A Powerful Approach to SaaS ITDR – Avoiding False Positives on Improbable Travel

In the world of SaaS ITDR, the journey taken matters. Traditional ITDR solutions often generate noise due to a lack of understanding of SaaS applications, leading to false alerts. Adaptive Shield's deep understanding of SaaS activity and misconfigurations enables more accurate ITDR, reducing false alerts and enhancing security.

Zehava Musahanov, Content Manager

In the world of SaaS ITDR, the journey taken matters. There are solutions that began from an ITDR perspective. They built threat-hunting capabilities to parse through any data set, look for anomalies, and flag any activity that looks suspicious. 

It’s a reasonable approach taken by security organizations that lack a deep understanding of SaaS applications and users. Problems arise, however, when these ITDRs start raising alerts. Their poor understanding of the SaaS user leads to false alerts and more noise for security teams to contend with.  

Other solutions, like that of Adaptive Shield, take a different approach to ITDR. We started by understanding SaaS activity and misconfiguration management. From there, our capabilities expanded into user behavior, devices, and third-party connected applications. With a solid SaaS foundation, we began working on ITDR. Here is one ITDR use case where our deep understanding of SaaS makes all the difference.

A (Not So) Simple Use Case – The Problem of False Alerts 

Most people understand the improbable traveler use case. An ITDR recognizes that one user logged into an application from two different locations during a time frame where travel between those locations would be impossible. A user logging into Salesforce at 3 PM from New York and at 4 PM from Italy would trigger an alert. 

On the surface, the alert is legitimate. The SOC team immediately disables the account, protecting company SaaS data. However, when the SOC team investigates, they find that the employee is indeed in Italy and was using a VPN whose exit point made it look like they were in New York.

If this were a rare occurrence, it wouldn’t be a big deal. However, for companies that simply apply their ITDR capabilities to any dataset, this is just one of thousands of false positives. After investigating a few dozen of these alerts and finding they are all false, the SOC team develops alert fatigue and tunes out all improbable traveler alerts. 

Improbable Travel from a Different Angle

As mentioned earlier, Adaptive Shield’s journey to ITDR began from its deep foundation of SSPM. The statistical models developed to detect improbable travelers recognize the different ways users connect to their SaaS stack.

The models identify patterns in how users access their apps, including whether it is likely that a given user is in a new country, making them a far more effective solution. Furthermore, they take context into consideration. Mobile IP addresses may geolocate to different regions or cities than the user’s Wi-Fi-connected laptop. If the user is on a roaming plan while abroad, their IP address may appear to be in their home country.

Depending on where the cellular carrier’s address space is geolocated, a user can be logged into an application from New York City and Brooklyn at the exact same time without raising a flag. Or, they may be using a virtual proxy server over Azure, which gives the appearance of one user being on two different continents at the same time.

Adaptive Shield’s deep understanding of SaaS user behavior allows it to enrich its picture of user location in a far more precise way than a company starting from an ITDR perspective. When Adaptive Shield triggers an improbable traveler alarm, it is because something far outside the norm is taking place, and the alarm likely indicates an emerging threat.
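To make the improbable-traveler use case above concrete, here is an added example of the kind of detection logic the preceding sections describe: a speed check between a user’s consecutive logins, with the contextual suppressions the article lists (corporate VPN egress, geolocation jitter inside one metro area, and a per-user baseline of familiar countries) applied before anything is alerted. It also keeps the previous login per user across all apps, so a Google Workspace login and a later Box login are compared with each other. This is illustrative code written for this article, not Adaptive Shield’s statistical model; the VPN range, speed and distance thresholds, users, coordinates, and login records are all constructed for the demonstration.

```python
"""Illustrative improbable-travel detector with contextual suppression.

Added example for this article; it is not Adaptive Shield's model. All
ranges, thresholds, users, and logins below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # roughly airliner cruise speed; anything faster is "impossible"
MIN_DISTANCE_KM = 100.0  # ignore geolocation jitter inside one metro area

# Hypothetical corporate VPN egress range (RFC 5737 documentation space).
# A login from here tells you where the VPN exits, not where the user sits.
VPN_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Login:
    user: str
    app: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    country: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_vpn_egress(ip):
    """True if the address falls inside a known corporate VPN exit range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def detect_improbable_travel(logins, baseline_countries):
    """Compare each login with the same user's previous login across ALL apps.

    baseline_countries maps user -> set of countries seen in that user's
    history. A jump into a never-seen country scores "high"; a jump between
    two familiar countries scores "low". Returns a list of alert dicts.
    """
    alerts = []
    last_seen = {}
    for cur in sorted(logins, key=lambda e: e.ts):
        prev = last_seen.get(cur.user)
        last_seen[cur.user] = cur
        if prev is None:
            continue
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist < MIN_DISTANCE_KM:
            continue  # Manhattan vs. Brooklyn from a carrier IP is not travel
        # Floor the gap at one minute so simultaneous logins do not divide by zero.
        hours = max((cur.ts - prev.ts).total_seconds() / 3600, 1 / 60)
        speed = dist / hours
        if speed <= MAX_SPEED_KMH:
            continue
        if is_vpn_egress(prev.ip) or is_vpn_egress(cur.ip):
            continue  # the VPN exit moved, not the user
        known = baseline_countries.get(cur.user, set())
        severity = "low" if {prev.country, cur.country} <= known else "high"
        alerts.append({
            "user": cur.user,
            "from": (prev.app, prev.country),
            "to": (cur.app, cur.country),
            "speed_kmh": round(speed),
            "severity": severity,
        })
    return alerts


def _t(hh, mm):
    return datetime(2024, 5, 6, hh, mm, tzinfo=timezone.utc)


# Constructed login records (documentation IP ranges, public city coordinates).
SAMPLE_LOGINS = [
    # alice is in Italy; her earlier session rode the corporate VPN out of New York
    Login("alice", "salesforce", _t(15, 0), "203.0.113.5", 40.7128, -74.0060, "US"),
    Login("alice", "salesforce", _t(16, 0), "192.0.2.77", 41.9028, 12.4964, "IT"),
    # bob: Google Workspace from Los Angeles, then Box from Tokyo 30 minutes later
    Login("bob", "google_workspace", _t(10, 0), "198.51.100.20", 34.0522, -118.2437, "US"),
    Login("bob", "box", _t(10, 30), "198.51.100.21", 35.6762, 139.6503, "JP"),
    # carol: laptop geolocates to Manhattan, phone to Brooklyn, same minute
    Login("carol", "salesforce", _t(12, 0), "198.51.100.30", 40.7128, -74.0060, "US"),
    Login("carol", "salesforce", _t(12, 0), "198.51.100.31", 40.6782, -73.9442, "US"),
    # dave: London then Madrid within half an hour; both countries are routine for him
    Login("dave", "box", _t(9, 0), "198.51.100.40", 51.5074, -0.1278, "GB"),
    Login("dave", "box", _t(9, 30), "198.51.100.41", 40.4168, -3.7038, "ES"),
]

BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"GB", "ES"}}

if __name__ == "__main__":
    for alert in detect_improbable_travel(SAMPLE_LOGINS, BASELINE):
        print(alert)
```

Run as-is, only bob (high) and dave (low) produce alerts: alice’s New York login is suppressed because it came from the VPN egress range, and carol’s two simultaneous logins are a few kilometres apart, below the metro-area floor. The two knobs that matter in practice are the VPN/carrier range list, which has to be kept current, and the per-user country baseline, which is what separates a routine commuter from a genuinely anomalous jump.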

Far Richer ITDR

Adaptive Shield’s ITDR is far richer than most in the market. The platform identifies anomalies from across the entire SaaS stack rather than from a single application. It can detect when a user logs into Google Workspace from Los Angeles and connects to the company’s Box account from Tokyo, and identify users who accessed the stack through a password spray attack. Adaptive Shield’s ITDR is built on the widest SaaS app coverage in the market today, covering over 140 applications.

Adaptive Shield recognizes when logged-in users are following known tactics, techniques, and procedures (TTPs) of threat actors, and flags these behaviors as indicators of compromise. It also identifies anomalous behaviors of users and integrated third-party applications, and monitors for suspicious behavior after a spike in failed logins across the SaaS stack.

About the writer

Zehava Musahanov, Content Manager

After completing her BA in Communications, Zehava began her career diving into the world of content writing. She recently joined Adaptive Shield as Content Manager bursting with ideas to create engaging discussion around SaaS security and the rapidly developing world of SSPM. Oh, and she does portrait drawings.