Securing SaaS Applications

With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark , the producer of CISO Series , and Geoff Belknap , CISO, LinkedIn . Our guest is Steve Zalewski , who is the other host of Defense in Depth.

Are SaaS applications becoming less secure or are we just having difficulty understanding how to secure them? “SaaS doesn’t stay secure over time,” said Misha Seltzer of Atmosec (Acquired by Check Point) . " An organization's SaaS ecosystem becomes more complex and difficult to understand as it grows larger.” We are seeing improvements in SaaS security, but that’s being offset by our ability to manage them. "SaaS security by design is getting better, while security and privacy by default is falling woefully short," said Simon Goldsmith of OVO . Don’t fall victim to these trends. Look to vendors aiming to support your efforts. “A good vendor will not only continuously monitor their environment but also share the results continuously with you," said Abhishek Singh of Araali Networks .

CASB has its limitations for understanding SaaS. One of those is your ability to deploy it correctly. "CASB solutions were introduced to help us identify usage of SaaS and maybe even detect security events in our SaaS apps but they don’t prevent the misconfiguration in the first place,” said Jerich Beason , commercial CISO for Capital One . “Most orgs have hundreds of sanctioned and unsanctioned apps with unique configuration and user management options." "Ensure your web endpoint protection, gateways, proxies, and/or firewalls are feeding telemetry to your CASB,” added Marcos Marrero , CISO for H.I.G. Capital . “I cannot overstate how critical this step is. It’s going to give you your SaaS usage baseline.”

Methodically securing your SaaS apps may not be moving at the speed of business. Duane Gran of Converge Technology Solutions Corp. has been using DNS for discovery to sniff out frequently used applications. From there he and his team work with the business units to see if they’re applying the appropriate security. Gran’s concern is “This is slow and I worry that new applications emerge quicker than our efforts to secure them.” When the damage occurs, it’ll be quick. “SaaS data leakage gaps are not extended kill chain events and are much more likely to be simplistic ‘smash and grab’ operations,” said Harold Byun of AppOmni . “What this means is that traditional tooling and threat detection do not apply and will only provide visibility after the data has already been taken." For those who simply don’t have the time and are looking for a far simpler strategy, Andrew Sweet of AppOmni suggests you "target your top three largest SaaS deployments, operationalize there, and build a solid foundation to standardize and scale from."

What happens when a third-party application gets compromised? "What technical controls can you put in place to mitigate risk from apps you deem risky,” asked Gaurav Banga of Balbix . “Assume one of these third-party vendors is breached. How will your controls limit your data and operational exposure?"

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

HUGE thanks to our sponsor AppOmni

?Join us TOMORROW, Friday [07-28-23], for "Hacking Bad Permissions"

Please join us tomorrow, Friday, July 28th, 2023 for?Super Cyber Friday.

Our topic of discussion will be “Hacking Bad Permissions: An hour of critical thinking about the domino effect of unknown access settings.”

We’re setting up an awesome show with:?

Tarek Khaled , founding sales engineer,? Veza David Tyburski , vp of information security and CISO,? Wynn Resorts

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we'll switch gears to our meetup where everyone will get a chance to chat face to face.

Register

Thanks to our Super Cyber Friday sponsor, Veza

Cyber Security Headlines - Week in Review?

Make sure you?register on YouTube?to join the LIVE "Week In Review" this Friday for?Cyber?Security?Headlines?with?CISO Series?reporter?Richard Stroffolino.?We do it this and every Friday at 3:30 PM ET/12:30 PM PT?for a short 20-minute discussion of the week's cyber news. Our guest will be?TC Niedzialkowski?, CISO,?Nextdoor.

Thanks to our?Cyber Security Headlines sponsor,?AppOmni

How is Cyber Security Headlines Part of Your Daily Routine?

We’re just a few weeks away (August 17th, 2023) from celebrating the three-year anniversary of Cyber Security Headlines, the fastest growing and most popular show on CISO Series.

Listeners tell us it's part of their daily routine (morning coffee, commute, working out, or winding down).

As part of our anniversary, we want to share your routine with the community.

Please send us any of the following:

• WRITE how Cyber Security Headlines is part of your day.
• TAKE A PHOTO of yourself where you listen to Cyber Security Headlines.
• SHOOT A VIDEO of yourself where you listen to Cyber Security Headlines.

In all cases, please tell us how Cyber Security Headlines made you a better a better cybersecurity professional.

Go here for all the ways to submit you story.

Jump in on these conversations

"What are your pain points in cybersecurity?"?(More here)

"Best training/certification to learn how attacks work?"?(More here)

"In your experience, what were some unconventional signs that there's a malware inside your network?"?(More here)

Coming up in the weeks ahead?on?Super Cyber Friday?we have:

• [07-28-23] Hacking Bad Permissions
• [08-18-23] Hacking Conferences

Save your spot and register now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at?cisoseries.com.

Interested in sponsorship,?contact me,?David Spark.