Identity-based risks in Software as a Service (SaaS) environments are a growing concern for security professionals, who have limited means to detect and counter them.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks originate from phishing, an identity-related risk. Add attacks that use stolen credentials, over-provisioned accounts, and insider threats, and it is clear that identity is a primary avenue for breaches.
To complicate matters, human accounts are not the only ones under attack. Threat actors are also taking over non-human identities, including service accounts and OAuth grants, to gain access to SaaS platforms.
Once an attacker is past the initial security controls, a robust Identity Threat Detection and Response (ITDR) capability, as a core element of identity security, can prevent a serious breach. The recent Snowflake breach illustrates this: exploiting single-factor authentication, threat actors accessed the account, and the absence of effective threat detection allowed them to exfiltrate over 560 million customer records.
How ITDR Works
ITDR combines several data sources to identify SaaS threats. It examines events across the entire SaaS estate, using login details, device information, and user behavior to spot anomalies that indicate a threat. Each anomaly is treated as an indicator of compromise (IOC), and an alert is raised once the accumulated IOCs exceed a preset threshold.
For example, if an administrator downloads a large volume of data, ITDR records it as an IOC. If that download also occurs late at night from an unrecognized device, the combination of these IOCs escalates into a suspected threat.
Similarly, a user logging in from a suspicious ASN after a series of brute-force login attempts would be classified as a threat, triggering an incident response. Because ITDR draws on data from multiple applications, it can surface threats that no single app's logs reveal. For instance, a user concurrently logged into one app from New York and another from Paris would look normal if ITDR reviewed only each app's event log in isolation. The strength of SaaS ITDR comes from correlating data across the whole SaaS estate.
In a recent breach detected by Adaptive Shield, threat actors gained access to an HR payroll system and changed the bank account numbers of several employees. The ITDR engine spotted the anomalous activity, and the account data was corrected before any funds were diverted by the threat actors.
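As an added illustration of the scoring described above (example code, not from the article or from Adaptive Shield's product), the following Python correlates constructed events from several SaaS apps into per-user IOCs and raises an alert once their weighted sum crosses a threshold; the event fields, IOC weights and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three SaaS apps (not real data). An admin exports
# bulk data at 02:00 from an unrecognized device, and one user logs into two
# different apps from New York and Paris eight minutes apart.
EVENTS = [
    {"app": "crm", "user": "admin@corp", "ts": "2024-06-03T02:10:00", "type": "login",
     "device_known": False, "city": "New York"},
    {"app": "crm", "user": "admin@corp", "ts": "2024-06-03T02:14:00", "type": "export",
     "device_known": False, "city": "New York", "rows": 250000},
    {"app": "hr", "user": "alice@corp", "ts": "2024-06-03T09:00:00", "type": "login",
     "device_known": True, "city": "New York"},
    {"app": "chat", "user": "alice@corp", "ts": "2024-06-03T09:08:00", "type": "login",
     "device_known": True, "city": "Paris"},
]
# Assumed weights and threshold for illustration; a real engine tunes these per tenant.
IOC_WEIGHTS = {"bulk_export": 2, "off_hours": 1, "unknown_device": 1, "impossible_travel": 3}
ALERT_THRESHOLD = 3

def score_user_iocs(events):
    """Return {user: {ioc_name: count}}, correlating events across all apps."""
    iocs = defaultdict(lambda: defaultdict(int))
    logins = defaultdict(list)  # user -> [(time, app, city)] gathered from every app
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "export" and e.get("rows", 0) >= 100000:
            iocs[e["user"]]["bulk_export"] += 1
        if ts.hour < 6 or ts.hour >= 22:
            iocs[e["user"]]["off_hours"] += 1
        if not e["device_known"]:
            iocs[e["user"]]["unknown_device"] += 1
        if e["type"] == "login":
            logins[e["user"]].append((ts, e["app"], e["city"]))
    # Cross-app check: two logins from different cities within an hour look normal
    # inside either app's own log, but are impossible for one person.
    for user, entries in logins.items():
        entries.sort()
        for (t1, _, c1), (t2, _, c2) in zip(entries, entries[1:]):
            if c1 != c2 and t2 - t1 < timedelta(hours=1):
                iocs[user]["impossible_travel"] += 1
    return {u: dict(v) for u, v in iocs.items()}

def alerts(events, threshold=ALERT_THRESHOLD):
    """Users whose weighted IOC score reaches the threshold, mapped to that score."""
    out = {}
    for user, found in score_user_iocs(events).items():
        score = sum(IOC_WEIGHTS[n] * c for n, c in found.items())
        if score >= threshold:
            out[user] = score
    return out
```

A bulk export on its own scores below the threshold and stays an IOC rather than an alert; the same export at night from an unknown device, or the cross-app impossible-travel pair, crosses it.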
Mitigating Identity-Based Threats
Organizations should take several steps to reduce the risk posed by identity-based threats and strengthen their identity fabric.
Multi-factor authentication (MFA) and single sign-on (SSO) are essential here. Trimming permissions, following the principle of least privilege (PoLP), and implementing role-based access control (RBAC) also narrow user access and reduce the attack surface.
Unfortunately, many identity management tools remain underused. MFA is left disabled, and most SaaS apps require admins to keep a local login in case SSO fails.
Below are proactive identity management steps that reduce the likelihood of an identity-based breach:
Categorize Your Accounts
High-risk accounts generally fall into a few categories. To build sound identity governance and management, security teams should start by classifying user types such as former employees' accounts, high-privilege accounts, inactive accounts, non-human accounts, and external accounts.
1. Remove Former Employees' Accounts and Inactive User Accounts
Active accounts belonging to former employees pose a substantial risk to organizations. Many SaaS administrators assume that offboarding an employee from the Identity Provider (IdP) automatically revokes their access to company SaaS apps.
That holds for SaaS apps connected to the IdP, but many standalone SaaS apps are not integrated. In those cases, administrators and security teams must work together to revoke access for former users who hold local credentials.
Dormant accounts should be identified and deactivated wherever possible. These accounts, often created by administrators for testing or initial app setup, tend to carry elevated privileges and passwords shared among multiple users, making them a major risk to the application and its data.
2. Monitor External Users
External accounts need monitoring. They are usually issued to agencies, partners, or freelancers, and the organization has little real visibility into who is accessing its data. Once a project ends, these accounts often linger and can be used by anyone holding the credentials to compromise the application. In many cases they also carry privileged roles.
3. Reduce User Permissions
As noted above, excessive permissions expand the attack surface. Under the principle of least privilege (PoLP), each user can access only the areas and data within the app needed for their job. Reducing the number of high-privilege accounts significantly lowers a company's exposure to a major breach.
4. Put Checks in Place for Privileged Accounts
Admin accounts are high risk. When compromised, they expose the organization to a large-scale data breach.
Set up security checks that alert on suspicious user behavior, such as unusual late-night logins, connections from abroad, or large data downloads. Actions such as an admin creating a high-privilege account without assigning it to a managed email address can also indicate foul play.
Security checks that monitor these behaviors give your security team a head start in recognizing an attack in its early stages.
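As an added example covering the account categories in the section above and the privileged-account check in step 4 (example code, not from the article or any vendor), the following Python classifies a constructed user export from a standalone, non-SSO SaaS app against a constructed IdP roster; the field names, domain, and 90-day dormancy window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from any real tenant: the IdP's current staff roster
# and a user export from a standalone SaaS app that is not SSO-integrated.
IDP_ACTIVE_USERS = {"alice@corp.example", "bob@corp.example"}
MANAGED_DOMAIN = "corp.example"
NOW = datetime(2024, 6, 3)
DORMANT_AFTER = timedelta(days=90)  # assumed policy value, not from the article
SAAS_USERS = [
    {"email": "alice@corp.example", "role": "admin", "auth": "sso",
     "last_login": "2024-06-01", "created_by": "system"},
    {"email": "carol@corp.example", "role": "admin", "auth": "local",
     "last_login": "2024-01-15", "created_by": "system"},   # no longer in the IdP
    {"email": "setup-test", "role": "admin", "auth": "local",
     "last_login": "2023-11-02", "created_by": "alice@corp.example"},
    {"email": "dev@agency.example", "role": "editor", "auth": "local",
     "last_login": "2024-05-30", "created_by": "alice@corp.example"},
    {"email": "ops-bot", "role": "admin", "auth": "api_key",
     "last_login": "2024-06-02", "created_by": "alice@corp.example"},
]

def categorize(user, idp_users=IDP_ACTIVE_USERS, now=NOW):
    """Return the set of risk categories an account falls into (often more than one)."""
    cats = set()
    email = user["email"]
    domain = email.split("@", 1)[1] if "@" in email else None
    if domain is None or user["auth"] == "api_key":
        cats.add("non_human")               # service account, bot, or setup login
    elif domain != MANAGED_DOMAIN:
        cats.add("external")                # agency, partner, or freelancer
    elif email not in idp_users:
        cats.add("former_employee")         # still active here, gone from the IdP
    if user["role"] == "admin":
        cats.add("high_privilege")
    if now - datetime.fromisoformat(user["last_login"]) > DORMANT_AFTER:
        cats.add("inactive")
    return cats

def privileged_account_findings(users, idp_users=IDP_ACTIVE_USERS, now=NOW):
    """Admin accounts that also fall into another risk category, plus admins that an
    administrator created without tying them to a managed mailbox (step 4)."""
    findings = {}
    for u in users:
        cats = categorize(u, idp_users, now)
        if "high_privilege" not in cats:
            continue
        reasons = sorted(cats - {"high_privilege"})
        if u["created_by"] != "system" and not u["email"].endswith("@" + MANAGED_DOMAIN):
            reasons.append("unmanaged_admin")
        if reasons:
            findings[u["email"]] = reasons
    return findings
```

Against the same IdP roster, an SSO-connected app would not surface carol at all, which is exactly why the standalone app's own export has to be checked.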
Prioritizing Identity Threat Detection
With more sensitive corporate data sitting behind an identity-based perimeter, organizations are increasingly urged to prioritize their identity infrastructure. Each security layer wrapped around identity makes it harder for threat actors to break in.
For those who get past the initial defenses, a sturdy ITDR capability as a core element of the identity fabric is indispensable for strengthening security and protecting sensitive data from exposure. It flags active threats, alerts security teams, or triggers automated countermeasures to stop threat actors before they do harm.
