Intro: Why hack in when you can log in?
SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures.
Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected because of siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each looks unrelated when viewed in isolation, but in a connected timeline of events, it is a dangerous breach.
Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a true identity map of their SaaS ecosystem, detect and respond quickly to threats, and prevent future attacks.
Getting started with SaaS visibility and protection
You can't protect what you don't know. The majority of existing solutions (IAM, PAM, etc.) don't cover SaaS applications or lack the depth needed to detect SaaS threats. This is why the first step is to overcome shadow IT and get full visibility into the organization's stack, including all apps, accounts, and all the hidden third-party integrations that security teams have no clue about.
Wing's discovery approach is non-intrusive, without agents or proxies. It simply connects through APIs to major IdPs (like Okta, Google Workspace, and Azure AD) and to business-critical SaaS applications (from Microsoft 365 and Salesforce to Slack, GitHub, and so on).
Wing discovers:
- Human (users) and non-human (service accounts, API keys, etc.) identities.
- App-to-app connectivity and third-party integrations and their permission scopes.
- AI-powered applications and data usage.
- MFA status and admins in the different SaaS applications (including stale admins).

Visibility alone isn't enough. Understanding identity behavior in SaaS apps is key to detecting and responding to real threats in time. This is where Wing's identity-centric threat detection layer comes in.
Want to see Wing in action? Request a demo with one of our security experts.
SaaS Identity Threat Detection — From scattered logs to a clear attack story
Wing maps identity events and IoCs to represent how attackers think. It then correlates them with MITRE ATT&CK techniques to transform long and messy SaaS logs into one clear attack story, simplifying investigations, reducing alert fatigue, and speeding up mean time to resolution (MTTR).
Every detection is enriched with threat intelligence for context: IP reputation (geolocation and privacy), VPN/Tor usage, and more. So, instead of digging through raw logs for days, analysts can understand the attacker's playbook in a few minutes.
A real-life example of how hackers try to exploit identities:
- Step 1 – Password spray attempt: A password spray attack targeting multiple user accounts within the Entra ID environment. The attacker attempted to log in using credential-based attacks to compromise multiple user accounts without triggering lockout mechanisms.
- Step 2 – Cross-account user agent overlap: Login attempts across multiple accounts from the same user agent (UA) showed that the attacker was systematically testing credentials at scale during the reconnaissance phase.
- Step 3 – Successful login post-reconnaissance: The attacker successfully logged in to an account. This login matched the same user agent used during the reconnaissance phase, indicating that credentials had been compromised via the earlier password spraying activity.
- Step 4 – Privilege escalation via role assignment: The attacker escalated the compromised account's privileges by assigning it administrative roles in Entra ID. This granted the attacker broader visibility and control, including access to OAuth-connected third-party services like GitHub.
- Step 5 – Data exfiltration from GitHub: With elevated privileges, the attacker leveraged the Entra ID account's linked GitHub access to reach internal repositories. Activity logs indicate that private repositories were downloaded, including projects that may contain source code, API keys, or internal documentation. The attacker used this foothold to exfiltrate sensitive intellectual property directly from GitHub.

Attack path timeline
The threat timeline (Ref. Image #2) is more useful than logs alone, as it presents all SaaS detections with context. Each detection carries detailed context on the affected identity, the trigger, and where and when it occurred (app, timestamp, geolocation).
The attack path timeline helps security operations teams:
- Visualize how the attack unfolded with a chronological view of related detections.
- Map each detection to MITRE ATT&CK techniques, like active scanning, valid accounts, account manipulation, etc.
- Enrich the alert with context and IoCs: IPs, user agents, geolocation, VPN/Tor, and evidence.
- Connect anomalies with routine activity (e.g., permission changes after a successful brute force).
Prioritize threats
Not all security threats are created equal. Each threat is assigned a breach confidence score, quantifying the likelihood that a threat will result in a successful breach. This metric is calculated based on factors such as:
- The type of detections (e.g., password spray, spike in activity, etc.)
- The number of detections per threat (e.g., one identity has four detections)
- The tactic of the attack based on MITRE ATT&CK (e.g., initial access, exfiltration, etc.)
SecOps can sort and address the most critical threats first. For example, a single failed login from a new IP might be low priority when viewed on its own, but a successful login followed by data exfiltration would get a higher confidence score. In the dashboard, you can see a prioritized threat queue, with high-severity threats at the top that deserve immediate attention and lower-risk ones further down, cutting through alert fatigue and providing real threat detection.
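As an added illustration (not Wing's code and not a description of its detection engine), the Python sketch below correlates a constructed batch of Entra ID sign-in events into the attack story from steps 1 through 4 above, tags each detection with a MITRE ATT&CK technique, and derives a breach confidence score from the factors just listed. The thresholds, the technique weights, and the scoring formula are assumptions made for the example; the GitHub exfiltration step would need a second log source and is left out.

```python
from collections import defaultdict

# Constructed sample of Entra ID sign-in events (not real log data):
# (timestamp, user, result, source_ip, user_agent)
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "FAIL", "203.0.113.7", "UA-X"),
    ("2024-05-01T09:00:09", "bob", "FAIL", "203.0.113.7", "UA-X"),
    ("2024-05-01T09:00:14", "carol", "FAIL", "203.0.113.7", "UA-X"),
    ("2024-05-01T09:00:20", "dave", "FAIL", "203.0.113.7", "UA-X"),
    ("2024-05-01T09:03:30", "alice", "OK", "198.51.100.2", "UA-Y"),  # benign login
    ("2024-05-01T09:42:11", "carol", "OK", "203.0.113.7", "UA-X"),  # attacker gets in
    ("2024-05-01T09:50:00", "carol", "ROLE_ASSIGN", "203.0.113.7", "UA-X"),
]

# Assumed thresholds; a real deployment tunes these to its own baseline.
SPRAY_MIN_ACCOUNTS = 4    # distinct accounts failing from one source IP
OVERLAP_MIN_ACCOUNTS = 4  # distinct accounts sharing one user agent

# Assumed illustrative weights by ATT&CK technique (later-stage techniques weigh more).
TECHNIQUE_WEIGHT = {"T1110.003": 1, "T1078": 3, "T1098": 4}


def build_attack_timeline(events):
    """Replay events chronologically and emit correlated detections
    as (timestamp, detection name, ATT&CK technique, subject)."""
    failed_by_ip = defaultdict(set)
    failed_by_ua = defaultdict(set)
    suspicious_uas = set()
    timeline = []
    for ts, user, result, ip, ua in sorted(events):
        if result == "FAIL":
            failed_by_ip[ip].add(user)
            failed_by_ua[ua].add(user)
            if len(failed_by_ip[ip]) == SPRAY_MIN_ACCOUNTS:
                timeline.append((ts, "Password spray attempt", "T1110.003", ip))
            if len(failed_by_ua[ua]) == OVERLAP_MIN_ACCOUNTS:
                suspicious_uas.add(ua)
                timeline.append((ts, "Cross-account user agent overlap", "T1110.003", ua))
        elif result == "OK" and ua in suspicious_uas:
            # A success from a UA seen spraying ties the login to the reconnaissance phase.
            timeline.append((ts, "Successful login post-reconnaissance", "T1078", user))
        elif result == "ROLE_ASSIGN" and ua in suspicious_uas:
            timeline.append((ts, "Privilege escalation via role assignment", "T1098", user))
    return timeline


def breach_confidence(timeline):
    """Assumed scoring: 20 points per stage reached (highest technique weight)
    plus 5 per correlated detection, capped at 100."""
    deepest = max((TECHNIQUE_WEIGHT.get(t, 1) for _, _, t, _ in timeline), default=0)
    return min(deepest * 20 + 5 * len(timeline), 100)
```

Run on the sample, the four failures alone score 30 while the full chain through role assignment scores 100, which is the kind of ordering a prioritized threat queue relies on.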

Track threat status & progress
Wing's tracking structure helps SecOps stay organized and keeps threats from slipping through the cracks. Teams can update statuses and track every threat from creation to resolution.
Main functionalities:
- Flag threats for follow-up for efficient prioritization or for tracking specific cases.
- Flag threats to trigger a webhook event so that they appear in external systems like SIEM or SOAR and are not missed.
- Update threat status based on the investigations conducted by the SOC and IR teams.

Resolve fast with concise mitigation guides
When SecOps drill down into a specific threat, they get a customized mitigation playbook with steps tailored to the specific attack type and SaaS application. The mitigation guides include:
- Tailored recommendations for each detection type
- Relevant documentation (e.g., how to configure Okta policies)
- Best practices for addressing the root cause and preventing recurrence (posture)

Prevention: Checking for the root cause
After the threat has been stopped, you will need to ask yourself what allowed this threat to succeed and how you can make sure it won't happen again.
Security teams should check whether these events are related to underlying risk factors in the organization's SaaS configurations, so they aren't just treating the symptoms (the active breach) but are addressing the root cause.
This is possible because Wing's platform is layered, combining SaaS security posture management (SSPM) with identity threat detection capabilities. Wing continuously monitors for misconfigurations (based on CISA's SCuBA framework), pinpointing risky settings like accounts without MFA or admin tokens that never expire.
Wrap-up: Closing the security loop
Wing Security brings clarity to SaaS chaos through a multi-layered security platform that combines deep visibility, prioritized risk management, and real-time detection. By combining posture management (SSPM) and identity threat detection and response (ITDR), organizations can reduce risk exposure, respond to threats with context, and stay ahead of SaaS identity-based attacks.
Book a demo with Wing to find blind spots, catch threats early, and fix what puts your business at risk.