
teissTalk: Detecting imposters and rogue insiders in SaaS applications

teissTalk host Thom Langford was joined by odd Wade, Chief Information Security Officer, Lloyds Intelligence; Aderonke Thompson, Research Scientist, Applied Cybersecurity Team, VTT, Finland - ERCIM Fellow (2022); Adam Koblentz, Field CTO, Reveal Security.

 

Views on news


Software as a Service (SaaS) research has found that large companies hold an average of 5.5 million assets in SaaS applications. The vulnerabilities covered in the report fall into five categories: insider threats; external actors and access; third-party to fourth-party data sharing; outdated permissions; and third-party applications.

 

The greater exposure of SaaS apps is mostly down to the shared responsibility model: the provider secures the platform, but the customer remains responsible for configuration, identities and data. In addition, several applications are simply unknown to the security team because of shadow IT; these applications are not even behind single sign-on, so security cannot be held responsible for their vulnerabilities. The root of the problem often lies in procurement.

 

Why were these apps bought without going through the security channel in the first place? Previously, far more robust approval processes were in place. The problem can, to some extent, be managed through network segregation and discovery. Another pitfall is that businesses buy SaaS solutions without considering what kind of data, including PII, will be kept in them.

 

Managing shadow IT and the access privileges of former employees


There are now solutions on the market that will tell you if you have SaaS apps on your network that you are unaware of. Risk assessment is an essential first step that no company should skip. If businesses followed established standards (acceptable use policies, change management processes, NIST SP 800-53, Zero Trust Architecture), most of the problems security experts face would vanish. Sometimes even colleagues working towards similar goals, such as security and compliance, speak different jargon, and the same word can mean different things to each of them.
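The discovery step above, as an added example that is not part of the article or of any product it mentions: the script walks constructed web proxy log lines, maps each destination host to a SaaS application through a small catalogue, and reports every catalogued app that is not on the sanctioned list together with the users seen reaching it. The log format, the catalogue and the sanctioned list are all assumptions; a real deployment would feed it the proxy or DNS export and a catalogue of thousands of domains.

```python
"""Shadow SaaS discovery from web proxy logs (illustrative, not the article's)."""
from collections import defaultdict

# Constructed sample proxy log: timestamp, user, source IP, destination host, status.
PROXY_LOG = """\
2024-03-01T09:02:11Z alice 10.0.1.5 login.salesforce.com 200
2024-03-01T09:03:40Z alice 10.0.1.5 app.notion.so 200
2024-03-01T09:05:02Z bob 10.0.1.9 www.dropbox.com 200
2024-03-01T09:05:30Z bob 10.0.1.9 teams.microsoft.com 200
2024-03-01T09:06:10Z carol 10.0.1.12 app.notion.so 200
2024-03-01T09:07:55Z carol 10.0.1.12 www.google.com 200
2024-03-01T09:08:20Z dave 10.0.1.15 app.notion.so 200
2024-03-01T09:09:00Z dave 10.0.1.15 api.trello.com 200
"""

# Assumed: apps that went through procurement and sit behind single sign-on.
SANCTIONED = {"salesforce.com", "microsoft.com"}

# Assumed: a tiny catalogue mapping registrable domains to SaaS products.
SAAS_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "notion.so": "Notion",
    "dropbox.com": "Dropbox",
    "microsoft.com": "Microsoft 365",
    "trello.com": "Trello",
}


def registrable_domain(host):
    """Reduce a hostname to its last two labels.

    Simplification: ignores multi-label public suffixes such as co.uk,
    which a real implementation would handle with the Public Suffix List.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Split one proxy log line into a record; raises on malformed input."""
    ts, user, src_ip, host, status = line.split()
    return {"ts": ts, "user": user, "src": src_ip, "host": host, "status": int(status)}


def discover_shadow_saas(log_text, catalogue=SAAS_CATALOGUE, sanctioned=SANCTIONED):
    """Return catalogued-but-unsanctioned apps, most widely used first."""
    users_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        domain = registrable_domain(rec["host"])
        if domain in catalogue:
            users_by_domain[domain].add(rec["user"])

    report = [
        {"app": catalogue[d], "domain": d, "users": sorted(u)}
        for d, u in users_by_domain.items()
        if d not in sanctioned
    ]
    # Widest adoption first: that is where the most data is likely to sit.
    report.sort(key=lambda r: (-len(r["users"]), r["domain"]))
    return report


if __name__ == "__main__":
    for finding in discover_shadow_saas(PROXY_LOG):
        print(f"{finding['app']:<12} {finding['domain']:<16} users={finding['users']}")
```

Sorting by the number of distinct users puts the app with the widest unapproved adoption at the top; that is the one most likely to be holding PII and the first candidate for either procurement review or network segregation.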

 

There are some very interesting solutions in the sector for detecting social engineering. Today businesses run many point solutions that security may or may not have visibility into or receive logs from, each with a different version of the shared responsibility model. When talking to the C-suite, security experts need to make them understand what is at stake when a particular risk materialises.

 

The panel’s advice


Statistically, 20% of employees would never steal data, 60% might do it if the circumstances are right, and 20% will do it no matter what.


In businesses with tight security, it’s more likely that employees will circumvent it to get their jobs done.
You can write rules only against the bad things that you are aware of. 


Always drill down to the causes of an incident.
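The point that rules only cover the bad things you already know about, as an added example that is not part of the article or of any vendor's product: a fixed "mass download" rule is run beside a per-user baseline over constructed SaaS audit events. The rule fires only on the pattern it was written for; the baseline flags actions a user has never performed before and volumes far above that user's own history, which is where an impostor using a legitimate account or an insider changing behaviour tends to show up. The log format, the threshold and the baseline factor are assumptions.

```python
"""Known-bad rule versus per-user behavioural baseline over SaaS audit events.

Illustrative code, not the article's. Fields: timestamp, user, app, action, count.
"""
from collections import defaultdict

# Constructed training window: each user's normal activity.
HISTORY = """\
2024-02-05T10:00:00Z alice drive download 4
2024-02-06T10:10:00Z alice drive download 6
2024-02-07T11:00:00Z alice drive download 5
2024-02-05T09:00:00Z bob crm export 1
2024-02-06T09:00:00Z bob crm export 2
2024-02-07T09:00:00Z bob crm export 1
"""

# Constructed detection window. Only the carol event matches the known-bad rule.
NEW_EVENTS = """\
2024-03-01T10:00:00Z alice drive download 5
2024-03-01T02:13:00Z alice crm export 3
2024-03-01T09:00:00Z bob crm export 2
2024-03-02T09:00:00Z bob crm export 80
2024-03-02T14:00:00Z carol drive download 120
"""

MASS_DOWNLOAD_THRESHOLD = 50  # assumed: the one "bad thing" the rule author knew about
BASELINE_FACTOR = 3           # assumed: flag volumes above 3x the user's historical peak


def parse(text):
    """Parse audit lines into records; the timestamp is kept as a string."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action, n = line.split()
        events.append({"ts": ts, "user": user, "app": app, "action": action, "n": int(n)})
    return events


def rule_mass_download(event):
    """Signature-style rule: a single download event of THRESHOLD or more objects."""
    return event["action"] == "download" and event["n"] >= MASS_DOWNLOAD_THRESHOLD


class Baseline:
    """Per-user memory of (app, action) pairs seen and the peak count per pair."""

    def __init__(self, events):
        self.pairs = defaultdict(set)   # user -> {(app, action), ...}
        self.peak = defaultdict(int)    # (user, app, action) -> max count seen
        for e in events:
            key = (e["user"], e["app"], e["action"])
            self.pairs[e["user"]].add((e["app"], e["action"]))
            self.peak[key] = max(self.peak[key], e["n"])

    def check(self, e, factor=BASELINE_FACTOR):
        """Return a reason string if the event deviates from the user's history."""
        key = (e["user"], e["app"], e["action"])
        if (e["app"], e["action"]) not in self.pairs[e["user"]]:
            return "first-seen action for this user"
        if e["n"] > factor * self.peak[key]:
            return f"volume {e['n']} exceeds {factor}x historical peak {self.peak[key]}"
        return None


def evaluate(history_text, new_text):
    """Run both detectors; return the events either one flagged, in log order."""
    baseline = Baseline(parse(history_text))
    findings = []
    for e in parse(new_text):
        by_rule = rule_mass_download(e)
        reason = baseline.check(e)
        if by_rule or reason:
            findings.append({**e, "rule": by_rule, "baseline": reason})
    return findings


if __name__ == "__main__":
    for f in evaluate(HISTORY, NEW_EVENTS):
        print(f"{f['user']:<6} {f['app']}/{f['action']:<9} n={f['n']:<4} "
              f"rule={f['rule']!s:<5} baseline={f['baseline']}")
```

Of the three findings, the rule catches only the 120-object download; the off-hours CRM export by a user who has never touched the CRM, and the 40x jump in a regular user's export volume, surface only through the baseline. The converse caveat applies too: a baseline learned from a window that already contained abuse will treat it as normal, which is why drilling down to the cause of each finding matters before tuning.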
 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543