Read some the cybersecurity headlines and you'll notice a trend: They increasingly involve business applications.
For example, the email tool Mailchimp says intruders broke into its customer accounts via an "internal tool." Marketing automation software HubSpot got infiltrated. Corporate password wallet Okta was compromised. Project management tool Jira made an update that accidentally exposed the private information of clients like Google and NASA.
This is one of cybersecurity's newest fronts: your internal tools.
It's only logical that malicious actors would intrude here next, or that employees would accidentally leave doors open. The average organization now has 843 SaaS applications and increasingly relies on them to run its core operations. I was curious about what administrators can do to keep these apps secure, so I interviewed an old colleague, Misha Seltzer, a CTO and co-founder of Atmosec, who is working in this space.
Why Business Applications Are Particularly Vulnerable
The users of business applications tend not to think about security and compliance. Partly, because that's not their job, says Misha. They're already plenty busy. And partly, it's because these teams try to purchase their systems outside of IT's purview.
Meanwhile, the apps themselves are designed to be easy to launch and integrate. You can launch many of them without a credit card. And users can often integrate this software with some of their most vital systems of record like the CRM, ERP, support system, and human capital management (HCM) with as little as one click.
This is true of most apps offered within those major vendors' app stores. Misha points out that Salesforce users can "connect" an app from the Salesforce AppExchange without actually installing it. That means there's no scrutiny, it can access your customer data, and its activities are logged under the user profile, making it difficult to track.
So, that's the first issue. It's very easy to connect new, potentially insecure apps to your core apps. The second issue is that most of these systems haven't been designed for administrators to observe what goes on within them.
- Salesforce offers many wonderful DevOps tools, but no native way to track integrated apps, extend API keys, or compare orgs to detect suspicious changes.
- NetSuite's changelog doesn't provide detail on who changed what — only that something changed, making it difficult to audit.
- Jira's changelog is equally sparse, and Jira is often integrated with Zendesk, PagerDuty, and Slack, which contain sensitive data.
This makes it difficult to know what's configured, which applications have access to what data, and who has been in your systems.
What You Can Do About It
The best defense is an automatic defense, says Misha, so talk to your cybersecurity team about how they can roll monitoring your business applications into their existing plans. But for complete awareness and coverage, they, too, are going to need deeper insight into what's happening within and between these applications than what these tools natively provide. You'll need to build or buy tools that can help you:
- Identify your risks: You'll need the ability to view everything that's configured in each application, to save snapshots in time, and to compare those snapshots. If a tool can tell you the difference between yesterday's configuration and today's, you can see who has done what — and detect intrusions or the potential for intrusions.
- Probe, monitor, and analyze for vulnerabilities: You need a way to set alerts for changes to your most sensitive configurations. These will need to go beyond traditional SaaS security posture management (SSPM) tools, which tend to monitor only one application at a time, or to only provide routine recommendations. If something connects to Salesforce or Zendesk and alters an important workflow, you need to know.
- Develop a response plan: Adopt a Git-like tool that allows you to "version" your business applications to store prior states which you can then revert to. It won't fix every intrusion, and may cause you to lose metadata, but it's an effective first line of remediation.
- Maintain your SaaS security hygiene: Deputize someone on the team with keeping your orgs up to date, deactivating unnecessary users and integrations, and ensuring that security settings that were turned off are turned back on — e.g., if someone disables encryption or TLS to configure a webhook, check that it was re-enabled.
If you can put all that together, you can start to identify areas that malicious actors could get in — such as through Slack's webhooks, as Misha points out.
Your Role in Business System Security
It's not up to administrators alone to secure these systems, but you can play an important role in locking some of the obvious open doors. And the better you're able to see into these systems — a chore which they aren't always natively built to allow — the better you'll know if someone hacked a business application.