
Obsidian Outlook: 2023 SaaS Security Predictions

SaaS security goes prime time in 2023

High-profile cyber attacks at Okta, HubSpot, and others in 2022 suggest bad actors are putting more energy into targeting SaaS. That attention is not surprising: organizations rely heavily on SaaS applications for business-critical workflows and maintain a complex web of integrations between them. What makes defending SaaS even more challenging is the distance between the application owners, who sit in different business units, and the (often) centralized enterprise security team.

In addition to the growing threat landscape surrounding SaaS, new privacy laws are coming that will penalize companies when sensitive data stored in SaaS is not appropriately protected.

As we head into 2023, these SaaS risk and threat realities are causing teams to take a hard look at protecting SaaS apps like Microsoft 365, Salesforce, and Google Workspace. Fortunately, organizations like ours are here to partner in enabling SaaS threat detection, posture hardening, and integration management.

What else are we expecting in 2023? Here are our predictions:

The SaaS surface area will be a key target in at least five of the year’s top 10 breaches

SaaS attacks were already on the rise, as witnessed in 2022 by high-profile breaches at Okta, Slack, and elsewhere, along with SaaS instances breached at other high-profile companies. We are also seeing increasingly advanced phishing techniques and malware, as well as session hijacking, that help bad actors obtain legitimate credentials or tokens.

MFA bypass techniques, such as MFA push fatigue and token theft, will grow in popularity among the attacker community

CISA and security teams have done a good job increasing MFA coverage. Adversaries still want in, however, so they will keep looking for ways around MFA rather than through it. With many incidents already observed that used MFA fatigue (repeatedly sending push prompts until the target approves one) and SIM swapping, we expect this trend to continue into 2023.
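MFA fatigue leaves a recognizable trace in identity-provider logs: a burst of denied or unanswered push prompts for one user, often followed by a single approval. The following is an added example of that detection logic, not Obsidian's code or any vendor's product logic; it runs over a constructed log format (timestamp, user, event, source IP) rather than real IdP output, and the threshold and window are assumed tuning values.

```python
"""Flag MFA push-fatigue patterns in a constructed IdP-style auth log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real IdP output. Format assumed:
# <ISO-8601 timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2023-01-10T08:00:05Z alice push_sent 203.0.113.7
2023-01-10T08:00:40Z alice push_denied 203.0.113.7
2023-01-10T08:01:12Z alice push_sent 203.0.113.7
2023-01-10T08:01:50Z alice push_timeout 203.0.113.7
2023-01-10T08:02:20Z alice push_sent 203.0.113.7
2023-01-10T08:02:55Z alice push_denied 203.0.113.7
2023-01-10T08:03:30Z alice push_sent 203.0.113.7
2023-01-10T08:03:41Z alice push_approved 203.0.113.7
2023-01-10T09:15:00Z bob push_sent 198.51.100.4
2023-01-10T09:15:09Z bob push_approved 198.51.100.4
"""

# Events that mean the user did not accept the prompt (names are assumed).
FAILURE_EVENTS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return findings for users whose failed prompts reach `threshold` within `window`.

    Two finding kinds are produced (assumed severity labels):
      - "burst": the failure count reached the threshold; the user is being hammered.
      - "approved_after_burst": an approval followed the burst; treat as likely compromise.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp (first tuple element)
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        failures = []                  # timestamps of failures inside the sliding window
        for ts, _, event, ip in evs:
            failures = [f for f in failures if ts - f <= window]
            if event in FAILURE_EVENTS:
                failures.append(ts)
                if len(failures) == threshold:   # fire once when the threshold is crossed
                    findings.append({"kind": "burst", "user": user, "ip": ip,
                                     "failures": len(failures), "at": ts})
            elif event == "push_approved" and len(failures) >= threshold:
                findings.append({"kind": "approved_after_burst", "user": user, "ip": ip,
                                 "failures": len(failures), "at": ts})
                failures = []          # reset so one incident yields one escalation
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']}: user={f['user']} ip={f['ip']} failures={f['failures']} at={f['at']:%H:%M:%S}")
```

On the constructed log, alice produces a "burst" finding at the third failure and an "approved_after_burst" finding at 08:03:41, while bob's single clean approval produces nothing. In practice the approval event is the one to page on, and the source IP of the prompting login should be compared against the user's usual locations; number-matching push prompts remove most of this attack class, at which point the same log pattern becomes a signal of credential theft rather than of a successful bypass.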

HR and ERP platforms will see an increase in targeting for financial gain

We’ve observed attacks against HR systems to modify direct deposit information, and systems like ERP hold data that lets attackers target critical workflows within enterprises more precisely. We expect these systems to be targeted even more in order to redirect funds and to commit fraud and impersonation attacks.

Incident response engagements will include the SaaS surface area by default

We’ve mentioned our collaboration with CrowdStrike and how their incident response (IR) teams use Obsidian. We have great partnerships with other IR firms as well. Fast threat suppression limits potential damage, and with most attacks having one or more SaaS applications in scope, it will be time to deploy “EDR for SaaS” when the phone rings.

Organizations will push for more decentralized security, through embedded champions, moving aspects of the security program into other functions, and finding other ways to be effective and efficient through distribution

ESG research found that 45% of organizations say they have a problematic shortage of cybersecurity skills. This suggests that culture and collaboration will be big this year, along with opportunities to increase automation and managed security services. CISOs must focus on conflict resolution and prioritization, because big changes mean some product owners gain more power while others may be gone.

Macro economic factors will force organizations to be even more efficient with IT and security tooling, favoring fewer but better vendors and tooling that can help multiple teams (don’t we say this every year?)

Even though 65% of organizations are planning to increase cybersecurity spending in 2023, efficiency is really the key word for CISOs this year. We all need to make sure we are utilizing the available cyber defense value that is inherent in our people, processes, and technology.

U.S. federal government mandates for software bill of materials (SBOM) will drive major awareness of third-party integration risks

The U.S. federal government is already issuing guidance to protect businesses from increasingly potent supply-chain attacks, which will bring more attention to these kinds of attacks.

CISA will expand their focus on SCuBA (Secure Cloud Business Applications) for the U.S. federal government

The sheer volume of data the U.S. federal government protects has led it to adopt best-practice frameworks for protecting that data. SCuBA is a reference architecture that agencies should consider as they migrate to cloud-based technologies. CISA will be releasing guidelines for popular apps, including recommendations for Office 365.

More than 10 U.S. states will introduce new privacy legislation

Not only do security leaders have to contend with hackers, they increasingly will have to adhere to a new batch of privacy regulations intended to protect consumer data. In 2023, new GDPR-style laws will go on the books in California, Virginia, Colorado, Connecticut, and Utah. We think this is just the beginning.

Concluding security prediction thoughts

2023 is already off to an interesting start with economic uncertainty, high-profile breaches, and new privacy laws in effect. Will these predictions come true, or are they off base? Regardless of what happens, we know this year will continue the theme of working together for a more collective, collaborative defense of our enterprises, organizations, and agencies, and we must all continue to raise the bar against a seemingly endless number of threats and risks to our businesses. Let’s do what we can as defenders to enable our companies to execute against their missions as safely as possible. #shieldsup