Software-as-a-service (SaaS) applications enable businesses to reach unseen levels of productivity, but they bring significant cybersecurity challenges.
Today’s digital perimeters grant authorized users access to sensitive business data at any time and from anywhere. As a result, SaaS-heavy IT environments make threat detection and response considerably more complex. User activity on SaaS accounts can be highly varied, occurring on multiple endpoints and from many locations, and businesses must distinguish legitimate from potentially illicit user activity on busy networks. What’s more, should an account compromise occur, the onus is not on the SaaS provider to secure the user’s data. In light of these and other challenges, SaaS applications require continuous, carefully calibrated monitoring.
Continuous Monitoring for SaaS Applications
Most SaaS applications generate large volumes of event data from user, administrator, and application back-end activities. These activity logs need to be monitored around the clock for potential indicators of compromise.
The following checklist identifies some of the core security-related SaaS activities that must be continuously monitored and associates them with the types of incidents they can reveal.
User and Administrator Access
To detect credential theft and user and administrator account compromises, companies must monitor:
- Login successes and failures
- Logins by time and location
- Logins by device type and attributes
- Repeated login failures followed by login success
- SSO and Active Directory (AD) activity
- Repeated user and/or data deletions
- Addition of privileged users
- Changes to network permissions
- Changes to audit logging configuration
- Changes to policy controls
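The following is an added example, not code from the original article, showing how several items from this checklist can be turned into detection logic over a SaaS audit log. The JSON-lines event schema (field names such as event, ip, country, role), the failure threshold and window, the per-user baseline of known countries, the set of privileged roles and the sample log lines are all constructed assumptions for illustration; a real deployment would take these from the vendor’s audit export and the organisation’s own policy.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). The field names are an assumed
# schema for this example, not any particular SaaS vendor's export format.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:20Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:40Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:01:00Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:01:10Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:01:30Z", "user": "alice", "event": "login_success", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:05:00Z", "user": "alice", "event": "login_success", "ip": "198.51.100.9", "country": "BR"}
{"ts": "2024-03-01T08:06:00Z", "user": "alice", "event": "role_assigned", "target": "svc-backup", "role": "admin"}
{"ts": "2024-03-01T08:07:00Z", "user": "alice", "event": "audit_config_changed", "detail": "retention=1d"}
{"ts": "2024-03-01T09:00:00Z", "user": "bob", "event": "login_failed", "ip": "192.0.2.7", "country": "US"}
{"ts": "2024-03-01T09:00:30Z", "user": "bob", "event": "login_success", "ip": "192.0.2.7", "country": "US"}
"""

FAIL_THRESHOLD = 5                   # assumed: failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}  # assumed per-user location baseline
PRIVILEGED_ROLES = {"admin", "owner"}               # assumed role names


def parse_events(text):
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_access_anomalies(events):
    """Return a list of alert dicts for the access indicators in the checklist."""
    alerts = []
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    for e in events:
        kind = e["event"]
        if kind in ("login_failed", "login_success"):
            window = failures[(e["user"], e["ip"])]
            # Discard failures that fell out of the window before this event.
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if kind == "login_failed":
                window.append(e["ts"])
                continue
            # Repeated failures followed by a success from the same source.
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "ip": e["ip"], "ts": e["ts"], "failures": len(window)})
            window.clear()
            # Successful login from a country not in the user's baseline.
            if e["country"] not in KNOWN_COUNTRIES.get(e["user"], set()):
                alerts.append({"rule": "login_from_new_country", "user": e["user"],
                               "country": e["country"], "ts": e["ts"]})
        elif kind == "role_assigned" and e["role"] in PRIVILEGED_ROLES:
            # Addition of a privileged user.
            alerts.append({"rule": "privileged_role_added", "user": e["user"],
                           "target": e["target"], "role": e["role"], "ts": e["ts"]})
        elif kind == "audit_config_changed":
            # Any change to audit logging configuration is worth a human look.
            alerts.append({"rule": "audit_config_changed", "user": e["user"],
                           "detail": e["detail"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_access_anomalies(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the detector raises four alerts, all for the user alice: the burst of five failures followed by a success, the subsequent login from a country outside her baseline, the assignment of an admin role, and the change to audit log retention. Bob’s single failure followed by a success stays below the threshold and is not reported, which is the kind of calibration the article refers to.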
Organizations also need to keep a sharp eye on user activities to detect malicious insiders, data exfiltration attempts, use of unapproved shadow IT applications, and more. They must monitor:
- User file activity (download, delete, print, copy, move)
- Sharing files with external collaborators
- Creating open/shared links (public access)
- Unauthorized/untrusted mobile device activity
- Network traffic activity
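As an added example (not from the original article), the user-activity items above can be monitored with the same style of rule-based pass over the audit log: a sliding-window count of file downloads per user to catch bulk collection, a check on every share for recipients outside the organisation’s own domains, and a flag on every link created with public visibility. The event schema, the internal domain list, the bulk threshold and window, and the sample log lines are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"corp.example"}   # assumed: the organisation's own e-mail domains
BULK_THRESHOLD = 5                    # assumed: downloads per user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)    # assumed sliding window

# Constructed sample audit log (JSON lines) in an assumed schema.
SAMPLE_LOG = """
{"ts": "2024-03-01T13:00:00Z", "user": "carol", "event": "file_download", "file": "q1-forecast.xlsx"}
{"ts": "2024-03-01T13:00:30Z", "user": "carol", "event": "file_download", "file": "customers.csv"}
{"ts": "2024-03-01T13:01:00Z", "user": "carol", "event": "file_download", "file": "pricing.pdf"}
{"ts": "2024-03-01T13:01:30Z", "user": "carol", "event": "file_download", "file": "roadmap.pptx"}
{"ts": "2024-03-01T13:02:00Z", "user": "carol", "event": "file_download", "file": "contracts.zip"}
{"ts": "2024-03-01T13:02:30Z", "user": "carol", "event": "file_download", "file": "salaries.xlsx"}
{"ts": "2024-03-01T13:10:00Z", "user": "carol", "event": "link_created", "file": "contracts.zip", "visibility": "public"}
{"ts": "2024-03-01T14:00:00Z", "user": "dave", "event": "file_share", "file": "agenda.docx", "recipient": "eve@outside.example"}
{"ts": "2024-03-01T14:01:00Z", "user": "dave", "event": "file_share", "file": "agenda.docx", "recipient": "frank@corp.example"}
{"ts": "2024-03-01T14:02:00Z", "user": "dave", "event": "file_download", "file": "agenda.docx"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_data_movement(events):
    """Return alert dicts for bulk downloads, public links and external shares."""
    alerts = []
    downloads = defaultdict(deque)  # user -> (ts, file) of downloads inside the window
    for e in events:
        kind = e["event"]
        if kind == "file_download":
            recent = downloads[e["user"]]
            recent.append((e["ts"], e["file"]))
            while recent and e["ts"] - recent[0][0] > BULK_WINDOW:
                recent.popleft()
            # Alert once, when the burst first reaches the threshold, so a long
            # burst does not produce one alert per additional download.
            if len(recent) == BULK_THRESHOLD:
                alerts.append({"rule": "bulk_download", "user": e["user"], "ts": e["ts"],
                               "count": len(recent), "files": [f for _, f in recent]})
        elif kind == "link_created" and e["visibility"] == "public":
            alerts.append({"rule": "public_link_created", "user": e["user"],
                           "file": e["file"], "ts": e["ts"]})
        elif kind == "file_share":
            # Compare the recipient's domain against the internal domain list.
            domain = e["recipient"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                alerts.append({"rule": "external_share", "user": e["user"], "file": e["file"],
                               "recipient": e["recipient"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_data_movement(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields three alerts: carol’s burst of downloads (reported once, at the fifth file, with the files named), her public link to an archive from that burst, and dave’s share to an address outside the internal domains; his share to a colleague and his single download produce nothing.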
Third-Party API Access
Application program interfaces (APIs) enable third-party software to interact with SaaS apps, but they are often abused, including in “Man-in-the-Middle” (MITM) attacks. To detect such abuse, cybersecurity personnel must monitor:
- Changes to API access permissions
- OAuth certificate activity
- OAuth token activity
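Added example, not part of the original article: a pass over OAuth and API-permission events that flags a consent granting high-risk scopes to an app outside an approved list, a permission change that broadens an existing app’s scopes, and a token issued to an app for which no consent was ever recorded. The app identifiers, scope names, approved-app list and sample events are constructed assumptions; real scope strings and event names vary by provider.

```python
import json
from datetime import datetime

ALLOWLISTED_APPS = {"app-calendar-sync"}  # assumed: integrations reviewed and approved
# Assumed scope names standing in for "read everything" and persistent-access grants.
HIGH_RISK_SCOPES = {"mail.read_all", "files.read_all", "offline_access", "directory.write"}

# Constructed sample audit log (JSON lines) in an assumed schema.
SAMPLE_LOG = """
{"ts": "2024-03-01T10:00:00Z", "user": "alice", "event": "oauth_consent", "app_id": "app-calendar-sync", "scopes": ["calendar.read"]}
{"ts": "2024-03-01T10:05:00Z", "user": "bob", "event": "oauth_consent", "app_id": "app-mail-helper", "scopes": ["mail.read_all", "files.read_all", "offline_access"]}
{"ts": "2024-03-01T10:06:00Z", "user": "bob", "event": "token_issued", "app_id": "app-mail-helper"}
{"ts": "2024-03-01T11:00:00Z", "user": "admin", "event": "api_permission_changed", "app_id": "app-calendar-sync", "old_scopes": ["calendar.read"], "new_scopes": ["calendar.read", "files.read_all"]}
{"ts": "2024-03-01T12:00:00Z", "user": "carol", "event": "token_issued", "app_id": "app-unknown-7"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_api_access_anomalies(events):
    """Return alert dicts for risky consents, broadened scopes and unknown apps."""
    alerts = []
    consented_apps = set(ALLOWLISTED_APPS)  # apps with an approved or observed consent
    for e in events:
        kind = e["event"]
        if kind == "oauth_consent":
            consented_apps.add(e["app_id"])
            risky = sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)
            if e["app_id"] not in ALLOWLISTED_APPS and risky:
                alerts.append({"rule": "risky_oauth_consent", "user": e["user"],
                               "app_id": e["app_id"], "scopes": risky, "ts": e["ts"]})
        elif kind == "api_permission_changed":
            # Only scopes that were added matter; removals narrow access.
            added = sorted(set(e["new_scopes"]) - set(e["old_scopes"]))
            if set(added) & HIGH_RISK_SCOPES:
                alerts.append({"rule": "api_scope_broadened", "user": e["user"],
                               "app_id": e["app_id"], "added": added, "ts": e["ts"]})
        elif kind == "token_issued" and e["app_id"] not in consented_apps:
            # A token for an app that never appeared in a consent event.
            alerts.append({"rule": "token_for_unknown_app", "user": e["user"],
                           "app_id": e["app_id"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_api_access_anomalies(parse_events(SAMPLE_LOG)):
        print(alert)
```

Three alerts come out of the constructed log: bob’s consent to an unapproved app with broad mailbox, file and offline scopes; the later broadening of the approved calendar app to read all files (flagged even though the app is on the approved list, because the list approved it with narrower scopes); and a token issued to an app that never appeared in a consent event. The token issued to the mail helper is not reported separately, since the consent that preceded it was already flagged.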