SaaSy detection: purple teaming Software-as-a-Service platforms

Presented at Blue Team Con 2022, Aug. 27, 2022, 6:10 p.m. (30 minutes)

This talk will present an approach to developing attack detection capability across cloud-based Software as a Service (SaaS) solutions. The approach is drawn from real-world experience across a wide variety of enterprise environments and focuses on the use of purple team methodologies to identify and execute likely attack paths, evaluate the resulting telemetry, and build effective detections. Historically, cloud security research has focused on cloud infrastructure providers, but the use of SaaS solutions has increased dramatically and become deeply ingrained in how organizations operate day-to-day. Microsoft 365, GitHub, and Slack are good examples of SaaS solutions used by the majority of organizations today. The fast-paced development of these technologies has led to divergent approaches to security within the solutions themselves. Perhaps more notably, organizations' rapid adoption of these technologies has seen engineering efforts far outpace security development and understanding. Over the past 18 months the presenters have been helping organizations understand what attacks against SaaS look like, and have developed an approach for building and validating detections through emulation of those threats. The dynamic nature of SaaS solutions and the cloud environments they inhabit means that an effective long-term framework for keeping up with change is more important than the individual detections themselves. Attendees will leave the talk with a clearer understanding of:

- What real-world SaaS attacks look like
- How SaaS detection differs from more conventional detection
- How to approach designing, implementing and evaluating their SaaS detection capability


  • Chris Philipov - Security Consultant, WithSecure
    Chris is a security consultant in the cloud security team at WithSecure. When he is not trying to help people figure out what to do with their logs, he enjoys researching security-related issues in Microsoft Azure or Google Cloud and learning about any cool new services they offer. In the little free time between those two activities, Chris likes to work on internal scripts and tooling to help out his colleagues. Chris has previously presented at fwd:cloudsec, and holds the Azure Administrator Associate and Azure Security Engineer Associate certifications.
  • Nick Jones - Principal Security Consultant, WithSecure
    Nick Jones is a principal security consultant at WithSecure, where he leads the cloud security team. Nick focuses on AWS security in cloud-native organizations and large enterprises, and on helping organizations build detection capability against cloud-native attacks. He has previously spoken on the topic at RSA, fwd:cloudsec, DEF CON Cloud Village, t2 and others, and maintains Leonidas, an open source cloud attack simulation framework.