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can peruse the list by category and submit access requests that are routed directly to each application’s technical owner, whether or not that person sits within central IT. This removes the need for IT to be the “event forwarder” between users and app owners, while still retaining visibility and centralized governance.


3. Speed up vendor evaluations for new technology purchases

For apps your organization isn’t already using, Nudge Security still gives you access to vendor security profiles to help you evaluate apps more quickly. You can search for any app and your search results will indicate if it’s currently used in your organization or not.


From there, you can access the same vendor security profile details described above and update the app status to indicate if it is “Approved”, “Acceptable”, or “Unacceptable”. Any apps deemed “Approved” can be automatically added to your app directory, and you can choose whether to also include apps with an “Acceptable” status in your app directory.

4. Dig into the SaaS supply chain for each application.

Nudge Security provides critical capabilities to help you manage SaaS security, including SaaS supply chain visibility. This information is available within each SaaS security profile—and you can even click through each supply chain app to see its associated security profile.

Understanding an app’s SaaS supply chain can help you assess and manage data security risks and ensure compliance with regulatory standards.


5. Get alerted to breaches affecting your SaaS providers

When an app in use at your organization experiences a data breach, it can put your own organization’s security at risk. Nudge Security alerts you when apps your employees are using experience a data breach—or the apps in their supply chains.

Within each security profile, you can see an overview of the app’s breach history or a green thumbs up if there are no known breaches.


When an app you use, or one in your digital supply chain, is impacted by a breach, you will receive a notification so you can take appropriate action to assess and mitigate any potential impact.


Accelerate vendor risk assessments with Nudge Security

With Nudge Security’s patented method of SaaS discovery, an unrivaled database of vendor security profiles, and automated workflows, you can effectively manage third-party risk while strengthening your organization’s SaaS security posture.


Join Our Webinar on Protecting Human and Non-Human Identities in SaaS Platforms
http://www.indiavpn.org/2024/03/13/join-our-webinar-on-protecting-human-and-non-human-identities-in-saas-platforms/
Wed, 13 Mar 2024 11:44:34 +0000

Mar 13, 2024 | The Hacker News | SaaS Security / Webinar

Secure Identities in SaaS Platforms

Identities are the latest sweet spot for cybercriminals, who now heavily target SaaS applications, which are especially vulnerable to this attack vector.

The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth authorizations. Consequently, any identity in a SaaS app can create an opening for cybercriminals to compromise, leading to data breaches, compliance violations, and financial losses.

Many safeguards have been developed to better protect human identities, including multi-factor authentication (MFA) and single sign-on (SSO). These measures can protect enterprises against attacks using stolen credentials, such as password sprays.

Protecting non-human identities is more challenging, as MFA and SSO are usually not feasible with accounts that are not associated with any individual employee. Non-human accounts are also more sensitive since they come with the high privileges needed for integration activities. Cybersecurity for non-human entities requires different tactics, including monitoring tools to detect abnormal behavior indicative of different types of suspicious activity.

Despite the risks, the activity of non-human accounts is often overlooked. For non-human identities, advanced methods such as automated security checks must be deployed to detect unusual activity. Tools such as ITDR add a defensive layer that strengthens the identity fabric and helps protect enterprises from attacks.

Join an informative webinar with Maor Bin, CEO and co-founder of Adaptive Shield, where he will dive into the identity risks in SaaS applications, and explain how to defend the SaaS environment through a strong identity security posture.

Topics to be covered during the webinar:

  • The new attack surface: Discover how identities, including human users, service accounts, and API keys, are being exploited by cybercriminals.
  • Identity-centric threats: Understand the unique risks posed by compromised identities within your SaaS environment.
  • Managing identities: Learn how to detect identity threats through SSPM and ITDR.

Register for this free webinar today and gain the insights you need to protect your organization from evolving cyber threats.

Human vs. Non-Human Identity in SaaS
http://www.indiavpn.org/2024/03/07/human-vs-non-human-identity-in-saas/
Thu, 07 Mar 2024 12:12:04 +0000

Identity in SaaS

In today’s rapidly evolving SaaS environment, the focus is on human users. This is one of the most compromised areas in SaaS security management and requires strict governance of user roles and permissions, monitoring of privileged users, their level of activity (dormant, active, hyperactive), their type (internal/external), whether they are joiners, movers, or leavers, and more.

Not surprisingly, security efforts have mainly been human-centric. Configuration options include tools like MFA and SSO for human authentication. Role-based access control (RBAC) limits the level of access; password complexity guidelines block unauthorized humans from accessing the application.

Yet, in the world of SaaS, there is no shortage of access granted to non-human actors, or in other words, 3rd party connected apps.

Service accounts, OAuth authorizations, and API keys are just a few of the non-human identities that require SaaS access. When viewed through the lens of the application, non-human accounts are similar to human accounts. They must be authenticated, granted a set of permissions, and monitored. However, because they are non-human, considerably less thought is given to ensuring security.

Non-human Access Examples

Integrations are probably the easiest way to understand non-human access to a SaaS app. Calendly is an app that eliminates the back-and-forth emails of appointment-making by displaying a user’s availability. It integrates with a user’s calendar, reads the calendar to determine availability, and automatically adds appointments. When integrating with Google Workspace through an OAuth authorization, it requests scopes that enable it to see, edit, share, and delete Google Calendars, among other scopes. The integration is initiated by a human, but Calendly is non-human.

Figure 1: Calendly’s required permission scopes

Other non-human accounts involve data sharing between two or more applications. SwiftPOS is a point-of-sale (POS) application and device for bars, restaurants, and retail outlets. Data captured by the POS is transferred to a business intelligence platform, like Microsoft Power BI, where it is processed and analyzed. The data is transferred from SwiftPOS to Power BI through a non-human account.

The Challenge of Securing Non-human Accounts

Managing and securing non-human accounts is not as simple as it sounds. For starters, every app has its own approach to managing these types of user accounts. Some applications, for example, disconnect an OAuth integration when the user who authorized it is deprovisioned from the app, while others maintain the connection.

SaaS applications also take different approaches to managing these accounts. Some include non-human accounts in their user inventory, while others store and display the data in a different section of the application, making them easy to overlook.

Human accounts can be authenticated via MFA or SSO. Non-human accounts, in contrast, are authenticated one time and forgotten about unless there is an issue with the integration. Humans also have typical behavior patterns, such as logging on to applications during working hours. Non-human accounts often access apps during off-peak time to reduce network traffic and pressure. When a human logs into their SaaS at 3 AM, it may trigger an investigation; when a non-human hits the network at 3 AM, it’s merely business as usual.

In an effort to simplify non-human account management, many organizations use the same API key for all integrations. To facilitate this, they grant broad permission sets to the API key to cover all the potential needs of the organization. Other times, a developer will use their own high-permission API key to grant access to the non-human account, enabling it to access anything within the application. These API keys function as all-access passes used by multiple integrations, making them incredibly difficult to control.

Figure 2: A Malicious OAuth Application detected through Adaptive Shield’s SSPM


The Risk Non-human Accounts Add to SaaS Stack

Non-human accounts are largely unmonitored and have wide-ranging permission scopes. This makes them an attractive target for threat actors. By compromising any of these accounts, threat actors can enter the application undetected, leading to breaches, unauthorized modifications, or disruptions in service.

Taking Steps to Secure Non-human Accounts

Using a SaaS Security Posture Management (SSPM) platform in concert with Identity Threat Detection & Response (ITDR) solutions, organizations can effectively manage their non-human accounts and detect when they behave anomalously.

Non-human accounts require the same visibility by security teams as human accounts and should be managed in the same user inventory as their human counterparts. By unifying identity management, it is far easier to view access and permissions and update accounts regardless of who the owner is. It also ensures a unified approach to account management. Organizational policies, such as prohibiting account sharing, should be applied across the board. Non-human accounts should be limited to specific IP addresses that are pre-approved on an allow list, and should not be granted access through the standard login screens (UI login). Furthermore, permissions should be tailored to meet their specific needs as apps, and not be wide-ranging or matching their human counterparts.

ITDR plays an important role as well. Non-human accounts may access SaaS apps at all hours of the night, but they are usually fairly consistent in their interactions. ITDR can detect anomalies in behavior, whether it’s changes in schedule, the type of data being added to the application, or the activities being performed by the non-human account.

The visibility provided by SSPM into accounts and ITDR into non-human identity behavior is essential in managing risks and identifying threats. This is an essential activity for maintaining secure SaaS applications.
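The controls described in this section (an IP allow list, no UI login, and consistent behaviour) can be checked mechanically against an audit log. The following is an added example, not code from the article or from any vendor it mentions; the log format, the account name `svc-pos-export`, the allow-listed network and the one-hour schedule tolerance are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed policy: networks each non-human account may call from.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only ranges.
ALLOWLIST = {"svc-pos-export": [ipaddress.ip_network("203.0.113.0/28")]}
SCHEDULE_TOLERANCE_HOURS = 1  # assumed slack around the usual run hour

# Constructed audit log: timestamp (UTC), account, source IP, channel, action.
HISTORY = """\
2024-03-01T03:00:05 svc-pos-export 203.0.113.5 api export_sales
2024-03-02T03:00:07 svc-pos-export 203.0.113.5 api export_sales
2024-03-03T03:01:12 svc-pos-export 203.0.113.6 api export_sales
""".splitlines()

NEW_EVENTS = """\
2024-03-04T03:00:09 svc-pos-export 203.0.113.5 api export_sales
2024-03-04T14:22:41 svc-pos-export 198.51.100.77 api list_users
2024-03-05T03:02:00 svc-pos-export 203.0.113.6 ui login
""".splitlines()


def parse(line):
    """Split one whitespace-separated log line into typed fields."""
    ts, account, ip, channel, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ipaddress.ip_address(ip), "channel": channel,
            "action": action}


def build_baseline(events):
    """Record, per account, the hours it runs at and the actions it performs."""
    baseline = defaultdict(lambda: {"hours": set(), "actions": set()})
    for e in events:
        baseline[e["account"]]["hours"].add(e["ts"].hour)
        baseline[e["account"]]["actions"].add(e["action"])
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour clock face."""
    d = abs(a - b)
    return min(d, 24 - d)


def evaluate(event, baseline, allowlist=ALLOWLIST):
    """Return the list of policy and behaviour deviations for one event."""
    reasons = []
    # Fail closed: an account with no allow-list entry matches no network.
    networks = allowlist.get(event["account"], [])
    if not any(event["ip"] in net for net in networks):
        reasons.append("ip_not_allowlisted")
    # Non-human accounts should never come through the interactive login.
    if event["channel"] == "ui":
        reasons.append("ui_login")
    profile = baseline.get(event["account"])
    if profile is None:
        reasons.append("no_baseline")
        return reasons
    if all(hour_distance(event["ts"].hour, h) > SCHEDULE_TOLERANCE_HOURS
           for h in profile["hours"]):
        reasons.append("off_schedule")
    if event["action"] not in profile["actions"]:
        reasons.append("new_action")
    return reasons


def triage(history_lines, new_lines):
    """Learn a baseline from history, then score each new event."""
    baseline = build_baseline(parse(line) for line in history_lines)
    return [evaluate(parse(line), baseline) for line in new_lines]


if __name__ == "__main__":
    for line, reasons in zip(NEW_EVENTS, triage(HISTORY, NEW_EVENTS)):
        print("ALERT" if reasons else "ok   ", line, reasons)
```

The 3 AM export from the usual address passes, which matches the article's point that off-hours activity alone is normal for a non-human account; only deviation from that account's own pattern or policy is flagged.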

6 Ways to Simplify SaaS Identity Governance
http://www.indiavpn.org/2024/02/21/6-ways-to-simplify-saas-identity-governance/
Wed, 21 Feb 2024 15:00:59 +0000

SaaS Identity Governance

With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can’t possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them.

Modern IT teams need a way to orchestrate SaaS identity governance by engaging the application owners in the business who are most familiar with how the tool is used, and who needs what type of access.

Nudge Security is a SaaS security and governance solution that can help you do just that, with automated workflows to save time and make the process manageable at scale. Read on to learn how it works.

1. Discover all SaaS apps used by anyone in the org

As the old saying goes, you can’t secure what you can’t see, so the first step in SaaS identity governance is to get a full inventory of what technology is actually being used, and by whom.

Nudge Security discovers and categorizes all SaaS apps ever introduced by anyone in the organization and provides a vendor security profile for each app to give IT and security teams the context they need to vet new SaaS providers. And after they’ve reviewed an app, they can assign a status like “Approved,” “Acceptable,” or “Unacceptable” to indicate if usage should be permitted. For any apps that are deemed “Unacceptable”, automated nudges can be triggered in response to new accounts to redirect the user towards a similar, approved app or ask for context on why they need to use that particular app.

2. Share a directory of approved apps with employees

In an ideal world, IT teams want to empower employees to adopt technologies that will both enhance productivity and keep the business secure and compliant. Unfortunately, employees often have no way of knowing which tools fit the business’s requirements as well as their own.

Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can peruse the list by category and submit access requests that are routed directly to each application’s technical owner, whether or not that person sits within central IT. This removes the need for IT to be the “event forwarder” between users and app owners, while still retaining visibility and centralized governance.


3. Keep app owners up to date

Ever feel like you’re on the world’s worst scavenger hunt when tracking down the right people in your organization to get context on a SaaS application or user account? You’re not alone. This knowledge is often siloed and changes frequently. Nudge Security uses various methods to deduce the likely “technical contact” (like the first user) for every SaaS application discovered in your environment and gives you the ability to automate nudges to confirm app ownership periodically.

With this technical contact discovery process, Nudge Security automates emails or Slack messages to assumed technical contacts with a simple nudge that asks them to either validate that they are the correct technical contact or update this information. No more strings of emails and Slack threads to figure it out. With Nudge Security, you can automate the process of keeping this information up to date as administrative responsibilities change.


4. Automate user access reviews

For companies subject to any of a number of compliance standards like SOC 2, HIPAA, PCI DSS, and others, it is typically required to do periodic user access reviews of in-scope systems to ensure that only those who need access actually have access. And, for anyone who’s had the pleasure of conducting user access reviews, you know it usually involves an assortment of spreadsheets with inconsistent and incomplete information and a lot of manual effort to track down who’s using what.

Instead of this spreadsheet puzzle, with Nudge Security you can automate the process. First, you can group your in-scope assets together and automate nudges to app users to verify if they still need access. Then, Nudge Security collects the responses for you and routes the consolidated list of accounts to be removed to the app owners. Finally, it collects responses from the app owners to confirm they’ve completed the removals and documents all the actions taken in a .pdf report you can share with auditors.


5. Identify and clean up unused accounts

Meeting compliance requirements is one good reason to regularly review who needs access to what, but cost savings is another. Gartner’s research shows that 25% of SaaS is underutilized or over-deployed. No matter what the size of your organization, that can add up quickly.

Nudge Security monitors cloud and SaaS account status across your entire organization, so you can easily find and prune inactive and abandoned SaaS accounts. And, you’ll have up-to-date information at your fingertips in some very good-looking charts, so you can monitor SaaS account statuses right next to SaaS adoption trends.


While you can always discover unused accounts one app at a time from each application’s overview page, Nudge Security’s playbook for removing unused accounts enables you to audit multiple applications at once so you reduce SaaS sprawl at scale.

6. Ensure complete offboarding

Here’s a dirty little secret: most employees have signed up for apps outside the purview of IT, or even their department managers. With Nudge Security, you can see every account ever signed up for by anyone using an email associated with your organization. This includes domain registrations, social media accounts, developer accounts, and other assets that are often overlooked. You can also see if those apps are connected to other apps via OAuth grants, so you can minimize the chance of something breaking when an employee leaves the organization.

And, better yet, with Nudge Security, you can automate key steps of IT offboarding like suspending accounts, resetting passwords, revoking OAuth grants and more. And you’ll start with a full inventory of every account ever created for the departing employee so you can ensure all access is revoked.


Try Nudge Security for free

Our mission at Nudge Security is to help IT and security professionals everywhere regain control over SaaS security and governance while minimizing manual work for themselves and friction for end users. Start a free 14-day trial now to see what it can do for you.

SaaS Compliance through the NIST Cybersecurity Framework
http://www.indiavpn.org/2024/02/20/saas-compliance-through-the-nist-cybersecurity-framework/
Tue, 20 Feb 2024 19:54:16 +0000

Cybersecurity Framework

The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world’s most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.

One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.

However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we’ll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps’ security posture.

Start with Admins

Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS app. There are two types of permissions within a SaaS application. Functional access covers things like creating accounts and navigating the application. Data access permissions, on the other hand, govern which users can retrieve and modify data. The admin account (or the super-admin account in some apps) is the most sensitive within the app, as it has full access to both types of permissions.

For threat actors, breaching an admin account is akin to winning the lottery. They have access to everything. Organizations must do everything within their power to maintain control over these accounts. This control is managed through configurations and best practices.

Implement Limited Redundancy

It’s important to have a minimum of two admins for every application. This redundancy makes it difficult for an admin to act alone against the best interests of the organization, as admins can monitor each other for any signs of a breach.

However, each admin increases the application’s attack surface. Organizations must strike a balance between having enough admins to adequately service the application while limiting exposure. An automated review of the number of admins should trigger alerts when the number of admins is outside the preferred range.

Eliminate External Admins

External admins introduce a new layer of uncertainty into SaaS security. Because they sit outside the organization, the security team can’t control the password policies or authentication tools that they use.

For example, should a threat actor try to log into your application and click Forgot Password, there is no way to know whether the threat actor can breach the external admin’s email account. That lack of oversight of external users could lead to a deep breach of your SaaS application, which is why NIST advises against having external admins. Depending on the application, either block external admins from getting admin privileges or identify external users with admin rights and remove those privileges.

For companies that hire an external IT company or outsource to MSSPs, those individuals should not be considered external. However, these companies should continue to monitor for other external users being given admin permissions.

Require Admin MFA

To comply with NIST standards, all admin user accounts should be required to access the application using multi-factor authentication (MFA), such as a one-time password (OTP). MFA requires users to present a minimum of two forms of ID before it authenticates the user. A threat actor would need to compromise two authentication systems, increasing the level of difficulty of the compromise and reducing the risk to the account. Make sure to set MFA for admins as required (we also recommend MFA for all users, but it is a must-have for admins).
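The three admin checks in this section (admin count inside a preferred range, no external admins, MFA enforced for every admin) can be run automatically over a user export from each app. The following is an added example, not code from the article: the field names, the 2-4 admin range, and the domain lists are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass

# Assumptions for this example (not from the article).
ADMIN_RANGE = (2, 4)                         # article: at least two admins; upper bound assumed
INTERNAL_DOMAINS = {"example.com"}           # the organization's own mail domains
TRUSTED_PARTNER_DOMAINS = {"mssp.example"}   # outsourced IT / MSSP, not treated as external
ADMIN_ROLES = {"admin", "super-admin"}


@dataclass
class User:
    app: str
    email: str
    role: str
    mfa_enforced: bool


def is_admin(user):
    return user.role.strip().lower() in ADMIN_ROLES


def is_external(user):
    # Compare only the mail domain, case-insensitively.
    domain = user.email.rsplit("@", 1)[-1].strip().lower()
    return domain not in (INTERNAL_DOMAINS | TRUSTED_PARTNER_DOMAINS)


def audit_admins(users):
    """Return a sorted list of (app, finding, detail) tuples."""
    by_app = {}
    for user in users:
        by_app.setdefault(user.app, []).append(user)

    findings = []
    low, high = ADMIN_RANGE
    for app, members in by_app.items():
        admins = [u for u in members if is_admin(u)]
        # Too few admins removes mutual oversight; too many widens the attack surface.
        if not low <= len(admins) <= high:
            detail = f"{len(admins)} admin account(s), preferred {low}-{high}"
            findings.append((app, "ADMIN_COUNT_OUT_OF_RANGE", detail))
        for admin in admins:
            if is_external(admin):
                findings.append((app, "EXTERNAL_ADMIN", admin.email))
            if not admin.mfa_enforced:
                findings.append((app, "ADMIN_WITHOUT_MFA", admin.email))
    return sorted(findings)


# Constructed sample export covering each finding type.
SAMPLE_USERS = [
    User("hr-app", "alice@example.com", "admin", True),
    User("hr-app", "bob@example.com", "Admin", False),        # admin without MFA
    User("hr-app", "carol@example.com", "member", False),     # not an admin, ignored
    User("crm", "dave@example.com", "super-admin", True),
    User("crm", "frank@contractor.example", "admin", True),   # external admin
    User("wiki", "gina@mssp.example", "admin", True),         # MSSP admin, but only one
]

if __name__ == "__main__":
    for app, finding, detail in audit_admins(SAMPLE_USERS):
        print(f"{app:8} {finding:26} {detail}")
```
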

Prevent Data Leaks

SaaS data leaks pose significant risks to organizations and their users, potentially compromising sensitive information stored within cloud-based applications. SaaS applications are marketed as collaboration tools. However, the configurations that enable users to work together can also compromise files and data. NIST, for its part, advocates monitoring the permissions of every resource.

A visible calendar can expose employees to socially engineered phishing attacks, while shared repositories can lead to a company’s internal source code being shared publicly. Email, files, and boards all contain sensitive data that should not be accessible to the public. While the following configurations are often called something different in each application, almost any app that stores content will have this type of control.

Stop Public Sharing

The difference between Share with All and Share with a User is profound. When items are shared with all, anyone with a link can access the materials. Share with a User, in contrast, adds an additional authentication mechanism, as the user needs to log in before accessing the material.

To reduce the content that is exposed, app admins should disable sharing over public URLs (“Anyone with the link”). In addition, some applications allow users to revoke access to URLs that have already been created. When available, organizations should be sure to toggle that setting to on.

Set Invitations to Expire

Many applications allow authorized users to invite external users to the application. However, most applications don’t implement an invite expiration date. In those circumstances, invites sent years prior can provide access to a threat actor who has just breached an external user’s email account. Enabling an auto-expiration date on invites eliminates that type of risk.

It’s worth noting that in some apps, configuration changes are retroactive, while others will only take effect moving forward.

Strengthening Passwords to Harden Application Security

Passwords are the first line of defense against unauthorized access. NIST advocates for a strong and well-managed password policy, which is essential to protect sensitive user data, confidential business information, and proprietary assets stored within the cloud-based infrastructure. The uniqueness, complexity, and regular updating of passwords are critical aspects of a robust security posture.

Passwords serve as a fundamental element in a layered security approach, complementing other security measures such as multi-factor authentication (MFA) and encryption. Compromised passwords can be a gateway for malicious actors to exploit vulnerabilities in the SaaS environment. The effective management of passwords enhances the overall resilience of SaaS systems, contributing to a more secure and trustworthy digital ecosystem for both businesses and their users.

Prevent Password Spray Attacks

In a spray attack, threat actors enter a username and common password terms, hoping to get lucky and access the application. Requiring MFA is the recommended way to prevent password spray attacks. For those that don’t insist on employees using MFA as part of the authentication process, many apps allow organizations to ban words from being used as passwords. This list of words would include terms like password1, letmein, 12345, and the names of local sports teams. Additionally, it would include terms like the user’s name, company products, partners, and other business terms.

Going into the configurations and adding a custom banned words list can significantly reduce the risk of a successful password spray attack.

Password Complexity

Most SaaS applications allow the organization to customize password complexity. These range from allowing any password to requiring alphanumeric characters, capital and lowercase letters, symbols, or a password length. Update the password requirements in the app to match your organization’s policy.

If your organization doesn’t have a password policy, consider following NIST guidelines:

  1. Don’t make mandatory password changes, as users tend to choose easy-to-remember passwords.
  2. Use long passwords over complex ones. Combinations of numbers, special characters and lower/upper case characters usually follow a format like this: Password1!. These are easy to brute force. A long password like MyFavoriteDessertIsPecanPie is easy to remember but with 27 characters, difficult to brute force.
  3. Limit password attempts to no more than 10.
  4. Screen passwords against published passwords and other easy to guess words with a banned words list.
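The banned-words screening and the attempt limit from the list above can be sketched as follows. This is an added example, not code from the article: the minimum length of 12, the organization-specific terms, and the character-substitution table are assumptions, and the banned-terms list is constructed from the article's examples plus placeholders.

```python
import re

# Constructed banned-terms list: the article's examples plus placeholder
# team, company and product names (assumptions).
BANNED_TERMS = {"password", "letmein", "12345", "rovers", "acme", "roadrunner"}
MIN_LENGTH = 12            # assumed policy value; the article only says "long"
MAX_FAILED_ATTEMPTS = 10   # article: limit password attempts to no more than 10

# Common character substitutions undone before matching (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})


def user_terms(username, display_name):
    """Tokens from the user's own identity that must not appear in the password."""
    tokens = re.split(r"[^a-z0-9]+", f"{username} {display_name}".lower())
    return {t for t in tokens if len(t) >= 3}   # skip initials to avoid false hits


def screen_password(password, username="", display_name="", banned=BANNED_TERMS):
    """Return the list of reasons to reject the password (empty list = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Check the raw form (catches "12345") and the de-substituted form.
    forms = (lowered, lowered.translate(LEET))
    for term in sorted(set(banned) | user_terms(username, display_name)):
        if any(term in form for form in forms):
            reasons.append(f"contains banned term '{term}'")
    return reasons


class LoginThrottle:
    """Counts consecutive failed logins per account and locks at the limit."""

    def __init__(self, limit=MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures = {}

    def allowed(self, account):
        return self.failures.get(account, 0) < self.limit

    def record(self, account, success):
        """Record one login result; return whether further attempts are allowed."""
        if success:
            self.failures.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
        return self.allowed(account)


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd-P@ssw0rd", "MyFavoriteDessertIsPecanPie"):
        print(candidate, "->", screen_password(candidate) or "accepted")
```
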

Configurations Really Matter

Approximately 25% of all cloud-related security incidents start with a misconfigured setting. In addition to those mentioned here relating to access, password, and data leaks, which are fairly universal, configurations are used for key management, mobile security, operational resilience, phishing protection, SPAM protection, and more. Misconfigurations in any of those areas can lead directly to breaches.

It may seem unlikely that threat actors spend their time looking for misconfiguration that they can exploit. Yet, that is exactly what the Russian state-sponsored group Midnight Blizzard did when it breached Microsoft this year. If misconfigurations can happen at Microsoft, it’s worth reviewing to make sure that your applications are all secure.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

]]>
http://www.indiavpn.org/2024/02/20/saas-compliance-through-the-nist-cybersecurity-framework/feed/ 0
New Research Exposes Major SaaS Vulnerabilities
http://www.indiavpn.org/2024/02/15/new-research-exposes-major-saas-vulnerabilities/

Feb 15, 2024 | The Hacker News | SaaS Security / Risk Management

With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.

The TL;DR Version Of SaaS Security

2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The first insight from this research cements the concept that SaaS is the new supply chain, providing an almost intuitive framework to the importance of securing SaaS usage. These applications are clearly an integral part of the modern organization’s set of tools and vendors. That said, long gone are the days when every 3rd party with access to company data had to go through security or IT approval. Even in the most rigorous companies, when a diligent employee needs a quick and efficient solution, they’ll look it up and use it to get their jobs done faster and better. Again, think of the widespread use of GenAI, and the picture is clear.

As such, any organization concerned about the security of its supply chain must adopt SaaS security measures. According to the MITRE ATT&CK technique ‘Trusted Relationships’ (T1199), a supply chain attack occurs when an attacker targets a vendor to exploit it as a means to infiltrate a broader network of companies. By entrusting sensitive data to external SaaS vendors, organizations subject themselves to supply chain risks that reach beyond immediate security concerns.

Four Common SaaS Risks

There are various reasons and ways in which SaaS is being targeted. The good news is that most of the risks can be significantly mitigated when monitored and controlled. Basic SaaS security capabilities are even free, suited for organizations that are just beginning to develop their SaaS security posture or need to compare it to their current solution.

1) Shadow SaaS

The first problem with SaaS usage is the fact that it often goes completely unnoticed: The number of applications used by organizations is typically 250% larger than what a basic and often-used query of the workspace reveals.

Amongst the companies analyzed:

  • 41% of applications were used by only one individual, resulting in a very long tail of unsanctioned applications.
  • 1 out of 5 users were utilizing applications not used by anyone else within their organization, creating security and resource strains.
  • 63% of single-user applications were not even accessed within a 3-month period, begging the question – why keep them connected to company data?
  • 96.7% of organizations used at least one application that had a security incident in the previous year, solidifying the continuous risk and need for proper mitigation.

2) MFA Bypassing

Wing’s research indicates a trend where users opt to use a username/password to access the services they need, bypassing the security measures in place (see image 1).

Image 1: From Wing Security’s research, bypassing MFA.

3) Forgotten tokens

Users grant the applications they need tokens; this is necessary for the SaaS applications to serve their purpose. The problem is that these tokens are often forgotten about after a few or just one use. Wing’s research revealed a large presence of unused tokens over a period of 3 months, creating an unnecessarily large attack surface for many customers (Image 2).

4) The new risk of Shadow AI

In the beginning of 2023, security teams primarily concentrated on a select few renowned services offering access to AI-based models. However, as the year progressed, thousands of conventional SaaS applications adopted AI models. The research shows that 99.7% of companies were using applications with integrated AI capabilities.

Organizations were required to agree to updated terms and conditions permitting these applications to utilize and refine their models using the organizations’ most confidential data. Often, these revised terms and conditions slipped under the radar, along with the usage of AI itself.

There are different ways in which AI applications may use your data for their training models. This can come in the form of learning your data, storing your data and even having a human manually go over your data to improve the AI model. According to Wing, this capability is often configurable and totally avoidable, provided it is not overlooked.

Solving SaaS Security Challenges In 2024

The report ends on a positive note, listing 8 ways in which companies can mitigate the growing threat of the SaaS supply chain, including:

  1. Ongoing shadow IT discovery and management.
  2. Prioritize the remediation of SaaS misconfigurations.
  3. Optimize anomaly detection with predefined frameworks, automate when possible.
  4. Discover and monitor all AI-using SaaS applications, and constantly monitor your SaaS for updates in their T&C pertaining to AI usage.

For the full list of findings, tips on ensuring safe SaaS usage and a 2024 SaaS security forecast, download the full report here.

This article is a contributed piece from one of our valued partners.

How a $10B Enterprise Customer Drastically Increased their SaaS Security Posture with 201% ROI by Using SSPM
http://www.indiavpn.org/2024/02/06/how-a-10b-enterprise-customer-drastically-increased-their-saas-security-posture-with-201-roi-by-using-sspm/
Tue, 06 Feb 2024 11:41:26 +0000

SaaS applications are the darlings of the software world. They enable work from anywhere, facilitate collaboration, and offer a cost-effective alternative to owning the software outright. At the same time, the very features that make SaaS apps so embraced – access from anywhere and collaboration – can also be exploited by threat actors.

Recently, Adaptive Shield commissioned a Total Economic Impact™ (TEI) study conducted by Forrester Consulting. The study demonstrates the impactful ROI achieved by a multimedia company with an annual revenue of $10 billion. While the quantitative ROI is significant, at 201%, the qualitative security ROI improvements were substantial.

Figure 1: Summary of the TEI Study

In this article, we’ll examine the study’s findings of how Adaptive Shield’s SaaS Security Posture Management (SSPM) platform impacted this global enterprise.

The Organization’s Top SaaS Challenges

In interviews with Forrester Consulting, the organization being studied pointed out several key challenges that they were facing in their SaaS stack leading up to 2022.

  1. The organization acknowledged that they lacked the knowledge and skill to manage the applications. They didn’t understand many of the unique configurations or the impact they had on security or compliance, which left them unaware of the risks or mitigations that needed to happen.
  2. The organization had experienced an increase in SaaS adoption across IT, HR, sales, marketing, and other departments. They recognized that sensitive assets and valuable data were moving into SaaS applications and being spread out in a way that the security team could no longer supervise all its comings and goings. In addition, they needed to foster collaboration between the app owners, who control the applications, and security teams that are tasked with securing them.
  3. They were also dealing with increased complexity caused by their Merger & Acquisition (M&A) activity. Each M&A increased the number of applications that they needed to manage, many of which were geographically-distributed tenants that could not be easily combined with existing tenants of the app.

The organization began looking for a solution that could alleviate the SaaS misconfigurations that they were dealing with at scale. They needed a platform that would integrate with multiple business applications, mitigate communication issues between the app owners and security teams, and help them maintain regulatory compliance in their SaaS stack.

They were impressed with Adaptive Shield’s platform, which not only demonstrated the widest coverage of supported applications but also found configuration issues during the proof of concept phase. In 2022, Adaptive Shield was selected and deployed to secure the organization’s stack.

Security Benefits Adaptive Shield Introduced to the Organization

Forrester Consulting found that Adaptive Shield enabled the security team to “gain complete control and increased visibility of the security posture of all business-critical applications.”

Increased SaaS Security Posture

The security team had dealt with six security issues stemming from misconfigurations and low-security posture in the past. However, the organization saw posture improvements beginning with the POC. They “realized substantial improvement in its security posture score through visibility, remediation guidance, and ongoing monitoring” while experiencing a 30% increase in posture.

Improved Collaboration

Forrester Consulting also found evidence of increased collaboration between security teams and app owners. They noted that business owners are critical players in securing applications, as they have “the key to the kingdom,” but they lacked the security expertise needed to secure their ecosystem. Deploying Adaptive Shield helped bridge that gap and foster collaboration between the app owners and security teams.

Many Other Security Benefits

While some security benefits were quantifiable by the Forrester Consulting team, they were unable to place a dollar value on everything offered by Adaptive Shield. For example, Forrester Consulting found that the automated processes within the Adaptive Shield platform allowed security teams to focus on security management rather than conduct interviews with app owners about their configurations. It also helped the organization overcome challenges introduced by the democratization of SaaS security. It helped the organization achieve continuous compliance, avoiding any interruptions to business operations, and staying ahead of any SaaS security trends.

Why Economic Benefits Indicated a 201% ROI

The Total Economic Impact™ study measured the return on investment experienced by the organization that was interviewed. To quantify these findings, Forrester Consulting first calculated the value of an improved SaaS Security posture. They factored in the number of breaches that had taken place before Adaptive Shield was deployed and projected the number of breaches over three years. Their calculations included diminished productivity, impacted business and security users, and salary data. Their three-year present value estimate of an improved SaaS Security posture was $1.49M.

Figure 2: Breakdown of ROI by Category

Next, Forrester Consulting reviewed operational efficiency achieved through the Adaptive Shield’s SSPM platform. They factored in the number of applications being monitored, hourly wages, and the cost of securing SaaS applications with and without an automated solution. Their estimated three-year present value of savings was $397K.

Forrester Consulting then turned its attention to compliance. They calculated improvements in efficiency based on the time it takes organizations to review their applications and ensure compliance with the different standards. Their three-year present value was worth $260K.

Improved collaboration between security teams and business app owners added another $32K in savings over three years at present value. While the study noted other areas of ROI, it wasn’t able to quantify them.

The total benefits over three years (at present value) totaled $2.18M. The total licensing and deployment costs over those three years, at present value, were $723,866. Payback was reached in less than six months, and the ROI over the three-year time frame was 201%.

A Push Toward SaaS Security

Today, organizations are increasing the volume and value of data stored in the cloud. Modern SaaS apps contain highly sensitive data, including PII, intellectual property, and third-party confidential information. Protecting this data is paramount, and the only realistic way to secure it is through a SaaS Security Posture Management (SSPM) tool.

Organizations understand the need to secure their SaaS stack. At the same time, they need to justify the cost of adding new security tools. By demonstrating significant, measurable ROI, organizations can finally make the case for implementing an SSPM solution.

For the full TEI study, click here.

Note: This article has been expertly written by Maor Bin, CEO and co-founder of Adaptive Shield.

Understanding New SaaS Cybersecurity Rules
http://www.indiavpn.org/2024/01/31/understanding-new-saas-cybersecurity-rules/
Wed, 31 Jan 2024 16:16:34 +0000

The SEC isn’t giving SaaS a free pass. Applicable public companies, known as “registrants,” are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them.

The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. In the SEC’s own words: “We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service.”

This evolving approach comes as SaaS security shortcomings continually make headlines and tech leaders debate how the SEC may change cybersecurity after charging both SolarWinds and its CISO with fraud.

Why SaaS and SaaS-to-SaaS Connection Risks Matter to the SEC — And To Your Organization

The perception and reality of SaaS security are, in many cases, miles apart. SaaS security leader AppOmni’s State of SaaS Security report showed that 71% of organizations rated their SaaS cybersecurity maturity as mid to high, yet 79% suffered a SaaS cybersecurity incident in the past 12 months.

The SEC finds SaaS security lacking as well, citing the “substantial rise in the prevalence of cybersecurity incidents” as a key motivating factor for its new approach. These concerns are not, of course, limited to small numbers of registrants relying on SaaS. Statista reports that by the end of 2022, the average global organization used 130 SaaS applications.

Data leak risk isn’t limited to SaaS’s ubiquity and vulnerability. To derive more value out of SaaS platforms, organizations routinely make SaaS-to-SaaS connections (connecting 3rd party apps to SaaS systems), whether these connections are approved by IT or integrated covertly as a form of shadow IT. As employees increasingly connect AI solutions to SaaS apps, the digital ecosystems CISOs oversee become more interconnected and nebulous.

Governance challenges and cybersecurity risks increase exponentially as intricate SaaS-to-SaaS connections flourish. While these connections typically boost organizational productivity, SaaS-to-SaaS apps introduce many hidden risks. The breach of CircleCI, for example, meant countless enterprises with SaaS-to-SaaS connections to the industry-leading CI/CD tool were put at risk. The same holds true for organizations connected to Qlik Sense, Okta, LastPass, and similar SaaS tools that have recently suffered cyber incidents.

Because SaaS-to-SaaS connections exist outside the firewall, they cannot be detected by traditional scanning and monitoring tools such as Cloud Access Security Brokers (CASBs) or Secure Web Gateways (SWGs). On top of this lack of visibility, independent vendors often release SaaS solutions with vulnerabilities that threat actors can compromise via OAuth token hijacking, creating hidden pathways into an organization’s most sensitive data. AppOmni reports that most enterprises have 256 unique SaaS-to-SaaS connections installed in a single SaaS instance.

Data that could affect investors and the market is now accessible — and hackable — through a sprawling network of digital pipes.

“Follow The Data” Is The New “Follow The Money”

As the SEC is tasked with protecting investors and maintaining “fair, orderly, and efficient markets,” regulating registrants’ SaaS and SaaS-to-SaaS connections falls within the agency’s purview. In the cybersecurity rules announcement, the SEC chair stated, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”

The scope and frequency of breaches underpin the SEC’s regulatory expansion in the cyber risk realm. SaaS breaches and incidents occur at a regular clip across public companies, and AppOmni has tracked a 25% increase in attacks from 2022 to 2023. IBM calculates that the cost of a data breach averaged an all-time high of $4.45 million in 2023.

While disclosure requirements have garnered the most media attention, the new SEC regulations also specify prevention measures. CISOs must describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats,” as well as sharing the board of directors’ and management’s role in cybersecurity risk and threat oversight.

Love them or loathe them, these rules force SaaS customers to adopt better cybersecurity hygiene. Disclosing what happened — and what your organization did and is doing about it — as directly and candidly as possible enhances investor confidence, ensures regulatory compliance, and fosters a proactive cybersecurity culture.

In SaaS, the best offense is an impenetrable defense. Assessing and managing risk of every SaaS system and SaaS-to-SaaS connection that has access to your sensitive data is not only mandated, it’s essential to avoiding data breaches and minimizing their impact.

How to Protect and Monitor Your SaaS Systems and SaaS-to-SaaS Connections

The burden of manually evaluating SaaS security risk and posture can be alleviated with a SaaS security posture management (SSPM) tool. With SSPM, you can monitor configurations and permissions across all SaaS apps, along with understanding the permissions and reach of SaaS-to-SaaS connections, including connected AI tools.

Registrants need a comprehensive understanding of all SaaS-to-SaaS connections for effective risk management. This must include an inventory of all connections and the employees using them, the data these connections touch, and the levels of permissions to SaaS systems these 3rd party tools have been granted. SSPM assesses all these aspects of SaaS-to-SaaS security.

SSPM will also alert security and IT teams of configuration and permission drifts to ensure posture remains in check. It will also detect and alert for suspicious activity, such as an attempted identity compromise from an unusual IP address or geographic location.

CISOs and their teams may struggle to meet readiness requirements without the proper posture and threat detection tools to reduce data breach risk. SSPM centralizes and normalizes activity logs to help companies prepare thorough and factual disclosures within the four-day window.

Only time will tell how the SEC will enforce these new rules. But even if these regulations vanish tomorrow, stepping up SaaS security is vital to protecting the data markets and investors rely on.

493 Companies Share Their SaaS Security Battles – Get Insights in this Webinar
http://www.indiavpn.org/2024/01/29/493-companies-share-their-saas-security-battles-get-insights-in-this-webinar/

Jan 29, 2024 | The Hacker News | SaaS Security / Webinar

In today’s digital world, security risks are more prevalent than ever, especially when it comes to Software as a Service (SaaS) applications. Did you know that an alarming 97% of companies face serious risks from unsecured SaaS applications?

Moreover, about 20% of these organizations are struggling with internal data threats. These statistics aren’t just numbers; they’re a wake-up call.

We’re excited to invite you to a not-to-be-missed webinar, “Critical SaaS Security Do’s and Don’ts: Insights from 493 Companies,” with Ran Senderovitz, the Chief Operating Officer of Wing Security. Ran isn’t just going to talk about the problems; he’s going to dive deep into the realities of SaaS security, backed by extensive research and data analysis from almost 500 companies using SaaS.

Here’s What This Webinar Offers:

    Insights Across Data, SaaS Applications, Users, and AI: Explore a comprehensive analysis of the statistics about SaaS security, discovered by Wing’s data and threat intelligence teams.

    Practical Tips for Enhanced SaaS Security: Receive actionable tips that can be implemented immediately to strengthen your organization’s security posture, ensuring a proactive defense against emerging SaaS-related threats.

    SaaS Threat Forecast 2024: Stay ahead of SaaS threats by hearing about expected challenges within the SaaS landscape, anticipated for the year ahead, and solutions to mitigate these challenges.

Why Should You Attend?

This webinar is tailor-made for those in the security and IT sectors. It’s more than just a discussion; it’s an opportunity to arm yourself with the knowledge and tools to fortify your organization against SaaS-related threats. With Wing’s comprehensive research and practical advice, you’ll walk away with valuable knowledge and actionable steps for a more secure SaaS environment.

Empower yourself with the knowledge and tools to stay one step ahead in the evolving world of SaaS security. Register now to transform these challenges into opportunities for strengthening your organization’s security posture.

Reserve Your Webinar Spot ➜

See you there!
