Nowadays data-driven products in the cloud are delivered faster, IT resources become more responsive and productive with lower costs and higher performance for data operations.
Causing Cyber Security risks involved in accessing sensitive data and regulatory compliance requirements.
Join us virtually for our upcoming "Why 2024 will become the Year of SaaS Security" Meetup to learn how to resolve SaaS security posture management with AI tools and how to secure your cloud attack surface.
Agenda:
17:00 - 17:10 - 'Opening Words' - by Gidi Farkash (Pipl Security)
17:10 - 17:50 - 'How to Resolve SaaS Security Posture Management with GEN AI' - by Ofer Klein (Reco)
17:50 - 18:20 - 'Foundation of Cloud Monitoring' - by Moshe Ferber (Cloud Security Alliance Israel)
18:20 - 19:00 - 'AI in the Hands of the Cyber Protectors' - by Tal Shapira, P.h.D (Reco)
5. March,
2023
April,
2023
May,
2023
June,
2023
July,
2023
September,
2023
October,
2023
How do you ensure the configuration of your
SaaS apps is secured and compliant?
“+90% of breaches in 2023 were the result of an unsecured SaaS app. >55% of orgs
experienced at least one SaaS breach in the past two years, with 12% unsure of their
security status.”
2023 SaaS Security Survey Report by Cloud Security Alliance
December,
2023
Confidential
6. More and more apps use GenAI
Confidential
Reference: AI Multiple, “Top 100+ Generative AI Applications”
7. SaaS is the fastest growing attack surface
GenAI
App
SaaS Ecosystem
Cloud Ecosystem, End-User
Devices, Data Center
Confidential
8. The MGM Resorts Breach
techniques attackers used
to gain highly privileged
access to Okta
Confidential
9. AI-powered SaaS security (SSPM) solution
Protect
From Exposure
Discover
Apps, Identities, Data
Control
Access &
Permissions
Confidential
10. Anomaly Detection
App Discovery &
Consolidation
Reco: Harnessing AI to seamlessly secure SaaS
Mapping Misalignment of
User Permission & Role
Identities Interaction Graph
Detecting Risky Users
Detecting Personal
Email Accounts
11. Applications
Service Accounts
Users: Admins, employees,
contractors
Unified identity across SaaS
apps
Identity consolidation with the Reco Identities Interaction Graph
Identities in the SaaS world
Confidential
18. Improve your SaaS security posture
Posture
Score
Without Reco
High Risk, Manual Maintenance,
High Cost of Ownership
Posture
Score
With Reco
Low Risk, Automatic Maintenance,
Low Cost of Ownership
1 month
Confidential
20. We monitor a large data set across
SaaS apps and identities
100B+
Interactions analyzed
10k+
3rd-party apps discovered
1K+
Violations detected
2M+
SaaS users protected
12M+
Insights generated
23. 23
www.onlinecloudsec.com
Foundations of Cloud monitoring
When the winds of change blow, some people build walls
and others build windmills.
Chinese Proverb
Moshe Ferber
CCSK, CCSP, CCAK, ACSP
“
”
25. 25
www.onlinecloudsec.com
About myself
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
Founder, partner and investor at various cyber initiatives and
startups
Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT,
INFOSEC and more)
Co-hosting the Silverlining IL podcast – security engineering
Founding committee member for ISC2 CCSP , CSA CCSK, ISACA
CCAK certifications
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Information security professional for over 20 years
26. 26
www.onlinecloudsec.com
01 Global, not-for-profit organization
02
Building security best practices for
next generation IT
03 Research and Educational Programs
04
Cloud providers & security
professionals Certifications
05 Awareness and Marketing
06
The globally authoritative source for
Trust in the Cloud
26
www.onlinecloudsec.com
About the Cloud Security Alliance
To promote the use of best practices for providing
security assurance within Cloud Computing, and provide
education on the uses of Cloud Computing to help secure
all other forms of computing
“
”
CSA Israel:
Community of security professional promoting
responsible cloud adoption.
28. 28
www.onlinecloudsec.com
Monitoring Tool set
CSPM Cloud Security
Posture Management
• Protect management
dashboard
• Monitor for
Compliance breachs,
misconfiguration,
Identity permissions
CWPP - Cloud
Workload Protection
Platform
• Protect Workloads
(VM’s, Containers,
serverless
• Traditional end-point
security (AV, VA )
ASPM - Application
Security Posture
Management
• Orchestration the
SDLC process, from
development to
deployment and
testing
CIEM - Cloud Identity
& entitlement
management
• Monitor Identity
information
• Identity is more then
humans - include
services, workloads
and more
DSPM – Data Security
Posture management
• Govern and monitor
of data silos across
organizations
• Support multiple
services
SSPM / CASB– SaaS
security posture
management
• Evaluating SaaS
providers
• Focus on posture and
compliance
Cloud native application
protection platform
(CNAPP)
IaaS/PaaS SaaS
29. 29
www.onlinecloudsec.com
CNAPP
CSPM Cloud Security Posture
Management
• Protect management dashboard
• Monitor for Compliance breaks,
misconfiguration, Identity
permissions
CWPP - Cloud Workload
Protection Platform
• Protect Workloads (VM’s,
Containers, serverless
• Traditional end-point security (AV,
VA )
• Should support new workloads
(K8’s, FaaS)
Cloud native application protection
platform (CNAPP)
Focus on IaaS/PaaS
All cloud providers got
internal solutions
A must have solution
How compliant I am with IS27001? Do I have misconfiguration issues?
