Organizations are transitioning to cloud-based services in record numbers to save on operational costs and IT expenses. Moving to cloud services can be beneficial from a cybersecurity perspective too, as it’s one less component of your IT infrastructure to worry about supporting and patching. Additionally, the providers for most business-level Software as a Service, or SaaS, applications and infrastructure have invested a lot of resources to focus on security for the actual platforms.
Securing the front door and APIs into the applications, however, is still the responsibility of the organizations using them. The challenge is that SaaS applications don’t sit behind the organizational firewall. Anyone and everyone has access to the front door and can probably make some good guesses about account names an organization might use. In this blog, we’ll look at the attack surface posed by SaaS applications and how you can reduce your risk.
The primary risk to address is that of account takeover. With open access to the front door, anyone can take a crack at impersonating one of your users or applications. In January 2020 alone, Microsoft identified 1.2 million compromised accounts. Based on the total accounts, this suggests that .5 percent will be compromised every month. If your organization has 2,500 users, for example, that works out to about 12 accounts per month.
Don’t start unplugging those SaaS applications yet, though. There are straightforward steps you can take to reduce that attack surface.
Tactics Behind Account Compromise
First, it’s important to understand the tactics behind account compromises. This will give more context to the solutions you can put in place. There are three main approaches adversaries use to accomplish an account compromise:
- Password Spraying Attacks: Password spraying attacks use common password lists and dictionary attacks are attempts to guess passwords by using well-known words or phrases, like words in a dictionary. Anyone can find and use simple scripts for this. Almost all (99 percent) of password spraying attacks go after legacy authentication (SMTP, POP, IMAP). These protocols don’t allow for inserting user challenges like multi-factor authentication (MFA) or capturing information such as which client is using the protocol.
- Password Replay Attacks: Stolen and replayed or recycled passwords are another common tactic that attackers use. People often use the same password for hundreds of different websites and applications, including their work accounts. Attackers can choose from a variety of simple tools to run through and validate passwords for accounts they can then compromise.
- Phishing Attacks: Phishing attacks target users en masse or individually (via targeted spear phishing) to give up their credentials. Attackers send legitimate-looking emails to individuals. These emails often appear as though they come from an internal user or someone they know, and may direct the user to a web page that resembles a known website or familiar service like Office 365. In reality, the user is directed to a fake site that harvests user credentials.
How to Reduce the Likelihood of Account Compromise
There are several steps you can take to quickly and dramatically reduce the likelihood of an account compromise in your SaaS applications. Most of these recommendations revolve around modernizing your identity and access capabilities beyond simple password-based authentication.
- Turn off Legacy Authentication: Older authentication that relies on passwords alone without any other context about the user, the application being used or the ability to insert a multi-factor challenge is considered legacy. You probably have SMTP, POP or IMAP for email accounts. You may have applications logging in through your directory or remote apps on employee devices that use legacy authentication to a SaaS app used by the field teams. These are ripe for the password spray or replay attacks above. A popular vendor has a feature that allows your admins to disable all legacy authentication using conditional access rules, ensuring that nothing unknown is beyond your view. With Motorola Solutions’ ActiveEyeTM security platform, you can view logs from any application that’s connected via API and identify any legacy authentication still in use. Our Security Operations Center (SOC) analysts have configured ActiveEye Playbooks (logic that automates the processing of security events) to raise the priority level of suspicious log-on activity when legacy authentication is in use.
- Enable and Enforce Multi-Factor Authentication: The follow-on step here is to enable Multi-Factor Authentication (MFA) that ensures a password breach or guess alone will not allow account compromise. More than 99 percent of the account compromises identified by the same popular vendor did not have MFA. Using push notifications to mobile devices makes MFA as straightforward as tapping a button on a mobile phone. This is simple enough for any executive or non-technology savvy employee to understand and use. If you introduce MFA, perhaps you can make a trade off and simplify passwords. Several studies suggest requiring users to change passwords every month and forcing complexity of characters results in less secure passwords. You can find more information in the National Institute of Standards and Technology’s Digital Identity Guidelines.
- Centralize Authentication (and Provisioning): If you haven’t done so already, look at centralizing authentication for ALL of your SaaS applications. A centralized authentication provider will also have the capability to enable the MFA in the step above. Any business-focused SaaS application will support federated authentication and plug easily into the authentication service. Simply redirect that app back to your centralized authentication source and you can ensure only users you provision are allowed into those SaaS apps. There are several vendors that offer several options for this. The basic functionality across the vendors is similar, so select the one that aligns best with your broader IT approach. ActiveEye can collect logs from this authentication service and monitor for account takeover across the user base.
- Audit SaaS Apps for Orphaned Accounts: You want to avoid the risk and embarrassment of an ex-employee or one in a new role accessing data or manipulating data with an account you forgot about. At a minimum, the user accounts in these SaaS apps need to be audited regularly. The good news is that if you are centralizing authentication as noted above, disabling a terminated user in the central authentication service will ensure they cannot access any SaaS app. ActiveEye will log all access and retain events for a year or more. If you need records of who accessed what and when you’ll have a simple view of that information.
- Monitor Cloud Apps 24/7 with a Security Partner: When account compromises do occur, the key is to detect them quickly before data can be removed or social engineering can take place across the organization. A centralized detection and response capability natively integrated to cloud applications is critical to uncovering these attacks and taking response actions quickly. ActiveEye will identify anomalous user access via unusual locations, known malicious IPs, unusual post-logon activity and more. A common scenario uncovered by our SOC analysts is configuration of email forwarding or processing rules after account takeover so the attacker can perform socially-engineered activity from the account without the user being aware.
While cloud-based services can be beneficial in many ways and do come with some built in security, it’s ultimately up to your organization to secure the front door and prevent account takeover and compromise. The tactics outlined in this blog should give you a good head start to reduce the attack surface and your risk. It is a lot to implement and will be difficult to accomplish all at once.
Plan your rollout gradually and deploy by department so as not to impact all users at once. Authentication is tricky and you will uncover applications you were not aware of that will cause delays so don’t get too aggressive with your schedule. In the end, you will have the security you need to let the business move forward quickly (and securely).
Learn more about how the experts at Motorola Solutions can meet your cloud security and cybersecurity needs here.