In recent weeks, we've seen another wave of high-profile security incidents at SaaS providers in IT infrastructure, security, and developer spaces. CircleCI and LastPass are the latest to join a growing list of companies (Okta, Twilio, Mailgun) in these spaces that have been the target of recent attacks.
These types of SaaS services are used to build, deliver, and secure other SaaS services. Along with IaaS and PaaS, they create the foundation for our modern SaaS economy. So, when one experiences a data breach, it can create a ripple effect of risk across the entire SaaS supply chain.
This leads to too many wild goose chases in the aftermath of a SaaS provider breach. For example, if you woke up to the news of the recent CircleCI security incident and wanted to assess your impact, your process might have looked something like this:
Check your system of record (that one spreadsheet you maintain) to see if CircleCI is one of your official suppliers.
Double check by sending this email or chat message to your security, dev, or IT org (or maybe all): “Hey, do you know if anyone is using CircleCI?”
Sift through the non-helpful responses pontificating on the relative value of the service to find some leads: “Maybe check with Maria. I think she was looking at it a while back.”
Track down these leads over the course of the day, knowing that some users might be hesitant to admit they were using a service without an official blessing from procurement.
If that’s not enough of a hassle, you might also rummage through your old vendor security questionnaires to see if any of your suppliers were using the service at the time of procurement.
This is a highly inefficient process and difficult to run, especially when your C-Suite is asking you for rapid updates.
Is anyone in my organization using a SaaS service that has recently been breached?
Do any of my SaaS providers use a SaaS service that has recently been breached?
Have any of my 3rd- or 4th-party SaaS providers had a data breach recently?
Here’s how you can use Nudge Security today to assess the impact of the CircleCI incident.
Step 1: Create a free account with Nudge Security.
If you haven’t already signed up for a free 14-day trial of Nudge Security, now would be a great time to get started. It takes just a few minutes to set up and doesn’t involve any network configs, agents to deploy, or integrations with your known SaaS providers. You can learn more about how it works here.
Step 2: Check to see if CircleCI is used in your organization.
Nudge Security discovers every cloud and SaaS asset ever created by employees in your organization. You can search by SaaS application name or SaaS category (we auto-categorize for you.)
Step 3: Identify the account owners for the service in question.
For every SaaS application, you see how many accounts and users are in your organization, the age of the accounts, who the first user was (often the default administrator), and what authentication methods are used to access the application. You can nudge the users to take some security measures during a breach, and you can set up notifications to monitor adoption of the service or service category.
Step 4: See what other services are connected.
Nudge Security provides visibility into OAuth grants, so you can see which other SaaS applications are connected to the service in question and the scopes granted. In the CircleCI example, this is especially useful given that the organization is advising customers to rotate tokens granted to other services, such as Github, Slack, and Jira.
Step 5: Review recent SaaS supply chain breaches.
Nudge Security provides information on publicly disclosed security incidents for your SaaS suppliers and as well as your extended SaaS supply chain or 4th-party suppliers, so you can effectively monitor your SaaS attack surface. Nudge Security will send you email notifications whenever we identify a new security incident in your SaaS supply chain.
If you have any questions about how Nudge Security works, how to get the most out of your free trial, or navigating the steps above, feel free to schedule time with our team.