Which Workload has critical
vulnerability ?
30. 30
www.onlinecloudsec.com
ASPM
Application Security Posture
Management
• Orchestration of the SDLC process, from
development to deployment & testing and ongoing
operations
• Integrates with CI/CD , testing tools and workflow
tools for developers' friendly integration
Focus on IaaS/PaaS
Foundation for
devsecops
The newest solution
What are my most vulnerable
applications?
Which sensitive data is exposed?
What is the status of CI/CD security
testing ?
31. 31
www.onlinecloudsec.com
CIEM
Cloud Identity & entitlement
management
• Monitor Identity information
• Identity is more then humans - include services,
workloads and more
Oriented at multicloud
Considered to be a niche
Identity is most
challenging aspect in
cloud
Which users don’t have MFA? Which user has over privileges? Which user has hidden privileges?
32. 32
www.onlinecloudsec.com
DSPM
Data Security Posture Management
• Govern and monitor of data silos across
organizations
• From discovery & classification to realtime
monitoring
• Support multiple cloud platforms
IaaS/PaaS/SaaS
Considered to be a niche
Has similar aspects to
CIEM
Do I have public PII? Where are my sensitive files? Who can access project X files?
33. 33
www.onlinecloudsec.com
SSPM
SaaS Security Posture Management
• Detect misconfiguration , excessive permission,
compliance risks
• A mixture of posture + online monitoring
• Need to support multiple services
Focus on SaaS GRC
Mostly identity and
compliance
We used to call it CASB
DO I have misconfigurations? Which 3rd party apps connected? Which SaaS application do we use?
34. 34
www.onlinecloudsec.com
SSPM – important capabilities
SaaS Security Posture Management
• Directly integrated to the SaaS service
• Provide additional visibility, analysis and automation
• Required features:
• eDiscovery and classification
• Logs analysis
• Integration with SASE / SSE/ Secure browsing
DO I have misconfigurations? Which 3rd party apps connected? Which SaaS application do we use?
38. AI in the Hands of the Cyber
Protectors
41
January 24, 2024
Tal Shapira, PhD
CTO & Co-founder, Reco AI
39. About me
Researching GenAI in the context of cybersecurity for over a decade
Tal Shapira
Academia Industry/Business
40. My Research Focus - CyberSec & AI
GEN-AI
NLP
Knowledge
Graph
Learning
Encrypted Internet
Traffic
Classification
41. How Malicious Actors Can use GenAI?
• Data/intel. collection - e.g. "list all the System Admins in Acme”
• Advanced social engineering attacks - e.g. leveraging GenAI for phishing
campaign - scale & dynamic
• Dynamic malwares - e.g. generating polymorphic shellcode using GenAI
And many more…
42. GenAI & Cybersecurity Opportunities
• Improve cybersecurity programs
• Data enrichment (threat intel)
• Discover unknown threats in real-time,
• e.g. An unknown shadow app that uses GenAI in real-time
• Phishing/malware detection
• Policy/automation auto-generation
GenAI can improve productivity & reduce the risk of data exposure
Additional Reference: Jim Reavis, CEO of the CSA: “Hi ChatGPT, please help Cybersecurity”
44. Anomaly Detection
App Discovery &
Consolidation
Reco: Harnessing AI to Seamlessly Secure SaaS
Mapping Misalignment of
User Permission & Role
Real Time Interaction Graph
Detecting Risky Users
Detecting Personal
Email Accounts
46. SaaS Session Hijacking
• Malware and phishing techniques, like man-in-the-middle (MITM) attacks,
can bypass login credentials and MFA, enabling attackers to gain direct
control of an active session
• Hijacking a session token allow an attacker access to authorized
resources and administrative permissions granted to the user, facilitating
lateral movement across applications
47. 1
How to Obtain a Session Token?
User logs into the IPD with
credentials and ideally MFA
Server provides authentication token
to verify that user has proven identity.
(Session token)
IDP uses authentication token for SSO
logins to connected applications.
1
2 3
48. The attacker will attempt to insert themselves between the user and IDP, to get
into the middle of the process
How to Hijack a Session?
