5 min read
April 29, 2025

Pain Point #5: Insider Threats and Identity Challenges

Google Workspace Security: Insider Threats and Identity Challenges

Challenge: 

Our organization's resources are accessed from many locations and devices, so it’s difficult to know what identities exist, and what apps are in use, let alone deal with actual threats from risky identities. A few years ago, a former contractor exploited a misconfigured firewall. He went on to access our customer accounts and credit card applications. This data breach cost our company millions, and we’re still recovering.

Google Workspace is not foolproof to identity breaches: a recent vulnerability allowed hackers to bypass the email verification step when creating accounts, and impersonate legitimate account owners. Even more threatening is that Google’s domain-wide delegation can unintentionally give users unauthorized access to an entire Workspace domain.

It’s a constant headache to protect our sensitive data from being misused, exfiltrated, corrupted or deleted.

Solution:

DoControl connects the dots between all your SaaS apps, including Google Workspace, Slack, HRIS and IdPs, to provide your organization with a robust and secure ITDR (identity threat detection and response) solution.

DoControl’s Identity and Risk Management solution is based uniquely on enriched data context, and determines the risk profile for each identity in your SaaS ecosystem. With DoControl, you can automatically monitor and respond to any identity-initiated threats before they escalate into full-blown security incidents.

What are Identity Threats?

The growing number of identities across SaaS apps has driven a surge in identity-based attacks, making them a major threat to organizations. Most attacks and breaches are identity-initiated: the attacker acts through the identity of a legitimate internal user rather than exploiting a software vulnerability. Identity infrastructure is no longer centrally controlled or confined to one network; it spans the internet, federating access to many third-party apps and services.

As more companies adopt cloud services, remote work, and bring-your-own-device policies, attackers try to exploit identities to gain the keys to your kingdom.

Identity threats range from common attacks–such as compromised or stolen credentials, phishing, and insider threats–to sophisticated attacks–such as Oktajacking, risky OAuth scopes, and stealing password manager secrets.

Identity-based attacks are particularly dangerous because they use legitimate credentials to access systems, making these breaches harder to detect with traditional security tools.

What's the Risk?

End users are the weakest link in your organization’s SaaS security chain, so it’s no surprise that most data breaches are identity-initiated. The cloud has become the locus for sensitive and valuable company data, but it has also expanded the identity attack surface. SaaS apps are directly exposed on the internet, so a valid identity is all an attacker needs to reach them.

Multiple identities across SaaS systems mean there is more than one way into your organization. With so many identity attack vectors, your defenses need to stay several steps ahead.

Consider these identity attack statistics:

Top Identity Attack Vectors

Identity-initiated data breaches occur when internal users are exploited by attackers to gain entry into organizations, or insiders act maliciously to exfiltrate data.

Let’s take a closer look at identity attack vectors and some real-life examples to understand why organizations need an identity solution in place:

Account Takeover

Attackers often use phishing or social engineering techniques to steal credentials from unknowing employees – they do this by impersonating IT or executives to trick employees into revealing login information. Once obtained, these credentials can be used to access internal systems, and steal, expose and delete company data. Besides financial and reputational loss, organizations can also risk hefty compliance fines if sensitive data is exposed.

Analyzing user behavior for unusual data-access patterns helps identify account takeover and potential insider threats, and stop sensitive data from being exfiltrated.

Real-life example: In 2020, attackers ran a phone-based spear-phishing campaign against Twitter employees. They first gathered information about internal systems and processes, then used it to convince employees with access to internal account-support tools to hand over credentials. With those tools, the attackers targeted 130 high-profile Twitter accounts and used them to promote a bitcoin scam.

Although this scam caused relatively little financial damage, it highlights how vulnerable employees are when it comes to revealing credentials and access mechanisms.

Insider Attacks

Disgruntled or departing employees who leave on bad terms pose a significant insider threat: they may attempt to exfiltrate company data, or avenge their grievances by modifying, deleting or corrupting critical data repositories.

Google Workspace security can be compromised by employees with legitimate access in several ways:

  • Insider collusion - Disgruntled or about-to-leave employees may share login credentials with unauthorized parties, or collaborate with external attackers to compromise systems or steal data. In deliberate collusion, employees or contractors exploit legitimate access for malicious purposes, such as disclosing confidential information to attackers or competitors, disrupting services by misconfiguring settings, or installing malware under their own credentials. In coerced collusion, internal users are bribed or blackmailed into providing access to internal systems or sensitive data.
  • Over-permissioned employees - Sometimes internal users abuse their privileges by accessing data they shouldn't have permission to view, creating accounts for unauthorized users, and modifying access controls to give others inappropriate levels of access.

Real-life example: When the COVID-19 pandemic started, 81% of the global workforce found their workplace wholly or partially closed.

A vice president at Stradis Healthcare, a medical packaging company, lost his job in 2020. Upset by his dismissal, he logged into the company’s shipping system through a fake user account he had created while still employed, then deleted critical shipping records, delaying deliveries of essential personal protective equipment (PPE).

This deletion of essential data was especially threatening, since the PPE supplies were earmarked for hospitals and healthcare workers fighting the COVID-19 outbreak.

Supply Chain Attacks

Employees using unsanctioned Google Workspace shadow apps can unknowingly open a back door for supply chain attacks. These attacks bypass traditional defenses by abusing legitimate access paths or tampered software updates.

A supply chain attack exploits vulnerabilities in third-party vendors, such as an unsanctioned shadow app, to compromise trusted identities, gain unauthorized access to an organization's Google Workspace, and then expose sensitive information.

Real-life example: In January 2023, CircleCI disclosed that malware on an engineer’s laptop had stolen a valid, 2FA-backed SSO session. Impersonating that engineer, attackers reached CircleCI’s production systems and extracted the secrets customers had stored in the platform: environment variables, API tokens and signing keys.

Because CI services hold tokens for customers’ GitHub repositories and cloud accounts, a breach there is a breach of every customer that trusted it: CircleCI told all customers to rotate every secret stored in the platform and to audit their own logs for misuse. Any CI or build integration that a team connects to Google Workspace or GitHub without security review holds the same kind of access, unmonitored.

The adverse effects of supply chain attacks don’t just apply to your company, they also wreak havoc on your customers.

Data Exfiltration

Organizations that run on SaaS struggle to monitor and prevent unauthorized data exfiltration, whether by internal or external parties. Departing and former employees are the riskiest insider threat:

  • Internal data exfiltration - Employees with authorized access often share sensitive data with external collaborators, including their own personal email accounts. With legitimate access, it’s easy for internal users to download sensitive data from Google Drive to personal cloud storage or devices, and then share confidential information with anyone outside the organization.
    • Insiders can also expose more information than necessary, or accidentally make sensitive documents publicly accessible.
    • Departing employees who don’t leave on good terms are especially risky, since they may try to exfiltrate or destroy company data.
  • External data exfiltration - Users outside your organization, including former employees and contractors, can access and exfiltrate sensitive assets. This happens when a departed user’s Google Workspace account was never suspended or deleted, so they still have access to your organization’s SaaS apps.
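The offboarding gap described above is easy to check for mechanically. The script below is an added example, not DoControl’s code: it reconciles a constructed HRIS export against a constructed Workspace directory listing and login log, and reports terminated users who are still not suspended, logins that happened after a termination date, and accounts nobody in HRIS owns. The record shapes (the `suspended` field of an Admin SDK Directory user, trimmed login audit events) are assumptions; a real run would replace the lists with API results.

```python
"""Offboarding drift check: terminated in HRIS but still usable in Google Workspace.

Added example, not DoControl's code. The HRIS rows, directory records and
login events are constructed. The directory records mirror the 'suspended'
field of the Admin SDK Directory API user resource and the login events
loosely mirror Reports API login activity; both shapes are assumptions.
"""
from datetime import datetime, timezone

HRIS = [  # constructed HRIS export
    {"email": "alice@example.com", "status": "active", "termination_date": None},
    {"email": "bob@example.com", "status": "terminated", "termination_date": "2025-03-31"},
    {"email": "carol@example.com", "status": "terminated", "termination_date": "2025-04-15"},
    {"email": "dave@example.com", "status": "terminated", "termination_date": "2025-02-01"},
]

DIRECTORY = [  # constructed Workspace directory listing
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "bob@example.com", "suspended": False},         # offboarding never completed
    {"primaryEmail": "carol@example.com", "suspended": True},        # offboarded correctly
    {"primaryEmail": "dave@example.com", "suspended": False},        # never suspended, still logging in
    {"primaryEmail": "svc-backup@example.com", "suspended": False},  # account with no HRIS owner
]

LOGIN_EVENTS = [  # constructed login audit events
    {"actor": "alice@example.com", "time": "2025-04-20T08:12:00Z", "event": "login_success"},
    {"actor": "bob@example.com", "time": "2025-03-30T09:00:00Z", "event": "login_success"},
    {"actor": "carol@example.com", "time": "2025-04-16T10:00:00Z", "event": "login_failure"},
    {"actor": "dave@example.com", "time": "2025-04-22T23:41:00Z", "event": "login_success"},
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def offboarding_findings(hris, directory, logins):
    """Reconcile HRIS against the directory and the login log.

    Returns three lists: terminated users who are not suspended, successful
    logins by a terminated user at or after their termination date, and
    directory accounts with no HRIS owner (service or orphaned accounts that
    nobody will think to offboard).
    """
    cutoffs = {
        r["email"]: datetime.fromisoformat(r["termination_date"]).replace(tzinfo=timezone.utc)
        for r in hris if r["status"] == "terminated"
    }
    known = {r["email"] for r in hris}
    findings = {"not_suspended": [], "post_termination_login": [], "unmanaged_accounts": []}

    for user in directory:
        email = user["primaryEmail"]
        if email in cutoffs and not user["suspended"]:
            findings["not_suspended"].append(email)
        if email not in known:
            findings["unmanaged_accounts"].append(email)

    for ev in logins:
        cutoff = cutoffs.get(ev["actor"])
        if cutoff and ev["event"] == "login_success" and parse_ts(ev["time"]) >= cutoff:
            findings["post_termination_login"].append((ev["actor"], ev["time"]))
    return findings


if __name__ == "__main__":
    for kind, items in offboarding_findings(HRIS, DIRECTORY, LOGIN_EVENTS).items():
        print(f"{kind}: {items}")
```

Run daily, the first list is the remediation queue (suspend the account, revoke OAuth tokens and app passwords, transfer Drive ownership), the second is an incident, and the third is where shared mailboxes and service accounts with no human owner accumulate.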

Real-life example: 

In 2022, a research scientist about to leave Yahoo downloaded roughly 570,000 pages of proprietary information about Yahoo’s AdLearn product to his personal devices, expecting the material to help him in a new job at a competitor.

Yahoo sued the former employee on three claims, including trade secret misappropriation, arguing that his actions stripped Yahoo of exclusive control over its trade secrets and handed competitors a major advantage.

Introducing DoControl’s Identities Module

With DoControl's Identity Risk Management solution, you can discover and monitor your SaaS identities, automatically retrieve identity data, and protect your organization from identity threats. DoControl aggregates user data into a single identity for organization-wide risk posture management, enabling you to:

  • Monitor, track, and manage risky users across SaaS identities
  • Compare user behavior, login activities, and authentication patterns to detect access anomalies and potential threats
  • Get notified for any unusual or anomalous activity, such as login attempts from strange locations, or dramatic changes in a user’s risk score. You can then remediate overexposure in real-time.

DoControl leverages these tools to automatically monitor, mitigate and remediate the risks associated with identities across your SaaS apps:

  • Single identity posture
  • Automatic watchlist monitoring
  • Playbooks for identity risk management
  • Identity data retrieval

Single Identity Posture

DoControl aggregates all user data into a single identity posture. The risk profile for each identity is based on comprehensive data collection, user permissions, IP access locations, and relevant business context. 

Strong benchmarking data enables you to correlate abnormal identity activity with posture. DoControl monitors excessive file sharing–like when a user publicly shares assets, performs massive downloads, and installs shadow apps. Using department benchmarking and HRIS metadata, DoControl indicates whether this file sharing is a standard part of a user’s role, or if it's something more suspicious.
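To make the benchmarking idea concrete, here is an added example (not DoControl’s code) that scores users against their own department. It turns constructed Drive audit events into per-user counts of external shares, public-link shares and downloads, looks up each user’s department from constructed HRIS metadata, and fires a signal only when a count is both above an absolute floor and well above the department median, so a salesperson who shares with partners all day scores zero while an engineer doing the same stands out. The event and parameter names only loosely follow the Workspace Reports API Drive audit log, and the weights and thresholds are assumptions.

```python
"""Department-benchmarked sharing anomalies.

Added example, not DoControl's code. The Drive events are constructed and
only loosely follow the Workspace Reports API 'drive' application; event
names, parameter names, weights and thresholds are all assumptions.
"""
from collections import Counter, defaultdict
from statistics import median

CORP_DOMAIN = "example.com"
WEIGHTS = {"external_shares": 30, "downloads": 25, "public_shares": 40}

HRIS = {  # constructed HRIS metadata: user -> department
    "alice@example.com": "sales", "bob@example.com": "sales", "cara@example.com": "sales",
    "dan@example.com": "engineering", "eve@example.com": "engineering", "fay@example.com": "engineering",
}


def share_events(actor, n, target_domain="partner.io"):
    """Construct n 'change_user_access' events granting access to an outside domain."""
    return [{"actor": actor, "name": "change_user_access",
             "parameters": {"target_user": f"user{i}@{target_domain}", "doc_title": f"doc-{i}"}}
            for i in range(n)]


def download_events(actor, n):
    """Construct n 'download' events."""
    return [{"actor": actor, "name": "download", "parameters": {"doc_title": f"doc-{i}"}} for i in range(n)]


DRIVE_EVENTS = (  # sales shares with partners routinely; one engineer does not behave like engineering
    share_events("alice@example.com", 8) + share_events("bob@example.com", 7) + share_events("cara@example.com", 9)
    + share_events("eve@example.com", 1) + share_events("fay@example.com", 12, "gmail.com")
    + [{"actor": "fay@example.com", "name": "change_document_visibility",
        "parameters": {"visibility": "public_on_the_web", "doc_title": "roadmap"}}]
    + download_events("alice@example.com", 20) + download_events("bob@example.com", 25)
    + download_events("dan@example.com", 10) + download_events("fay@example.com", 240)
)


def per_user_metrics(events, corp_domain=CORP_DOMAIN):
    """Count the three signals per actor; any share outside corp_domain is external."""
    metrics = defaultdict(Counter)
    for ev in events:
        actor, params = ev["actor"], ev["parameters"]
        if ev["name"] == "change_user_access":
            if params.get("target_user", "").rsplit("@", 1)[-1].lower() != corp_domain:
                metrics[actor]["external_shares"] += 1
        elif ev["name"] == "change_document_visibility":
            if params.get("visibility") in ("public_on_the_web", "people_with_link"):
                metrics[actor]["public_shares"] += 1
        elif ev["name"] == "download":
            metrics[actor]["downloads"] += 1
    return metrics


def score_identities(events, hris, ratio=3.0, floor=5):
    """Score each user against their department median.

    A volume signal fires only when the count is at least `floor` (so 1 vs 0
    never fires) and at least `ratio` times the department median; a public
    link share fires regardless of benchmark. Scores are capped at 100.
    """
    metrics = per_user_metrics(events)
    by_dept = defaultdict(list)
    for email, dept in hris.items():
        by_dept[dept].append(email)

    results = {}
    for dept, members in by_dept.items():
        baseline = {k: median([metrics[u][k] for u in members]) for k in WEIGHTS}
        for user in members:
            signals, score = [], 0
            for key, weight in WEIGHTS.items():
                count = metrics[user][key]
                if key == "public_shares":
                    fired = count > 0
                else:
                    fired = count >= floor and count >= ratio * max(baseline[key], 1)
                if fired:
                    signals.append(f"{key}={count} (dept median {baseline[key]:g})")
                    score += weight
            results[user] = {"department": dept, "score": min(score, 100), "signals": signals}
    return results


if __name__ == "__main__":
    ranked = sorted(score_identities(DRIVE_EVENTS, HRIS).items(), key=lambda kv: -kv[1]["score"])
    for user, r in ranked:
        print(f"{user:22} {r['department']:12} score={r['score']:3}  {'; '.join(r['signals'])}")
```

The median, not the mean, is the benchmark on purpose: one outlier in a small department would otherwise drag the baseline up and hide itself. The absolute floor matters for the same reason; in a department where nobody shares externally, a single share should raise an eyebrow, not a page.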

Automatic Watchlist Monitoring

With DoControl's watchlist, you can proactively monitor internal users, and detect potential threats before they escalate into security incidents. Internal users who warrant watchlist monitoring include:

  • Users with a history of suspicious behavior or terms of service violations
  • Employees who are assigned to a performance improvement plan (PIP)
  • Users who have demonstrated unusual usage patterns that require closer scrutiny

DoControl's identity watchlist is an early warning system that flags unusual behavior patterns among your users. It gives you instant visibility into account compromise or insider threats for high-risk users.

There’s no need to manually search and investigate risky users at regular intervals. DoControl’s watchlist prioritizes your investigation efforts by focusing on users who pose the greatest potential risk.

Playbooks for Identity Risk Management

Simply detecting an identity threat is not enough. DoControl allows you to respond in real time to identity-initiated breaches and security incidents with automated playbooks:

  • Get instant notification whenever a user’s risk score changes, and the user becomes risky 
  • Add potentially risky users to a watchlist to monitor their behavior and risk score
  • Monitor and remediate overexposure that’s initiated by watchlist users, especially if they share assets with their own personal email, or they download files containing sensitive content

To address multiple use cases of identity risk management across various SaaS apps, you can define automated workflows with DoControl's out-of-the-box playbooks. 
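The three playbook behaviours above (alert on a risk score crossing into risky, add to the watchlist, remediate a watchlisted user’s share to a personal mailbox or sensitive download) map onto a small stateful rule engine. The code below is an added example, not DoControl’s playbooks or API: it consumes a constructed stream of identity events and emits named actions instead of calling real APIs. The threshold, the personal-domain list, the event shapes and the action names are assumptions. It goes slightly beyond the text in one respect: it checks whether the personal mailbox looks like the user’s own (matching local part), since that is the case the page calls out.

```python
"""Identity-risk playbook runner (added example, not DoControl's code).

Rules: notify when a user's risk score crosses RISK_THRESHOLD (once, not on
every change), add that user to the watchlist, revoke and notify when a
watchlisted user shares a file to a personal mailbox, and notify when a
watchlisted user downloads a sensitive file. All shapes and names are assumed.
"""
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com", "proton.me"}
RISK_THRESHOLD = 70


def looks_like_own_personal_email(corp_email, target):
    """alice@example.com sharing to alice@gmail.com or alice.smith@gmail.com."""
    def norm(local):
        return local.replace(".", "").replace("_", "")
    corp_local = norm(corp_email.lower().partition("@")[0])
    tgt_local, _, tgt_domain = target.lower().partition("@")
    tgt_local = norm(tgt_local)
    if tgt_domain not in PERSONAL_DOMAINS:
        return False
    return tgt_local == corp_local or (len(corp_local) >= 3 and tgt_local.startswith(corp_local))


def new_state():
    return {"risk": {}, "watchlist": set()}


def run_playbook(events, state):
    """Apply the rules to events in order; mutates state and returns (action, user, detail) tuples."""
    actions = []
    for ev in events:
        user = ev["user"]
        if ev["type"] == "risk_score_changed":
            old, new = state["risk"].get(user, 0), ev["score"]
            state["risk"][user] = new
            if new >= RISK_THRESHOLD > old:  # fire on the crossing, not on every later change
                actions.append(("notify", user, f"risk score {old} -> {new}"))
                if user not in state["watchlist"]:
                    state["watchlist"].add(user)
                    actions.append(("watchlist_add", user, "risk threshold crossed"))
        elif ev["type"] == "share_added":
            target = ev["target"]
            domain = target.rsplit("@", 1)[-1].lower()
            if user in state["watchlist"] and domain in PERSONAL_DOMAINS:
                why = "own personal mailbox" if looks_like_own_personal_email(user, target) else "personal mailbox"
                actions.append(("revoke_share", user, f"{ev['doc']} -> {target} ({why})"))
                actions.append(("notify", user, f"shared {ev['doc']} with {why}"))
        elif ev["type"] == "download":
            if user in state["watchlist"] and ev.get("sensitive"):
                actions.append(("notify", user, f"downloaded sensitive file {ev['doc']}"))
    return actions


EVENTS = [  # constructed event stream
    {"type": "share_added", "user": "bob@example.com", "target": "bob.k@gmail.com", "doc": "Q2 forecast"},  # not yet watchlisted
    {"type": "risk_score_changed", "user": "bob@example.com", "score": 40},
    {"type": "risk_score_changed", "user": "bob@example.com", "score": 82},  # crosses the threshold
    {"type": "risk_score_changed", "user": "bob@example.com", "score": 90},  # still risky, no repeat alert
    {"type": "share_added", "user": "bob@example.com", "target": "bob.k@gmail.com", "doc": "customer list"},
    {"type": "share_added", "user": "bob@example.com", "target": "jane@partner.io", "doc": "SOW"},  # business domain
    {"type": "download", "user": "bob@example.com", "doc": "salaries.xlsx", "sensitive": True},
    {"type": "download", "user": "alice@example.com", "doc": "salaries.xlsx", "sensitive": True},  # not watchlisted
]

if __name__ == "__main__":
    for action in run_playbook(EVENTS, new_state()):
        print(action)
```

Two design points carry over to any real playbook engine: the risk-score rule must be edge-triggered (the first event stream above would otherwise page on every recalculation), and the first share to `bob.k@gmail.com` produces nothing because the user was not yet watchlisted, which is exactly why the watchlist should be fed from HRIS signals such as a resignation or a PIP as well as from risk scores.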

Identity Data Retrieval

You can retrieve identity data for any internal user with DoControl's automated workflows. Identity metadata is retrieved from multiple sources and includes both personal and risk exposure data.

If an employee in your organization is on the identity watchlist, and externally or publicly shares a sensitive asset, you can retrieve the user's current risk status to determine if the employee has behaved in other suspicious or potentially risky ways. The enriched identity data allows you to take smarter and more timely decisions to protect your organization’s data assets.

Final Thoughts

With DoControl, you can discover and monitor your SaaS identities and protect your organization from identity threats as they arise. Identify your risky internal users, and automatically detect and respond to identity-initiated breaches before they escalate into security incidents.

Sarah is DoControl's lead content writer, specializing in product documentation and supporting strategic marketing initiatives. She excels at translating complex technical use cases into clear, easy-to-understand content, helping users and the broader market fully grasp how to maximize the value of DoControl.
