Organizations are pushing ever more data and functions into SaaS; however, in MWR's experience few organizations consume or use the resulting logs except when investigating an incident (which is difficult if the logs were not configured well before the incident). One particular challenge with SaaS logs is the wide range of data that different SaaS vendors offer (and some make logs available only at certain price tiers). This effectively means that companies doing protective monitoring of SaaS need to manually evaluate the logs of every SaaS vendor they use.
MWR uses Slack for some internal messaging, and when onboarding its logs we noticed that they give good user agent information, including specific versions of browsers and mobile devices. A challenge MWR (and others) has had is that iOS updates require the device to be on WiFi and above a certain battery level, which means users often need to be involved for an update to go through. People being busy, the logs confirmed our suspicion that there were a number of outdated devices in MWR's mobile fleet.
Whilst we suspected there might be a few, we were surprised by the number: around 20%. Investigating a few cases found a mix of reasons why automatic updates were not working. For iOS, the WiFi and battery-level requirements meant that, as many employees never used WiFi, the updates were never triggered. Another common cause of lackadaisical patching was that a number of our consultants run Linux with Chrome (or Chromium), and it turns out that Chromium lags behind Chrome in patches, and several Linux distributions then take further time to update their repositories.
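As an added illustration (not MWR's or Jacques' code), this is the kind of check the post describes: parse the user agent field of Slack access-log entries and flag clients running below a minimum version. The log records and the minimum versions are constructed placeholders, and the record shape (`username`, `user_agent`) is an assumption about the access-log export rather than a verified schema.

```python
import re
from typing import Optional

# Minimum acceptable versions: placeholder policy values, not MWR's actual baseline.
MIN_VERSIONS = {"iOS": (12, 1, 4), "Chrome": (72, 0, 0), "Chromium": (72, 0, 0)}

# Order matters: Chromium UA strings also contain "Chrome/", so check Chromium first.
# The iOS pattern covers both "iPhone OS 12_1_4" and the iPad form "CPU OS 12_1".
PATTERNS = [
    ("iOS", re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?")),
    ("Chromium", re.compile(r"Chromium/(\d+)\.(\d+)\.(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)")),
]

# Constructed sample records shaped like Slack access-log entries (not real logins).
SAMPLE_LOGINS = [
    {"username": "alice", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"},
    {"username": "bob", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"},
    {"username": "carol", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/70.0.3538.77 Chrome/70.0.3538.77 Safari/537.36"},
    {"username": "dave", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"},
    {"username": "erin", "user_agent": "Slack_SSB/3.3.7"},  # desktop app: not a tracked product
]


def parse_ua(ua: str) -> Optional[tuple]:
    """Return (product, (major, minor, build)) for the first tracked product found, else None."""
    for product, pattern in PATTERNS:
        match = pattern.search(ua)
        if match:
            # A missing trailing component (e.g. "12_1") is treated as 0.
            version = tuple(int(g) if g else 0 for g in match.groups())
            return product, version
    return None


def outdated_logins(logins):
    """Return [(username, product, version_string)] for logins below the minimum version."""
    flagged = []
    for entry in logins:
        parsed = parse_ua(entry["user_agent"])
        if parsed is None:
            continue  # untracked client; a real deployment would report these separately
        product, version = parsed
        if version < MIN_VERSIONS[product]:
            flagged.append((entry["username"], product, ".".join(map(str, version))))
    return flagged
```

Comparing version tuples rather than strings avoids "9" sorting above "12"; the flagged list is what a bot would turn into per-user reminders and per-office stats.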
"Chatops" is starting to get traction as an idea: using bots integrated into messaging systems such as Slack, Microsoft Teams, or Symphony to confirm actions, remind users, or otherwise benefit security. Jacques Louw, our Technical Director for MWR-ZA, wrote a Slack bot that integrates with our monitoring to ask users to update, and produced internal stats showing which offices were doing better and worse.
We ran this for a few weeks and occasionally teased (read: encouraged) offices that were lagging behind, until one Friday:
Jacques' bot only took a couple of days to write and then a few weeks to get us to our goal. As such, we're now looking at other ways we can use SaaS logs and chatops for preventative security. There will eventually be a balance to strike: we do not want to bug users with so many chatops messages that they become alert blind and start to ignore them; however, if that can be avoided, the potential for scaling a security team's efforts is huge.