With the SaaS market on pace to grow by nearly 19 percent annually and become a $900 billion dollar industry by 2030, it’s easy to see why SaaS applications and ecosystems have become such attractive targets for bad actors to exploit.
Several recent breaches such as CircleCI and MOVEit have demonstrated this targeting of SaaS ecosystems, exposing hundreds of organizations and potentially affecting millions of individuals.
Given today’s threat landscape, it’s no wonder that nearly 90 percent of enterprises are responding by making SaaS application protection a top priority for the foreseeable future, according to the Enterprise Strategy Group.
However, as every seasoned information security leader well knows, protecting SaaS applications and environments goes beyond fortification. As threats will continue exploiting human error to breach enterprise SaaS ecosystems, it’s imperative to invest in a robust incident response (IR) strategy.
Understanding your exposure
Mounting an effective incident response starts by first ascertaining the extent of your SaaS surface area. Traditionally, many organizations have underestimated the scope and sprawl of their SaaS applications or the risks from interconnectedness. In fact, it’s estimated that 9000 applications on average have access to any given enterprise SaaS ecosystem.
To determine the extent of your SaaS exposure, take the following steps:
- Create a detailed inventory of all your sanctioned SaaS applications such as Microsoft 365, Google Workspace, Dropbox, and Salesforce, including applications adopted by departments who have the autonomy to adopt their own solutions.
- Analyze all third-party integrations to understand application interconnections, whether via integrations or APIs, as these connections facilitate lateral threat movements. On average, these interconnections will number in the tens of thousands.
- Catalog all credentials, including tokens and API keys, for people and devices to enable rapid revocation for those involved in an incident.
Establish appropriate controls
As your enterprise is likely subject to multiple internal and external compliance requirements, your next objective is implementing controls. Fortunately, many federal and state regulations are based on the Cloud Security Alliance’s Cloud Controls Matrix (CCM), making it a recommended resource for developing your framework.
Be certain to develop a process for continuously updating your controls, which enables you to stay current with regulatory changes. For example, today’s compliance trends are mandating the use of encryption and making breach notification requirements 72 hours, or less.
Assess your response capabilities
Next up is assessing how quickly you can respond to an incident. Naturally, the faster you can respond to a SaaS breach, the fewer damaging consequences you’ll have—and even the potential for avoiding them altogether. Your response speed will depend upon:
- Context capabilities, which is your ability to detect and analyze an attack and which apps are compromised. It includes activity logging for rapidly identifying anomalies.
- Containment capabilities, such as rapidly suspending suspicious accounts or revoking credentials.
- Eradication capabilities and processes, which include policies and procedures as well as adjacent security technologies like identity and access management (IAM), endpoint detection and response (EDR), and others.
8 ways SSPM solves SaaS IR challenges
As the volume and intensity of IR challenges within today’s SaaS landscape continue to rapidly grow, leading enterprises are automating their SaaS IR practices end-to-end by adopting SaaS Security Posture Management (SSPM) solutions like Obsidian.
Both a proactive tool and a rapid response solution, Obsidian’s comprehensive SSPM platform helps streamline, simplify, and accelerate IR preparation, detection, and mitigation.
Developed and evolved in close partnership with leading enterprises, the mature machine learning-powered Obsidian platform combines data engineering, data science, and threat research to speed SaaS incident response times by 90 percent, on average. Here’s how:
- Identifying security gaps to provide your IT, security, and operations IT teams with intuitive dashboards for uncovering and visualizing any existing security shortfalls.
- Automating SaaS application inventories and controls for being proactive about incident responses and meeting compliance requirements.
- Reducing third-party integration risks using automation to manage interconnections between applications at scale.
- Leveraging machine learning for real-time visibility into activity and correlating data insights to more rapidly and accurately pinpoint threats.
- Detecting new and emerging SaaS threats such as token compromise, OAuth compromise, and device code flow abuse.
- Pinpointing anomalies to permit rapidly suspending accounts, revoking credentials, or disabling tokens.
- Integrating smoothly with adjacent security stack solutions and supplying them with visibility, such as enabling CrowdStrike to trace an endpoint breach into a SaaS environment for rapid mitigation.
- Adapting to new threats continuously by using machine learning to anonymously evaluate threat data from every user in the database and instantly applying the insights across all enterprises. This accelerates responses for each user, providing every customer with an increased level of protection.
Checklist for gaining real-time IR insights
By providing your security teams with real-time insights into activity within and across your SaaS ecosystem, Obsidian’s intelligent SSPM platform fundamentally reduces your risk from today’s advanced threats, while significantly accelerating your IR capabilities.
As you build out your enterprise SaaS security solutions, you can learn more about selecting an SSPM to improve your IR strategy by consulting the white paper Accelerating SaaS Incident Response: A Checklist for Success.
