Intro: Why can I log in?
SaaS applications are the backbone of modern organizations, driving productivity and operational efficiency. However, all new apps introduce critical security risks through app integration and multiple users, creating simple access points for threat access stakeholders. As a result, SaaS breaches increased, and according to the May 2024 XM Cyber Report, misconceptions of identity and qualifications caused 80% of security exposure.
Subtle signs of compromise are lost in noise, and then multi-stage attacks become undetected due to the siloed solution. Think about account takeovers with Entra IDs, escalating privileges on GitHub, and removing data from Slack. While each appears to be irrelevant when viewed alone, it is a dangerous violation in the connected timeline of events.
Wing Security’s SaaS platform is a multi-layered solution that combines attitude management with real-time identity threat detection and response. This allows organizations to obtain the true identity map of the SaaS ecosystem, quickly detect and respond to threats, and prevent future attacks.
Get started with SaaS visibility and coverage
You cannot protect what you don’t know. Most of the existing solutions (IAM, PAM, IAM, etc.) do not cover SaaS applications or lack the depth needed to detect SaaS threats. This is to overcome the shadows and give your organization a full visualization of your organization’s stack, including all hidden third-party integrations that don’t have clues for every app, account, and security team.
Wing’s discovery approach is out of the way without agents and proxies. Connect to your major IDPs (such as Okta, Google Workspace, Azure AD) and business criticism SaaS applications (such as Microsoft 365 and Salesforce to Slack, GitHub) via APIs.
Wing Discovery:
Human (user) and non-human (service accounts, API keys, etc.) identities. App and app connectivity and third-party integration and their permissions will gain scope. Using AI-powered applications and data. MFA status, administrators of various SaaS applications (including old administrators)
Vision alone is not enough. Understanding identity behavior in SAAS apps is key to detecting and responding to actual threats in time. That’s where Wing’s identity-centric threat detection layer appears.
Want to see the wings working? Request a demo with one of our security experts.
SaaS Identity Threat Detection – From scattered logs to clear attack stories
Wing maps ID events to IOCs to represent the attacker’s mindset. Next, correlate them with the Miter ATT & CK technique to transform long, messy SaaS logs into one clear attack story. Simplify your investigation, reduce alert fatigue, and speed up median time to resolution (MTTR).
All detections are rich in context threat intelligence: IP reputation (geography and privacy), VPN/TOR use, and more. Therefore, analysts can understand the attacker’s playbook in minutes.
Real-life examples of how hackers try to leverage their identity:
Step 1 – Password Spray Trial: Password Spray Attack that targets multiple user accounts in an Entra ID environment. The attacker attempted to log in using a credential-based attack without triggering a lockout mechanism. Step 2 – Cross-account user agent overlap: Login attempts across multiple accounts from the same user agent (UA) confirmed that the attacker systematically tested their credentials at scale during the reconnaissance phase. Step 3 – After logging in after logging in: The attacker has successfully logged in to his account. This login matches the same user agent used during the reconnaissance phase, indicating that the credentials were compromised via previous password spray activity. Step 4 – Privilege Escalation by Role Assignment: The attacker escalated privileges on the compromised account by assigning the IT admin role with the Entrad ID. This gave attackers a wide range of visibility and control, including access to OAUTH-connected third-party services like GitHub. Step 5 – Data Removal from Github: The attacker leveraged linked Github access in Entra ID accounts to infiltrate the internal repository by leveraging linked Github access in Entra ID accounts. The activity log indicates that a private repository has been downloaded, including a project that contains source code, API keys, or internal documents. The attacker used this scaffold to remove sensitive intellectual property directly from GitHub.
Attack pass timeline
The Threat Timeline (Reference Image #2) is more convenient than just logs because it presents all SaaS detections in context. Each detection has a detailed context for the affected identity, trigger, and where it occurred (APP, timestamp, geolocation).
The Attack Pass Timeline assists the security operations team.
Visualize how the attacks unfold in the timeline view of related detections. Map each detection to Miter ATT & CK techniques, including active scans, enabled accounts, and account operations. Enhance your alerts with context and IOCs, IPS, user agents, geolocation, VPN/TOR, and evidence. Connect anomalies to daily activities (for example, permission changes after successful brute force).
Prioritize threats
Not all security threats are created equally. All threats are assigned a violation trust score to quantify the likelihood that the threat will succeed. This metric is calculated based on factors such as:
Attack tactics based on the type of detection (i.e. password spray, activity spikes, etc.) number of detections per threat (i.e., one identity has four detections)
Secops can be first sorted and focused on the most important threats. For example, a single failed login from a new IP may have a lower priority if it appears on its own, but the login will be successful and subsequent data removal will result in a higher reliability score. On the dashboard you can see the highest priority threat queues. There is a high-strength threat at the top, which is immediately worthy of attention, and a lower-risk threat further downwards to clear up alert fatigue and provide real threat detection.
Want to see the wings working? Request a demo with one of our security experts.
Track threat status and progress
Wing’s tracking structure helps Secops remain organized and avoid threats slipping through the cracks. Teams can update their status and track all threats from creation to resolution.
Main features:
Flag threats for efficient prioritization or follow-up to monitor specific cases. Triggering Flag Threat Webhook events, so they appear on external systems such as Siem and Soar, and are not overlooked. Update your threat status based on investigations conducted by the SOC and IR teams.
A quick solution with a simple mitigation guide
When Secops drills holes in a particular threat, you get a customized mitigation playbook with steps tailored to a particular attack type and SaaS application. The mitigation guide includes:
Adjusted recommendations for each detection type Related documentation (e.g., how to configure OKTA policies) Best practices to address root causes and prevent recurrence (pose)
Prevention: Check the root cause
Once the threat has stopped, we need to ask ourselves why this threat was promoted to succeed, and how to prevent it from happening again.
Security teams need to check whether these events are related to the risk factors underlying the organization’s SAAS configuration, so they are not only treating symptoms, but addressing the underlying causes.
This is possible because Wing’s platform is layered and combines SaaS Security Posure Management (SSPM) with identity threat detection. WING continuously monitors incorrect monitors (based on the CISA scuba framework) and identifies these dangerous settings, such as MFA and accounts without administrative tokens.
Summary: Close the security loop
Wing Security brings clarity to SaaS Chaos through a multi-tier security platform that combines deep visibility, prioritized risk management and real-time detection. By combining attitude management (SSPM) with identity threat detection and response (ITDR), organizations reduce risk exposure, respond to threats in context, and prevail SAAS identity-based attacks.
Book a winged demo to find blind spots, catch threats early, and fix any that puts your business at risk.
Source link
