This past month, Adaptive Shield partnered with Panorays (a SaaS-based third-party security risk management platform) to produce a joint webinar Pinpoint Your SaaS App Risks: From Evaluation to Usage. These two security experts, Maor Bin, CEO of Adaptive Shield, and Demi Ben Ari, CTO OF Panorays, discussed the evolution of third-party apps, the tools used to secure them, and the best practices and processes for using these tools. Here are some of the highlights and key takeaways.
Meet the Experts
Maor Bin, CEO & Co-Founder at Adaptive Shield, brings over 16 years of experience in the cyber security industry. Before founding Adaptive Shield, Maor served as a cybersecurity intelligence officer in the IDF and later led SaaS Threat Detection Research at Proofpoint.
Demi Ben Ari, CTO & Co-Founder at Panorays, is a software engineer, entrepreneur, and international tech speaker. He has over 10 years of experience in building systems both from the field of near real-time applications and big data distributed systems.
Why is 3rd Party App Security Critical?
Demi Ben Ari: “The SaaS stack that you are using today is really your new attack surface”
As illustrated in Figure 1, the supply chain has become more complicated and complex due to many changes in the industry.
It's clear that 3rd party apps like Salesforce, Slack, and Monday are critical to businesses and have become an inseparable part of employee’s day to day. It’s also clear that proper risk assessment and security for these apps is vital.
Demi takes a moment to discuss how this risk is understood in today’s market:
“Think that today when we were speaking about third-party breaches that people speak about and echo in the media… it isn't really an attack, right? There is a vulnerability exposed to the world and a lot of hackers and a lot of malicious actors actually try to exploit them with the spray and pray attack. So most of it is not even really targeted.”
This signifies two things. The first being that most breaches are happening simply as a result of apps being poorly secured. The second is understanding that attackers are continuing to explore new means to access and exploit organization's data and this can be true for both targeted and non-targeted organizations, meaning hardening security settings for every app cannot be overstated.
For example, Salesforce is crucial to today's business but in order to operate, the app houses sensitive information that if leaked could potentially ruin a business. The 2022 SaaS Security Survey Report shows that while the investment in SaaS applications is growing, the investment in security tools and staff is lagging behind, as seen in Figure 2.
Organizations need a new tool set to secure the onboarding of new apps and other developments in their SaaS landscape. However, the process needed for organizations to secure their 3rd party apps goes far beyond just implementation; organizations need to evolve their security protocols to include a continuous and repetitive means of evaluating and hardening app security.
Demi: “We spoke about identification and how to know all the vulnerabilities, but it’s a process, and the process does not finish at ‘I'm installing something and this magic box will solve all of my problems’...the continuous monitoring aspect is really crucial.”
Initial and Continuous SaaS Security Assessment
Maor Bin: “We need to understand first of all what we need to do to create this [continuous assessment] process internally to work in a secure fashion.” Maor outlines the process of initial and continuous SaaS security assessment into three levels – discovering and assessing risks, obtaining and maintaining hygiene, and managing threats.
Figure 3 outlines the entire process that security teams should be conducting and repeating in order to keep their SaaS stack secure. While the details of this process should be customized to each organization's size, needs, and resources, the overall methodology is the key to create a continuously secure SaaS environment.
Discover and Assess Risks
The first step in securing one’s SaaS ecosystem is having comprehensive and robust discovery processes to learn of the potential apps’ digital footprint. Security teams need to understand where they have visibility and, more importantly, where they don't. Addressing blind spots should be a top priority to ensure risk can be discovered and reduced.
Then, throughout the onboarding process, from users, their permissions, and their devices, security teams can be hyper aware of all the moving parts that should be checked. Organizations also need to be able to identify and discover SaaS-to-SaaS applications, including ones that are connected without the security team’s knowledge. Today's workforce depends on apps that easily connect with the user's workspace.These 3rd-party applications, which can number in the thousands for larger organizations, all must be monitored and overseen by the security team.
Obtain and Maintain Hygiene
Once the initial assessment is complete, security teams must maintain (or increase) the level of hygiene. Security teams should focus on closing gaps that exist in their posture to remediate faster and reduce risk. This requires that security teams evaluate configurations, compliance requirements, and other changes in their SaaS estate not just once, but repeatedly.
The final step is threat management. Security teams must identify misconfigurations or vulnerabilities in a device or user that is causing risk and quickly remediate the issue.
Gartner recently named a new security discipline called Identity Threat Detection and Response (ITDR). ITDR incorporates detection mechanisms that investigate suspicious posture changes and activities, and responds to attacks to restore the integrity of the identity infrastructure.
ITDR incorporates strong SaaS Security IAM Governance methodologies and best practices that are found in SaaS Security Posture Management solutions (SSPM). This enables security teams to gain continuous and consolidated visibility of user accounts, permissions, and privileged activities across the SaaS stack, such as:
- Forensics related to user actions, focusing on privileged users
- Identifying who is accessing what and when, and with the right levels of privileges
- Role right-sizing by revoking unnecessary or unwanted access
- Roles' continuous and automated discovery and consolidation
Regardless of how secure an organization's SaaS posture is, new threats continue to emerge and security teams need the right tools to combat them.
Onboarding a New SaaS App
Demi Ben Ari: “It always starts from visibility and onboarding. Eventually when you end up with continuous monitoring, it’s also continuously onboarding all of these third-party engagements, and this can be on multiple layers.”
Salesforce can be used as an example of these layers and is considered the first layer. Next, a user may install 5 plug-in applications from the app exchange – apps that may not even be verified by a security expert – creating the second layer, also called SaaS-to-SaaS access or 3rd party app access. This second layer alone already introduces dozens of granted permissions into your environment, multiplying the attack surface. It doesn't stop there – an app connected in the second layer may have its own connected plug-ins which in turn create the third layer and so on and so forth. Security teams must have an assessment process for onboarding the entire entity from the core apps to all its plugins.
Maor iterates: the first step is to identify and discover all these applications and then understand what other apps are connected. History has taught us that many breaches happen as a result of attackers gaining access to small supported apps as opposed to the core SaaS workspace.
SSPM Enables Complete Control
Maor: “The idea, when we talk about security, is not just protecting one application or a handful of applications, it’s protecting your entire stack”.
The high volumes of apps, users, and settings makes maintaining a secure SaaS stack a near impossible challenge. Security teams need all-around visibility into different aspects of their SaaS stack while simultaneously implementing and maintaining continuous security assessments. SaaS Security Posture Management (SSPM) solutions enable security teams to gain complete control over their SaaS stack and significantly aid in implementing the continuous process of assessment.
SSPM combat the challenges existing in the SaaS landscape through:
- Misconfiguration Management: Deep visibility and control of all configurations, settings, and built-in security controls across all SaaS apps for all users
- SaaS-to-SaaS App Access: Monitoring and management of all third-party apps connected to the company's core SaaS stack
- Identity & Access Governance: Consolidation and validation of user identity and access (for example, identifying dormant accounts or external users with administrative access)
- Device-to-SaaS User Risk Management: Manage risks stemming from the SaaS user's device based on the device hygiene score, correlating the user, their permissions’ level, and the SaaS apps to which they have access.