Importance of Continuous Monitoring and Automated Threat Testing for SaaS

By Harold Byun, Chief Product Officer, AppOmni

“The harsh reality is that the security tools that the vast majority of companies are using today do nothing to mitigate the risks of data theft and compromise in SaaS. And yet, companies spend almost 3X more on SaaS applications compared to cloud infrastructure. This post looks at how organizations can extend their security controls and threat monitoring program to SaaS in a manner that is commensurate with the value of data living in these applications.”

Security programs have evolved over the years with many teams developing a set of best practices and risk remediation methods that can be used in a variety of scenarios. Historically, many frameworks and defense-in-depth approaches have focused on traditional perimeter-based networks and on-premise systems, and over time, with the adoption of public cloud infrastructure-as-a-service (IaaS), these practices have largely extended to cloud infrastructure.

Where there were visibility and control gaps, cloud IaaS providers and security vendors responded with additional services and capabilities to help facilitate a shared responsibility model. And as organizations embraced a cloud-first strategy, zero trust security models, and scores of vendors claiming to support them, grew with that adoption.

Contrast this with the SaaS world, where visibility is often limited and many traditional detection and mitigation controls simply do not apply. The irony here is two-fold. The volume of active data in, and usage of, SaaS far exceeds that of IaaS compute environments, yet to date the security tooling that would let companies truly secure their SaaS environments has largely been unavailable. Furthermore, the nature of SaaS data breaches is fundamentally different from cloud data breaches or compromises of on-premise systems, but many organizations still try to shoehorn conventional security practices onto SaaS and wrongly believe them to be adequate mitigation measures.

When we put this in the context of the heightened attack landscape and the requirements being put forth for organizations to ensure appropriate security controls for critical systems, it makes sense to extend security controls monitoring to SaaS applications and to automate threat analysis and testing for them.

For example, just the other day, CISA released a Cybersecurity Advisory (CSA) in conjunction with the FBI, NSA, U.S. Department of the Treasury, the Australian Cyber Security Centre (ACSC) and several other international cybersecurity entities warning of heightened malicious activities conducted by advanced persistent threat (APT) actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).

The CSA outlines several tactics that the IRGC uses along with detection and mitigation methods, but also calls out the need to validate security controls. Using the MITRE ATT&CK for Enterprise framework, the advisory recommends looking at tactics and techniques, identifying a detection method and testing the technologies against such techniques.

Many techniques in the persistence category, such as the creation of new user accounts and/or the modification of privileged or elevated roles, can be proactively defended against with SaaS Security Posture Management (SSPM) solutions such as AppOmni. Controls monitoring, such as ensuring the proper implementation of IP whitelist blocks, network zone policies, multi-factor authentication, password requirements and OAuth requirements, is an additional mitigation measure that can be continuously validated using the AppOmni platform.
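The two ideas in the paragraphs above (continuously validating tenant controls, and checking that the persistence techniques the CSA calls out, new accounts and role elevation, are actually detected) can be exercised end to end with a small script. The following is an added example, not AppOmni's code or a real SaaS platform's API: it assumes a generic settings export as a dict and two user/role listings taken at different times, and every field name, role name and threshold in it is a constructed placeholder that would differ per platform.

```python
"""Continuous validation of SaaS security controls plus persistence-technique detection.

Added example, not AppOmni's code. It assumes a generic tenant settings
export (a dict) and two user/role listings (e.g. daily exports from a
SaaS admin API); every field name, role name and threshold below is
constructed for illustration and will differ per SaaS platform.
"""
from ipaddress import ip_network

# Constructed sample of a tenant's security settings export.
TENANT_CONFIG = {
    "ip_allowlist": ["203.0.113.0/24", "0.0.0.0/0"],  # second entry allows everything
    "mfa_required_for_all_users": False,
    "password_policy": {"min_length": 8},
    "oauth": {"allow_unmanaged_apps": True},
    "network_zones": {"enforce_login_zone": True},
}

# Constructed user/role listings taken at two points in time.
USERS_BEFORE = {
    "alice": {"roles": ["user"]},
    "bob": {"roles": ["user"]},
}
USERS_AFTER = {
    "alice": {"roles": ["user", "system_admin"]},  # elevated since last snapshot
    "bob": {"roles": ["user"]},
    "svc-backup": {"roles": ["api_admin"]},  # brand-new account, already privileged
}

# Assumed values: which roles count as privileged and what the baselines are.
PRIVILEGED_ROLES = {"system_admin", "api_admin"}
MIN_PASSWORD_LENGTH = 12
MAX_ALLOWLIST_PREFIX_WIDTH = 16  # anything wider than a /16 is treated as too broad


def evaluate_controls(config):
    """Return a list of (control_id, detail) tuples, one per failing control."""
    findings = []
    allowlist = config.get("ip_allowlist", [])
    if not allowlist:
        findings.append(("IP_ALLOWLIST_MISSING", None))
    for cidr in allowlist:
        # A short prefix (e.g. /0) means the "allowlist" permits nearly everyone.
        if ip_network(cidr, strict=False).prefixlen < MAX_ALLOWLIST_PREFIX_WIDTH:
            findings.append(("IP_ALLOWLIST_TOO_BROAD", cidr))
    if not config.get("mfa_required_for_all_users", False):
        findings.append(("MFA_NOT_ENFORCED", None))
    min_len = config.get("password_policy", {}).get("min_length", 0)
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(("PASSWORD_MIN_LENGTH_WEAK", min_len))
    if config.get("oauth", {}).get("allow_unmanaged_apps", True):
        findings.append(("OAUTH_UNMANAGED_APPS_ALLOWED", None))
    if not config.get("network_zones", {}).get("enforce_login_zone", False):
        findings.append(("NETWORK_ZONE_NOT_ENFORCED", None))
    return findings


def detect_persistence(before, after):
    """Diff two user listings and flag the persistence patterns named in the post:
    new accounts (especially ones created already privileged) and role elevations."""
    new_accounts = sorted(set(after) - set(before))
    new_privileged = [u for u in new_accounts if PRIVILEGED_ROLES & set(after[u]["roles"])]
    elevated = []
    for user in sorted(set(before) & set(after)):
        gained = set(after[user]["roles"]) - set(before[user]["roles"])
        gained_priv = sorted(gained & PRIVILEGED_ROLES)
        if gained_priv:
            elevated.append((user, gained_priv))
    return {
        "new_accounts": new_accounts,
        "new_privileged_accounts": new_privileged,
        "privilege_elevations": elevated,
    }


def run_validation(config=TENANT_CONFIG, before=USERS_BEFORE, after=USERS_AFTER):
    """Combine both checks into one report that a scheduler could run on every export."""
    return {
        "control_findings": evaluate_controls(config),
        "persistence": detect_persistence(before, after),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_validation(), indent=2))
```

Running it on the constructed data reports four failing controls (the wildcard allowlist entry, MFA not enforced, an 8-character password minimum and unmanaged OAuth apps allowed) and two persistence signals (a new privileged account and alice's elevation to system_admin). The same two functions, fed a deliberately misconfigured test tenant and a synthetic "attacker created an admin" snapshot, are a simple way to validate that a control or detection fires before relying on it, which is the testing step the CSA guidance asks for.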

From a holistic perspective, AppOmni maintains the industry’s most comprehensive set of security controls to continuously monitor the attack surface of SaaS to enable a proactive defensive stance against nation state attackers.

That said, security practitioners also have a strong focus on more reactive methods such as threat detection, activity monitoring, privileged access management (PAM) and predictive behavioral models. While these may provide value in legacy on-premise and cloud infrastructure environments, the reality is that they are less practical in SaaS environments, because SaaS data breaches tend to be “smash and grab” operations, and visibility and real-time monitoring are not available in many SaaS environments. Simply stated, traditional detection methods only tell you that the horse has already left the barn.

In these scenarios, detection and investigation measures are key analysis and forensic tools. But it is important for practitioners to consider which mitigation measures are actually preventative and relevant given the SaaS threat model, and, per the CSA guidance, to test and analyze their efficacy against the tactics and techniques that adversaries are using.

AppOmni’s security team and AO Labs, our offensive security group, are composed of the world’s most experienced SaaS security practitioners. Many of our team members have been on the front lines of SaaS security defending against nation state and advanced attackers for close to two decades in the world’s largest compute environments. That experience informs our approach to map the threat model for SaaS to the most effective threat mitigation methods which include both proactive and reactive security measures.

From a proactive standpoint, AppOmni provides a data access model that identifies actual exposed data in SaaS environments (we have helped clients secure over 260 million exposed data records in SaaS). This capability in tandem with our comprehensive controls analysis enables a continuous security monitoring capability to validate and test effectiveness of security programs as they relate to SaaS.

From a threat detection and activity monitoring standpoint, we currently monitor over 12 billion events per month and in excess of 90 million users in SaaS environments. This provides one of the largest SaaS data sets for building behavioral baselines, detecting anomalies, and validating detection methods against cloud breach tactics that are being used in the wild.

So, while SaaS applications have obviously been around for a while and have evolved into complex platforms, the security capabilities to monitor and secure the data inside them, by and large, have not kept pace. SSPM solutions, like AppOmni, can help organizations close the visibility and validation gap that has become a requirement given today’s attack landscape.
