In what has become an annual rite of spring in the cybersecurity world, Verizon recently published its 15th annual Data Breach Investigations Report. One of the most authoritative and well-documented studies of breaches and security incidents affecting both public and private sectors, the DBIR establishes clear benchmarks and key data points that the information security community relies on for understanding the global threat landscape and planning defensive measures to improve security postures in the future. Some of the expected findings include:
- Stolen credentials remain the most common way attackers get into systems; the actions that follow range from data exfiltration to denial of service (DoS).
- Ransomware's share of breaches keeps climbing: an almost 13% increase, a single-year rise as large as the previous five years combined, bringing it to 25% of breaches this year.
- External actors continue to outnumber internal ones by a wide margin, accounting for roughly 80% of breaches.
Where the DBIR gets interesting is the explosive growth in incidents involving partners and the supply chain: “2021 illustrated how one key supply chain breach can lead to wide ranging consequences. Supply chain was responsible for 62% of System Intrusion incidents this year.” The DBIR's categories are broad; the slice that matters for this post is the ungoverned and unseen integrations between third-party SaaS applications and core SaaS platforms such as Salesforce, Slack, Microsoft 365 and Google Workspace, established through API keys, end-user OAuth tokens and no/low-code workflows.
In the System Intrusion data set Verizon researchers compiled, the category of “Partner” moved from its previous position as somewhat of a novelty issue (showing up in less than 1% of the data in years past) to the main attack vector in 2021. The authors point to the SolarWinds attack of late 2020, and the cascade of data breach incidents in 2021 that flowed from that initial hack, as the ignition point for this change in the threat landscape. But they also assert that this trend is indicative of larger forces at work, and likely portends a needed shift in cybersecurity priorities going forward.
The supply chain breaches of the first few months of 2022 reinforce this reading: the LAPSUS$ intrusion at Okta, which went through a third-party support contractor, and GitHub's disclosure that OAuth tokens issued to third-party integrations (Heroku and Travis CI) had been stolen and used to read private repositories belonging to GitHub customers.
To quote the report on the initial SolarWinds hack and its larger implications: “While this incident might seem like an anomalous one-off, it may actually be representative of larger trends that we’ve been seeing in the industry, in terms of the interconnected risks that exist between the vendors, partners and third parties we work with on a daily basis.” For the first time, the risks posed by complex partner relationships in the cloud, reliance on third-party vendors, and extended supply chains have come into sharp focus in the report's own data.
IT Democratization Increases SaaS Supply Chain Risks
The DBIR findings, together with the recent attacks on third-party integrations with core SaaS platforms, match what we see in the current threat environment. The democratization of IT and the broad adoption of cloud apps began several years ago, accelerated through the COVID pandemic, and is now a primary IT concern.
Through that process many organizations became hyperconnected, running dozens of SaaS applications, with human and machine identities and their privileges scattered across business units and departments. Significantly, business users gained the ability to adopt and manage best-of-breed SaaS applications directly, without IT security review or governance, which greatly increased enterprises' dependence on third-party vendors in the supply chain.
It’s a trend that has greatly reduced deployment time and enhanced business agility, productivity and collaboration within countless organizations. SaaS applications are increasingly interconnected to maximize their benefits by automating business processes and data exchange.
Yet as business users connect SaaS applications indiscriminately, the risk of unvetted supply chain access to business-critical applications grows with them. As SaaS-to-SaaS integrations multiply, security and compliance teams struggle to keep their third-party risk management (TPRM) programs complete, because they lack visibility into which vendors have access to which applications and how broad that access is. Without continuous governance, SaaS-to-SaaS integrations sprawl into unnecessary third-party access, and business owners can mint over-privileged API tokens and OAuth grants that widen the blast radius of any vendor breach. The worst case is a grant with write access to an entire document store or mailbox, consented for every user in the tenant: one compromised vendor then equals tenant-wide data access.
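As an added example (not code from the original post or from any vendor), here is a small Python script that builds that missing visibility from data an administrator can already export: Google Workspace Admin SDK `tokens.list` records and Microsoft Graph `oauth2PermissionGrant` objects. It normalizes both into one inventory, assigns each grant a risk tier from its scopes, flags grants whose client is not on the approved-vendor list, and ranks them by blast radius (risk weight times the number of users whose data the grant reaches, with tenant-wide admin consent counting as every user). The record field names follow the two APIs; the risk tiers, the approved-vendor list, the tenant size and the sample records are assumptions constructed for the example.

```python
"""Rank third-party SaaS-to-SaaS OAuth grants by blast radius (added example)."""
from dataclasses import dataclass, field

# Risk tiers are an assumption of this example: write/full access to data = high,
# read access to data = medium, identity-only scopes = low. The scope strings
# themselves are real Google Workspace and Microsoft Graph scope names.
HIGH_RISK = {
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user",
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}
MEDIUM_RISK = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "Mail.Read", "Files.Read.All", "Directory.Read.All",
}
WEIGHT = {"high": 3, "medium": 2, "low": 1}


def scope_risk(scope: str) -> str:
    """Map one OAuth scope to a risk tier; unknown scopes default to low."""
    if scope in HIGH_RISK:
        return "high"
    if scope in MEDIUM_RISK:
        return "medium"
    return "low"


@dataclass
class Grant:
    platform: str
    client_id: str
    app_name: str
    scopes: set = field(default_factory=set)
    users: set = field(default_factory=set)  # {"*"} means tenant-wide admin consent


def normalize_google(tokens):
    """Admin SDK tokens.list items carry clientId, displayText, userKey and scopes[]."""
    grants = {}
    for t in tokens:
        g = grants.setdefault(t["clientId"], Grant("google", t["clientId"], t["displayText"]))
        g.scopes.update(t["scopes"])
        g.users.add(t["userKey"])
    return list(grants.values())


def normalize_graph(permission_grants, sp_names):
    """Graph oauth2PermissionGrant carries clientId, consentType, principalId and a
    space-separated scope string; sp_names maps service principal ids to display names."""
    grants = {}
    for pg in permission_grants:
        name = sp_names.get(pg["clientId"], pg["clientId"])
        g = grants.setdefault(pg["clientId"], Grant("m365", pg["clientId"], name))
        g.scopes.update(pg["scope"].split())
        g.users.add("*" if pg["consentType"] == "AllPrincipals" else pg["principalId"])
    return list(grants.values())


def assess(grants, approved_clients, tenant_size):
    """Score every grant and return findings, unapproved vendors first, highest blast radius first."""
    findings = []
    for g in grants:
        tier = max((scope_risk(s) for s in g.scopes), key=WEIGHT.__getitem__, default="low")
        affected = tenant_size if "*" in g.users else len(g.users)
        findings.append({
            "platform": g.platform, "app": g.app_name, "client_id": g.client_id,
            "risk": tier, "users_affected": affected,
            "approved": g.client_id in approved_clients,
            "high_risk_scopes": sorted(s for s in g.scopes if scope_risk(s) == "high"),
            "score": WEIGHT[tier] * affected,
        })
    return sorted(findings, key=lambda f: (f["approved"], -f["score"]))


def run_sample():
    """Constructed sample data (hypothetical apps, ids and users), not from a real tenant."""
    google_tokens = [
        {"clientId": "1234.apps.googleusercontent.com", "displayText": "Acme Scheduler",
         "userKey": "alice@example.com",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                    "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "5678.apps.googleusercontent.com", "displayText": "DocSync Pro",
         "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
        {"clientId": "5678.apps.googleusercontent.com", "displayText": "DocSync Pro",
         "userKey": "bob@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
    ]
    graph_grants = [
        {"clientId": "sp-111", "consentType": "AllPrincipals", "principalId": None,
         "scope": "Mail.ReadWrite Files.ReadWrite.All"},
        {"clientId": "sp-222", "consentType": "Principal", "principalId": "carol",
         "scope": "User.Read"},
    ]
    sp_names = {"sp-111": "Inbox Helper", "sp-222": "Status Widget"}
    approved = {"1234.apps.googleusercontent.com", "sp-222"}  # assumed TPRM-approved vendors
    grants = normalize_google(google_tokens) + normalize_graph(graph_grants, sp_names)
    return assess(grants, approved, tenant_size=500)


if __name__ == "__main__":
    for f in run_sample():
        flag = "" if f["approved"] else "UNAPPROVED "
        print(f'{flag}{f["platform"]:6} {f["app"]:15} risk={f["risk"]:6} '
              f'users={f["users_affected"]:4} score={f["score"]}')
```

The ordering is the point: an unapproved app with tenant-wide consent to read and write every mailbox and file outranks everything else, even though it is a single grant, while a read-only calendar integration consented by one user sits at the bottom. In practice the same inventory is what you feed back into the TPRM program and into periodic revocation of grants nobody recognizes.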
No doubt, the 2022 Verizon DBIR sets out some alarming new trends for the IT security community. As organizations grow and scale, so does their number of SaaS-to-SaaS integrations and the new, ungoverned risk surface those integrations create; recognizing that is the foundation for effective controls to emerge. Looking forward, securing sanctioned and unsanctioned business-critical SaaS apps against partner and SaaS supply chain attacks requires two things: minimizing the third-party integration attack surface (fewer integrations, each vetted) and minimizing the blast radius of each one (least-privilege scopes, per-user rather than tenant-wide consent, and revocation of grants that are no longer needed).