External SaaS Identification
External SaaS Identification, in the context of cybersecurity and External Attack Surface Management (EASM), is the practice of discovering and identifying the Software-as-a-Service (SaaS) applications and cloud platforms that an organization uses, specifically from the perspective of an unauthenticated external attacker.
Purpose and Scope
The primary purpose of this activity is to accurately map an organization's digital footprint beyond its core network infrastructure. It focuses on identifying all third-party services publicly linked to or associated with the organization's domain names, subdomains, and employees. This is a critical process for understanding and managing "Shadow IT" and supply chain risk.
Key elements of the scope include:
Discovery of Associated Subdomains: Identifying subdomains whose Canonical Name (CNAME) records point to external service providers (e.g., pointing to a specific instance on Salesforce, Heroku, or GitHub Pages).
Technology Fingerprinting: Analyzing public records, server headers, and website content to identify the specific SaaS vendors and technologies in use, which could range from CRM and IAM systems to email marketing and project management tools.
Impersonation Detection: Identifying instances where an attacker may have registered a service or domain using the organization's name or brand to conduct phishing or brand damage campaigns.
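The CNAME-based discovery described above, shown as an added example that is not ThreatNG's code: it classifies CNAME records from an organization's own zone export by SaaS provider and marks each finding as sanctioned or unsanctioned (Shadow IT). The suffix table, the sample records, and the sanctioned list are constructed assumptions for illustration.

```python
# Added example: inventory SaaS providers referenced by an organization's own CNAME records.
# Illustrative sample of provider hostname suffixes, not a complete vendor list.
PROVIDER_SUFFIXES = {
    "herokuapp.com": "Heroku",
    "herokudns.com": "Heroku",
    "github.io": "GitHub Pages",
    "force.com": "Salesforce",
    "salesforce.com": "Salesforce",
}

# Constructed sample data: (record name, CNAME target) pairs as found in a zone export.
SAMPLE_CNAMES = [
    ("shop.example.com", "shop-frontend.herokuapp.com."),
    ("docs.example.com", "Example-Org.GitHub.io"),
    ("crm.example.com", "login.example.com"),          # internal alias, followed below
    ("login.example.com", "example.my.salesforce.com"),
    ("www.example.com", "origin.example.net"),         # no SaaS provider
    ("blog.example.com", "notgithub.io.example.org"),  # look-alike, must not match
]

def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

def match_provider(host):
    """Return the provider whose suffix matches on a label boundary, else None."""
    host = normalize(host)
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def resolve_chain(name, cname_map, max_hops=8):
    """Follow CNAMEs within the export; stop at the final target or on a loop."""
    seen, current = set(), normalize(name)
    while current in cname_map and current not in seen and len(seen) < max_hops:
        seen.add(current)
        current = cname_map[current]
    return current

def inventory(records, sanctioned):
    """Return sorted (subdomain, provider, status) tuples for SaaS-backed names."""
    cname_map = {normalize(n): normalize(t) for n, t in records}
    findings = []
    for name in sorted(cname_map):
        provider = match_provider(resolve_chain(name, cname_map))
        if provider:
            status = "sanctioned" if provider in sanctioned else "unsanctioned"
            findings.append((name, provider, status))
    return findings

if __name__ == "__main__":
    for row in inventory(SAMPLE_CNAMES, sanctioned={"Salesforce", "Heroku"}):
        print(*row, sep="\t")
```

Matching on a label boundary keeps look-alike targets such as `notgithub.io.example.org` out of the inventory, and following the chain attributes `crm.example.com` to the provider behind its internal alias.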
Cybersecurity Significance
External SaaS Identification is vital for a strong security posture because every external service an organization uses introduces a potential risk vector:
Supply Chain Risk: Each identified SaaS vendor is a third-party partner, and the organization could inherit its security flaws or vulnerabilities.
Data Leakage: Improperly configured SaaS instances, such as open cloud storage buckets, can expose sensitive data to the public internet.
Vulnerability Assessment: Knowing which specific technologies are in use allows security teams to cross-reference them against intelligence feeds for known vulnerabilities (CVEs) or configuration weaknesses.
Compliance: The use of specific, often unsanctioned SaaS applications can create compliance gaps under regulations such as GDPR or HIPAA if sensitive data is processed or stored there.
By proactively identifying and inventorying these external SaaS assets, security teams gain the visibility needed to prioritize security investments and accelerate remediation of externally exposed risks.
ThreatNG's External SaaS Identification capability, branded as SaaSqwatch, is a fundamental component of its all-in-one External Attack Surface Management and Digital Risk Protection solution. It systematically helps an organization manage the risks associated with third-party software and cloud services by identifying and assessing them from an outside-in, unauthenticated perspective.
External Discovery
ThreatNG begins with purely external, unauthenticated discovery. This discovery feeds the SaaSqwatch capability, which uncovers externally identifiable SaaS applications. The goal is to identify all SaaS implementations associated with the target organization, including both Sanctioned Cloud Services and Unsanctioned Cloud Services (Shadow IT), as well as any Cloud Service Impersonations.
Investigation Modules
The process is managed under the Cloud and SaaS Exposure investigation module.
Detailed Examples of Investigation Findings:
This module provides a detailed inventory of discovered SaaS implementations:
Identity and Access Management: Such as Azure Active Directory and Duo.
Customer Relationship Management (CRM): For example, Salesforce.
Human Resources: Including platforms like Greenhouse.
IT Service Management: Such as ServiceNow.
Data Analytics and Observability: Identifying services like Splunk and Snowflake.
Crucially, the module also identifies security risks by discovering open, exposed cloud buckets across major providers such as AWS, Microsoft Azure, and Google Cloud Platform.
External Assessment and Security Ratings
The findings from SaaS Identification serve as a primary input for multiple security ratings, providing the organization with a quantifiable measure of risk.
Supply Chain & Third-Party Exposure Security Rating:
This A-F rating (A is the best grade and F the worst) is based directly on the findings from SaaS Identification, which encompasses all vendors identified in Cloud and SaaS Exposure. By enumerating the vendors within domain records, ThreatNG assesses the risk exposure from reliance on those third parties.
Example of External Assessment:
If the platform detects a subdomain pointing to an exposed cloud environment on Microsoft Azure, or identifies a widely externally identifiable SaaS application used by the organization, it factors this into the final risk calculation for the organization's supply chain exposure.
Continuous Monitoring and Reporting
ThreatNG provides Continuous Monitoring of the digital risk and security ratings. This ensures that if a new, unsanctioned SaaS application is adopted or a sanctioned service is misconfigured and becomes exposed, the platform detects it quickly.
Reporting Examples:
The discovered SaaS exposures and their associated risks are communicated through various reporting mechanisms. A risky finding, such as an exposed cloud bucket discovered by the SaaSqwatch capability, would appear in a Prioritized Report (categorized as High, Medium, Low, or Informational) and would contribute to the overall letter grade in the Security Ratings Report.
Intelligence Repositories
ThreatNG’s ability to identify a vast array of SaaS vendors is supported by its intelligence repositories, particularly the data that underpins the Technology Stack module. This module provides an exhaustive overview of technologies, including a classification of SaaS-related subcategories.
Example of Intelligence Repositories:
The Technology Stack module details the number of technologies it can uncover across categories relevant to SaaS, such as Identity & Access Management platforms and Collaboration & Productivity tools. This deep knowledge base is what enables the accurate and exhaustive identification of the specific SaaS vendor in SaaSqwatch.
Cooperation with Complementary Solutions
ThreatNG's unique value, including Contextual Risk Intelligence and Legal-Grade Attribution, makes its SaaS identification findings exceptionally useful when used with complementary security solutions.
Example of ThreatNG Helping:
ThreatNG helps by performing an External GRC Assessment that maps exposed digital risks, including those identified via SaaSqwatch, to relevant GRC frameworks. This allows the organization to identify and address external compliance gaps related to standards such as PCI DSS, HIPAA, and GDPR.
Example of ThreatNG and Complementary Solutions Cooperation:
If SaaSqwatch identifies an external service, such as a video conferencing platform like Zoom, and ThreatNG subsequently finds a known vulnerability (from its NVD and actively exploited KEV intelligence sources) associated with that technology on a subdomain, a complementary Vulnerability Management Solution could use this finding. The external vulnerability management solution could automatically elevate remediation priority because ThreatNG has provided Legal-Grade Attribution and confirmed the risk from the attacker’s perspective, enabling faster resource allocation to protect digital assets.

