
NIST understands detecting SaaS breaches involves monitoring behavior


SaaS security is composed of two parts: SaaS Security Posture Management (SSPM), which prevents threat actors from accessing the application, and Identity Threat Detection & Response (ITDR), which detects unauthorized users who were able to make their way past the preventive security measures put in place.

SSPM and ITDR form a strong bulwark against attackers. They detect misconfigurations, identify user issues, and inform on third-party risks, as well as monitor for anomalous user behavior that could indicate a threat.

The National Institute of Standards and Technology (NIST) just released version 2.0 of its Cybersecurity Framework (CSF). The functions, categories, and subcategories of NIST CSF 2.0 were intentionally developed to be technology-neutral; yet they form a natural fit to the needs of SaaS security.

Identify and Protect are used to prevent unauthorized access to SaaS applications. Detect, Respond, and Recover detect breaches and trigger the responses required to secure the application. The Govern function, introduced in the new NIST CSF 2.0 release, lends its support to both prevention and detection activities.

Read about how to apply the NIST 2.0 guidelines to your SaaS stack.

Threat prevention through the NIST framework

As mentioned above, Identify and Protect, together with Govern, form the core of threat prevention. Organizations must be able to identify the internal stakeholders. In SaaS applications, where applications are owned by business units and managed by business users, that requires collaboration between security team members and the app owners.

NIST 2.0 recognizes the dangers of changing configurations. SSPM protects against that risk by monitoring settings and alerting users in the event of configuration drift. NIST also points out the importance of inventories. From a SaaS perspective, that requires deep visibility into users, devices that access SaaS apps, integrated third-party apps, and data resources stored in SaaS applications.

Prevention is especially important at the user level. MFA and strong passwords play an important role in the NIST framework. It also recommends reducing the attack surface by following the principle of least privilege (POLP). That way, even if an account is breached, it’s likely that the threat actor will have limited access.  

Detection, ITDR, and NIST

SaaS breaches don’t begin with a bang. They involve threat actors sneaking into an application, gaining access, and slowly exfiltrating data. As understood by NIST, detection begins with identifying users and continually monitoring their behavior.

When ITDR tools detect unusual access, anomalous behavior, or access that contains indicators of compromise (IOCs), they trigger alerts within the organization. This enables the security team to take the necessary steps, such as removing a user's access, before damage can be done.
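The behavior monitoring described above can be sketched as a per-user baseline check. This is an added example, not code from the article or from any product: the event fields, sample events, reason names and the `volume_factor` threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed SaaS audit events: (day, user, action, country, files)
BASELINE_EVENTS = [
    ("2024-03-01", "alice", "download", "US", 12),
    ("2024-03-02", "alice", "download", "US", 9),
    ("2024-03-03", "alice", "download", "US", 15),
    ("2024-03-01", "bob", "login", "DE", 0),
    ("2024-03-02", "bob", "download", "DE", 4),
    ("2024-03-03", "bob", "download", "DE", 6),
]
NEW_EVENTS = [
    ("2024-03-04", "alice", "download", "US", 14),
    ("2024-03-04", "bob", "login", "BR", 0),      # country never seen for bob
    ("2024-03-04", "bob", "download", "BR", 20),
    ("2024-03-04", "bob", "download", "BR", 25),  # moderate pulls that add up
    ("2024-03-04", "carol", "login", "US", 0),    # user with no baseline
]

def build_baseline(events):
    """Per user: countries seen and median files downloaded per active day."""
    countries, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, user, action, country, files in events:
        countries[user].add(country)
        if action == "download":
            daily[user][day] += files
    return {u: {"countries": countries[u],
                "median_files": median(daily[u].values()) if daily[u] else 0}
            for u in countries}

def detect(baseline, events, volume_factor=3):
    """Return sorted (user, reason) alerts for behaviour outside the baseline."""
    alerts, totals = set(), defaultdict(int)
    for day, user, action, country, files in events:
        profile = baseline.get(user)
        if profile is None:
            alerts.add((user, "no_baseline"))
            continue
        if country not in profile["countries"]:
            alerts.add((user, "new_country"))
        if action == "download":
            totals[(user, day)] += files
    for (user, day), total in totals.items():
        if total > volume_factor * max(baseline[user]["median_files"], 1):
            alerts.add((user, "download_volume"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS))
```

Download volume is summed per user per day before it is compared with the baseline, so several moderate downloads that each look normal still raise an alert once their total exceeds the threshold.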

A welcome update

In the six years since NIST updated its framework to version 1.1, we’ve seen a tremendous change in the way organizations use SaaS. In 2018, SaaS was making inroads; today it is a popular software model used by nearly every organization. NIST CSF 2.0 clearly has SaaS security in mind as it guides users to upgrade their security posture.  

Learn more about the NIST 2.0 update and its relation to SaaS security
