SaaSqwatch
SaaSqwatch is the brand name ThreatNG uses for its SaaS Discovery and Identification capability within the Cloud and SaaS Exposure investigation module.
In the context of cybersecurity, SaaSqwatch functions as a critical component for External Attack Surface Management by identifying which Software-as-a-Service (SaaS) applications are associated with the organization under investigation. This is done through an external, unauthenticated discovery process.
The main goal of SaaSqwatch is to uncover potential digital risks associated with the use of these third-party services. The capability identifies both Sanctioned Cloud Services and Unsanctioned Cloud Services (Shadow IT), which are crucial for assessing the organization's supply chain and third-party exposure. It also detects Cloud Service Impersonations.
Identified SaaS Categories and Examples
SaaSqwatch comprehensively identifies the presence of SaaS implementations across a wide range of categories, including:
Business Intelligence and Data Analytics: Such as Looker, Amplitude, Mode, and Snowflake.
Collaboration and Productivity: Including Atlassian and Slack.
Content Management and Collaboration: Services like Aha, Box, Brandfolder, and SharePoint.
Customer Relationship Management (CRM): For instance, Salesforce.
Customer Service and Support: Including Kustomer.
Data Analytics and Observability: Such as Axonius, Splunk, and Snowflake.
Endpoint Management: Including Axonius and JAMF.
Enterprise Resource Planning (ERP): For example, Workday.
Human Resources: Such as BambooHR and Greenhouse.
Identity and Access Management (IAM): Including Azure Active Directory, Duo, and Okta.
Incident Management: Such as PagerDuty.
IT Service Management: Including Axonius and ServiceNow.
Project Management: For example, Aha and Asana.
Video Conferencing: Such as Zoom.
Work Operating System: For instance, Monday.com.
Role in Security Ratings
The information gathered by SaaSqwatch is a key input for calculating the Supply Chain & Third-Party Exposure Security Rating. This rating uses the enumeration of vendors within domain records and the total number of identified technologies to assess risk. The identification of all vendors through SaaSqwatch contributes directly to this rating, providing an A-F grade (A being good and F being bad) to quantify the level of third-party risk exposure.
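One way a defender could enumerate vendors from domain records and split them into sanctioned and unsanctioned services, shown as an added example that is not ThreatNG's code or method. The signature table, the `example.test` records, and the sanctioned list are assumptions constructed for illustration.

```python
# Added illustration: map public DNS records to SaaS vendors, then split the
# vendors into sanctioned vs unsanctioned. Not ThreatNG's implementation.

# Assumed signature table (record type, pattern, vendor); illustrative only.
SIGNATURES = [
    ("TXT", "atlassian-domain-verification=", "Atlassian"),
    ("TXT", "slack-domain-verification=", "Slack"),
    ("TXT", "include:_spf.salesforce.com", "Salesforce"),
    ("CNAME", ".okta.com", "Okta"),
    ("CNAME", ".service-now.com", "ServiceNow"),
]

# Constructed sample records in "name type value" form.
RECORDS = """\
example.test.        TXT   "atlassian-domain-verification=CONSTRUCTED-TOKEN"
example.test.        TXT   "v=spf1 include:_spf.salesforce.com ~all"
example.test.        TXT   "slack-domain-verification=CONSTRUCTED-TOKEN"
login.example.test.  CNAME example.customdomains.okta.com.
help.example.test.   CNAME exampletest.service-now.com.
sso.example.test.    CNAME okta.com.lookalike.test.
www.example.test.    CNAME web.example.test.
"""
SANCTIONED = {"Atlassian", "Salesforce", "Okta"}  # assumed approved-vendor list

def parse_records(text):
    """Yield (name, type, value) with quotes and trailing dots removed."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, rtype, value = parts
            yield name.rstrip("."), rtype.upper(), value.strip('"').rstrip(".").lower()

def identify_vendors(text):
    """Return {vendor: [record names that revealed it]}."""
    found = {}
    for name, rtype, value in parse_records(text):
        for sig_type, pattern, vendor in SIGNATURES:
            if rtype != sig_type:
                continue
            # CNAME targets are matched as a suffix, so a lookalike such as
            # "okta.com.lookalike.test" is not counted as the vendor.
            hit = value.endswith(pattern) if rtype == "CNAME" else pattern in value
            if hit:
                found.setdefault(vendor, []).append(name)
    return found

def classify(found, sanctioned):
    """Split identified vendors into sanctioned and unsanctioned lists."""
    return {"sanctioned": sorted(v for v in found if v in sanctioned),
            "unsanctioned": sorted(v for v in found if v not in sanctioned)}
```
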
SaaSqwatch helps organizations to better use their security resources by providing actionable intelligence on their exposure to external risks associated with the SaaS applications they use.
The SaaSqwatch capability is a specific, branded feature that plays a crucial role in the ThreatNG platform's overall External Attack Surface Management (EASM) and Digital Risk Protection solution. It focuses on externally identifying the Software-as-a-Service (SaaS) applications associated with an organization.
SaaSqwatch within ThreatNG Capabilities
1. External Discovery
SaaSqwatch, the brand name for SaaS Discovery and Identification, is fundamentally an external discovery mechanism. It performs purely external, unauthenticated discovery to identify which SaaS implementations are associated with the organization under investigation. This discovery uncovers Sanctioned Cloud Services, Unsanctioned Cloud Services (Shadow IT), and Cloud Service Impersonations.
2. External Assessment and Security Ratings
The findings from SaaSqwatch are directly fed into ThreatNG’s external assessment capabilities to generate risk-based security ratings.
Supply Chain & Third-Party Exposure Security Rating: SaaSqwatch is a key data source for this rating. It enumerates vendors in domain records and identifies all vendors in Cloud and SaaS Exposure. The rating itself is an A-F grade (A being good and F being bad) that assesses the risk from third-party reliance.
Detailed Examples of Assessed SaaS/Cloud Vendors: The platform identifies a broad range of SaaS platforms.
Customer Relationship Management (CRM): Salesforce.
Identity and Access Management (IAM): Azure Active Directory, Duo, Okta.
Data Analytics: Snowflake, Splunk.
Productivity: Slack, Asana, Zoom, Workday.
Cloud Hosting: AWS, Microsoft Azure, and Google Cloud Platform buckets.
3. Investigation Modules
SaaSqwatch is specifically housed within the Cloud and SaaS Exposure Investigation Module.
Detailed Examples of SaaSqwatch Findings: This module uncovers:
Open Exposed Cloud Buckets across major platforms, including AWS, Microsoft Azure, and Google Cloud Platform.
Externally Identifiable SaaS applications.
The list of SaaS implementations includes Workday (ERP), Greenhouse (HR), PagerDuty (Incident Management), and ServiceNow (IT Service Management).
4. Intelligence Repositories
While SaaSqwatch is the discovery tool, the underlying technical identification of the cloud and SaaS providers relies on the Intelligence Repositories.
Detailed Example of Intelligence Support: The discovery process often involves cross-referencing information against the Technology Stack repository. This repository is an exhaustive collection of technologies, including:
Identity & Access Management: IAM platforms (11), Multi-Factor Authentication (1), Single Sign-On (4).
Collaboration & Productivity: Productivity Suite (3), Communication & Workflow (32).
E-commerce & Payment: E-commerce (125), Payment Processing (59).
5. Continuous Monitoring and Reporting
The discovery of SaaS instances is not a one-time event. ThreatNG provides Continuous Monitoring of the external attack surface and digital risk. This ensures that new SaaS instances or changes in their exposure are constantly tracked. The identified exposure and its associated risk are then included in various Reporting formats.
Reporting Examples: The risk associated with exposed SaaS configurations (e.g., an open AWS cloud bucket) would be featured in Prioritized Reports (High, Medium, Low, and Informational) and contribute to the overall Security Ratings Report (A-F).
6. Complementary Solutions
ThreatNG's focus on providing Legal-Grade Attribution and Contextual Risk Intelligence makes the high-certainty data generated by SaaSqwatch highly effective when working with complementary solutions.
Working with Vulnerability Management Solutions: When ThreatNG identifies a known vulnerability on an asset associated with a sanctioned cloud service, it also provides the associated Legal-Grade Attribution. A complementary vulnerability management solution could then leverage this context to accelerate patching and remediation, automatically escalating fixes for the exposed cloud environment because ThreatNG has definitively resolved the Attribution Chasm.
Working with Governance, Risk, and Compliance (GRC) Platforms: ThreatNG conducts an External GRC Assessment and maps findings to frameworks such as PCI DSS, HIPAA, and GDPR. If SaaSqwatch identifies an unsanctioned SaaS application that transmits protected data, a complementary GRC platform could leverage ThreatNG's specific compliance gap mapping to automatically open a remediation case file, streamlining continuous evaluation of the compliance posture.
Example of ThreatNG Helping: ThreatNG can discover an exposed subdomain hosted on a PaaS like Vercel and confirm its susceptibility to subdomain takeover by performing a specific validation check for an inactive or unclaimed resource. This confirms the "dangling DNS" state and prioritizes the risk.
Example of ThreatNG and Complementary Solutions Cooperation: ThreatNG detects a Compromised Credential from the Dark Web repository (DarCache Dark Web) associated with an email address linked to a discovered Slack Webhook in a mobile app. A complementary Security Orchestration, Automation, and Response (SOAR) solution could use this high-fidelity finding from ThreatNG, which includes the certainty of the leaked secret, to immediately revoke the exposed Slack Webhook token and notify the IAM platform (Okta or Azure Active Directory identified by SaaSqwatch) to force a password reset for the associated user account.

