AppOmni & Cribl boost SaaS security & data control against new threats
AppOmni has announced an integration with Cribl aimed at blocking UNC6395-style cyberattacks by providing enhanced SaaS security visibility and data management capabilities.
Recent cyber incidents involving groups such as UNC6395 and UNC6040 have drawn attention to the risks associated with the abuse of OAuth approvals, third-party integrations, and application access. Rather than breaking in, these attackers have used valid application tokens, issued to legitimate third-party integrations, for automated data exfiltration, lateral exposure across connected SaaS applications, and credential harvesting from the data they pulled. The effects of such supply-chain attacks range from intellectual property theft to exposure of sensitive customer data, underscoring the need for security controls that cover the integrations themselves, not just user logins.
Expanding the security approach
Campaigns carried out by groups like UNC6395 and UNC6040 highlight deficiencies in current security strategies, particularly those that fail to address the expanding web of SaaS application connections and third-party integrations. Traditional security methods often overlook the intricacies of OAuth connections and the complexities inherent in the cloud-based software ecosystem.
AppOmni's solution is designed to address these complexities by providing continuous visibility across SaaS applications. According to AppOmni, the platform is able to detect and prevent issues such as data loss, unauthorised access, and attacker movement across SaaS environments.
AppOmni shared in a statement, "Our platform provides deep, continuous visibility into your SaaS applications, helping you detect and prevent data loss, lateral movement, and unauthorised access from attackers."
The platform includes features such as automatic inventory of connected SaaS applications, governance of user-granted OAuth permissions, and continuous monitoring of app permissions and behaviours. It also normalises SaaS activity logs, establishes behavioural baselines, and detects anomalies such as mass downloads or access attempts from unfamiliar locations.
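The three capabilities just listed (normalising logs from different SaaS applications into one schema, building a per-user baseline, and flagging mass downloads or activity from an unfamiliar location) are the core of any SaaS anomaly detection. The following added example, which is not AppOmni's or Cribl's code, shows the logic end to end in Python over constructed sample log lines. The two input shapes (`crm` and `drive`) are hypothetical stand-ins for vendor-specific formats, and the thresholds (`MASS_FACTOR`, `MASS_FLOOR`, a one-hour window) are assumed tuning values, not anything the page specifies.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in two hypothetical vendor shapes. These are not real
# vendor schemas; they stand in for whatever a CRM and a file-sharing app actually emit.
RAW_LINES = [
    # Baseline period: alice pulls a few reports from the US; bob makes one download.
    '{"source":"crm","who":"alice@example.com","op":"DownloadReport","at":"2024-05-01T09:00:00Z","geo":"US"}',
    '{"source":"crm","who":"alice@example.com","op":"DownloadReport","at":"2024-05-01T09:20:00Z","geo":"US"}',
    '{"source":"crm","who":"alice@example.com","op":"Login","at":"2024-05-02T08:55:00Z","geo":"US"}',
    '{"source":"crm","who":"alice@example.com","op":"DownloadReport","at":"2024-05-02T10:00:00Z","geo":"US"}',
    '{"source":"drive","actor":{"email":"alice@example.com"},"eventName":"download","time":"2024-05-03T11:00:00Z","ipCountry":"US"}',
    '{"source":"drive","actor":{"email":"bob@example.com"},"eventName":"download","time":"2024-05-02T12:00:00Z","ipCountry":"US"}',
    # Evaluation period: bob behaves normally; carol has no history at all.
    '{"source":"drive","actor":{"email":"bob@example.com"},"eventName":"download","time":"2024-05-10T14:00:00Z","ipCountry":"US"}',
    '{"source":"crm","who":"carol@example.com","op":"DownloadReport","at":"2024-05-10T15:00:00Z","geo":"US"}',
]
# Evaluation period: a token-driven bulk export under alice's identity, eight pulls in
# fourteen minutes from a country she has never been seen in.
RAW_LINES += [
    json.dumps({"source": "crm", "who": "alice@example.com", "op": "ExportData",
                "at": f"2024-05-10T03:{m:02d}:00Z", "geo": "NL"})
    for m in range(0, 16, 2)
]
BASELINE_END = datetime(2024, 5, 8, tzinfo=timezone.utc)  # assumed split point

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    app: str
    action: str      # normalised verb: "download", "login" or "other"
    country: str

DOWNLOAD_VERBS = {"DownloadReport", "ExportData", "download"}

def normalise(line: str) -> Event:
    """Map a vendor-specific record onto the common Event schema."""
    rec = json.loads(line)
    if rec["source"] == "crm":
        user, verb, ts, country = rec["who"], rec["op"], rec["at"], rec["geo"]
    elif rec["source"] == "drive":
        user, verb, ts, country = rec["actor"]["email"], rec["eventName"], rec["time"], rec["ipCountry"]
    else:
        raise ValueError(f"unknown source {rec['source']!r}")
    action = "download" if verb in DOWNLOAD_VERBS else "login" if verb.lower() == "login" else "other"
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, rec["source"], action, country)

WINDOW = timedelta(hours=1)

def max_downloads_in_window(events):
    """Largest number of download events inside any WINDOW-long span (sliding window)."""
    downloads = sorted(e.ts for e in events if e.action == "download")
    best, start = 0, 0
    for end, ts in enumerate(downloads):
        while ts - downloads[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def build_baseline(events):
    """Per-user profile: countries seen and the peak hourly download count."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    return {u: {"countries": {e.country for e in evs},
                "peak_downloads": max_downloads_in_window(evs)}
            for u, evs in per_user.items()}

MASS_FACTOR = 3   # flag when hourly downloads exceed 3x the user's baseline peak ...
MASS_FLOOR = 5    # ... and at least this many, so a peak of 1 does not fire on 4

def detect(lines, baseline_end):
    events = sorted((normalise(l) for l in lines), key=lambda e: e.ts)
    baseline = build_baseline([e for e in events if e.ts < baseline_end])
    per_user = defaultdict(list)
    for e in events:
        if e.ts >= baseline_end:
            per_user[e.user].append(e)
    alerts = []
    for user, evs in per_user.items():
        profile = baseline.get(user)
        if profile is None:
            # A user with no history cannot be baselined; surface it rather than skip it silently.
            alerts.append({"user": user, "type": "no_baseline"})
            continue
        for c in sorted({e.country for e in evs} - profile["countries"]):
            alerts.append({"user": user, "type": "unfamiliar_location", "country": c})
        peak = max_downloads_in_window(evs)
        threshold = max(MASS_FLOOR, MASS_FACTOR * profile["peak_downloads"])
        if peak > threshold:
            alerts.append({"user": user, "type": "mass_download", "count": peak, "threshold": threshold})
    return alerts

def run_demo():
    return detect(RAW_LINES, BASELINE_END)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two design points matter in practice. The baseline is per user rather than global, because a sales engineer's normal export volume would be a mass-download alert for a finance analyst; and the floor `MASS_FLOOR` stops a user whose baseline peak is one download from generating an alert at four. The `no_baseline` branch is the caveat: an OAuth integration acting under a service account that has never been profiled is exactly the case UNC6395-style activity exploits, so it must be surfaced, not dropped.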
AppOmni stated that these capabilities give security teams the necessary insight and control to proactively reduce the attack surface, improve threat response times, and work to prevent breaches.
Data management through Cribl integration
The integration of AppOmni with Cribl Stream gives organisations additional control over their security data. Cribl Stream processes, enriches, and routes security data to multiple destinations in the format each expects, supporting a variety of use cases and compliance requirements.
One key benefit of Cribl Stream is data optimisation: filtering, reducing and transforming data so that only relevant information reaches downstream security tools or storage, which lowers ingestion and storage costs and improves efficiency. The architecture also supports flexible routing, permitting organisations to direct data to SIEM systems, data lakes, analytics platforms or other environments as needed.
Vendor neutrality is another feature, with Cribl's approach allowing organisations to integrate with security tools of their choosing without a dependence on any single provider.
Improved incident response capability
Feeding AppOmni's SaaS telemetry into Cribl Cloud is intended to enhance an organisation's incident response operations. Security data can be stored long term in Cribl Lake, enabling both compliance auditing and forensic investigations. Cribl Search allows for federated queries across multiple data sources, including Cribl Lake, data lakes, REST APIs, and SIEMs, without the need to move data, streamlining breach investigations and incident triage.
The unified workflow supports incident responders in quickly determining the scope and impact of incidents, while also supporting long-term compliance requirements.
AppOmni states that, in the event of an incident, security teams can leverage this rich dataset to conduct thorough forensic investigations and understand the scope and impact of the breach. Long-term storage in Cribl Lake helps organisations simplify compliance audits by providing a searchable trail of security activities.
Access to historical data also allows for proactive threat hunting and retrospective analysis to uncover previously undetected indicators of compromise. This is particularly important given the evolving tactics seen in UNC6395- and UNC6040-style attacks.
Other benefits cited include the ability to quickly identify the origins and progression of attacks, investigate underlying vulnerabilities, and inform future preventative measures.
SaaS risk and enterprise context
AppOmni and Cribl described this integration as delivering deep SaaS visibility and efficient data management, providing security teams with resources needed to stay ahead of evolving threats and to support compliance goals.
AppOmni concludes, "UNC6395 and UNC6040 remind us that SaaS isn't just another attack vector; it's now the operating system of the enterprise. With AppOmni and Cribl, organisations get visibility, control, and insights that are essential to protecting business-critical SaaS environments from modern threats."