Why SaaS Application Monitoring Is Key for Cybersecurity

Software-as-a-service (SaaS) adoption keeps growing every year. One survey estimates 99% of all organizations are already using one or more SaaS apps. Unfortunately, increased adoption increases the risk of cyberattacks too.

‍

In this article, you’ll learn about SaaS application monitoring from a cybersecurity perspective. You'll see why it's essential for every SaaS customer, the capabilities that differentiate a good monitoring solution, and a case study involving Salesforce.

‍

An Overview of SaaS Application Monitoring for Cybersecurity

‍

Before SaaS became popular, the process of getting software was centralized and time-consuming. Departments requested them through their organization’s information technology. Once procured, the software was deployed at on-premise data centers.

‍

The SaaS ecosystem disrupted this process by decentralizing software purchases. SaaS pricing plans allowed teams to spend from their discretionary budgets. By 2021, organizations were subscribing to as many as 110 SaaS services on average.

‍

While SaaS benefits productivity, it complicates cybersecurity. Unlike on-premises software, cybersecurity responsibilities are not solely with the customer. Instead, the shared responsibility model of SaaS requires both the customer and the provider to implement different aspects of cybersecurity for the same software system.

‍

SaaS application monitoring is an essential part of the customer’s side of this responsibility. Instead of implementing it on their own, they outsource it to a SaaS application monitoring service. 

‍

We’ll focus on the cybersecurity aspects of monitoring rather than application performance monitoring (APM) and show you why monitoring is essential.

‍

Why SaaS Application Monitoring Is Key to Security

Organizations that don’t set up security monitoring of their SaaS usage may face some serious business and financial consequences:

‍

Threats to Your Data Security

‍

The data you store on a SaaS faces a wide range of threats like:

‍

• Data breaches
• Data theft
• Supply chain attacks (where dependencies are attacked to get to your data)
• Malicious modifications to business-critical data

‍

They may come from external hackers, malicious insiders, or advanced persistent threats like hostile intelligence agencies. To prevent such attacks, or at least detect them, you need SaaS application monitoring.

‍

Financial Losses From Cyberattacks

‍

Following a cyberattack, your organization may suffer financial losses due to ransom payments, lost revenue during outages, ransom payments, recovery costs, or legal actions. On average, a ransomware attack can cost $1.85 million while a data breach can incur $3.61–$4.80 million. Good SaaS monitoring tools can avoid such losses.

‍

Regulatory Penalties

‍

Industries like healthcare and financial services expect compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS).

‍

Other regulations like the California Consumer Privacy Act (CCPA) apply to almost all organizations that store any data about people.

‍

All these regulations expect organizations to follow certain cybersecurity practices, including ensuring the security of the SaaS services they’re using. Lack of compliance with their standards can incur fines. So, a capable SaaS application monitoring solution is key to ensure compliance and avoid penalties.

‍

Risks to Your Clients

‍

Your SaaS accounts, credentials, or data may be misused to launch cyberattacks on your clients. These are called supply chain attacks and can potentially result in losing an important client, losing revenues, inviting legal action, breaching service level agreements (SLA), or damaging your reputation. SaaS monitoring can reduce such risks.

‍

Reputational Damage

‍

Reputational damage is an unavoidable consequence of all these risks. Its effects aren't easy to quantify, but they can include losing customers or acquisition deals. By using a good SaaS monitoring solution, you can reduce the risks of such damage.

‍

How SaaS Application Monitoring Strengthens Your Cybersecurity

How exactly can a good SaaS application monitoring service improve your organization’s cybersecurity? Let’s look at the key features needed for this:

‍

Knowledge About SaaS Concepts

‍

Security vulnerabilities can lurk in the simplest of features. In-depth knowledge and attention to little details can protect your organization.

‍

So, the key feature of an excellent SaaS monitoring service is deep knowledge about the domain, concepts, and relationships of the SaaS it’s monitoring. For example:

‍

• To secure GitHub usage effectively, it should know about Git repositories and workflows. 
• To correctly monitor Salesforce security, it should understand the nuances of records, objects, and fields.

‍

Continuous Monitoring of SaaS Security Events

‍

Security logs record important events related to actions by SaaS users and client applications. For example, they record:

‍

• Authentication events, like an employee logging in using two-factor authentication
• Administrator actions, like elevating a user’s permissions
• User actions, like sharing a file with an external party
• Client application actions, like authenticating using an OAuth access token (OAuth is an authentication protocol designed for SaaS.)
• Application programming interface (API) calls to the SaaS from client applications

‍

Most service providers publish these security events through API URLs. A good SaaS security service:

‍

• Continuously fetches the latest events by querying the URLs
• Is aware of the characteristic indicators of compromise (IoC) for various vulnerabilities and threats known to target a particular SaaS
• Analyzes long sequences of events looking for those IoCs
• Sends notifications to the security team immediately

‍

Continuous Monitoring of SaaS Configurations

‍

Some SaaS are so feature-packed and customizable that the average user can’t keep track of, or even know about, all the settings that may make it vulnerable. Misconfiguration of a SaaS is a major reason for cyberattacks. To make matters worse, some SaaS use insecure default configurations.

‍

Plus, the average employee doesn't understand or cares about cybersecurity all that much. They just want the SaaS to simplify their tasks so they can get work done. They shouldn’t have to deal with cybersecurity responsibilities too.

