Could SaaS logs and "chatops" get you to 100% patched user devices?

Dr David Chismon, Security Consultant
January, 2019
3 mins read

One particular challenge we have found with Software-as-a-Service (SaaS) logs is the wide variation in what data different vendors offer (and some make logs available only at certain price tiers). In practice this means that a company doing protective monitoring of its SaaS estate has to evaluate the logs of every vendor it uses individually.

F-Secure Consulting uses Slack for some internal messaging. When onboarding its logs we noted that they carry good user agent information, including specific versions of browsers and mobile operating systems. This matters because, as some organizations have found, iOS only installs updates when the device is on WiFi and above a certain battery level, so user involvement is often required. The logs confirmed our suspicion that a number of devices in F-Secure Consulting's mobile fleet were outdated. While we had expected a few, we were surprised by the number: around 20%.

Investigating a few cases turned up a mix of reasons why automatic updates were not happening. On iOS, the WiFi and battery requirements meant that for employees who rarely used WiFi the update was never triggered. Another common cause of slow patching was that a number of our consultants run Linux with Chrome (or Chromium): Chromium lags behind Chrome in receiving patches, and several Linux distributions then take further time to update their repositories.

The concept of "ChatOps" is gaining traction: using bots integrated into messaging systems such as Slack, Microsoft Teams, or Symphony to confirm actions, remind users, or otherwise support security work. Jacques Louw, Technical Director for F-Secure Consulting in South Africa, wrote a Slack bot that integrates with our monitoring, asks users to update, and produces internal statistics showing which offices are doing better or worse.
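The two pieces described above, pulling OS and browser versions out of Slack's user agent strings to find outdated devices, and a bot that nudges the owners and reports per-office numbers, as an added Python example. This is not F-Secure's or Jacques' code. The sample records are constructed, shaped roughly like entries returned by Slack's team.accessLogs API (user_id, username, user_agent, date_last as a Unix timestamp); the user-to-office mapping, the baseline versions, the weekly reminder interval and the chat.postMessage-style payload are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records, shaped roughly like entries returned by Slack's
# team.accessLogs API (user_id, username, user_agent, date_last as a Unix
# timestamp). They are invented for illustration, not real log data.
SAMPLE_ACCESS_LOGS = [
    {"user_id": "U01", "username": "alice", "date_last": 1547164800,
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) "
                   "AppleWebKit/605.1.15 Mobile/16C101 Slack/18.12.10"},
    {"user_id": "U02", "username": "bob", "date_last": 1547164800,
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) "
                   "AppleWebKit/605.1.15 Mobile/15G77 Slack/18.12.10"},
    {"user_id": "U03", "username": "carol", "date_last": 1547164800,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"},
    {"user_id": "U04", "username": "dave", "date_last": 1547164800,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"},
]

# Hypothetical user-to-office mapping (in practice from the HR system or the
# Slack user profile), used for the per-office statistics.
OFFICE_OF_USER = {"U01": "London", "U02": "Cape Town",
                  "U03": "London", "U04": "Cape Town"}

# Hypothetical baseline: the versions considered current at audit time. In
# practice these come from the vendors' release notes and need maintaining.
BASELINE = {"ios": (12, 1, 2), "chrome": (71, 0, 3578, 98)}

# Version extraction from the user agent. Chromium also reports "Chrome/",
# so Linux Chromium users are measured against the Chrome baseline.
UA_PATTERNS = {
    "ios": re.compile(r"iPhone OS (\d+(?:_\d+)*)"),
    "chrome": re.compile(r"Chrome/(\d+(?:\.\d+)*)"),
}

def parse_version(text):
    """'12_1_2' or '71.0.3578.98' -> tuple of ints, so versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[._]", text))

def classify(user_agent):
    """Return (product, version) for a tracked product, or None otherwise."""
    for product, pattern in UA_PATTERNS.items():
        match = pattern.search(user_agent)
        if match:
            return product, parse_version(match.group(1))
    return None

def outdated_devices(records, baseline=BASELINE, active_since=None):
    """Records whose product version is below the baseline. Devices not seen
    since active_since (Unix time) are skipped: they may have been retired."""
    found = []
    for rec in records:
        if active_since is not None and rec["date_last"] < active_since:
            continue
        parsed = classify(rec["user_agent"])
        if parsed is None:
            continue
        product, version = parsed
        if version < baseline[product]:
            found.append({"user_id": rec["user_id"], "username": rec["username"],
                          "product": product, "version": version,
                          "baseline": baseline[product]})
    return found

def office_stats(records, baseline=BASELINE):
    """Per office: (tracked devices, outdated devices), the kind of number the
    bot reported to show which offices were ahead or behind."""
    tracked, stale = Counter(), Counter()
    for rec in records:
        parsed = classify(rec["user_agent"])
        if parsed is None:
            continue
        office = OFFICE_OF_USER.get(rec["user_id"], "unknown")
        tracked[office] += 1
        if parsed[1] < baseline[parsed[0]]:
            stale[office] += 1
    return {office: (tracked[office], stale[office]) for office in tracked}

REMIND_EVERY = 7 * 24 * 3600  # assumption: at most one nudge per user per week

def build_reminders(devices, last_reminded, now):
    """Build chat.postMessage-style payloads (channel = user id for a DM).
    Users reminded within REMIND_EVERY seconds are skipped to limit alert
    fatigue; last_reminded (user id -> Unix time) is updated in place."""
    payloads = []
    for dev in devices:
        last = last_reminded.get(dev["user_id"])
        if last is not None and now - last < REMIND_EVERY:
            continue
        current = ".".join(map(str, dev["version"]))
        wanted = ".".join(map(str, dev["baseline"]))
        payloads.append({
            "channel": dev["user_id"],
            "text": (f"Hi {dev['username']}, your {dev['product']} device is on "
                     f"{current}; please update to {wanted} or later."),
        })
        last_reminded[dev["user_id"]] = now
    return payloads

if __name__ == "__main__":
    now = 1547164800 + 3 * 86400
    stale = outdated_devices(SAMPLE_ACCESS_LOGS)
    print(office_stats(SAMPLE_ACCESS_LOGS))
    for msg in build_reminders(stale, {}, now):
        print(msg["channel"], msg["text"])
```

The version tuples compare lexicographically, so a user agent reporting only "12_1" is correctly treated as older than a 12.1.2 baseline. The reminder throttle is the part that addresses the habituation problem: the bot keeps asking until the device shows up with a current version, but never more than once per interval per user.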

We ran this for a few weeks, occasionally encouraging offices that were lagging behind, until one Friday the statistics showed we had reached our goal.

Jacques' bot took only a couple of days to write and then a few weeks to get us to our goal. We are now looking at other ways to use SaaS logs and ChatOps for preventive security. There is a balance to strike: we do not want to send users so many ChatOps messages that they become habituated to the alerts and start ignoring them. If that can be avoided, though, the potential for scaling a security team's efforts is huge.

Key takeaways:

  1. Review your SaaS logs to see what information is present in them that could be used beyond detective monitoring.
  2. You may be surprised to see how many devices are not running the latest (and safest) version of critical software.
  3. Experiment with security chat bots. The rewards for the security team may be well worth the effort invested.