By Sumo Logic Threat Labs and Sumo Logic Global Operations Center (GOC). Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

The news that the hacking group Lapsus$ gained unauthorized access to a Single Sign-On (SSO) provider through a third-party support account sent chills through infosec professionals everywhere. Enterprises have adopted SSO solutions to enable a modern workforce that is increasingly reliant on secure access to cloud-hosted applications to perform critical business functions.

We call on every organization to dig in and understand the risks of moving critical authentication services to third-party providers, and to ensure that sufficient controls are in place to minimize those risks. Managed security service providers play a lead role in keeping a close eye on SSO data sources. For organizations that use an SSO provider, a tailored monitoring, detection and response strategy is required. The Sumo Logic Threat Labs and Global Operations Center (GOC) teams have been there before: caught without the right logs, struggling to interpret a new log source, and spending countless hours working out how to distill the nuanced signals of an intrusion. In this post, we’ve distilled a monitoring, detection, and response strategy that can help you stay ahead of the changing attack surface around SSO sources.

First things first: if you are using a popular SSO identity provider and are not sending its logs to a SIEM or log management platform, stop reading this. Go and enable logging (double-check the log levels), then forward the logs to a SIEM or log management system immediately. Most identity providers retain logs for some period of time, but forwarding these critical events to a secure, long-term storage solution, such as Sumo Logic Cloud SIEM or another relevant platform, is highly recommended.

SSO configuration hygiene requirements:
- Enforce Multi-Factor Authentication (MFA) as part of the authentication process. FIDO hard tokens are the most secure; mobile push notifications are the next best option but are increasingly under attack; SMS codes are the least secure but are better than nothing at all.
- Review the security features that can be enabled (some at no cost, others requiring a subscription) to provide additional layers of security.
- Assess the built-in settings for disabling support access. Keep support access disabled and enable it only when support is required.
- Enable logging and set it to the appropriate log level.
- Deliver logs to a SIEM or log management tool. Ensure log retention meets regulatory or organizational requirements.
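One way to turn the MFA and support-access requirements above into detection logic, as an added example that is not from this post or from Sumo Logic: the script below runs over a constructed newline-delimited JSON sample whose field names, event names and actor list are assumptions rather than any vendor's real schema, and reports sign-ins without strong MFA, support-access toggles, third-party support sign-ins, and support access left enabled.

```python
import json
from datetime import datetime

# Constructed sample audit log (not from the post). Field and event names are assumptions.
SAMPLE_LOG = """\
{"ts": "2022-03-22T10:01:00Z", "event": "user.session.start", "actor": "alice@example.com", "mfa": "fido", "result": "success"}
{"ts": "2022-03-22T10:05:00Z", "event": "user.session.start", "actor": "bob@example.com", "mfa": "none", "result": "success"}
{"ts": "2022-03-22T10:07:00Z", "event": "support.access.enable", "actor": "admin@example.com", "result": "success"}
{"ts": "2022-03-22T10:30:00Z", "event": "user.session.start", "actor": "vendor-support@example.com", "mfa": "sms", "result": "success"}
{"ts": "2022-03-22T10:45:00Z", "event": "support.access.disable", "actor": "admin@example.com", "result": "success"}
"""

STRONG_MFA = {"fido", "push"}                    # ranking from the post: FIDO > push > SMS > none
SUPPORT_ACTORS = {"vendor-support@example.com"}  # assumed identities used by third-party support


def parse_events(raw):
    """Parse NDJSON audit events, convert timestamps, and sort chronologically."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def audit(events):
    """Return a list of (severity, message) findings, in event order."""
    findings = []
    support_open_since = None  # timestamp of the last support.access.enable, if still open
    for e in events:
        if e["event"] == "support.access.enable":
            support_open_since = e["ts"]
            findings.append(("high", f"support access enabled by {e['actor']}"))
        elif e["event"] == "support.access.disable":
            support_open_since = None
        elif e["event"] == "user.session.start" and e["result"] == "success":
            if e.get("mfa") not in STRONG_MFA:
                findings.append(("medium", f"{e['actor']} signed in with weak or no MFA: {e.get('mfa')}"))
            if e["actor"] in SUPPORT_ACTORS:
                # A support sign-in with no matching enable event is the more suspicious case.
                state = "open" if support_open_since else "NOT enabled"
                findings.append(("high" if support_open_since else "critical",
                                 f"third-party support sign-in by {e['actor']} (support access {state})"))
    if support_open_since:
        findings.append(("high", f"support access still enabled since {support_open_since.isoformat()}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_events(SAMPLE_LOG)):
        print(f"[{sev}] {msg}")
```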