The Sisense breach: Our key takeaways & offer to help any affected organization

Itzik Alvas. Co-founder & CEO, Entro
April 21, 2024

Echoing the SolarWinds breach of a couple of years ago, we’ve got news of a data breach in the systems of Sisense, a data analysis company. In this article, we analyze this breach through our expertise in securing non-human identities (NHIs), and extend an offer to help organizations that are victims of the breach.

What is Sisense?

Sisense is a data analytics platform for digital products. It helps organizations understand usage patterns for the applications they build. This helps them drive revenue and optimize resources & business operations. It can analyze millions of rows of data across disparate reporting tools and pull all this data together to give you a unified picture of how your products are being used and more. 

To get value out of a tool like Sisense, it needs to be integrated with as many of the tools you use in your organization as possible. Sisense boasts that it works with any cloud, and its documentation lists a wide range of integration options. It integrates with SaaS tools like Salesforce, Snowflake, Teradata, Qubole, BigQuery, and Athena, to name a few. It also integrates with many cloud vendor services, notably Azure Active Directory, and each of these integrations is granted access through credentials such as tokens, SSH keys, certificates, and more.

The attack

On April 11, 2024, Sisense found that its systems had been breached and data had been exfiltrated to an external server. Sisense hasn't released a public statement yet, but it has been sending emails to its customer base with details of the breach. CISA (the Cybersecurity and Infrastructure Security Agency) has released a report advising all Sisense customers to change their passwords and tokens. Krebs On Security has a detailed report on the incident.

Key facts behind the breach:

It all began when attackers gained access to one of Sisense's GitLab repositories. GitLab is a widely used code repository tool similar to GitHub. Sisense uses the on-premise version of GitLab, not the managed cloud-based version, which means Sisense itself is responsible for the security of its GitLab repos. The exposed repo contained hard-coded credentials to one or more of Sisense's AWS S3 buckets. These buckets held many terabytes of Sisense's customer data, all of which was exposed. Much of this data takes the form of non-human identities: tokens, certificates, SSH keys, API keys, and more. These keys were used to connect Sisense with other tools and to access data from them.

4 key takeaways from the incident

Social media and tech circles are abuzz with news of this breach with every kind of reaction from praise for Sisense’s quick response to anger at their carelessness and everything in between. Here are some of the key discussion points around the incident:

1. Scan Git repositories for accidental credential insertion

It seems the incident started with a developer checking in a credential for an AWS S3 bucket. This could have been prevented had Sisense been using a tool that scans every commit to its code repositories for exposed secrets. It's a given that developers, being human, will mistakenly commit such credentials once in a while. The onus is on the organization to put tools in place that scan every commit and make sure no exposed secret can be used to access your production environment or customer data.
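The kind of commit-time check this takeaway calls for, as an added example written for this post rather than code from Sisense, GitLab or Entro: it walks the unified diff a pre-commit hook receives, looks only at added lines, and reports AWS access key ids and secret keys by their documented shapes, private key headers, and any secret-looking assignment whose value has high Shannon entropy (the 3.5 bits/character threshold and the generic name patterns are assumptions to tune per code base). The sample diff is constructed; the two AWS values in it are the examples AWS uses in its own documentation.

```python
import math
import re
from dataclasses import dataclass

# Detectors tried in order; the first one matching an added line wins. The AWS
# access key id shape (AKIA + 16 upper-case alphanumerics) follows AWS's
# published format; the other patterns are heuristics chosen for this example.
DETECTORS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\W*[=:]\W*([A-Za-z0-9/+=]{40})\b")),
]
# Any "name = 'value'" where the name smells like a secret; the value is then
# judged by its entropy so that obvious placeholders are not reported.
GENERIC_ASSIGN = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption to tune per code base


@dataclass
class Finding:
    path: str
    line_no: int  # line number in the new version of the file
    kind: str


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(content):
    """Name the kind of secret found on one added line, or None if it looks clean."""
    for kind, pattern in DETECTORS:
        if pattern.search(content):
            return kind
    m = GENERIC_ASSIGN.search(content)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        return "high_entropy_secret"
    return None


def scan_diff(diff_text):
    """Walk a unified diff (e.g. `git diff --cached`) and report secrets on added lines.

    Removed lines are skipped, since deleting a credential is what we want; context
    and added lines both advance the new-file line counter so findings point at the
    right line. The secret itself is deliberately not stored in the finding.
    """
    findings = []
    path, line_no = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue  # file headers and "\ No newline at end of file" markers
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # start line of the hunk in the new file
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue
        line_no += 1
        if raw.startswith("+"):
            kind = classify(raw[1:])
            if kind:
                findings.append(Finding(path, line_no, kind))
    return findings


# Constructed diff of the kind a pre-commit hook receives; the AWS values are
# AWS's own documentation examples, the token and password are made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -2,3 +2,6 @@
 import os
-OLD_KEY = "AKIAI44QH8DHBEXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_TOKEN = "q8Zt4vN1pLx9Wc2Ys7Kd0RbF5mHj3Ea6"
+DB_PASSWORD = "changeme-changeme-changeme"
 BUCKET = os.environ.get("S3_BUCKET")
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    hits = scan_diff(text)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit when run as a hook
```

Run as `git diff --cached | python scan_diff.py` from a pre-commit hook; on the sample diff it reports the access key id, the secret key and the high-entropy token on lines 3 to 5 of the new file, ignores the placeholder password, and ignores the key on the removed line. The same scanner run over the full history of every repository is how you find credentials that were committed before the hook existed.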

2. Is self-hosted really better than managed SaaS?

Sisense, for whatever reason, decided to self-host its GitLab repositories. The usual belief is that self-hosted is safer than vendor-managed. However, as this case shows, going the self-hosted way requires the organization to follow a lot of security protocols itself. That involves hiring talent and continually setting up and evolving security practices to keep pace with security requirements. Most organizations are unable to dedicate this much time to security alongside the demands of running their own products and services.

3. Encrypt data at rest

The terabytes of data in the S3 buckets were stored unencrypted, in plain text. This is another oversight by Sisense. Encryption is no guarantee: attackers may still be able to find the encryption keys and decrypt all the data. However, it is an additional hurdle, and at the very least it shows the diligence of the organization responsible for the data.
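What "encrypt data at rest" looks like on the S3 side, as an added example that is not Sisense's or Entro's configuration: default bucket encryption with SSE-KMS under a customer managed key (so reading an object needs kms:Decrypt on that key as well as s3:GetObject, and a leaked S3 credential alone does not yield plaintext), a bucket policy that rejects uploads not requesting SSE-KMS and any non-TLS access, and an audit function that flags the weak configuration beside the corrected one. The dicts are in the shape boto3's put_bucket_encryption and put_bucket_policy accept; the bucket name, account id and key id are constructed placeholders.

```python
import json


def kms_default_encryption(kms_key_arn):
    """Default bucket encryption: SSE-KMS with a customer managed key."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


def deny_plaintext_policy(bucket):
    """Bucket policy: reject PutObject without SSE-KMS, and any request over plain HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def _has_deny(policy, action, condition_key):
    """True if some Deny statement covers `action` and conditions on `condition_key`."""
    for st in (policy or {}).get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions and "s3:*" not in actions:
            continue
        if any(condition_key in keys for keys in st.get("Condition", {}).values()):
            return True
    return False


def audit_bucket(desc):
    """List the gaps in a bucket description {"name", "encryption", "policy"}.

    `encryption` is the ServerSideEncryptionConfiguration dict (or None when the
    bucket has no default encryption); `policy` is the bucket policy dict or None.
    """
    issues = []
    rules = (desc.get("encryption") or {}).get("Rules") or []
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")
    if algo != "aws:kms":
        issues.append(f"default encryption is {algo or 'not set'}, not SSE-KMS")
    elif not default.get("KMSMasterKeyID"):
        issues.append("SSE-KMS uses the AWS managed key; use a customer managed key")
    if not _has_deny(desc.get("policy"), "s3:PutObject", "s3:x-amz-server-side-encryption"):
        issues.append("policy does not reject uploads without SSE-KMS")
    if not _has_deny(desc.get("policy"), "s3:GetObject", "aws:SecureTransport"):
        issues.append("policy does not reject non-TLS access")
    return issues


# Constructed bucket descriptions: the weak setting beside the corrected one.
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
WEAK_BUCKET = {"name": "customer-exports", "encryption": None, "policy": None}
HARDENED_BUCKET = {"name": "customer-exports",
                   "encryption": kms_default_encryption(KMS_KEY),
                   "policy": deny_plaintext_policy("customer-exports")}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or "OK")
    print(json.dumps(deny_plaintext_policy("customer-exports"), indent=2))
```

The audit checks what the policy does (a Deny covering the action with a condition on the relevant key) rather than statement names, so it also recognises equivalent policies written differently. The key policy on the customer managed key is the second half of the control: it decides which principals may call kms:Decrypt, which is exactly the separation the caveat above is about.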

4. Non-human Identities need oversight

Non-human identities are the programmatic access keys that authenticate machine-to-machine interactions, powering every API call, database query, or storage account access. In simple words, they're the building blocks of a cloud application. Their credentials are secrets, access tokens, SSH keys, certificates, and more. In this incident, a secret (the credential of a non-human identity) found in a GitLab repo led to a cascading compromise of another service's S3 bucket, which in turn held secrets that could access innumerable customer services like Salesforce, Snowflake, and more. As you can see, secrets exposure usually sets off a chain reaction, one that can keep attackers busy for years to come. This is why non-human identities and secrets need to be secured end-to-end to nip any threat in the bud.


These are the kinds of things we obsess about at Entro, where we've built an NHIM (non-human identity management) solution to handle attacks stemming from secrets exposure. We're out to secure non-human identities for organizations of all sizes and types.

Taking remedial action

As CISA and Sisense have advised, if you're a Sisense customer you need to change all secrets, tokens, keys, and other access credentials related to your Sisense account and to the other SaaS accounts connected with it. This does not guarantee that your systems are safe, but it may limit the potential for damage.

It is also important to take stock of your cloud ecosystem and check for signs of suspicious activity in every part of your systems. Beyond a one-time review, you'll need to keep watching over the coming days and weeks for any such signs of a breach. Note that attackers today are adept at concealing their activities, so spotting them is no small feat.

Entro lends a helping hand

Entro’s CEO, Itzik Alvas, has posted on LinkedIn about this attack and has offered to assist organizations impacted by it with “no strings attached.” Entro would scan your system going back 90 days to check for any signs of a breach. If you’re a Sisense customer, or have had your data exposed to Sisense in any way, do reach out to us. Here are ways Entro can help secure your systems post-breach:

Track user access to non-human identities

Entro will give you deep visibility into who is using your non-human identities, both internally and externally, to access your cloud and on-prem services. It will surface any anomalies and help you zero in on issues.

Prioritize issues

Entro is able to tell the difference between a high and low-priority asset with the contextual data it gathers about your system. It then prioritizes the list of threats so you can respond to the highest priority ones first.

Secrets rotation en masse

At a time like this, you’ll need to rotate hundreds if not thousands of secrets. This is not a trivial feat. Entro gives you superpowers to track exactly when a secret was last changed or rotated. You can start with secrets that guard your most valuable resources and work your way down, or you can start with the oldest secrets in your system. Entro integrates with any vault service you use to give you full visibility into secrets rotation and protection from anomalous activities.
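Two of the tasks described in the remediation advice above (watching for suspicious use of credentials in the days after a breach, and deciding which of hundreds of secrets to rotate first), as an added example written for this post; it is not Entro's product code and does not use Entro's API. It assumes an inventory of long-lived access keys with an owner, a criticality tier and a last-rotation time, and CloudTrail-style events with the accessKeyId, sourceIPAddress, eventName and eventTime fields. The inventory, the known egress range and the events are all constructed sample data; the key ids are AWS documentation examples or made-up placeholders.

```python
import ipaddress
import json
from datetime import datetime

# Constructed inventory of long-lived access keys (non-human identities): the
# integration that owns each key, how critical the resource behind it is, when
# it was last rotated, and for retired keys when it was deactivated.
INVENTORY = [
    {"key_id": "AKIAIOSFODNN7EXAMPLE", "owner": "bi-export-to-warehouse",
     "criticality": "high", "last_rotated": "2023-11-01T00:00:00Z"},
    {"key_id": "AKIAI44QH8DHBEXAMPLE", "owner": "nightly-report-job",
     "criticality": "low", "last_rotated": "2024-03-20T00:00:00Z"},
    {"key_id": "AKIAEXAMPLERETIRED01", "owner": "legacy-s3-sync",
     "criticality": "medium", "last_rotated": "2024-04-12T08:00:00Z",
     "retired_at": "2024-04-12T08:00:00Z"},
]
# Egress ranges your own workloads call AWS from (constructed; TEST-NET-1).
KNOWN_EGRESS_CIDRS = ["192.0.2.0/24"]

# Constructed CloudTrail-style events as JSON lines, reduced to the fields used here.
SAMPLE_EVENTS = """\
{"eventTime": "2024-04-14T10:00:00Z", "eventName": "GetObject", "sourceIPAddress": "192.0.2.10", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2024-04-14T11:30:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2024-04-13T02:15:00Z", "eventName": "GetObject", "sourceIPAddress": "192.0.2.10", "errorCode": "AccessDenied", "userIdentity": {"accessKeyId": "AKIAEXAMPLERETIRED01"}}
{"eventTime": "2024-04-14T12:00:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAUNKNOWNKEY000001"}}
"""

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps CloudTrail uses (trailing 'Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ip_is_known(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # AWS service principals appear as DNS names; assumed not to be client egress
    return any(ip in net for net in networks)


def detect_anomalies(events, inventory, known_cidrs):
    """Return (key_id, rule, detail) tuples for events that merit a closer look."""
    by_id = {k["key_id"]: k for k in inventory}
    networks = [ipaddress.ip_network(c) for c in known_cidrs]
    alerts = []
    for ev in events:
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
        key = by_id.get(key_id)
        if key is None:
            # A key the inventory has never seen: either rogue key creation or an inventory gap.
            alerts.append((key_id, "unknown_key", ev["eventName"]))
            continue
        if "retired_at" in key and parse_ts(ev["eventTime"]) >= parse_ts(key["retired_at"]):
            # Even a denied call with a retired key means someone still holds a copy of it.
            alerts.append((key_id, "retired_key_used", ev["eventName"]))
        if not _ip_is_known(ev.get("sourceIPAddress", ""), networks):
            alerts.append((key_id, "unfamiliar_source_ip", ev["sourceIPAddress"]))
    return alerts


def rotation_plan(inventory, now_iso, max_age_days=90):
    """Order active keys for rotation: most critical tier first, oldest first within a tier."""
    now = parse_ts(now_iso)
    active = [k for k in inventory if "retired_at" not in k]
    active.sort(key=lambda k: (CRITICALITY_RANK[k["criticality"]], parse_ts(k["last_rotated"])))
    plan = []
    for k in active:
        age = (now - parse_ts(k["last_rotated"])).days
        plan.append({"key_id": k["key_id"], "owner": k["owner"],
                     "criticality": k["criticality"], "age_days": age,
                     "overdue": age > max_age_days})
    return plan


if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_EVENTS), INVENTORY, KNOWN_EGRESS_CIDRS):
        print("ALERT", *alert)
    for item in rotation_plan(INVENTORY, "2024-04-15T00:00:00Z"):
        print("ROTATE", item)
```

On the sample data the first event is routine, the second is a known key used from an address outside your egress range, the third is a retired key still being presented (and denied), and the fourth is a key nobody inventoried. The rotation plan puts the high-criticality key first and marks it overdue at 166 days; swapping the sort key to age alone gives the "oldest secrets first" ordering the text mentions as the alternative.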

360-degree visibility into non-human identities

Entro gives you a 360-degree view of your non-human identities. Even if you are confident that your systems are not affected by the Sisense breach (which you shouldn’t be if you’re a customer), we encourage you to take advantage of the Entro offer to gain a more holistic and deeper view of your systems. 

The Sisense breach is unfortunate for the organization and for every affected customer. However, these moments present us with another opportunity to assess our security protocols and take action so we don’t end up being the next news headline.
