[{"data":1,"prerenderedAt":5749},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/free-and-trial-saas-applications-are-even-riskier-than-paid-apps":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":5138,"content":5146,"_id":5744,"_type":5745,"_source":5746,"_file":5747,"_stem":5748,"_extension":5745},"/blog/free-and-trial-saas-applications-are-even-riskier-than-paid-apps","blog",{"id":1280,"publishedAt":1281},"RColcmPkti04JQrda9WOp","2025-04-28T18:10:09.620Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{
},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Free and trial SaaS accounts are often invisible to security teams and interact with real corporate data.","text","paragraph","document","Free and trial SaaS applications are even riskier than paid apps","SaaS security risks: Free and trial apps riskier than paid","Free and trial SaaS accounts are often invisible to security teams and still interact with real, live corporate data.","2023-07-11T00:00:00.000Z","free-and-trial-saas-applications-are-even-riskier-than-paid-apps",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1308,"name":1310},{"id":1309},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"items":1312},[1313,2810,4385],{"__typename":1314,"sys":1315,"content":1317,"title":2790,"synopsis":2791,"hashTags":118,"publishedDate":2792,"slug":2793,"tagsCollection":2794,"authorsCollection":2802},"BlogPosts",{"id":1316},"3ic4Ok5kwIE8UuUClhPFPn",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1329,1336,1343,1350,1357,1364,1371,1378,1423,1430,1437,1444,1452,1459,1468,1475,1482,1489,1497,1504,1511,1518,1525,1532,1539,1546,1568,1574,1581,1588,1601,1609,1616,1622,1629,1636,1642,1649,1658,1674,1698,1705,1712,1719,1726,1732,1739,1746,1753,1760,1767,1774,1794,1801,1808,1815,1822,1838,1871,1880,1887,1894,1901,1908,1915,1922,1929,1935,1942,1949,1956,1963,1970,1977,1997,2004,2010,2017,2040,2047,2054,2087,2094,2101,2108,2115,2128,2135,2206,2213,2220,2243,2249,2256,2263,2270,2303,2310,2711,2718,2737,2744,2753,2769,2776,2783],{"nodeType":1322,"data":1323,"content":1324},"heading-1",{},[1325],{"nodeType":1293,"value":1326,"marks":1327,"data":1328},"Introduction",[],{},{"nodeType":1294,"data":1330,"content":1331},{},[1332],{"nodeType":1293,"value":1333,"marks":1334,"data":1335},"Employees using a new work app used to be the final step of the software-onboarding process. 
",[],{},{"nodeType":1294,"data":1337,"content":1338},{},[1339],{"nodeType":1293,"value":1340,"marks":1341,"data":1342},"Now it's the first. ",[],{},{"nodeType":1294,"data":1344,"content":1345},{},[1346],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"SaaS vendors bypass IT and security and hook employees with free apps and trials. This has led to sensitive data on shadow SaaS applications (more on this later) that is accessible via unmanaged cloud accounts (accounts that aren’t protected by SSO or logged into via social login accounts). Attackers exploit this unmonitored attack surface with new takes on old techniques that are going undetected.",[],{},{"nodeType":1294,"data":1351,"content":1352},{},[1353],{"nodeType":1293,"value":1354,"marks":1355,"data":1356},"Employees self-adopting apps might sound like a security nightmare, but it doesn’t have to be. In fact, it can be a really good thing that enables employees to be more productive and your business to be more competitive. And, frankly, there’s no way to stop it without causing a SaaS sprawl issue. ",[],{},{"nodeType":1294,"data":1358,"content":1359},{},[1360],{"nodeType":1293,"value":1361,"marks":1362,"data":1363},"What’s clear is that this new landscape has fundamentally changed the way software is brought into the business. The days of security acting as a gatekeeper that all apps must pass through before they can touch live data are over. The market forces driving self-service apps aren’t stopping, so the security industry needs to adapt.",[],{},{"nodeType":1294,"data":1365,"content":1366},{},[1367],{"nodeType":1293,"value":1368,"marks":1369,"data":1370},"Security teams need to regain visibility and control over company data and how it’s secured. 
",[],{},{"nodeType":1294,"data":1372,"content":1373},{},[1374],{"nodeType":1293,"value":1375,"marks":1376,"data":1377},"In this guide I’ll show security teams: ",[],{},{"nodeType":1379,"data":1380,"content":1381},"unordered-list",{},[1382,1393,1403,1413],{"nodeType":1383,"data":1384,"content":1385},"list-item",{},[1386],{"nodeType":1294,"data":1387,"content":1388},{},[1389],{"nodeType":1293,"value":1390,"marks":1391,"data":1392},"What’s driving employee app self-adoption and the impact on security teams",[],{},{"nodeType":1383,"data":1394,"content":1395},{},[1396],{"nodeType":1294,"data":1397,"content":1398},{},[1399],{"nodeType":1293,"value":1400,"marks":1401,"data":1402},"Why the go-to solutions of policies and tools that block access to unsanctioned apps don’t work",[],{},{"nodeType":1383,"data":1404,"content":1405},{},[1406],{"nodeType":1294,"data":1407,"content":1408},{},[1409],{"nodeType":1293,"value":1410,"marks":1411,"data":1412},"What new approaches can work and how to apply them",[],{},{"nodeType":1383,"data":1414,"content":1415},{},[1416],{"nodeType":1294,"data":1417,"content":1418},{},[1419],{"nodeType":1293,"value":1420,"marks":1421,"data":1422},"The two aspects to address when securing SaaS and managing risk ",[],{},{"nodeType":1294,"data":1424,"content":1425},{},[1426],{"nodeType":1293,"value":1427,"marks":1428,"data":1429},"At the end of this book, we’ll link to a guide filled with practical guidance on how to manage those risks and quickly reduce your risk exposure. In that guide, we’ll also cover which data sources are available for SaaS security and why the choice is crucial.",[],{},{"nodeType":1294,"data":1431,"content":1432},{},[1433],{"nodeType":1293,"value":1434,"marks":1435,"data":1436},"The guidance provided here has been developed after talking with security leaders and CISOs that are already successfully embracing SaaS self-adoption while keeping a handle on risks. 
There are too many folks here to thank personally, but if you recognize some of this from our discussions, please accept my thanks, and hopefully there’s something new and useful here for you as well!",[],{},{"nodeType":1322,"data":1438,"content":1439},{},[1440],{"nodeType":1293,"value":1441,"marks":1442,"data":1443},"Why is it so easy for employees to self-adopt new apps without IT?",[],{},{"nodeType":1445,"data":1446,"content":1447},"heading-2",{},[1448],{"nodeType":1293,"value":1449,"marks":1450,"data":1451},"Memories of a simpler time",[],{},{"nodeType":1294,"data":1453,"content":1454},{},[1455],{"nodeType":1293,"value":1456,"marks":1457,"data":1458},"Before cloud computing was a thing, IT teams procured and managed hardware, software, networks and services for their businesses. The business was dependent on IT deploying new software across their on-prem network and managing it, so it was nearly impossible to bypass them. They became, in effect, the gatekeepers to the business’ IT environment. The onboarding process typically looked something like this:",[],{},{"nodeType":1460,"data":1461,"content":1467},"embedded-entry-block",{"target":1462},{"sys":1463},{"id":1464,"type":1465,"linkType":1466},"1Dw4V0Fd0wI8yB6juzyWjg","Link","Entry",[],{"nodeType":1294,"data":1469,"content":1470},{},[1471],{"nodeType":1293,"value":1472,"marks":1473,"data":1474},"IT asked Security to review a new app and its vendor to identify risks and determine if it should be adopted. At this point, security would specify which controls were required for it to be used securely. This all happened  before an app touched their network and interacted with any live data.",[],{},{"nodeType":1294,"data":1476,"content":1477},{},[1478],{"nodeType":1293,"value":1479,"marks":1480,"data":1481},"In return, Security could rely on IT to give them accurate information about all the businesses’ technology assets that needed to be protected. 
This process gave both teams great visibility across their total IT environment. Security and IT could maintain a high degree of control over how technology was used. ",[],{},{"nodeType":1294,"data":1483,"content":1484},{},[1485],{"nodeType":1293,"value":1486,"marks":1487,"data":1488},"In other words, life was wonderful and no one ever got hacked (maybe, it’s hard to remember now). Then the cloud happened and ruined everything.",[],{},{"nodeType":1294,"data":1490,"content":1491},{},[1492],{"nodeType":1293,"value":1493,"marks":1494,"data":1496},"Clearly I’m joking, but while very few orgs got it perfect, it was “good enough” at providing process-driven visibility of what enterprise software was being deployed for most.",[1495],{"type":312},{},{"nodeType":1445,"data":1498,"content":1499},{},[1500],{"nodeType":1293,"value":1501,"marks":1502,"data":1503},"The birth of the “as-a-Service” era",[],{},{"nodeType":1294,"data":1505,"content":1506},{},[1507],{"nodeType":1293,"value":1508,"marks":1509,"data":1510},"I jest, the cloud hasn’t ruined everything. It gave organizations the opportunity to be faster, more flexible and more efficient. Businesses no longer had to buy and manage all their own infrastructure and apps, they could just pay for what they used when they needed it. It led to a wave of “as-a-service” business models that stretched across infrastructure, platforms and software. ",[],{},{"nodeType":1294,"data":1512,"content":1513},{},[1514],{"nodeType":1293,"value":1515,"marks":1516,"data":1517},"Thousands of new software-as-a-service (SaaS) companies emerged with high quality apps that were easy to use over the internet. 
Essentially SaaS created software employees could use on-demand, which was a huge departure from the old days when IT and Security would do loads of security vetting upfront because they knew they’d be stuck with the software for years after deploying.",[],{},{"nodeType":1294,"data":1519,"content":1520},{},[1521],{"nodeType":1293,"value":1522,"marks":1523,"data":1524},"Leveraging great on-demand software tools boosted employee productivity and made their businesses more competitive. Tech-savvy employees, used to subscribing to on-demand software services in their personal lives, started to demand more autonomy over the technology they use at work. They were no longer satisfied with the generic suite of programs that IT could provide for them. Instead, they wanted the specialist tools designed and built for people like them by people like them. ",[],{},{"nodeType":1294,"data":1526,"content":1527},{},[1528],{"nodeType":1293,"value":1529,"marks":1530,"data":1531},"Despite users loving the software once they tried it, SaaS vendors were struggling to sell into large organizations with complicated procurement processes - it was too difficult to get their software in user's hands, and got more difficult the more niche and specialized the app was.",[],{},{"nodeType":1445,"data":1533,"content":1534},{},[1535],{"nodeType":1293,"value":1536,"marks":1537,"data":1538},"The rise of Product-Led Growth",[],{},{"nodeType":1294,"data":1540,"content":1541},{},[1542],{"nodeType":1293,"value":1543,"marks":1544,"data":1545},"Enter Wes Bush, a young SaaS marketer who published his book Product Led Growth in 2019. In it, he showed SaaS vendors how they can increase their sales revenues while reducing their sales cycles and costs by using their products as their primary go-to-market vehicle, as opposed to traditional sales teams. 
",[],{},{"nodeType":1294,"data":1547,"content":1548},{},[1549,1553,1564],{"nodeType":1293,"value":1550,"marks":1551,"data":1552},"The premise is simple; prospective customers prefer to experience the value of a product rather than be told about it by sales people. Back in 2015 Forrester ",[],{},{"nodeType":1554,"data":1555,"content":1557},"hyperlink",{"uri":1556},"https://www.forrester.com/blogs/15-04-14-death_of_a_b2b_salesman/",[1558],{"nodeType":1293,"value":1559,"marks":1560,"data":1563},"reported",[1561],{"type":1562},"underline",{},{"nodeType":1293,"value":1565,"marks":1566,"data":1567}," that 75% of B2B buyers prefer a sales-rep-free buying process. The book became a phenomenon within the SaaS industry. Product-led growth (PLG) is now the norm for SaaS companies, and around 60% of SaaS companies now use PLG and that’s only going to increase.",[],{},{"nodeType":1460,"data":1569,"content":1573},{"target":1570},{"sys":1571},{"id":1572,"type":1465,"linkType":1466},"747PuaJ26IbolPB1ugxd2h",[],{"nodeType":1294,"data":1575,"content":1576},{},[1577],{"nodeType":1293,"value":1578,"marks":1579,"data":1580},"Why is PLG turning software adoption on its head? In order to establish a PLG go-to-market motion, SaaS vendors need end users to try their product, either as a free trial or a free version of the app, and quickly experience value from it so  they’re motivated to champion the internal business case through to a successful purchase. ",[],{},{"nodeType":1294,"data":1582,"content":1583},{},[1584],{"nodeType":1293,"value":1585,"marks":1586,"data":1587},"PLG not only relies upon end users as the initial adopters of a new app, but for them to experience meaningful value during that initial experience. This nearly always necessitates that the new app interacts with real data in a live environment. What’s more, it’s only the apps that end users want to use in a paid tier that are likely to ever get submitted to the app-onboarding process. 
