When news broke that attackers linked to ShinyHunters had breached Salesforce environments at major enterprises such as Google, Chanel, and Qantas, many security leaders asked the obvious question:“Could this happen to us?” The answer, unfortunately, is a resounding: yes.So, why do our SaaS providers still make it so hard to find out?Salesforce stresses that the breaches were not because of a vulnerability in its platform, but were the result of social engineering/vishing to compromise customer credentials and install malicious look-alike OAuth apps. That’s true, but it ignores a deeper issue. Customers often don’t have access to the forensic data they need to detect or respond to these attacks in the first place.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]The uncomfortable truth coming to light here is that too many SaaS providers still put security behind a paywall.How the shared responsibility/fate model breaks downThe industry loves to talk about shared responsibility or fate, but in practice, the model breaks down when customers are expected to detect threats coming from third-party SaaS apps with no visibility or control over them.For example, if we want to access the logs that show whether an OAuth app has exported sensitive data, that may require an upgraded license to access those types of logs. Or if we try to detect API abuse, we might need to file a support ticket and wait.Sadly, the recent attacks on Salesforce customers surfaced a threat greater than ShinyHunters or any other group. The bigger issue here, reports our research team: 50% of SaaS vendors either charge extra or require manual approval to access detailed security logs. This amounts to a SaaS security logging tax, and it puts every customer’s SaaS ecosystem at risk.The indicators of compromise are there, but SaaS vendors need to provide customers with better logs. In the Salesforce attacks, the threat actors used social engineering to impersonate trusted tools and register malicious OAuth apps. They bypassed MFA, abused API access, and used stolen tokens to move laterally.And the signs were there. The suspicious activity was visible, but only for those who had access to the right logs:If security teams don’t have access to detailed SaaS security logs, they have no way to monitor for IOCs coming from their SaaS connections. If they have to submit service tickets and wait days or even weeks for log access, they are left performing an autopsy rather than a life-saving surgery. The damage has already been done. If we killed the single sign-on tax, it’s time to kill the logging taxA few years ago, the security community came together to say that single sign-on (SSO) shouldn’t be a premium feature. It was a basic control that everyone needed. And vendors mostly listened.Now, it’s time to do the same with SaaS security log access.If SaaS providers expect customers to take responsibility for their security posture, they need to offer access to the data that supports it. Customers should have immediate and frictionless access, without having to upgrade service tiers or submitting support tickets.We should never make SaaS security transparency an upcharge.Shared fate means shared accountabilityThe industry has to make SaaS security about protecting the entire ecosystem, including users, applications, integrations, data flows, and machine identities. It requires a broader strategy that secures everything connected to and flowing through your SaaS environment. To accomplish this at a global scale, SaaS providers have a responsibility to empower customers, not hold them back.As SaaS ecosystems grow more interconnected and complex, and attacks become more subtle and sophisticated, the ability to detect and respond in real time becomes table stakes. That means:Shared fate means both providers and customers are equally invested in visibility, accountability, and defense across the entire SaaS ecosystem.The ShinyHunters campaign has made a lot of noise right now, but it’s not the last time we’ll see these type of attacks. The 2024 Snowflake breaches come to mind, with a similar story of compromised credentials and some overlap in the threat actors involved. If we want to shift the advantage back to defenders, we need to remove the barriers to detection. And that starts by eliminating the SaaS security logging tax.Let’s stop making customers choose between visibility and budget. Let’s start treating security transparency as a basic expectation.Because in securing today’s SaaS ecosystem, we should all be part of the solution.Amir Khayat, co-founder and CEO, VorlonSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Unusual query volumes.
- OAuth app impersonation.
- API access from TOR IPs.
- Lateral movement to other platforms like Okta and Microsoft 365.
- No more delays in accessing logs.
- No more paywalls for visibility.
- No more excuses.
