
September 10, 2025 17 mins

Behind every digital business lies an invisible web of trust: the OAuth tokens silently connecting your applications. What happens when these trusted connections become your greatest vulnerability?

A sophisticated attack campaign recently exploited these connections, bypassing traditional security measures to breach major cybersecurity companies including Cloudflare, Palo Alto Networks, and Proofpoint. Rather than directly attacking primary platforms, threat actors targeted Drift's OAuth integration tokens, effectively stealing the keys that allowed them to impersonate this trusted web chat tool when connecting to enterprise Salesforce instances.

The consequences were startling. Once inside, attackers rapidly extracted thousands of support case records using Salesforce's bulk API capabilities, then deleted the logs to cover their tracks. Cloudflare later discovered 104 of their own API tokens sitting in plain text within their compromised support cases - creating potential pivot points to even more critical systems. This wasn't just a data breach; it was what experts now call the "SaaS Domino Effect" - where one compromised connection can cascade into multiple system compromises.

Not all companies suffered equally. Okta successfully blocked the attackers through one crucial defense: enforcing inbound IP restrictions on their integrations. This contrast highlights how proper integration hygiene can make all the difference between a devastating breach and a thwarted attempt.
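To make the defensive side of this story concrete, here is a small added Python example (not code from the podcast, from Okta, Cloudflare or any other company named, and not tied to any real token format) showing three checks that map to the controls described above: honouring an integration's token only from approved inbound IP ranges, alerting when one integration pulls an unusually large number of records in a short window, and scanning support-case text for token-like strings that should never have been stored there. The integration names, CIDR ranges, token patterns and case records are all constructed for the illustration; the sliding-window alert is written generally rather than for one specific API.

```python
"""
Added defensive example (not the podcast's or any vendor's code).

Three checks matching the controls the episode describes:
  1. inbound IP restrictions on integration tokens,
  2. alerting on bulk-style mass extraction by a single integration,
  3. scanning support-case text for embedded API tokens.

Every integration name, IP range, token format and case record here
is constructed for illustration and is not from the incident itself.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Inbound IP restriction: a token is only honoured from approved ranges ---

# Constructed allowlist: integration name -> CIDR ranges it may call from.
INTEGRATION_ALLOWLIST = {
    "chat-widget": ["198.51.100.0/24"],      # hypothetical vendor egress range
    "marketing-sync": ["203.0.113.0/24"],    # hypothetical vendor egress range
}


def token_use_allowed(integration: str, client_ip: str) -> bool:
    """True only if the call originates from a CIDR approved for that integration.
    A perfectly valid token presented from an unapproved address is still
    rejected, and unknown integrations or malformed addresses fail closed."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    ranges = INTEGRATION_ALLOWLIST.get(integration)
    if not ranges:
        return False
    return any(ip in ipaddress.ip_network(cidr) for cidr in ranges)


# --- 2. Mass-extraction alert: one integration reading too much, too fast ---

def bulk_extraction_alerts(events, max_records=1000, window=timedelta(minutes=10)):
    """events: iterable of (timestamp, integration, records_returned).
    Returns the integrations whose records read within any sliding
    window of length `window` exceed `max_records`."""
    by_integration = defaultdict(list)
    for ts, integ, n in sorted(events):
        by_integration[integ].append((ts, n))
    flagged = set()
    for integ, reads in by_integration.items():
        start, total = 0, 0
        for end, (ts, n) in enumerate(reads):
            total += n
            # Slide the window forward until it spans at most `window`.
            while reads[end][0] - reads[start][0] > window:
                total -= reads[start][1]
                start += 1
            if total > max_records:
                flagged.add(integ)
                break
    return sorted(flagged)


# --- 3. Secret scan over support-case text ---

# Constructed token-shaped patterns; a real scanner would use vendor-specific ones.
SECRET_PATTERNS = {
    "constructed_api_token": re.compile(r"\bapi_[A-Za-z0-9]{32}\b"),
    "bearer_in_text": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
}


def find_embedded_secrets(cases):
    """cases: list of {"id": str, "body": str}.
    Returns (case_id, pattern_name, redacted_hint) for each token-like hit,
    never the full secret, so the report itself does not leak it."""
    hits = []
    for case in cases:
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(case["body"]):
                s = m.group(0)
                hits.append((case["id"], name, s[:8] + "..." + s[-4:]))
    return hits


# Constructed sample data so the module runs offline.
_T0 = datetime(2025, 8, 20, 9, 0)
SAMPLE_EVENTS = [
    (_T0, "chat-widget", 50),
    (_T0 + timedelta(minutes=1), "chat-widget", 900),
    (_T0 + timedelta(minutes=2), "chat-widget", 400),     # 1350 in 2 min -> alert
    (_T0, "marketing-sync", 200),
    (_T0 + timedelta(minutes=30), "marketing-sync", 900),  # spread out -> no alert
]
SAMPLE_CASES = [
    {"id": "00001234", "body": "Customer pasted: api_" + "a" * 32 + " please check"},
    {"id": "00001235", "body": "No secrets in this case body."},
    {"id": "00001236", "body": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"},
]

if __name__ == "__main__":
    print(token_use_allowed("chat-widget", "198.51.100.7"))   # True
    print(token_use_allowed("chat-widget", "192.0.2.9"))      # False
    print(bulk_extraction_alerts(SAMPLE_EVENTS))               # ['chat-widget']
    for hit in find_embedded_secrets(SAMPLE_CASES):
        print(hit)
```

The IP check fails closed on purpose: an integration with no allowlist entry is denied rather than allowed by default, which is the posture that stops a stolen-but-valid token from being used from an attacker's infrastructure. The scanner reports only a redacted hint so the findings report does not become a second place where the secrets live.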

We unpack how Integrated Risk Management (IRM) provides a comprehensive framework for addressing these structural vulnerabilities, spanning technical controls, operational processes, enterprise risk modeling, and governance policies. Our discussion includes a practical 90-day roadmap with specific actions organizations can take to protect themselves.

Examine your own digital ecosystem today. What invisible connections might be putting your organization at risk? Understanding and securing these machine-to-machine relationships isn't just an IT concern - it's a critical business imperative in our interconnected world.



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Jones (00:00):
Welcome to the Deep Dive. We dig into the stories shaping our digital world, and today, well, we've got one that really hits close to home about hidden risks. We're looking at a recent cyber campaign, but maybe not the kind you first think of. This wasn't about brute forcing a main entrance. Instead, attackers exploited trust between apps, using one to unlock another, and it hit some huge names: Cloudflare, Palo

(00:24):
Alto Networks, Proofpoint.

Ori Wellington (00:26):
Yeah, it's a fascinating case study. It's like someone getting a copy of your valet key, you know, and using it not just to drive the car but to access the glove box, maybe the trunk system, and then cleverly erasing the car's trip log.

Sam Jones (00:38):
Exactly. Pretty sneaky stuff. So today we're exploring how this tech called OAuth, which is actually meant to make things safer, became the weak point. It wasn't a flaw in a big platform like Salesforce itself. The experts are calling it a failure of integration hygiene.

Ori Wellington (00:53):
That sounds clinical, it does, but it points to a real problem, and our mission today is to unpack how this attack actually worked, see the ripple effect it had and, crucially, lay out a framework, integrated risk management or IRM, to help you understand and defend against this. We're drawing on a key article, When Tokens Turn Toxic: The SaaS

(01:13):
Domino Effect, plus insights from companies directly involved like Cloudflare, Proofpoint, Okta and others who confirmed impacts or defenses.

Sam Jones (01:21):
Okay, let's dive in. Passwords. Most people get those. Type it in, you're in. Simple. But tokens, these are kind of the invisible keys doing work behind the scenes. OAuth, open authorization.

Ori Wellington (01:33):
That's the tech, that's the one. Think of it as the system allowing apps to securely interact on your behalf without you handing over your main password. Like giving a specific limited-use keycard, not the master key, okay.

Sam Jones (01:44):
Okay, limited-use keycard. I like that, but there are different types of these tokens, aren't there?

Ori Wellington (01:51):
Yes, fundamentally, three key parts to understand. First, you've got access tokens. These are short-lived, I think, maybe an hour. They let an app make specific API calls for you right now.

Sam Jones (01:57):
So the "do this specific thing now" token. What happens when it expires after an hour? Do I have to log in again everywhere?

Ori Wellington (02:05):
Good question. That's where refresh tokens come in. These are much longer-lived. Their job is basically to request new access tokens silently behind the scenes when the old ones expire. It means the app keeps working seamlessly for you without constant logins.

Sam Jones (02:19):
Right, so that keeps things smooth. And the third piece, that's scopes.

Ori Wellington (02:22):
Scopes define exactly what permissions that token grants. Can it read contacts, can it write opportunities, can it only manage support cases? It's about limiting what the app can actually do. Least privilege, ideally.

Sam Jones (02:34):
Okay, so OAuth should be more secure: no password sharing, limited permissions. It sounds great on paper, a real step up, but, and there's always a but, isn't there, in reality this creates this huge tangled web of machine connections, app talking to app.

Ori Wellington (02:50):
Exactly, and that complexity is the attack surface. In this specific incident, attackers went after Drift's integration tokens, Drift being a popular web chat tool. Once they compromised those tokens, they could essentially impersonate Drift or other trusted apps connected via Drift to access Salesforce data in multiple companies.

(03:12):
And the speed was alarming. They used Salesforce's Bulk API in at least one case. That's built for handling massive data volumes, to just vacuum up thousands of case records super fast.

Sam Jones (03:30):
And then the kicker. And then, yeah, they deleted the logs for those actions. Right, covering their tracks completely. So back to your analogy. The valet key gets copied. They use it to rifle through the car systems, grab stuff and then wipe the security logs inside the car. You might not even know they were there for a while.

Ori Wellington (03:39):
It's unnerving.

Sam Jones (03:40):
And this wasn't just one company hit, right. You mentioned Cloudflare, Palo Alto Networks. The impact spread. What did that look like?

Ori Wellington (03:46):
It spread significantly. Cloudflare, for example, was quite public. They found attackers got into their Salesforce case objects and, here's the really eye-opening part, inside those case texts they found 104 of their own API tokens just embedded there. Plain text, basically.

Sam Jones (04:05):
Wait, 104 API tokens just sitting in support case notes. How does that even happen?

Ori Wellington (04:11):
It points to what the article calls opaque data flows, sensitive data ending up in places it really shouldn't, probably without anyone realizing it until it's too late. All those tokens had to be rotated, obviously.

Sam Jones (04:22):
Yeah.

Ori Wellington (04:23):
Immediately.

Sam Jones (04:24):
Unbelievable.
What about the others?
Proofpoint.

Ori Wellington (04:26):
Proofpoint confirmed unauthorized access to. They took decisive action, actually removed the Drift integration entirely after Salesforce disabled the connector across the board. Palo Alto Networks and Zscaler also confirmed some CRM exposure, mostly limited to business contact details and case data, they said.

Sam Jones (04:42):
So a range of impacts, but wasn't there one company that managed to stop it? Okta.

Ori Wellington (04:46):
Yes, Okta is a really important counterexample here. They reported they successfully blocked the attempts.

Sam Jones (04:51):
How?
What did they do differently?

Ori Wellington (04:53):
Their key defense was enforcing inbound IP restrictions. Basically, they had rules saying only allow connections from these specific trusted IP addresses. So even if the attacker had a valid token, they couldn't use it because they weren't coming from an approved location.

Sam Jones (05:09):
Huh, so a network-level control actually stopped the token abuse. That raises a big question: are other companies just not doing that, or is it complex?

Ori Wellington (05:20):
It can be complex to manage, especially with lots of integrations, but Okta's case shows it's a powerful proactive defense. It's not just about the token itself, but also how it's allowed to be used.

Sam Jones (05:32):
And Salesforce reacted quickly too, right. They shut down the Drift connector.

Ori Wellington (05:35):
They did. On August 28th they disabled the connections platform-wide and pulled the app from their marketplace. Swift action on their part.

Sam Jones (05:42):
It really drives home the point. Even huge companies with top-tier security aren't immune if their third-party connections create a vulnerability. Makes you think about your own dependencies, doesn't it? Now the article calls this the SaaS domino effect. That sounds dramatic, but it feels right. Why isn't this just a single breach? What makes it a domino effect?

Ori Wellington (06:02):
It's a domino effect because of underlying structural issues in how we connect SaaS apps. It's not just one bad token. It's how the system allows that one bad token to knock over other things. There are a few key factors. First, over-permissioned connectors. We talked about scopes earlier. Well, often apps ask for way broader permissions, bigger scopes, than they actually need.

Sam Jones (06:23):
So like a calendar widget asking for permission to read and write all my emails?

Ori Wellington (06:32):
Exactly like that. It gets far more access than necessary. If compromised, the damage is much wider. Second factor: refresh token sprawl. These long-lived tokens often just hang around. They might not expire for months or years, or sometimes never, unless actively revoked. That gives attackers persistent access once they get one.

Sam Jones (06:44):
Okay, so overly broad permissions and tokens that live forever. What else?

Ori Wellington (06:48):
Third, those opaque data flows we saw with Cloudflare. Sensitive stuff like API keys accidentally getting logged or embedded in places like CRM case text or attachments. Data flowing out of sight, out of mind, until it becomes a liability.

Sam Jones (07:03):
The hidden data problem.

Ori Wellington (07:05):
Right. And finally, there's vendor asymmetry. Your own security might be Fort Knox, but if you connect to a vendor whose security is, shall we say, less robust, well, that's your weak link. Attackers target that asymmetry.

Sam Jones (07:18):
And that's what happened with Drift. Essentially, attackers potentially saw them as a softer target to get into these other big enterprise systems.

Ori Wellington (07:24):
That appears to be the pattern.
Yes, it's a supply chainvulnerability.

Sam Jones (07:28):
And the truly scary part, the real domino aspect, is how that initial breach in one app like Drift could cascade. They get into Salesforce, find an API key for, I don't know, your cloud infrastructure. Exactly, and suddenly the breach pivots from SaaS CRM data to potentially compromising core infrastructure. That's the nightmare scenario. One domino knocks over the next,

(07:50):
leading to a much bigger disaster.

Ori Wellington (07:52):
That's the essence of the SaaS domino effect. One compromised connection becomes the key to unlock entirely different, potentially more critical systems.

Sam Jones (08:01):
It makes you pause and think, doesn't it? For you listening, consider all those little apps connected to your main systems: your email, CRM, project tools, each one potentially a domino. Right. This feels like a deep systemic issue, so we need a systemic fix. The article proposes integrated risk management, IRM. What is that exactly?

(08:22):
Is it just more compliance paperwork?

Ori Wellington (08:24):
No, and that's a key point. IRM isn't just a checklist. It's really a framework, a way of thinking, to tackle this structural failure in managing machine identities, these tokens and all the SaaS dependencies. It's about applying an integration lens across the whole organization, looking at how these systems connect and the risks they create together, not just in isolation.

Sam Jones (08:43):
An integration lens? Okay, so how does that work day to day? The article mentioned an IRM Navigator model with different layers. Break that down for us.

Ori Wellington (08:50):
Sure, think of it in layers. At the base you have technology risk management, TRM. This is the technical stuff, the nuts and bolts. It means knowing what you have: a full inventory of all OAuth apps, tokens, their scopes, who owns them. Enforcing short lifespans for tokens, making sure they have only the minimum necessary permissions. And deploying tools like SSPM, SaaS security posture

(09:13):
management, and DLP, data loss prevention, to actively prevent secrets ending up in places like CRM notes.

Sam Jones (09:19):
So TRM is about the actual tech controls and visibility. Got it, what's next?

Ori Wellington (09:24):
Next up is operational risk management, ORM. This is about your processes and your response readiness. How quickly can you react? Like having a documented runbook to revoke and rotate tokens within, say, two hours of a vendor incident being reported, mapping out all those connections, every web widget, every marketing tool, knowing exactly what SaaS platforms they touch. It also includes practical things like setting API rate

(09:45):
limits so attackers can't use the Bulk API to pull huge amounts of data unnoticed, and alerting on weird activity.

Sam Jones (09:52):
Okay, tech controls, then operational process and response. Makes sense, keep going.

Ori Wellington (09:56):
Then you zoom out further to enterprise risk management, ERM. This looks at the bigger picture, the strategic and financial impact. This involves actually modeling the potential cost of these integration pivot scenarios where a SaaS breach leads to something worse like a cloud compromise, and then setting clear risk boundaries based on that. For example, a policy might say no single

(10:19):
connector can write to more than two sensitive data objects without a formal exception, setting real guardrails.

Sam Jones (10:25):
So understanding the business impact and setting top-level rules. What's the final layer?

Ori Wellington (10:30):
Finally, there's policy and compliance, GRC. This covers governance, contracts, the rules of engagement, things like updating vendor contracts to require rapid incident notification, maybe 24 hours, and explicit support for token revocation, plus ensuring they keep forensic logs. It's also about moving beyond just annual check-the-box compliance to continuous assurance, using automation to verify controls are working all the time.

Sam Jones (10:52):
Wow, okay. So IRM is really comprehensive. It's tech, process, finance, strategy, legal. It touches everything. It's not just an IT problem, it's a business risk problem.

Ori Wellington (11:01):
Precisely, it reframes the entire issue. It's about managing these integrations proactively across the board.

Sam Jones (11:08):
And the good news is the article doesn't just say do IRM, it gives practical steps, right? A 30, 60, 90 day plan.

Ori Wellington (11:15):
Exactly. It provides a very concrete roadmap to get started, which is incredibly helpful.

Sam Jones (11:19):
Okay, walk us through that. What should someone listening be thinking about for the first 30 days?

Ori Wellington (11:24):
First 30 days are about immediate triage and visibility. Get that inventory built. Know all your machine-to-machine identities in Salesforce and other key SaaS apps. Act immediately on known issues, like revoke and rotate all Drift-related stuff now, given this incident. Enable those inbound IP restrictions wherever you can, remember Okta, and actively scan

(11:45):
for and clean out any sensitive data like API keys hiding in places like CRM case text. Get the immediate risks off the table.

Sam Jones (11:52):
Right. Stop the bleeding and figure out what's connected. Then what?

Ori Wellington (11:56):
Days 31 to 60. Now you start hardening and building controls. Enforce shorter token lifetimes, TTLs, and really clamp down on permissions. Least privilege everywhere. Implement those API rate limits and Bulk API monitoring we talked about. Get alerted to unusual activity and, importantly, start updating those vendor contracts to include the security requirements you need, like

(12:17):
token revocation and forensic logs.

Sam Jones (12:19):
Okay, hardening controls, setting expectations with vendors. What about the final phase, days 61 to 90?

Ori Wellington (12:26):
This is about embedding it strategically. Quantify those top integration pivot risks. Put potential dollar figures on them and use that to justify security investments. Start reporting upwards. Publish board-level metrics on token hygiene, how fast you can revoke tokens, detection of data anomalies. Make it visible and, crucially, run tabletop exercises. Simulate a Drift-style breach.

(12:47):
Test your runbooks. Test your teams. See how you actually perform under pressure.

Sam Jones (12:51):
That 90-day plan feels really achievable. It breaks down a big problem into manageable steps. It's about taking back control, step by step.

Ori Wellington (12:58):
It is.
It's a practical path forward.

Sam Jones (12:59):
So, wrapping this up, let's reiterate the main point. This whole episode, this whole incident, it wasn't really about Salesforce failing. It was about how organizations manage, or fail to manage, the connections between their tools, specifically these OAuth tokens. We saw how powerful these invisible keys are, how they can create that shocking domino effect, but also how a

(13:21):
structured approach like integrated risk management provides a way to manage that risk.

Ori Wellington (13:24):
Exactly, and the specific company examples really paint the picture. Cloudflare finding those 104 API keys shows the danger of data just leaking into unexpected places. Proofpoint's decisive action shows the need to be ready to cut ties, and Okta's success with IP restrictions proves that proactive, sometimes simple-sounding network controls can be incredibly effective at containing the blast radius,

(13:47):
even if a token itself gets compromised.

Sam Jones (13:49):
Right. Different outcomes based on different levels of visibility and control.

Ori Wellington (13:53):
And that's where integrated risk management really shifts the perspective. When you treat these SaaS integrations as managed assets under this holistic IRM umbrella, linking the tech risk, the operational risk, the enterprise risk, the policy risk, you can genuinely contain these domino effects. You reduce that blast radius and build real, measurable

(14:13):
confidence that you can handle these inevitable supply chain attacks.

Sam Jones (14:16):
So the final thought for you, our listener. Think about your own digital house.

Ori Wellington (14:21):
What are the invisible keys, the OAuth tokens, the API integrations operating behind the scenes? Where are your hidden dependencies? What potential dominoes are sitting there in your third-party connections just waiting for a nudge? And, maybe more importantly, what steps will you start taking, maybe even today, to find them and secure them?