49. The Trigger: Phishing
In the simple MITM scenario, the
attacker creates a persuasive
phishing message to trick the user
into clicking on a malicious link
The email redirect the user to a
seemingly legitimate login screen,
which proxies the traffic through
evilginx, allowing successful
authentication and access using MS
as an IDP
To the user, everything appears
normal
50. The Redirect link
The actor-controlled domain uses a domain-generation
algorithm (DGA) pattern and a .XYZ top-level domain
The “Keep My Password” button in points to a URL with
a trusted domain followed by parameters, with the
actor-controlled domain (c-hi[.]xyz) hidden in plain sight
52. The Result
• The attacker intercepts a number of sensitive details, including the user’s
IP address, credentials, and most importantly, the session token
• This allows the attacker to authenticate into the user session without ever
needing login credentials or an MFA token
54. Why Is It So Hard to Detect?
• SaaS session hijacking is often
executed discreetly
• It’s difficult to detect because
attackers reuse legitimate tokens
and can establish persistence in
connected applications
55. Current Common Detection Methods
• Impossible travel activity
• Irregular time pattern
• Log-in from an unrecognized device
• Suspicious mail flow activity
56. Problem with the Existing Solutions
We are living in an hybrid workforce environment
• Devices /UAs - unmanaged, multiple (mobile + desktop), multiple
clients (apps + browsers)
• IPs - Multiple networks (ISPs, organization VPN), 3rd-party apps
• Working from home, working from office, working on-the-fly
• Working all the time :)
As a result → lots of False Positives (Alert Fatigue)
57. Example
CA, USA
IP
App to App
connectivity
Via OAuth2
Company
AWS VPN
West Europe
Office
Static IP
NY, USA
Phone
ISP
Home
Wifi
NC, USA TX, USA
Desktop
App
Outlook
via Browser
Legitimate usages, but can trigger false session hijacking alerts
M365
Active
Directory
58. Identity-Focused Solution
We need to build a user baseline and organization baseline
How?
• Building a Temporal Organization Knowledge Graph
based on entities and activities from the vast core
SaaS applications
• Identity Consolidation - by correlating all the identities
(person, services, and apps) with their related accounts,
across the entire SaaS environment (multiple apps)
• Using Graph Machine Learning models to correlate identities
with their activities, IPs, location, devices, 3rd-party apps,
build a baseline and look for major changes over time
60. Two Primary Forms of Usage
Human (manual) - both by employees and 3rd parties, e.g.
vendors/contractors.
Machine - SaaS to SaaS connectivity and shadow applications.
It became very easy to connect, multiple libraries/plugins that allow the
connection.
Therefore, it requires an Access Control Policy and App Governance
Procedures
61. Recap
• Generative AI is a type of artificial intelligence technology that can
produce various types of content, including text, imagery, audio and
synthetic data
• Retrieval-Augmented Generation (RAG) is an AI framework for retrieving
facts from an external knowledge base to ground large language models
(LLMs) on the most accurate, up-to-date information and to give users
insight into LLMs' generative process
Additional Reference: “What is generative AI? Everything you need to know” By George Lawton
62.
63.
64. Solution: Using GenAI to Detect GenAI Apps
More specifically - using Retrieval-Augmented Generation (RAG)
Reference: AI Multiple, “Reimagining Contextualized SaaS Security with Generative AI”
68. Why Is Consolidation So Important?
• Cross-App Analysis -
• While on an account-level perspective an activity can be legitimate, on
an identity-level perspective usually is not
• E.g. a user is logged-in to multiple accounts (Google, MS, Zoom, Slack)
via Israel, while a single-account (Salesforce) is suddenly being
logged-in via Russia
• Being able to build a baseline to remove noise - 3rd-party apps used by the
identity, baselines IPs, organization's VPNs, etc.
70. Knowledge Graph (KG) Representation Learning
• A process in ML where algorithms
extract meaningful patterns from raw
KGs to create representations that are
easier to understand and process
• These representations can be designed
for interpretability, reveal hidden
features, or be used for transfer
learning
74. Baseline Representation
• Identity representation observed at time t -
• Organization baseline measured at time t -
• Looking for major changes (using dynamic threshold)- three approaches:
• Via Graph Representation Learning
• Via Knowledge Graph Representation Learning
79. Key Takeaways
• Attackers cleverly insert themselves between users and IDPs through persuasive
phishing tactics, as a result they can bypass login credentials and MFA, and gain
control on active sessions
• This discreet method is hard to detect, as attackers reuse legitimate tokens,
compromising entire SaaS environments.
• Due to the dynamic nature of current organizations and hybrid workflows, current
solutions result with many False Positives
• Using AI technology and in-particular (knowledge) graph representation learning can
help detect SaaS Session Hijacking and other sophisticated attacks in near real-time