Everyone loves the double-agent plot twist in a spy movie, but it’s a different story when it comes to securing company data. Whether intentional or unintentional, insider threats are a legitimate concern. According to CSA research, 26% of companies who reported a SaaS security incident were struck by an insider.
The challenge for many is detecting those threats before they lead to full breaches. Many security professionals assume there is nothing they can do to protect themselves from a legitimate managed user who logs in with valid credentials using a company MFA method. Insiders can log in during regular business hours, and can easily justify their access within the application.
Cue the plot twist: With the right tools in place, businesses can protect themselves from the enemy from within (and without).
Learn how to secure your entire SaaS stack from both internal and external threats
Subduing Identity-Centric Threats with ITDR #
In SaaS security, an Identity Threat Detection & Response (ITDR) platform looks for behavioral clues that indicate an app has been compromised. Every event in a SaaS application is captured by the application’s event logs. Those logs are monitored, and when something suspicious takes place, it raises a red flag, called an Indicator of Compromise (IOC).
With outside threats, many of these IOCs relate to login methods and devices, as well as user behavior once they’ve gained access. With insider threats, IOCs are primarily behavioral anomalies. When IOCs reach a predetermined threshold, the system recognizes that the application is under threat.
Most ITDR solutions primarily address endpoint and on-prem Active Directory protection. However, they are not designed to address SaaS threats, which require deep expertise in the application and can only be achieved by cross-referencing and analyzing suspicious events from multiple sources.
Examples of Insider Threats in the World of SaaS#
- Data Theft or Data Exfiltration: Excessive downloading or sharing of data or links, particularly when sent to personal email addresses or third parties. This may occur after an employee has been laid off and believes the information could be useful in their next role, or if the employee is very unhappy and has malicious intentions. The stolen data may include intellectual property, customer information, or proprietary business processes.
- Data Manipulation: The deletion or modification of critical data within the SaaS application, potentially causing financial loss, reputational damage, or operational disruption.
- Credential Misuse: Sharing of login credentials with unauthorized users, either intentionally or unintentionally, allowing access to sensitive areas of the SaaS application.
- Privilege Abuse: A privileged user takes advantage of their access rights to modify configurations, bypass security measures, or access restricted data for personal gain or malicious intent.
- Third-Party Vendor Risks: Contractors or third-party vendors with legitimate access to the SaaS application misuse their access.
- Shadow Apps: Insiders install unauthorized software or plugins within the SaaS environment, potentially introducing vulnerabilities or malware. This is unintentional but is still introduced by an insider.
Each of these IOCs on their own doesn’t necessarily indicate an insider threat. There may be legitimate operational reasons that can justify each action. However, as IOCs accumulate and reach a predefined threshold, security teams should investigate the user to understand why they are taking these actions.
Take a deeper look at how ITDR works together with SSPM
How ITDR and SSPM Work Together to Prevent and Detect Insider Threats#
The Principle of Least Privilege (PoLP) is one of the most important approaches in the fight against insider threats, as most employees typically have more access than required.
SaaS Security Posture Management (SSPM) and ITDR are two parts of a comprehensive SaaS security program. SSPM focuses on prevention, while ITDR focuses on detection and response. SSPM is used to enforce a strong Identity-First Security strategy, prevent data loss by monitoring share settings on documents, detect shadow apps used by users and monitor compliance with standards designed to detect insider threats. Effective ITDRs enable security teams to monitor users engaging in suspicious activity, enabling them to stop insider threats before they can cause significant harm.