Hybrid SaaS Discovery
Hybrid SaaS Discovery in the context of cybersecurity refers to the method of identifying an organization’s use of Software-as-a-Service (SaaS) applications by combining external (outside-in) and internal (inside-out) data sources and detection techniques. This approach aims to achieve a more complete and accurate inventory of cloud services than either method can provide on its own.
External (Outside-In) Discovery
The external component focuses on the digital footprint visible to a potential attacker. Techniques used here include:
DNS Analysis: Scanning DNS records, particularly CNAMEs, to find pointers to known third-party vendor platforms (e.g., Slack, Shopify, Zendesk).
Web Fingerprinting: Analyzing external-facing assets like websites and subdomains for tell-tale signs, such as specific HTTP headers, website code (JavaScript libraries), or public-facing documentation that indicate the use of a particular SaaS vendor.
Open Source Intelligence (OSINT): Searching public code repositories, dark web forums, and search engines for mentions of the organization's domain alongside SaaS configuration files or leaked credentials.
Internal (Inside-Out) Discovery
The internal component leverages privileged access to the corporate network and systems. Techniques used here include:
Network Traffic Monitoring: Analyzing firewall and proxy logs to see which domains employees are accessing, which can reveal both sanctioned and unsanctioned (Shadow IT) applications.
Endpoint Detection and Response (EDR) Data: Inspecting endpoint application lists and browser history to find locally installed or frequently accessed cloud clients.
Configuration Management Databases (CMDBs) & Financial Records: Reviewing internal IT documentation and expense reports to identify subscribed services that may not have an obvious external footprint.
Why the Hybrid Approach is Essential
A purely external view often misses sanctioned but privately configured SaaS instances, while a strictly internal view can miss externally discoverable development- or marketing-related services that are exposed and vulnerable. By fusing these two data sets, the hybrid approach provides the most accurate context for Governance, Risk, and Compliance (GRC) assessment, allowing security teams to link external exposure risks to internal asset owners and policy violations.
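As an added illustration of the fusion step (example code, not from the original page or any vendor's product), the following Python combines a constructed set of external CNAME records with constructed proxy log lines, matches both against an assumed vendor catalogue and sanctioned list, and labels each vendor by where it was seen and whether it is sanctioned or Shadow IT.

```python
# Constructed sample data; a real run would use a maintained vendor catalogue,
VENDOR_SUFFIXES = {            # the real DNS zone and real proxy logs.
    "myshopify.com": "Shopify", "zendesk.com": "Zendesk",
    "slack.com": "Slack", "okta.com": "Okta", "greenhouse.io": "Greenhouse",
}
SANCTIONED = {"Slack", "Okta", "Zendesk"}      # from CMDB / procurement records
DNS_RECORDS = [                # (hostname, CNAME target) seen from outside
    ("shop.example.com", "shops.myshopify.com"),
    ("help.example.com", "example.zendesk.com"),
    ("sso.example.com", "example.okta.com"),
    ("www.example.com", "example.com"),         # not a SaaS pointer
]
PROXY_LOGS = """\
2024-05-01T09:00:01Z alice app.slack.com 4821
2024-05-01T09:05:44Z carol boards.greenhouse.io 2210
2024-05-01T09:06:00Z alice example.okta.com 512
"""
def vendor_for(host):
    """Map a hostname to a vendor by exact or parent-domain suffix match."""
    host = host.lower().rstrip(".")
    for suffix, vendor in VENDOR_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def vendors_seen(pairs):
    """Group (hostname, evidence) pairs by vendor; unmatched hosts are dropped."""
    found = {}
    for host, evidence in pairs:
        vendor = vendor_for(host)
        if vendor:
            found.setdefault(vendor, set()).add(evidence)
    return found

def hybrid_inventory(records, log_text, sanctioned=SANCTIONED):
    """Fuse outside-in (CNAME owners) and inside-out (proxy users) evidence."""
    ext = vendors_seen((target, name) for name, target in records)
    internal = vendors_seen((f[2], f[1]) for f in
                            (line.split() for line in log_text.splitlines()))
    inventory = {}
    for vendor in ext.keys() | internal.keys():
        where = ("both" if vendor in ext and vendor in internal
                 else "external-only" if vendor in ext else "internal-only")
        inventory[vendor] = {
            "visibility": where,
            "status": "sanctioned" if vendor in sanctioned else "shadow-it",
            "external_hosts": sorted(ext.get(vendor, ())),
            "internal_users": sorted(internal.get(vendor, ())),
        }
    return inventory
```

Vendors that land in "internal-only" with status "shadow-it" are the Shadow IT cases an external scan alone would never surface, while "external-only" entries are exposures no proxy log will ever record.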
ThreatNG's capabilities focus on the External GRC Assessment and External SaaS Identification (SaaSqwatch), which directly address the external component of Hybrid SaaS Discovery and provide critical risk and compliance data that can be combined with internal findings for a comprehensive view.
ThreatNG's Role in External SaaS Discovery
External Discovery
ThreatNG performs purely external unauthenticated discovery to identify the organization's attack surface, including all associated cloud and SaaS services. This process is the foundation for the platform's External GRC Assessment and for discovering exposed assets and digital risks from an attacker's perspective.
Investigation Modules
The primary module relevant to SaaS discovery is Cloud and SaaS Exposure, which is home to SaaSqwatch (SaaS Discovery and Identification).
Detailed Examples of Discovery:
SaaSqwatch identifies externally identifiable SaaS implementations across categories like Identity and Access Management (e.g., Azure Active Directory, Duo, Okta) and Collaboration and Productivity (e.g., Slack, Asana, Zoom, Monday.com).
It differentiates between Sanctioned Cloud Services and Unsanctioned Cloud Services. Unsanctioned services, or "Shadow IT," are a core focus of hybrid discovery.
It identifies critical risks, such as open exposed cloud buckets on AWS, Microsoft Azure, and Google Cloud Platform.
External Assessment and Security Ratings
The discovered SaaS applications and cloud exposure are fed into specific security ratings to quantify the risk.
Detailed Examples of Risk Assessment:
Data Leak Susceptibility: The rating is derived, in part, from uncovering Externally Identifiable SaaS applications and Cloud Exposure (exposed open cloud buckets).
Supply Chain & Third-Party Exposure: This rating (A-F) is based on SaaS Identification (all vendors identified within Cloud and SaaS Exposure) and the Technology Stack. This quantifies the risk introduced by the vast array of external services identified.
External GRC Assessment: This capability provides a continuous, outside-in evaluation of the GRC posture by mapping exposed assets and risks directly to GRC frameworks such as PCI DSS, HIPAA, GDPR, NIST CSF, and POPIA.
Intelligence Repositories
The extensive vendor and technology knowledge base is essential for accurate identification during the external discovery phase.
Detailed Examples of Intelligence Support:
The Technology Stack investigation module provides an exhaustive, unauthenticated discovery of nearly 4,000 technologies. It details subcategories like Identity & Access Management (11 technologies) and Collaboration & Document Management (31 technologies), enabling precise external fingerprinting.
Continuous Monitoring and Reporting
ThreatNG offers Continuous Monitoring of the external attack surface and digital risk, ensuring that any new or newly exposed SaaS application is immediately detected.
Reporting Examples: The External GRC Assessment Mappings reports provide the necessary output to address compliance concerns stemming from exposed SaaS assets, clearly showing how external risks violate specific regulations (e.g., HIPAA, GDPR).
Cooperation with Complementary Solutions
ThreatNG's external, high-certainty view is highly effective when paired with internal data sources to complete the hybrid discovery picture.
Example of ThreatNG Helping:
ThreatNG provides the external component of the discovery by identifying an unsanctioned HR service, like Greenhouse, via its SaaSqwatch feature and immediately flagging it as a potential risk due to a lack of proper governance. The External GRC Assessment further clarifies that this shadow IT creates a compliance gap against NIST CSF.
Example of ThreatNG and Complementary Solutions Cooperation:
ThreatNG's external discovery identifies a high-risk external exposure, such as an exposed GitHub code repository (using its Code Repository Exposure module), containing an AWS Access Key ID.
A complementary solution used for Internal Discovery—such as an organization's internal Network Traffic Monitoring system—could use ThreatNG's findings. It could then search its internal logs for the specific exposed AWS Key ID or the associated developer's ID (found via Code Repository Exposure) to trace the internal network activity related to the leak.
The fusion of the external proof (from ThreatNG's Legal-Grade Attribution and exposed code) and the internal access logs (from the complementary system) completes the hybrid discovery, linking the exposed external finding to the internal source of the risk with high certainty, enabling immediate, targeted internal policy changes and remediation.