The freemium and trial versions of apps that are just tried out are unlikely to ever be presented to IT and security. ",[],{},{"nodeType":1294,"data":1589,"content":1590},{},[1591,1595],{"nodeType":1293,"value":1592,"marks":1593,"data":1594},"This obviously poses a problem from an IT and security standpoint.",[],{},{"nodeType":1293,"value":1596,"marks":1597,"data":1600}," ",[1598],{"type":1599},"bold",{},{"nodeType":1294,"data":1602,"content":1603},{},[1604],{"nodeType":1293,"value":1605,"marks":1606,"data":1608},"SaaS vendors are deliberately bypassing the traditional software procurement processes that used to give IT and security teams visibility of the third party apps that had their data. ",[1607],{"type":1599},{},{"nodeType":1294,"data":1610,"content":1611},{},[1612],{"nodeType":1293,"value":1613,"marks":1614,"data":1615},"Instead, SaaS vendors are directly targeting employees with their apps and encouraging them to plug them straight into live environments before they’ve been vetted. Software onboarding now looks a lot more like this:",[],{},{"nodeType":1460,"data":1617,"content":1621},{"target":1618},{"sys":1619},{"id":1620,"type":1465,"linkType":1466},"61Oj6GzX4amLxEJ5fPDJCq",[],{"nodeType":1445,"data":1623,"content":1624},{},[1625],{"nodeType":1293,"value":1626,"marks":1627,"data":1628},"IT and security teams might be the last to know about PLG and miss the scale of the change",[],{},{"nodeType":1294,"data":1630,"content":1631},{},[1632],{"nodeType":1293,"value":1633,"marks":1634,"data":1635},"IT & security folks are usually ahead of the curve when it comes to technology shifts, but in this case many might have missed the scale or speed of the change. That’s because IT and security tools are among the least product-led of any sector. Most of our industry’s tools require heavy integrations, complicated setup, agent deployments, and so on. 
",[],{},{"nodeType":1460,"data":1637,"content":1641},{"target":1638},{"sys":1639},{"id":1640,"type":1465,"linkType":1466},"2ldVELsUQIU0xaPSPJyXBR",[],{"nodeType":1294,"data":1643,"content":1644},{},[1645],{"nodeType":1293,"value":1646,"marks":1647,"data":1648},"Unfortunately, few security companies are making products as easy to set up and use as new tools for marketing, sales, finance, development, engineering design, legal, HR, and basically every other sector that can’t rely on a technical first user. ",[],{},{"nodeType":1294,"data":1650,"content":1651},{},[1652],{"nodeType":1293,"value":1653,"marks":1654,"data":1657},"This leads to a misconception in IT and Security teams that self-adopted apps are fringe and don’t contain significant sensitive data.",[1655,1656],{"type":312},{"type":1599},{},{"nodeType":1294,"data":1659,"content":1660},{},[1661,1665,1670],{"nodeType":1293,"value":1662,"marks":1663,"data":1664},"Most concerning for security teams is that ",[],{},{"nodeType":1293,"value":1666,"marks":1667,"data":1669},"the sheer number of apps in use has increased dramatically",[1668],{"type":1599},{},{"nodeType":1293,"value":1671,"marks":1672,"data":1673}," and will continue to do so. There are a couple reasons for this: ",[],{},{"nodeType":1675,"data":1676,"content":1677},"ordered-list",{},[1678,1688],{"nodeType":1383,"data":1679,"content":1680},{},[1681],{"nodeType":1294,"data":1682,"content":1683},{},[1684],{"nodeType":1293,"value":1685,"marks":1686,"data":1687},"The big old monolithic on-prem software is being replaced not by a single SaaS app, but an ecosystem of specialized apps. Each new app integrates and extends the functionality as the team using the stack learns what they need, so there is a one-to-many shift happening. 
",[],{},{"nodeType":1383,"data":1689,"content":1690},{},[1691],{"nodeType":1294,"data":1692,"content":1693},{},[1694],{"nodeType":1293,"value":1695,"marks":1696,"data":1697},"Since apps are virtually zero-maintenance these days, the operating cost (if not the licensing cost) of running multiple apps is almost the same as one (compared to on-prem apps), so duplicate apps are far less of a problem. This also makes them pretty common and further multiplies the number of apps and vendors.",[],{},{"nodeType":1322,"data":1699,"content":1700},{},[1701],{"nodeType":1293,"value":1702,"marks":1703,"data":1704},"The impact of self-adoption on security",[],{},{"nodeType":1445,"data":1706,"content":1707},{},[1708],{"nodeType":1293,"value":1709,"marks":1710,"data":1711},"Loss of visibility",[],{},{"nodeType":1294,"data":1713,"content":1714},{},[1715],{"nodeType":1293,"value":1716,"marks":1717,"data":1718},"We’ve seen how SaaS vendors' move to PLG has led to greater employee self-adoption of work apps that don’t require IT or Security to be involved. The direct consequence of this is that Security teams have lost process-driven visibility of their company’s SaaS estate. This problem is often called “Shadow SaaS.” It is also the first problem to solve -  the old adage “you can’t secure what you don’t know about” is as true in the SaaS world as it is in any other security domain.",[],{},{"nodeType":1294,"data":1720,"content":1721},{},[1722],{"nodeType":1293,"value":1723,"marks":1724,"data":1725},"The lack of visibility means many IT and security teams missed the explosion of SaaS apps, plugins, extensions, and integrations that make up the modern IT stack.  More crucially, they’ve missed the movement of company data into these apps. 
Complicating matters further, many of these apps are duplicate, abandoned or unmanaged - an issue often called “SaaS sprawl.”",[],{},{"nodeType":1460,"data":1727,"content":1731},{"target":1728},{"sys":1729},{"id":1730,"type":1465,"linkType":1466},"5NfrrDeIPs7TE213UYly7E",[],{"nodeType":1445,"data":1733,"content":1734},{},[1735],{"nodeType":1293,"value":1736,"marks":1737,"data":1738},"Increasing incidents and impacts",[],{},{"nodeType":1294,"data":1740,"content":1741},{},[1742],{"nodeType":1293,"value":1743,"marks":1744,"data":1745},"Though security teams have lost direct visibility, they’ve not lost complete visibility and many are finding out about at least a fraction of these apps - typically by working with finance teams once employees want apps to go from free-tier to licensed plans. And all too often, security teams find out about shadow SaaS apps in the worst way possible - when something has already gone wrong and security is asked to respond to an incident on a SaaS platform.",[],{},{"nodeType":1294,"data":1747,"content":1748},{},[1749],{"nodeType":1293,"value":1750,"marks":1751,"data":1752},"In both cases, security is getting visibility too late to be of much value. Once a team has been using an app (even on a free tier) for a year, there is very little Security can do that will convince them to move to a more secure app, or for multiple teams to use a single app. Typically, this intervention from Security needs to happen very early - long before finance is involved - in order to make a positive impact. ",[],{},{"nodeType":1294,"data":1754,"content":1755},{},[1756],{"nodeType":1293,"value":1757,"marks":1758,"data":1759},"Incident Response is necessary, of course, when a SaaS account is breached (or an ex-employee SaaS account that was never properly offboarded), but cannot recover the lost data after the proverbial horse has bolted. 
It’s now possible to get into the process early, so security teams can get ahead of the problem to reduce the risk.",[],{},{"nodeType":1294,"data":1761,"content":1762},{},[1763],{"nodeType":1293,"value":1764,"marks":1765,"data":1766},"Another situation that is increasingly pressing, and difficult for security teams to deal with is the increasingly regular: “App X has just had a major breach, are we using AppX, is any of our data there?” It’s an embarrassing situation to not be able to answer these questions.",[],{},{"nodeType":1445,"data":1768,"content":1769},{},[1770],{"nodeType":1293,"value":1771,"marks":1772,"data":1773},"Core problem",[],{},{"nodeType":1294,"data":1775,"content":1776},{},[1777,1781,1790],{"nodeType":1293,"value":1778,"marks":1779,"data":1780},"Once teams get visibility into the scope of the Shadow SaaS and sprawl problem, they find that Security no longer dictates the pace of adoption. They’re also typically surprised by the sheer volume of apps employees have adopted. A ",[],{},{"nodeType":1554,"data":1782,"content":1784},{"uri":1783},"https://ascendixtech.com/number-saas-companies-statistics/",[1785],{"nodeType":1293,"value":1786,"marks":1787,"data":1789},"report from Ascendix",[1788],{"type":1562},{},{"nodeType":1293,"value":1791,"marks":1792,"data":1793}," claims that “by the end of 2023, there will be anywhere from 30,000-72,000 SaaS companies in operation.” Clearly these aren’t all work apps or hyper specialized, but there should be no doubt that we aren’t talking about a few dozen apps being adopted.",[],{},{"nodeType":1294,"data":1795,"content":1796},{},[1797],{"nodeType":1293,"value":1798,"marks":1799,"data":1800},"Once teams get visibility of the pace that news apps are added they realize they need to risk assess dozens of apps a month instead of the dozen a year that were going through IT in the old, managed and controlled process. 
To deal with this massive influx of new apps, security teams feel they must either radically increase the headcount, cut corners or drastically increase acceptable risk levels for data security. None of these are pleasant options.",[],{},{"nodeType":1445,"data":1802,"content":1803},{},[1804],{"nodeType":1293,"value":1805,"marks":1806,"data":1807},"Temptation to revert to the old ways of block-first",[],{},{"nodeType":1294,"data":1809,"content":1810},{},[1811],{"nodeType":1293,"value":1812,"marks":1813,"data":1814},"When the idea of the options above proves daunting or impossible, Security often tries to revert to the old process - regain the ability to set the pace of adoption by re-establishing the gate. Practically, this means that you’re deploying technical controls to try block all SaaS apps until they are approved (and marked as allowed) by IT or Security. Cloud Access Security Brokers (CASBs) were built to do exactly this - help security teams control (and block) access to “unsanctioned” SaaS that IT hasn’t approved (incidentally I think this explains why the CASB segment has failed). ",[],{},{"nodeType":1294,"data":1816,"content":1817},{},[1818],{"nodeType":1293,"value":1819,"marks":1820,"data":1821},"Technically, this makes total sense. But the unforeseen consequence is that it positions Security as blockers (aka the “department of no”), and puts them at odds with the rest of the business, rather than working towards a shared goal. ",[],{},{"nodeType":1294,"data":1823,"content":1824},{},[1825,1829,1834],{"nodeType":1293,"value":1826,"marks":1827,"data":1828},"This block-everything-until-security-approves-it position requires incredible executive support to maintain. For all but the most risk-sensitive organizations (read .gov), this position also normalizes employee behavior to bypass Security in favor of working quickly and effectively. 
