SaaS Alerts, a cybersecurity firm tailored for MSPs to safeguard and capitalise on their clients' SaaS applications, has released the latest findings from its SaaS Application Security Insights (SASI) Report.
This report, published every six months and freely available for download, is unique in its analysis of around 136 million SaaS security events across 2,100 small and medium businesses worldwide, uncovering cyber trends posing risks to these enterprises.
SASI Report Findings
The recent SASI report offers a comprehensive examination of security events from over 120,000 user accounts spanning January 1st to December 31st, 2021. A significant majority of attacks on top SaaS platforms—such as Microsoft 365, Google Workspace, Slack, and Dropbox—were found to originate from Russia and China. This considerable dataset assists solution providers in managing SaaS application portfolios, aligning defensive IT security measures as necessary.
Analysis indicates that these countries may be coordinating their attack efforts
Analysis indicates that these countries may be coordinating their attack efforts. SaaS Alerts reports significant activity increase from these nations, with consistent levels of both attempted and successful cyberattacks. Comparisons between attack trends from Russia and China reveal near-identical patterns, while deviations from patterns in countries like Germany support this hypothesis of coordinated efforts.
Cyber Threat Landscape
The Brookings Institute notes that the US National Security Strategy classifies Russia and China as the two primary threats to its national security.
It states, "Russia’s increasingly close relationship with China represents an ongoing challenge for the United States." SaaS Alerts monitored over 136 million security events within the same timeframe to discern cyberattack patterns targeting popular SaaS applications used by SMBs.
Key Findings of the Report
1) The analysis revealed an average of about 10,000 Brute Force Attacks per day on monitored user accounts.
2) Potential attack origins include China, Vietnam, Russia, Korea, and Brazil, with unauthorised login attempts originating from these regions.
3) Successful logins using legitimate user credentials were traced back to actors in the same countries.
4) Common critical security alerts stem from:
- Successful logins from unapproved locations trigger alerts for user accounts accessible from outside approved areas.
- SaaS Integration alerts highlight risk from third-party application connections sharing data between SaaS Apps.
- Multiple Account Lockouts are recorded when accounts face repeated lock attempts, suggesting programmatic password testing by malicious actors.
5) The report also highlights significant threat vectors, including the use of Guest User Accounts by SMBs, with 42% of monitored accounts being guest users. It emphasises the risk associated with third-party OAuth app integrations and risky file-sharing behaviour, noting that 19% of cloud-based file sharing occurs externally rather than internally, potentially facilitating malicious access if unmanaged.
Managing Security in an Uncertain Cyber-Environment
"In the uncertain cyber-climate we all reside in today, detailed SaaS security oversight and robust defences are a requirement for ensuring high resiliency and business continuity," said Jim Lippie, CEO of SaaS Alerts. He added that data loss, theft, or corruption could severely impact SMBs reliant on uninterrupted operations, a target for threat actors for years. The report serves to offer businesses and the MSPs supporting them, valuable insights into their security environment.
Focus on Security Management and Compliance
For MSPs, the security management and compliance of SaaS applications used by SMBs have become increasingly crucial. Emphasising the importance of SaaS-optimised security controls, building a security-oriented employee culture focusing on these controls, as well as procedural compliance, can significantly mitigate the risk of successful attacks.
SaaS Alerts, the cybersecurity company purpose-built for MSPs to protect and monetise their customers’ business SaaS applications unveiled the findings of its latest edition of the SaaS Application Security Insights (SASI) Report.
Published semi-annually, the free downloadable report is the only one of its kind to analyse approximately 136 million SaaS security events across 2,100 small and medium businesses (SMBs) globally and identify cyber trends negatively impacting businesses.
SASI report
The statistically significant findings of the latest SASI report take into account security events occurring across more than 120,000 user accounts from January 1st to December 31st, 2021, and show that the vast majority of attacks on top SaaS platforms such as Microsoft 365, Google Workspace, Slack and Dropbox are originating from the countries of Russia and China.
The data set is statistically significant and enables solution providers to manage a portfolio of SaaS applications with pertinent data and trends to support defencive IT security re-alignments as required.
