Software as a service (SaaS) apps are ubiquitous, hybrid work is the new normal, and protecting them and the important data they store is a big challenge for organizations. Today, 59 percent of security professionals find the SaaS sprawl challenging to manage1 and have identified cloud misconfigurations as the top risk in their environment.2
To combat these attacks effectively, security teams need a new approach that protects their data within cloud apps beyond the traditional scope of cloud access security brokers (CASBs). That’s why Microsoft Defender for Cloud Apps is now delivering full protection of SaaS applications. This includes new investments in SaaS Security Posture Management (SSPM), advanced threat protection as part of Microsoft’s extended detection and response (XDR) solution, and app-to-app protection—while continuing to build upon other powerful CASB capabilities like Shadow IT discovery and information protection.
Today, we are excited to announce that Defender for Cloud Apps is extending its SSPM capabilities to some of the most critical apps organizations use today, including Microsoft 365, Salesforce,3 ServiceNow,4 Okta,5 GitHub, and more.
A holistic SaaS security approach
Historically, CASBs have been the main tool to address SaaS security needs with Shadow IT discovery, visibility into cloud app usage, and protection against app-based threats as the main use cases. However, the uptick in app usage combined with employees accessing company resources outside of the corporate perimeter has introduced new attack vectors. That’s why Defender for Cloud Apps now delivers capabilities to address these new attack vectors across prevention and protection for a more holistic approach throughout the app usage lifecycle. The addition of SSPM enables security teams to improve the organization’s security posture; app-to-app protection addresses a new threat scenario where apps exchange data directly; and the integration into the Microsoft 365 Defender XDR solution enables powerful correlation of signal and visibility across the full kill chain of advanced attacks. These new sets of capabilities, combined with the traditional CASB scenarios, make up the Microsoft approach to holistic SaaS security and will help organizations effectively protect against app-based threats.
In a recent research paper, Omdia applauds Microsoft’s vision of a broader security offering for SaaS and suspects that other vendors will need to emulate its offering, analyst firm Omdia recognized this new approach, confirming the need for a holistic strategy to protect cloud apps.
SaaS Security Posture Management is critical to prevention
Prevention and optimizing their organization’s security posture has become a critical focus area for security teams to limit the number of breaches. A key challenge in securing SaaS apps, however, is that security teams need to research configuration best practices for each app individually, which creates significant overhead. To streamline this process, Defender for Cloud Apps launched SSPM in June 2022 to surface misconfigurations and provide recommendations to strengthen an app’s posture.
In preview starting today, Defender for Cloud Apps now provides security posture management for Microsoft 365, Salesforce, ServiceNow, Okta, GitHub, and more. Not only are we expanding the breadth of app coverage but also the depth of assessments and capabilities for each application. Here is what to expect:
- Seamless integration with the Defender for Cloud Apps connector experience: If you have already connected any of these apps to Defender for Cloud, the new SSPM capabilities automatically light up without any additional deployment.
- Alignment to best practices and benchmarks: We recommend actions based on industry standards like the Center for Internet Security and follow best practices set by the specific app provider (for example, Salesforce Security Health Check).
Protect inter-app data exchange with application governance
In recent years, there has been an increase in attacks involving OAuth applications. Back in April 2022, Github fell victim to a campaign where an attacker used stolen OAuth app tokens to gain access to private user code repositories and began cloning them to exfiltrate data.6 The main challenge with an OAuth app is that it’s difficult to see the level of permissions and the type of data it can access. They often behave unnoticed while still having extensive permissions to access data in other apps on behalf of an employee, which makes them easily susceptible to a compromise.
Defender for Cloud Apps recognizes this open attack vector and the need for stronger app-to-app protection. With the main issue being visibility and governing these apps, upkeeping app hygiene is critical. To help organizations fill this gap, we will soon release a new capability that will allow security teams to gain visibility into unused apps, credentials, and expired credentials. Identified by Microsoft Azure Active Directory, they will be able to see these vulnerabilities and implement a predefined policy with detailed remediation actions, to easily resolve these potential risks.
Unused OAuth apps and credentials can be a backdoor for an adversary to gain access to an organization’s environment to exfiltrate data or use privileged credentials to access sensitive data in another app. By using these new capabilities in Defender for Cloud Apps, organizations will be able to drastically reduce their potential OAuth attack surface.
Defend against advanced attacks using app signal in Microsoft XDR
While cloud apps continue to be a target for adversaries trying to exfiltrate corporate data, sophisticated attacks often cross modalities—moving laterally from email as the most common entry point, to compromise endpoints, and identities, before ultimately gaining access to in-app data. While CASBs address alert security operations center (SOC) teams by identifying anomalies like a mass download activity, this approach leaves SOC teams without enough context to prioritize their investigation effectively.
That’s why Defender for Cloud Apps is natively integrated into Microsoft 365 Defender. The XDR technology correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities like automatic attack disruption. The integration of SaaS security into an XDR experience gives SOC teams full kill chain visibility and improves operational efficiency with better prioritization and shorter response times to ultimately protect the organization more effectively.
As an integral part of the Microsoft 365 Defender XDR solution, organizations can satisfy both: their SaaS security use cases, as well as leverage the SaaS signals and insights for effective SOC processes.
Get started on your SaaS security journey with Microsoft
It is critical that you protect data and assets by implementing SaaS security principles in your security strategy while empowering users to stay productive.
Microsoft’s unique approach helps security professionals easily start no matter where they are in their app protection journey. Learn how to protect your organization’s apps across the SaaS app management lifecycle through a set of simple steps and best practices:
- Explore Microsoft Defender for Cloud Apps.
- Deep dive into SSPM and app hygiene capabilities.
- Join our upcoming Ask Microsoft Anything session to engage directly with the product team.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
12023 State of SaaSOps, Better Cloud. 2023.
2Top 7 SaaS Security Risks (and How to Fix Them), Catherine Chipeta. June 13, 2022.
3Connect Salesforce to Microsoft Defender for Cloud Apps, Microsoft Learn. February 5, 2023.
4Connect ServiceNow to Microsoft Defender for Cloud Apps, Microsoft Learn. February 5, 2023.
5Connect Okta to Microsoft Defender for Cloud Apps, Microsoft Learn. February 5, 2023.
6Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators, Mike Hanley. April 15, 2022.