Could SaaS logs and "chatops" get you to 100% patched user devices?

All organizations are pushing more data and functions into SaaS; however, in MWR's experience few organizations consume or use the resulting logs except when investigating an incident (which is difficult if logging was not configured well beforehand). One particular challenge with SaaS logs is the wide variation in what data different vendors offer (some make logs available only at certain price tiers). In practice this means that companies doing protective monitoring of SaaS need to evaluate the logs of every SaaS vendor they use individually.

MWR uses Slack for some internal messaging, and when onboarding its logs we noticed that they contain good user agent information, including specific versions of browsers and mobile operating systems. A challenge MWR (and others) has had is that iOS updates require the device to be on WiFi and above a certain battery level, so users often need to be involved for an update to go through. People being busy, the logs confirmed our suspicion that there were a number of outdated devices in MWR's mobile fleet.

[Figure: pie chart of outdated devices]

[Figure: historic 7-day chart of device patching over time]

Whilst we suspected there might be a few, we were surprised by the number: around 20%. Investigating a few cases found a mix of reasons why automatic updates were not working. For iOS, the WiFi and battery requirements meant that employees who rarely used WiFi never triggered an update at all. Another common cause of lackadaisical patching was that a number of our consultants run Linux with Chrome (or Chromium); it turns out that Chromium lags behind Chrome in patches, and several Linux distributions then take further time to update their repositories.

"Chatops" is starting to get traction as an idea: using bots integrated into messaging systems such as Slack, Microsoft Teams, or Symphony to confirm actions, remind users, or otherwise support security. Jacques Louw, our Technical Director for MWR-ZA, wrote a Slack bot that integrates with our monitoring to ask users to update, and produced internal stats showing which offices were doing better and worse.
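The two pieces described above, extracting OS and browser versions from the user agents in the SaaS logs and turning the result into per-office stats and per-user reminders, fit in a short script. The following is an added example written for this page; it is not MWR's monitoring or Jacques Louw's bot. It assumes log records shaped like the entries Slack's team.accessLogs API returns (user_id, user_agent, date_last); the sample records, the user-to-office mapping, and the minimum "patched" versions are constructed for the example, and a real deployment would take the minimums from the vendors' current security release notes.

```python
"""Flag outdated iOS and Chrome builds in Slack-style access logs and group
the findings by office so a chat bot can nudge the right people.
Added example for this page; assumptions are marked in the comments."""
import re
from collections import defaultdict

# Constructed minimums for this example; take real values from vendor
# security release notes. Tuples compare element-wise, so (12, 1) < (12, 1, 4).
MIN_VERSIONS = {
    "ios": (12, 1, 4),
    "chrome": (72, 0),
}

# iPhone UAs read "CPU iPhone OS 12_1_4", iPad UAs read "CPU OS 12_1".
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")
# Chromium (and Chromium-based browsers) advertise "Chrome/<build>", so the
# user agent alone cannot separate Chromium from Chrome; both get one minimum.
CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def classify(user_agent):
    """Return (platform, version_tuple), or (None, None) if unrecognised."""
    m = IOS_RE.search(user_agent)
    if m:
        return "ios", tuple(int(x) for x in m.groups() if x is not None)
    m = CHROME_RE.search(user_agent)
    if m:
        return "chrome", tuple(int(x) for x in m.groups())
    return None, None


def is_outdated(platform, version):
    """True when the observed version is below the configured minimum."""
    return version < MIN_VERSIONS[platform]


def summarise(records, offices):
    """records: dicts with user_id, user_agent, date_last (assumed shape of
    Slack access log entries). offices: user_id -> office name (assumed to
    come from a directory). Only the most recent record per (user, platform)
    counts, so someone who has already updated is not nudged for an old login.
    Returns (per_office counts, {user_id: [reminder text, ...]})."""
    latest = {}
    for rec in sorted(records, key=lambda r: r["date_last"], reverse=True):
        platform, version = classify(rec["user_agent"])
        if platform is None:
            continue  # curl, unknown clients, etc. are ignored
        latest.setdefault((rec["user_id"], platform), version)

    per_office = defaultdict(lambda: {"total": 0, "outdated": 0})
    nudges = {}
    for (user_id, platform), version in latest.items():
        office = offices.get(user_id, "unknown")
        per_office[office]["total"] += 1
        if is_outdated(platform, version):
            per_office[office]["outdated"] += 1
            seen = ".".join(map(str, version))
            want = ".".join(map(str, MIN_VERSIONS[platform]))
            nudges.setdefault(user_id, []).append(
                f"We saw {platform} {seen} in use; please update to {want} or later.")
    return dict(per_office), nudges


def leaderboard(per_office):
    """Office-by-office patch percentage, best first, as text a bot can post."""
    rows = sorted(per_office.items(), key=lambda kv: kv[1]["outdated"] / kv[1]["total"])
    return "\n".join(
        f"{office}: {100 * (s['total'] - s['outdated']) / s['total']:.0f}% patched "
        f"({s['outdated']} outdated of {s['total']})"
        for office, s in rows)


# Constructed sample data: user agents, timestamps and offices are invented.
SAMPLE_LOGS = [
    {"user_id": "U01", "date_last": 1551960000,
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"},
    {"user_id": "U02", "date_last": 1551950000,
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77"},
    {"user_id": "U03", "date_last": 1551940000,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"},
    {"user_id": "U03", "date_last": 1551970000,  # newer login: U03 has since updated
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"},
    {"user_id": "U04", "date_last": 1551930000,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"},
    {"user_id": "U05", "date_last": 1551920000, "user_agent": "curl/7.64.0"},
    {"user_id": "U06", "date_last": 1551910000,
     "user_agent": "Mozilla/5.0 (iPad; CPU OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"},
]
OFFICES = {"U01": "London", "U02": "London", "U06": "London",
           "U03": "Johannesburg", "U04": "Johannesburg"}

if __name__ == "__main__":
    stats, reminders = summarise(SAMPLE_LOGS, OFFICES)
    print(leaderboard(stats))
    for user, texts in reminders.items():
        print(user, "->", " ".join(texts))
```

Posting the reminders is the part left to the messaging platform's API (a direct message per user, the leaderboard to a team channel). Keeping the "most recent record wins" rule and ignoring unrecognised clients matters more than it looks: without the former the bot nags people who already updated, and without the latter scripts and API clients inflate the device count.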

[Figure: screenshot of the bot's message on Slack]

We ran this for a few weeks and occasionally teased (or rather, encouraged) the offices that were lagging behind, until one Friday:

[Figure: pie chart showing currently outdated devices]

[Figure: current 7-day chart showing device patching over time]

Jacques' bot only took a couple of days to write and then a few weeks to get us to our goal. As such, we're now looking at other ways to use SaaS logs and chatops for preventative security. There will eventually be a balance to strike: we do not want to bug users with so many chatops messages that they become alert-blind and start to ignore them. If that can be avoided, however, the potential for scaling a security team's efforts is huge.


Key takeaways:

  1. If you aren’t already, consider reviewing your SaaS logs to see what information is present in them and how it could be used beyond detective monitoring.
  2. You may be surprised, as MWR was, to see how many devices aren’t running the latest (and safest) version of critical software.
  3. You may also want to experiment with security chat bots; the effort doesn’t have to be huge, but it has the potential to scale a security team’s efforts (or at least to outsource the nagging!).
