Managed service providers (MSPs) have become a favored target of cyberattackers, particularly for attempted wide-scale compromises.
As a result, monitoring and segmenting events by severity has become more critical than ever for MSPs; witness the high-profile SUNBURST and Kaseya attacks, which went after MSPs’ accounts to gain network access at bigger targets. With proper monitoring, however, alerts that rise to the level of “critical” are very few compared with the total number of events. With the right monitoring approach and an accurate security configuration, security teams will not be overrun by the “noise” of incidental alerts.
The news comes via SaaS Alerts, a Wilmington, North Carolina software-as-a-service (SaaS) platform monitoring specialist, in the third annual edition of its SaaS Application Security Insights (SASI) report.
In fact, out of 976 million total alerts in 2022, SaaS Alerts saw:
- 14 million critical alerts for 1.4% of the total
- 13.5 million medium alerts for 1.4% of the total
- 942 million low severity alerts for 97.2% of the total
To gather data for the report, SaaS Alerts sifted information gleaned from the SaaS application security records of roughly 7,500 small and medium-sized businesses (SMBs), 728 MSP partners, and 980,000 end user accounts during the period January 1 to December 31, 2022.
A Deeper Dive into the Report
Key findings include:
- 53% of all attempted unauthorized logins originated from China, Vietnam, India, Brazil, and Korea. This year's report saw a notable decline in attempts from Russia, which could be a result of Russia's shift in focus to the war in Ukraine.
- On average, there were approximately 40,000 brute-force attacks per day against user accounts monitored by SaaS Alerts.
- 2022 saw a 61% increase in the rate of phishing attacks compared with 2021. Cybercriminals shifted their attacks to mobile and personal communication channels to reach users and showed a 50% increase in attacks on mobile devices. Scams and credential theft were at the top of the list of payloads.
- Logins from outside approved locations accounted for over 55% of the most common critical alerts. This alert fires when there is a successful login to a user account from outside an approved location or an approved IP address range. While it can be a false positive caused by misconfigured approved locations or unexpected user travel, it is a serious alert, indicating a significant probability that a malicious actor has succeeded in compromising an account.
- Salesforce and Slack generated the most critical alerts on a per-user/per-alert basis. Of all logged Salesforce events, more than 8% of those events were critical alerts compared to 3.77% for Slack, 1.82% for Google Workspace, and 1.26% for Office 365.
- Compared to last year's data, the report found a 29% increase in the number of guest user accounts, which can have access to sensitive data and open access points for bad actors. Of the more than 979,840 SaaS accounts monitored by SaaS Alerts in 2022, 54% were guest user accounts rather than licensed users.
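The "outside approved locations" alert in the findings above is a policy check against an allowlist of countries and IP ranges. The following is an added example, not SaaS Alerts' code: the approved countries, the office/VPN egress ranges, the travel register and the login events are all constructed, and the Low/Medium/Critical mapping is this example's own choice. It keeps the two false-positive causes the report names in view: a login from a known VPN egress range stays quiet even when geo-IP disagrees, and registered travel downgrades the alert instead of dropping it.

```python
"""Detection logic for "successful login from outside an approved location" alerts.

Added example, not SaaS Alerts' code. The tenant policy, the travel register
and the login events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoginEvent:
    user: str
    source_ip: str
    country: str      # two-letter code, as a geo-IP lookup would return
    success: bool
    when: date


# Constructed tenant policy: approved countries plus office/VPN egress ranges.
APPROVED_COUNTRIES = {"US", "CA"}
APPROVED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed travel register: (country, first day, last day) per user, used to
# downgrade the expected-travel case the report mentions rather than drop it.
EXPECTED_TRAVEL: Dict[str, Tuple[str, date, date]] = {
    "dana@example.com": ("GB", date(2022, 6, 1), date(2022, 6, 14)),
}


def in_approved_range(ip: str) -> bool:
    """True when the source address falls inside an approved CIDR block."""
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_RANGES)


def travel_expected(event: LoginEvent) -> bool:
    """True when the user is registered as travelling to that country on that date."""
    entry = EXPECTED_TRAVEL.get(event.user)
    if entry is None:
        return False
    country, first, last = entry
    return event.country == country and first <= event.when <= last


def classify_login(event: LoginEvent) -> Optional[str]:
    """Map one login event to a severity (Low/Medium/Critical) or None.

    Approved country or approved IP range: nothing to report.
    Failed attempt from elsewhere: Low (brute-force noise, kept for trending).
    Successful login from elsewhere during registered travel: Medium.
    Successful login from elsewhere otherwise: Critical (likely compromise).
    """
    if event.country in APPROVED_COUNTRIES or in_approved_range(event.source_ip):
        return None
    if not event.success:
        return "Low"
    if travel_expected(event):
        return "Medium"
    return "Critical"


def triage(events: List[LoginEvent]) -> Dict[str, List[str]]:
    """Group the users that triggered each severity, like a severity queue."""
    queues: Dict[str, List[str]] = {"Low": [], "Medium": [], "Critical": []}
    for ev in events:
        sev = classify_login(ev)
        if sev is not None:
            queues[sev].append(ev.user)
    return queues


# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    LoginEvent("alice@example.com", "203.0.113.10", "US", True, date(2022, 6, 3)),
    LoginEvent("bob@example.com", "192.0.2.50", "VN", False, date(2022, 6, 3)),
    LoginEvent("carol@example.com", "192.0.2.77", "BR", True, date(2022, 6, 3)),
    LoginEvent("dana@example.com", "192.0.2.99", "GB", True, date(2022, 6, 5)),
    # VPN egress inside an approved range even though geo-IP says India.
    LoginEvent("erin@example.com", "198.51.100.5", "IN", True, date(2022, 6, 3)),
]

if __name__ == "__main__":
    for severity, users in triage(SAMPLE_EVENTS).items():
        print(f"{severity:8s} {users}")
```

Checking the IP range before the country is what keeps the VPN case quiet; if the approved ranges themselves are misconfigured, every remote worker lands in the Critical queue, which is the misconfiguration false positive the report describes and a reason to review the allowlist when that queue fills up.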
MSSP Alert Interviews SaaS Alerts' Jim Lippie
MSSP Alert asked SaaS Alerts chief executive Jim Lippie to clarify some of the data in the SASI report. Below are his answers, submitted by email, regarding platform tools, MSPs, alerts and much more. Jessica C. Davis, CyberRisk Alliance editorial director, Channel Brands, conducted the interview.
MSSP Alert: Can you clarify how many platform tools MSPs use and how many alerts were generated over the course of a year?
"We added VSA and CW Automate more than halfway through the year, so we did not include those numbers because they would not be fair "apples to apples" comparisons. That said, on average we monitor 15-30 different events per MSP tool.
"I should also highlight, just because a specific application throws off a lot of alerts it doesn't mean it's always a negative. Our MSPs have the ability to customize alert thresholds on every application. Generally speaking, MSPs set higher thresholds for their own tools (like NinjaOne or IT Glue) because they want to keep even a closer eye on the apps within their own operation.
"The other apps monitored throughout the year were, MSFT 365, Google Workspace, Salesforce, Slack and Dropbox."
MSSP Alert: Just to clarify then, the number of alerts is all based on how the MSP has tuned the tool for each individual application?
"There are a fixed number of events that we monitor, and the total number is now up to 254. There are three settings (Low, Medium, Critical). MSPs can set a customized alert threshold for each event. For example, if a certain "high risk" employee exceeds 25 GB of data downloaded out of OneDrive, an MSP can determine that event a "critical alert". However, there could be other employees that are allowed to download 300 GB of data."
8 SaaS Hygiene Practices
Based on the current and emerging SaaS application threat vectors, SaaS Alerts recommends the following eight hygiene practices:
- Enable and enforce multi-factor authentication.
- Monitor all major SaaS productivity applications for unusual user behavior.
- Enforce proper configuration of all SaaS applications and monitor configurations for compliance.
- Monitor file sharing activity for data exfiltration and internal threat actors.
- Delete unnecessary guest user accounts on a regular basis.
- Monitor app-to-app integrations.
- Monitor MSP internal tools to mitigate supply chain attacks and reduce internal threats.
- Leverage automation to immediately respond to high probability threat sequences.
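The per-event threshold model Jim Lippie describes in the interview above (a fixed catalogue of events, each with a Low/Medium/Critical setting and an MSP-tuned threshold that can differ per user) and the last recommendation in the list (automated response to a high-probability threat sequence) fit together in one small rules engine. The block below is an added example, not SaaS Alerts' code: the rule names, thresholds, user names, timestamps and the response action name are constructed; only the three severity settings and the 25 GB versus 300 GB OneDrive download scenario follow the interview.

```python
"""Per-event alert thresholds with per-user overrides, plus an automated
response to a high-probability threat sequence.

Added example, not SaaS Alerts' code. Rule names, thresholds, users,
timestamps and the response action are constructed; the three severity
settings and the OneDrive download scenario follow the interview.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class EventRule:
    severity: str                     # Low | Medium | Critical, chosen by the MSP
    default_threshold: float          # alert when the observed value exceeds this
    user_thresholds: Dict[str, float] = field(default_factory=dict)  # per-user overrides

    def threshold_for(self, user: str) -> float:
        return self.user_thresholds.get(user, self.default_threshold)


# Constructed rule set. The OneDrive rule mirrors the interview: a high-risk
# account is held to 25 GB while everyone else may download 300 GB.
RULES: Dict[str, EventRule] = {
    "onedrive_download_gb": EventRule("Critical", 300.0, {"contractor@example.com": 25.0}),
    "failed_logins_per_hour": EventRule("Medium", 50.0),
    "files_shared_externally": EventRule("Low", 20.0),
}


@dataclass(frozen=True)
class Observation:
    event: str
    user: str
    value: float
    at: datetime


@dataclass(frozen=True)
class Alert:
    event: str
    user: str
    severity: str
    at: datetime


def evaluate(obs: Observation) -> Optional[Alert]:
    """Raise an alert at the rule's severity when the observation exceeds the
    threshold that applies to this user; return None when within policy."""
    rule = RULES[obs.event]
    if obs.value > rule.threshold_for(obs.user):
        return Alert(obs.event, obs.user, rule.severity, obs.at)
    return None


def run_rules(observations: List[Observation]) -> List[Alert]:
    return [a for a in (evaluate(o) for o in observations) if a is not None]


def tally(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per severity, the breakdown the report presents."""
    counts = {"Low": 0, "Medium": 0, "Critical": 0}
    for a in alerts:
        counts[a.severity] += 1
    return counts


SEQUENCE_WINDOW = timedelta(hours=1)
RESPONSE_ACTION = "suspend_account_and_revoke_sessions"  # constructed placeholder


def sequence_responses(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Automated response for a threat sequence: a Medium alert on a user
    followed within the window by a Critical alert on the same user."""
    ordered = sorted(alerts, key=lambda a: a.at)
    actions: List[Tuple[str, str]] = []
    for i, first in enumerate(ordered):
        if first.severity != "Medium":
            continue
        for later in ordered[i + 1:]:
            if (later.user == first.user and later.severity == "Critical"
                    and later.at - first.at <= SEQUENCE_WINDOW):
                actions.append((first.user, RESPONSE_ACTION))
                break
    return actions


# Constructed observations for one morning.
T = datetime(2022, 6, 3, 10, 0)
SAMPLE_OBSERVATIONS = [
    Observation("failed_logins_per_hour", "contractor@example.com", 75, T),
    Observation("onedrive_download_gb", "contractor@example.com", 30, T + timedelta(minutes=30)),
    Observation("onedrive_download_gb", "alice@example.com", 30, T + timedelta(minutes=40)),
    Observation("onedrive_download_gb", "alice@example.com", 310, T + timedelta(hours=1)),
    Observation("files_shared_externally", "bob@example.com", 25, T + timedelta(hours=2)),
    Observation("failed_logins_per_hour", "alice@example.com", 10, T + timedelta(hours=3)),
]

if __name__ == "__main__":
    found = run_rules(SAMPLE_OBSERVATIONS)
    print(tally(found))
    print(sequence_responses(found))
```

The same 30 GB download is Critical for the contractor and silent for alice, which is exactly the per-user tuning the interview describes; the sequence rule only acts when a burst of failed logins is followed by the over-threshold download on the same account, so a single noisy rule firing on its own never triggers the automated response.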
“The good news is that more MSPs are starting to monitor their own internal tools,” the report reads. “SaaS Alerts saw a 200% increase in the MSPs using our platform who are monitoring their own tools, with at least half now monitoring one or more tool.”