Cyber risks in your daily business applications
Read any cybersecurity headlines and you’ll notice a trend: They increasingly involve business applications.
For example, email tool Mailchimp says intruders broke into its customer accounts via an “internal tool.” Marketing automation software HubSpot was infiltrated. Corporate password wallet Okta was compromised. Project management tool Jira made an update that accidentally exposed the private information of customers like Google and NASA.
This is one of cyber security’s newest fronts: your internal tools.
It’s only logical that malicious actors would intrude here next, or that employees would accidentally leave doors open. The average organization now has 843 SaaS applications and is increasingly dependent on them to run its core business. I was curious about what administrators can do to keep these apps secure, so I interviewed an old colleague, Misha Seltzer, a CTO and co-founder of Atmosec, who works in this area.
Why business applications are particularly vulnerable
The users of business applications tend not to think about security and compliance. Partly that is because it is not their job, says Misha, and they are already very busy. And partly it is because these teams are buying their systems outside of IT.
Meanwhile, the apps themselves are designed to be easy to launch and integrate. You can start many of them without a credit card. And users can often integrate this software with some of their most vital systems such as CRM, ERP, support system and Human Capital Management (HCM) with as little as one click.
This applies to most apps offered in the major suppliers’ app stores. Misha points out that Salesforce users can “connect” an app from the Salesforce AppExchange without actually installing it. That means there is no scrutiny, the app can access your customer data, and its activities are logged under the user’s profile, making them difficult to trace.
So that’s the first problem. Connecting new, potentially insecure apps to your core apps is very easy. The second problem is that most of these systems are not designed for administrators to be able to observe what is going on in them.
- Salesforce offers many great DevOps tools, but no native way to track integrated apps, extend API keys, or compare organizations to detect suspicious changes.
- NetSuite’s changelog does not provide details about who changed what – only that something changed, making changes difficult to review.
- Jira’s changelog is similarly sparse, and Jira is often integrated with Zendesk, PagerDuty and Slack, which contain sensitive data.
This makes it difficult to know what is configured, which applications have access to which data, and who has been in your systems.
What you can do about it
The best defense is an automatic defense, says Misha, so talk to your cybersecurity team about how they can roll monitoring of your business applications into their existing plans. But for complete awareness and coverage, they will also need deeper insight into what’s happening in and between these applications than these tools naturally provide. You need to build or buy tools that can help you:
- Identify your risks: You need the ability to see everything configured in each application, save point-in-time snapshots and compare them. If a tool can tell you the difference between yesterday’s configuration and today’s, you can see who did what—and detect intrusions or the potential for intrusions.
- Investigate, monitor and analyze for vulnerabilities: You need a way to set alerts for changes to your most sensitive configurations. These must go beyond traditional SaaS security posture management (SSPM) tools, which tend to monitor only one application at a time, or only provide routine recommendations. If something connects to Salesforce or Zendesk and changes an important workflow, you need to know.
- Create a response plan: Use a Git-like tool that allows you to “version” your business applications to store previous states that you can then revert to. It won’t fix all intrusions, and may cause you to lose metadata, but it’s an effective first line of remediation.
- Maintain your SaaS security hygiene: Assign someone on the team to keep your organizations up to date, disable unnecessary users and integrations, and ensure that security settings that were turned off are turned back on – for example, if someone disables encryption or TLS to set up a webhook, check that it was re-enabled afterwards.
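The four steps above (snapshot and compare, alert on sensitive changes, revert to a previous state, and hygiene checks) fit together naturally in one small tool. What follows is an added example, not code from the article or from Atmosec: a vendor-neutral differ over two point-in-time exports of a tenant’s settings. Every app name, setting key, user and value in it is constructed for illustration, and the sensitivity rules are assumptions about which settings an administrator would want paged on.

```python
"""Snapshot, diff, alert and revert for SaaS business-application settings.

Added example, not code from the article or from Atmosec. It models the
"identify risks", "monitor sensitive configurations", "revert" and "hygiene"
steps with a vendor-neutral config differ. Every app name, setting key and
value below is constructed for illustration; real exports differ per vendor.
"""
import copy
from datetime import date
from typing import Any

# Constructed point-in-time export of one tenant's settings (hypothetical keys).
# Keys are joined with "/" to build paths, so no key may itself contain "/".
SNAPSHOT_YESTERDAY: dict[str, Any] = {
    "salesforce": {
        "connected_apps": {
            "Zendesk Sync": {"scopes": ["api", "refresh_token"], "installed_by": "admin@example.com"},
        },
        "session_settings": {"require_tls": True, "session_timeout_min": 120},
        "users": {
            "admin@example.com": {"active": True, "last_login": "2023-03-01"},
            "contractor@example.com": {"active": True, "last_login": "2022-09-15"},
        },
    },
    "slack": {
        "webhooks": {"#support-alerts": {"url": "https://hooks.example.invalid/abc", "verify_tls": True}},
    },
}

# Today's constructed export: one routine change (a login) and three that matter.
SNAPSHOT_TODAY: dict[str, Any] = copy.deepcopy(SNAPSHOT_YESTERDAY)
SNAPSHOT_TODAY["salesforce"]["users"]["admin@example.com"]["last_login"] = "2023-03-02"
SNAPSHOT_TODAY["salesforce"]["connected_apps"]["Lead Enricher"] = {
    "scopes": ["api", "full"], "installed_by": "marketing@example.com"}
SNAPSHOT_TODAY["slack"]["webhooks"]["#support-alerts"]["verify_tls"] = False   # TLS off for a webhook
SNAPSHOT_TODAY["salesforce"]["session_settings"]["session_timeout_min"] = 1440

# (path prefix or suffix, severity): the settings worth paging someone for. Assumed, not vendor-defined.
SENSITIVE_RULES = [
    ("salesforce/connected_apps", "high"),   # any new or changed integration
    ("/verify_tls", "high"),
    ("/require_tls", "high"),
    ("salesforce/session_settings", "medium"),
]
SECURITY_FLAGS = ("verify_tls", "require_tls")   # booleans that should stay True


def flatten(node: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested settings into {'app/section/key': leaf} so snapshots diff path by path."""
    if not isinstance(node, dict) or not node:
        return {prefix: node}
    out: dict[str, Any] = {}
    for key, value in node.items():
        out.update(flatten(value, f"{prefix}/{key}" if prefix else key))
    return out


def diff_snapshots(old: dict, new: dict) -> list[dict]:
    """Leaf-level changes between two snapshots: added, removed or changed."""
    o, n = flatten(old), flatten(new)
    changes = []
    for path in sorted(set(o) | set(n)):
        if path not in o:
            changes.append({"path": path, "kind": "added", "old": None, "new": n[path]})
        elif path not in n:
            changes.append({"path": path, "kind": "removed", "old": o[path], "new": None})
        elif o[path] != n[path]:
            changes.append({"path": path, "kind": "changed", "old": o[path], "new": n[path]})
    return changes


def alerts_for(changes: list[dict]) -> list[dict]:
    """Keep only the changes that hit a sensitive rule, tagged with its severity."""
    alerts = []
    for change in changes:
        for pattern, severity in SENSITIVE_RULES:
            if change["path"].startswith(pattern) or change["path"].endswith(pattern):
                alerts.append({**change, "severity": severity})
                break
    return alerts


def build_revert(old: dict, new: dict, paths: list[str]) -> dict:
    """Git-style revert of selected paths: reset changed leaves to their old value,
    delete leaves that did not exist in the old snapshot, leave everything else alone."""
    restored = copy.deepcopy(new)
    old_flat = flatten(old)
    for path in paths:
        *parents, leaf = path.split("/")
        node = restored
        for part in parents:
            node = node[part]
        if path in old_flat:
            node[leaf] = copy.deepcopy(old_flat[path])
        else:
            node.pop(leaf, None)
    _prune_empty(restored, "", set(old_flat))
    return restored


def _prune_empty(node: dict, prefix: str, keep: set[str]) -> None:
    """Drop containers emptied by a revert unless they were already empty in the old snapshot."""
    for key in list(node):
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(node[key], dict):
            _prune_empty(node[key], path, keep)
            if not node[key] and path not in keep:
                del node[key]


def hygiene_findings(snapshot: dict, today_iso: str, max_idle_days: int = 90) -> dict[str, list[str]]:
    """Hygiene pass: active users idle too long, and security flags that are currently off."""
    today = date.fromisoformat(today_iso)
    stale = [
        user
        for app in snapshot.values()
        for user, info in app.get("users", {}).items()
        if info.get("active") and (today - date.fromisoformat(info["last_login"])).days > max_idle_days
    ]
    disabled = [p for p, v in flatten(snapshot).items() if p.rsplit("/", 1)[-1] in SECURITY_FLAGS and v is False]
    return {"stale_users": stale, "disabled_security_flags": disabled}


if __name__ == "__main__":
    for alert in alerts_for(diff_snapshots(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY)):
        print(f"[{alert['severity']}] {alert['kind']:8} {alert['path']}: {alert['old']!r} -> {alert['new']!r}")
    print(hygiene_findings(SNAPSHOT_TODAY, "2023-03-02"))
```

Run as a script it lists four alerts (the new connected app, the webhook with TLS verification switched off, and the relaxed session timeout) while ignoring the routine login, then reports the idle contractor account and the disabled TLS flag. The revert deliberately works path by path rather than restoring the whole old snapshot, so legitimate changes made in the meantime are not lost, which is the metadata-loss caveat the text raises.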
If you can put all of this together, you can start to identify the entry points malicious actors could use — for example, Slack’s webhooks, as Misha points out.
Your role in Business System Security
It’s not up to administrators alone to secure these systems, but you can play an important role in locking down some of the obvious open doors. And the better you’re able to look into those systems—a task they’re not always built to allow—the sooner you’ll know whether someone has compromised a business application.