Industry Perspectives

Approach and Challenges for Incident Response in SaaS Cloud Applications

Nowadays many organizations rely on the Software as a Service (SaaS) delivery model for cloud applications they use to manage key business functions, including their ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), HR (Human Resource) Payroll, Communication, and Travel and Expense Management solutions.

Those applications are considered high-value targets by threat actors, as they can contain valuable data such as employee PII, suppliers’ and clients’ data, and financial and business data.

Understanding the shared responsibility of the SaaS delivery model for cloud applications is critical for organizations to develop an efficient strategy to be prepared for responding to cyber security incidents affecting their SaaS applications in the cloud.

Understanding the Shared Responsibility Model of Software as a Service (SaaS) Applications

Figure 1: Cloud Shared Responsibility model

For the Software as a Service (SaaS) delivery model, the customer is responsible for the security of the data, endpoint, account, access and sometimes identity, while the other components are in the scope of the cloud service provider.

That means from an incident response perspective, organizations using a SaaS application should develop a strategy to detect, monitor and respond to cyber security incidents affecting the application architecture components under their responsibility. These organizations should also develop a process to evaluate cloud service providers and make sure they have the capabilities to manage cyber security incidents in the scope of their responsibilities.

Managing SaaS Applications Cyber Security Incidents in the Scope of the Organization’s Responsibility

For detecting malicious activities affecting data, accounts or access, organizations can leverage the audit and access logs features often available in SaaS applications to gain visibility of unauthorized accesses, data exfiltration or data manipulation activities. Besides the common privileged and regular user access, SaaS applications often also provide APIs that can be used for integration with other solutions. The scope of the logging strategy should also include those APIs, as these can be abused by attackers to perform malicious activities.

For monitoring activities, organizations can evaluate whether the SaaS application logs available can be integrated within their SIEM or CASB solutions. Monitoring activities can then be implemented within those platforms by establishing use cases and alerts for common cyber security incidents affecting data, accounts or accesses (i.e., data exfiltration/loss, account compromised or improper usage). Moreover, some cloud services providers also provide built-in security monitoring and alerting features in their SaaS applications, including the "Transaction Security Policy" for Salesforce, "Instance Security Center" for ServiceNow, or Dropbox "Activity Reports."

For response, developing procedures to investigate and remediate cyber security incidents affecting application architecture components under the organization’s responsibility can help to have a consistent and efficient approach when responding to incidents. The steps to perform the following activities can be defined in order to facilitate incident response activities:

  • Revoking access
  • Restricting access based on IP address ranges or type of user devices
  • Resetting account passwords
  • Developing encryption at rest strategy
  • Implementing data backups and recovery plan

Depending on the Identity and Access Management (IAM) strategy implemented (i.e., cloud based, SSO), some activities could be performed by the organization autonomously within the SaaS applications or enterprise IAM solution. Otherwise, the involvement of the cloud service provider might be required; in that case, the procedure to execute those activities should be documented and outlined in the contractual agreements that will be reviewed during the vendor onboarding process.

Managing SaaS Applications Cyber Security Incidents in the Scope of the Cloud Service Provider’s Responsibility

For the SaaS application architecture components managed by the cloud service provider, organizations can use an evaluation process to make sure the vendor has the capabilities to respond to cyber security incidents affecting the vendor application, network, operating system, hardware and datacenter.

Typically, the evaluation process of the cloud service provider incident response capabilities will consist of reviewing the clauses of the contractual agreements related to the incident response activities and eventually requesting documentation (i.e., Information Security policies, standards, procedures), reports (i.e., SOC 2, CAIQ) or certifications (i.e., ISO2700x).

For detecting malicious activities, organizations can make sure that the cloud service provider has formalized and implemented a logging and monitoring standard. The scope of the standard should include the SaaS application architecture components under the vendor responsibility such as logging requirements for servers, databases and network devices. Moreover, technology stacks (i.e., SIEM, IDS) and processes leveraged to monitor the logs should be outlined.

Finally, for reviewing vendor response capabilities, organizations can verify that a Cyber Security Incident Management procedure is formalized and tested by the cloud service provider. A clear and well-defined notification procedure to report and provide incident details to customers will also give visibility to organizations in order to evaluate the impact and outcome of an incident affecting their SaaS applications vendors.

Let FireEye Help