Watch Reveal Security’s Field CTO, Adam Koblentz, as he demonstrates just how simple it is to ‘Cover Your SaaS!’
SaaS is integral to nearly every organization today, yet many security tools such as SIEM, UEBA, and SSPM concentrate on pre-login activities, neglecting the crucial monitoring of authenticated user actions within SaaS platforms.
Learn how ML-based detection can safeguard your SaaS applications against insider threats, credential abuse from account takeovers, third-party risks, and more!
Transcript
01:14 Adam Koblentz: Well, welcome to a webinar from Reveal Security on the top 4 reasons you need to cover your SaaS.
01:21 Adam Koblentz: My name is Adam Koblentz. I’m the field CTO at Reveal Security, and I have a history in defense and IR, and I wanted to walk you through
01:30 Adam Koblentz: our viewpoints on how to cover your SaaS.
01:33 Adam Koblentz: We’re going to cover the main problems with SaaS security solutions, the top 4 reasons that you’re going to have a real challenge and what to do about them. And then how do you actually cover your SaaS and make your security system and program more effective for your company?
01:48 Adam Koblentz: So the real challenge, when it comes to SaaS security, is that it’s growing.
01:53 Adam Koblentz: What we’re experiencing is a real explosion in the number of applications that different companies are using, that maybe the Security team doesn’t even know about.
02:02 Adam Koblentz: There’s also a huge issue with the fact that the security, the SaaS providers themselves are increasing in terms of complexity.
02:13 Adam Koblentz: What you used to have on-prem and used to have control over in your data center has now been taken out of your hands. You have less control over who has access to things, and you’re more reliant on those providers themselves.
02:26 Adam Koblentz: So
02:27 Adam Koblentz: The 1st reason that you need to cover your SaaS is more and more of your business-critical data, customer information,
02:35 Adam Koblentz: patient health information, etc., are all being stored in the sensitive SaaS applications. So you can think about that as being your data store, your CRM, even things like OneDrive. They all have important information inside of them,
02:49 Adam Koblentz: and you’ve lost more control over that.
02:52 Adam Koblentz: And the attackers know this.
02:54 Adam Koblentz: One of the things we’ve seen from various threat reports over the years is that the number of adversaries attacking, and the number of breaches reported in these SaaS providers, has increased to over 80% of the reports, of the reported incidents that we’ve seen in the last year from CrowdStrike, for example.
03:13 Adam Koblentz: You may also remember that because of things like the Snowflake incident, when the attackers are able to get in and attack one application, they’re able to get access to hundreds or thousands of companies’ data.
03:27 Adam Koblentz: And this is a really big challenge. Because now
03:30 Adam Koblentz: the security is outside of your control in a lot of ways.
03:35 Adam Koblentz: Now, as we said, there are over 80% of organizations that data exposure. It was related to SaaS breaches. Now, that could be something as simple as
03:43 Adam Koblentz: MS 365 with email being leaked. It could be Snowflake, could be a CRM. It could be anything where your data is stored, where your employees, or your customers, or external users, etc., or your 3rd party partners have access, and if they’re compromised or their identities are compromised, MFA is bypassed, etc., that data is now out there, and you’ve less control over it.
04:10 Adam Koblentz: Now, the other real, you know, elephant in the room when it comes to SaaS security is that it’s a shared responsibility,
04:17 Adam Koblentz: and often
04:18 Adam Koblentz: and often this is actually an implied contract, not a black and white legal one. So, for example,
04:28 Adam Koblentz: many of these SaaS providers will tell you that in their best practices model, you should enable the audit logging.
04:34 Adam Koblentz: The challenge with that is that that’s implying that you’re going to do something with those audit logs
04:39 Adam Koblentz: and the other issue that we’ve seen is many SaaS application providers or CSPs sometimes require you to pay additional money to get access to those audit logs,
04:49 Adam Koblentz: and in real cases, sometimes that can be an extra 30% of total spend
04:54 Adam Koblentz: for the company when it comes to getting access to those logs.
04:58 Adam Koblentz: Now, this is a real departure from traditional, you know, security models, because when things were on-prem you had the ability to control who could access things much more granularly. You also had the ability to lock things down, and you could control the logging because it was already being generated inside of your environment.
05:16 Adam Koblentz: The challenge that we’re facing here is they don’t, you know, exposing those logs to you sometimes is very expensive. Or they may not have a history, or it may be accessible in a very complicated and convoluted way.
05:31 Adam Koblentz: For example, we’ve seen some applications where the only way to get logs out is to go and actually click a button from the admin panel.
05:38 Adam Koblentz: That doesn’t seem very productive and very scalable when you’re talking about a large organization.
05:44 Adam Koblentz: Now, the other challenge when it comes to, you know, why you need to secure your SaaS is there’s a real lack of visibility into SaaS and cloud providers, and the way that those things work. And so, because of that,
05:57 Adam Koblentz: it’s easy to have a false sense of security.
06:01 Adam Koblentz: You know, the burglar alarm never goes off,
06:04 Adam Koblentz: makes, but it’s still there makes you feel more secure when in reality, maybe it’s not hooked up.
06:09 Adam Koblentz: You don’t know that, and it’s a real challenge. Because when it comes to what’s available to you to actually secure your data and the things that drive your business.
06:19 Adam Koblentz: you’re really limited to mostly access controls not so much the underlying understanding of what’s happening inside of the environment and your application estate.
