While COVID-19 undeniably shifted the perception of remote work, it was the vast availability of Software-as-a-Service (SaaS) products that made it possible. From Google Docs and HubSpot to Slack and Zoom, the average company uses hundreds of SaaS apps. From HR to marketing to R&D – everyone needs a SaaS app to help them get work done.
An unseen challenge
These SaaS applications have become commonplace, and most organizations do not view them with the same security eye they do other platforms. Many fail to realize that SaaS applications can offer hackers with a hidden door into financial records, customer information, intellectual property, valuable assets and an organization’s infrastructure.
For example, cybercriminals gained access into the Slack channel for Electronic Arts, the popular video game production company behind popular titles like the annual Madden football simulation. These hackers tricked an IT team member via Slack to provide a multi-factor authentication token, which they then used to steal the source code for FIFA 21 – one of Electronic Arts’ most popular games.
In total, the hackers took approximately 780GB of data and advertised it for sale on various underground forums. The hackers gained access into the Slack channel by purchasing stolen cookies for $10 and went to work from there.
As the reliance on SaaS applications continues to rise, so will the number of attacks. Hackers have taken advantage of the seemingly relaxed attitude around these tools. How can a communications tool to message co-workers or a spellchecker become a cyber risk?
There’s also the technical challenge. While the information technology team may know and administer many of these tools, employees often use unapproved or approved solutions in poorly governed setups.
The assumption of safety often leads to failure. Many people assume that the SaaS app they use every day is safe because the service provider who created it made sure to include all the necessary security measures. However, the role of security does not fall on just the vendor or the user: it’s a shared responsibility that both sides must contribute to find success.
Think of driving a luxury top-class vehicle with all the safety and security measures in place and then driving it at 100-miles-per-hour into a brick wall. Inevitably, the vehicle will crash. I’d also argue it's also the driver’s (user’s) responsibility to drive safely.
So what’s the solution? Here are three ideas:
- Take the time to fully grasp the totality of the apps in use. That includes all SaaS products – from the ones we mentioned above to critical business-mission tools, as well as the most esoteric SaaS app used by the average employee. To start addressing security, one must first know and understand what and who comprised their SaaS estate.
- Remediate the security issues. Once applications and their usage patterns are mapped, security teams must remediate the security issues that were found. Whether the security team wants to involve the users in the loop, or take a stronger approach by setting up stronger internal safeguards, it’s important for remediation to become an integral part of the process and not left behind.
- Automate the company’s security processes. Security automation removes human error from many processes and can help ensure security never gets overlooked or neglected. Automation will hep the company get ahead of the attacker and substantially minimize risks.
Businesses today must cope with the accelerated shift and movement into cloud- based applications that introduced a new and growing attack surface. To do that they must take a holistic and proactive approach they can only achieve by deploying a new kind of SaaS security platform.
Organizations need to kill the cyber-kill chain of hackers. They need to follow best practices, but also govern SaaS use more heavily to keep track of threats. Hackers want to access end data and they will seek to take advantage of every path to it.
Understand that these SaaS products offer a new opportunity for hackers to gain access to the company’s systems. Start with gaining full visibility into the organization’s SaaS estate, find the security gaps, and make sure all these issues are handled. For ongoing, timely and streamlined security, make sure the security team automates remediation whenever and wherever it can.
Noam Shaar, co-founder and CEO, Wing Security