In the end, Security actually ",[],{},{"nodeType":1293,"value":1830,"marks":1831,"data":1833},"loses visibility",[1832],{"type":312},{},{"nodeType":1293,"value":1835,"marks":1836,"data":1837}," into employee SaaS use and effectively loses control, rather than locking it down. On behalf of all the employees out there, I want to make a point to say employees aren’t trying to break rules Security put in place, they’re just trying to get their jobs done, and might try and find ways around things they see as unreasonably slowing them down or preventing them from reaching their targets. Seen in this light, it’s no surprise that:",[],{},{"nodeType":1379,"data":1839,"content":1840},{},[1841,1851,1861],{"nodeType":1383,"data":1842,"content":1843},{},[1844],{"nodeType":1294,"data":1845,"content":1846},{},[1847],{"nodeType":1293,"value":1848,"marks":1849,"data":1850},"If you block websites, employees bypass network controls, ",[],{},{"nodeType":1383,"data":1852,"content":1853},{},[1854],{"nodeType":1294,"data":1855,"content":1856},{},[1857],{"nodeType":1293,"value":1858,"marks":1859,"data":1860},"if you block social logins, employees use passwords, ",[],{},{"nodeType":1383,"data":1862,"content":1863},{},[1864],{"nodeType":1294,"data":1865,"content":1866},{},[1867],{"nodeType":1293,"value":1868,"marks":1869,"data":1870},"if you stop them using work devices to sign up to apps, they use personal devices.",[],{},{"nodeType":1294,"data":1872,"content":1873},{},[1874],{"nodeType":1293,"value":1875,"marks":1876,"data":1879},"Each blocking action leads to a worse security outcome, and blinds the security team further - losing control rather than regaining it.",[1877,1878],{"type":312},{"type":1599},{},{"nodeType":1294,"data":1881,"content":1882},{},[1883],{"nodeType":1293,"value":1884,"marks":1885,"data":1886},"You can attempt to delay this process by blocking, or you can 
adapt.",[],{},{"nodeType":1445,"data":1888,"content":1889},{},[1890],{"nodeType":1293,"value":1891,"marks":1892,"data":1893},"Surely there’s a better way",[],{},{"nodeType":1294,"data":1895,"content":1896},{},[1897],{"nodeType":1293,"value":1898,"marks":1899,"data":1900},"Of course we think there’s a better way, or we wouldn’t have written this. And don’t call me Shirley. ",[],{},{"nodeType":1294,"data":1902,"content":1903},{},[1904],{"nodeType":1293,"value":1905,"marks":1906,"data":1907},"The first thing we need to do as an industry is agree that we don’t want to be the blockers. We don’t want to stop employees from self-adopting apps. We understand they are best placed to find and select the tools that are going to allow them to be more productive and help your company succeed. We need to embrace SaaS app self-adoption. Stop asking employees to adapt to fit our legacy processes and meet them halfway. Security can no longer be a gate with a default stance of “No, until.” Instead Security needs to be a business enablement partner that says “Yes, unless.”",[],{},{"nodeType":1445,"data":1909,"content":1910},{},[1911],{"nodeType":1293,"value":1912,"marks":1913,"data":1914},"Yes, unless?",[],{},{"nodeType":1294,"data":1916,"content":1917},{},[1918],{"nodeType":1293,"value":1919,"marks":1920,"data":1921},"To adapt to this new SaaS-first world, security must move from saying “No, until we’ve had time to fully vet and onboard this app officially” to “Yes! You can use that app, unless we quickly identify security risks that outweigh the value of the tool.” I understand this is deeply uncomfortable for many security practitioners (as it still is for me), but let me explain why I think this leads to a better long-term outcome.",[],{},{"nodeType":1294,"data":1923,"content":1924},{},[1925],{"nodeType":1293,"value":1926,"marks":1927,"data":1928},"Obviously, self-adoption of SaaS is fundamentally different to IT/Security adopted and managed from a risk perspective. 
With SaaS, there’s no giant commitment upfront. SaaS apps aren’t forever - quite the opposite! Apps aren’t just unused and not-adopted and then suddenly fully-adopted. Just like adopting software was a process for Security and IT back in the day, employees follow a (less rigid) process with SaaS - from testing > to using > to finding value > to inviting teammates, etc. The risk grows as we proceed through the adoption process as employees add more data into the app and integrate it with other apps. ",[],{},{"nodeType":1460,"data":1930,"content":1934},{"target":1931},{"sys":1932},{"id":1933,"type":1465,"linkType":1466},"2nzyuXDxjBGZN0YMvskGak",[],{"nodeType":1294,"data":1936,"content":1937},{},[1938],{"nodeType":1293,"value":1939,"marks":1940,"data":1941},"The upside for Security is that because SaaS adoption is a process over time, we can use that time to assess the risk of the app before it’s fully adopted, as long as we know about the app from the start. Luckily, many apps employees are using might ultimately be very low risk, so not every app will require a full security vetting like you would have done in the old-school process.",[],{},{"nodeType":1294,"data":1943,"content":1944},{},[1945],{"nodeType":1293,"value":1946,"marks":1947,"data":1948},"Our role as Security is to catch those apps that are high risk, either because the data going into them (or that will be) is high risk or because the app can perform some high-risk action (like managing your inventory or sending emails to customers or your behalf). Security can focus their efforts on these high-risk vendors and apps to make sure they can be trusted with their data. But the key thing is that Security needs to get involved early in the adoption process. 
",[],{},{"nodeType":1294,"data":1950,"content":1951},{},[1952],{"nodeType":1293,"value":1953,"marks":1954,"data":1955},"I’m getting into the details now - so this feels like a good time to take a step back and think about the elements that make up a SaaS security program.",[],{},{"nodeType":1322,"data":1957,"content":1958},{},[1959],{"nodeType":1293,"value":1960,"marks":1961,"data":1962},"What’s a good SaaS security program?",[],{},{"nodeType":1294,"data":1964,"content":1965},{},[1966],{"nodeType":1293,"value":1967,"marks":1968,"data":1969},"The shared-responsibility model between cloud platforms and their customers is a great place to start, as it helps customers understand what their responsibilities are, and which responsibilities they’re delegating to their cloud provider.",[],{},{"nodeType":1445,"data":1971,"content":1972},{},[1973],{"nodeType":1293,"value":1974,"marks":1975,"data":1976},"Delegate to the cloud provider when you can ",[],{},{"nodeType":1294,"data":1978,"content":1979},{},[1980,1984,1993],{"nodeType":1293,"value":1981,"marks":1982,"data":1983},"It’s ",[],{},{"nodeType":1554,"data":1985,"content":1987},{"uri":1986},"https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model",[1988],{"nodeType":1293,"value":1989,"marks":1990,"data":1992},"generally preferable",[1991],{"type":1562},{},{"nodeType":1293,"value":1994,"marks":1995,"data":1996}," to delegate as much responsibility as possible to the cloud provider, so it’s no surprise that the SaaS model is the most common and fastest growing sector.",[],{},{"nodeType":1294,"data":1998,"content":1999},{},[2000],{"nodeType":1293,"value":2001,"marks":2002,"data":2003},"The following summary table produced by the National Cyber Security Centre (NCSC) does a great job at showing how much of the balance of security responsibility is outsourced to the SaaS provider. 
For reference, IaaS = infrastructure-as-a-service; PaaS = platform-as-a-service; SaaS = software-as-a-service:",[],{},{"nodeType":1460,"data":2005,"content":2009},{"target":2006},{"sys":2007},{"id":2008,"type":1465,"linkType":1466},"17rMTpxgCAU5ropjkGIIjK",[],{"nodeType":1294,"data":2011,"content":2012},{},[2013],{"nodeType":1293,"value":2014,"marks":2015,"data":2016},"According to NCSC, the customer is responsible only for:",[],{},{"nodeType":1675,"data":2018,"content":2019},{},[2020,2030],{"nodeType":1383,"data":2021,"content":2022},{},[2023],{"nodeType":1294,"data":2024,"content":2025},{},[2026],{"nodeType":1293,"value":2027,"marks":2028,"data":2029},"The configuration of the SaaS app and ",[],{},{"nodeType":1383,"data":2031,"content":2032},{},[2033],{"nodeType":1294,"data":2034,"content":2035},{},[2036],{"nodeType":1293,"value":2037,"marks":2038,"data":2039},"Making sure that the identity and access control features provided by the vendor are used properly.",[],{},{"nodeType":1294,"data":2041,"content":2042},{},[2043],{"nodeType":1293,"value":2044,"marks":2045,"data":2046},"It’s worth pointing out here that the way application configuration is presented here is a bit of a red herring. The vast majority of SaaS apps (and especially self-adopted apps) allow very little, if any, configuration. Sure, the big core apps like Salesforce, Google Workspace, Microsoft 365 do (and often require a dedicated team or partner to run them), but they are highly unlikely to be self-adopted by employees.  
As far as configuration is concerned, Security teams will often be limited to enabling “force MFA for all users” or “disallow public sharing” type of controls that are accessible even to non-technical users.",[],{},{"nodeType":1294,"data":2048,"content":2049},{},[2050],{"nodeType":1293,"value":2051,"marks":2052,"data":2053},"For the vast majority of apps in the organization, Security’s responsibility will boil down to:",[],{},{"nodeType":1379,"data":2055,"content":2056},{},[2057,2067,2077],{"nodeType":1383,"data":2058,"content":2059},{},[2060],{"nodeType":1294,"data":2061,"content":2062},{},[2063],{"nodeType":1293,"value":2064,"marks":2065,"data":2066},"Account security, i.e. making sure MFA and SSO (where available) is in place. ",[],{},{"nodeType":1383,"data":2068,"content":2069},{},[2070],{"nodeType":1294,"data":2071,"content":2072},{},[2073],{"nodeType":1293,"value":2074,"marks":2075,"data":2076},"Ensuring  employees are using strong passwords, especially if MFA and/or SSO aren’t available.",[],{},{"nodeType":1383,"data":2078,"content":2079},{},[2080],{"nodeType":1294,"data":2081,"content":2082},{},[2083],{"nodeType":1293,"value":2084,"marks":2085,"data":2086},"Removing external accounts (and accounts for those that have left the company) when no longer needed.",[],{},{"nodeType":1294,"data":2088,"content":2089},{},[2090],{"nodeType":1293,"value":2091,"marks":2092,"data":2093},"Isn’t it risky to delegate responsibility? While delegating security responsibilities is great and takes a huge load off your team, we do, unfortunately, need to consider who we’re delegating it to. Those gray boxes in the diagram above need to be taken care of.",[],{},{"nodeType":1294,"data":2095,"content":2096},{},[2097],{"nodeType":1293,"value":2098,"marks":2099,"data":2100},"This is what’s sometimes understood as “supply chain” security. 
You need to trust the SaaS vendor to uphold their end of the bargain and, more often than not, also the SaaS/cloud vendors they use (their sub-processors) as well.",[],{},{"nodeType":1294,"data":2102,"content":2103},{},[2104],{"nodeType":1293,"value":2105,"marks":2106,"data":2107},"This sounds a lot scarier than it is and in practice many SaaS vendors do a great job, with many providing easy-to-audit, externally-verified, policies through a framework such as SOC2, and most do regular penetration tests and have bug bounty programs etc.",[],{},{"nodeType":1294,"data":2109,"content":2110},{},[2111],{"nodeType":1293,"value":2112,"marks":2113,"data":2114},"There are exceptions when it makes sense to think more carefully about whether a third party can be trusted. Common reasons Push customers have cited for not trusting third parties include; ",[],{},{"nodeType":1379,"data":2116,"content":2117},{},[2118],{"nodeType":1383,"data":2119,"content":2120},{},[2121],{"nodeType":1294,"data":2122,"content":2123},{},[2124],{"nodeType":1293,"value":2125,"marks":2126,"data":2127},"The data going into these apps is simply too high risk. Many organizations have very sensitive customer information or intellectual property that they simply aren’t willing to entrust to a third party. Many don’t trust a third party with administrative access to the systems where this data is held.",[],{},{"nodeType":1294,"data":2129,"content":2130},{},[2131],{"nodeType":1293,"value":2132,"marks":2133,"data":2134},"If the data in the app, or the access the app has represents some significant (but not unacceptable) risk, you may also care about:",[],{},{"nodeType":1379,"data":2136,"content":2137},{},[2138,2186,2196],{"nodeType":1383,"data":2139,"content":2140},{},[2141],{"nodeType":1294,"data":2142,"content":2143},{},[2144,2148,2157,2161,2170,2173,2182],{"nodeType":1293,"value":2145,"marks":2146,"data":2147},"Vendors who’ve had a string of repeated breaches or security incidents. 
