Identity-based threats on SaaS applications are a growing concern among security professionals, although few have the capabilities to detect and respond to them.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing, an identity-based threat. Throw in attacks that use stolen credentials, over-provisioned accounts, and insider threats, and it becomes quite clear that identity is a primary attack vector.
To make matters worse, it’s not just human accounts that are being targeted. Threat actors are also hijacking non-human identities, including service accounts and OAuth authorizations, and riding them deep into SaaS applications.
When threat actors get through the initial defenses, having a robust Identity Threat Detection and Response (ITDR) system in place as an integral part of Identity Security can prevent massive breaches. Last month’s Snowflake breach is a perfect example. Threat actors took advantage of single-factor authentication to access the account. Once inside, the company lacked any meaningful threat detection capability, which enabled the threat actors to exfiltrate over 560 million customer records.
How ITDR Works
ITDR combines several elements to detect SaaS threats. It monitors events from across the SaaS stack, and uses login information, device data, and user behavior to identify behavioral anomalies that indicate a threat. Each anomaly is considered an indicator of compromise (IOC), and when those IOCs reach a predefined threshold, the ITDR triggers an alert.
For example, if an admin downloads an unusual amount of data, ITDR would consider that to be an IOC. However, if the downloading takes place in the middle of the night or is on an unusual computer, the combination of those IOCs may rise to be considered a threat.
Similarly, if a user logs in from a suspicious ASN following brute-force login attempts, the ITDR classifies the login as a threat, which triggers an incident response. By using a rich data set from multiple applications, the ITDR can detect threats based on data from different applications. If a user is logged into one application from New York and a second application from Paris at the same time, it might appear as normal behavior if the ITDR was limited to reviewing event logs for a single app. The power of SaaS ITDR comes from monitoring data from across the SaaS stack.
In a recent breach detected by Adaptive Shield, threat actors infiltrated an HR payroll system and changed the account numbers for several employees’ bank accounts. Fortunately, the ITDR engines detected the anomalous actions, and the account data was corrected before any funds were transferred to the threat actors.
Reducing Identity-Based Risks
There are a number of steps organizations should take to reduce their risk of identity-based threats and strengthen their identity fabric.
Multi-factor authentication (MFA) and single sign-on (SSO) are critical in these efforts. Permission trimming, adhering to the principle of least privilege (PoLP), and role-based access control (RBAC) also limit user access and reduce the attack surface.
Unfortunately, many identity management tools are underutilized. Organizations turn off MFA, and most SaaS applications require admins to have local login capabilities in case the SSO goes down.
Here are some proactive identity management measures to mitigate the risk of identity-based breaches:
Classify Your Accounts
High-risk accounts generally fall into several categories. To create strong identity governance and management, security teams should start by classifying the different user types. These may be former employees’ accounts, high-privilege accounts, dormant accounts, non-human accounts, or external accounts.
1. Deprovision Former Employees and Deactivate Dormant User Accounts
Active accounts of former employees can lead to significant risk for organizations. Many SaaS administrators assume that once an employee is offboarded from the Identity Provider (IdP), their access is automatically removed from company SaaS applications.
While that may be true for SaaS applications connected to the IdP, many SaaS apps aren’t connected. In those circumstances, administrators and security teams must work together to deprovision former users with local credentials.
Dormant accounts should be identified and deactivated whenever possible. Often, administrators used these accounts to run testing or set up the application. They have high privileges and are shared by multiple users with an easy-to-remember password. These user accounts represent a significant risk to the application and its data.
2. Monitor External Users
External accounts must also be monitored. Often given to agencies, partners, or freelancers, the organization has no real control over who is accessing their data. When projects end, these accounts often remain active and can be used by anyone with credentials to compromise the application. In many cases, these accounts are also privileged.
3. Trim User Permissions
As mentioned earlier, excessive permissions expand the attack surface. By applying the principle of least privilege (POLP), each user has access only to the areas and data within the app that they need to do their job. Reducing the number of high-privilege accounts significantly reduces a company’s exposure to a major breach.
4. Create Checks for Privileged Accounts
Admin accounts are high risk. If compromised, they expose organizations to significant data breaches.
Create security checks that send alerts when users act suspiciously. Some examples of suspicious behavior include unusual late-night logins, connecting to a workstation from abroad, or downloading large volumes of data. Admins who create high-privilege user accounts but don’t assign them to a managed email address may be suspicious.
Defining security checks that monitor for these types of behaviors can give your security team a head start in identifying an early-stage attack.
Making Identity Threat Detection a Priority
As more sensitive corporate information is placed behind an identity-based perimeter, it is increasingly important for organizations to prioritize their identity fabric. Every layer of security placed around identity makes it all the more difficult for threat actors to gain access.
For those who do get through the initial defenses, having a robust ITDR system in place as an integral part of the identity fabric is essential to maintaining security and protecting sensitive data from exposure. It identifies active threats and alerts security teams or takes automated steps to prevent threat actors from causing any damage.