Written by: Zakk K, Security Architect at Attivo Networks – As the enterprise becomes more dependent on software delivered as an externally hosted service that someone else maintains, securing what used to be an in-house application becomes more complex; the trade-off is the convenience and affordability of consuming software as a service. An example is the replacement of on-premises email servers with cloud-based Microsoft 365 (formerly Office 365), which raises the question of how effective traditional security controls hosted in the datacenter are at protecting an externally hosted service.
Without control of the application, the enterprise becomes more reliant on cloud-based authentication and security systems instead of the traditional directory servers hosted inside the on-premises perimeter. Vendors offering SaaS delivery models protect their underlying infrastructure and augment their services with compensating features, but a security gap can remain on the enterprise side. Moving email servers out of the datacenter, combined with the growth in remote workers and endpoint devices that suddenly operate remotely over the VPN, undermines the premise of monitoring network traffic, and network and operating system access attempts become harder to track. Additionally, attacks against SaaS are mostly credential-based: the attacker impersonates a legitimate user and does not need network- or application-level reconnaissance to succeed. A single valid credential is enough for an initial compromise.
One way to detect malicious activity on the endpoint more effectively is to monitor remotely for telltale signs of intrusion by committing to maintaining an EDR presence. Organizations should also add preventive endpoint controls, from host-based protection to data loss prevention and device- and application-level controls. Credential theft nevertheless remains hard to detect, because nearly all current security controls focus on preventing privilege escalation and memory scraping on the endpoint rather than on identifying when an attacker steals credentials.
Information security teams often respond to potential security events by sequentially piecing together related activities from multiple sources to obtain situational awareness. They may examine IDS logs indicating suspect network traffic from an IP address, follow up on DLP events indicating unexplained data leakage, or trace rogue firewall activity back to an endpoint. However, they cannot explain why any of these occurred without examining the suspect node further, and triaging and convicting security events requires identifying indicators of compromise. Without that information, the investigation becomes a more complex exercise of analyzing process- and service-level telemetry obtained from the endpoint. Collectively, this level of comprehensive logging across multiple platforms will ultimately paint a picture of what may have transpired, but given the time and resources required, the overall value of the effort needs reviewing, especially since the process is highly skill-dependent and susceptible to alert fatigue.
Moreover, many organizations, particularly smaller ones, do not always take advantage of the compensating features that SaaS vendors offer, and often leave user authentication for the application owners to manage. An example is a sales department with a two-step manual process for adding or removing employees in the corporate CRM application, where the HR and IT departments must provide instructions before user accounts are created in Salesforce.com. This manual process creates a synchronization gap between Active Directory and Salesforce.com: an account disabled in the directory can remain active in the application, leaving the organization more vulnerable to privilege misuse and credential theft.
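The synchronization gap just described can be checked directly. The following is an added example, not Attivo's or Salesforce's code: it reconciles a directory export against a SaaS application's user list and flags accounts that are active in the application but disabled, missing, or dormant on the directory side, ranking administrators higher because they are the privilege-misuse case. The record layouts, the `System Administrator` profile name, and the sample users are constructed for illustration; in practice the directory side would come from an AD/LDAP export and the SaaS side from the application's admin API.

```python
"""Reconcile a directory export against a SaaS user list to expose the
AD-to-SaaS synchronization gap. Added illustration, not vendor code; all
record layouts and sample users are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryUser:
    upn: str            # userPrincipalName; assumed equal to the SaaS username
    enabled: bool


@dataclass(frozen=True)
class SaasUser:
    username: str
    active: bool
    profile: str        # assumed SaaS role name, e.g. "System Administrator"
    last_login: Optional[datetime]


# Constructed "now" so the example is deterministic.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def reconcile(directory: List[DirectoryUser], saas: List[SaasUser],
              stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str, str]]:
    """Return (username, severity, reason) for every active SaaS account that the
    directory does not vouch for, or that nobody has used for `stale_after`."""
    by_upn = {u.upn.lower(): u for u in directory}
    findings = []
    for s in saas:
        if not s.active:
            continue                      # already deprovisioned on the SaaS side
        d = by_upn.get(s.username.lower())
        if d is None:
            reason = "active in SaaS, no matching directory account"
        elif not d.enabled:
            reason = "active in SaaS, disabled in directory"
        elif s.last_login is None or NOW - s.last_login > stale_after:
            reason = f"active in SaaS, unused for more than {stale_after.days} days"
        else:
            continue
        # An orphaned or stale admin is the privilege-misuse case; rank it higher.
        severity = "high" if s.profile == "System Administrator" else "medium"
        findings.append((s.username, severity, reason))
    return findings


# Constructed sample: bob left the company and was disabled in AD but never removed
# from the CRM; dave was added to the CRM by the sales team without a directory
# account; carol was provisioned but never logged in.
DIRECTORY = [
    DirectoryUser("alice@example.com", True),
    DirectoryUser("bob@example.com", False),
    DirectoryUser("carol@example.com", True),
]
SAAS = [
    SaasUser("alice@example.com", True, "Standard User", NOW - timedelta(days=2)),
    SaasUser("bob@example.com", True, "Standard User", NOW - timedelta(days=45)),
    SaasUser("dave@example.com", True, "System Administrator", NOW - timedelta(days=200)),
    SaasUser("carol@example.com", True, "Standard User", None),
    SaasUser("erin@example.com", False, "Standard User", None),
]


def run():
    return reconcile(DIRECTORY, SAAS)


if __name__ == "__main__":
    for username, severity, reason in run():
        print(f"{severity:6} {username}: {reason}")
```

Run on a schedule, the output is a deprovisioning worklist; the "disabled in directory" and "no matching directory account" rows are exactly the accounts the manual HR-to-IT-to-sales process tends to leave behind.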
Attivo Solutions for Cloud Account Monitoring
By natively interfacing with cloud service providers using the OAuth 2.0 authorization protocol, the Attivo Networks ThreatDefend® Platform can monitor the logs of supported cloud service providers for any authentication attempts using deceptive, deleted, or disabled user IDs belonging to the organization. This feature, called Cloud Account Monitoring, adds a new layer of detection for unauthorized access to applications delivered via SaaS. It extends visibility to detect unauthorized access using deceptive credentials across the cloud service provider's platform and console, just as it does within the enterprise. Enabling this feature closes visibility gaps across the cloud environment, and security teams can know if attackers are using deceptive breadcrumbs to access cloud-based resources.
How does the BOTsink Appliance’s Cloud Monitoring work?
The BOTsink appliance uses APIs provided by the cloud service providers to monitor the deceptive, deleted, and disabled accounts within the domain. It connects to the cloud providers using OAuth 2.0, detects unauthorized access, and raises events for all login activity of the user IDs in question.
When an attacker attempts access using a suspect credential, the BOTsink appliance cross-checks the login against the list of user accounts it maintains for monitoring purposes, detects the login activity, and generates alerts on the BOTsink dashboard and in the SIEM.
How the ThreatDefend Platform Integrates with SaaS providers
Once the organization enables the integration with cloud service providers, the BOTsink starts monitoring for suspicious login activity using deceptive credentials across the cloud service providers' platforms. Enabling this feature creates a deceptive server object, TS_AUTO_CLOUD_CONNECTOR, which the organization can then add to an existing ThreatStrike® profile or to a new one. That profile subsequently detects and monitors for SaaS credential usage.
There are two ways to deploy:
Automatic Detection – The BOTsink appliance integrates with Active Directory and polls it at configurable intervals to discover the SaaS user IDs it should monitor.
Manual Detection – The organization can manually upload email accounts and user IDs for detection.
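The detection flow described above (a watchlist of deceptive, deleted, and disabled accounts, built either from a directory poll or from a manual upload, cross-checked against the provider's sign-in log, with an event raised for every login attempt by a watched ID) can be illustrated in a few dozen lines. The following is an added example and is not ThreatDefend or BOTsink code. The sign-in records are constructed and use Microsoft Graph's Azure AD sign-in log field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`); the directory records, the `ThreatStrike` description tag used to mark decoy accounts, and the helper names are assumptions for illustration. Failed attempts are alerted as well as successful ones: a password guess against an account nobody should be using is itself the indicator.

```python
"""Watchlist-based detection of logins with deceptive, deleted or disabled
accounts. Added example, not Attivo's code; all sample data is constructed."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DirectoryUser:
    upn: str
    enabled: bool
    deleted: bool
    description: str


def watchlist_from_directory(users: Iterable[DirectoryUser],
                             honey_tag: str = "ThreatStrike") -> Set[str]:
    """Automatic mode: from a directory poll, pick out accounts that should never
    log in: disabled, deleted, or tagged as a decoy (the tag is an assumption)."""
    return {u.upn.lower() for u in users
            if (not u.enabled) or u.deleted or honey_tag in u.description}


def watchlist_from_upload(text: str) -> Set[str]:
    """Manual mode: one email address or user ID per line; blanks and '#' comments ignored."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def detect(signins: Iterable[Dict], watchlist: Set[str]) -> List[Dict]:
    """Return one alert per sign-in record whose principal is on the watchlist.
    A non-zero status.errorCode means the attempt failed; it is still reported,
    at lower severity, because the decoy credential was used at all."""
    alerts = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in watchlist:
            continue
        failed = rec.get("status", {}).get("errorCode", 0) != 0
        alerts.append({
            "user": upn,
            "severity": "medium" if failed else "high",
            "outcome": "failure" if failed else "success",
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "time": rec.get("createdDateTime"),
        })
    return alerts


# Constructed directory snapshot: one decoy service account, one leaver, one deleted user.
DIRECTORY = [
    DirectoryUser("alice@example.com", True, False, "Finance"),
    DirectoryUser("svc_backup@example.com", True, False, "ThreatStrike decoy"),
    DirectoryUser("bob@example.com", False, False, "Left 2021-01"),
    DirectoryUser("carol@example.com", True, True, ""),
]
# Constructed manual upload.
UPLOAD = "# manual additions\nhelpdesk-admin@example.com\n"

# Constructed sign-in log: a legitimate login, a failed then successful login with the
# decoy account (50126 = bad password), and an attempt with a disabled leaver (50057).
SIGNINS_JSON = """[
 {"createdDateTime": "2021-03-01T08:02:11Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "203.0.113.7", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
 {"createdDateTime": "2021-03-01T08:05:40Z", "userPrincipalName": "SVC_BACKUP@example.com",
  "ipAddress": "198.51.100.23", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
 {"createdDateTime": "2021-03-01T08:06:02Z", "userPrincipalName": "svc_backup@example.com",
  "ipAddress": "198.51.100.23", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
 {"createdDateTime": "2021-03-01T09:15:00Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "198.51.100.23", "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 50057}}
]"""


def run() -> List[Dict]:
    watch = watchlist_from_directory(DIRECTORY) | watchlist_from_upload(UPLOAD)
    return detect(json.loads(SIGNINS_JSON), watch)


if __name__ == "__main__":
    for a in run():
        print(json.dumps(a))
```

Matching is case-insensitive because providers do not normalise the principal name consistently across log sources. In a real deployment the two watchlist builders would be fed by a scheduled directory poll and an operator upload respectively, and `detect` would run over each page of sign-in records pulled from the provider's API; the alert dictionaries are what would be forwarded to the SIEM.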
By using the BOTsink appliance's native Cloud Account Monitoring capabilities, organizations gain visibility into suspicious or malicious activity targeting their cloud and SaaS accounts. In an era of an expanded remote workforce and reliance on external services to meet business needs, Attivo customers can quickly activate these features to better protect their organization from attackers targeting these accounts.