The SaaS market has grown over 1,000% in the last 12 years to the point where the average organization now has some 843 SaaS applications. Unfortunately, the cybersecurity of most organizations has not been able to keep up.
While administrators are trained to be vigilant about third-party applications in general, they generally consider major business systems to be safe from intrusion, assuming everything in Microsoft’s application garden remains safe and secure.
Lulled into complacency, they are often unaware of exactly which applications are connected to the corporate system. Salesforce users can, for example, “plug in” an app without actually installing it. Although they can use the app, the information is logged for the user, not the app, making it difficult to track or troubleshoot.
So if a user reinstalls an app without logging out first, this usually doesn’t invalidate the old API key. If the key has been lost, leaked, or stolen, reinstalling the application will not remove the vulnerability. The old tokens are now also hidden and not easily accessible to the user through the interface, so the product owner may even be unaware of their existence. Administrators need to be aware of lost, leaked, or stolen keys so that they can be revoked immediately.
However, most organizations lack the macro and micro visibility necessary to fully secure their systems. The security team needs macro visibility to see what Shadow SaaS services they have at any given time. Most companies rarely have a complete picture of all their connected third-party apps or where API tokens are shared. Security teams also need micro visibility to understand what each SaaS service does and what permissions it has. For example, a sales enablement tool with read and write access can be seamlessly synced with Salesforce.
Without this visibility, admins don’t have a clear picture of how their rapidly expanding app ecosystem is behaving and whether they’re missing malicious activity. This problem is now much more pervasive than most administrators realize. North Carolina State University recently scanned 13% of all public GitHub repositories and found that over 100,000 of them contained API keys and cryptographic tokens, which hackers can use to extract data from those respective systems.
Threat actors have long managed to compromise users of even the most well-known and trusted systems in order to execute attacks via third parties. In 2019, a misconfiguration in the popular project management software Jira exposed vast amounts of data from hundreds of companies; among those exposed were NASA, Google, Yahoo, Gojek, HipChat, Zendesk, Sapient, Dubsmash, Western Union, Lenovo, 1Password, Informatica, the United Nations, and the governments of Canada and Brazil. Worse yet, the exposed URLs were crawled by Google, and that’s how a whistleblower discovered the sensitive data.
What is now known as “Ghost SaaS” has become much more common than most cybersecurity professionals realize. Dozens of online platforms, both SaaS and social media, have merged, changed addresses, or closed completely over the years. There is an active and ongoing darknet market in defunct online platforms, open to threat actors of all types looking for entry points into all types of organizations. The stock of redundant platforms is constantly renewed as services go out of business, sell their assets, or simply forget to renew a domain.
Security teams should start by discovering which SaaS services staff are actually using. Then determine whether those services (their purpose, location, ownership) have changed. If so, reassess them. If they are insecure, security teams have no choice but to stop their use in the organization immediately.
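As an added example (not code from the article or from Atmosec), the following Python script sketches the inventory check described above over a constructed list of connected apps: it flags orphaned tokens left behind by uninstalled apps, integrations pointing at defunct vendor domains, unused tokens, and write scopes that should be re-confirmed. The app names, domains, dates and the defunct-domain list are all made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class ConnectedApp:
    name: str
    domain: str                      # vendor host the integration talks to
    installed: bool                  # still visible in the admin console?
    token_last_used: Optional[date]  # None = token issued but never used
    scopes: Tuple[str, ...] = ()

STALE_AFTER = timedelta(days=90)
# Constructed list of vendor domains known to be expired or sold off ("ghost SaaS").
DEFUNCT_DOMAINS = {"old-sales-sync.example"}

def audit(apps: List[ConnectedApp], today: date,
          defunct=DEFUNCT_DOMAINS) -> List[Tuple[str, str]]:
    """Return (app, reason) pairs whose tokens should be revoked or re-reviewed."""
    findings = []
    for app in apps:
        if not app.installed:
            # Removing or reinstalling an app does not invalidate its old key.
            findings.append((app.name, "orphaned token: app no longer installed"))
        if app.domain in defunct:
            findings.append((app.name, "ghost SaaS: vendor domain defunct"))
        if app.token_last_used is None or today - app.token_last_used > STALE_AFTER:
            findings.append((app.name, "stale token: unused for over 90 days"))
        if "write" in app.scopes:
            findings.append((app.name, "write scope: confirm still required"))
    return findings

# Constructed sample inventory (names, domains and dates are made up).
TODAY = date(2024, 5, 15)
SAMPLE_APPS = [
    ConnectedApp("crm-enrich", "crm-enrich.example", True, date(2024, 5, 1), ("read",)),
    ConnectedApp("sales-sync", "old-sales-sync.example", False, date(2023, 9, 1),
                 ("read", "write")),
    ConnectedApp("slides-export", "slides.example", True, None, ("read", "write")),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_APPS, TODAY):
        print(f"{name}: {reason}")
```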
While security teams should communicate directly with staff to exercise caution when dealing with all kinds of third-party applications, they should also consider using an automated, intelligent system that examines all connections inside and outside the organization’s network, including connections to phantom domains and ghost SaaS platforms.
The argument for encouraging staff to use SaaS applications from trusted developers has become overwhelming in terms of increased efficiency and cost control. But in doing so, companies in all industries expose themselves to countless unforeseen vulnerabilities at the hands of today’s increasingly professional and well-organized cybercriminals. Going forward, it is essential that all types of organizations carry out immediate, complete and continuous monitoring of all SaaS applications connected to the corporate network.
Misha Seltzer, Co-Founder and CTO, Atmosec