‍

That's why automated security monitoring is helpful for maintaining your cybersecurity. A good SaaS monitoring service continuously monitors SaaS configuration as follows:

‍

• Reads the complete configuration periodically
• Compares it to the previous configuration or a known secure configuration
• Determines the changes that were made
• Infers potential vulnerabilities and risks based on the changes

‍

24x7 Handling of SaaS Vulnerabilities

Security professionals around the world are constantly on the lookout for vulnerabilities and evidence that they’ve been exploited. Detected vulnerabilities are shared with security teams around the world through global databases. In response, security teams are expected to take detection and mitigation steps in their respective organizations.

‍

But not every security team may be in a position to do so due to resource and time constraints. A better approach is for SaaS security specialists to implement them correctly and share them with all other security teams in a ready-to-use condition.

‍

A SaaS application monitoring service does exactly that — it focuses only on SaaS vulnerabilities, quickly designs correct mitigation strategies, and pushes the solutions to its subscribers. As a result, the response times are drastically lower.

‍

‍

Preventing Common Attacks

‍

Most cyberattacks on your SaaS data are initiated through common attack vectors like:

‍

• Weak passwords
• Stolen authentication credentials
• Lack of two-factor and multi-factor authentication
• Insecure credential storage
• Wrong access permissions
• Sharing internal links externally
• Malware in email attachments
• Phishing
• Ransomware
• Missing updates for system components and libraries

‍

A good SaaS monitoring solution has built-in detection and mitigation steps for all such common security threats.

‍

Actionable Findings

Based on its monitoring of logs, configurations, and vulnerabilities, a good SaaS monitoring service provides actionable insights to its customers’ security teams. Given the resource and time constraints of most security teams, the recommendations must be simple and actionable.

‍

Automated Remediation and Workflows

‍

An excellent SaaS monitoring service goes one step further by automatically applying remedial steps to solve vulnerabilities reliably and reversibly without causing operational disruptions. It additionally supports custom security workflows to notify IT teams and other departments about any additional actions they need to take.

‍

Case Study: Salesforce Flow

‍

Let’s understand all this better through a case study. One of the many customer management tools in the Salesforce suite is Salesforce Flow, a process automation component that comes with a low-code, point-and-click, visual editor tool. 

‍

It enables sales and marketing employees to do things like create a customer survey, store the survey data in a database, and set up dashboards for data visualization. 

‍

Salesforce's simple user experience — targeted at non-technical employees — can lull users into thinking security isn’t a concern. But in reality, it has complex security aspects. Valuable customer data can be easily lost to malicious actors if a business and its employees aren’t vigilant. 

‍

This case study helps you understand why reliable automated SaaS monitoring is a much more effective cybersecurity strategy.

‍

1. Managing Complicated Access Management in Salesforce Flow

‍

Access management is important because flows can potentially read or modify critical customer information. Ideally, the access management should be intuitive and provide a good user experience. 

‍

Unfortunately, in Salesforce Flow, the interplay of multiple configurations that determine who can access a flow and what data it can access is anything but simple. Consider some of these access rules:

‍

• A flow runs in a user context. But there’s also a system context and combinations of context and sharing to consider.
• Permission to run a flow is normally granted granularly through a user’s profile and permission sets.
• Some configurations like “manage flows” and “run flows” effectively override that access control.
• When there are hundreds of flows to manage, a busy administrator may be tempted to take the easy way out and assign foot guns like “manage flows” to all users instead of assigning granularly. Such psychological patterns are common in the real world and could result in breaches by malicious insiders.
• As if these four settings weren’t complicated enough, there are flow user licenses, user group permissions, organization-wide sharing settings, object-level access control, and field-level access controls to consider.

‍

It’s completely unrealistic to expect end users to wade through this complex set of access rules and manually work out a combination of secure settings that enables an employee to work productively.

‍

A SaaS monitoring service can easily manage complex access rules like these. If a risky configuration is necessary, its automated workflow features ensure that the permission is automatically revoked.

‍

2. Detecting Risky Configurations in Salesforce Flow

‍

Certain access settings like “manage flows” and “run flows” can act as keys to the castle, overriding all granular permissions and enabling less-privileged users to access confidential business data. 

‍

A good SaaS monitoring service will have in-depth knowledge of such SaaS-specific nuances and will be on the lookout for such dangerous settings.

‍

3. Security Event Monitoring for Salesforce

‍

Salesforce publishes an extensive set of security events like:

‍

• Changes in permission sets
• Login events with locations
• Data access events with timestamps
• Administrator actions
• Attempts to use a large number of credentials in a short period

‍

A SaaS monitoring service continuously watches this event stream to detect any indicators of ongoing or past cyberattacks.

‍

4. Configuration Monitoring for Salesforce

‍

Salesforce provides a setup audit trail that extensively tracks even small changes in its configuration. These changes include:

‍

• Security settings
• Profile changes
• Data management configuration
• Flow settings
• Customizations
• Application administration changes
• Metrics collection

‍

Some of these changes may directly affect your security posture. Or, a particular sequence of changes may indicate an attempted or successful cyberattack. All these possibilities are detected by a SaaS application monitoring service.

‍

ThreatKey’s SaaS Application Monitoring

Capable SaaS application monitoring is essential for helping businesses to manage the complex security implications of their SaaS usage and avoid cyberattacks.

‍

ThreatKey offers continuous, real-time SaaS monitoring, looking for misconfigurations, vulnerabilities, and evidence of cyberattacks in your SaaS usage. Our in-depth knowledge of SaaS security enables us to integrate with SaaS applications like Salesforce, Google Workspace, Microsoft 365, Slack, Box, GitHub, Okta, and more. Try ThreatKey for free today.

‍