Identity Attacks

SaaS applications are the backbone of modern organizations, powering productivity and collaboration. However, they also introduce critical security risks—identity sprawl, misconfigurations, and an expanding attack surface. Identity providers have become a prime target for threat actors, prompting security teams to focus on protecting identities across multiple SaaS environments.

To mitigate these risks, many organizations adopt SaaS Security Posture Management (SSPM) to harden configurations, enforce least-privilege access, and maintain visibility over human and non-human identities. SSPM is an essential preventive tool that improves cyber hygiene by reducing the attack surface. Yet prevention alone is not enough in today’s evolving threat landscape. Identity Threat Detection and Response (ITDR) is crucial to bridge this gap and enable organizations to detect and respond quickly to active threats targeting their identity infrastructure.

The Growing Threat to SaaS Identities

The rise in identity-based attacks highlights the inherent weaknesses of traditional security measures. Exploitable misconfigurations, excessive permissions, and credential misuse remain key attack vectors. Stolen credentials and privileged access account for 61% of all data breaches. Attackers circumvent preventive measures by exploiting identity providers, OAuth tokens, and privileged accounts across various SaaS applications.

A notable instance from 2024 is the breach involving Microsoft's internal systems by the Russian state-sponsored group known as Midnight Blizzard. The attackers initially gained access through a password spray attack targeting a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. Subsequently, they exploited a deprecated OAuth application with elevated permissions, allowing them to infiltrate Microsoft's Office 365 environment and access internal email correspondence of senior executives.

A compromise in one application often becomes a launching pad for lateral movement, allowing attackers to escalate privileges and access additional systems. Real-time detection and response are essential, not just to identify attacks, but to stop them before they have a huge impact on the organization.
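The detection side of the pattern described above (a password spray, a sign-in without MFA, then an OAuth grant) can be sketched as a small correlation over sign-in events. This is an added example, not code from the article or from any vendor; the event fields, thresholds, account names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, type, account, source IP, detail).
SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "test-svc"]
EVENTS = [(f"2024-01-10T03:0{i}:00", "login_failed", u, "203.0.113.7", "")
          for i, u in enumerate(SPRAY_TARGETS)]
EVENTS += [
    ("2024-01-10T03:01:30", "login_failed", "erin", "198.51.100.4", ""),
    ("2024-01-10T03:09:00", "login_ok", "test-svc", "203.0.113.7", "mfa=none"),
    ("2024-01-10T03:20:00", "oauth_grant", "test-svc", "203.0.113.7", "scope=full_access"),
    ("2024-01-10T09:00:00", "login_ok", "alice", "192.0.2.10", "mfa=totp"),
]

def spraying_ips(events, min_accounts=5, window=timedelta(minutes=30)):
    """Source IPs that failed logins against many distinct accounts within the window."""
    fails = defaultdict(list)
    for ts, kind, acct, ip, _ in events:
        if kind == "login_failed":
            fails[ip].append((datetime.fromisoformat(ts), acct))
    flagged = set()
    for ip, rows in fails.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            accounts = {a for t, a in rows[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def attack_timelines(events):
    """For each account that logged in without MFA from a spraying IP,
    return its events from that login onward, in time order."""
    bad_ips = spraying_ips(events)
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort as text
    first_hit = {}
    for ts, kind, acct, ip, detail in ordered:
        if kind == "login_ok" and ip in bad_ips and "mfa=none" in detail:
            first_hit.setdefault(acct, ts)
    return {acct: [e for e in ordered if e[2] == acct and e[0] >= start]
            for acct, start in first_hit.items()}

if __name__ == "__main__":
    for acct, timeline in attack_timelines(EVENTS).items():
        print(acct)
        for ts, kind, _, ip, detail in timeline:
            print(f"  {ts} {kind:<12} {ip} {detail}")
```

The single failed login from 198.51.100.4 stays below the threshold, so only the account reached from the spraying address gets a timeline.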

SSPM and ITDR: A Multi-layered Defense

SSPM and ITDR work together to secure the SaaS ecosystem:

  • SSPM focuses on prevention, maintaining good hygiene, and a strong security posture by aligning roles, permissions, and configurations with best practices and security frameworks.
  • ITDR complements SSPM by monitoring for suspicious activity, such as compromised accounts or privilege escalation, and enabling swift responses like isolating compromised accounts and revoking tokens.

This layered approach ensures both proactive risk reduction and rapid containment of active threats.

Building a Resilient SaaS Identity Security Strategy

A strong identity security strategy must integrate both prevention and detection to combat modern attacks effectively. While security measures like multi-factor authentication (MFA) help reduce risk, attackers continuously find ways to bypass them, making layered defenses crucial. SSPM minimizes exposure by identifying and mitigating security gaps, such as weak authentication settings, while ITDR detects and responds to threats that manage to circumvent preventive controls. For example, adversary-in-the-middle (AiTM) phishing attacks have become a common tactic for bypassing MFA. 

In one large-scale phishing campaign, attackers used AiTM techniques to intercept authentication credentials and session cookies, allowing them to compromise Microsoft 365 accounts and conduct business email compromise (BEC) attacks. This incident, which affected over 10,000 organizations, highlights the importance of a multi-layered defense strategy that combines SSPM to strengthen authentication policies with ITDR to detect and respond to real-time threats, such as suspicious access patterns and lateral movement.

A Comprehensive Solution for SaaS Identity Security

At Wing Security, we provide a seamless security solution that integrates SSPM and ITDR, empowering security teams to manage risks efficiently without adding operational complexity. Our ITDR stands out by presenting a complete identity-based attack story, correlating scattered identity-related events into a clear timeline. This approach allows teams to connect the dots, quickly understand attack progression, and respond with precision.

In today’s threat landscape, identity security demands more than just prevention. By combining SSPM with ITDR, organizations can build a resilient defense—reducing exposure, detecting threats in real-time, and staying one step ahead of attackers.

About the author

Yoav Kalati, VP Product at Wing Security, has more than 15 years of cyber-defense experience on a national and international level. He started his career in the Israeli military's 8200 unit in various cyber-defense roles and retired after a successful service in the military's Cyber Threat Intelligence. Yoav is the recipient of various certificates of excellence, including from the head of the Directorate of Military Intelligence and the head of the Cyber Defense Division.

This article is a contributed piece from one of our valued partners.