Adam Bateman of Push Security examined the growing issue many organizations still underestimate – employee-enrolled SaaS apps.
If there’s a recurring theme of the last three decades, it’s the way that cybercriminals always seem to spot risky trends in new technology adoption before defenders are even aware the problem exists.
In the 1980s, malware writers used the floppy drive ‘sneakernet’ to spread nuisance boot sector viruses. A decade later, email systems proved an easy way to spread worms at incredible speed. By the 2000s, the popularity of USB sticks and the tendency of employees to lose them turned parking lots into sites for a wave of corporate data breaches.
Then came the mother trend of them all, shadow IT, as employees started using the latest devices, apps and web services the security team knew nothing about. But just because every CISO today has heard of shadow IT doesn’t mean the problem has gone away.
In his presentation at ISC2 SECURE London, Securing Employee-Adopted SaaS Apps, Adam Bateman, co-founder and CEO of Push Security, offered stark insight into how this new stage in the shadow IT phenomenon has the potential to dwarf the risks of employees using unsanctioned devices.
Adopt Your Own Software
Employee SaaS is exactly what it sounds like – employees signing up for SaaS applications and accounts without following regular processes, effectively behind the backs of the security team or IT. Organizations know that SaaS accounts are a risk but focus overwhelmingly on controlling the ones they can see such as Google Workspace, Office 365 or Azure. However, employee SaaS is the shadow side of this issue, the SaaS you can’t see.
“There are literally thousands of SaaS apps at the moment,” said Bateman. “They [employees] will sign up for one, start adding company data to it, and then they start inviting colleagues.”
They then try another four and invite five colleagues to each, creating 25 identities that now exist indefinitely, hugely expanding the attack surface criminals can aim at as part of what Bateman called “SaaS-native attacks.”
The existence of these identities shifts the security perimeter to the endpoint. Cybercriminals know this is a weak point because by compromising endpoint accounts such as SaaS, at a stroke they bypass whole layers of network security. This is what is meant by the phrase “identities are the new perimeter,” said Bateman.
SaaS applications fall into different categories, starting with standalone financial apps, social media aggregators, password vaults, EDRs and management apps. A second type is integrated platforms for marketing, HR, CRM and software development, which can contain critical information such as API keys and access tokens.
In theory, application policies and mandates on approved software should outlaw the use of these unvetted SaaS applications. In reality, employees tend to engage with the approval process only once they have already tried out a selection of apps and services, by which time the identities and their risk have existed for some time. What caused the spike in SaaS use was a combination of the rise of remote work and the sales phenomenon called product-led growth (PLG), an idea that has spread like wildfire in the software industry.
How Are Apps Compromised?
The main danger lies with password re-use, which is almost inevitable when employees are using or trying out multiple SaaS apps; identity provider Auth0 reported in 2022 that 34% of traffic and authentication events on its platform were attempted credential stuffing attacks. Once they have gained access, attackers use compromised accounts to social engineer other employees, for example by sending malicious links or redirecting them to SSO phishing pages.
In a growing number of incidents, these credentials are relayed in real time through adversary-in-the-middle proxies, giving attackers not only access to the genuine SSO and a way past MFA but also a long-term access token with which to gain persistence. At this stage, attackers can start misusing automation platforms that Bateman characterized as being like PowerShell for the cloud. These are installed into compromised accounts to set up automations that do things such as stealing information.
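The credential-stuffing pattern described above has a recognisable signature in authentication logs: one source address producing failures spread across many different accounts in a short window, as opposed to one user repeatedly mistyping their own password. The detector below is an added example written for this article, not code from Push Security or Auth0; the log lines are constructed, and the window and account-count thresholds are hypothetical tuning values.

```python
"""Credential-stuffing detection over authentication events (added example).

Log format assumed here (constructed): "<ISO timestamp> <source ip> <user> <OK|FAIL>".
The thresholds (10-minute window, 5 distinct accounts) are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events, not real data.
# 203.0.113.5 sprays one password across many accounts and succeeds on one;
# 198.51.100.7 is a single user who simply mistyped their password twice.
SAMPLE_LOG = """\
2023-10-02T09:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-02T09:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-02T09:00:03Z 203.0.113.5 carol@example.com FAIL
2023-10-02T09:00:04Z 203.0.113.5 dave@example.com FAIL
2023-10-02T09:00:05Z 203.0.113.5 erin@example.com FAIL
2023-10-02T09:00:06Z 203.0.113.5 frank@example.com OK
2023-10-02T09:05:00Z 198.51.100.7 alice@example.com FAIL
2023-10-02T09:05:30Z 198.51.100.7 alice@example.com FAIL
2023-10-02T09:06:00Z 198.51.100.7 alice@example.com OK
2023-10-02T11:00:00Z 203.0.113.9 bob@example.com OK
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "result": result,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: sorted distinct users} for source IPs whose failed logins
    touched at least `min_distinct_users` different accounts inside `window`.

    A stuffing run tries leaked credentials account by account, so a single
    source fans out across many usernames; a forgotten password produces
    repeated failures on one username and is not flagged.
    """
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures_by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Accounts that logged in successfully from a flagged source: the ones
    whose reused password was in the attacker's list and need a reset."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "OK"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = detect_credential_stuffing(evts)
    print("stuffing sources:", hits)
    print("accounts to reset:", successes_from_flagged_ips(evts, hits))
```

The useful output is the second list: the accounts that accepted a password from a flagged source are the ones whose reused SaaS credential has already been confirmed, and they are the accounts an attacker would next use for the internal social engineering the article describes.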
“If you see these apps in the organization, you really want to defend them because they are super powerful.”
Bateman’s first recommendation is to gain visibility of the SaaS identities being used inside an organization, and to do so as quickly as possible after they have been created. Waiting months risks the employee being less amenable to having controls imposed upon them, said Bateman.
How can visibility be achieved? Logs and proxies can do the job in principle, but it can be difficult to make sense of the URLs flying around in traffic. A simpler approach is email scanning. Because every SaaS application involves a confirmation email plus marketing follow-up, this can be a good indicator that a SaaS app is being used.
Bateman argued against adopting the traditional centralized approach to application and identity management, where onboarding and offboarding is managed in one place by a single team. This will almost certainly prove impractical.
“Decentralized IT is where we are now. If you’re decentralizing IT, decentralize the security too,” said Bateman.
He also recommended moving to user-centric security. This makes it easier to distinguish between a malicious user and the genuine user because the security team can quiz them directly about unusual actions. In addition, for extra visibility security teams can deploy a new generation of browser extensions that are able to detect login screens as a way of logging possible SaaS sign-ups.
However, using a browser extension will only protect you from the day you install it on endpoints. Older accounts – possibly stretching back years – will still be out there, including ones that have been abandoned but still pose a risk. The only way to look backwards at shadow SaaS is to use email scanning to hunt down the original sign-ups.
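The email-scanning approach from the two passages above (confirmation and follow-up mail as the indicator of a SaaS sign-up, and the retrospective sweep of an old mailbox for accounts that may since have been abandoned) can be sketched as a small mailbox scanner. This is an added example written for this article, not Push Security's tooling: the messages are constructed, the sender domains use the reserved `.example` TLD, and the subject-line patterns, internal-domain list and 180-day dormancy threshold are hypothetical heuristics a team would tune to its own mail.

```python
"""Mailbox scan for SaaS sign-up confirmations (added example, not Push Security's code).

Assumptions: messages are RFC 5322 text parsed with the standard library; the
subject patterns, INTERNAL_DOMAINS and the dormancy threshold are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical subject heuristics for account-creation or invitation mail.
SIGNUP_SUBJECT = re.compile(
    r"\b(confirm|verify|activate)\b.*\b(email|account|address)\b"
    r"|\bwelcome to\b"
    r"|\byou(?:'ve| have) been invited\b",
    re.IGNORECASE,
)
INTERNAL_DOMAINS = {"example.com"}  # hypothetical: the organisation's own mail domains
REFERENCE_DATE = datetime(2023, 10, 2, tzinfo=timezone.utc)  # "today" for the sample run

# Constructed mailbox: two SaaS apps, one internal verification mail, one invite.
SAMPLE_MAILBOX = [
    """From: TaskBoard <no-reply@mail.taskboard.example>
To: alice@example.com
Subject: Confirm your email address
Date: Mon, 06 Feb 2023 10:15:00 +0000""",
    """From: TaskBoard <hello@taskboard.example>
To: alice@example.com
Subject: 5 tips to get started with TaskBoard
Date: Wed, 08 Feb 2023 09:00:00 +0000""",
    """From: CRM Tool <noreply@crm-tool.example>
To: alice@example.com
Subject: Welcome to CRM Tool!
Date: Wed, 01 Mar 2023 14:02:00 +0000""",
    """From: CRM Tool <invites@crm-tool.example>
To: bob@example.com
Subject: You've been invited to join Example Corp on CRM Tool
Date: Thu, 02 Mar 2023 08:30:00 +0000""",
    """From: IT Helpdesk <it-helpdesk@example.com>
To: alice@example.com
Subject: Please verify your account
Date: Tue, 05 Sep 2023 11:00:00 +0000""",
    """From: CRM Tool <digest@crm-tool.example>
To: bob@example.com
Subject: Your weekly digest
Date: Mon, 25 Sep 2023 07:00:00 +0000""",
]


def parse_messages(raw_messages):
    """Extract sender, recipient, subject and date; return messages in date order."""
    parsed = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        parsed.append({
            "sender_domain": sender.rsplit("@", 1)[1],
            "recipient": parseaddr(msg["To"])[1].lower(),
            "subject": msg["Subject"] or "",
            "date": parsedate_to_datetime(msg["Date"]),
        })
    return sorted(parsed, key=lambda m: m["date"])


def app_name(sender_domain):
    """Collapse subdomains (mail.taskboard.example -> taskboard.example). Assumes a two-label apex."""
    return ".".join(sender_domain.split(".")[-2:])


def is_signup_confirmation(message):
    """True for external mail whose subject looks like an account confirmation or invite."""
    if app_name(message["sender_domain"]) in INTERNAL_DOMAINS:
        return False  # internal verification mail is not a third-party sign-up
    return bool(SIGNUP_SUBJECT.search(message["subject"]))


def build_saas_inventory(messages, reference_date=REFERENCE_DATE,
                         dormant_after=timedelta(days=180)):
    """Map app -> {users, first_seen, last_seen, dormant}.

    Sign-up mail creates the entry; later marketing/follow-up mail from the same
    app only refreshes last_seen, so an app whose mail stopped long ago is
    flagged as a possibly abandoned account that still holds company data.
    """
    inventory = {}
    for m in messages:
        app = app_name(m["sender_domain"])
        if is_signup_confirmation(m):
            entry = inventory.setdefault(
                app, {"users": set(), "first_seen": m["date"], "last_seen": m["date"]})
            entry["users"].add(m["recipient"])
        elif app in inventory:
            entry = inventory[app]
        else:
            continue
        entry["first_seen"] = min(entry["first_seen"], m["date"])
        entry["last_seen"] = max(entry["last_seen"], m["date"])
    for entry in inventory.values():
        entry["users"] = sorted(entry["users"])
        entry["dormant"] = reference_date - entry["last_seen"] > dormant_after
    return inventory


if __name__ == "__main__":
    for app, entry in build_saas_inventory(parse_messages(SAMPLE_MAILBOX)).items():
        print(app, entry["users"], entry["first_seen"].date(),
              entry["last_seen"].date(), "dormant" if entry["dormant"] else "active")
```

Run against a real mailbox export, the same scan gives the backward-looking view the browser extension cannot: which apps each person signed up to, when the first confirmation arrived, and which apps have gone quiet and deserve an offboarding conversation rather than silent abandonment.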
Ultimately, rather than resisting the rise of self-service SaaS, it is better to develop a culture that allows it while encouraging employees not to hide what they are signing up to from IT, argued Bateman.
“You’re paving a safe road for people to walk on rather than locking everything down.”
- ISC2 Security Congress takes place October 25-27 2023 in Nashville, TN and virtually. More information and registration can be found here.
- ISC2 SECURE Washington, DC takes place in-person on December 1, 2023 at the Ronald Reagan Building and International Trade Center. The agenda and registration details are here.
- ISC2 SECURE Asia Pacific takes place in-person on December 6-7, 2023 at the Marina Bay Sands Convention Centre in Singapore. Find out more and register here.