Galit Lubetzky Sharon was Head of the Strategic Center of the IDF's Cyber Defense Division and is now the Co-Founder & CEO of Wing Security.

It's no secret that businesses become more SaaS-powered every year, and as a result, they also become more vulnerable to identity and access security risks. An Obsidian Security report found that SaaS breaches increased by 300% between September 2023 and September 2024, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures.
What can organizations do about it?

Identity-based attacks specifically target user credentials, permissions and access rights rather than network infrastructure or devices. Attackers manipulate identity systems as the gateway to gain access to unauthorized information. Some of the most common types of identity-based attacks include:

• Credential Stuffing: Hackers take stolen usernames and passwords from one website and try them on different applications, hoping users have reused their credentials.
• MFA Fatigue: Attackers bombard a user with repeated fake multifactor authentication requests until the user mistakenly approves one.
• Phishing: Attackers send fake emails, messages or links to trick users into providing their login credentials or other sensitive information.
• Password Spraying: Instead of guessing multiple passwords for a single account, attackers try a few common passwords across many accounts to avoid triggering security locks.
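The password spraying pattern described above, seen from the defender's side (an added example, not from the article or any product): counting failures per account misses a spray, while counting distinct failing accounts per source catches it. The events, IP addresses, function names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _t(hhmm):  # constructed timestamps, all on one constructed day
    return datetime.fromisoformat(f"2024-01-15T{hhmm}:00")

# Constructed sign-in events: (time, source IP, account, success)
EVENTS = (
    [(_t(f"09:0{i}"), "203.0.113.7", u, False)   # one try each across six accounts
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [(_t("09:20"), "203.0.113.7", "frank", True)]   # second round, one guess works
    + [(_t(f"10:0{i}"), "192.0.2.50", "gina", False) for i in range(6)]  # single-account guessing
    + [(_t("11:00"), "198.51.100.20", "bob", False),  # a user mistyping a password
       (_t("11:01"), "198.51.100.20", "bob", False),
       (_t("11:02"), "198.51.100.20", "bob", True)]
)

def lockout_hits(events, threshold=5):
    """Per-account lockout view: accounts with >= threshold failed sign-ins."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Per-source view: many accounts failing, few tries each, inside one window."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:   # slide the window forward
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)
    return flagged

def accounts_to_review(events, flagged):
    """Successful sign-ins from a flagged source: treat as possibly compromised."""
    return sorted({(src, user) for _, src, user, ok in events if ok and src in flagged})

if __name__ == "__main__":
    flagged = spray_sources(EVENTS)
    print("lockout view:", lockout_hits(EVENTS))
    print("spray view:  ", flagged)
    print("review:      ", accounts_to_review(EVENTS, flagged))
```

On this sample the lockout view sees only the single-account guessing, while the per-source view surfaces the spray and the one account whose sign-in succeeded from the spraying address.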
Once inside, attackers can move laterally through an organization's systems, both in the cloud and on internal networks, to breach sensitive data and escalate control. High-profile identity-based breaches continue to make the news, as even the largest enterprises struggle to mitigate identity risks. In January 2024, nation-state actor Midnight Blizzard exploited Microsoft misconfigurations in password spray attacks that successfully compromised an account without multifactor authentication (MFA) enabled.
It later attempted to use stolen data to infiltrate Microsoft's internal systems before the company finally thwarted the attack. Despite the clear and present threat, most SaaS security solutions only focus on posture management (SSPM), leaving organizations vulnerable to attacks that are underway. The next generation of SaaS security includes identity threat detection and response (ITDR) capabilities.
These types of attacks seemingly keep working for two main reasons. The more applications employees use, the more vulnerable a company is to undetected lateral movement, and the more alerts the system will get. Alert noise makes it hard for security teams to differentiate between routine behavior and real threats.
Attackers know this, and they exploit this weakness by bombarding systems with normal-looking behavior, hoping that organizations don't have the capacity to detect when alerts are actually flagging real threats. Identity threat prevention involves both safe employee practices and the security team's capabilities. For example, if employees skip two-factor authentication (2FA), then the company's attack surface is extremely exposed.
If security teams don't monitor SaaS app-to-app connectivity (shadow IT), then identity threat detection and response is severely limited. With the right policies and the right technology, organizations can dramatically reduce SaaS identity threats. Some important components of an effective strategy for SaaS identity security include:

To put it simply, zero trust means that every access requires authentication—both for identities inside and outside of the organization.
Least-privilege access is the default, and abnormal user behavior is investigated as a breach. This policy should be adopted organization-wide and with no exceptions. Beyond username and password, require users to provide at least one additional verification factor for every login attempt to every SaaS application.
This reduces the risk of compromised credentials being used for unauthorized access. Implement role-based access control (RBAC) wherever possible and define the permissions granted to each role. Regularly check user permissions and remove any unnecessary access.
This minimizes the potential reach of a successful identity attack by limiting what a compromised account can do. Despite excellent policies, organizations are still vulnerable to stealthy tactics without the right tech. Implement a solution that continuously monitors and detects user activity across SaaS applications.
Establish baselines for normal behavior and configure alerts for deviations that could indicate a compromised account or insider threat. Leverage analytics to identify subtle anomalies that might otherwise go unnoticed. As enterprises continue to adopt SaaS applications at an exponential pace, identities—both human and nonhuman—will remain the linchpin of security.
Organizations that fail to integrate identity threat detection and response into their SaaS security strategy could find themselves increasingly vulnerable to sophisticated attacks that exploit these identity blind spots. The question isn't if organizations should strengthen their SaaS identity security, but how quickly they can do so before they become the next target.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Why SaaS Identity Attacks Work And How To Stop Them
