In today's rapidly evolving threat landscape, the need for robust SaaS Security Posture Management (SSPM) has never been more critical. High-profile incidents, such as Midnight Blizzard's (also known as Cozy Bear) attacks on Microsoft, have underscored the vulnerabilities in SaaS applications and their configurations. These incidents highlight the increasing sophistication of cyber threats and the necessity for continuous monitoring, detection, and alerting to safeguard enterprise environments.
Recent cybersecurity incidents, notably the attacks by Midnight Blizzard (also known as Cozy Bear), have shone a light on the critical need for vigilant SSPM. These incidents revealed how sophisticated adversaries exploit vulnerabilities in SaaS applications and take advantage of misconfigurations, emphasizing that even one compromised application can lead to significant breaches. With IBM reporting the average cost of a data breach at an all-time high of $4.45 million, and Verizon reporting a 180% increase over previous years in attacks that exploit vulnerabilities as the critical path to initiate a breach, it's imperative for organizations to stay ahead of these SaaS threats.
SaaS application usage is increasing. As of 2020, large enterprises use 288 SaaS applications on average. This increase is also evident in growing SaaS spending: Gartner reports 20% growth in SaaS spending, to a total of $247.2 billion in 2024.
Users’ widespread adoption of SaaS apps increases the potential for security misconfiguration and vulnerabilities. To add to this complexity and increased attack surface, these apps are often integrated outside the purview of IT. Gartner predicts that “by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.”
Without visibility into an organization’s SaaS application landscape, it’s nearly impossible for IT teams to secure and govern these highly integrated services.
ENow's App Governance Accelerator 2.2 release focuses on Continuous Monitoring, Detection, and Alerting to address these challenges. These elements are vital for maintaining strong application governance and security:
Our new release introduces a range of new monitoring reports and alerting features designed to enhance your organization's ability to manage and secure its SaaS applications:
This feature detects and alerts when a service principal or user is granted permissions and/or roles that could elevate its privileges, potentially adding a Microsoft Entra ID object or user account to an Admin directory role.
This feature notifies when an app registration or Enterprise App is configured with high-risk privileges or roles and has credentials added, which could be an indicator of compromise (IoC) associated with various threat actors. High-risk privileges are defined by Microsoft and by input from the Microsoft security MVPs who govern the AppGov Score.
This rule alerts when a user consents to provide a previously unknown Azure application with offline access via OAuth. Offline access allows the Azure app to access resources without requiring multifactor authentication. Consent to offline access is rare.
This rule is specifically designed to detect patterns, tactics, and behaviors that are indicators of compromise (IoCs) of Cozy Bear/Midnight Blizzard attacks, such as OAuth application abuse using the EWS.AccessAsUser.All Microsoft Graph API role or the Exchange Online ApplicationImpersonation role to enable access to email. This alert enhances your protection against this threat actor.
This report provides detailed insights into app registrations and their API permissions, helping to identify and mitigate potential security risks.
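The correlation behind the alert rules above, written as an added Python example (not ENow's code or rule logic): it flags offline-access consent to a previously unknown app, and any app that both holds one of the high-risk permissions named above and has a credential added. The event schema, app ids and rule names are assumptions constructed for illustration.

```python
# Added illustration: the event records below are a simplified, constructed
# schema (assumption), not the Entra ID audit-log format or ENow's rule logic.
HIGH_RISK = {"EWS.AccessAsUser.All", "ApplicationImpersonation"}  # named on this page


def detect(events, known_apps):
    """Return (rule, app_id) alerts for a time-ordered list of events."""
    alerts = []
    risky = set()       # apps holding a permission or role from HIGH_RISK
    with_cred = set()   # apps that had a credential (secret/certificate) added
    for ev in events:
        app, kind = ev["app_id"], ev["type"]
        if kind == "consent":
            scopes = set(ev["scopes"])
            # Rule: offline access granted to an app not seen before.
            if "offline_access" in scopes and app not in known_apps:
                alerts.append(("offline-access-unknown-app", app))
            if scopes & HIGH_RISK:
                risky.add(app)
        elif kind == "role_grant" and ev["role"] in HIGH_RISK:
            risky.add(app)
        elif kind == "credential_added":
            with_cred.add(app)
        # Rule: high-risk access combined with an added credential,
        # in either order; alert once per app.
        combo = ("high-risk-plus-credential", app)
        if app in risky and app in with_cred and combo not in alerts:
            alerts.append(combo)
    return alerts


# Constructed sample events (hypothetical app ids).
SAMPLE_EVENTS = [
    {"type": "consent", "app_id": "app-known", "scopes": ["openid", "offline_access"]},
    {"type": "consent", "app_id": "app-new", "scopes": ["offline_access", "EWS.AccessAsUser.All"]},
    {"type": "credential_added", "app_id": "app-legacy"},
    {"type": "credential_added", "app_id": "app-new"},
    {"type": "role_grant", "app_id": "app-legacy", "role": "ApplicationImpersonation"},
    {"type": "role_grant", "app_id": "app-hr", "role": "User.Read"},
]

if __name__ == "__main__":
    known = {"app-known", "app-legacy", "app-hr"}
    for rule, app in detect(SAMPLE_EVENTS, known_apps=known):
        print(f"ALERT {rule}: {app}")
```

Because the credential and the high-risk grant are tracked separately, the combined alert fires whichever of the two events arrives first.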
As the SaaS landscape expands, so do the associated security risks and organizations’ attack surfaces. Our latest SSPM enhancements are designed to provide comprehensive visibility, continuous monitoring, and effective detection and alerting mechanisms. By leveraging these new features, organizations can proactively manage their Entra ID SaaS environments, ensuring robust security and compliance. ENow App Governance Accelerator 2.2 empowers organizations to take control of their Entra ID application landscape, equipping them with the tools needed to proactively illuminate potential threats and streamline app management in Entra.
For a comprehensive overview of all features and improvements introduced in this release, please contact us to schedule a call.
Stay Secure. Stay Ahead.