
Here’s what caused the Sisense data breach—and 5 tips for preventing it

by Rohan Sathe, April 22, 2024

From Uber in 2016 to Okta in 2023 to Sisense in 2024, it’s evident that there’s a pattern behind the tech industry’s most devastating breaches: Data sprawl. Let’s dive into how data sprawl played a part in last week’s Sisense breach, as well as how security teams can be proactive in defending against similar attacks. 

What is data sprawl, and how did it cause the Sisense breach?

In today’s cloud-based enterprise environments, it’s all too easy for employees and customers to include a social security number in a Slack message, or a driver’s license in a Zendesk ticket—or, in Sisense’s case, an AWS S3 credential in GitLab.

Imagine: A threat actor’s just gained access to a company’s cloud environment through social engineering or some other means. Rather than simply staying where they are, the threat actor will sift around in search of a way to advance their privileges further. And when companies sprawl their secrets across the cloud, it makes a threat actor’s mission that much easier. In Sisense’s case, the threat actor managed to pinpoint a credential stored in GitLab that provided them with access to Amazon S3 buckets, where they then “exfiltrate[d] several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.”

Such incidents are incredibly prevalent—and also preventable. So what can security professionals do to protect their secrets and prevent privilege escalation attacks? In short: Stop secret sprawl. 

What can security teams do to detect secrets and stop secret sprawl?

Secret sprawl is far and away the most dangerous form of data sprawl, as secrets can help threat actors to escalate their privileges. More likely than not, most enterprises have dozens, if not hundreds, of leaked secrets and credentials stored across their cloud environments. 

Tackling secret sprawl isn’t easy; it requires security teams to be strategic as they comb through their cloud apps. For instance, one might think that secrets are most likely to be found in code applications like GitHub and GitLab, when in fact, there are usually far more secrets to be found in non-code applications like Jira, Confluence, or Notion. Furthermore, secrets aren’t always written out as text; they can also be stored in images, such as screenshots. These two factors, among many others, can make it incredibly time-consuming to detect and remediate secrets across the enterprise. 


While the secret sprawl problem may seem daunting at times, there are a number of strategies that security teams can put in place in order to minimize the blast radius of privilege escalation attacks, including:

  • Implementing a proactive data leak prevention (DLP) platform that scans for secrets in real time. For instance, Nightfall’s generative AI detection engine can recognize and automatically delete, redact, or encrypt secrets across SaaS and AI apps as well as email and endpoints.
  • Fine-tuning detectors for peak precision and recall. As enterprises scale, it’s crucial to have a detection platform with a high true positive rate so that security teams aren’t constantly sifting through false positive alerts (or, as a result, missing a high-priority true positive in the process).
  • Conducting regular audits of data at rest. Even if you have a DLP solution in place, it’s still worthwhile to perform historical scans on a weekly or monthly basis to ensure that no sensitive data slips through the cracks. 
  • Training employees to adopt better secret sharing practices. While annual training can be useful to impart overarching best practices, it can only go so far. Instead, DLP platforms like Nightfall send real-time Slack and email notifications to educate employees about policy violations and best practices.
  • Encouraging employees to self-remediate their own policy violations. This not only frees up security teams to focus on more pressing issues, but also creates a stronger culture of security in the process.
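To make the first three strategies concrete, here is a small secret scanner written for this post as an added example (it is not Nightfall’s code or detection engine, and the sample messages, key values and thresholds are all constructed). It pairs a format-specific detector (the documented AWS access key ID format, “AKIA” plus 16 uppercase alphanumerics) with a generic keyword/value detector gated on length and Shannon entropy, runs both over text from non-code apps as well as a script, redacts what it finds, and then measures precision and recall against a labelled corpus so you can see how loosening the thresholds trades precision for noise.

```python
import math
import re
from dataclasses import dataclass

# Two detector styles. The first is a format-specific pattern: an AWS access key
# ID is "AKIA" followed by 16 uppercase alphanumerics (documented format).
# The second is a generic "keyword = value" pattern whose value is only reported
# when it is long and has high Shannon entropy, which filters out ordinary words.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+_\-=]{8,})"
)


@dataclass(frozen=True)
class Finding:
    source: str   # where the text came from (Slack channel, ticket, file)
    kind: str     # which detector fired
    value: str    # the matched secret, kept so it can be redacted


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above natural language."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str, text: str, min_len: int = 20, min_entropy: float = 3.5) -> list[Finding]:
    """Run both detectors over one piece of text from any app, code or not."""
    findings = []
    for m in AWS_ACCESS_KEY_ID.finditer(text):
        findings.append(Finding(source, "aws_access_key_id", m.group(0)))
    for m in ASSIGNMENT.finditer(text):
        value = m.group(2)
        # Length and entropy thresholds are the tuning knobs that trade
        # recall for precision; evaluate() below shows the effect.
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append(Finding(source, "high_entropy_" + m.group(1).lower(), value))
    return findings


def redact(text: str, findings: list[Finding]) -> str:
    """Keep a 4-character prefix so the owner can tell which key to rotate."""
    for f in findings:
        text = text.replace(f.value, f.value[:4] + "[REDACTED]")
    return text


# Constructed sample corpus: messages from non-code apps alongside one script.
# Every key value here is made up for this example and is not a real credential.
SAMPLES = {
    "slack:#ops": "can someone rotate this? AKIAEXAMPLE000000001 is in the old deploy script",
    "jira:OPS-1234": "Set DB_PASSWORD=hunter2 in staging, then retest login",
    "jira:OPS-1300": "temporary passwd: hunter2hunter2hunter2hunter2 until Friday",
    "confluence:Runbook": "api_key = 'x7Qm2pL9vR4sT1wY8nB3kJ6hG0dF5aZ2cV1bN7mX'",
    "gitlab:deploy.sh": "export AWS_SECRET_ACCESS_KEY=Zq8vL2mN5xP0rT7yW4kB9jH1dC6fG3aS/eU5tI2o",
    "slack:#random": "token: release-notes-2024 is the doc you want",
}
# Ground truth (constructed): which sources actually contain a credential.
LABELS = {
    "slack:#ops": True, "jira:OPS-1234": False, "jira:OPS-1300": False,
    "confluence:Runbook": True, "gitlab:deploy.sh": True, "slack:#random": False,
}


def evaluate(samples, labels, **scan_kwargs) -> tuple[float, float]:
    """Precision and recall of the scanner over a labelled corpus."""
    flagged = {src for src, text in samples.items() if scan(src, text, **scan_kwargs)}
    positives = {src for src, is_secret in labels.items() if is_secret}
    tp = len(flagged & positives)
    precision = tp / len(flagged) if flagged else 1.0
    recall = tp / len(positives) if positives else 1.0
    return precision, recall


if __name__ == "__main__":
    for src, text in SAMPLES.items():
        for f in scan(src, text):
            print(f"{f.source}: {f.kind} -> {redact(text, [f])}")
    print("tuned thresholds:", evaluate(SAMPLES, LABELS))
    print("naive thresholds:", evaluate(SAMPLES, LABELS, min_len=8, min_entropy=0.0))
```

With the tuned thresholds the scanner flags exactly the three real credentials, including the two that live in Slack and Confluence rather than in code. Dropping the length and entropy gates (the “naive” run) still catches all three but also flags the repeated password in the Jira ticket and the release-notes reference in Slack, cutting precision to 0.6; that is the alert noise the second strategy above warns about. The same `scan` function can be pointed at an export of historical data for the periodic audits the third strategy describes.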

TL;DR 

It’s now or never for enterprises to address secret sprawl. In order to secure secrets and prevent privilege escalation attacks, enterprises must implement a secret scanning solution that monitors a broad variety of channels and file types, exhibits high precision and accuracy, performs regular audits, and offers opportunities to coach employees in real time. While this is by no means an exhaustive list, it’s a starting point for cleaning up enterprise cloud environments.

Get a head start on tackling secret sprawl by signing up for a free risk assessment today. 
