Guido Vrola - Fotolia

SaaS activity alerts can mitigate manual misconfigurations

SaaS activity management is becoming more important for infosec teams to combat issues of insider theft and unintentional exposure of sensitive data, BetterCloud's David Politis says.

External threats can actually be the easier security issue to combat compared to the potential of an insider stealing data, which makes access management and awareness vital for IT.

More and more sensitive data is being stored in the cloud and improper access controls or limited visibility can lead to unintended data exposures or even insider theft. However, better SaaS activity alerts can help mitigate these issues.

BetterCloud CEO and founder David Politis spoke with SearchSecurity about the dangers of cloud misconfigurations and having too many admins, as well as how SaaS activity can be monitored automatically to avoid security breaches.

Editor's note: This conversation has been edited for length and clarity.

You have said that it is functionally impossible to monitor SaaS activity manually, so what are the programmatic options for security?

David Politis: The most important thing we have is this framework that we recreated with our customers. The first step is centralizing all of the data that you have across these applications because data sprawl is one of the biggest issues.

David Politis, CEO and founder, BetterCloudDavid Politis

Once you've centralized that data, programmatically you have to go into all the different APIs that are available from these applications and you need to bring all the settings and the configuration and the entitlements and everything into a single place because part of the problem is going app by app. That's not scalable.

Once you've centralized all of that, you need to be able to go and discover against that centralized repository of all the entitlements and settings you have, because once you centralize, what you'll find is you have, depending on the size of your organization, millions -- I'm not exaggerating -- millions of data points that you're having to report against or audit.

So you centralize then you do discovery and discovery means: Let me look at all my groups or email distribution lists that are set like this, or I have a rule in my organization where I need to be able to see all the files that are shared in this way. Now, still, that's a massive data set and somehow you need that to be surfaced more real time because the changes in the settings and the entitlements are changing all the time. They're literally changing every day, all day. People are working in these applications; they're sharing files; they're creating Slack channels; they're adding folders in DropBox; they're doing X, Y, Z in Salesforce. It's changing on a regular basis.

So after centralizing and being able to discover -- that really helps you retroactively -- then you need something that surfaces the insights on a more regular basis that says, 'Hey, when we catch this needle in the haystack, surface that.'

The last step is you want to be able to do something about that because if you're just surfacing data all day long, what we hear from IT is that they have this kind of fatigue of alerts, they have a fatigue of trying to put out fires all day long. And so there needs to be a system that not only brings all the data, centralizes it, makes it discoverable, surfaces insight and the items that need to get the exposures, the risk, and then ultimately be able to remediate that and take some kind of an action against that and enforce that.

What are the new features BetterCloud is introducing to enable SaaS activity monitoring?

Politis: The new service that we're launching now, that we just started layering into the product, is our activity-based alerting. Basically, all the things that you and I just talked about the last 20 minutes, that's all based on what I would call 'state-based' settings or configurations are entitlements -- is a user set as an end user or an admin? Is this email distribution set to public or is it set to private? -- that's the state that is in.

We are now starting to do 'activity-based' monitoring and alerting and triggers for our workflows, and that is at a completely different level. If somebody just downloads 500 files in a matter of 30 minutes, that's a next level deeper in terms of looking at user behavior and user activities within these platforms. Did somebody just create 100 users that are all super admin? Were there suspicious logins to this platform outside of the IP range?

So, you start getting more into the activity-based stuff, which is either a faster indicator of misconfigurations that are mistakes, or that's actually a faster indication -- and probably more likely, frankly -- of malicious behavior. And so we really extended the platform to start looking at user behavior, user activity in these platforms.

The number one request I've gotten for the last year from customers is: I want to know when people are downloading files from Dropbox, Box, Slack, Salesforce [and/or] Google. File downloads has been the number one requested activity to monitor since I can't even remember because as you can imagine, that starts to be a little bit more malicious. And that's when IT can really be taken out of an organization.

I think the Uber/Waymo example is a great one. That is just someone at Waymo, at Google downloading a bunch of files out of Google Drive and leaving. Now, if you were looking at their activity in Google Drive, you would have noticed that they downloaded all the files from the confidential folder, and you can flag that, you could block, you could follow up with security.

It's as it's happening versus the states that things are in. File download is not a state the file has. So by looking at all the states of the file, you don't know that it was downloaded 100 times by this person in a 30-minute window by seeing that someone successfully logged in, you don't see that has 100 failed logins from 100 different IP addresses.

What platforms do you support with these SaaS activity alerts?

Politis: We have it fully integrated for Okta, Dropbox and Google. We're layering it in for Box and Salesforce, so over the next couple months we'll have the same functionality available across all the applications that we support.

And, this is actually an interesting indication because a lot of the SaaS platforms that we work with, five years ago, three years ago, they didn't make this kind of activity streams available via their API. Now they're making it available because how do companies protect themselves against this stuff? The only way is for the platforms themselves to make this information available via API, make this information available programmatically to their customers, to their partners. And so we're taking advantage of that. Dropbox's API that we're using is a new API available for their enterprise customers for exactly this purpose, but their customers don't know how to utilize that. What we're doing is we're doing that for the customer, we're going out to the different SaaS platforms connecting to these activity streams, and then making sense of them. Otherwise, it's just a stream of data.

But to that first part of the discussion: People keying in on this is what I've been waiting for, for many years. Because people have been [saying], 'OK, I don't see this problem in the news. And now it's starting.'

I think it's only the beginning. I think you're going to see what I'm seeing with some of our really large organizations that these misconfigurations are going to come out more and more and more and the impact that they're having on organizations is bigger than people know yet.

Dig Deeper on Application and platform security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close