This is troubling because it’s a fairly common pattern for attackers to breach apps in ways that don’t impact customer information, but then use the information they learn from these breaches to launch far more successful breaches in future. Consider the string of breaches at ",[],{},{"nodeType":1554,"data":2149,"content":2151},{"uri":2150},"https://www.bleepingcomputer.com/search/?q=lastpass+breach",[2152],{"nodeType":1293,"value":2153,"marks":2154,"data":2156},"LastPass",[2155],{"type":1562},{},{"nodeType":1293,"value":2158,"marks":2159,"data":2160},", ",[],{},{"nodeType":1554,"data":2162,"content":2164},{"uri":2163},"https://www.bleepingcomputer.com/search/?q=okta+breach",[2165],{"nodeType":1293,"value":2166,"marks":2167,"data":2169},"Okta",[2168],{"type":1562},{},{"nodeType":1293,"value":2158,"marks":2171,"data":2172},[],{},{"nodeType":1554,"data":2174,"content":2176},{"uri":2175},"https://www.bleepingcomputer.com/search/?q=twilio+breach",[2177],{"nodeType":1293,"value":2178,"marks":2179,"data":2181},"Twilio",[2180],{"type":1562},{},{"nodeType":1293,"value":2183,"marks":2184,"data":2185}," (and many others) or as a typical example of this.",[],{},{"nodeType":1383,"data":2187,"content":2188},{},[2189],{"nodeType":1294,"data":2190,"content":2191},{},[2192],{"nodeType":1293,"value":2193,"marks":2194,"data":2195},"Products that don’t offer adequate security features. Customers expect features such as MFA, SSO (either social login through OIDC or, ideally, SAML), and the ability to enforce these controls. This is especially important on platforms where the data is high-risk.",[],{},{"nodeType":1383,"data":2197,"content":2198},{},[2199],{"nodeType":1294,"data":2200,"content":2201},{},[2202],{"nodeType":1293,"value":2203,"marks":2204,"data":2205},"The vendor operates in a sanctioned country or may not have the resources to adequately protect your data. 
Clearly vendors operating from (or that have close ties with) sanctioned or politically-complicated countries represent additional risk, as do vendors that are “one man bands” or are so small that it is hard to imagine they can afford to spend significant resources on security.",[],{},{"nodeType":1445,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2212},"The two questions you need to ask to assess risk ",[],{},{"nodeType":1294,"data":2214,"content":2215},{},[2216],{"nodeType":1293,"value":2217,"marks":2218,"data":2219},"The essence of the shared-responsibility model can summarized as two questions:",[],{},{"nodeType":1675,"data":2221,"content":2222},{},[2223,2233],{"nodeType":1383,"data":2224,"content":2225},{},[2226],{"nodeType":1294,"data":2227,"content":2228},{},[2229],{"nodeType":1293,"value":2230,"marks":2231,"data":2232},"Should we be using this app?",[],{},{"nodeType":1383,"data":2234,"content":2235},{},[2236],{"nodeType":1294,"data":2237,"content":2238},{},[2239],{"nodeType":1293,"value":2240,"marks":2241,"data":2242},"Are we using it securely?",[],{},{"nodeType":1460,"data":2244,"content":2248},{"target":2245},{"sys":2246},{"id":2247,"type":1465,"linkType":1466},"ToDXz2MBbEygwtJjiIKRX",[],{"nodeType":1294,"data":2250,"content":2251},{},[2252],{"nodeType":1293,"value":2253,"marks":2254,"data":2255},"A successful SaaS security program must address both these questions. We can’t spend all our time doing risk assessments and due diligence exercises on our supply chain while dropping the ball on account security. 
Similarly, we can’t just focus on making sure all accounts have MFA in place when the vendor is leaving the back door open.",[],{},{"nodeType":1322,"data":2257,"content":2258},{},[2259],{"nodeType":1293,"value":2260,"marks":2261,"data":2262},"When shared responsibility goes wrong",[],{},{"nodeType":1294,"data":2264,"content":2265},{},[2266],{"nodeType":1293,"value":2267,"marks":2268,"data":2269},"The following is an extract of some well-covered recent(ish) breaches of SaaS companies. As we go through it, pay attention to which side is dropping the ball in terms of the shared responsibility. The same organization can be:",[],{},{"nodeType":1379,"data":2271,"content":2272},{},[2273,2283,2293],{"nodeType":1383,"data":2274,"content":2275},{},[2276],{"nodeType":1294,"data":2277,"content":2278},{},[2279],{"nodeType":1293,"value":2280,"marks":2281,"data":2282},"the source of a breach, ",[],{},{"nodeType":1383,"data":2284,"content":2285},{},[2286],{"nodeType":1294,"data":2287,"content":2288},{},[2289],{"nodeType":1293,"value":2290,"marks":2291,"data":2292},"the ultimate target that motivated a breach at a partner that was a softer target, ",[],{},{"nodeType":1383,"data":2294,"content":2295},{},[2296],{"nodeType":1294,"data":2297,"content":2298},{},[2299],{"nodeType":1293,"value":2300,"marks":2301,"data":2302},"or simply the unlucky victim of a breach further down its supply chain.",[],{},{"nodeType":1294,"data":2304,"content":2305},{},[2306],{"nodeType":1293,"value":2307,"marks":2308,"data":2309},"That’s the thing about supply chain attacks, organizations are the attacker’s stepping stones. Where they are in the attack chain determines how we label their victims. 
",[],{},{"nodeType":2311,"data":2312,"content":2313},"table",{},[2314,2341,2422,2479,2522,2648],{"nodeType":2315,"data":2316,"content":2317},"table-row",{},[2318,2330],{"nodeType":2319,"data":2320,"content":2321},"table-cell",{},[2322],{"nodeType":1294,"data":2323,"content":2324},{},[2325],{"nodeType":1293,"value":2326,"marks":2327,"data":2329},"Date",[2328],{"type":1599},{},{"nodeType":2319,"data":2331,"content":2332},{},[2333],{"nodeType":1294,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2340},"SaaS attack",[2339],{"type":1599},{},{"nodeType":2315,"data":2342,"content":2343},{},[2344,2354],{"nodeType":2319,"data":2345,"content":2346},{},[2347],{"nodeType":1294,"data":2348,"content":2349},{},[2350],{"nodeType":1293,"value":2351,"marks":2352,"data":2353},"April 2021",[],{},{"nodeType":2319,"data":2355,"content":2356},{},[2357,2385],{"nodeType":1294,"data":2358,"content":2359},{},[2360,2363,2372,2376,2381],{"nodeType":1293,"value":37,"marks":2361,"data":2362},[],{},{"nodeType":1554,"data":2364,"content":2366},{"uri":2365},"https://about.codecov.io/security-update/",[2367],{"nodeType":1293,"value":2368,"marks":2369,"data":2371},"Backdoors inserted into some Codecov.io",[2370],{"type":1562},{},{"nodeType":1293,"value":2373,"marks":2374,"data":2375}," (a software development SaaS) tools after a credential breach grants access to their ",[],{},{"nodeType":1293,"value":2377,"marks":2378,"data":2380},"Google Cloud Project",[2379],{"type":1599},{},{"nodeType":1293,"value":2382,"marks":2383,"data":2384}," (cloud infrastructure SaaS).  
",[],{},{"nodeType":1294,"data":2386,"content":2387},{},[2388,2392,2401,2405,2410,2414,2418],{"nodeType":1293,"value":2389,"marks":2390,"data":2391},"This breach ",[],{},{"nodeType":1554,"data":2393,"content":2395},{"uri":2394},"https://www.twilio.com/blog/response-to-the-codecov-vulnerability",[2396],{"nodeType":1293,"value":2397,"marks":2398,"data":2400},"affected multiple customers",[2399],{"type":1562},{},{"nodeType":1293,"value":2402,"marks":2403,"data":2404},", including ",[],{},{"nodeType":1293,"value":2406,"marks":2407,"data":2409},"Atlassian",[2408],{"type":1599},{},{"nodeType":1293,"value":2411,"marks":2412,"data":2413}," (a developer and collaboration SaaS platform) and ",[],{},{"nodeType":1293,"value":2178,"marks":2415,"data":2417},[2416],{"type":1599},{},{"nodeType":1293,"value":2419,"marks":2420,"data":2421}," (communications tooling SaaS company).  ",[],{},{"nodeType":2315,"data":2423,"content":2424},{},[2425,2435],{"nodeType":2319,"data":2426,"content":2427},{},[2428],{"nodeType":1294,"data":2429,"content":2430},{},[2431],{"nodeType":1293,"value":2432,"marks":2433,"data":2434},"Jan 2022",[],{},{"nodeType":2319,"data":2436,"content":2437},{},[2438],{"nodeType":1294,"data":2439,"content":2440},{},[2441,2445,2449,2458,2462,2467,2471,2475],{"nodeType":1293,"value":2166,"marks":2442,"data":2444},[2443],{"type":1599},{},{"nodeType":1293,"value":2446,"marks":2447,"data":2448}," (identity provider SaaS) ",[],{},{"nodeType":1554,"data":2450,"content":2452},{"uri":2451},"https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/",[2453],{"nodeType":1293,"value":2454,"marks":2455,"data":2457},"systems breached",[2456],{"type":1562},{},{"nodeType":1293,"value":2459,"marks":2460,"data":2461}," through a breach at ",[],{},{"nodeType":1293,"value":2463,"marks":2464,"data":2466},"Sitel",[2465],{"type":1599},{},{"nodeType":1293,"value":2468,"marks":2469,"data":2470},", a support partner - attackers got access to Okta’s instances of 
",[],{},{"nodeType":1293,"value":2406,"marks":2472,"data":2474},[2473],{"type":1599},{},{"nodeType":1293,"value":2476,"marks":2477,"data":2478}," Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce.  ",[],{},{"nodeType":2315,"data":2480,"content":2481},{},[2482,2492],{"nodeType":2319,"data":2483,"content":2484},{},[2485],{"nodeType":1294,"data":2486,"content":2487},{},[2488],{"nodeType":1293,"value":2489,"marks":2490,"data":2491},"March 2022",[],{},{"nodeType":2319,"data":2493,"content":2494},{},[2495],{"nodeType":1294,"data":2496,"content":2497},{},[2498,2502,2506,2510,2519],{"nodeType":1293,"value":2499,"marks":2500,"data":2501},"“0ktapus” phishing toolkit targeting ",[],{},{"nodeType":1293,"value":2166,"marks":2503,"data":2505},[2504],{"type":1599},{},{"nodeType":1293,"value":2507,"marks":2508,"data":2509}," customers ",[],{},{"nodeType":1554,"data":2511,"content":2513},{"uri":2512},"https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/",[2514],{"nodeType":1293,"value":2515,"marks":2516,"data":2518},"is released",[2517],{"type":1562},{},{"nodeType":1293,"value":37,"marks":2520,"data":2521},[],{},{"nodeType":2315,"data":2523,"content":2524},{},[2525,2535],{"nodeType":2319,"data":2526,"content":2527},{},[2528],{"nodeType":1294,"data":2529,"content":2530},{},[2531],{"nodeType":1293,"value":2532,"marks":2533,"data":2534},"Aug 2022",[],{},{"nodeType":2319,"data":2536,"content":2537},{},[2538,2579,2606,2621,2641],{"nodeType":1294,"data":2539,"content":2540},{},[2541,2545,2549,2553,2557,2566,2570,2575],{"nodeType":1293,"value":2178,"marks":2542,"data":2544},[2543],{"type":1599},{},{"nodeType":1293,"value":2546,"marks":2547,"data":2548}," (one such ",[],{},{"nodeType":1293,"value":2166,"marks":2550,"data":2552},[2551],{"type":1599},{},{"nodeType":1293,"value":2554,"marks":2555,"data":2556}," customer) 
