2023-10-07, Track 1
SaaS has been described as the operating system of business. Therefore it’s essential to protect the sensitive data that is stored and processed in SaaS systems by monitoring for any anomalous or malicious activity. Traditional security monitoring focuses heavily on endpoint, network, and infrastructure audit logs, with a vast amount of resources available to guide network defense priorities. However, network defenders must now shift their focus to also include monitoring for tens to hundreds of SaaS applications, each with its own unique challenges and nuances involving collection, schema, and visibility, without established standards or resources to guide the way.
This problem led to the creation of the Event Maturity Matrix: a comprehensive knowledge base dedicated to SaaS application audit logging. Its purpose is to serve as a fundamental resource for security professionals to gain a clear understanding of the capabilities and nuances surrounding SaaS audit logging. By leveraging this knowledge base, security practitioners can obtain visibility into the types of user activity actions that are logged, see real-world examples of how SaaS applications log user activity, and use these insights to inform their security operations and compliance objectives.
When threat hunting, researching a detection hypothesis, or responding to a security incident for a specific SaaS application, have you ever asked yourself any of these questions as a Security Operations practitioner?
- What applications do we suspect that a compromised user accessed?
- Are we collecting events from these applications? If not, what are the requirements for event collection?
- What log sources should I prioritize?
- What activities do these applications log? How much context or metadata is available within the audit logs?
- Are there other log sources from that application that we should be analyzing?
These questions led to the conception of the Event Maturity Matrix and the desire to build a knowledge base that helps security teams quickly understand the monitoring and visibility capabilities of SaaS products and services.
During this talk we will showcase the Event Maturity Matrix, its different components, and how to use it within your environment. To do so, we will discuss 3 different attack use cases targeting SaaS, reviewing the TTPs used and the audit logs generated by each SaaS platform. By discussing the adversary’s objective, the techniques used, and how each action is manifested in SaaS audit logging, we’ll highlight the challenges and opportunities that exist with modern SaaS audit logging and how the Event Maturity Matrix can support security operations.
Finally, we will spend the remaining time highlighting the newly released Event Maturity Matrix knowledge base website, quickly demoing the layout which includes:
- Per SaaS vendor documentation for audit logs, including links to API and schema documentation
- A thorough overview regarding the accessibility of vendor audit logs, including cost/licensing, latency, and vendor hosted retention considerations
- A description of observations of vendor audit logs, including complexities or nuances that exist with analysis or audit log collection
- A heat map matrix of how SaaS audit log event sources align with basic audit log event types that are often required by Security Operations teams, including real-world examples of sample events. For example:
  - Successful and failed authentication events
  - Successful and failed MFA verification events
  - Modifying a user account or security role
  - Modifying a user’s MFA enrollment settings
  - Modifying a global security configuration, such as a Password Policy
  - Downloading a Resource such as a File or Report
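An added example, not code from the talk or the Event Maturity Matrix project, of the alignment the heat map captures: audit events from two hypothetical vendors (vendor_a and vendor_b, with assumed schemas and constructed sample events) are normalized into the basic event types listed above and counted into a coverage matrix, whose empty cells are the visibility gaps a team should know about before writing a detection for that application.

```python
EVENT_TYPES = [
    "auth_success", "auth_failure", "mfa_success", "mfa_failure",
    "user_or_role_modified", "mfa_enrollment_modified",
    "global_security_config_modified", "resource_downloaded",
]

def classify_vendor_a(e):
    """Hypothetical vendor A: flat schema, an 'action' plus a 'result' field."""
    action, ok = e.get("action"), e.get("result") == "success"
    if action == "user.login":
        return "auth_success" if ok else "auth_failure"
    if action == "user.mfa_verify":
        return "mfa_success" if ok else "mfa_failure"
    if action in ("user.update", "user.role_change"):
        return "user_or_role_modified"
    if action == "org.password_policy_update":
        return "global_security_config_modified"
    return None  # logged by the vendor, but not one of the basic types above

def classify_vendor_b(e):
    """Hypothetical vendor B: nested schema, failures are separate event names."""
    table = {"LOGIN": "auth_success", "LOGIN_FAILED": "auth_failure",
             "MFA_RESET": "mfa_enrollment_modified",
             "FILE_DOWNLOAD": "resource_downloaded", "REPORT_EXPORT": "resource_downloaded"}
    return table.get(e.get("event", {}).get("type"))

CLASSIFIERS = {"vendor_a": classify_vendor_a, "vendor_b": classify_vendor_b}

def coverage_matrix(events):
    """vendor -> basic event type -> count of sample events that mapped to it."""
    matrix = {v: {t: 0 for t in EVENT_TYPES} for v in CLASSIFIERS}
    for vendor, raw in events:
        kind = CLASSIFIERS[vendor](raw)
        if kind:
            matrix[vendor][kind] += 1
    return matrix

def visibility_gaps(matrix):
    """Empty cells: event types with no observed sample event for that vendor."""
    return sorted((v, t) for v, row in matrix.items() for t, n in row.items() if n == 0)

SAMPLE_EVENTS = [  # constructed sample events, not real vendor output
    ("vendor_a", {"action": "user.login", "result": "failure", "user": "alice"}),
    ("vendor_a", {"action": "user.login", "result": "success", "user": "alice"}),
    ("vendor_a", {"action": "user.mfa_verify", "result": "success", "user": "alice"}),
    ("vendor_a", {"action": "org.password_policy_update", "user": "alice"}),
    ("vendor_b", {"event": {"type": "LOGIN", "actor": "bob"}}),
    ("vendor_b", {"event": {"type": "MFA_RESET", "actor": "bob"}}),
    ("vendor_b", {"event": {"type": "REPORT_EXPORT", "actor": "bob"}}),
]
```

Running `visibility_gaps(coverage_matrix(SAMPLE_EVENTS))` lists, for each vendor, the basic event types that never appeared, such as vendor_b having no MFA verification events at all.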
Lastly, the concluding remarks will lay out the next steps for the Event Maturity Matrix, including the addition of more SaaS applications and encouraging community feedback via GitHub.
I've worked in Information Security for approximately 15 years with concentrated focuses on detection, response, application, and network security. I've also worked in security roles across multiple industries including Software, Defense, Retail, and Healthcare. I'm passionate about security, most specifically building and improving defensive capabilities.
Josh Rickard is a Senior Software Engineer at AppOmni focused on threat detection at scale. He is an expert in PowerShell and Python, and has presented at multiple conferences including DerbyCon, ShowMeCon, BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded an SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. You can find information about open-source projects that Josh creates on GitHub at https://github.com/MSAdministrator