Business-led SaaS pushes each organization closer to threats that move faster than light, use currencies you can’t trace, and strike with push-button tools or services stitched together in a weekend—threats we’ve never had to face or mitigate until now.
Josh Mayfield
VP Product Marketing
This webinar will cover:
According to NIST guidelines for cloud and SaaS security, SaaS providers handle all [security] aspects except for identity management, device controls, and data access. And when cybercriminals successfully break into our SaaS, they gain access to all resources that it authorizes. These can include email, documents, credentials, administrative rights, and access to other applications, and any privileges exploitable there, too.
Once inside, the attacker can move laterally throughout your SaaS environment, creating ethereal persistence across SaaS and sticking around long enough to launch full-scale attacks, especially in the era of business-led IT and modern work.
Here, we will explore different SaaS threats and what you can do about it. Specifically, we will draw out the distinctions between traditional network attacks and SaaS compromise – demonstrating how a SaaS security control plane (SSCP) can help security teams safeguard SaaS.
Top SaaS Security Threats
Man-in-the-middle (MITM) attacks
When an attacker successfully takes over a SaaS session (usually through a user handing over credentials/token compromise), the threat actor gains access to all resources the SaaS app authorizes. After compromising an account and user through fraud (like business email compromise or phishing or social engineering), the attacker can use the accessed gained by one app to extend into other applications. For example, a Microsoft 365 account could be compromised through phishing, then use Microsoft as the identity provider (IdP) to move into other SSO apps, like CRM, document storage, or other SaaS while appearing legitimate authentication from an authorized user.
Once compromised, many attackers will use watering holes, fraud, or the customary phishing email to disrupt secure use of SaaS in the organization. This ability to go from one to many is what makes MITM attacks so impactful from a relatively inexpensive campaign.
File share account compromise
Criminal access to a company file storage is yet another menace for SaaS security. Often, the compromised account will log-in from the same country (e.g., United States) but traffic logs indicate the attack is coming from an unusual IP space or ASN. This allows the attack to initiate largely unnoticed.
Once a file share is compromised, the threat actor can spin up new accounts with elevated permissions, including adding the new accounts to privileged groups—like finance, HR, or sales information. This allows previously inaccessible documents to become accessible for new (malicious) users in privileged groups whose rules grant access to other files not compromised with the initial breach, and now fully accessible to the malicious account.
When these attacks have been observed in the wild, they generally will remain unnoticed, especially when the SaaS app is completely outside the view of security teams—as is the case for business-led SaaS.
Business email compromise, phishing
While phishing and business email compromise remain the top tactic for threat actors, and it has become commonplace to refer to these attacks as preventable, in the case of business-led SaaS and apps outside the direct control of security teams. Often, apps that live outside of security control and technologies like CASB.
Many times, business-led SaaS (formerly known as Shadow SaaS) has few instances, special users, and is typically newer SaaS technology. This prevents the typical rules, policies and enforcement from being effective against credential theft through phishing—there is no rule, tripwire, or trigger to flag anyone, the SaaS is wholly operated by the business team.
Business-led SaaS is particularly vulnerable to business email compromise because: a) it is the primary means of connection and communication for the user and the app, b) duplicate passwords (109 per user on average) means only one app or user needs to be compromised then access can proliferate, and c) security teams, policies, controls, and enforcements do not regularly apply to business-led SaaS
Conclusion
According to Gartner, SaaS spend is greater than IaaS and PaaS, combined—and 36% happens outside of IT. Business-led SaaS is the hidden side of the SaaS estate, our longest unguarded border. The challenge for today’s enterprise is to unify SaaS security—core-IT and business-led IT—and command the SaaS security lifecycle. That is why customers choose Grip—easy to deploy, rapid time to value, unified SaaS security, secure SaaS lifecycle, zero disruptions.
Grip’s SaaS Security Control Plane (SSCP) unifies SaaS security (core-IT and business-led SaaS) and orchestrates the SaaS security lifecycle from discovery to justification to protection to decommissioning—cradle to grave. And that is why customers choose Grip to mitigate threats against the entire SaaS attack surface, without exception.
Gain a complete view of your SaaS usage—including shadow SaaS and rogue cloud accounts—from an identity-centric viewpoint. See how Grip can improve the security of your enterprise.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Gain more technical details on how you can get a Grip on your SaaS Security.
Fill out the form and we’ll send you our Datasheet.
Your request has been sent
Oops! Something went wrong while submitting the form.
Visibility and control across nearly all your SaaS apps. Too good to be true?
Give us a test drive. Fill out the form and we’ll get in touch with you.
We're getting a grip on your request
Oops! Something went wrong while submitting the form.
Text for webinars more technical details on how you can get a Grip on your SaaS Security.