Exploring the SaaS Threat Projections for 2024

Unpacking 2024's SaaS Threat Predictions

The State of SaaS Security report by Wing Security, issued early 2024, reveals surprising insights into the emerging threats and optimal strategies within the SaaS sector. At present, numerous predictions from the report have materialized, demonstrating the necessity for SaaS Security Posture Management (SSPM) solutions to confront these challenges effectively.

This write-up revisits those forecasts, shows real-world instances of these threats in action, and offers practical tips and best practices to help you prevent such incidents in the future.

The escalating frequency of breaches in today's dynamic SaaS landscape is noteworthy, and it has led organizations to demand timely threat alerts as a crucial capability. As market demand shifts toward quick, accurate threat intelligence, organizations are placing more weight on these capabilities, along with a thorough understanding of the threat categories listed below.

Prediction of Threat 1: Stealth AI

Covert utilization of AI in a communication platform

In May 2024, a prominent communication platform faced public outrage for leveraging user data from messages and files to train machine learning algorithms for search and suggestions. This method triggered substantial data security apprehensions among organizations, wary of the potential exposure and misuse of their confidential information. Users expressed dissatisfaction with the insufficient clarity on this procedure, highlighting the inconvenient opt-out process. To counter these concerns, the platform revised its data usage regulations and streamlined the opt-out procedure.

Significance of this Issue

The lack of transparency around how AI is used in SaaS applications is a concern. With over 8,500 apps embedding generative AI functionalities and the majority of leading AI applications utilizing user data for training purposes, “Shadow AI,” the unauthorized use of AI, looms large.

Modern SaaS services integrate into organizations so seamlessly that their terms and conditions are often overlooked. This gives thousands of SaaS applications access to a treasure trove of sensitive corporate data that could be used for AI model training. The recent controversy over the use of customer data for machine learning shows that this risk is real.

Countering Covert AI through Automated SSPM

Organizations need to take several measures to strengthen their defenses against potential AI risks. First, regain control over AI deployment by identifying and understanding all AI and AI-powered SaaS applications in use. Second, detect app impersonation by monitoring for risky or malicious SaaS applications, including AI applications that mimic legitimate ones. Finally, automate AI remediation with tools that offer automated remediation workflows, so that identified threats are resolved promptly.
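
The first two measures above (inventorying AI apps and spotting look-alikes) can be sketched as a small audit over an export of OAuth grants. This is an added example, not code from the report or from any SSPM product; the app names, publishers, scopes, allow-list and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumed allow-list: sanctioned app name -> publisher domain (all names hypothetical).
SANCTIONED = {"NoteGenius AI": "notegenius.example", "MeetScribe": "meetscribe.example"}
AI_HINTS = {"ai", "gpt", "copilot", "assistant", "llm"}
BROAD_SCOPES = {"files.read.all", "mail.read", "messages.read"}

# Constructed OAuth grant inventory, shaped like an IdP or SSPM export might be.
GRANTS = [
    {"app": "NoteGenius AI", "publisher": "notegenius.example", "users": 40, "scopes": ["files.read.all"]},
    {"app": "NoteGeniuz AI", "publisher": "ng-tools.example", "users": 2, "scopes": ["mail.read"]},
    {"app": "SlideSmith GPT", "publisher": "slidesmith.example", "users": 12, "scopes": ["files.read.all"]},
    {"app": "DocuSort", "publisher": "docusort.example", "users": 3,
     "description": "LLM powered document tagging", "scopes": ["files.read.all", "mail.read"]},
    {"app": "TimeTracker", "publisher": "timetracker.example", "users": 25, "scopes": ["calendar.read"]},
]

def _norm(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())

def classify(grant):
    """Return 'sanctioned', 'impersonation', 'shadow-ai' or 'other' for one grant."""
    name, publisher = grant["app"], grant["publisher"]
    if SANCTIONED.get(name) == publisher:
        return "sanctioned"
    for good_name, good_pub in SANCTIONED.items():
        close = SequenceMatcher(None, _norm(name), _norm(good_name)).ratio() >= 0.85
        if close and publisher != good_pub:
            return "impersonation"   # look-alike name from a different publisher
    # Match whole words so that "ai" does not fire on "mail" or "email".
    words = set(re.findall(r"[a-z0-9]+", f"{name} {grant.get('description', '')}".lower()))
    return "shadow-ai" if words & AI_HINTS else "other"

def audit(grants):
    """Findings needing review: impersonation first, then AI apps by breadth of access."""
    rank = {"impersonation": 0, "shadow-ai": 1}
    findings = []
    for g in grants:
        status = classify(g)
        if status in rank:
            broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
            findings.append({"app": g["app"], "status": status, "broad_scopes": broad, "users": g["users"]})
    return sorted(findings, key=lambda f: (rank[f["status"]], -len(f["broad_scopes"])))

if __name__ == "__main__":
    for finding in audit(GRANTS):
        print(finding)
```
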

Prediction of Threat 2: Supply Chain

Malicious Actors Targeting a Popular Cloud Storage Provider

A recent disclosure revealed a data breach at a cloud-based service, brought to the public’s attention on April 24, 2024, and disclosed on May 1st. The breach stemmed from unauthorized access to customer credentials and authentication data. A compromised service account, used to run applications and automated services in the backend infrastructure, is suspected, resulting in the exposure of customer data including emails, usernames, phone numbers and hashed passwords, along with information needed for third-party integrations such as API keys and OAuth tokens.

Importance of this Development

Periodic evaluations of the SaaS supply chain are only a rudimentary measure. Employees can quickly add new services and vendors to their organization’s SaaS environment, further complicating the supply chain. In a landscape of numerous interconnected SaaS applications, a vulnerability in one can reverberate across the entire supply chain. This breach underscores the need to identify and address vulnerabilities promptly. Mandates such as NY-DFS now require CISOs to report incidents within their supply chains within 72 hours.

Combatting Supply Chain Weaknesses through Automated SSPM

In 2024, CISOs and their teams must have access to rapid threat intelligence notifications. These give them real-time insight into security breaches within their SaaS supply chain and enable swift responses that minimize the potential impact. Proactive strategies such as robust Third-Party Risk Management (TPRM) play a pivotal role in evaluating the risks associated with each application. As SaaS security threats expand to include both familiar and emerging risks, effective risk management requires prioritizing threat monitoring and using a SaaS Security Posture Management (SSPM) solution.

Prediction of Threat 3: Credential Breach

Cyber Intrusion into a Prominent Healthcare Provider

In February 2024, a leading healthcare provider fell victim to a cyber attack in which investigators believe attackers used stolen login credentials to access a server. A key lesson learned is that the absence of Multi-Factor Authentication (MFA), combined with a compromised token, enabled unauthorized access.

Significance of this Issue

The exploitation of compromised credentials in SaaS security is not new. Recent statistics indicate a staggering average of 4,000 blocked password attacks per second over the past year. Despite the emergence of more sophisticated attack methods, threat actors frequently rely on the simplicity and effectiveness of stealing login details. Stringent access controls, routine assessments and audits are indispensable for detecting and fixing vulnerabilities and for ensuring that only authorized personnel can access relevant data, which limits the potential for unauthorized access.

Defending Against Credential Attacks Using Automated SSPM

In order to counter credential attacks, organizations require a comprehensive strategy. Security teams must be vigilant in checking for exposed passwords on the dark web to promptly detect and respond to compromised credentials. The implementation of phishing-resistant multi-factor authentication (MFA) will provide an additional layer of strong security to prevent unauthorized entry even if passwords are compromised. Furthermore, security teams should proactively monitor for any unusual activities within systems to identify and address potential breaches before they escalate and cause significant damage.

Prediction of Threat 4: MFA Circumvention

Emergence of New PaaS Tool Bypassing MFA for Gmail and Microsoft 365

A novel phishing-as-a-service (PaaS) tool named “Tycoon 2FA” has surfaced, simplifying phishing attempts on Gmail and Microsoft 365 accounts by circumventing multi-factor authentication (MFA). In the middle of February 2024, an updated version of Tycoon 2FA was launched, utilizing the AiTM (Adversary in the Middle) technique to bypass MFA. This exploitation involves the attacker’s server hosting a phishing page, intercepting the victim’s inputs, and transmitting them to the genuine service to trigger the MFA request. Subsequently, the Tycoon 2FA phishing page forwards the user inputs to the legitimate Microsoft authentication API, redirecting the user to a valid URL containing a “not found” page.

Significance of This Issue

Several organizations overlook MFA entirely, leaving themselves vulnerable to potential breaches. Based on our research, 13% of organizations did not deploy MFA for any of their users. This lack of authentication safeguard can be exploited by unauthorized individuals to access confidential data or resources. Effective implementation of MFA fortifies defenses against unauthorized entry and SaaS-related attacks, making it the optimal solution against credential-stuffing attacks.

Counteracting MFA Circumvention using Automated SSPM

Automated SSPM solutions persistently validate MFA setups and monitor for any signs of circumvention attempts. By automating these inspections, organizations can ensure robust implementation and functionality of MFA, thereby thwarting sophisticated attacks aimed at bypassing MFA protections. Automation guarantees that MFA configurations are always current and uniformly applied throughout the organization. It is recommended to utilize diverse forms of identification and multi-step login procedures, such as multiple passwords and additional verification steps.
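
One way to monitor for the circumvention pattern described above: in an AiTM relay the MFA prompt is satisfied through the attacker's server, so the resulting session tends to be used from a network and client that differ from where the sign-in completed. The heuristic below is an added example, not part of the report or of any SSPM product; the log format, event names and field names are constructed assumptions.

```python
from datetime import datetime

# Constructed sign-in/activity log: time|user|session|event|ip|asn|user-agent
LOG = """\
2024-02-20T09:00:05|alice|s-101|signin_mfa_ok|198.51.100.7|AS64500|Chrome/121 Windows
2024-02-20T09:04:40|alice|s-101|mail_read|203.0.113.50|AS64511|python-requests/2.31
2024-02-20T09:05:10|alice|s-101|mail_rule_created|203.0.113.50|AS64511|python-requests/2.31
2024-02-20T10:00:00|bob|s-202|signin_mfa_ok|192.0.2.10|AS64501|Safari/17 iPhone
2024-02-20T10:12:00|bob|s-202|file_download|192.0.2.99|AS64502|Safari/17 iPhone
2024-02-20T11:00:00|carol|s-999|file_download|192.0.2.20|AS64501|Firefox/122 Linux
""".splitlines()

def parse(line):
    ts, user, sid, event, ip, asn, ua = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "sid": sid,
            "event": event, "ip": ip, "asn": asn, "ua": ua}

def find_session_replay(lines):
    """Flag sessions used from a different network AND client than the MFA sign-in."""
    issued, alerts = {}, {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        sid = ev["sid"]
        if ev["event"] == "signin_mfa_ok":
            issued[sid] = ev          # remember where MFA was completed
            continue
        origin = issued.get(sid)
        if origin is None or sid in alerts:
            continue                  # no recorded sign-in, or already reported
        # A roaming user changes network but keeps the same client, so require
        # both the ASN and the user-agent to differ before alerting.
        if ev["asn"] != origin["asn"] and ev["ua"] != origin["ua"]:
            delay = int((ev["ts"] - origin["ts"]).total_seconds())
            alerts[sid] = {"user": ev["user"], "session": sid,
                           "signin_ip": origin["ip"], "reuse_ip": ev["ip"],
                           "first_action": ev["event"], "seconds_after_mfa": delay}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_session_replay(LOG):
        print(alert)
```
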

Prediction of Threat 5: Interconnected Threats

Intrusion Due to Unauthorized Access

On May 11, 2024, a financial technology firm encountered unauthorized access to its user space on a third-party SaaS code repository platform. The company promptly addressed the matter, clarifying that no client data was stored on the repository. However, during the investigation, the firm determined that a credential from their user space had been stolen and used to infiltrate their production environment. This transition from the third-party SaaS platform to the company’s infrastructure permitted the attacker to access client data stored in the production environment.

Importance of This Incident

The surge in cross-domain attacks underscores the growing complexity of cyber threats, impacting on-premises, cloud-based, and SaaS environments alike. To grasp this threat, we need to consider the perspective of threat actors who exploit any available opportunity to penetrate a victim’s assets, regardless of the domain. While these domains are typically viewed as distinct target areas, attackers perceive them as interconnected components of a singular target.

Addressing Cross-Domain Attacks with Automated SSPM

SSPM tools offer a comprehensive overview of an organization’s security stance. By continuously overseeing and safeguarding the SaaS domain, threats can be restricted and contained. Additionally, by automating threat detection and response, organizations can promptly isolate and mitigate threats.

The Significance of Swiftness and Effectiveness in Tackling SaaS Breaches

Automation in SaaS security is imperative for organizations seeking to bolster their security posture and effectively handle security breaches. SSPM tools streamline critical functions such as threat detection and incident response, allowing security teams to function with increased efficiency and scalability.

By automating routine operations, organizations can proactively detect and mitigate security risks, ensuring faster and more efficient responses to breaches. Leveraging the capabilities of SSPM automation not only enhances cybersecurity defenses but also saves valuable time and resources, enabling organizations to combat evolving cyber threats with enhanced accuracy and speed.

This article is a contributed piece from one of our valued partners.