Context Is Key: What the Salesloft Drift Breach Reveals About SaaS Security Gaps

In this interview, Adam Koblentz, Field CTO of Reveal Security, breaks down how identity behavior analytics can distinguish malicious actions from edge cases in SaaS. 

With senior roles at Mandiant, Verodin, and Carbon Black, Koblentz brings deep expertise in detection strategy and identity analytics. His experience now shapes SaaS and application-layer threat defense.

He explains how detection pivots when logs come from apps rather than SIEMs, what subtle behaviors reveal insider abuse, and why drift stabilization is critical for accuracy. 

Koblentz details containment steps that preserve service levels, metrics to measure detection quality, and identity-first defense against account takeover.

Vishwa: In identity behavior analytics, what discriminates malicious deviations from legitimate edge cases in business workflows?

Adam: The shift to remote and hybrid work has upended anomaly detection. Traditional signals, like “impossible travel” between logins in different geographies, are no longer sufficient on their own. With distributed teams, contractors, and employees logging in from varied devices and networks, edge cases look like anomalies, and anomalies look like edge cases.

To separate legitimate edge cases from malicious events, detection must focus on contextualizing impactful actions rather than chasing surface-level anomalies. 

Key differentiators include:

• Sequence of activity: Is a login followed by routine tasks, or by unusual high-risk actions like bulk data export or privilege escalation?
• Business impact awareness: A login anomaly tied to low-value read actions is noise; the same anomaly followed by a permissions change is a red flag.
• Cross-application context: “Impossible travel” only matters if it coincides with abnormal file sharing in Google Drive or mass record queries in Salesforce.
• Administrative activity context: Alerting whenever administrative activity occurs is messy, noisy, and ineffective, but combining the impact of adding a new domain administrator with unusual activity from an identity provider and the rest of the context throughout the identity’s actions provides clarity and accuracy.

Applying a security lens that blends behavioral analytics with business semantics makes it possible to identify what’s truly risky rather than alerting on every deviation. The Salesloft Drift breach illustrates this: abnormal Salesforce SOQL queries looked routine until contextualized against their impact: large-scale data exfiltration.

Vishwa: How should detection pivot when telemetry comes primarily from application logs rather than Security Information and Event Management (SIEM) events?

Adam: Application and cloud provider logs differ fundamentally from traditional infrastructure logs. While firewalls or endpoints tend to share broadly consistent schemas, Salesforce, Google Drive, and ServiceNow all log user activity differently, with no unified taxonomy. 

This fragmentation makes it difficult for security teams to interpret events across SaaS ecosystems.

To pivot effectively:

• Normalize heterogeneous logs into structured “who-what-when-where” schemas, leveraging a solution like Open Cybersecurity Schema Framework (OCSF) is one option.
• Reconstruct user journeys across systems (SaaS, IdP, CSP, etc.)  to see context that single logs obscure.
• Enrich events with business semantics, mapping technical actions to security-relevant outcomes (e.g., “SOQL query” → data exfiltration attempt).
• Cluster activity sequences so legitimate edge cases are incorporated while isolating malicious deviations.

This approach allows teams to build SIEM-like consistency in a SaaS-first world, where taxonomy mismatches are the rule. 

The Salesloft Drift breach, where attackers abused OAuth tokens to exfiltrate Salesforce data, demonstrated why raw app logs alone are insufficient without normalization and contextualization. 

Vishwa: Insider threats mimic routine tasks; which behavioral features signal privilege abuse within systems like SAP or ServiceNow?

Adam: Advanced groups like Scattered Spider (UNC3944) excel at blending into normal workflows by reusing valid accounts, but even when their actions look routine, subtle behavioral signals betray privilege abuse. 

In systems like ServiceNow or SAP, strong indicators include:

• Privilege escalation in context – A user who normally handles IT tickets suddenly adds or modifies access control lists, elevates their own privileges, or accesses HR/Finance modules outside their scope.
• Unusual record enumeration – Abnormal surges in queries or “record counts” across modules, a tactic highlighted by the Count(er) Strike flaw (CVE-2025-3648), which allowed data inference from ServiceNow with minimal visibility.
• Chains – Moving from IT workflows into HR, finance, or configuration modules in rapid succession, suggesting lateral movement rather than normal work.
• Timing and access deviations – Off-hours logins or sudden bursts of privileged actions (e.g., hundreds of ACL checks) that don’t align with the user’s historical patterns.
• Data access beyond norms – Exporting entire knowledge bases, ticket attachments, or configuration files – these are behaviors that have led to real exposures in misconfigured ServiceNow instances.

APT groups like Scattered Spider compress attack timelines to under 24 hours, making these subtle privilege-abuse signals critical for early detection before an intrusion escalates.

Vishwa: Many detections degrade under drift; how do you stabilize baselines across seasonality, releases, and role changes?

Adam: Stabilization requires adaptive baselining:

• Continuous updating of the understanding of normal, so new workflows or seasonal patterns become part of the baseline.
• Compare identity activities across the environment to cut down on false positives for new identities or temporary responsibility shifts, such as covering for an administrator on vacation.
• Uncertainty-aware models that distinguish benign drift from genuine anomalies

Without these, SaaS detection suffers from false positives, especially as application logs lack consistent taxonomies, making drift harder to contextualize across systems.

Vishwa: Response is difficult inside business applications; what containment actions work without breaking critical processes or Service Level Agreements (SLAs)?

Adam: Containment must be tiered, context-aware, and minimally disruptive:

• Stepwise interventions (alerts, invalidating sessions, privilege de-escalation).
• Risk-ranked escalation (monitor low-confidence anomalies, revoke tokens for high-confidence).
• Policy-driven enforcement (preserve SLA-critical flows while restricting risky actions like mass export).

During the Salesloft Drift breach, organizations revoked OAuth tokens for the app without taking Salesforce offline -- an example of targeted containment that preserved business continuity. 

Vishwa: Many organizations track mean time to detect; what metric better captures detection quality for application layer threats?

Adam: MTTD is insufficient alone. Better metrics include:

• Actionable alert rate – signals that drive real response.
• Context completeness – whether alerts contain enough detail for triage.
• Response effectiveness (TTR) – measures both speed and quality of containment.

This is especially important as SaaS breaches surged in 2024, highlighting the cost of both false positives and false negatives.

Vishwa: Given account takeover and session hijacking against SaaS business applications, which cybersecurity tools are suitable for preventing threats?

Adam: Preventing Account Takeover (ATO) and session hijacking requires identity-aware, taxonomy-bridging defenses:

• Identity Behavior Analytics & UEBA – normalize SaaS logs into a shared schema and detect anomalies across Salesforce, Google Drive, and beyond.
• Phishing-resistant MFA (FIDO/WebAuthn) – stronger against SIM-swap and helpdesk impersonation.
• CASB & Zero-Trust Access – enforce granular SaaS access policies.
• SSPM (SaaS Security Posture Management) – reduce risk from overprivileged accounts.
• Micro-containment – terminate risky sessions or revoke tokens in real-time.

Groups like Scattered Spider (UNC3944) prove why this matters: in 2025, they cut attack time-to-encryption to under 24 hours, using SIM-swaps, vishing, and SaaS token hijacking to move quickly across cloud environments (reveal.security blog)

Closing Notes:

SaaS breaches are on the rise, and credential-based attacks drive ~38% of breaches, outpacing phishing or software exploits. The taxonomy gap in SaaS logs makes identity-driven detection and normalization essential.

Incidents like Salesloft Drift and groups like Scattered Spider demonstrate that the battleground has shifted squarely into SaaS and identity security.