Identity-based threats in SaaS applications are a growing concern among security professionals, yet few organizations have the capability to detect and respond to them.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyber attacks start with phishing, an identity-based threat. Attacks using stolen credentials, over-provisioned accounts, and insider threats make it abundantly clear that identity is the primary attack vector.
Worse, it is not just human accounts that are being targeted. Threat actors also capture non-human identities, including service accounts and OAuth authorizations, and use them to burrow deep into SaaS applications.
When threat actors get past initial defenses, a robust Identity Threat Detection and Response (ITDR) system, operating as an integral part of identity security, can prevent a mass breach. Last month's Snowflake breach is a good example. Threat actors took advantage of single-factor authentication to gain account access. Once inside, the affected customers had no meaningful threat detection capability, allowing the threat actors to steal more than 560 million customer records.
How ITDR works
ITDR combines several elements to detect SaaS threats. It tracks events across the entire SaaS stack and uses login information, device data, and user behavior to detect behavioral anomalies that indicate a threat. Each anomaly is treated as an indicator of compromise (IOC), and when the IOCs accumulated for a user reach a pre-set threshold, ITDR triggers an alert.
For example, if an administrator downloads an unusual amount of data, ITDR counts that as one IOC. If the download also happens in the middle of the night, or from an unfamiliar device, the combination of these IOCs is treated as a threat.
Similarly, if a user logs in from a suspicious ASN shortly after a run of brute-force login attempts, ITDR classifies the login as a threat and triggers an incident response. Because it draws on a rich data set from multiple applications, ITDR can also detect threats that are only visible when events from different applications are combined. If a user is logged into one application from New York and another from Paris at the same time, each session looks normal to a tool that sees only one application's event log. The power of SaaS ITDR comes from monitoring data across the entire SaaS stack.
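The three scenarios above (bulk download off-hours from an unknown device, a login from a suspicious ASN after a brute-force burst, and simultaneous sessions from two cities in two different apps) can all be expressed as per-user IOC counting against a threshold. The following is an added example written for this article, not Adaptive Shield's product code or any real ITDR logic; the event fields, the ASN treated as suspicious, the known-device list and the threshold are all assumptions, and the events are constructed sample logs. Passing `apps={"crm"}` shows how the impossible-travel case disappears when only one application's log is in view.

```python
"""Minimal SaaS ITDR correlation: count IOCs per user across apps, alert on a threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two SaaS apps ("crm", "hr"); field names are assumed.
EVENTS = [
    # alice (an admin): large export at 02:14 from a device she has never used
    {"ts": "2024-06-10T02:14:00", "app": "crm", "user": "alice", "type": "export",
     "rows": 250000, "device": "dev-unknown-77", "city": "New York", "asn": 7922},
    # bob: six failed logins in the HR app, then a success from a hosting-provider ASN
    *[{"ts": f"2024-06-10T09:0{i}:00", "app": "hr", "user": "bob", "type": "login_failed",
       "device": "dev-x", "city": "Paris", "asn": 16276} for i in range(6)],
    {"ts": "2024-06-10T09:07:00", "app": "hr", "user": "bob", "type": "login",
     "device": "dev-x", "city": "Paris", "asn": 16276},
    # carol: logged into the CRM from New York and into HR from Paris five minutes later
    {"ts": "2024-06-10T10:00:00", "app": "crm", "user": "carol", "type": "login",
     "device": "carol-laptop", "city": "New York", "asn": 7922},
    {"ts": "2024-06-10T10:05:00", "app": "hr", "user": "carol", "type": "login",
     "device": "dev-other", "city": "Paris", "asn": 3215},
    # dave: ordinary daytime login from his usual device
    {"ts": "2024-06-10T11:00:00", "app": "crm", "user": "dave", "type": "login",
     "device": "dave-laptop", "city": "New York", "asn": 7922},
]

# Assumed baseline: devices each user normally works from, and an ASN we treat as suspicious.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"},
                 "carol": {"carol-laptop"}, "dave": {"dave-laptop"}}
SUSPICIOUS_ASNS = {16276}
ALERT_THRESHOLD = 2          # assumed: two or more IOCs for one user raise an alert
BULK_ROWS = 100_000          # assumed: exports at or above this size are "unusual"


def iocs_for_user(events, user, apps=None):
    """Return the list of IOC names observed for one user, in event order.

    apps=None correlates across every application; a set of app names restricts
    the view to those apps' logs only (to show what a single-app tool misses).
    """
    evs = sorted((e for e in events
                  if e["user"] == user and (apps is None or e["app"] in apps)),
                 key=lambda e: e["ts"])
    iocs = []
    failures = defaultdict(list)   # app -> timestamps of failed logins
    logins = []                    # (timestamp, city) of successful logins, any app
    for e in evs:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "login_failed":
            failures[e["app"]].append(t)
            continue
        # Everything below applies to successful logins and data access.
        if e["device"] not in KNOWN_DEVICES.get(user, set()):
            iocs.append("unknown_device")
        if t.hour < 6 or t.hour >= 22:
            iocs.append("off_hours")
        if e["type"] == "export" and e["rows"] >= BULK_ROWS:
            iocs.append("bulk_download")
        if e["type"] == "login":
            recent_failures = [f for f in failures[e["app"]] if t - f <= timedelta(minutes=10)]
            if len(recent_failures) >= 5:
                iocs.append("login_after_bruteforce")
            if e["asn"] in SUSPICIOUS_ASNS:
                iocs.append("suspicious_asn")
            # Impossible travel: another login from a different city within an hour,
            # regardless of which application it was in.
            if any(city != e["city"] and t - t0 <= timedelta(minutes=60) for t0, city in logins):
                iocs.append("impossible_travel")
            logins.append((t, e["city"]))
    return iocs


def detect(events, apps=None):
    """Score every user seen in the events and decide who crosses the alert threshold."""
    result = {}
    for user in sorted({e["user"] for e in events}):
        iocs = iocs_for_user(events, user, apps)
        result[user] = {"iocs": iocs, "score": len(iocs), "alert": len(iocs) >= ALERT_THRESHOLD}
    return result


if __name__ == "__main__":
    for user, r in detect(EVENTS).items():
        print(f"{user:6} score={r['score']} alert={r['alert']} iocs={r['iocs']}")
    print("carol, CRM log only:", detect(EVENTS, apps={"crm"})["carol"])
```

Run stand-alone it prints one line per user; alice, bob and carol cross the threshold while dave does not, and the final line shows carol scoring zero when only the CRM log is considered.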
In a recent breach discovered by Adaptive Shield, threat actors infiltrated an HR department's payroll system and changed the bank account numbers of several employees. Fortunately, ITDR's mechanisms detected the anomalous activity and the account data was restored before any funds were transferred to the threat actor.
Mitigating identity-based risks
There are a number of steps organizations should take to reduce the risk of identity-based threats and strengthen their identity framework.
Multi-factor authentication (MFA) and single sign-on (SSO) are critical to this effort. Permission pruning, least privilege (PoLP) and role-based access control (RBAC) also limit user access and reduce the attack surface.
Unfortunately, many identity management tools are underutilized. Organizations leave MFA disabled, and most SaaS applications require at least one administrator account that can log in locally, bypassing SSO, in case the SSO provider fails.
Here are some proactive identity management measures to reduce the risk of identity breaches:
Categorize your accounts
High-risk accounts generally fall into several categories. To create strong identity management, security teams must start by classifying the different types of users. These can be former employee accounts, high-privilege accounts, inactive accounts, non-human accounts, or external accounts.
1. Deactivate former employees' accounts and dormant user accounts
Active accounts of former employees can lead to significant risk for organizations. Many SaaS administrators assume that once an employee is disconnected from an identity provider (IdP), their access to the company’s SaaS programs is automatically removed.
While this may be true for SaaS applications connected to an IdP, many SaaS applications are not. In such circumstances, administrators and security teams must work together to strip former users of local credentials.
Dormant accounts should be identified and deactivated whenever possible. Often these are accounts that administrators used to test or configure the application: they carry high privileges, are shared by several people, and are protected by an easy-to-remember password. Such accounts pose a significant risk to the application and its data.
2. Monitor external users
External accounts must also be monitored. They are often issued to agencies, partners or freelancers, so the organization has no real control over who holds the credentials or who can access its data. When projects are completed, these accounts often remain active and can be used by anyone with the credentials to compromise the application. In many cases, these accounts are also privileged.
3. Limit user rights
As mentioned earlier, excessive permissions increase the attack surface. By applying the Principle of Least Privilege (POLP), each user has access to only those areas and data in the application that they need to do their job. Reducing the number of high-privilege accounts significantly reduces a company’s risk of a serious breach.
4. Create checks for privileged accounts
Administrator accounts are high risk. If breached, they expose organizations to significant data breaches.
Create security checks that send alerts when users act suspiciously. Examples of suspicious behavior include logins at unusual hours, logins from abroad, and downloads of large amounts of data. An administrator who creates a high-privilege user account that is not tied to a managed corporate email address is also suspect.
Defining security checks that track these types of behaviors can give your security team a head start in detecting an attack at an early stage.
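The four steps above start from the same artifact: a user export from each SaaS application, compared against what the identity provider still considers active. The script below is an added example for this article, not Adaptive Shield's tooling; it labels each account with the categories the article lists (former employee, dormant, non-human, external, privileged) and flags the two conditions the steps single out, a former employee who still holds local credentials and a privileged account with no managed corporate email. The field names, the 90-day dormancy threshold, the corporate domain and the risk weights are assumptions, and both the user export and the IdP list are constructed sample data.

```python
"""Classify SaaS accounts into the article's risk categories and rank them for review."""
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"        # assumed corporate email domain
DORMANT_AFTER = timedelta(days=90)    # assumed inactivity threshold
PRIVILEGED_ROLES = {"admin", "owner"}

# Illustrative weights used to order the review queue; not from the article.
WEIGHTS = {
    "former_employee": 3,             # still present in the app, gone from the IdP
    "local_credentials": 1,           # can log in without SSO, so IdP offboarding does not help
    "dormant": 2,
    "non_human": 1,
    "external": 2,
    "privileged": 2,
    "privileged_unmanaged_email": 3,  # admin account not tied to a managed corporate mailbox
}

# Constructed user export from one SaaS app (field names are assumed).
SAAS_USERS = [
    {"username": "alice", "email": "alice@example.com", "role": "admin",
     "auth": "sso", "last_login": date(2024, 6, 9)},
    {"username": "bob", "email": "bob@example.com", "role": "member",
     "auth": "local", "last_login": date(2024, 5, 30)},
    {"username": "setup-admin", "email": None, "role": "admin",
     "auth": "local", "last_login": date(2023, 11, 1)},
    {"username": "agency-dan", "email": "dan@agency.example", "role": "admin",
     "auth": "local", "last_login": date(2024, 1, 15)},
    {"username": "svc-payroll-sync", "email": "svc-payroll@example.com", "role": "integration",
     "auth": "token", "last_login": date(2024, 6, 10), "is_service": True},
    {"username": "erin", "email": "erin@example.com", "role": "member",
     "auth": "sso", "last_login": date(2024, 6, 10)},
]

# Constructed: emails the identity provider currently lists as active.
IDP_ACTIVE = {"alice@example.com", "erin@example.com", "svc-payroll@example.com"}


def email_domain(email):
    """Lower-cased domain part of an email address, or None when there is no usable address."""
    if not email or "@" not in email:
        return None
    return email.split("@", 1)[1].lower()


def classify(user, idp_active, today, company_domain=COMPANY_DOMAIN):
    """Return the set of risk labels that apply to one exported SaaS account."""
    labels = set()
    dom = email_domain(user.get("email"))
    if user.get("is_service") or dom is None:
        labels.add("non_human")
    elif dom != company_domain:
        labels.add("external")
    elif user["email"].lower() not in idp_active:
        labels.add("former_employee")      # corporate address the IdP no longer knows
    if user.get("auth") == "local":
        labels.add("local_credentials")
    last = user.get("last_login")
    if last is None or today - last > DORMANT_AFTER:
        labels.add("dormant")
    if user.get("role") in PRIVILEGED_ROLES:
        labels.add("privileged")
        if dom != company_domain:
            labels.add("privileged_unmanaged_email")
    return labels


def risk_score(labels):
    return sum(WEIGHTS[label] for label in labels)


def review(users, idp_active, today):
    """Rank accounts for review: list of (username, score, sorted labels), highest score first."""
    rows = []
    for u in users:
        labels = classify(u, idp_active, today)
        rows.append((u["username"], risk_score(labels), sorted(labels)))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for name, score, labels in review(SAAS_USERS, IDP_ACTIVE, date(2024, 6, 10)):
        print(f"{score:2} {name:18} {', '.join(labels)}")
```

In the sample data the external agency admin and the shared setup account rank first, bob surfaces as a former employee whose local credentials survived IdP offboarding, and erin, an SSO-only active user, carries no labels at all. In practice the export would come from each application's admin API or CSV export, and the IdP list from the directory, so the comparison has to be repeated per application rather than assumed from the IdP alone.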
Make identity threat detection a priority
As more sensitive corporate information is placed behind the identity-based perimeter, it is increasingly important for organizations to prioritize their identity framework. Each layer of security placed around an individual makes it even more difficult for threat actors to gain access.
For the threats that get past those initial protections, a robust ITDR system operating as an integral part of the identity framework is critical to maintaining security and protecting sensitive data from exposure. It identifies active threats and alerts security teams, or takes automated steps to stop threat actors before they do harm.