I know I’m biased because we wake up every day working on solving this problem, but hear me out. What was reported this week about the Workday breach needs your attention.
It’s easy to get caught up in the details of the specific attack, and the headlines always focus on the “how”: the social engineering, the vishing, and the compromise of a third-party CRM (which some have reported to be Salesforce). While important, I believe we’re missing the BIG POINT.
This isn’t just another tale of a phishing attack. It’s a clear, public, and high-profile demonstration that the threat landscape has fundamentally shifted. The new cyber battleground is no longer just the perimeter; the threat has moved inside, to our applications and identities themselves.
Let’s call this what it really is: an authenticated threat actor incident.
The breach wasn’t a result of a zero-day exploit in the CRM software. The attackers didn’t “break in” in the traditional sense. They logged in. They used stolen credentials, gained through deception, to operate with a level of trust inside a critical business application. These attacks are on the rise, given the simplicity of execution and the lower risk to the criminal actor. Why waste time developing bypasses or 0-days, or building a complex attack chain, when you can simply log in?
This is a critical wakeup call for the cybersecurity community.
We need to focus on two things:
- Applications are a Critical Attack Surface: We must accept that our applications – whether they’re third-party SaaS like Salesforce and Workday, or internally developed platforms – are no longer just data repositories. They are the new endpoints for malicious insiders and authenticated attackers. Our security controls must be just as robust inside the application as they are at the network edge, and THIS IS OUR PART OF THE SHARED RESPONSIBILITY.
- Detection is Just as Important as Prevention: For too long, we’ve poured the majority of our resources into building more walls to keep people out. But what happens when the attacker is already inside, using a legitimate identity? Identity needs a layered security approach.
Extend the “Assume Breach” Mindset to Applications
We must invest in and mature our detection capabilities for authenticated threats. This means:
- Monitoring identity behavior for anomalies in the application, both before and after authentication.
- Detecting unusual and subtle patterns in how identities act in our environments.
- Taking preemptive action before the attacker reaches their objective, rather than after the damage is done.
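As an added illustration of the pre- and post-authentication monitoring described above (example code written for this page, not the post’s or any vendor’s), here is a small Python detector over constructed SaaS audit events: it learns per-identity baselines of login devices, locations and export sizes, then flags a session that authenticates from a never-seen device and location and follows with a bulk export, the shape of a stolen-credential session. The event schema, field names, thresholds and sample values are all assumptions.

```python
from collections import defaultdict
# Constructed sample SaaS audit events (not from the post): HISTORY is the
# known-good baseline window, RECENT holds the sessions to score.
def ev(user, session, event, geo, device, records=0):
    return dict(user=user, session=session, event=event, geo=geo, device=device, records=records)
HISTORY = [
    ev("alice", "s1", "login", "US", "dev-a"),
    ev("alice", "s1", "report_export", "US", "dev-a", 150),
    ev("alice", "s2", "login", "US", "dev-a"),
    ev("alice", "s2", "report_export", "US", "dev-a", 200),
]
RECENT = [
    ev("alice", "s4", "login", "US", "dev-a"),            # normal session
    ev("alice", "s4", "report_export", "US", "dev-a", 180),
    ev("alice", "s5", "login", "RO", "dev-x"),            # valid credentials, unknown device/geo
    ev("alice", "s5", "report_export", "RO", "dev-x", 45000),
]
def learn_baseline(events):
    """Per identity: devices/geos seen at login and the largest single export."""
    base = defaultdict(lambda: {"devices": set(), "geos": set(), "max_export": 0})
    for e in events:
        b = base[e["user"]]
        if e["event"] == "login":
            b["devices"].add(e["device"])
            b["geos"].add(e["geo"])
        elif e["event"] == "report_export":
            b["max_export"] = max(b["max_export"], e["records"])
    return base

def score_sessions(events, baseline, export_factor=5):
    """Return {session: [reasons]}. Pre-auth signal: login from a device/geo never
    seen for that identity. Post-auth signal: export volume far above its own history."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["user"], e["session"])].append(e)
    findings = {}
    for (user, sid), evs in sessions.items():
        b = baseline.get(user, {"devices": set(), "geos": set(), "max_export": 0})
        login = next((e for e in evs if e["event"] == "login"), None)
        reasons = []
        for key, reason in (("device", "new_device"), ("geo", "new_geo")):
            if login and login[key] not in b[key + "s"]:
                reasons.append(reason)
        exported = sum(e["records"] for e in evs if e["event"] == "report_export")
        if exported > export_factor * max(b["max_export"], 1):
            reasons.append(f"bulk_export:{exported}")
        if reasons:
            findings[sid] = reasons
    return findings
```

In this constructed data only session s5 is flagged, with all three reasons; the normal session s4 from a known device and location with a typical export size produces no finding.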
The old model of “prevent and protect” is insufficient. We need a new model that embraces the reality that an attacker can, and will, gain a foothold. The question is no longer “if,” but “what happens next?”
Let’s use this moment to move beyond the “they tricked a help-desk worker” framing of this problem and start a conversation about a layered approach to identity security: one that recognizes that applications need a detection layer, like any other part of the IT estate, and that it’s time to prioritize defenses against the authenticated identity threat.
Related Reading
Workday isn’t the first of these attacks. Read our blog to go deeper into similar and linked incidents over recent months.
Hackers are Stealing Salesforce Data, Google Warns
Scattered Spider is Back – Last Time: Retailers, This Time, They’re Targeting Insurers
Why Are CISOs Prioritizing Snowflake Security? The Breach Playbook Has Changed.
APT28 Cyber Espionage Campaign Targets Logistics and Tech Companies, CISA Warns