",[],{},{"nodeType":1554,"data":2558,"content":2560},{"uri":2559},"https://www.twilio.com/blog/august-2022-social-engineering-attack",[2561],{"nodeType":1293,"value":2562,"marks":2563,"data":2565},"was again breached",[2564],{"type":1562},{},{"nodeType":1293,"value":2567,"marks":2568,"data":2569}," and attackers used access to one of their products (",[],{},{"nodeType":1293,"value":2571,"marks":2572,"data":2574},"Authy",[2573],{"type":1599},{},{"nodeType":1293,"value":2576,"marks":2577,"data":2578},", an MFA mobile app) to bypass MFA for some of their customers. ",[],{},{"nodeType":1294,"data":2580,"content":2581},{},[2582,2586,2590,2593,2602],{"nodeType":1293,"value":2583,"marks":2584,"data":2585},"Attackers appear to also have used ",[],{},{"nodeType":1293,"value":2178,"marks":2587,"data":2589},[2588],{"type":1599},{},{"nodeType":1293,"value":1596,"marks":2591,"data":2592},[],{},{"nodeType":1554,"data":2594,"content":2596},{"uri":2595},"https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/",[2597],{"nodeType":1293,"value":2598,"marks":2599,"data":2601},"to gain access to SMS’s",[2600],{"type":1562},{},{"nodeType":1293,"value":2603,"marks":2604,"data":2605}," that were delivering Okta MFA codes to customers: ",[],{},{"nodeType":1294,"data":2607,"content":2608},{},[2609,2613,2617],{"nodeType":1293,"value":2610,"marks":2611,"data":2612},"This leads to a breach at",[],{},{"nodeType":1293,"value":1596,"marks":2614,"data":2616},[2615],{"type":1599},{},{"nodeType":1293,"value":2618,"marks":2619,"data":2620},"Mailchimp (email marketing SaaS), which in turn affects many upstream customers like Digital Ocean (infrastructure hosting SaaS) and Signal Messenger",[],{},{"nodeType":1294,"data":2622,"content":2623},{},[2624,2628,2637],{"nodeType":1293,"value":2625,"marks":2626,"data":2627},"Klaviyo (another email marketing SaaS) 
",[],{},{"nodeType":1554,"data":2629,"content":2631},{"uri":2630},"https://www.bleepingcomputer.com/news/security/email-marketing-firm-hacked-to-steal-crypto-focused-mailing-lists/",[2632],{"nodeType":1293,"value":2633,"marks":2634,"data":2636},"is also impacted",[2635],{"type":1562},{},{"nodeType":1293,"value":2638,"marks":2639,"data":2640},". ",[],{},{"nodeType":1294,"data":2642,"content":2643},{},[2644],{"nodeType":1293,"value":2645,"marks":2646,"data":2647},"Breaches on these email marketing SaaS apps lead to even more downstream breaches for customers in finance and crypto spaces, such as Trezor, Edge Wallet, Cointelegraph, Ethereum FESP, Messari and Decrypt.",[],{},{"nodeType":2315,"data":2649,"content":2650},{},[2651,2661],{"nodeType":2319,"data":2652,"content":2653},{},[2654],{"nodeType":1294,"data":2655,"content":2656},{},[2657],{"nodeType":1293,"value":2658,"marks":2659,"data":2660},"Sept and Dec 2022",[],{},{"nodeType":2319,"data":2662,"content":2663},{},[2664],{"nodeType":1294,"data":2665,"content":2666},{},[2667,2671,2680,2684,2688,2692,2707],{"nodeType":1293,"value":2668,"marks":2669,"data":2670},"Product source code ",[],{},{"nodeType":1554,"data":2672,"content":2674},{"uri":2673},"https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/",[2675],{"nodeType":1293,"value":2676,"marks":2677,"data":2679},"stolen from the Github repositories",[2678],{"type":1562},{},{"nodeType":1293,"value":2681,"marks":2682,"data":2683}," of ",[],{},{"nodeType":1293,"value":2166,"marks":2685,"data":2687},[2686],{"type":1599},{},{"nodeType":1293,"value":2689,"marks":2690,"data":2691}," and 
",[],{},{"nodeType":1554,"data":2693,"content":2695},{"uri":2694},"https://www.bleepingcomputer.com/news/security/auth0-warns-that-some-source-code-repos-may-have-been-stolen/",[2696,2702],{"nodeType":1293,"value":2697,"marks":2698,"data":2701},"Auth0",[2699,2700],{"type":1562},{"type":1599},{},{"nodeType":1293,"value":2703,"marks":2704,"data":2706}," (an Okta subsidiary",[2705],{"type":1562},{},{"nodeType":1293,"value":2708,"marks":2709,"data":2710}," that is also an identity provider SaaS platform)",[],{},{"nodeType":1294,"data":2712,"content":2713},{},[2714],{"nodeType":1293,"value":2715,"marks":2716,"data":2717},"This is a very shallow summary of a small sample of events during this time frame, but it’s interesting how interrelated these SaaS services are. Many are part of each other’s supply chains (for example, Twilio is targeted as an Okta customer itself, and used to compromise Okta customer MFA codes that are delivered by Twilio to other Okta customers) and so breaches in one SaaS have rippling effects that sometimes take months or even years to materialize after a breach occurs.",[],{},{"nodeType":1294,"data":2719,"content":2720},{},[2721,2725,2733],{"nodeType":1293,"value":2722,"marks":2723,"data":2724},"There’s an interesting trend to call out here: breaches at a SaaS vendor appear to lead to (or correlate with) further breaches, such as the string of breaches at ",[],{},{"nodeType":1554,"data":2726,"content":2728},{"uri":2727},"https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html",[2729],{"nodeType":1293,"value":2153,"marks":2730,"data":2732},[2731],{"type":1562},{},{"nodeType":1293,"value":2734,"marks":2735,"data":2736},". 
But it’s incredibly unclear how to balance the risk of using these vendors, especially when some of these companies (like Okta) are a big part of many organizations’ security strategies.",[],{},{"nodeType":1294,"data":2738,"content":2739},{},[2740],{"nodeType":1293,"value":2741,"marks":2742,"data":2743},"Ultimately, though… ",[],{},{"nodeType":1294,"data":2745,"content":2746},{},[2747],{"nodeType":1293,"value":2748,"marks":2749,"data":2752},"The root of most of these networks of supply chain attacks is simple account compromises. ",[2750,2751],{"type":1599},{"type":312},{},{"nodeType":1294,"data":2754,"content":2755},{},[2756,2760,2765],{"nodeType":1293,"value":2757,"marks":2758,"data":2759},"While most organizations think of the supply chain aspect (should we be using this app?) as the majority of the problem, or at least the first problem to solve - ",[],{},{"nodeType":1293,"value":2761,"marks":2762,"data":2764},"account security",[2763],{"type":312},{},{"nodeType":1293,"value":2766,"marks":2767,"data":2768}," is ultimately at the heart of the problem. A developer or support engineer with a weak password or missing MFA is all it takes for them to get phished, kicking off this string of attacks. Unlike the complex supply chain risk questions, account security issues are straightforward to fix. We’d be a whole lot closer to securing the whole supply chain if we could improve account security for all employees across all the SaaS apps they use. 
",[],{},{"nodeType":1322,"data":2770,"content":2771},{},[2772],{"nodeType":1293,"value":2773,"marks":2774,"data":2775},"Where do we go from here?",[],{},{"nodeType":1294,"data":2777,"content":2778},{},[2779],{"nodeType":1293,"value":2780,"marks":2781,"data":2782},"So we’ve discussed the domino-like string of effects from SaaS sales, to PLG, to self-adoption, to shadow SaaS, to growing SaaS risks and the news stories we read about.",[],{},{"nodeType":1294,"data":2784,"content":2785},{},[2786],{"nodeType":1293,"value":2787,"marks":2788,"data":2789},"We’ve unpacked the shared responsibility model - and I hope I’ve convinced you that we need to look at both the supply chain and account security side equally (and in parallel!) to manage this risk. ",[],{},"SaaS sprawl isn't a problem - if you completely change your approach","Employees using a new work app used to be the final step of the software-onboarding process. Now it's the first. Security must adapt to secure business data. \n","2023-06-22T00:00:00.000Z","saas-has-changed-how-we-adopt-software-how-should-security-adapt",{"items":2795},[2796,2800],{"sys":2797,"name":2799},{"id":2798},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2801,"name":1310},{"id":1309},{"items":2803},[2804],{"fullName":2805,"firstName":2806,"jobTitle":2807,"profilePicture":2808},"Jacques Louw","Jacques","Co-founder / 
CRO",{"url":2809},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":1314,"sys":2811,"content":2813,"title":4371,"synopsis":4372,"hashTags":118,"publishedDate":4373,"slug":4374,"tagsCollection":4375,"authorsCollection":4381},{"id":2812},"tkUfN6TKuYyVNYDpsGWrE",{"json":2814},{"nodeType":1295,"data":2815,"content":2816},{},[2817,2823,2844,2851,2858,2870,2877,2884,2927,2934,2941,2946,2953,2960,2967,2972,2995,3002,3009,3016,3023,3030,3139,3146,3153,3160,3173,3180,3187,3194,3201,3207,3214,3221,3228,3234,3242,3249,3256,3263,3270,3277,3284,3290,3297,3304,3311,3318,3324,3331,3374,3380,3387,3410,3417,3440,3447,3454,3461,3468,3475,3585,3591,3598,3607,3614,3621,3628,3635,3642,3649,3655,3662,3669,3689,3696,3703,3710,3716,3723,3730,3737,3770,3777,3784,3791,3798,3805,3812,3819,3826,3833,3840,3883,3890,3896,3918,3925,3932,3939,3946,3953,3960,3967,3974,3981,3988,3995,4002,4009,4050,4057,4064,4080,4096,4103,4110,4117,4124,4131,4138,4145,4152,4159,4165,4172,4179,4185,4192,4199,4206,4213,4222,4229,4236,4299,4305,4312,4319,4325,4332,4339,4346,4352,4364],{"nodeType":1322,"data":2818,"content":2819},{},[2820],{"nodeType":1293,"value":1326,"marks":2821,"data":2822},[],{},{"nodeType":1294,"data":2824,"content":2825},{},[2826,2830,2840],{"nodeType":1293,"value":2827,"marks":2828,"data":2829},"Here’s hoping you’ve read my previous blog: ",[],{},{"nodeType":2831,"data":2832,"content":2835},"entry-hyperlink",{"target":2833},{"sys":2834},{"id":1316,"type":1465,"linkType":1466},[2836],{"nodeType":1293,"value":2790,"marks":2837,"data":2839},[2838],{"type":312},{},{"nodeType":1293,"value":2841,"marks":2842,"data":2843},"If you haven’t, the key takeaway of that piece is that SaaS vendors have changed how software is adopted into a business. 
Now, the majority of SaaS vendors build their products on a product-led growth model - which simply means they want users (your employees) to self-adopt their apps, start using them (and integrating with your data to do so), and become a useful tool for the employee. ",[],{},{"nodeType":1294,"data":2845,"content":2846},{},[2847],{"nodeType":1293,"value":2848,"marks":2849,"data":2850},"Vendors want to bypass the security and IT software-onboarding processes we’d all gotten used to in the past. They know if they prove their tool is valuable with the user from the start, it’s much easier and quicker for them to gain traction and customers than it was waiting for security and IT teams to audit (and potentially refuse) their software.",[],{},{"nodeType":1294,"data":2852,"content":2853},{},[2854],{"nodeType":1293,"value":2855,"marks":2856,"data":2857},"This self-adoption has turned the product-adoption process on its head - leaving security and IT teams blind to which apps sensitive company data is flowing into. 
",[],{},{"nodeType":1294,"data":2859,"content":2860},{},[2861,2866],{"nodeType":1293,"value":2862,"marks":2863,"data":2865},"How do you make sure your data stays secure in this new software-adoption flow?",[2864],{"type":1599},{},{"nodeType":1293,"value":2867,"marks":2868,"data":2869}," ",[],{},{"nodeType":1294,"data":2871,"content":2872},{},[2873],{"nodeType":1293,"value":2874,"marks":2875,"data":2876},"In this book, we’ll offer some practical guidance on how to manage supply chain risk without slowing down the business.",[],{},{"nodeType":1294,"data":2878,"content":2879},{},[2880],{"nodeType":1293,"value":2881,"marks":2882,"data":2883},"We’ll cover how to:",[],{},{"nodeType":1379,"data":2885,"content":2886},{},[2887,2897,2907,2917],{"nodeType":1383,"data":2888,"content":2889},{},[2890],{"nodeType":1294,"data":2891,"content":2892},{},[2893],{"nodeType":1293,"value":2894,"marks":2895,"data":2896},"Split SaaS risk into supply chain risk and account compromise risk so you can tackle them in parallel.",[],{},{"nodeType":1383,"data":2898,"content":2899},{},[2900],{"nodeType":1294,"data":2901,"content":2902},{},[2903],{"nodeType":1293,"value":2904,"marks":2905,"data":2906},"Tap into the SaaS self adoption process in real time so you can manage supply chain risk without being a blocker. 
