Special Thanks to our podcast sponsor, Obsidian Security.
We are really excited to share today’s show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show so please stick around and enjoy. First let’s go back to the basics:
Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:
- How many clouds are we in?
- What data are we sending to the cloud to help the business?
- How do we know the cloud environments we are using are properly configured?
Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business, and then focus on one cloud type that might be forecasting a major event. Let’s start with the first question.
How many clouds are we in? It’s pretty common to find organizations that still host data in on-premises data centers. This data is also likely backed up to a second location in case a disaster knocks out the main location. For example, if you live in Florida you can expect a hurricane, and when one hits you might expect the data center to lose power and internet connectivity. Therefore it’s smart to have a backup location somewhere else that is unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center together as an on-premises cloud. That’s the first cloud we encounter.
The second cloud we are likely to encounter is external. Most organizations have made the shift to using cloud computing service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on premises and a cloud computing provider such as AWS, congratulations, you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure, then you are in a multi-cloud environment. Notice the difference between the terms: hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a common cloud platform like AWS, Azure, or GCP, then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.
So let’s say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. There’s one more type of cloud hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service (SaaS). Frankly, we don’t hear SaaS security discussed much, which is why we are doing a deep dive on it in this episode. We think there’s a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that causes an event. So let’s look at SaaS security in more depth.
SaaS refers to cloud hosted solutions where the vendor maintains nearly everything: they run the application, host the data, and operate the runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. Running SaaS solutions can be a huge win since it minimizes the need for IT staff to run all of those services. For example, hiring HVAC folks to ensure proper heating and cooling for servers on premises won’t add new sales revenue to the business.
Now that you understand why SaaS is important, you should ask yourself: how many external SaaS providers are we sending sensitive data to? Every company is different, but most can expect to find dozens to hundreds of SaaS based solutions. Examples of external SaaS solutions commonly encountered by most businesses include:
- ServiceNow or Jira as a ticketing service
- Salesforce for customer relationship management
- Workday for HR information
- G Suite or Microsoft Office 365 for email and important documents
- GitHub as a source code repository for developers
- Zoom for virtual teleconferences
- Slack for instant-messaging style conversations
- Okta for identity and access management
Once you build out an inventory of your third-party hosted SaaS solutions, you need to answer the second question: what kind of data is being sent to each service? Most likely it’s sensitive data. Customer PII and PCI data might be stored in Salesforce, diversity or medical information for employees in Workday, sensitive algorithms and proprietary source code in GitHub, and so on.
OK, so if it is data we care about, then we need to ensure it doesn’t get into the wrong hands. That is why we care about SaaS security, and the discipline is commonly known as SaaS Security Posture Management. Let’s consider the 4 major benefits of adopting this type of service.
- Detection of account compromise. Today bad actors use man-in-the-middle phishing attacks to trick users into giving up their passwords and MFA codes. These attacks also capture the session cookie that lets a website know the user has already authenticated. When attackers replay that session cookie there’s no malware on the endpoint, so antivirus and EDR tools don’t have the telemetry they need to detect the compromise. Therefore you need log data from the SaaS providers themselves to see anomalous activity, such as a session’s IP address changing mid-session. Note we talked about this attack in much more detail on episode 87, From Hunt Team to Hunter with Bryce Kunze.
- In addition to detecting account compromise, SaaS security posture management solutions also improve detection times and response capabilities. Let’s say someone in your organization has their Office 365 login credentials publicly available on the dark web. A bad actor finds those credentials, logs into your Office 365 environment, and begins downloading every sensitive file and folder they can find. Do you have a solution that monitors Office 365 activity for data loss prevention? If not, you are probably going to miss that data breach. So be sure to implement solutions that both log and monitor your SaaS providers so you can improve your SaaS incident detection and response capabilities.
- A third benefit we have seen is improvements to configuration and compliance. Think of the news articles where companies were publicly shamed for losing sensitive data by leaving it in a public Amazon S3 bucket that should have been private. Similarly, most SaaS solutions have settings that need to be configured properly, and the truth is many of those settings are not secure by default. So if you are not looking at your SaaS configurations, access to sensitive data can become a real issue. Here’s an all too common scenario. Your company hires an intern to write a custom Salesforce page that shows customer documents containing PII. The intern releases updates to that page every two weeks. Unfortunately the intern was never trained on all of the Salesforce best practices and introduces a misconfiguration that allows customer invoices to be discovered by other customers. How long would this vulnerability sit in production before a bad actor finds it? If you think the answer is < 90 days, then yearly penetration tests are too slow to prevent the brand damage your company is likely to incur. You need a control that finds vulnerabilities in hours or days, not months. Such a control might notify you of compliance drift in real time when your Salesforce configuration stops meeting a CIS benchmark. You could pay a penetration testing provider thousands of dollars each week to continually assess your Salesforce environment, but that quickly becomes cost prohibitive. So focus on being proactive by switching from manual processes such as penetration testing to checks that can be automated via tooling.
- The fourth major benefit we observe is proper access and privilege management. Here’s one example. For critical business applications you often need to enforce least privilege and limit the harm any one person can cause, so it’s common to require two or more people to perform a function: one developer writes the new code for a customer facing website, and another reviews it to catch major bugs or glaring issues that might cause brand damage. A solution that helps mitigate privilege creep ensures developers don’t quietly accumulate access. Another example of the importance of proper access management arises when bad employees are fired. When that happens, the company needs to immediately remove their access to sensitive data and applications. This is pretty easy when you control access via a single sign-on solution: just disable the account in one place. However, many SaaS providers don’t integrate with SSO/SAML. Additionally, the SaaS website is generally internet accessible so people can work from home even when they are not on a corporate VPN. Therefore it’s common to encounter scenarios where employees are fired and their account access isn’t removed in a timely manner. The manager probably doesn’t remember the 15 SaaS accounts they granted an employee over a 3 year time frame. When employees are terminated and access isn’t removed, you can generally expect an audit finding, especially if it’s on a SOX application.
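To make the first two benefits concrete, here is a small detection script we added for these notes. It is not code from the show, from Obsidian Security, or from any SaaS vendor: it reads a constructed JSON-lines audit log and flags (a) a session cookie that keeps being used from a different IP address than the one it logged in from, which is what replaying a phished session looks like in provider logs, and (b) a user whose file downloads exceed a threshold inside a short window, the bulk-download pattern from the dark-web-credentials scenario. The log format, the field names, and every event in it are assumptions made up for the example; real audit feeds (Office 365, Salesforce, and so on) each have their own schema, so the parser is the part you would adapt.

```python
"""Toy SaaS audit-log detections (added example; log schema and events are
constructed, not taken from any real provider)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed JSON-lines log: alice's session hops to a new IP after login
    (session replay), bob pulls 25 files in about four minutes (bulk download),
    carol downloads 3 files over an hour (normal activity, must not alert)."""
    base = datetime.fromisoformat("2023-05-01T09:00:00+00:00")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    events = [
        {"ts": "2023-05-01T09:00:00Z", "user": "alice", "session": "s-111", "ip": "203.0.113.10", "event": "Login"},
        {"ts": "2023-05-01T09:05:00Z", "user": "alice", "session": "s-111", "ip": "203.0.113.10", "event": "FileAccessed"},
        # Same session cookie, different network: the replayed session.
        {"ts": "2023-05-01T09:07:00Z", "user": "alice", "session": "s-111", "ip": "198.51.100.77", "event": "FileAccessed"},
        {"ts": "2023-05-01T10:00:00Z", "user": "bob", "session": "s-222", "ip": "192.0.2.5", "event": "Login"},
    ]
    for i in range(25):
        ts = base + timedelta(hours=1, minutes=1, seconds=10 * i)
        events.append({"ts": ts.strftime(fmt), "user": "bob", "session": "s-222", "ip": "192.0.2.5", "event": "FileDownloaded"})
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        events.append({"ts": ts.strftime(fmt), "user": "carol", "session": "s-333", "ip": "203.0.113.44", "event": "FileDownloaded"})
    return "\n".join(json.dumps(e) for e in events)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Python < 3.11 fromisoformat does not accept a trailing 'Z'.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_ip_change(events):
    """Alert when a session id is seen from an IP other than its first one.
    Production logic would also compare ASN/geo and token age, because mobile
    users legitimately change addresses; this is the minimal version."""
    first_ip, alerts = {}, []
    for ev in events:
        sid = ev["session"]
        if sid not in first_ip:
            first_ip[sid] = ev["ip"]
        elif ev["ip"] != first_ip[sid]:
            alerts.append({"rule": "session_ip_change", "user": ev["user"], "session": sid,
                           "first_ip": first_ip[sid], "new_ip": ev["ip"], "ts": ev["ts"].isoformat()})
    return alerts


def detect_mass_download(events, threshold=20, window=timedelta(minutes=10)):
    """Alert once per user when download count within a sliding window hits
    the threshold. Events must be time-sorted (parse_events does that)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in events:
        if ev["event"] != "FileDownloaded":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop downloads older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "mass_download", "user": ev["user"], "count": len(q),
                           "window_end": ev["ts"].isoformat()})
    return alerts


def run_detections(log_text):
    events = parse_events(log_text)
    return {"session_ip_change": detect_session_ip_change(events),
            "mass_download": detect_mass_download(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(build_sample_log()).items():
        for hit in hits:
            print(rule, hit)
```

Run as-is it prints one session_ip_change hit for alice and one mass_download hit for bob with a count of 20; carol never trips the window. The point of the example is that both detections are only possible because the SaaS provider exports its audit log to you, which is the telemetry the endpoint tools in the first bullet never see.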
OK, so now that we’ve talked about the 4 major drivers of SaaS Security Posture Management (detection of account compromise, improved detection and response times, improvements to configuration and compliance, and proper access and privilege management), let’s learn from our guest, who can tell us some best practices for implementation.
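The third and fourth drivers are also easy to automate, and here is a second added example (again our own illustration, not code from the show or any vendor) that does both: it compares a tenant’s exported settings against a baseline and reports drift, then reconciles an HR termination list against SaaS account exports to find accounts still active after their owner left. The baseline is a hypothetical stand-in for a CIS-style benchmark, and the setting names, users, applications and dates are all constructed for the example.

```python
"""SaaS posture checks (added example): configuration drift against a
hypothetical baseline, and orphaned accounts of terminated employees."""
from datetime import date

# Hypothetical baseline, not a real CIS benchmark: setting -> (comparison, expected).
# "eq" means the value must equal expected; "max" means it must not exceed it.
BASELINE = {
    "mfa_required": ("eq", True),
    "public_link_sharing": ("eq", False),
    "guest_access": ("eq", False),
    "session_timeout_minutes": ("max", 60),
    "api_tokens_expire_days": ("max", 90),
}


def check_drift(current, baseline=BASELINE):
    """Return one finding per baseline item that is violated or missing.
    A setting the tenant does not report is a finding too: you cannot claim
    compliance for something you cannot observe."""
    findings = []
    for key, (op, expected) in baseline.items():
        if key not in current:
            findings.append({"setting": key, "issue": "not reported", "expected": expected})
            continue
        actual = current[key]
        ok = actual == expected if op == "eq" else actual <= expected
        if not ok:
            findings.append({"setting": key, "issue": "drift", "expected": expected, "actual": actual})
    return findings


# Constructed tenant export: two settings drifted, one is not exported at all.
CONSTRUCTED_TENANT = {
    "mfa_required": True,
    "public_link_sharing": True,      # someone enabled anyone-with-the-link sharing
    "guest_access": False,
    "session_timeout_minutes": 480,   # eight-hour sessions, over the 60-minute limit
}


def find_orphaned_accounts(terminated, accounts, today):
    """Flag accounts still active for users on the HR termination list, most
    overdue first. 'terminated' maps username -> termination date; 'accounts'
    are per-application exports with a status field."""
    findings = []
    for acct in accounts:
        term_date = terminated.get(acct["user"])
        if term_date is None or acct["status"] != "active":
            continue
        findings.append({"user": acct["user"], "app": acct["app"],
                         "terminated": term_date.isoformat(),
                         "days_open": (today - term_date).days})
    return sorted(findings, key=lambda f: f["days_open"], reverse=True)


# Constructed HR feed and SaaS account exports. Okta (SSO) was disabled for
# dave on time; the GitHub account that never went through SSO was not.
CONSTRUCTED_TERMINATED = {"dave": date(2023, 4, 1), "erin": date(2023, 4, 28)}
CONSTRUCTED_ACCOUNTS = [
    {"app": "Okta", "user": "dave", "status": "disabled"},
    {"app": "GitHub", "user": "dave", "status": "active"},
    {"app": "Salesforce", "user": "erin", "status": "active"},
    {"app": "Zoom", "user": "frank", "status": "active"},   # current employee, fine
]


if __name__ == "__main__":
    for f in check_drift(CONSTRUCTED_TENANT):
        print("drift:", f)
    for f in find_orphaned_accounts(CONSTRUCTED_TERMINATED, CONSTRUCTED_ACCOUNTS, date(2023, 5, 1)):
        print("orphaned:", f)
```

On the constructed data this reports three configuration findings (link sharing enabled, an eight-hour session timeout, and an API-token expiry setting the tenant does not expose) and two orphaned accounts, with dave’s 30-day-old GitHub access listed before erin’s 3-day-old Salesforce access. The orphaned-account check is exactly the reconciliation that SSO gives you for free for integrated apps and that you have to build yourself for the SaaS tools that never went through SAML.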
Now I’m excited to introduce today’s guest: Ben Johnson
Well, thanks again for taking time to listen to our show today. We hope you enjoyed learning about the various clouds we are in (on premises, cloud computing vendors, and SaaS) and understanding the new Gartner Magic Quadrant category known as SaaS Security Posture Management. So if you want to improve your company’s ability on SaaS based services to:
- detect account compromise,
- improve detection and response times,
- improve configuration and compliance, and
- properly manage access and privileges
Remember, if you liked today’s show, please take the 5 seconds to leave us a 5 star review with your podcast provider. Thanks again for your time and Stay Safe out there.