Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Yoav Kalati of Wing Security examines the current state of the SaaS landscape, and provides a best practices guide to secure it.
The adoption of SaaS platforms has grown significantly in recent years due to their convenience, flexibility, and the pandemic that pushed organizations to embrace remote working. According to Statista, the SaaS market is estimated to be worth approximately $195 billion in 2023 compared to an estimated $167 billion in 2022. According to Gartner, these numbers are even higher, with $208 billion in end-user spending during 2023, compared to $176 billion in 2022.
However, this rapid expansion of SaaS landscapes has also increased cyber threats targeting these platforms. As more organizations adopt SaaS applications, new attack methods and techniques continuously evolve, posing a significant challenge to businesses seeking to protect their data and assets. Moreover, it is worth noting that the risks associated with using SaaS platforms are not limited to the software itself. Many organizations do not have complete visibility over the data being transmitted to and stored in SaaS applications, creating additional security concerns. Employees can even unknowingly expose sensitive information through risky behaviors such as reusing passwords or sharing files insecurely.
The SaaS Landscape Today
Given the prevalence of SaaS applications in today’s digital workspace, it’s essential for organizations to have a solid understanding of the latest trends in cyber-attacks targeting these platforms. Some of the common tactics, techniques, and procedures (TTPs) used by cyber threat actors to attack SaaS platforms include:
- Stolen credentials: As SaaS platforms like Okta, Microsoft 365, and OneLogin become more widely used, the risk of malicious actors gaining access to these accounts also increases. When it comes to stealing credentials, the focus is often on Identity and Access Management (IAM) platforms, as they offer a central service that can provide access to multiple data sources, including sensitive and confidential information. Various methods can be used to steal credentials; phishing and acquiring leaked or purchased credentials from the darknet are the most commonly observed techniques. Last August, the cybersecurity company Group-IB disclosed the 0ktapus campaign, in which threat actors targeted employees of technology companies that use Okta, compromising nearly 10,000 accounts and over 5,000 multi-factor authentication codes in more than 130 organizations. The threat actor used a phishing scheme by sending SMS messages containing a custom link to a fake Okta login page and stealing the victims’ credentials and MFA codes.
- MFA fatigue: As the use of Multi-Factor Authentication (MFA) as a security measure increases, so do cyber-criminals’ attempts to bypass it in various creative ways. Auth0 by Okta reported that in the first quarter of 2022, they observed almost 113 million attacks against MFA. One of the leading techniques in 2022 was MFA fatigue, where the threat actor overwhelms the victim with multiple push verification requests until they accidentally approve the threat actor’s access. In fact, Microsoft reported in its 2022 Digital Defense Report that MFA fatigue-based attacks increased, with an estimated 30,000 a month. In September 2022, Uber suffered a breach where a hacker known as Lapsus$ bought the corporate credentials of one of Uber’s external employees from the darknet. Lapsus$ then successfully bypassed Uber’s MFA challenge by initiating an MFA fatigue attack on the victim and impersonating Uber’s IT personnel through WhatsApp messages.
- OAuth tokens: As more people become aware of the importance of strong and unique login information, along with MFA, cyber-criminals are finding new ways to get around these security measures. This has led to an increase in the illegal use of tokens, specifically OAuth tokens, to gain access to data. OAuth is a standard protocol used for authorization, and it is commonly used in SaaS platforms where users give permission for applications to access their data in other applications. Using an OAuth token can save hackers the trouble of obtaining login credentials and MFA codes because the token automatically includes the necessary authorization and permissions. There are various methods used to steal and abuse these tokens, including stealing them from third-party sources, using phishing scams to trick users into giving consent, reusing old tokens, and conducting Man-in-the-Middle phishing attacks.
At the end of January 2023, Microsoft disclosed an OAuth consent phishing campaign where threat actors created fraudulent OAuth applications and impersonated legitimate companies when they enrolled in the Microsoft Cloud Partner Program, so the applications would be marked as “verified publisher,” seeming more reliable to victims. Knowing these main TTPs is critical, but not enough to prevent them.
Tips for Securing Your SaaS Posture
To mitigate risks associated with SaaS, organizations should follow these practical tips to secure SaaS applications and safeguard company data:
- Know your SaaS layer: To effectively manage the risks of using SaaS applications and prevent Shadow IT, it’s crucial to regularly discover all the SaaS applications used within your organization. This involves monitoring the permissions granted to each application through tokens and identifying any potential security concerns that may arise.
- Off-board properly: It’s essential to have a process in place to ensure that the off-boarding procedure for former employees is comprehensive and thorough. This should include terminating all of the employees’ access to company assets, including SaaS applications, files, and data, when they leave the company to prevent potential data leakage.
- Control file sharing: While file sharing is a common practice for internal and external collaboration, it’s vital to monitor shared files and ensure that they are closed once a project is complete or the file is no longer required. This helps reduce the risk of data leakage and unauthorized access.
- Prioritize SSO: It’s recommended to use Single Sign-On (SSO) instead of logging in with a username and password. SSO provides greater security by enabling centralized authentication and authorization. Users can access multiple systems and applications without having to remember numerous login details, reducing the risk of password reuse and phishing.
- Enforce a password policy: When SSO is unavailable, it’s important to establish a robust password policy for your organization. This policy should require users to create complex, lengthy, and unique passwords, which helps prevent unauthorized access by making it harder for threat actors to guess passwords.
- Enforce MFA: Ensure that all users properly utilize MFA. To prevent MFA fatigue attacks, it’s advisable to restrict the number of push notifications sent to users. Additionally, it’s recommended to include a number challenge in the push message, where the user must enter a number received in the push message.
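As an added example (not from the original article or from Wing Security), the following Python sketch shows both halves of the MFA-fatigue advice above: a detector that flags any user who receives more than a fixed number of push requests within a sliding window, run over a constructed push log, and a single-use number-matching challenge in which the user must type the number displayed at sign-in, so a reflexive “Approve” tap cannot complete the login. The log format, the threshold of three pushes per five minutes and the class and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import secrets

# Constructed sample MFA push log (timestamp, user, event); not real telemetry.
SAMPLE_PUSH_LOG = [
    ("2023-03-01T09:00:00", "alice", "push_sent"),
    ("2023-03-01T09:00:20", "alice", "push_denied"),
    ("2023-03-01T09:00:30", "alice", "push_sent"),
    ("2023-03-01T09:00:50", "alice", "push_denied"),
    ("2023-03-01T09:01:00", "alice", "push_sent"),
    ("2023-03-01T09:01:20", "alice", "push_sent"),    # 4th push in 5 min
    ("2023-03-01T09:02:00", "alice", "push_approved"),
    ("2023-03-01T09:05:00", "bob", "push_sent"),
    ("2023-03-01T09:05:15", "bob", "push_approved"),
]


def detect_push_fatigue(log, max_pushes=3, window=timedelta(minutes=5)):
    """Return the set of users who received more than max_pushes push
    requests inside any sliding time window of the given length."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    flagged = set()
    for ts, user, event in log:
        if event != "push_sent":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while q and now - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if len(q) > max_pushes:
            flagged.add(user)
    return flagged


class NumberMatchChallenge:
    """Number matching: the sign-in screen shows a two-digit code that the
    user must enter in the authenticator app; a plain 'Approve' cannot pass."""

    def __init__(self):
        self.pending = {}  # login_id -> expected code, consumed on first use

    def issue(self, login_id):
        code = f"{secrets.randbelow(100):02d}"   # shown at sign-in, not in the push
        self.pending[login_id] = code
        return code

    def verify(self, login_id, entered):
        expected = self.pending.pop(login_id, None)  # single use: remove on any attempt
        return expected is not None and secrets.compare_digest(
            expected.encode(), str(entered).encode())
```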
Ensuring a Secure SaaS Landscape
It is clear that the adoption of SaaS platforms has grown exponentially in recent years, leading to a significant increase in cyber threats targeting these platforms. To protect against and stay ahead of emerging threats, businesses must adopt a proactive cybersecurity strategy that focuses on securing SaaS usage and safeguarding company data. Furthermore, security leaders need to be vigilant and stay updated on the latest trends in SaaS security and SaaS attacks so that they can incorporate these insights into timely and effective mitigation strategies.
- The SaaS Landscape and Best Practices to Secure It - March 29, 2023