",[],{},{"nodeType":1383,"data":2908,"content":2909},{},[2910],{"nodeType":1294,"data":2911,"content":2912},{},[2913],{"nodeType":1293,"value":2914,"marks":2915,"data":2916},"How to prioritize account security controls and prevent the most common SaaS attacks.",[],{},{"nodeType":1383,"data":2918,"content":2919},{},[2920],{"nodeType":1294,"data":2921,"content":2922},{},[2923],{"nodeType":1293,"value":2924,"marks":2925,"data":2926},"Better choose a SaaS security product by looking at the data these tools are built on.",[],{},{"nodeType":1322,"data":2928,"content":2929},{},[2930],{"nodeType":1293,"value":2931,"marks":2932,"data":2933},"\nThe two halves of SaaS Security",[],{},{"nodeType":1294,"data":2935,"content":2936},{},[2937],{"nodeType":1293,"value":2938,"marks":2939,"data":2940},"It’s useful to consider the shared-responsibility model to understand the two main parts of SaaS security. Consider the following diagram that shows the customer’s responsibility in various as-a-Service models:",[],{},{"nodeType":1460,"data":2942,"content":2945},{"target":2943},{"sys":2944},{"id":2008,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":2947,"content":2948},{},[2949],{"nodeType":1293,"value":2950,"marks":2951,"data":2952},"In this SaaS model, we’re delegating a lot of responsibility for security to the vendor. That’s great because it takes the load off of us - the customer - and the vendor is better placed to secure their software. However, this requires far greater trust in the vendor.",[],{},{"nodeType":1294,"data":2954,"content":2955},{},[2956],{"nodeType":1293,"value":2957,"marks":2958,"data":2959},"While we’re offloading a lot to the SaaS vendor, we aren’t offloading everything. 
You still need to take care of your responsibilities, limited as they are!",[],{},{"nodeType":1294,"data":2961,"content":2962},{},[2963],{"nodeType":1293,"value":2964,"marks":2965,"data":2966},"This gets us to the two halves of SaaS security:",[],{},{"nodeType":1460,"data":2968,"content":2971},{"target":2969},{"sys":2970},{"id":2247,"type":1465,"linkType":1466},[],{"nodeType":1379,"data":2973,"content":2974},{},[2975,2985],{"nodeType":1383,"data":2976,"content":2977},{},[2978],{"nodeType":1294,"data":2979,"content":2980},{},[2981],{"nodeType":1293,"value":2982,"marks":2983,"data":2984},"Supply chain risk - can you trust the product, the vendor, and the vendor’s sub processors to secure your data and the access you grant them to your systems?",[],{},{"nodeType":1383,"data":2986,"content":2987},{},[2988],{"nodeType":1294,"data":2989,"content":2990},{},[2991],{"nodeType":1293,"value":2992,"marks":2993,"data":2994},"Customer responsibility - how can you make sure you’re using the product securely? 
You’ll need to focus here specifically on account security and application configuration.",[],{},{"nodeType":1294,"data":2996,"content":2997},{},[2998],{"nodeType":1293,"value":2999,"marks":3000,"data":3001},"Let’s look at each of these in turn.",[],{},{"nodeType":1322,"data":3003,"content":3004},{},[3005],{"nodeType":1293,"value":3006,"marks":3007,"data":3008},"Manage supply-chain risk",[],{},{"nodeType":1294,"data":3010,"content":3011},{},[3012],{"nodeType":1293,"value":3013,"marks":3014,"data":3015},"Security due diligence or app risk assessments are typically how you answer the question “should we use this app?” These are standard processes for most organizations as part of a software procurement process.",[],{},{"nodeType":1294,"data":3017,"content":3018},{},[3019],{"nodeType":1293,"value":3020,"marks":3021,"data":3022},"However, security no longer controls the cadence of software adoption - employees are self-adopting the tools they want without oversight - so we must work to find serious risks as soon as possible once the self-adoption process begins (normally by the first employee creating an account on the app).",[],{},{"nodeType":1294,"data":3024,"content":3025},{},[3026],{"nodeType":1293,"value":3027,"marks":3028,"data":3029},"The security relevant areas of this risk assessment can typically be broken into:",[],{},{"nodeType":1379,"data":3031,"content":3032},{},[3033,3066,3129],{"nodeType":1383,"data":3034,"content":3035},{},[3036,3043],{"nodeType":1294,"data":3037,"content":3038},{},[3039],{"nodeType":1293,"value":3040,"marks":3041,"data":3042},"Product risk ",[],{},{"nodeType":1379,"data":3044,"content":3045},{},[3046,3056],{"nodeType":1383,"data":3047,"content":3048},{},[3049],{"nodeType":1294,"data":3050,"content":3051},{},[3052],{"nodeType":1293,"value":3053,"marks":3054,"data":3055},"Does the product have the necessary security features (MFA, SSO, etc.) 
to protect our data, and ",[],{},{"nodeType":1383,"data":3057,"content":3058},{},[3059],{"nodeType":1294,"data":3060,"content":3061},{},[3062],{"nodeType":1293,"value":3063,"marks":3064,"data":3065},"Has the product security been technically verified (e.g. through a third party penetration test)?",[],{},{"nodeType":1383,"data":3067,"content":3068},{},[3069,3076],{"nodeType":1294,"data":3070,"content":3071},{},[3072],{"nodeType":1293,"value":3073,"marks":3074,"data":3075},"Vendor risk ",[],{},{"nodeType":1379,"data":3077,"content":3078},{},[3079,3089,3099,3109,3119],{"nodeType":1383,"data":3080,"content":3081},{},[3082],{"nodeType":1294,"data":3083,"content":3084},{},[3085],{"nodeType":1293,"value":3086,"marks":3087,"data":3088},"Does the vendor have the resources to secure the product? ",[],{},{"nodeType":1383,"data":3090,"content":3091},{},[3092],{"nodeType":1294,"data":3093,"content":3094},{},[3095],{"nodeType":1293,"value":3096,"marks":3097,"data":3098},"Have they invested in a security team and implemented appropriate security processes?",[],{},{"nodeType":1383,"data":3100,"content":3101},{},[3102],{"nodeType":1294,"data":3103,"content":3104},{},[3105],{"nodeType":1293,"value":3106,"marks":3107,"data":3108},"Have those processes been independently audited (e.g. SOC2)? 
",[],{},{"nodeType":1383,"data":3110,"content":3111},{},[3112],{"nodeType":1294,"data":3113,"content":3114},{},[3115],{"nodeType":1293,"value":3116,"marks":3117,"data":3118},"Does the vendor operate in a high risk region?",[],{},{"nodeType":1383,"data":3120,"content":3121},{},[3122],{"nodeType":1294,"data":3123,"content":3124},{},[3125],{"nodeType":1293,"value":3126,"marks":3127,"data":3128},"Does the vendor have a history of repeated security incidents?",[],{},{"nodeType":1383,"data":3130,"content":3131},{},[3132],{"nodeType":1294,"data":3133,"content":3134},{},[3135],{"nodeType":1293,"value":3136,"marks":3137,"data":3138},"Vendor sub processors - the majority of SaaS applications are build on other *-as-a-Service platforms. These vendors are also part of your supply chain. Just because you don’t directly use a tool or app doesn’t mean you’re not affected when they’re popped. Realistically, you’re probably not going to be able to go very deep here, but when you’re wondering whether you’re affected by a breach in the news, you may want to know whether your vendors are using the affected SaaS app. ",[],{},{"nodeType":1294,"data":3140,"content":3141},{},[3142],{"nodeType":1293,"value":3143,"marks":3144,"data":3145},"Ultimately, how much you care about any of the above comes down to the risk of the data in the application or the level of access you grant this application into the rest of your infrastructure (often through integrations with other SaaS apps). 
",[],{},{"nodeType":1294,"data":3147,"content":3148},{},[3149],{"nodeType":1293,"value":3150,"marks":3151,"data":3152},"Therefore, a useful first step to knowing where to prioritize your time is to understand the sensitivity of the data and access granted to the app (or that will likely be granted by employees in future to make the app work as expected).",[],{},{"nodeType":1294,"data":3154,"content":3155},{},[3156],{"nodeType":1293,"value":3157,"marks":3158,"data":3159},"For self-adopted SaaS apps, aspects that are typically very important for software procurement like legal agreements (terms and conditions, master service agreements etc.), spend (through licensing cost etc.), and uptime and availability (SLAs etc.) are typically dealt with after the app has been adopted. Often, this comes up once employees need to upgrade to a paid account or higher license tier, or once it makes financial sense to commit to longer term agreements. ",[],{},{"nodeType":1294,"data":3161,"content":3162},{},[3163,3167],{"nodeType":1293,"value":3164,"marks":3165,"data":3166},"For that reason, ",[],{},{"nodeType":1293,"value":3168,"marks":3169,"data":3172},"I recommend you keep the security risk assessment focused on the direct security aspects initially so you reduce the work required to ask “is there a security reason to stop our employees from using this app right now?”",[3170,3171],{"type":1599},{"type":312},{},{"nodeType":1294,"data":3174,"content":3175},{},[3176],{"nodeType":1293,"value":3177,"marks":3178,"data":3179},"All of the above is relatively straightforward advice, but there are some very practical non-obvious lessons learned from others who've walked this path already that are worth highlighting, so let’s jump into those.",[],{},{"nodeType":1445,"data":3181,"content":3182},{},[3183],{"nodeType":1293,"value":3184,"marks":3185,"data":3186},"Focus on the new stuff 
first",[],{},{"nodeType":1294,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":3191,"marks":3192,"data":3193},"It’s both technically, and politically, very difficult to migrate users away from apps, especially when users have invested significant time into setting up an app and love how it works. It’s hard to spend the goodwill you’ve built up on something like this unless there really is a truly unacceptable risk or compliance issue.",[],{},{"nodeType":1294,"data":3195,"content":3196},{},[3197],{"nodeType":1293,"value":3198,"marks":3199,"data":3200},"There is an exception to this - if you get in before employees have sunk too much time and effort into an app they are far more open to input and steering. This is why we recommend that you focus your risk assessment efforts on new apps and integrations, rather than spending the majority of your time working through the backlog of already-adopted work apps.",[],{},{"nodeType":1460,"data":3202,"content":3206},{"target":3203},{"sys":3204},{"id":3205,"type":1465,"linkType":1466},"49tL50Pga47pnhp1WMHfPY",[],{"nodeType":1294,"data":3208,"content":3209},{},[3210],{"nodeType":1293,"value":3211,"marks":3212,"data":3213},"If you focus on apps that are still in the testing phases, it's much easier to steer the course towards lower-risk alternatives or pump the brakes when there really is significant risk to the business.",[],{},{"nodeType":1322,"data":3215,"content":3216},{},[3217],{"nodeType":1293,"value":3218,"marks":3219,"data":3220},"Buy yourself time",[],{},{"nodeType":1294,"data":3222,"content":3223},{},[3224],{"nodeType":1293,"value":3225,"marks":3226,"data":3227},"Remember, even the newest apps will only be new for a brief time. Once employees have invested significant time into an app (learning how it works, putting data into it, etc) they will be resistant to considering alternatives and will push to accept risks and make exceptions to policies rather than moving to an alternative app. 
This is just natural, but it does mean that there is a clock running for you and your team as soon as an employee creates an account on a new SaaS app.",[],{},{"nodeType":1460,"data":3229,"content":3233},{"target":3230},{"sys":3231},{"id":3232,"type":1465,"linkType":1466},"6HzSQ8wPVn9RfDSFWGaCh8",[],{"nodeType":1294,"data":3235,"content":3236},{},[3237],{"nodeType":1293,"value":3238,"marks":3239,"data":3241},"Your goal is to give your security team as much time as possible to assess the app before the employee decides for sure they want to use it for work. ",[3240],{"type":1599},{},{"nodeType":1294,"data":3243,"content":3244},{},[3245],{"nodeType":1293,"value":3246,"marks":3247,"data":3248},"It’s far less useful if you discover an app once the team is talking to finance about upgrading to a paid subscription. At that point, so much time and effort has been invested that it’s very difficult to motivate employees/teams to move to a lower-risk app. In this scenario, you’ll be stuck in a “let’s do as much as we can to secure this” mode, which isn’t ideal.",[],{},{"nodeType":1294,"data":3250,"content":3251},{},[3252],{"nodeType":1293,"value":3253,"marks":3254,"data":3255},"The way to give the security team as much time as possible is to reduce the delta between an employee signing up for an account and the IT and security teams finding out about it. You need a way to find out about new apps being adopted in real-time or within hours, rather than days or weeks. 
