Why Attackers Love Your SaaS
More Apps, More Problems
SaaS applications are everywhere, powering everything from your team’s travel booking to your company’s most critical operations. In 2023, the average number of SaaS apps used by a business reached 371. That said, security programs often only have the bandwidth to focus on the high-profile apps like Salesforce, Google Workspace, Slack, GitHub, and Zoom. In doing so, teams overlook other core apps that seem less critical but still hold immense value to attackers.
I get it. Securing SaaS apps is already difficult enough. First, the sheer volume of apps makes it challenging to keep track of every app in use, creating many blind spots. Second, usually anyone can sign up for a new SaaS app and begin feeding it sensitive data without the approval of the security team. Third, the majority of security teams are stretched thin and suffer from alert fatigue. These bandwidth constraints mean that teams can only focus on the highest-priority tasks, such as hunting down incidents, remediating their 293,013 “critical” vulnerabilities and getting ready for compliance audits.
This leaves very little time to think about the risks that every single SaaS app—that you know about—poses to the organization. However, this does not mean that motivated attackers will spare your SaaS. We’ve seen this recently with sophisticated threat actors like Scattered Spider, responsible for the MGM Resorts and Caesars Entertainment breaches, focusing more on SaaS apps. Such attacks are a key reason why we’re seeing an increase in SaaS security teams. Security leaders are realizing that SaaS security is just as important as any other security domain.
This post covers the risks of overlooking less visible SaaS apps, how attackers leverage artifacts from these apps in their attack chain, and provides best practices for taming the SaaS sprawl.
The Hidden Risks of Non-Core SaaS Apps
Not having a strategy in place for seemingly benign apps and shadow SaaS can spell disaster. Apps like project management tools (e.g., Trello or Asana) and visual diagram tools (e.g., Miro or Lucidchart) often fly under the security radar while hosting a wealth of sensitive information.
However, if compromised, they can give an attacker significant intelligence about the target’s network architecture, security tool stack, software bugs, company roadmaps, delivery dates and even provide visibility into who’s in charge of these key initiatives.
This is precisely what happened when a researcher found over 50 exposed Trello boards by the U.K. and Canadian governments. The boards contained details about software bugs, passwords for servers and an event-planning system.
Misconfigurations across crown jewel SaaS apps like Slack, Salesforce, and Snowflake have led to several devastating data breaches in the past. Less-covered or shadow SaaS apps pose a similar risk and therefore require a similar level of security measures.
Attackers Love Low-Hanging Fruit
Attackers are opportunistic and prefer the path of least resistance. In many ways, non-core SaaS apps are low-hanging fruit and are fairly easy to gain access to. Phishing, credential stuffing and abusing misconfigurations are prevalent tactics attackers use to gain initial access to SaaS apps.
Once inside an app, attackers can gather an immense amount of detail to help them stage the next phases of their attack.
For example, if an attacker is able to gain access to a project management tool, they can learn more about ongoing initiatives, timelines and key personnel involved. Using this information, they can craft a targeted phishing campaign or exploit weak authentication to gain privileged access to more critical apps or systems. Using this privileged access, attackers can change user passwords, lock out users, and demand ransom for account recovery.
Attackers can also exfiltrate the data in these apps, which include intellectual property and customer information, to sell it on the dark web or use it to extort the target entity for financial gain.
In essence, non-core SaaS apps are attractive targets, especially as entry points, because they’re rarely hardened or monitored, and they can inform an attacker's next steps, which can lead to severe financial and reputational damage for the targeted entity.
Leave No App Behind: Best Practices for SaaS Security
It is paramount that security teams develop a robust strategy to secure their entire SaaS ecosystem, not just the few crown jewels.
Regardless of whether you have a SaaS security solution in place today, below are a few impactful steps you can take to ensure that you’re covering your blind spots. In line with the Pareto Principle, where 80% of effects come from 20% of causes, following these four recommendations can help provide serious coverage for your SaaS ecosystem:
- Inventory Management: Maintain an up-to-date inventory of all SaaS apps in use. You can’t secure what you don’t know about.
- Multi-Factor Authentication (MFA): Implement MFA across all SaaS apps. This helps prevent unauthorized access even if credentials are compromised.
- Account Lifecycle Management: Ensure that inactive or unnecessary accounts are deactivated promptly, especially for contractors or departing employees.
- Configuration Hardening: Audit and fine-tune the configurations of your SaaS apps to prevent inadvertent data exposures and minimize your attack surface.
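The four recommendations above can be turned into a repeatable audit. The script below is an added example, not code from the post or from Reco: it runs the inventory, MFA, account lifecycle and configuration checks over a constructed sample of SaaS apps and accounts. The approved-app list, the 90-day inactivity threshold, the departed-user set and the per-app settings are all assumptions standing in for what you would pull from your SSO provider, HR system and each app's admin API.

```python
"""SaaS hygiene audit over a constructed inventory (added example, not Reco's code).

Applies the four recommendations above to sample data:
  1. inventory      -> any app outside the sanctioned list is shadow SaaS
  2. MFA            -> flag apps that do not enforce MFA for every user
  3. lifecycle      -> flag departed users still active and long-inactive accounts
  4. hardening      -> flag apps whose default sharing setting exposes content publicly
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# --- Constructed policy inputs (assumptions; replace with your own feeds) ---
AS_OF = date(2024, 6, 30)                       # audit reference date
INACTIVITY_DAYS = 90                            # hypothetical inactivity threshold
APPROVED_APPS = {"salesforce", "slack", "github", "trello"}   # sanctioned inventory
DEPARTED_USERS = {"carol@example.com"}          # from an HR offboarding feed


@dataclass
class Account:
    email: str
    last_login: date


@dataclass
class SaasApp:
    name: str
    mfa_enforced: bool               # does the app require MFA for all users?
    public_sharing_default: bool     # are new boards/docs shared publicly by default?
    accounts: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    app: str
    category: str   # shadow_app | mfa | orphaned_account | inactive_account | config
    detail: str


def audit_app(app: SaasApp, as_of: date = AS_OF) -> list[Finding]:
    """Return every finding for one app under the four checks."""
    findings: list[Finding] = []

    # 1. Inventory: you can't secure what you don't know about.
    if app.name not in APPROVED_APPS:
        findings.append(Finding(app.name, "shadow_app", "not in sanctioned inventory"))

    # 2. MFA: credentials alone must not be enough to log in.
    if not app.mfa_enforced:
        findings.append(Finding(app.name, "mfa", "MFA not enforced for all users"))

    # 3. Lifecycle: departed users first, then accounts nobody has used recently.
    stale_before = as_of - timedelta(days=INACTIVITY_DAYS)
    for acct in app.accounts:
        if acct.email in DEPARTED_USERS:
            findings.append(Finding(app.name, "orphaned_account",
                                    f"{acct.email} has departed but is still active"))
        elif acct.last_login < stale_before:
            findings.append(Finding(app.name, "inactive_account",
                                    f"{acct.email} last logged in {acct.last_login}"))

    # 4. Configuration hardening: default-public sharing is an inadvertent exposure.
    if app.public_sharing_default:
        findings.append(Finding(app.name, "config",
                                "new content is publicly shared by default"))
    return findings


def audit_inventory(apps: list[SaasApp]) -> list[Finding]:
    """Audit every app and flatten the results into one list."""
    return [f for app in apps for f in audit_app(app)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, useful for tracking coverage over time."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# --- Constructed sample tenant (no real data) ---
SAMPLE_APPS = [
    SaasApp("trello", mfa_enforced=False, public_sharing_default=True, accounts=[
        Account("alice@example.com", date(2024, 6, 20)),
        Account("carol@example.com", date(2024, 5, 2)),      # departed user still present
    ]),
    SaasApp("salesforce", mfa_enforced=True, public_sharing_default=False, accounts=[
        Account("alice@example.com", date(2024, 6, 28)),
        Account("bob@example.com", date(2024, 1, 15)),       # well past the 90-day threshold
    ]),
    SaasApp("miro", mfa_enforced=False, public_sharing_default=False, accounts=[
        Account("dave@example.com", date(2024, 6, 1)),
    ]),   # not in APPROVED_APPS -> shadow SaaS
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_APPS)
    for f in results:
        print(f"[{f.category:17}] {f.app}: {f.detail}")
    print(summarize(results))
```

On the sample tenant this produces six findings: Trello lacks MFA, still holds a departed user's account and shares new boards publicly by default; Salesforce carries one account unused since January; Miro is unsanctioned and lacks MFA. In practice the inputs come from your identity provider's application list and each app's user export, and the run is scheduled so the summary counts trend toward zero rather than being checked once.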
How Reco Levels the Playing Field
As is evident, handling SaaS security is no walk in the park and is nearly impossible to address without an advanced solution. This is where a SaaS security solution like Reco comes into play. Reco secures the lifecycle of SaaS applications by helping organizations with:
- Shadow App Discovery: Identify and manage unapproved or unmanaged apps to bring them under the security umbrella.
- Identity and Access Governance: Ensure that user permissions and identities are properly managed and right-sized on a continuous basis.
- Threat Detection and Response: Utilize out-of-the-box threat detection rules for over 100 apps to identify and respond to potential threats in real time.
- Posture Management: Automatically assess and secure the configurations of SaaS apps according to best practices.
By leveraging Reco, security teams can significantly reduce the burden of ensuring their SaaS applications are secure, allowing them to focus on the things that matter most.
Conclusion
As SaaS adoption continues to accelerate, securing only the crown jewel SaaS apps is no longer enough. Every application, regardless of its perceived importance, can serve as a potential entry point for attackers and can lead to sensitive data leaks. Overlooking non-core and shadow SaaS apps creates blind spots that attackers can exploit to carry out their mission.
To address these challenges, security teams must adopt a comprehensive, identity-centric approach that encompasses all applications. This involves maintaining a complete inventory of apps, implementing MFA, enforcing strict user lifecycle workflows, and regularly auditing and hardening app configurations. By leveraging Reco, security teams can streamline and automate many of these processes…
As sophisticated attackers continue to target SaaS apps, embracing a proactive and holistic approach to SaaS security is no longer optional – it's a necessity.
To learn more about how Reco can help secure your SaaS ecosystem, schedule a demo or contact us at info@reco.ai.
ABOUT THE AUTHOR
Darwin Salazar
Darwin is the founder of The Cybersecurity Pulse newsletter and co-host of the Enterprise Security Weekly podcast. He's also a Sr. Product Manager at Monad. In the past, he has served as a Detection Engineer and Cloud Security Consultant at places like DataDog, Accenture and Johnson&Johnson. Darwin has spoken and given workshops at conferences like DEF CON and fwd:cloudsec. He also holds the CKA and AZ-500 certifications. Darwin is passionate about all things related to security innovation and building a safer future.