06:29 Adam Koblentz: So because of this, it’s a real challenge. You have this belief that what you’re doing is working and that your data is safe. And we also have all these new requirements from the government and regulators around how quickly you have to provide information to the public
06:44 Adam Koblentz: and report when you’ve had an incident.
06:47 Adam Koblentz: But this visibility concern, really, you know, makes that hard to comply with. So there’s a real lack of visibility in SaaS and cloud, and there’s a real lack of
06:58 Adam Koblentz: true understanding of your attack surface and the things that you need to be concerned about when it comes to the actual securing of your data in those applications.
07:10 Adam Koblentz: Now, what do you? What should you do to help make sure you’re covering your SaaS?
07:14 Adam Koblentz: The 1st thing is, and this is again near and dear to my heart, is really, you should only be working with vendors that have proper logging. If you don’t have logging, you don’t know what’s happening in your application. And that’s true, everything from software engineering all the way through to performance to security. So when you’re trying to figure out what’s going on in an application that has your data, if they don’t have logging, you should not be working with them because you have a compliance requirement
07:42 Adam Koblentz: to actually have and store logs related to several kinds of data.
07:46 Adam Koblentz: For example, the patient health information or other kinds of PII. You know, the
07:52 Adam Koblentz: if you don’t have the logging, you don’t know what’s happening. And that’s not okay. From a compliance perspective.
07:58 Adam Koblentz: We should absolutely talk about incorporating SSPM. So posture management’s huge: understanding what applications are even being used in your environment, understanding who has access to them, what they’re, how they’re locked down.
08:10 Adam Koblentz: All of those are critical to get you to a base level of security when it comes to SaaS applications and CSPs, enforcing things like using assumed roles versus IAM, or hooking everything up to SSO to ensure that you’re taking the authentication out of the actual hands of the application and putting it into something that you can have more control over.
08:31 Adam Koblentz: The security organization needs to be involved in vendor selection when it comes to what CSPs or SaaS applications the business uses. It’s not always possible, but it should absolutely be a thing that’s looked into, because when it comes to security, they have the ability to make sure that those vendors have the appropriate certifications like, for example, a SOC 2 Type 2, or the NIST equivalent, or the ISO equivalent. These are a way for you to have some
08:55 Adam Koblentz: sense of.
08:57 Adam Koblentz: I guess I want to say some sense of a warm, fuzzy feeling that they are taking this seriously enough to have your data.
09:04 Adam Koblentz: Again, this is always trust, but verify. 3rd party risk assessments, etc., are required, but that all requires that security be involved in the selection of vendors inside of the SaaS applications that are useful by the company.
09:16 Adam Koblentz: Robust access controls: this ties into with the SSPM. How do you ensure that? Not just from a posture perspective, but also the ability for you to automatically have a workflow that enables or disables people based on onboarding and/or offboarding. Or if there’s some RBAC that you need to have access to or should be regional based on who has access to which kind of information?
09:36 Adam Koblentz: Some of the people we’ve talked with have had concerns over even employees in the same office having access to different levels of data based on who they are or, you know, what their actual role is, and those kinds of things. We need to make sure that you have those access controls because everything that you’re doing with SaaS,
09:53 Adam Koblentz: or the vast majority of what you’re doing with SaaS, is really tied to just keeping things where they are and making sure only certain people have access.
09:59 Adam Koblentz: I mean MFA, phishing-resistant MFA, etc., are all a key part of that, and that all ties into the access controls.
10:06 Adam Koblentz: Now, also, like I said, about the audit logging,
10:10 Adam Koblentz: you have to make sure that you have the logs, and that there’s somewhere they can actually be used because the other challenge with this is from a detection standpoint. You’re really limited. Things like AWS have GuardDuty. They have Detective. They have CloudTrail with some built-in things there, that’s great. But you still need to have all the logs, either from the alerts and the audit logs, or at least just the audit logs, because you need those to help drive
10:33 Adam Koblentz: your SIEM and your SOC to understand what’s going on in the environment. And without those logs, and being able to search across, for example, your SSO logs and your SaaS app logs, you’re kind of losing an extra visibility layer there.
10:47 Adam Koblentz: and
10:48 Adam Koblentz: we also think it’s really important to look at what the authenticated identities are doing
10:53 Adam Koblentz: in those logs. Because, for example, someone who has an MFA bypass, or, you know, bad guy does MFA bypass, they’re still going to show up as that authenticated, trusted user inside of the application.
11:05 Adam Koblentz: And because of that, we’re going to have an issue of trying to identify. You know the good normal usage versus the anomalous or malicious usage.
11:15 Adam Koblentz: I mean, we can’t rely on things like geolocation, impossible travel, etc., because
11:22 Adam Koblentz: first off, everyone does bring your own device.
11:24 Adam Koblentz: The APTs know how to use VPNs. People are traveling all over the world. Now, you know, we’re doing a remote-first work culture in a lot of ways.
11:34 Adam Koblentz: And if you can’t look and see what the authentic identities are doing inside the applications, you’re losing everything except for the initial access layer.
11:43 Adam Koblentz: So
11:44 Adam Koblentz: this is where we, Reveal Security, come in. We help you detect attacks in your SaaS applications. We monitor continuously audit logs from those applications to then actively detect and respond to suspicious activity inside and across your application estate, your CSPs, single sign-on, IdP, etc.
12:01 Adam Koblentz: Thank you.
12:02 Adam Koblentz: Have a great day.