The massive Snowflake breach disclosed recently, involving hundreds of millions of stolen customer records, is a stark wake-up call for organizations to proactively manage their SaaS security.
No doubt the downside of the disruptive SaaS trend is the expansion of the cyber-attack surface, with threat actors heavily targeting SaaS identities. In 2023, 82% of security breaches involved data stored in the cloud, according to Security Intelligence.
Human error is consistently identified in research as the top cause of data breaches.
In the Snowflake data breach, the company said the threat campaign targeted users whose accounts were secured with single-factor authentication. This is a type of human error caused by a misconfigured security setting: the lack of multifactor authentication (MFA) enforcement or policy in the companies impacted. Threat actors leveraged credentials they had either purchased previously or obtained using malware.
The Snowflake case brings to light the challenge of enterprises to shift from the role of passive SaaS customers to taking preventive measures to reduce human error, as well as having active threat detection defenses to minimize the damage of a breach in a SaaS environment in case an attack occurs.
Here are two key lessons to be learned from the Snowflake breach based on what we know thus far:
1. Misconfiguration Management is a Must (But Not Enough)
Misconfigurations are a primary cause of SaaS security incidents and data breaches, as we saw in the MFA meltdown in the Snowflake case. Business-critical applications have hundreds of settings each, which means an organization’s SaaS stack can have thousands of configurations that should be monitored and managed. This is a task that requires a high level of sophisticated automation, especially when most of the app owners and admins sit outside of IT and don’t have cybersecurity expertise.
An emerging and growing technology, SaaS Security Posture Management (SSPM) has been specifically developed over the past few years to automate monitoring and management of cybersecurity for SaaS applications.
While managing misconfigurations is the “101” of SaaS security, there are other important aspects that are not directly related to misconfigurations. Organizations need to have the ability to monitor non-human identities connected to the SaaS stack. In addition, they need to govern human identities—from entitlement management to the categorization of external users, dormant users, and active users who should have been off-boarded after leaving the company. User devices are an additional attack vector, especially for privileged users who log into their apps through a compromised device.
Introducing an SSPM into a SaaS environment goes a long way toward preventing breaches.
Indeed, in the cybersecurity community, across all industries, the benefits of SSPM are being widely recognized, according to a recent survey conducted by the Cloud Security Alliance. The survey found that 65% of organizations are currently using or planning to deploy an SSPM solution within 18 months.
2. Threat Detection Capabilities are a Necessity
Threat detection capabilities add an additional layer of identity protection for an organization’s SaaS security program. When threat actors get through the initial defenses, having a robust Identity Threat Detection and Response (ITDR) system in place as a part of identity security can prevent massive breaches.
In Snowflake’s June 3 update, the company said the issue originated with targeted attacks coming from a range of IP addresses.
Once inside, the company lacked any meaningful threat detection capability, which enabled the threat actors to exfiltrate over 560 million customer records.
A SaaS-centric ITDR mechanism most likely would have alerted security teams that massive amounts of data were being downloaded by an account that had accessed the application through an atypical IP address.
ITDR combines several elements to detect SaaS threats. It monitors events from across the SaaS stack, and uses login information, device data, and user behavior to identify behavioral anomalies that indicate a threat. Each anomaly is considered an indicator of compromise (IOC), and when those IOCs reach a predefined threshold, the ITDR triggers an alert.
An ITDR system can also detect sophisticated identity attacks using other tactics. These include:
- MFA attacks: These include adversary-in-the-middle attacks, which trick users into doing the multifactor authentication interaction. An ITDR system can detect multiple failed MFA attacks.
- Token theft: A growing non-human identity attack vector that has impacted vendors such as GitHub, token theft occurs when unauthorized individuals gain access to security tokens, used to authenticate identity and authorize access to systems and data.
- OAuth consent phishing: Another bypass attack is OAuth consent phishing, where targeted users are asked to grant permission to a malicious app that can exfiltrate data.
- Account hijacking through compromised user devices.
Conclusion: SaaS Security is a Shared Responsibility
Now, Snowflake has announced it is working on new capabilities for the product to feature an option for Snowflake admins to require MFA for all users in an account. This move will allow admins to enforce MFA security.
Through this type of shared responsibility for SaaS security, providers offer robust security capabilities within their SaaS applications to harden the environment, but ultimately organizations must have their own policies and actively protect and defend their own data.
Major incidents like the Snowflake breach could be prevented by implementing effective monitoring and hardening tools. Beyond prevention, which is fundamental to SaaS security, having threat detection and response capabilities tailored for SaaS applications could have identified the Indicators of Compromise (IoCs) and halted the attack at the SaaS perimeter.
Adding a SaaS-specific ITDR system, working alongside a preventive SaaS Security Posture Management (SSPM) solution, enables enterprises to proactively cover attack vectors across their SaaS ecosystem.
About the Author
Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political science and Philosophy (PPE). Oh, and he loves mountain climbing.
Hananel can be reached online at his LinkedIn and at our company website www.adaptive-shield.com.