Adam Bateman of Push Security examined the growing issue many organizations still underestimate – employee-enrolled SaaS apps.
If there’s a recurring theme of the last three decades, it’s the way that cybercriminals always seem to spot risky trends in new technology adoption before defenders are even aware the problem exists.
In the 1980s, malware writers used the floppy drive ‘sneakernet’ to spread nuisance boot sector viruses. A decade later, email systems proved an easy way to spread worms at incredible speed. By the 2000s, the popularity of USB sticks and the tendency of employees to lose them turned parking lots into sites for a wave of corporate data breaches.
Then came the mother trend of them all – shadow IT – as employees started using the latest devices, apps and web services the security team knew nothing about. But just because every CISO today has heard of shadow IT doesn’t mean the problem has gone away.
In his presentation at ISC2 SECURE London, Securing Employee-Adopted SaaS Apps, Adam Bateman, co-founder and CEO of Push Security, offered stark insight into how this new stage in the shadow IT phenomenon has the potential to dwarf the risks of employees using unsanctioned devices.
Adopt Your Own Software
Employee SaaS is exactly what it sounds like – employees signing up for SaaS applications and accounts without following regular processes, effectively behind the backs of the security team or IT. Organizations know that SaaS accounts are a risk but focus overwhelmingly on controlling the ones they can see, such as Google Workspace, Office 365 or Azure. Employee SaaS is the shadow side of this issue: the SaaS you can’t see.
“There are literally thousands of SaaS apps at the moment,” said Bateman. “They [employees] will sign up for one, start adding company data to it, and then they start inviting colleagues.”
They then try another four and invite five colleagues to each, creating 25 new identities (five apps, five colleagues in each) that now exist indefinitely, hugely expanding the attack surface criminals can aim at as part of what Bateman called “SaaS-native attacks.”
The existence of these identities shifts the security perimeter away from the network. Cybercriminals know this is a weak point: by compromising a SaaS account directly, they bypass whole layers of network security at a stroke. This is what is meant by the phrase “identities are the new perimeter,” said Bateman.
SaaS applications fall into different categories, starting with standalone financial apps, social media aggregators, password vaults, EDRs and management apps. A second type is integrated platforms for marketing and HR, CRM and software development, which can contain critical information such as API keys and access tokens.
In theory, application policies and mandates on approved software should outlaw the use of these unvetted SaaS applications. In reality, employees are more likely to engage with the approval process only once they’ve already tried out a selection of apps and services, by which time the identities and their risk have existed for some time. What caused the spike in SaaS use was a combination of the rise of remote work and the sales phenomenon called product-led growth (PLG), a model in which the product itself is the sales channel: anyone can sign up with an email address and start using it, often for free, with no procurement step in the way. It is an idea that has spread like wildfire in the software industry.
How Are Apps Compromised?
The main danger lies with password re-use, which is almost inevitable when employees are using or trying out multiple SaaS apps. Credential stuffing exploits exactly this: credentials leaked from one breached service are replayed against every other service where the same password might work, so a throwaway sign-up made with a recycled corporate password exposes the real corporate identity. Identity provider Auth0 reported in 2022 that 34% of traffic and authentication events on its platform were attempted credential stuffing attacks. Once they have gained access, attackers use compromised accounts to social engineer other employees, for example by sending malicious links or redirecting them to SSO phishing pages.
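Credential stuffing has a recognisable shape in authentication logs, and it is worth knowing how to spot it against the SSO or IdP you can see. The detector below is an added example, not code from the talk or from Push Security. It assumes a simple log format constructed for the example (one JSON object per line with ts, user, src_ip and outcome); real IdPs such as Auth0 use their own schemas, but the logic is the same once the fields are mapped. The sample log lines and the RFC 5737 addresses in it are constructed, not real traffic.

```python
"""Credential-stuffing detector over constructed IdP authentication log lines.

Added example, not Push Security's tooling.  A stuffing run looks different
from a brute-force attack: one source tries MANY distinct usernames, each only
once or twice, because it is replaying a leaked username/password list rather
than guessing passwords for a single account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not a real IdP schema):
#  - 203.0.113.7 replays a leaked list across 12 accounts, one attempt each,
#    and gets one success;
#  - 198.51.100.5 is a genuine user fumbling her own password three times.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2023-09-01T10:00:{i:02d}Z", "user": f"user{i:02d}@example.com",
                 "src_ip": "203.0.113.7", "outcome": "failure"}) for i in range(12)]
    + [json.dumps({"ts": "2023-09-01T10:00:12Z", "user": "user05@example.com",
                   "src_ip": "203.0.113.7", "outcome": "success"})]
    + [json.dumps({"ts": f"2023-09-01T10:01:{i:02d}Z", "user": "alice@example.com",
                   "src_ip": "198.51.100.5", "outcome": "failure"}) for i in range(3)]
    + [json.dumps({"ts": "2023-09-01T10:01:03Z", "user": "alice@example.com",
                   "src_ip": "198.51.100.5", "outcome": "success"})]
)


def parse_events(text):
    """Parse one JSON event per line; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, max_per_user=2):
    """Return {src_ip: finding} for sources that, within `window`, fail against
    at least `min_users` distinct accounts with no more than `max_per_user`
    failures each (many users, few tries per user = list replay).  Successes
    from the same source inside that window are reported as accounts that are
    probably already compromised and need a password reset and session revoke.
    A user who fails repeatedly on one account (brute force or fat fingers)
    does not trip this rule."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["src_ip"]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):          # sliding window over this source
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failures = defaultdict(int)
            for e in in_window:
                if e["outcome"] == "failure":
                    failures[e["user"]] += 1
            if len(failures) >= min_users and max(failures.values()) <= max_per_user:
                findings[ip] = {
                    "distinct_users": len(failures),
                    "compromised": sorted({e["user"] for e in in_window
                                           if e["outcome"] == "success"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {finding['distinct_users']} accounts tried, "
              f"successes: {finding['compromised']}")
```

The thresholds are deliberately conservative; tune them against your own baseline, and feed the "compromised" list straight into a reset-and-revoke workflow, since a successful stuffing login means the attacker already holds a valid session.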
In a growing number of incidents, these credentials are relayed in real time through adversary-in-the-middle proxies. Because the victim completes MFA against the genuine SSO, the proxy captures not only the password but the authenticated session cookie or long-lived access token, which gives the attacker a way past MFA and persistence without ever needing the password again. At this stage, attackers can start misusing automation platforms that Bateman characterized as being like PowerShell for the cloud. These are installed into compromised accounts to set up automations that do things such as exfiltrating information.
“If you see these apps in the organization, you really want to defend them because they are super powerful.”
Invisible Identities
Bateman’s first recommendation is to gain visibility of the SaaS identities being used inside an organization, as long as this is done as quickly as possible after they have been created. Waiting months risks the employee being less amenable to having controls imposed upon them, said Bateman.
How can visibility be achieved? Logs and proxies can do the job in principle, but it can be difficult to make sense of the URLs flying around in traffic. A simpler approach is email scanning. Because almost every SaaS sign-up generates a confirmation email to the address used, usually followed by onboarding and marketing mail from the same vendor, that mail is a good indicator that a SaaS app is in use.
Bateman argued against adopting the traditional centralized approach to application and identity management, where onboarding and offboarding are managed in one place by a single team. This will almost certainly prove impractical.
“Decentralized IT is where we are now. If you’re decentralizing IT, decentralize the security too,” said Bateman.
He also recommended moving to user-centric security. This makes it easier to distinguish between a malicious user and the genuine user, because the security team can quiz the user directly about unusual actions. In addition, for extra visibility, security teams can deploy a new generation of browser extensions that are able to detect login screens as a way of logging possible SaaS sign-ups.
However, a browser extension will only give you coverage from the day you install it on endpoints. Older accounts – possibly stretching back years – will still be out there, including ones that have been abandoned but still pose a risk. The only way to look backwards at shadow SaaS is to use email scanning to hunt down the original sign-ups.
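The mailbox-scanning approach described in the two preceding passages (confirmation mail as the sign-up signal, and using it to look backwards at accounts created before any endpoint control existed) can be built with nothing more than the standard library. The script below is an added example, not Push Security's product or anything shown in the talk. It assumes you can export raw RFC 5322 messages for the corporate domain (from an archive or journaling mailbox); the vendor domains, the corporate domain example.com, the sanctioned-vendor allowlist and the five messages are all constructed for the example. Beyond the text, it also tracks colleague invitations, since the talk describes invites as the way a single sign-up spreads.

```python
"""Inventory employee SaaS sign-ups from raw mailbox messages.

Added example, not Push Security's tooling.  Heuristic: a sign-up almost always
produces an account-confirmation mail from the vendor's domain; an invitation
mail shows the app spreading to colleagues; later marketing mail from the same
vendor is weak evidence and only extends the "last seen" date.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

CORP_DOMAIN = "example.com"                   # assumption: the employer's domain
SANCTIONED = {"google.com", "microsoft.com"}  # assumption: IT-approved vendors

# Phrases that signal an account was just created or a colleague was invited.
# Tune against real samples: "welcome to" in particular needs care.
SIGNUP_PATTERNS = re.compile(
    r"(confirm your (email|account)|verify your (email|account)|"
    r"activate your account|welcome to \w+|complete your (registration|sign[- ]?up))",
    re.IGNORECASE)
INVITE_PATTERNS = re.compile(r"invited you to (join|collaborate)", re.IGNORECASE)

# Constructed sample messages (not real mail); vendor domains use the reserved
# .example TLD.  Missing Content-Type means text/plain to the email module.
SAMPLE_MESSAGES = [
    "From: Kanban <no-reply@mail.kanban.example>\nTo: alice@example.com\n"
    "Subject: Confirm your email address\nDate: Mon, 03 Apr 2023 09:15:00 +0000\n\n"
    "Click below to confirm your email and create your first board.\n",
    "From: Kanban <news@mail.kanban.example>\nTo: alice@example.com\n"
    "Subject: 5 tips to get more from your boards\nDate: Mon, 10 Apr 2023 08:00:00 +0000\n"
    "List-Unsubscribe: <https://mail.kanban.example/u>\n\nTip 1: use labels.\n",
    "From: Google <no-reply@accounts.google.com>\nTo: carol@example.com\n"
    "Subject: Verify your account\nDate: Mon, 01 May 2023 12:00:00 +0000\n\nVerify.\n",
    "From: CRMly <hello@crm.example>\nTo: bob@example.com\n"
    "Subject: Welcome to CRMly - verify your account\nDate: Tue, 20 Jun 2023 14:30:00 +0000\n\n"
    "Verify your account to start importing contacts.\n",
    "From: CRMly <invites@crm.example>\nTo: alice@example.com\n"
    "Subject: Bob invited you to join CRMly\nDate: Wed, 21 Jun 2023 09:05:00 +0000\n\n"
    "Accept the invitation to join Bob's workspace.\n",
]


def registrable_domain(header_value):
    """Crude: last two DNS labels of the sender's host.  A real deployment should
    use the Public Suffix List so that vendor.co.uk is not reduced to co.uk."""
    host = parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def classify(msg):
    """Return 'invite', 'signup', 'marketing' or None for one parsed message."""
    text = msg["Subject"] or ""
    if msg.get_content_type() == "text/plain":
        text += "\n" + msg.get_payload()
    if INVITE_PATTERNS.search(text):
        return "invite"
    if SIGNUP_PATTERNS.search(text):
        return "signup"
    if msg["List-Unsubscribe"]:
        return "marketing"
    return None


def scan(raw_messages, corp_domain=CORP_DOMAIN, sanctioned=SANCTIONED):
    """Return {vendor_domain: {"first_seen", "last_seen", "users": {addr: evidence}}}."""
    parsed = sorted((message_from_string(r) for r in raw_messages),
                    key=lambda m: parsedate_to_datetime(m["Date"]))
    inventory = {}
    for msg in parsed:
        vendor = registrable_domain(msg["From"])
        recipient = parseaddr(msg["To"])[1].lower()
        if vendor in sanctioned or vendor == corp_domain:
            continue
        if not recipient.endswith("@" + corp_domain):
            continue
        kind = classify(msg)
        when = parsedate_to_datetime(msg["Date"])
        if kind in ("signup", "invite"):
            entry = inventory.setdefault(vendor, {"first_seen": when, "last_seen": when, "users": {}})
            entry["users"].setdefault(recipient, kind)   # first evidence wins
            entry["last_seen"] = max(entry["last_seen"], when)
        elif kind == "marketing" and vendor in inventory:
            inventory[vendor]["last_seen"] = max(inventory[vendor]["last_seen"], when)
    return inventory


def backlog(inventory):
    """Vendor domains oldest-first: the accounts an extension installed today never sees."""
    return sorted(inventory, key=lambda d: inventory[d]["first_seen"])


if __name__ == "__main__":
    inv = scan(SAMPLE_MESSAGES)
    for vendor in backlog(inv):
        print(vendor, inv[vendor]["first_seen"].date(), inv[vendor]["users"])
```

Run it against an export of the mailboxes you hold and the oldest entries in backlog() are the candidates for the conversation with the employee that Bateman recommends: who still uses it, what data went in, and whether it should be brought under SSO or closed.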
Ultimately, rather than resisting the rise of self-service SaaS, it is better to develop a culture that allows it while encouraging employees not to hide what they are signing up to from IT, argued Bateman.
“You’re paving a safe road for people to walk on rather than locking everything down.”
- ISC2 Security Congress takes place October 25-27 2023 in Nashville, TN and virtually. More information and registration can be found here.
- ISC2 SECURE Washington, DC takes place in-person on December 1, 2023 at the Ronald Reagan Building and International Trade Center. The agenda and registration details are here.
- ISC2 SECURE Asia Pacific takes place in-person on December 6-7, 2023 at the Marina Bay Sands Convention Centre in Singapore. Find out more and register here.