The tools to do this exist, but more on how you should choose the right tool in the “importance of choosing the right data source” section.",[],{},{"nodeType":1445,"data":3257,"content":3258},{},[3259],{"nodeType":1293,"value":3260,"marks":3261,"data":3262},"You need accurate data to take action",[],{},{"nodeType":1294,"data":3264,"content":3265},{},[3266],{"nodeType":1293,"value":3267,"marks":3268,"data":3269},"To discover SaaS apps and simply inventory which apps are being used for reporting purposes, you won’t need perfect accuracy and you’ll be able to live with some false positives.",[],{},{"nodeType":1294,"data":3271,"content":3272},{},[3273],{"nodeType":1293,"value":3274,"marks":3275,"data":3276},"Most security teams start out just by getting visibility of what SaaS is being used across their business. Then you know what you’re dealing with. The downside is that you’ll want to use this data to spin off a risk assessment process. If you are kicking off risk assessments based on false positives, that’s just pure wasted effort.",[],{},{"nodeType":1294,"data":3278,"content":3279},{},[3280],{"nodeType":1293,"value":3281,"marks":3282,"data":3283},"You will likely also want to get in touch with the employee that adopted the app, for example to understand their intended use-case and the data that might be going into the app. Employees will also notice quickly if the security team can’t tell the difference between accessing an app website or using an app and get annoyed with the interruptions from your team.",[],{},{"nodeType":1460,"data":3285,"content":3289},{"target":3286},{"sys":3287},{"id":3288,"type":1465,"linkType":1466},"5winuguRBMaNKNnkDakMWv",[],{"nodeType":1294,"data":3291,"content":3292},{},[3293],{"nodeType":1293,"value":3294,"marks":3295,"data":3296},"Many tools will use things like scanning employee email inboxes or network-level data to “discover employee SaaS use,” but this leads to a frustrating rate of false positives for your team. 
If the security team needs to first confirm if a data point is a false-positive through some unspecified process, then that seriously increases the work needed to take action. ",[],{},{"nodeType":1294,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3303},"At the risk of sounding like a broken record, accurate data is the thing that turns this problem from something that’s impossible to something which is manageable, even at scale.",[],{},{"nodeType":1322,"data":3305,"content":3306},{},[3307],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"Customer responsibility for self-adopted SaaS",[],{},{"nodeType":1294,"data":3312,"content":3313},{},[3314],{"nodeType":1293,"value":3315,"marks":3316,"data":3317},"As a reminder, I’m referring in this section to your responsibility as a customer (highlighted in purple) in terms of NCSC’s shared-responsibility model shown below:",[],{},{"nodeType":1460,"data":3319,"content":3323},{"target":3320},{"sys":3321},{"id":3322,"type":1465,"linkType":1466},"4jeDpoYQzPmg5TFApeopSA",[],{"nodeType":1294,"data":3325,"content":3326},{},[3327],{"nodeType":1293,"value":3328,"marks":3329,"data":3330},"Let’s start with the bulk of the work, which for self-adopted SaaS is account security. 
This includes all the usual suspects like ensuring that you’re:",[],{},{"nodeType":1379,"data":3332,"content":3333},{},[3334,3344,3354,3364],{"nodeType":1383,"data":3335,"content":3336},{},[3337],{"nodeType":1294,"data":3338,"content":3339},{},[3340],{"nodeType":1293,"value":3341,"marks":3342,"data":3343},"Enabling MFA for all accounts",[],{},{"nodeType":1383,"data":3345,"content":3346},{},[3347],{"nodeType":1294,"data":3348,"content":3349},{},[3350],{"nodeType":1293,"value":3351,"marks":3352,"data":3353},"Encouraging employees to use strong passwords (ideally through a password manager)",[],{},{"nodeType":1383,"data":3355,"content":3356},{},[3357],{"nodeType":1294,"data":3358,"content":3359},{},[3360],{"nodeType":1293,"value":3361,"marks":3362,"data":3363},"Using SSO, where possible and practical",[],{},{"nodeType":1383,"data":3365,"content":3366},{},[3367],{"nodeType":1294,"data":3368,"content":3369},{},[3370],{"nodeType":1293,"value":3371,"marks":3372,"data":3373},"Reviewing access delegated to third-parties (through e.g. OAuth integrations) ",[],{},{"nodeType":1460,"data":3375,"content":3379},{"target":3376},{"sys":3377},{"id":3378,"type":1465,"linkType":1466},"2T7DtBRBBITb4Wy8unQHZV",[],{"nodeType":1294,"data":3381,"content":3382},{},[3383],{"nodeType":1293,"value":3384,"marks":3385,"data":3386},"In contrast to SaaS apps like Office 365 or Salesforce that are extraordinarily configurable and often have teams managing and securing them, there’s some mixed news when it comes to self-adopted SaaS apps. The bad news is that many of these apps provide virtually no security features or configurable settings that can be hardened. The good news is that this means there is now very little work to do here. 
When they exist, configuration settings are typically around:",[],{},{"nodeType":1379,"data":3388,"content":3389},{},[3390,3400],{"nodeType":1383,"data":3391,"content":3392},{},[3393],{"nodeType":1294,"data":3394,"content":3395},{},[3396],{"nodeType":1293,"value":3397,"marks":3398,"data":3399},"Forcing the above controls for all users (e.g. force MFA)",[],{},{"nodeType":1383,"data":3401,"content":3402},{},[3403],{"nodeType":1294,"data":3404,"content":3405},{},[3406],{"nodeType":1293,"value":3407,"marks":3408,"data":3409},"Configuring external or public-sharing settings",[],{},{"nodeType":1294,"data":3411,"content":3412},{},[3413],{"nodeType":1293,"value":3414,"marks":3415,"data":3416},"Finally, though not mentioned explicitly in the NCSC’s version of the shared-responsibility model, it’s worth remembering that things go wrong even if all the above is in place. That’s where security monitoring comes in. In practice, though, few self-adopted SaaS apps offer audit trails or similar options that can be integrated with SIEM infrastructure. However, you can monitor things like:",[],{},{"nodeType":1379,"data":3418,"content":3419},{},[3420,3430],{"nodeType":1383,"data":3421,"content":3422},{},[3423],{"nodeType":1294,"data":3424,"content":3425},{},[3426],{"nodeType":1293,"value":3427,"marks":3428,"data":3429},"Breached passwords in password dumps (think haveibeenpwned.com)",[],{},{"nodeType":1383,"data":3431,"content":3432},{},[3433],{"nodeType":1294,"data":3434,"content":3435},{},[3436],{"nodeType":1293,"value":3437,"marks":3438,"data":3439},"Typical post-exploitation or persistence techniques (e.g. OAuth integrations or API keys being created, forwarding rules, etc.)",[],{},{"nodeType":1294,"data":3441,"content":3442},{},[3443],{"nodeType":1293,"value":3444,"marks":3445,"data":3446},"These are the controls that fall into that “easy to understand, easy to recommend, but pretty hard to do at scale” category. 
Very few organizations have account security controls in place across the bulk of SaaS apps, and especially the apps that were self-adopted. The reality is that most companies still don’t even know about those self-adopted apps. So where should we start?",[],{},{"nodeType":1294,"data":3448,"content":3449},{},[3450],{"nodeType":1293,"value":3451,"marks":3452,"data":3453},"I think the most sane approach is to avoid speculation and focus on the techniques that are actually being used to attack SaaS apps today. I’ll cut to the chase - it’s credential stuffing we need to prevent. ",[],{},{"nodeType":1445,"data":3455,"content":3456},{},[3457],{"nodeType":1293,"value":3458,"marks":3459,"data":3460},"Start with preventing credential stuffing",[],{},{"nodeType":1294,"data":3462,"content":3463},{},[3464],{"nodeType":1293,"value":3465,"marks":3466,"data":3467},"The most common attack against SaaS today is credential stuffing – where attackers use tools that automate the process of taking a list of breached passwords (from public password dumps or traded on underground crime marketplaces) and retargeting those credentials against different apps. ",[],{},{"nodeType":1294,"data":3469,"content":3470},{},[3471],{"nodeType":1293,"value":3472,"marks":3473,"data":3474},"Slightly more sophisticated attackers might even try expanding their targets by using marketing and advertising services to match private accounts to work accounts in case employees re-used similar passwords. In the example for acme.com in the graphic below, we see how this plays out to get access to a company’s MailChimp. At this point, attackers are able to start sending scam emails to your customers from your domain in emails that look completely legit. 
This type of attack, where compromised SaaS apps are used to send customers malicious emails, is something we’ve seen play out a few times recently:",[],{},{"nodeType":1379,"data":3476,"content":3477},{},[3478,3500,3521,3543,3564],{"nodeType":1383,"data":3479,"content":3480},{},[3481],{"nodeType":1294,"data":3482,"content":3483},{},[3484,3488,3497],{"nodeType":1293,"value":3485,"marks":3486,"data":3487},"In this ",[],{},{"nodeType":1554,"data":3489,"content":3491},{"uri":3490},"https://www.bleepingcomputer.com/news/security/chipotle-s-marketing-account-hacked-to-send-phishing-emails/",[3492],{"nodeType":1293,"value":3493,"marks":3494,"data":3496},"Chipotle attack",[3495],{"type":1562},{},{"nodeType":1293,"value":37,"marks":3498,"data":3499},[],{},{"nodeType":1383,"data":3501,"content":3502},{},[3503],{"nodeType":1294,"data":3504,"content":3505},{},[3506,3509,3518],{"nodeType":1293,"value":3485,"marks":3507,"data":3508},[],{},{"nodeType":1554,"data":3510,"content":3512},{"uri":3511},"https://www.bleepingcomputer.com/news/security/doordash-discloses-new-data-breach-tied-to-twilio-hackers/",[3513],{"nodeType":1293,"value":3514,"marks":3515,"data":3517},"DoorDash attack",[3516],{"type":1562},{},{"nodeType":1293,"value":37,"marks":3519,"data":3520},[],{},{"nodeType":1383,"data":3522,"content":3523},{},[3524],{"nodeType":1294,"data":3525,"content":3526},{},[3527,3531,3540],{"nodeType":1293,"value":3528,"marks":3529,"data":3530},"In this",[],{},{"nodeType":1554,"data":3532,"content":3534},{"uri":3533},"https://www.bleepingcomputer.com/news/security/namecheaps-email-hacked-to-send-metamask-dhl-phishing-emails/",[3535],{"nodeType":1293,"value":3536,"marks":3537,"data":3539}," attack against domain registrar 
NameCheap",[3538],{"type":1562},{},{"nodeType":1293,"value":37,"marks":3541,"data":3542},[],{},{"nodeType":1383,"data":3544,"content":3545},{},[3546],{"nodeType":1294,"data":3547,"content":3548},{},[3549,3552,3561],{"nodeType":1293,"value":3485,"marks":3550,"data":3551},[],{},{"nodeType":1554,"data":3553,"content":3555},{"uri":3554},"https://www.bleepingcomputer.com/news/security/hacked-sendgrid-accounts-used-in-phishing-attacks-to-steal-logins/",[3556],{"nodeType":1293,"value":3557,"marks":3558,"data":3560},"SendGrid attack",[3559],{"type":1562},{},{"nodeType":1293,"value":37,"marks":3562,"data":3563},[],{},{"nodeType":1383,"data":3565,"content":3566},{},[3567],{"nodeType":1294,"data":3568,"content":3569},{},[3570,3573,3582],{"nodeType":1293,"value":3485,"marks":3571,"data":3572},[],{},{"nodeType":1554,"data":3574,"content":3576},{"uri":3575},"https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/",[3577],{"nodeType":1293,"value":3578,"marks":3579,"data":3581},"MailChimp attack",[3580],{"type":1562},{},{"nodeType":1293,"value":37,"marks":3583,"data":3584},[],{},{"nodeType":1460,"data":3586,"content":3590},{"target":3587},{"sys":3588},{"id":3589,"type":1465,"linkType":1466},"o6eDG116P2tdWdq4oNllR",[],{"nodeType":1294,"data":3592,"content":3593},{},[3594],{"nodeType":1293,"value":3595,"marks":3596,"data":3597},"PLG and the increase in employee-adopted apps has led to employees creating more accounts, on more apps and without the guiding hand of security to make sure strong identity and access controls are in place. ",[],{},{"nodeType":1294,"data":3599,"content":3600},{},[3601],{"nodeType":1293,"value":3602,"marks":3603,"data":3606},"Opportunistic attackers now have a huge, unmonitored attack surface to target using low effort/cost techniques that generate reliable results for them. 
