Security teams are increasingly worried about identity-based threats in SaaS applications, yet most have limited capacity to detect and respond to them.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of cyberattacks start with phishing, which is itself an identity-based attack. Add attacks that rely on stolen credentials, over-permissioned accounts, and insider risk, and it is clear that identity is a primary attack path.
Beyond human accounts, threat actors now also abuse non-human identities, such as service accounts and OAuth app authorizations, to get into SaaS environments.
When attackers get past the initial defenses, Identity Threat Detection and Response (ITDR), as part of an identity security program, can stop an intrusion before it becomes a major breach. The recent Snowflake incident illustrates the point: attackers logged into an account that relied on single-factor authentication, no effective threat detection caught the intrusion in time, and roughly 560 million customer records were reportedly compromised.
Operational Overview of ITDR
ITDR combines several signal sources to detect SaaS threats by monitoring events across the SaaS estate. It examines login data, device details, and user behavior for anomalies that suggest a threat. Each anomaly is treated as an indicator of compromise (IOC); an alert fires when the combined IOCs exceed a predefined threshold.
For example, an unusually large data download by an admin is one IOC. On its own it may stay below the threshold, but if the same download happens late at night or from a device the admin has never used before, the combination of IOCs points to a threat.
Likewise, a successful login from an unfamiliar ASN right after a burst of failed login attempts is flagged as a threat and triggers incident response. Because ITDR pulls data from many applications, it can also detect threats that no single application reveals. If a user logs into one app from New York and another app from Paris at the same time, each app's logs look routine in isolation; only correlating across the SaaS stack exposes the impossible travel. That cross-application view is what makes SaaS ITDR effective.
Recently, Adaptive Shield stopped a breach of an HR payroll system in which attackers changed employees' bank account numbers. The ITDR engines flagged the unusual changes quickly, and the funds were never transferred to the attackers.
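The following is an added example of the correlation logic described above, written for this article rather than taken from Adaptive Shield or any other product. It runs a small rule set over constructed audit events from three SaaS apps, weights each IOC, and alerts only when a user's combined score crosses a threshold. An admin bulk download on its own stays quiet; the same download at 02:00 from an unrecognised device does not. It also shows the cross-application point: the New York/Paris login pair is only visible when both apps' logs are correlated. The event schema, the learned baselines (known ASNs and devices), the weights and the 900 km/h travel bound are all assumptions chosen for illustration.

```python
"""Toy ITDR correlation engine, added here as an example (not any vendor's code).

Scores indicators of compromise (IOCs) per user across SaaS audit events from
several apps and raises an alert when the combined weight reaches a threshold.
Event schema, baselines and weights are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    ts: datetime
    user: str
    app: str
    action: str        # "login_failed" | "login_success" | "download"
    asn: int           # autonomous system of the source IP
    device: str        # device fingerprint as reported by the app
    lat: float
    lon: float


# Baselines an ITDR would learn from history; constructed for this example.
KNOWN_ASNS = {"alice": {15169}, "bob": {15169}, "carol": {15169, 3215}}
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}, "carol": {"carol-laptop"}}
ADMINS = {"alice"}
ALERT_THRESHOLD = 5
BULK_DOWNLOADS = 20        # files in one batch that count as "excessive"


def km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_user(user, events, apps=None):
    """Return {reason: weight} IOCs for one user.

    `apps` restricts the view to a subset of applications, which shows what a
    single-app detector misses; None correlates across every app.
    """
    ev = sorted((e for e in events if e.user == user and (apps is None or e.app in apps)),
                key=lambda e: e.ts)
    iocs = {}                       # keyed by reason so a repeated signal counts once
    fails, last_login = 0, None
    for e in ev:
        if e.action == "login_failed":
            fails += 1
            continue
        if e.action == "login_success":
            if e.asn not in KNOWN_ASNS.get(user, set()):
                # an unseen network alone is weak evidence; after a failure burst it is not
                if fails >= 3:
                    iocs[f"login from unseen ASN {e.asn} after {fails} failed attempts"] = 5
                else:
                    iocs[f"login from unseen ASN {e.asn}"] = 2
            if last_login is not None:
                dist = km((last_login.lat, last_login.lon), (e.lat, e.lon))
                hours = (e.ts - last_login.ts).total_seconds() / 3600
                # two sessions further apart than ~900 km/h allows is not human travel
                if dist > 500 and dist > 900 * max(hours, 1 / 60):
                    iocs[f"impossible travel {last_login.app} -> {e.app}: "
                         f"{dist:.0f} km in {hours:.1f} h"] = 5
            fails, last_login = 0, e
        if e.device not in KNOWN_DEVICES.get(user, set()):
            iocs[f"unrecognised device {e.device}"] = 1
        if e.ts.hour < 6 or e.ts.hour >= 22:
            iocs["activity outside business hours"] = 1
    downloads = sum(1 for e in ev if e.action == "download")
    if user in ADMINS and downloads >= BULK_DOWNLOADS:
        iocs[f"admin bulk download of {downloads} files"] = 3
    return iocs


def evaluate(events, apps=None):
    """Score every user in `events`; alert when total weight >= ALERT_THRESHOLD."""
    out = {}
    for user in sorted({e.user for e in events}):
        iocs = score_user(user, events, apps)
        total = sum(iocs.values())
        out[user] = {"score": total, "alert": total >= ALERT_THRESHOLD, "iocs": iocs}
    return out


def sample_events():
    """Constructed audit events from three SaaS apps (not real log data)."""
    T = lambda h, m: datetime(2024, 6, 3, h, m)
    NY, PARIS = (40.71, -74.01), (48.86, 2.35)
    ev = []
    # alice (admin): 25 files pulled at 02:xx from a device never seen before
    ev.append(Event(T(2, 0), "alice", "gdrive", "login_success", 15169, "unknown-desktop", *NY))
    ev += [Event(T(2, 1 + i), "alice", "gdrive", "download", 15169, "unknown-desktop", *NY)
           for i in range(25)]
    # bob: three failed logins, then success from a network he has never used
    ev += [Event(T(10, i), "bob", "salesforce", "login_failed", 9009, "bob-laptop", *NY)
           for i in range(3)]
    ev.append(Event(T(10, 4), "bob", "salesforce", "login_success", 9009, "bob-laptop", *NY))
    # carol: one app from New York, a different app from Paris 30 minutes later
    ev.append(Event(T(10, 0), "carol", "salesforce", "login_success", 15169, "carol-laptop", *NY))
    ev.append(Event(T(10, 30), "carol", "workday", "login_success", 3215, "carol-laptop", *PARIS))
    return ev


if __name__ == "__main__":
    for user, r in evaluate(sample_events()).items():
        print(user, "ALERT" if r["alert"] else "ok", r["score"], list(r["iocs"]))
    print("carol, salesforce logs only:", evaluate(sample_events(), apps={"salesforce"})["carol"])
```

Running the block prints an alert for all three users; restricting the view to `salesforce` alone leaves carol with no IOCs at all, because the Paris login lives in a different app's logs. Real products replace the hard-coded baselines with per-user history and tune the weights, but the shape of the logic, independent weak signals summed against a threshold, is the same.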
Minimizing Identity-Related Risks
Organizations must take several measures to reduce identity threats and strengthen their identity fabric.
Multi-factor authentication (MFA), single sign-on (SSO), trimming permissions in line with the principle of least privilege (PoLP), and role-based access control (RBAC) are central to this effort.
Unfortunately, these controls are often underused. MFA is frequently left disabled, and many SaaS apps keep a local admin login for use when SSO fails; such logins bypass the IdP's MFA and must be protected separately.
Below are proactive measures to reduce identity-related breaches:
Categorize User Accounts
To strengthen identity governance, high-risk accounts are typically sorted into categories such as former employee accounts, high-privilege accounts, dormant accounts, non-human accounts, and external accounts.
1. Deactivate Former Employee and Dormant User Accounts
Former employees' accounts that remain active are a substantial risk. Offboarding a user in the Identity Provider (IdP) revokes access in the apps connected to it, but many apps sit outside the IdP and require manual deprovisioning.
Dormant accounts, often leftover test accounts, also carry heightened risk and should be deactivated promptly before they can be misused.
2. Supervise External User Accounts
Accounts issued to external parties should be monitored closely and removed once the collaboration or project ends, so they cannot be used for unauthorized access afterwards.
3. Enforce User Permission Limits
Reviewing permissions shrinks the attack surface. Apply PoLP so users can reach only the parts of an app their role requires. Fewer high-privilege accounts means fewer accounts whose compromise leads straight to a breach.
4. Institute Oversight Protocols for Privileged Accounts
Admin accounts are prime targets and warrant strict monitoring, with alerts on suspicious actions such as logins at unusual hours, connections from unfamiliar locations, or anomalous data activity.
Defining detection rules for such behaviors enables early threat detection.
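The following is an added example of the account categorization and review steps above, written for this article rather than taken from any vendor's tool. It takes a constructed export of SaaS accounts, tags each one with the categories named above (ex-staff, dormant, external, non-human, high-privilege) plus the local-admin-without-MFA case from the discussion of SSO fallback logins, and maps each category to the action a reviewer would take. The field names, the 90-day dormancy window, the admin role names and the IdP user list are assumptions.

```python
"""SaaS account inventory triage, added as an example (not any vendor's code).

Classifies each account in a constructed user export into the risk categories
discussed above and attaches the remediation a reviewer would apply.  Field
names, the dormancy window and the admin role names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ORG_DOMAINS = {"example.com"}                      # assumed corporate mail domains
ADMIN_ROLES = {"admin", "super_admin", "owner"}    # assumed privileged role names
DORMANT_AFTER = timedelta(days=90)
# Users still provisioned in the IdP; constructed for this example.
IDP_USERS = {"alice@example.com", "bob@example.com"}


@dataclass
class Account:
    app: str
    login: str                 # e-mail for humans, client/bot name otherwise
    kind: str                  # "human" | "service" | "oauth_app"
    roles: set
    last_login: Optional[date] # None = never logged in
    sso_enforced: bool         # True if the account can only sign in via SSO
    mfa: bool                  # True if MFA is enabled on the account itself


def categorize(acct, today, idp_users):
    """Return the set of risk categories that apply to one account."""
    cats = set()
    if acct.kind != "human":
        cats.add("non-human")
    else:
        domain = acct.login.rsplit("@", 1)[-1]
        if domain not in ORG_DOMAINS:
            cats.add("external")
        elif acct.login not in idp_users:
            cats.add("ex-staff")          # still in the app, already gone from the IdP
    if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
        cats.add("dormant")
    if acct.roles & ADMIN_ROLES:
        cats.add("high-privilege")
        # local admin login kept for SSO failure that the IdP's MFA never covers
        if acct.kind == "human" and not acct.sso_enforced and not acct.mfa:
            cats.add("local-admin-no-mfa")
    return cats


ACTIONS = {
    "ex-staff": "deprovision in the app; IdP offboarding did not reach it",
    "dormant": "disable now, delete after the owner confirms",
    "external": "confirm the engagement is still active or remove the account",
    "non-human": "record an owner and scopes; rotate or revoke if unowned",
    "high-privilege": "review against least privilege; monitor as a privileged account",
    "local-admin-no-mfa": "enforce MFA or SSO on the break-glass login",
}


def triage(accounts, today, idp_users):
    """Return [(account, categories, actions)] for every account needing review."""
    out = []
    for a in accounts:
        cats = categorize(a, today, idp_users)
        if cats:
            out.append((a, cats, [ACTIONS[c] for c in sorted(cats)]))
    return out


def sample_inventory():
    """Constructed SaaS user export (not real data)."""
    d = date(2024, 6, 3)
    return [
        Account("salesforce", "alice@example.com", "human", {"admin"}, d - timedelta(days=2), False, False),
        Account("salesforce", "bob@example.com", "human", {"user"}, d - timedelta(days=1), True, True),
        Account("salesforce", "dave@example.com", "human", {"user"}, d - timedelta(days=40), True, True),
        Account("workday", "qa-test@example.com", "service", {"user"}, None, False, False),
        Account("github", "deploy-bot", "service", {"admin"}, d - timedelta(days=1), False, False),
        Account("slack", "pat@contractor.io", "human", {"user"}, d - timedelta(days=120), False, True),
    ]


if __name__ == "__main__":
    for acct, cats, actions in triage(sample_inventory(), date(2024, 6, 3), IDP_USERS):
        print(f"{acct.app}/{acct.login}: {sorted(cats)}")
        for act in actions:
            print("   -", act)
```

Only `bob@example.com` comes back clean; every other account lands in at least one category. Feeding the same function the user exports of each SaaS app, with the IdP's current user list as `idp_users`, is the practical way to find the accounts that IdP offboarding never reached.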
Emphasizing Identity Threat Detection
Because sensitive corporate data now sits behind an identity-centric perimeter, the identity fabric deserves priority. Strengthening the security layers around identity makes threat actors' work materially harder.
For an effective defense, a robust ITDR capability should be an integral part of the identity fabric: detecting threats promptly, alerting security teams, or automatically containing the potential damage.