Saas Alerts releases alarming report on application security trends and announces new partnership

The partnership is with MSP-focused cyber insurance provider FifthWall Solutions, to provide cyberinsurance for VARs and their customers.

Jim Lippie, co-founder and CEO of SaaS Alerts

Today, SaaS Alerts, a cybersecurity company which makes a platform with a rules engine purpose-built for MSPs to stop unauthorized activity in customer SaaS applications, is making a pair of announcements. First they have released their fourth Annual SaaS Application Security Insights (SASI) Report. Secondly, They have announced a new partnership with MSP-focused cyber insurance provider FifthWall Solutions.

The 2024 SASI report analyzed SaaS application security records of more than 18,000 SMBs and nearly 2 million end-user accounts last year, and demonstrated that there is a significant opportunity for MSPs to help their small and mid-market business clients. This comes in a context where hackers concentrated on brute-force attacks, as well as developed new, more efficient techniques for breaching systems, such as token hijacking, PhaaS, and IP address localization.

“The threats have evolved over time, and we are real life data – not surveys – about this,” said Jim Lippie, co-founder and CEO of SaaS Alerts. “The first year we could demonstrate any remediation data, and show how many instances of compromise are caught using our Remediation Module. Threat actors have declined, but that is because they have found more efficient ways to gain access to the environment.”

One highlight Lippie noted was that SaaS Alerts now has 528 MSPs using their Response module, which caught over 7,900 incidents of compromise last year.

Lippie also said that the report’s most alarming finding was the continued low adoption of multi-factor authentication (MFA) among MSPs’ customers. Among the end-user accounts included in the 2024 report, only 35% enabled MFA, which is a slight 3% increase over the findings in the 2023 SASI Report. This threat is exacerbated by the fact that more users are using OAuth to log into other SaaS applications with their same Microsoft 365 or Google Workspace credentials.

The report also revealed a 75% increase in guest user accounts. Guest users accounts are created on the fly when sharing documents externally and are often left dormant and unmonitored, increasing exposure to data breaches and exfiltration.

In 2023, SaaS Alerts monitored more than 2.5 billion SaaS events. Most of those events (97.5%) were low severity, leaving more than 60 million medium-severity and critical events to address. The most common high-severity threats included successful logins from outside approved locations, and files opened or downloaded outside an approved location.

Microsoft 365 and Google Workspace remain the most widely-used SaaS applications in the dataset, so they naturally were the most active sources of critical alerts last year. However, only about 1% of alerts from M365 and Google required immediate attention. Meanwhile, Slack was more problematic, with 12% of related alerts identified as critical. That’s also an almost nine-point jump from Slack’s critical alerts ratio of 3.77% last year.

“A higher percentage of alerts around Slack are critical because Slack doesn’t have security built into it in the same way as Microsoft and Google,” Lippie said. “People think its innocuous but there is a lot of file sharing information available there.”

In addition to traditional brute-force attacks, the report warns MSPs to be prepared for increased attacks with these methods:

PhaaS is where hackers provide a list of email addresses with messages and logos of the companies they’re trying to impersonate to a PhaaS platform. The hacking software sets up a virtual server and runs the hack on autopilot. The program then sends back the stolen credentials.

Token hijacking, which allows hackers to bypass MFA and Conditional Access, happens when bad actors set up a server between the end-user’s login screen and the SaaS service being logged into, such as Microsoft 365, and allows them to intercept a user’s access token to then access the end-user’s account.

IP address localization allows hackers to get around geolocation fencing by localizing their IP addresses to bypass foreign login flags.

The second announcement is a partnership with Wexford, PA-based FifthWall Solutions to offer its new Beltex cyber insurance solution to SaaS Alerts’ MSPs and their customers.  Beltex is a customized, turnkey insurance product for the MSP channel, to be bundled with SaaS Alerts. MSPs that deploy SaaS Alerts to their customers will have access to a customized Beltex link for customers to verify eligibility and, in many cases, receive a direct quote and coverage within minutes. Beltex manages the entire process from start to finish.

Reid Wellock, FifthWall Solutions’ President

“Our company has been around for the better part of a decade, as a cyberinsurance wholesaler,” said Reid Wellock, FifthWall Solutions’ President. “We were the first national one focused on cyber. We pivoted three years ago to work with the MSP channel. We have been in the channel for some time, and I have known Jim [Lippie] for a year and a half. Our approach is we are bringing something we have listened to and seen leveraged. A good insurance partner can validate what needs to be done, and we work with specific vendors whose partner base represents a lower risk pool.”

Wellock said that many MSPs are typically higher risk for FifthWall.

“We try and work with MSPs to mystify what cyberinsurance actually does,” he said. “It’s a good situation to help MSPs’ sales results and MRR.”

Wellock noted that in the commercial space – in relation to all other lines of insurance they pay – cyberinsurance is still very inexpensive.

“That has changed somewhat since four years ago,” he said. “Rates are going up but it’s still a small piece of the pie. Generalist agents often overlook it because it provides the least return on their portfolio.

“We are launching this with the intent to adapt based on feedback we get,” Wellock concluded. “We are determined to get the right peg in the right hole.”