SaaSy Detection: Purple Teaming Software-as-a-Service Platforms

OVERVIEW

This talk will present an approach to developing attack detection capability across cloud-based Software as a Service (SaaS) solutions. This approach is drawn from real world experience across a wide variety of enterprise environments and focuses on the use of purple team methodologies to identify and execute likely attack paths, evaluate telemetry and build effective detections.

Historically cloud security research has focused on cloud infrastructure providers, but the use of SaaS solutions has increased dramatically, and become deeply ingrained in how organizations operate day-to-day. Microsoft 365, GitHub, and Slack are good examples of SaaS solutions used by the majority of organizations today. The fast-paced development of these new technologies has seen a divergent approach to security within the solutions themselves. Perhaps more notably, organizations’ rapid adoption of these technologies has seen engineering efforts far outpace security development and understanding.

Over the past 18 months the presenters have been helping organizations understand what attacks against SaaS look like and building an approach for building and validating detection through emulation of these threats. The dynamic nature of SaaS solutions and the cloud environments they inhabit mean that building an effective long-term framework for keeping up with these changes is more important than the individual detections themselves.

Attendees will leave the talk with a clearer understanding of:

• What real-world SaaS attacks look like
• How SaaS detection differs from more conventional detection
• How to approach designing, implementing and evaluating their SaaS detection capability