
The Ultimate Guide to SaaS Ransomware Protection

Explore attack paths in cloud collaboration tools and how SpinOne’s detection and response curbs encryption, preserves clean versions, and accelerates recovery—without disrupting productivity.

Transcription

What’s Unique about Ransomware in SaaS Environments?

Yeah, so a couple of things related specifically to SaaS environments: number one, I would say it provides an expanded attack surface for adversaries.

So, you know, obviously, adversaries are going to go where the data is, and most companies are utilizing a variety of SaaS applications, including extremely critical ones, like Google Workspace™ or Microsoft 365 that are critical to their business functions.

So since that’s where the data is, that’s what adversaries are going to attack.

And at the same time with that expanded attack surface, you can reach your SaaS environment from anywhere you have an internet connection, which adds to that risk.

Additionally, what’s inherent to these SaaS environments is that it promotes collaboration and data sharing.

You know, it makes our lives easier working within our businesses that we can collaborate and share things, but from a risk perspective, when it comes to ransomware, multiple users often have shared access to files and documents, and if one user’s account is compromised, that ransomware can spread throughout the SaaS environment.

And then one last thing I would note that provides a risk to the SaaS environment, and that is a bit unique to it, is the proliferation of integrations and third-party apps.

So within our SaaS applications, going back to those examples of Google Workspace™ and Microsoft 365, you know, users are plugging in different applications and extensions, and if one of those becomes compromised, it could become the vector for a ransomware attack.

How does ransomware infiltrate and spread within SaaS environments?

Sure, and I will talk through a traditional example, which we have a graphic for here, where we’ll talk about the common infiltration method, which, you know, most folks are going to be aware of: phishing emails.

So in this case, a user receiving a phishing email becomes compromised, where the ransomware virus automatically spreads to the computer.

At that point, all files on the computer are encrypted, including items within their Google Drive™.

Now, in this case, referring to a Google Workspace™ example, many users will have active file sync going on from their end device to the Google G Suite Cloud.

And in that case, that synchronization is actually going to spread that ransomware attack, where files within Google Drive™ are replaced with their infected versions.

So within those steps, I’ve talked about how it infiltrates and spreads.

I’d also like to talk about typical ways that we respond to an attack like that.

So it’s very imperative that you have some type of automated detection going on, where at Spin we’re looking at both known ransomware signatures, as well as performing file behavior monitoring.

So it’s not just important that you’re looking at known signatures, but looking at behaviors that are indicative of a ransomware attack, which could be mass encryption of files, replacement of files, or deletion of files, done in a way that doesn’t mimic typical human behavior.

So your very first step is finding that source. In my example, it was a local-to-cloud example: the user device is compromised and syncs to the cloud. You could also have a cloud-to-cloud example, where one of those integrations or applications within your SaaS environment becomes the attack vector.

In either of those two examples, the most important first step is detecting and revoking access of whatever that compromised source is.

And after that, it’s very important to also have automation when it comes to both identifying impacted files, as well as automatically restoring that back to the user in production.

So we want to automatically detect those, automatically restore those files, and do so in a way that limits end-user downtime.
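The behavioral monitoring described above (mass modification, replacement or deletion of files at a rate no human would produce) can be illustrated with a small sliding-window detector. This is an added example, not SpinOne's code; the activity log, user names, the `.locked`-style suffix list and the 20-files-per-minute threshold are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WRITE_ACTIONS = {"modify", "delete", "create"}
# Illustrative, constructed suffixes that encrypting malware is often reported to append.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")


def build_sample_events():
    """Constructed SaaS drive activity log (not real Google Drive / M365 audit data).
    Each event: (ISO timestamp, user, action, file name)."""
    events = [
        ("2024-05-01T09:00:01", "alice", "modify", "budget.xlsx"),
        ("2024-05-01T09:03:10", "alice", "modify", "notes.docx"),
        ("2024-05-01T09:05:42", "alice", "delete", "old-draft.docx"),
    ]
    start = datetime.fromisoformat("2024-05-01T09:10:00")
    for i in range(30):  # bob's synced endpoint rewrites 30 files within 58 seconds
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        events.append((ts, "bob", "modify", f"report-{i}.docx.locked"))
    return events


def detect_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {user: (peak_writes_in_window, renamed_count)} for users whose
    write/delete activity in any sliding window reaches the threshold.
    A person editing documents rarely rewrites 20+ files in a minute; a sync
    client pushing encrypted copies to the cloud does exactly that."""
    per_user = {}
    for ts, user, action, name in sorted(events):
        if action in WRITE_ACTIONS:
            per_user.setdefault(user, []).append((datetime.fromisoformat(ts), name))
    flagged = {}
    for user, items in per_user.items():
        recent, peak = deque(), 0
        for t, name in items:
            recent.append(t)
            while t - recent[0] > window:  # drop writes older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        renamed = sum(name.endswith(RANSOM_SUFFIXES) for _, name in items)
        if peak >= threshold:
            flagged[user] = (peak, renamed)
    return flagged


if __name__ == "__main__":
    for user, (peak, renamed) in detect_bursts(build_sample_events()).items():
        print(f"{user}: {peak} writes/min, {renamed} ransom-style renames -> revoke access, restore")
```

The flagged user is the "compromised source" whose access the answer says to revoke first; the file names collected for that user are the candidates for automated restore.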

Why are backups alone not effective protection against ransomware attacks?

Yeah, that’s a great question, and there’s a few metrics that I found recently about both backups, as well as time to restore the data.

So, first off with backups, an interesting metric is that although 92% of businesses record having backups, more than one in four businesses failed to restore data from them during a ransomware attack.

So that really emphasizes the need to regularly test these processes and the efficacy of both making sure that your backups are in place, that it’s backing up data as frequently as it should.

But secondly, testing your restore process, which leads me to the second metric around average downtime, even for those companies that have backups in place, is around three weeks.

And a reason for that is you may have your backups in place, but you have to consider the time it takes to restore that data.

And one of the things that could impede that are API limits that are associated with your provider that is backing up your data.

So you as a business, you need to take that into account because obviously, you want to minimize that downtime for the impact it has on your business.

If, for instance, your critical files are not available to your end users.

What are some proven risk mitigation strategies for SaaS ransomware attacks?

Sure, like most defenses within cybersecurity, it’s going to be a mix of things.

I’ll talk about some administrative as well as technical measures.

From an administrative perspective number one is collaborating with your SaaS provider, making sure that you have a good understanding of the security measures they have in place, SLAs, as well as where their responsibilities end and yours begin.

So you want to have a tight collaboration and understanding there.

Secondly, from an administrative perspective is developing an incident response plan.

So making sure that all of the key players in place know what their responsibilities are, that you execute against those responsibilities and have automation and other processes in place, but most importantly, that you regularly test this, you know, tabletop exercises, other things like that, to make sure that your plan is current and effective.

But then, additionally from an administrative perspective, just the regular security training and awareness for your end users when it comes to phishing, social engineering, how to manage data within the cloud, all those different types of things.

From a technical perspective, a lot of these are going to be examples of, you know, typical good tech hygiene practices that we do to limit security risks.

So going back to posture management, making sure that we have MFA in place for our administrators, robust access controls, logging, regularly updating and patching software, as well as, you know, we’ve talked about backing up data, but having tools in place to automatically detect attacks.

And then, with all of these control measures in place, just like it’s important to test our incident response plan, it’s important to test our processes, testing our backups, doing penetration testing, within our cloud environment, and, of course, going through regular security audits to test those.

Why is automation critical to protecting your SaaS data?

Yeah, I would say that the main role for automation is going to be, you know, a good example.

And I talked earlier about our example of a ransomware attack.

Automation is going to play a role in detection, you know, doing that monitoring to find not just known signatures of ransomware attacks, but behavior that mimics that, which, you know, is very difficult for a human to do on their own.

So you want to have automation and AI in place to find these different types of attacks.

But secondly, with that, once we’ve found that attack, we want to use our automation to identify impacted files and users so we can restore all of those back.

And then, going back to the posture management example, making sure that we’re utilizing automation to detect configurations that have become out of sync with those control standards, as well as posture management around those applications that may flag different types of risk for your environment.
