AppGov Score Blog

Check out our latest updates!

ENow App Governance Accelerator 2.2: Continuous Monitoring, Detection, and Alerting for Entra ID Apps to Improve SSPM

June 26, 2024 ENow Software

SaaS Security Posture Management

In today's rapidly evolving threat landscape, the need for robust SaaS Security Posture Management (SSPM) has never been more critical. High-profile incidents, such as Midnight Blizzard's (also known as Cozy Bear) attacks on Microsoft, have underscored the vulnerabilities in SaaS applications and their configurations. These incidents highlight the increasing sophistication of cyber threats and the necessity for continuous monitoring, detection, and alerting to safeguard enterprise environments.

SaaS Security Posture Management Improvements via Entra ID Application Governance and Security

Recent cybersecurity incidents, notably the attacks by Midnight Blizzard (also known as Cozy Bear), have shined a light on the critical need for vigilant SSPM. These incidents revealed how sophisticated adversaries exploit vulnerabilities in SaaS applications and take advantage of misconfigurations, emphasizing that even one compromised application can lead to significant breaches. With IBM reporting the average cost of a data breach at an all-time high of $4.45 million, and Verizon reporting a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years (a 180% increase), it's imperative for organizations to stay ahead of these SaaS threats. 

A Perfect Storm is Brewing for Adversaries

SaaS Application usage is increasing. On average, as of 2020, large enterprises use 288 SaaS applications. This increase is also evident in growing SaaS spending. Gartner reports a 20% growth in SaaS spending to total $247.2 billion in 2024.  

Users’ widespread adoption of SaaS apps increases the potential for security misconfiguration and vulnerabilities. To add to this complexity and increased attack surface, these apps are often integrated outside the purview of IT. Gartner predicts that “by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.”  

Without visibility into an organization’s SaaS application landscape, it’s nearly impossible for IT teams to secure and govern these highly integrated services.  

ENow's App Governance Accelerator 2.2 release focuses on Continuous Monitoring, Detection, and Alerting to address these challenges. These elements are vital for maintaining strong application governance and security: 

  • Continuous Monitoring: This ensures that all SaaS applications in Entra ID are consistently scrutinized for any changes or anomalies. This also helps organizations prevent configuration drift. 
  • Detection: Effective detection mechanisms identify when something is amiss, such as unauthorized access or misconfigurations. 
  • Alerting: Timely alerts notify security teams of potential threats, enabling swift responses to mitigate risks. 

Strengthen SaaS Security Posture Management:
Key Features and Benefits of ENow App Governance Accelerator 2.2
 

Our new release introduces a range of new monitoring reports and alerting features designed to enhance your organization's ability to manage and secure its SaaS applications: 

Alert on the Creation of ServicePrincipal/User with Elevated Permissions: 

This feature detects and alerts when a serviceprincipal or user is granted permissions and/or roles that could elevate its privileges, potentially adding a Microsoft Entra ID object or user account to an Admin directory role. 

Alert on the Configuration of an App Registration or Enterprise App with High-Risk Privileges and/or Roles and Added Credentials: 

This feature notifies when an app registration or Enterprise App is configured with high-risk privileges or roles and added credentials, which could be an indicator of compromise (IoC) of various threat actors. High-risk privileges are defined by Microsoft and input from the Microsoft security MVPs that govern the AppGov Score. 

Alert on the Configuration of Offline Access for a Recently Created Enterprise Application: 

This rule alerts when a user consents to provide a previously unknown Azure application with offline access via OAuth. Offline access allows the Azure app to access resources without requiring multifactor authentication. Consent to offline access is rare.  

Alert on Cozy Bear | UNC2452 Scenario: 

This rule is specifically designed to detect patterns, tactics, and behaviors that are indicators of compromise (IoCs) by Cozy Bear/Midnight Blizzard attacks, such as OAuth application abuse using the EWS.AccessAsUser.All Microsoft Graph API role or the Exchange Online ApplicationImpersonation role to enable access to email. This alert enhances your protection against this threat actor.   

New Report in App Registration Section - App Registrations API Permissions: 

This report provides detailed insights into app registrations and their API permissions, helping to identify and mitigate potential security risks. 


Take Control of Your Entra ID Application Landscape 

As the SaaS landscape expands, so do the associated security risks and organizations’ attack surfaces. Our latest SSPM enhancements are designed to provide comprehensive visibility, continuous monitoring, and effective detection and alerting mechanisms. By leveraging these new features, organizations can proactively manage their Entra ID SaaS environments, ensuring robust security and compliance. ENow App Governance Accelerator 2.2 empowers organizations to take control of their Entra ID application landscape, equipping them with the tools needed to proactively illuminate potential threats and streamline app management in Entra.

For a comprehensive overview of all features and improvements introduced in this release, please contact us to schedule a call. 


Stay Secure. Stay Ahead. 

Checkout our Community Forum and engage with our experts about Entra ID.  

The AppGov Community Forum is moderated by Microsoft Security & Identity MVPs and subject-matter experts to answer your questions around Entra ID, managing Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application's lifecycle. 

Do you know what apps are lurking in your tenant? ENow App Governance Accelerator helps organizations quickly get in control of their Entra ID apps and remain in control. It enables them to understand their current security posture, what they need to do to improve it, and accelerates making the necessary changes to get to their desired state. Get the ENow App Governance Accelerator Platform today!

Share This:

ENow Software

Written by ENow Software