Software-as-a-service (SaaS) applications have become the backbone of many modern businesses. With the myriad of functionalities they offer, they maximize collaboration, agility, scalability, and ultimately, profits. So it's no wonder that companies rely on an incredible hundreds of apps today, up from dozens just a few years ago.
But this rapid adoption has introduced brand-new vulnerabilities and elusive blind spots. 2024 saw many attacks originating from SaaS apps including those perpetrated by nation states. And the headlines about SaaS app attacks seem to be getting more ominous if that is even possible. The culprits behind the attacks come from outsiders, insiders, third parties, and even unintentional human errors or negligence.
The need to address this snowballing trend has reached a critical point. Given the scale and speed of app development and adoption, we are creating a larger attack surface for increasingly capable adversaries every day. In such a high-stakes environment, traditional security checks are no longer enough.
A Much-Needed Shift to a Contextual Approach
In the SaaS app world, everything is in constant motion—users change, employees leave, new projects are added, and so on. Different teams use different apps, sometimes even those that have not been sanctioned by IT and security teams. It can be too easy for employees to improperly set up the apps, cause a misconfiguration, share sensitive data, and at times stop using the app afterward.
If you were to embark on a SaaS app data inventory assessment exercise today, how confident would you be that you've identified all the third-party apps connected to your critical apps (App2App connectivity) and that all your apps are protected?
With so many moving pieces, the SaaS app environment cannot be captured and managed with a surface snapshot. You would need to consider the numerous layers of operations, connections, and data involved. You would need to recognize each layer individually and also understand how they interact and influence one another on an ongoing basis. If you stick to traditional, static security methods such as historical data and checklists, you won't get far. As a security leader, what you need is a new, dynamic approach – one that takes the changing context and priorities into account.
In an ideal scenario, your first step is to broadly categorize your SaaS apps into those that support critical processes and hold essential company data, and those that do not. The critical apps include Microsoft 365, Google Workspaces, Salesforce, Slack, and Zoom, as well as departmental tools like GitHub, Atlassian apps, and HubSpot. In the less critical category, consider niche apps used by employees for specific tasks, such as remote work, interviewing, product reviews, and the recent wave of generative AI (GenAI) apps.
This categorization will give you a great starting point but it's important to recognize that every organization has unique app usage patterns. For example, an app that's crucial at another company may not be significant for your company. To develop an effective approach, you'll want to consider which apps are critical for your specific business. What level of permissions are associated with these apps and accounts? What type of data is shared?
The answers to these questions are changing constantly. A SaaS app you deem non-critical today may pose the most outsized risks tomorrow. If all these answers could be integrated into a single source of truth, it would give you the context, help with prioritization, and ultimately simplify the management of the SaaS app sprawl.
A Deeper Look at Contextualization
Many people think of "contextualization" as an activity that takes place as part of "setting the stage" – something you do at the beginning of a project. For SaaS app security to be successful, we must return to the word's etymological meaning, "inter-weaving", and understand that context demands continuous attention across different elements and stages, across the entirety of the SaaS app spectrum. Effective contextualization is an ongoing effort and many dimensions need to be considered.
Take historical app data, for example. Has the app been breached before? How? Does the app meet SOC2 or CCPA and GDPR standards? What are its configuration weaknesses? While these questions are crucial, relying solely on their answers won't provide the full context. Vulnerabilities identified in the past can rapidly evolve, posing new or amplified risks. This was evident in the systematic targeting of Snowflake environments in May 2024, highlighting that even measures like MFA, which seem so obvious, can leave companies highly vulnerable if not consistently applied across all relevant platforms and apps.
Add to the mix current app usage and visibility. It would make sense to review user permissions, get real-time visibility into app usage, check for shadow IT, and detect whether an app powered by Gen-AI is training on your data. But again, an app that was secure six months ago might present new risks today due to changes in how it's used, how it's been updated, or what your employees do with it. Issues such as over-privileged accounts and unmonitored third-party integrations can introduce new risks at any time. One notable incident took place in September 2023, when MGM Resorts, one of the world's top casino operators with multiple properties in the Las Vegas strip, was struck by a major cyberattack through its IDP and social engineering on the help desk.
A third element involves potential attack vectors, etc. The news of an attack, alone, might not mean much or may cause too much unwarranted stress. Here again, putting the information in the relevant context would mean the continuous interweaving of external threat intelligence with internal data and gaps.
By combining these three elements – historical information, current usage, and potential attacks – you can get continuous context, which will help you to prioritize your responses.
Prioritization for a Proactive Approach
Prioritization is essential not because your security teams fail to detect threats and gaps, but because they often detect too many. With an overwhelming number of alerts, it's simply not feasible—either humanly or technically—to investigate every alarm that sounds. Prioritizing will allow you to focus on the most critical threats, ensuring that you can respond effectively without getting lost in a sea of alerts. It will allow you to respond before an issue becomes a real-world problem.
So, how do we prioritize risks effectively? The answer is through a dynamic and effective scoring system specifically adapted to the SaaS app environment. Such a system can provide a posture score for your overall SaaS security, a score for each critical application, and a detailed risk assessment that accounts for factors such as user dependency, application vulnerabilities, and historical data on breached apps.
In summary, to secure your SaaS applications and protect against data leaks and breaches, your strategy must include a contextual approach. It must take into account historical performance, changing trends, emerging threats, and the interplay between them. It must help you get the answers you need instantly and on an ongoing basis. It must give you a reliable way to prioritize risks and gaps and decide which actions to take – all this without creating extra work or burden on you or your team.
The Path Forward with Wing Security
To streamline and secure SaaS adoption and usage, Wing was the first in the industry to adapt the well-known MITRE framework CWSS (Common Weakness Scoring System) to SaaS security in order to score SaaS app weaknesses in a reliable way. This adapted CWSS is part of the Wing Security solution, creating a quantifiable language, and bringing clarity and focus to your SaaS security efforts. It provides a security health score, which delivers the context you need as well as tools for prioritization to streamline your efforts.
Wing Security offers a holistic, low-touch SaaS security solution that provides full visibility and control across the SaaS ecosystem, helping mid-market security teams minimize attack surfaces, improve security posture, and proactively detect and respond to threats. Unlike others, Wing includes built-in remediation, allowing teams to address risks with minimal effort through automated or manual processes. With its comprehensive approach, Wing simplifies SaaS security life-cycle management, ensuring data is secured and configurations are correctly managed for CISOs.
Note: This article, expertly written by Yoav Kalati, VP of Product at Wing Security, draws on his more than 15 years of experience in cyber defense at both the national and international levels. Yoav began his career in the Israeli military's 8200 unit, where he held various cyber-defense roles, eventually retiring after a successful tenure in the military's Cyber Threat Intelligence division. He has received numerous certificates of excellence, including recognition from the head of the Directorate of Military Intelligence and the head of the Cyber Defense Division.
Yoav Kalati — VP of Product Wing Security https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtCw_NKLhk28faT_XmhDnCov4XDtZVny6se9NL8oHaZ_9Tqe3EU7yKHMl5vRN0mwOje9YB_km1OMpSsyHpCs6vcg7XDy6AxNUqQVnYQ2xEXTVdISqxT3RFpV_lscSm8WMaFwPuQ8DxHoUsEwZm_Is3SXEq7l6-cPW1PIEZqyvEFzUTCax889VVf5wAbHg/s728-rw-e365/wing.png
