Story 4: Detecting compromised secrets & careless 3rd-party vendors

Danielle Guetta July 16, 2024

Join Astrix customers as they lead the non-human identity security frontier in this series “The Astrix stories: Real customer wins”. From building an automated process around NHI offboarding, to a collaboration between security and engineering to remove super-admin tokens in two hours – these real stories will help you understand what an NHI security strategy looks like for Astrix customers.

Chapter 1: Speed and agility come at a (security) cost

API keys and OAuth tokens are the standard for integrating technologies in a world where self-service is everything and the barrier to entry is low. These API keys, OAuth tokens, and other non-human identities (NHIs) are quickly outpacing their human counterparts. However, they are often overlooked, overprivileged, and unmonitored.

This story shows how two companies from different industries leveraged proactive threat detection and behavior analysis not only to identify, but also to actively protect against, the constant threats that non-human identities create.

A SaaS company faced significant security challenges due to its heavy use of SaaS-based technologies and integrations. The culture enabled dev and engineering teams to develop innovative solutions rapidly and allowed extensive use of internal and external integration points.

One such integration involved an internal Slack app with wide access to sensitive information across private channels and direct messages. This freedom came with risks… 

—–

A digital marketplace had a similar culture and set of challenges. 

In this case, the customer encountered issues with active visibility into their AWS environment. The lack of inventory and historical context obscured who had initial and persistent access – making it very difficult to manage and monitor NHIs effectively. 

Chapter 2: Catching compromised secrets & careless third-party vendors

Using Astrix’s anomaly detection, the SaaS provider detected suspicious activity from the Slack app. The activity included calls from an unfamiliar IP address and from a client binary that pointed to a different usage pattern. The subsequent investigation revealed that the app developer’s lost laptop had locally stored secrets, which had been compromised and posed a significant threat to the integrity of the company’s access controls. The security team responded promptly by rotating tokens, adjusting permissions, and refining their policies.

As for the digital marketplace, the same behavioral engine identified that several integrations initially thought to be internal were actually linked to an external vendor’s secret scanning engine. The detection of anomalous accesses from a personal computer indicated local use of these secrets, raising immediate security concerns. Further investigation revealed that the external vendor’s employees were testing new capabilities using these secrets. The company swiftly contacted the vendor, demanding better practices and ensuring tighter security controls.

The immediate alerts and detailed insights allowed both companies to act swiftly, preventing potential security breaches and reinforcing their overall security posture. The incidents also prompted both companies to re-evaluate their policies and procedures, ensuring that even in a fast-paced development environment, security is not compromised.
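The two detections above rest on the same idea: learn what "normal" looks like for each token (where it calls from and which client binary it uses), then flag calls that deviate. The script below is an added illustration of that baseline-and-deviation approach; it is not Astrix code and does not reproduce Astrix's engine. The audit records, field names (`token_id`, `src_ip`, `client`), the trusted corporate range and the baseline cut-off date are all constructed assumptions. It also shows the second story's check: a token whose entire baseline sits outside the trusted network is reported as "external" even if it was believed to be internal.

```python
"""Baseline-and-deviation detection for non-human identity (API token) usage.

Added example; all records, field names and networks below are constructed.
"""
import json
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records (JSON lines). The schema is an assumption,
# not any vendor's real log format.
SAMPLE_EVENTS = """\
{"ts":"2024-07-01T08:00:00Z","token_id":"slack-internal-app","src_ip":"10.20.4.15","client":"internal-slack-bot/1.4","action":"conversations.history"}
{"ts":"2024-07-02T08:00:00Z","token_id":"slack-internal-app","src_ip":"10.20.4.15","client":"internal-slack-bot/1.4","action":"conversations.history"}
{"ts":"2024-07-03T08:00:00Z","token_id":"slack-internal-app","src_ip":"10.20.4.16","client":"internal-slack-bot/1.4","action":"chat.postMessage"}
{"ts":"2024-07-01T09:00:00Z","token_id":"aws-scan-key","src_ip":"203.0.113.40","client":"aws-cli/2.15","action":"ListBuckets"}
{"ts":"2024-07-02T09:00:00Z","token_id":"aws-scan-key","src_ip":"203.0.113.41","client":"aws-cli/2.15","action":"ListBuckets"}
{"ts":"2024-07-10T02:13:00Z","token_id":"slack-internal-app","src_ip":"198.51.100.7","client":"python-requests/2.31","action":"conversations.history"}
{"ts":"2024-07-10T03:00:00Z","token_id":"slack-internal-app","src_ip":"10.20.4.15","client":"internal-slack-bot/1.4","action":"chat.postMessage"}
{"ts":"2024-07-11T18:30:00Z","token_id":"aws-scan-key","src_ip":"192.0.2.99","client":"boto3/1.34 Python/3.12 Windows/10","action":"GetObject"}
"""

# Assumed corporate egress range; calls from here are never "unfamiliar".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Events before this (assumed) cut-off train the baseline; later ones are scored.
BASELINE_END = datetime(2024, 7, 8, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))


def _in_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def build_baseline(events, cutoff=BASELINE_END):
    """Per token: the set of source IPs and client strings seen before the cut-off."""
    baseline = defaultdict(lambda: {"ips": set(), "clients": set()})
    for ev in events:
        if _ts(ev) < cutoff:
            entry = baseline[ev["token_id"]]
            entry["ips"].add(ev["src_ip"])
            entry["clients"].add(ev["client"])
    return dict(baseline)


def classify_token(entry):
    """'internal' only if every baseline source sits inside a trusted network."""
    return "internal" if all(_in_trusted(ip) for ip in entry["ips"]) else "external"


def detect_anomalies(events, baseline, cutoff=BASELINE_END):
    """Score events after the cut-off against the baseline and return alerts."""
    alerts = []
    for ev in events:
        if _ts(ev) < cutoff:
            continue
        entry = baseline.get(ev["token_id"])
        reasons = []
        if entry is None:
            reasons.append("token has no baseline")
        else:
            if ev["src_ip"] not in entry["ips"] and not _in_trusted(ev["src_ip"]):
                reasons.append("unfamiliar source IP")
            if ev["client"] not in entry["clients"]:
                reasons.append("unfamiliar client binary")
        if reasons:
            alerts.append({"ts": ev["ts"], "token_id": ev["token_id"],
                           "src_ip": ev["src_ip"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_EVENTS):
    """Return (token origin classification, list of alerts) for a log text."""
    events = parse_events(text)
    baseline = build_baseline(events)
    origins = {tid: classify_token(entry) for tid, entry in baseline.items()}
    return origins, detect_anomalies(events, baseline)


if __name__ == "__main__":
    origins, alerts = run()
    for tid, origin in origins.items():
        print(f"{tid}: baseline traffic is {origin}")
    for alert in alerts:
        print(f"ALERT {alert['ts']} {alert['token_id']} from {alert['src_ip']}: "
              + ", ".join(alert["reasons"]))
```

On the constructed data the Slack token is classified as internal but its 02:13 call from an unfamiliar address with a generic HTTP client is flagged on both counts, while the scanning key is revealed to have always called from outside the corporate range and is then flagged again when a desktop client appears. A real deployment would swap the static cut-off for a rolling window and add per-token rate and action-type baselines, but the response the story describes (rotate, re-scope, revisit policy) starts from exactly this kind of alert.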

Chapter 3: Lessons learned

These parallel incidents underscore several important lessons for businesses integrating NHIs. Firstly, it is crucial to have robust monitoring and detection mechanisms in place.

Astrix’s advanced threat detection solutions played a pivotal role in identifying and mitigating the risks associated with both internal and external NHIs.

Secondly, companies need to find a balance between enabling rapid development and maintaining strong security controls. The SaaS company’s experience highlighted the risks of giving developers too much freedom without adequate oversight.

And lastly, transparency and control are vital when dealing with external integrations. The automotive marketplace’s situation demonstrated the potential dangers of not fully understanding or monitoring how external partners or vendors use their integrations. These scenarios both emphasize the need for firm security measures – especially in environments that prioritize rapid development & innovation.

Stay tuned for story 5…

Learn more

CSA and Astrix Research: The State of Non-Human Identity Security

Massive NHI attack: 230 Million cloud environments were compromised

App-Specific Passwords: Origins, Functionality, Security Risks and Mitigation