Recent activity
The vast volumes of data analysed suggest these countries may even be coordinating attack efforts
Additionally, over the last several weeks, SaaS Alerts has seen a sharp rise in activity from countries with consistently high levels of both attempted and successful attacks originating within their borders — Russia and China.
The vast volumes of data analysed suggest these countries may even be coordinating attack efforts. Per analysis available from SaaS Alerts, attack trend lines that compare Russia and China show almost the same pattern. Juxtaposed to a chart from Germany indicates that it is not even close to the same pattern, leading to educated speculation that these countries could be coordinating efforts.
A mixture of cooperation and competition
According to the Brookings Institute, “The U.S. National Security Strategy declares Russia and China the two top threats to U.S. national security. At the best of times, U.S.-Russia ties are a mixture of cooperation and competition, but today they are largely adversarial."
"Russia’s increasingly close relationship with China represents an ongoing challenge for the United States."
SaaS application security data
From January 1st to December 31st, 2021, SaaS Alerts monitored more than 136 million SaaS security events
"While there is little that Washington can do to draw Moscow away from Beijing, it should not pursue policies that drive the two countries closer together, such as the trade war with China and rafts of sanctions against Russia.”
During the period ranging from January 1st to December 31st, 2021, SaaS Alerts monitored more than 136 million SaaS security events, collecting and analysing the anonymous SaaS application security data to identify a breakdown of cyberattacks on the most popular SaaS applications in use by SMBs today.
Key findings of the report
1) On average, SaaS Alerts is seeing approximately 10,000 Brute Force Attacks per day against the user accounts monitored by SaaS Alerts.
2) The origin of potential attacks can be traced back to specific countries with current data indicating that Attempted Unauthorised Logins are coming from actors located in China, Vietnam, Russia, Korea, and Brazil.
3) Successful Unauthorised Logins are originating in Russia, China, Vietnam, Korea, and Brazil. These are countries where an actor has successfully logged in using a valid user’s credentials.
4) The report finds that the Three Most Common Critical SaaS Application Security Alerts stem from:
- Alert: “User Location Outside Approved Location” is an alert that is triggered when there’s a successful login to a user account from outside of an approved location or an approved IP address range.
- Alert: “SaaS Integration” which indicates that account credentials have been used to connect to a third-party application which may lead to data and other account information sharing between SaaS Apps. Users often establish these connections for convenience without consideration of potential security violations.
- Alert: “Multiple Account Lockouts” which is recorded when an account is locked out 4 or more times within 12 hours. Often indicating that malicious actors are actively (typically programmatically) trying password combinations to gain access to the account and have succeeded in validating a correct account name.
5) Other key findings from the report focus on common threat vectors that are putting SMBs at risk including a shocking ratio of Guest User Accounts (versus Licenced Accounts) being leveraged by SMBs with 42% of the over 129,000 monitored SaaS accounts being Guest User Accounts, the report also identifies the top five Third-party OAuth App Integrations being leveraged by SMB users and details a threat vector around Risky File Sharing Behavior with 19% of cloud-based file sharing activity being to external sources versus internal file-sharing. Each of these activities poses a significant threat vector as they potentially open pathways for malicious attacks if not properly monitored and managed.
Uncertain cyber-climate
“In the uncertain cyber-climate we all reside in today, detailed SaaS security oversight and robust defences are a requirement for ensuring high resiliency and business continuity,” said Jim Lippie, CEO, of SaaS Alerts.
“The loss, theft or corruption of mission-critical or sensitive customer data can be operationally and financially troublesome for SMBs that depend on continuous and unrestricted business operations to bolster revenues which have been the target of threat actors for years. We offer this useful threat level breakdown to assist businesses and the MSPs that support them with highly accurate insights about the security landscape they reside in.”
Security management and compliance
The security management and compliance of SaaS applications in use by SMBs have become a greater concern for MSPs as the deployment of cyber defences takes centre stage. Protection of both the SaaS application and data is critical and must receive SaaS-optimised security controls.
Building a security-minded employee culture that centres on security controls, SaaS-native cyber defences, and procedural compliance can play a significant role in reducing the risk of a successful attack.
