How to secure the modern cyber supply chain and surge in third-party risks amid AI automation

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Anna Sarnek, Director of Strategic Alliances, Valence Security

• The number of data compromises linked to third-party integrations surged in 2023, significantly impacting organizations due to the interconnected nature of modern SaaS (software as a service) environments.
• Organizations must adopt comprehensive SaaS security strategies, including asset identification, configuration management and integration auditing, to mitigate vulnerabilities and data breaches.
• Integration of AI and SaaS application adoption means robust third-party risk management practices have become paramount for securing critical business data and applications.

The year 2023 ended as another record breaker for the number of data compromises organizations face. In the last year, 41% of the organizations that suffered a material incident say a third party caused it. In the United States, over a thousand entities were affected due to a successful attack on just 87 organizations, highlighting the level of cyber risk that third parties create today.

While most organizations are keenly aware of the risk that third parties present, third-party risk management focuses on assessing cyber security postures or cyber hygiene without the additional context of how these third parties are connected to the organization – i.e. what the cyber supply chain looks like.

Modern distributed infrastructure, which relies heavily on software as a service (SaaS) usage, creates endless new opportunities for unmonitored access to corporate data and processes. To exploit cloud environments, adversaries leverage misconfigurations, human error, social engineering, credential theft and other attack methods to compromise critical business data and applications.

SaaS applications have decentralized the procurement of IT as each business unit adopts its own productivity tools, leading to an explosion of application administrators sitting outside of IT and security teams. These SaaS applications come with a unique set of security features that must be independently configured, making them prone to human errors and leading to misconfigurations, creating a massive vulnerability for the organization.

As more and more applications participate in sensitive data workflows and are integrated with critical business applications, the likelihood of a data compromise increases.

Protection amid AI-accelerated automation

In addition to an increase in third-party breaches, 2023 has brought artificial intelligence (AI) into the innovation spotlight. Decades of AI and machine learning innovation have centred on automating processes to increase productivity, a technology that relies on third-party integration in software and technologies.

This year, 2024, will continue to shine the light on the benefit of incorporating AI into the modern workforce, a benefit that will accelerate and increase the third-party vulnerabilities that are already exploited today.

It is of the utmost importance that organizations focus on establishing strong SaaS security to contain third-party risk prior to further incorporating the benefit of AI into the organization.

Recommendation 1: Know your assets

SaaS application adoption has rapidly increased by 41% over the past two years, becoming a top vulnerability concern for chief information and security officers. Breaches and misconfigurations across applications such as Okta, Circle CI, Salesforce and Google Workspace indicate the challenges that organizations face, from core business to security SaaS applications.

For example, the Okta attack impacted 100% of its customer base, indicating that when it comes to SaaS-based third-party breaches, just one can have a ripple effect on thousands of organizations.

Far too often, organizations assume that solutions such as multi-factor authentication, developed to manage cloud-native assets, are fully deployed. Yet, every organization has at least 1% of their SaaS accounts not protected by multi-factor authentication, creating active risks.

While this may seem like a small risk, the Drizly credential stuffing attack highlighted how it just takes one account with weak authentication to lead to a major compromise. Furthermore, SaaS applications have evolved into platforms that store and share company data, increasing their susceptibility to human-error-led data exposure.

The distributed nature of SaaS procurement means that now more than ever, organizations need to have a good grasp of what their SaaS assets are, who manages them, and what information is stored in them to manage their security properly.

Recommendation 2: Manage and monitor the configurations

SaaS applications often come with a multitude of configuration options. Many security configurations are not turned on by default, leaving the application administrators responsible for proper security configurations. With the application administrators residing outside the IT business unit, many administrators inadvertently create risk for data exposure through weak access security.

The decentralized nature of SaaS application procurement means that the IT and the security organizations are not always aware of new application deployment in advance to catch the configuration risks created within the organization.

It is paramount for organizations to have a complete inventory of their SaaS applications and regularly monitor the security configurations to both ensure proper enforcement of security policy and mitigate any changes in the configurations over time that may make applications less secure.

Recommendation 3: Inventory and audit the integrations

One of the benefits of SaaS applications is plug-and-play and low-code or no-code integrations – the same thing that creates frictionless service interoperability also creates new exposure to vulnerabilities.

A key benefit of SaaS products is their ability to plug and play with other applications by connecting through integrations to consolidate and simplify data access and application functionality. However, this same functionality that creates interoperability creates vulnerabilities by introducing a spaghetti bowl of entry points into applications that house critical business and customer data.

On average, SaaS platforms have hundreds of integrations available that create an authorized handshake between multiple platforms. A typical organization has over 50% inactive integrations. These integrations create an authorized path for attackers to silently access critical SaaS applications that can lead to a wider compromise. Moreover, organizations have an average of 21 integrations with organization-wide access, paving a global path for systemic compromise.

Many of the inactive integrations within organizations stem from remnants of old vendors and no longer used proofs of concept, creating a shadow risk. To minimize such risk, organizations must actively monitor where the third-party integrations are created between applications and the level of access the integrations have. Periodic audits of SaaS applications should also enforce the rotation of secrets and authentication tokens to minimize the risk of credential theft over time.

By proactively understanding, managing and auditing SaaS assets, their configurations and integrations, organizations can fortify their defences against third-party risks and safeguard critical data in the modern digital ecosystem.