Vorlon Blog

A Si(xth)Sense For Breaches

Written by Lauren Lee | Apr 18, 2024 6:29:12 PM

Overview

In this article, we delve into the recent Sisense data breach, a significant cybersecurity incident that has impacted numerous organizations globally.

Our overview will summarize the key details of the breach thus far, including the nature of the data exposed and the immediate steps recommended for affected entities. Additionally, we will explore how Vorlon can assist organizations in navigating the aftermath of the breach.

This article aims to not only inform you of the breach's specifics and its implications but also to offer guidance on how Vorlon can support your organization during this critical time. 

Breach Overview - What Happened?

Last week, Sisense, a leading provider of data dashboard and analytics solutions, confirmed a significant breach that compromised extensive customer data. This incident has not only raised alarms across various sectors but has also drawn the attention of major cybersecurity agencies such as CISA.

The security breach resulted in unauthorized access to Sisense customer data. According to reports from KrebsOnSecurity, the breach led to the theft of terabytes of data, including millions of access tokens, email account passwords, and SSL certificates. This breach poses a serious threat due to the sensitive nature of the data involved, which spans multiple high-stakes industries including healthcare, technology, and government.

Extent and Impact

The breach's impact is extensive, affecting Sisense’s global customer base of over a thousand organizations. The stolen data includes critical credentials and vast amounts of proprietary and operational data, making the breach especially alarming for all affected entities.

Technical Details of the Breach

Initial investigations reported by KrebsOnSecurity suggest that hackers gained access to Sisense’s GitLab code repository. It appears that this repository contained credentials for Sisense's Amazon S3 account, enabling attackers to extract a substantial amount of data.

What Can You Do If You Think You Are Affected?

In response to the breach, Sisense has urged all affected customers to take immediate action to secure their systems. Recommended steps include:

  • Resetting all keys, tokens, and credentials used within the Sisense application.
  • Changing passwords and logging out of all Single Sign-On accounts.
  • Rotating web access tokens and resetting user parameters.

These measures are crucial for mitigating the risk of further data exposure and potential exploitation.

Third-Party Breach Remediation: A Complicated Challenge

The ongoing Sisense breach is a good example of a third-party data breach impacting numerous customers who must swiftly scope the impact to their own organization and take steps to remediate any issues. In such early stages of a breach, organizations often find themselves navigating the remediation process alone. This process is typically resource-intensive and time-consuming.

For the Sisense breach, the recommended course of action is to rotate all Sisense credentials. This task, however, poses substantial challenges for many organizations that integrate Sisense credentials into various business processes.  

Particularly challenging is the scenario where organizations are not keeping track of where tokens are used. This can make the task of ensuring all tokens are rotated almost impossible. Organizations are then confronted with a dilemma: should they revoke and replace every token, potentially disrupting ongoing operations? Or should they first attempt to map out and understand these processes before taking action?
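One way to map where credentials are referenced before rotating them, as an added example that is not code from Sisense or Vorlon: it scans a directory tree for each known credential value and splits the list into credentials with no consumer found and credentials whose consumers must be updated alongside the rotation. The labels, token values and file names are constructed placeholders.

```python
import os
import tempfile

def build_inventory(root, secrets):
    """Map each credential label to the 'path:line' places its value appears."""
    inventory = {label: [] for label in secrets}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for label, value in secrets.items():
                            if value in line:
                                # Record the location only, never the value.
                                inventory[label].append(f"{rel}:{lineno}")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return inventory

def rotation_plan(inventory):
    """Order the work: no consumer found -> revoke now; else update, then revoke."""
    plan = {"revoke_now": [], "coordinate": []}
    for label, hits in sorted(inventory.items()):
        plan["coordinate" if hits else "revoke_now"].append(label)
    return plan

def demo():
    # Constructed labels, token values and files; none are real credentials.
    secrets = {
        "bi-api-token": "tok_CONSTRUCTED_aaaa1111",
        "bi-sso-secret": "sec_CONSTRUCTED_bbbb2222",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etl"))
        with open(os.path.join(root, "etl", "job.env"), "w") as fh:
            fh.write("REGION=eu\nDASH_TOKEN=tok_CONSTRUCTED_aaaa1111\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("no secrets here\n")
        inventory = build_inventory(root, secrets)
    return inventory, rotation_plan(inventory)

if __name__ == "__main__":
    inv, plan = demo()
    print(inv)
    print(plan)
```

A label landing in `revoke_now` only means no consumer was found in the scanned tree; it is still rotated, just without a dependent update first.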

And then there’s the added risk of attackers exploiting compromised credentials or tokens to extract information from other third-party applications. For instance, if Sisense credentials integrated into GitHub were compromised, it could lead to unauthorized access to all related source code.

We recognize the complexities and challenges that organizations face with third-party application breaches, and Vorlon is purpose-built for these exact scenarios. Our experienced team understands the critical nature of these issues, given that our platform sets out to solve this problem, and like all security vendors, we also rely on third-party applications.

So, How Can Vorlon Help?

Vorlon provides organizations with a continuous, near real-time view of their data in motion between third-party applications, including Vorlon itself (since it is technically a third-party application as well).

Vorlon provides organizations with the ability to keep a detailed inventory of third-party apps, secrets, and sensitive data, so security teams can better understand their third-party attack surface and respond to incidents quickly. 

In this case, organizations can use Vorlon for the following: 

Scope and Investigate:

  • Identify if Sisense is connecting to any of your third-party applications/entities, including unknown or suspicious IP addresses. 
  • Provide visibility into sensitive data or PII consumed by any unknown entities. 
  • Check API traffic for IOCs. 

Remediate: 

  • Alert on anomalous API activity and provide response recommendations. 
  • Revoke and rotate affected secrets. 
  • Create ITSM tickets for additional actions. 

Continued Monitoring:

  • Behavioral alerting for further anomalous activity such as new secret creation and unknown source IP/geolocations.

If you and your organization are worried about the Sisense breach, contact us here or call +1 (650) 456-2701.