On average, IT teams are only aware of 20% of the SaaS applications used in their organizations [1]. If standard controls could be easily applied to SaaS apps, then this number would be little cause for concern. However, the frequency of SaaS-related security incidents tells a different story, with frequent headlines on publicly visible PII, account takeover through hacked third parties and malicious exfiltration of entire customer databases. Clearly, current solutions are not enough.
How Prevalent are SaaS-based Breaches?
SaaS data breaches account for data exposure in four out of five organizations [2], and almost half (43%) experience security incidents related to SaaS misconfigurations [3]. These numbers are not surprising if you consider that 98% of organizations are connected to breached third-party vendors [4], which may include APIs, plugins and other shadow SaaS services. With hundreds of SaaS applications used in organizations of all sizes, the attack surface becomes unwieldy to manage, and breach prevention seems nearly impossible.
What are some Common SaaS Breach Vectors?
Here are some common ways in which SaaS applications are breached:
- Supply chain attacks through a breached third-party SaaS tool – Think of an enterprise platform such as a CRM or a productivity application connected to a SaaS tool, such as a single-function app that improves grammar or helps schedule meetings. If that SaaS tool is breached, the threat actor inherits its access and reaches sensitive information such as customer data and email correspondence in the enterprise platform.
- Stale API tokens and stale accounts – Many recent high-profile breaches were carried out by abusing a stale API token or stale user account whose existence had been forgotten. Companies often connect a service to their enterprise ecosystem, use it for a while, and then stop. The result is a connection to your enterprise that has long been forgotten and neglected, and a potential entry point for a threat actor. By the time things start looking suspicious, it may already be too late.
- Stale accounts with active API tokens – When an individual leaves a company, admins usually don’t investigate which APIs that person connected to the organization’s SaaS ecosystem. This means that a webhook may still be transferring sensitive data from an internal application to an external one, for example, sending mobile text messages each time a message is posted on a Teams channel. The result is a situation where the account is stale and the user can no longer log in, but the API token is still active.
- Legit-looking applications with a backdoor – Your company may be using a lightweight app, say a service that keeps email signatures uniform across the organization to promote different events. But if that little app has a backdoor, it can change the email signature to contain a link to a phishing website or malware infection point.
- Mobile consumer apps with excessive permissions – When an employee blindly accepts permissions of a mobile app they install, they may inadvertently approve permissions related to their corporate account rather than their personal one. For example, they may not notice that the app requires access to the entire list of contacts on their phone, which may include contacts from the corporate directory.
- Abandoned, deprecated and legacy applications – While this one may seem obvious, identifying applications that should no longer be used and revoking their credentials is anything but. SaaS services that are no longer being maintained are likely to contain vulnerabilities, while still being connected to your latest source code or customer data. This puts sensitive information at risk of falling into the wrong hands, as the abandoned app maintains access to your enterprise application and its data.
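The stale-token, stale-account and deprecated-app vectors above all reduce to the same review question: which integration tokens still have access even though their owner, their usage, or the app itself no longer justifies it? The following script is an added example (not Check Point's code, and not a Harmony SaaS feature) that runs that review over a constructed token inventory and user directory; the app names, users, scopes and the 90-day staleness threshold are all assumptions made up for the illustration.

```python
"""Review SaaS integration tokens for the breach vectors described above:
a token whose owner account is deactivated or unknown, a token unused for a
long period, and a token belonging to an app the organization has retired.
All data below is constructed for the example; in practice the inventory
would come from the SaaS platform's OAuth/app-integration admin export."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Token:
    token_id: str
    app: str             # third-party app the token was issued to
    owner: str           # user who authorized the integration
    scopes: tuple        # permissions granted to the app
    last_used: datetime  # last time the token was seen in use (UTC)


# Constructed user directory: True = active account, False = deactivated.
USERS = {
    "alice@example.com": True,
    "bob@example.com": False,    # left the company; account disabled
    "carol@example.com": True,
}

# Constructed list of apps the organization has formally retired.
DEPRECATED_APPS = {"legacy-signature-sync"}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed token inventory.
TOKENS = [
    Token("t1", "meeting-scheduler", "alice@example.com",
          ("calendar.read",), NOW - timedelta(days=2)),
    # Bob is gone, but his webhook token is still in use every day.
    Token("t2", "sms-webhook", "bob@example.com",
          ("chat.read", "contacts.read"), NOW - timedelta(days=1)),
    # Nobody has used this grammar helper in months, yet it can still send mail.
    Token("t3", "grammar-helper", "carol@example.com",
          ("mail.read", "mail.send"), NOW - timedelta(days=200)),
    # The app was retired, but its token was never revoked.
    Token("t4", "legacy-signature-sync", "alice@example.com",
          ("mail.readwrite",), NOW - timedelta(days=5)),
    # Owner does not exist in the directory at all (e.g. contractor account purged).
    Token("t5", "file-sync", "dave@example.com",
          ("files.read",), NOW - timedelta(days=3)),
]

WRITE_SUFFIXES = (".send", ".write", ".readwrite")


def review_tokens(tokens, users, deprecated_apps, now, stale_after_days=90):
    """Return {token_id: [reasons]} for every token that should be reviewed
    or revoked. Tokens with no findings are omitted."""
    findings = {}
    for t in tokens:
        reasons = []
        if t.owner not in users:
            reasons.append("owner account not found in directory")
        elif not users[t.owner]:
            reasons.append("owner account deactivated but token still active")
        if now - t.last_used > timedelta(days=stale_after_days):
            reasons.append(f"token unused for more than {stale_after_days} days")
        if t.app in deprecated_apps:
            reasons.append("app is deprecated")
        if reasons:
            findings[t.token_id] = reasons
    return findings


def high_impact(token):
    """True if the token can modify or send data, not merely read it.
    Useful for ordering the revocation queue."""
    return any(s.endswith(WRITE_SUFFIXES) for s in token.scopes)


def revocation_queue(tokens, users, deprecated_apps, now, stale_after_days=90):
    """Token ids to revoke, write-capable tokens first, then by id."""
    findings = review_tokens(tokens, users, deprecated_apps, now, stale_after_days)
    by_id = {t.token_id: t for t in tokens}
    return sorted(findings, key=lambda tid: (not high_impact(by_id[tid]), tid))


if __name__ == "__main__":
    for tid, reasons in review_tokens(TOKENS, USERS, DEPRECATED_APPS, NOW).items():
        print(tid, "->", "; ".join(reasons))
    print("revoke in order:", revocation_queue(TOKENS, USERS, DEPRECATED_APPS, NOW))
```

The active-and-unused distinction matters: t2 is still being used daily, so a last-used check alone would never surface it, while t3 passes an ownership check but has been idle long enough that nobody would notice if it started moving data. Checking both against the directory and against last-use time is what catches each case.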
Why are Current Solutions Not Enough?
The SaaS security challenge is a complex one, as evidenced by the range of solutions on the market, from cloud access security brokers (CASBs), now part of Security Service Edge (SSE) solutions, to the newer SaaS Security Posture Management (SSPM) tools.
SSEs are effective in applying organizational policy specific to sanctioned applications (via API security) as well as the long tail of shadow IT (via inline security). However, they usually focus on user-to-app interaction.
SSPMs are an excellent way to reduce your SaaS attack surface, by ensuring identity permissions are aligned with real needs, and making it easy to remediate weak security settings and misconfigurations.
Neither of these solutions, however, provides visibility into SaaS-to-SaaS connections, nor can either stop SaaS-to-SaaS attacks in real time using a combination of machine learning and SaaS-specific threat intelligence.
Check Point Harmony SaaS – Transforming SaaS Security
Check Point Harmony SaaS is the most advanced solution for preventing SaaS-based threats.
Unlike conventional solutions, Harmony SaaS:
- Installs in minutes
- Discovers your SaaS applications
- Analyzes security posture gaps
- Provides single-click remediation
- Automatically stops SaaS attacks in their tracks
Harmony SaaS brings an ecosystem approach to SaaS security.
By studying SaaS-to-SaaS connections and monitoring their behavior with machine learning, Harmony SaaS severs risky connections in real time, keeping you safe from threats like data theft and account takeover.
The best part: Harmony SaaS requires no prior expertise, making it easy for anyone on the team to manage SaaS security.
It’s time to take the guesswork out of SaaS security and compliance.
Get started with the resources below:
- Demo Video
- Harmony SaaS – Solution Brief
- CISO’s Definitive Guide to SaaS Security – eBook
- Book a demo
- Start a free trial
[1] Source: Internal Check Point research (Atmosec)
[2] Source: https://financesonline.com/top-saas-security-risks-and-how-to-avoid-them/
[3] Source: https://www.resmo.com/blog/saas-security-statistics
[4] Source: https://www.cybersecuritydive.com/news/connected-breached-third-party/641857/