Securing Your SaaS: Netskope Recommends SSPM, Real-World Coaching to Stymie SaaS-Based Attacks
As Software-as-a-Service (SaaS) becomes a staple in the business world, it’s likely part of your operations, too. Your organisation could be using a solitary app or several of them. Either way, you should tell your staff to be very careful and vigilant.
SaaS use has grown exponentially over the years, with organisations using as many as 130 of these apps on average as of 2022, compared to just 8 in 2015. It is easy to see why companies are gravitating towards utilising SaaS platforms, as doing so allows organisations to focus on their core vision and gives them operational flexibility with their choice of ready-made solutions for various business functions, including customer support and marketing.
No time-consuming coding. No need to design a solution from scratch. No hassles.
But there is a trade-off for all that convenience. There always is.
One of the trade-offs is an increased attack surface that makes your business more vulnerable to threat actors. Several Twilio customers—163 in total out of over 270,000 clients, according to the company itself—found this out the hard way in 2022 after cybercriminals used phishing to gain unauthorised access to the communication platform’s internal systems and steal customer data. Twilio owned up to the incident and promised to do better, even though the whole breach was essentially due to staff members falling for the age-old trick of phishing.
SaaS Security Is a Shared Responsibility, Too
This leads us to a critical point raised by Steve Riley, VP & Field CTO at Netskope, in an exclusive virtual interview with Cybersecurity Asia (CSA): SaaS platforms are generally secure, with companies like Twilio, for instance, doing their best to implement security measures that make these applications safe to use. However, the ways these services are actually used make them a risk to the organisations that rely on them so heavily.
“SaaS applications themselves are more difficult for attackers to target than an infrastructure setup, either on-premises or in the cloud, because especially [in the case of] the really well-known SaaS applications, [they] have done a pretty decent job of securing themselves,” Riley told CSA. “The thing that kind of concerns me about SaaS application security is about the application itself as there’s no standardised way for vendors to report when someone tried to breach the application. There’s no mechanism for CVEs or anything like that because it’s not something that customers have to download.”
Ultimately, according to Riley, customers play a big part in making sure the SaaS solutions they use are not being exploited by threat actors as points of attack. But what exactly can customers do? What falls under their purview of control?
It turns out, quite a lot, actually.
“The SaaS application is continuously updated, and when something has changed, a customer might receive a notice about that. So, what we’re concerning ourselves more along the lines is, ‘What is it that customers can control?’” Riley noted. “They can control whether the SaaS apps they subscribe to become, for example, a source of malware. What else can customers control? Customers can control what data is going into and out of a SaaS application. Customers can control their ability to detect threats that might be stored in or are being transmitted by the SaaS application.”
For instance, organisations can implement security policies to control data movement across third-party services, like OneDrive (or SharePoint), or prevent their employees from downloading sensitive data from their SaaS solutions and uploading the same to their personal clouds (one of the top reasons for data loss today). Business leaders can also train their staff to recognise and avoid phishing attempts, which is a bigger challenge than it seems considering how 68% of organisations surveyed by Proofpoint admitted to falling victim to this social engineering ploy.
Coaching, Not Training, Is Key
Riley, though, would rather eschew the traditional methods used in annual security training—the kind where employees “watch some kind of scenario with second-rate actors and poorly contrived stories” and are then asked to answer a quiz to supposedly check what they have learned. A better alternative, according to the Netskope executive, is what he calls “coaching,” where employees are guided during actual real-world situations rather than by merely watching videos and presentations (which, if you really think about it, amounts to rote memorisation).
“So, if someone is uploading sensitive data to a private LLM, that’s fine because the model is private. Nobody outside the company can see it,” Riley explained. “But if someone’s uploading some information and a little bit of it is sensitive to, let’s say, public ChatGPT, what we can do is put a prompt on the screen that reminds the person that this is a public service, that sensitive data doesn’t belong in public services, that sensitive data will be redacted, but all other data can go to the public model.”
Again, real-world guidance. In real time. And involving real people.
“This is how adults learn. Because they see the message, they realise something they just did triggered that message, and then they’ll remember that,” he added. “We can actually rewire the neurons in humans’ brains when we can create these sorts of teachable moments. And then, because they’ve had that moment and they remember it, they’ll know in the future to be more careful about what they’re doing with SaaS applications.”
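The inline coaching Riley describes, as an added illustration that is not Netskope's code: an upload is inspected, sent untouched to a private model, and redacted with an on-screen reminder when bound for a public one. The destination inventory, the two detectors and the domain names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed detectors for illustration only; a real deployment would use the
# organisation's own DLP classifiers rather than these two regexes.
SENSITIVE_PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "internal_project": re.compile(r"\bPROJECT-[A-Z]{3,}\b"),
}

# Hypothetical app inventory: which LLM endpoints are private to the company.
# Anything not listed is treated as public (fail closed).
APP_PRIVACY = {"internal-llm.example": "private", "public-llm.example": "public"}

@dataclass
class Decision:
    action: str               # "allow" or "redact"
    text: str                 # content actually forwarded to the destination
    findings: List[str]       # detector names that fired
    coaching: Optional[str]   # message shown to the user, if any

def inspect_upload(destination: str, text: str) -> Decision:
    """Decide what to forward and whether to show a coaching prompt."""
    findings = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]
    if APP_PRIVACY.get(destination) == "private" or not findings:
        # Private model, or nothing sensitive found: pass through silently.
        return Decision("allow", text, findings, None)
    redacted = text
    for name in findings:
        redacted = SENSITIVE_PATTERNS[name].sub(f"[REDACTED:{name}]", redacted)
    # The teachable moment: tell the user what happened and why, then let the
    # non-sensitive remainder proceed rather than blocking the whole request.
    msg = (f"{destination} is a public service. Sensitive data "
           f"({', '.join(findings)}) was redacted; the rest of your text was sent.")
    return Decision("redact", redacted, findings, msg)
```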
Setting Policies Matters Just the Same
But for all the good coaching can do, it always helps to have a combination of policies and technologies complementing it. This combination of technologies and policies is at the core of SaaS Security Posture Management (SSPM), which refers to a set of tools and practices designed to continuously assess, monitor, and manage the security risks associated with using SaaS applications.
Netskope SSPM is a prime example, continuously checking organisations’ security posture by comparing their SaaS app settings with security policies and industry benchmarks, including those set by the National Institute of Standards and Technology, Health Insurance Portability and Accountability Act, Cloud Security Alliance, and General Data Protection Regulation. Just as important, this SSPM complements Netskope’s industry-leading Cloud Access Security Broker, providing powerful graph-based detections and visualisations that help expose hidden risks and security gaps.
According to Riley, Netskope SSPM generates alerts and remediation instructions whenever risky configurations or policy drifts are detected—enabling coaching and preventing potential incidents at the same time.
“What we can do with this feature in our product is look at how a person’s current SaaS application is configured, compare that to what we would suggest as good starting points, and then generate a report that says, okay, go do these five things in the configuration to reduce these five kinds of risk,” Riley said when asked specifically about what organisations can do to protect their SaaS use. “After that, the customer should configure Netskope so that all the SaaS traffic passes through us. And our customers can then write policies that control the circumstances of who interacts with which data at what times for what reasons.”
Basically, Netskope lets you determine who uses your SaaS applications and how, and then relies on these preset criteria to monitor your SaaS usage. Anything that strays from those policies is flagged, repelling attackers and keeping your SaaS use safe and secure.
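The posture comparison and drift alerting described above, as an added example that is not Netskope SSPM's code: a tenant's settings are checked against a baseline, each failing control yields a finding with its risk and remediation, and a second snapshot is compared to alert only on newly drifted controls. The setting names, thresholds and tenant snapshots are constructed and do not correspond to any vendor's real configuration keys.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Control:
    setting: str
    check: Callable[[object], bool]   # True when the observed value is compliant
    risk: str
    remediation: str

# Constructed baseline for a hypothetical SaaS tenant (illustrative names only).
BASELINE: List[Control] = [
    Control("mfa_required", lambda v: v is True,
            "account takeover via phished passwords",
            "Enable mandatory MFA for all users"),
    Control("external_sharing", lambda v: v in ("disabled", "allowlisted_domains"),
            "data exfiltration to personal clouds",
            "Restrict link sharing to allowlisted domains"),
    Control("session_timeout_minutes", lambda v: isinstance(v, int) and v <= 60,
            "reuse of a stolen session",
            "Set idle session timeout to 60 minutes or less"),
    Control("third_party_app_consent", lambda v: v == "admin_only",
            "malicious OAuth app granted data access by a user",
            "Require admin approval for third-party app consent"),
]

def assess_posture(current: Dict[str, object]) -> List[dict]:
    """Compare a tenant's settings with the baseline; one finding per failing control."""
    findings = []
    for ctl in BASELINE:
        value = current.get(ctl.setting)   # a missing setting counts as non-compliant
        if not ctl.check(value):
            findings.append({"setting": ctl.setting, "observed": value,
                             "risk": ctl.risk, "remediation": ctl.remediation})
    return findings

def detect_drift(previous: Dict[str, object], current: Dict[str, object]) -> List[dict]:
    """Alert only on controls that were compliant in the earlier snapshot and are not now."""
    already_failing = {f["setting"] for f in assess_posture(previous)}
    return [f for f in assess_posture(current) if f["setting"] not in already_failing]
```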
And with SaaS-based attacks rising, that is all you can ever ask for—the chance to use your SaaS applications in peace and with peace of mind. It takes a lot of work, but the trade-off is worth it.