
Top 3 SaaS Security Threats

Jul 26, 2022


Business-led SaaS pushes each organization closer to threats that move faster than light, use currencies you can’t trace, and strike with push-button tools or services stitched together in a weekend—threats we’ve never had to face or mitigate until now.

Josh Mayfield
VP Product Marketing

According to NIST guidelines for cloud and SaaS security, SaaS providers handle all [security] aspects except for identity management, device controls, and data access. And when cybercriminals successfully break into our SaaS, they gain access to all resources that it authorizes. These can include email, documents, credentials, administrative rights, and access to other applications, along with any privileges exploitable there.

Once inside, the attacker can move laterally throughout your SaaS environment, creating ethereal persistence across SaaS and sticking around long enough to launch full-scale attacks, especially in the era of business-led IT and modern work.

Here, we will explore different SaaS threats and what you can do about them. Specifically, we will draw out the distinctions between traditional network attacks and SaaS compromise, demonstrating how a SaaS security control plane (SSCP) can help security teams safeguard SaaS.

Top SaaS Security Threats

Man-in-the-middle (MITM) attacks

When an attacker successfully takes over a SaaS session (usually through a user handing over credentials or through token compromise), the threat actor gains access to all resources the SaaS app authorizes. After compromising an account and user through fraud (like business email compromise, phishing, or social engineering), the attacker can use the access gained through one app to extend into other applications. For example, a Microsoft 365 account could be compromised through phishing; the attacker can then use Microsoft as the identity provider (IdP) to move into other SSO apps, like CRM, document storage, or other SaaS, while appearing to be a legitimate authentication from an authorized user.

Once compromised, many attackers will use watering holes, fraud, or the customary phishing email to disrupt secure use of SaaS in the organization. This ability to go from one to many is what makes MITM attacks so impactful from a relatively inexpensive campaign.  

File share account compromise

Criminal access to a company's file storage is yet another menace for SaaS security. Often, the compromised account will log in from the same country (e.g., United States), but traffic logs indicate the attack is coming from an unusual IP space or ASN. This allows the attack to begin largely unnoticed.

Once a file share is compromised, the threat actor can spin up new accounts with elevated permissions and add those accounts to privileged groups, such as those holding finance, HR, or sales information. Documents that were not exposed in the initial breach then become fully accessible to the new (malicious) accounts, because the rules of those privileged groups grant access to them.

When these attacks have been observed in the wild, they have generally remained unnoticed, especially when the SaaS app is completely outside the view of security teams, as is the case for business-led SaaS.
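The two signals described in this section (a login from a familiar country but an unfamiliar ASN, followed by new accounts being added to privileged groups) can be correlated in a few lines of detection logic. The following is an added example, not code from the original article or from Grip; the event schema, group names, account names, and 24-hour window are assumptions, and the audit events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"finance", "hr", "sales"}  # assumed group names
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed audit events in a hypothetical schema, sorted by time.
# ASNs come from the documentation range (RFC 5398).
EVENTS = [
    {"ts": "2022-07-01T09:00:00", "type": "login", "user": "alice", "country": "US", "asn": 64500},
    {"ts": "2022-07-02T10:00:00", "type": "login", "user": "bob", "country": "US", "asn": 64501},
    {"ts": "2022-07-03T02:14:00", "type": "login", "user": "alice", "country": "US", "asn": 64511},
    {"ts": "2022-07-03T02:20:00", "type": "account_create", "user": "alice", "target": "svc-temp"},
    {"ts": "2022-07-03T02:25:00", "type": "group_add", "user": "alice", "target": "svc-temp", "group": "finance"},
    {"ts": "2022-07-03T11:00:00", "type": "group_add", "user": "bob", "target": "carol", "group": "hr"},
]


def detect(events, privileged=PRIVILEGED_GROUPS, window=WINDOW):
    """Flag privileged-group additions that follow a same-country, new-ASN login."""
    seen_country, seen_asn = defaultdict(set), defaultdict(set)
    suspect = {}                 # actor -> (time, ASN) of the unusual login
    created = defaultdict(set)   # actor -> accounts created after that login
    alerts = []
    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "login":
            # A country-only rule passes this login; the unseen ASN is the signal.
            if e["country"] in seen_country[user] and e["asn"] not in seen_asn[user]:
                suspect[user] = (ts, e["asn"])
            seen_country[user].add(e["country"])
            seen_asn[user].add(e["asn"])
            continue
        # Only changes made shortly after an unusual login are of interest.
        if user not in suspect or ts - suspect[user][0] > window:
            continue
        if e["type"] == "account_create":
            created[user].add(e["target"])
        elif e["type"] == "group_add" and e["group"] in privileged:
            alerts.append({"actor": user, "asn": suspect[user][1], "target": e["target"],
                           "group": e["group"], "new_account": e["target"] in created[user]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A first-ever login has no baseline and is not flagged, so the rule only becomes useful once each user has some login history recorded.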


Business email compromise, phishing

While phishing and business email compromise remain the top tactic for threat actors, and it has become commonplace to refer to these attacks as preventable, in the case of business-led SaaS and apps outside the direct control of security teams. Often, apps that live outside of security control and technologies like CASB.

Many times, business-led SaaS (formerly known as Shadow SaaS) has few instances, special users, and is typically newer SaaS technology. This prevents the typical rules, policies, and enforcement from being effective against credential theft through phishing: there is no rule, tripwire, or trigger to flag anyone, and the SaaS is wholly operated by the business team.

Business-led SaaS is particularly vulnerable to business email compromise because:
a) it is the primary means of connection and communication for the user and the app,
b) duplicate passwords (109 per user on average) mean that only one app or user needs to be compromised before access can proliferate, and
c) security teams, policies, controls, and enforcements do not regularly apply to business-led SaaS

Conclusion

According to Gartner, SaaS spend is greater than IaaS and PaaS, combined—and 36% happens outside of IT. Business-led SaaS is the hidden side of the SaaS estate, our longest unguarded border. The challenge for today’s enterprise is to unify SaaS security—core-IT and business-led IT—and command the SaaS security lifecycle. That is why customers choose Grip—easy to deploy, rapid time to value, unified SaaS security, secure SaaS lifecycle, zero disruptions.

Grip’s SaaS Security Control Plane (SSCP) unifies SaaS security (core-IT and business-led SaaS) and orchestrates the SaaS security lifecycle from discovery to justification to protection to decommissioning—cradle to grave. And that is why customers choose Grip to mitigate threats against the entire SaaS attack surface, without exception.

Get started with Grip’s FREE SaaS security risk assessment today!