",[3604,3605],{"type":1599},{"type":312},{},{"nodeType":1445,"data":3608,"content":3609},{},[3610],{"nodeType":1293,"value":3611,"marks":3612,"data":3613},"Why SSO is not the answer to our SaaS account security prayers",[],{},{"nodeType":1294,"data":3615,"content":3616},{},[3617],{"nodeType":1293,"value":3618,"marks":3619,"data":3620},"Many security teams are leaning on SSO to address this issue. They’ll require that apps used in their company use SSO, specifically SAML (Security Assertion Markup Language) before they can be approved or used. This works really, really well for the apps that provide this functionality. It’s the gold standard for authentication. ",[],{},{"nodeType":1294,"data":3622,"content":3623},{},[3624],{"nodeType":1293,"value":3625,"marks":3626,"data":3627},"With SAML SSO, there’s just one account, just one password, and you can centrally deprovision accounts when employees leave the organization. In fact, you’re probably already paying for a SAML IdP (Identity Provider) like Google Directory or Azure AD. Many others are using tools like Okta.   ",[],{},{"nodeType":1294,"data":3629,"content":3630},{},[3631],{"nodeType":1293,"value":3632,"marks":3633,"data":3634},"There’s one obvious point we need to make here: SSO isn’t going to help you discover which apps employees are using. 
But, once you discover them and determine they support SAML, you can integrate them with your solution.",[],{},{"nodeType":1294,"data":3636,"content":3637},{},[3638],{"nodeType":1293,"value":3639,"marks":3640,"data":3641},"But here lies the problem…when we reviewed 500 of the most popular apps that Push supports, we found that: ",[],{},{"nodeType":1445,"data":3643,"content":3644},{},[3645],{"nodeType":1293,"value":3646,"marks":3647,"data":3648},"Only around 30% of apps offer SSO and, of those, very few make it available on their lower-priced tiers.",[],{},{"nodeType":1460,"data":3650,"content":3654},{"target":3651},{"sys":3652},{"id":3653,"type":1465,"linkType":1466},"56nd8Na4I0efwOf9pfmB8s",[],{"nodeType":1294,"data":3656,"content":3657},{},[3658],{"nodeType":1293,"value":3659,"marks":3660,"data":3661},"We also noticed that the more modern, newer apps were less likely to offer SAML support than the larger, more established business apps. So if your strategy is to block access to any app that doesn’t offer SSO integrations, you’re going to have to block the majority of self-adopted apps your employees are using. ",[],{},{"nodeType":1294,"data":3663,"content":3664},{},[3665],{"nodeType":1293,"value":3666,"marks":3667,"data":3668},"There are some other complications and nuances around SAML. Sometimes the SAML integration will only cover one tenant or instance and not the entire app. In this case, every time you find a new workspace or instance, you need to integrate it again. Worse, you can often only integrate one workspace or instance with your SAML IdP. 
",[],{},{"nodeType":1294,"data":3670,"content":3671},{},[3672,3676,3685],{"nodeType":1293,"value":3673,"marks":3674,"data":3675},"Then there’s the ethically dubious issue of “",[],{},{"nodeType":1554,"data":3677,"content":3679},{"uri":3678},"https://sso.tax/",[3680],{"nodeType":1293,"value":3681,"marks":3682,"data":3684},"SSO tax",[3683],{"type":1562},{},{"nodeType":1293,"value":3686,"marks":3687,"data":3688},"” where vendors that do offer SSO reserve it only for their enterprise tiers designed for organizations buying huge volumes of licenses, which makes this impractical for many if not most of us.",[],{},{"nodeType":1445,"data":3690,"content":3691},{},[3692],{"nodeType":1293,"value":3693,"marks":3694,"data":3695},"A game plan for preventing credential stuffing",[],{},{"nodeType":1294,"data":3697,"content":3698},{},[3699],{"nodeType":1293,"value":3700,"marks":3701,"data":3702},"I like the idea of going passwordless as much as the next security person, but that’s not practical for many apps right now. So we’re going to rely on passwords as well, at least for the foreseeable future. 
Strong, unique passwords, coupled with MFA, are very effective identity and access controls, so it’s not the end of the world.",[],{},{"nodeType":1294,"data":3704,"content":3705},{},[3706],{"nodeType":1293,"value":3707,"marks":3708,"data":3709},"To prevent credential stuffing attacks (and a whole host of other attacks to boot) you will need to implement the following controls:",[],{},{"nodeType":1460,"data":3711,"content":3715},{"target":3712},{"sys":3713},{"id":3714,"type":1465,"linkType":1466},"JU64Zj7eiqS1s5OfWmZyo",[],{"nodeType":1294,"data":3717,"content":3718},{},[3719],{"nodeType":1293,"value":3720,"marks":3721,"data":3722},"It’s useful to note from the requirements that you must be in a position to discover SaaS apps being onboarded, but also discover how these apps are accessed.",[],{},{"nodeType":1294,"data":3724,"content":3725},{},[3726],{"nodeType":1293,"value":3727,"marks":3728,"data":3729},"There’s only one place where we can get data about who is using which SaaS apps, as well as the ability to inspect passwords and check MFA status for each user. And that’s in the employee’s browsers.",[],{},{"nodeType":1294,"data":3731,"content":3732},{},[3733],{"nodeType":1293,"value":3734,"marks":3735,"data":3736},"This is the reason we have chosen to build our solution using a browser extension. 
It allows us to:",[],{},{"nodeType":1379,"data":3738,"content":3739},{},[3740,3750,3760],{"nodeType":1383,"data":3741,"content":3742},{},[3743],{"nodeType":1294,"data":3744,"content":3745},{},[3746],{"nodeType":1293,"value":3747,"marks":3748,"data":3749},"Observe username and password logins, ",[],{},{"nodeType":1383,"data":3751,"content":3752},{},[3753],{"nodeType":1294,"data":3754,"content":3755},{},[3756],{"nodeType":1293,"value":3757,"marks":3758,"data":3759},"Assess their strength and whether they are being shared or reused, and ",[],{},{"nodeType":1383,"data":3761,"content":3762},{},[3763],{"nodeType":1294,"data":3764,"content":3765},{},[3766],{"nodeType":1293,"value":3767,"marks":3768,"data":3769},"Allow security teams to fix any accounts that don’t meet their policies or expectations.",[],{},{"nodeType":1294,"data":3771,"content":3772},{},[3773],{"nodeType":1293,"value":3774,"marks":3775,"data":3776},"More on that in a moment, but first, the last piece of advice:",[],{},{"nodeType":1322,"data":3778,"content":3779},{},[3780],{"nodeType":1293,"value":3781,"marks":3782,"data":3783},"Tackle risk assessment and account security in parallel",[],{},{"nodeType":1294,"data":3785,"content":3786},{},[3787],{"nodeType":1293,"value":3788,"marks":3789,"data":3790},"Quite often when I talk to security leaders, they’re fixated on supply chain risk and the risk of account compromise is an afterthought. This is understandable - these are the attacks that are widely reported, and require high-level decision making, so this feels like the natural first step. They’re aware that employees are using unvetted apps, but they don’t feel like they’re in a position to secure the employee account until they have identified and vetted all the apps in use. ",[],{},{"nodeType":1294,"data":3792,"content":3793},{},[3794],{"nodeType":1293,"value":3795,"marks":3796,"data":3797},"It seems logical to want to approve apps first and then secure the accounts. 
It might make sense if you are starting from zero; however, when organizations get visibility of SaaS apps in use, they usually see hundreds on the list that employees are already using. In this case, waiting to get through the entire backlog of app risk assessment first is counterproductive. Regardless of whether an app is approved yet, if it’s in use there is the risk of an attacker compromising a weak employee account with a credential stuffing attack, which is arguably a greater risk than a SaaS vendor being compromised in a supply chain attack. That’s because attacks against employee SaaS accounts are more common, just reported less often than supply chain attacks.",[],{},{"nodeType":1294,"data":3799,"content":3800},{},[3801],{"nodeType":1293,"value":3802,"marks":3803,"data":3804},"The best way to bring down as much SaaS risk as quickly as possible is to tackle both streams independently and in parallel. But to do this, you need the right tools.  ",[],{},{"nodeType":1294,"data":3806,"content":3807},{},[3808],{"nodeType":1293,"value":3809,"marks":3810,"data":3811},"Push collects usage data from the same place we collect account security data so we can also identify password and MFA data about the employee’s SaaS account. We don’t require you to integrate Push with each app you discover. Instead, usage and security data are collected at the same time we’re discovering the app because we’re using a browser extension. The extension gives us relevant security context so you can address both risks together. 
On that note, let’s dig into the data that SaaS security tools use.",[],{},{"nodeType":1322,"data":3813,"content":3814},{},[3815],{"nodeType":1293,"value":3816,"marks":3817,"data":3818},"Choose the right data source",[],{},{"nodeType":1294,"data":3820,"content":3821},{},[3822],{"nodeType":1293,"value":3823,"marks":3824,"data":3825},"Since we’ve moved from a world in which we as security teams got visibility through process (IT or procurement) to a world where we rely on technology to give us that visibility (for e.g. self-adopted apps) - we’re going to need tooling, and that’s where things get complicated.",[],{},{"nodeType":1294,"data":3827,"content":3828},{},[3829],{"nodeType":1293,"value":3830,"marks":3831,"data":3832},"The list of SaaS security product categories and tools is growing almost weekly, from Cloud Access Security Broker (CASBs), Security Service Edge (SSEs), SaaS Security Posture Management (SSPMs) and any number of other new buzzwords. The only thing growing faster is the promises they make, so it’s no surprise that it’s very difficult to identify solutions that can actually deliver what’s required.",[],{},{"nodeType":1294,"data":3834,"content":3835},{},[3836],{"nodeType":1293,"value":3837,"marks":3838,"data":3839},"One critical factor to consider when choosing tooling is the data that these tools build on. 
The requirements we’ve identified for doing SaaS security in the previous section are that we need to be able to:",[],{},{"nodeType":1379,"data":3841,"content":3842},{},[3843,3853,3863,3873],{"nodeType":1383,"data":3844,"content":3845},{},[3846],{"nodeType":1294,"data":3847,"content":3848},{},[3849],{"nodeType":1293,"value":3850,"marks":3851,"data":3852},"Discover new SaaS apps being adopted (and self-adopted).",[],{},{"nodeType":1383,"data":3854,"content":3855},{},[3856],{"nodeType":1294,"data":3857,"content":3858},{},[3859],{"nodeType":1293,"value":3860,"marks":3861,"data":3862},"Keep a low rate of false positives; in other words, we need to be able to tell the difference between, for example, accessing a SaaS app website and actually logging into the app.",[],{},{"nodeType":1383,"data":3864,"content":3865},{},[3866],{"nodeType":1294,"data":3867,"content":3868},{},[3869],{"nodeType":1293,"value":3870,"marks":3871,"data":3872},"Get insight into the identities or accounts used to access these apps - we need to know which users are authenticating to these apps and how (SSO, Social Logins, Local passwords)",[],{},{"nodeType":1383,"data":3874,"content":3875},{},[3876],{"nodeType":1294,"data":3877,"content":3878},{},[3879],{"nodeType":1293,"value":3880,"marks":3881,"data":3882},"Identify account security issues such as disabled MFA, weak, reused and breached passwords.",[],{},{"nodeType":1294,"data":3884,"content":3885},{},[3886],{"nodeType":1293,"value":3887,"marks":3888,"data":3889},"The following is a summary of the most common data sources SaaS security tools are built on, and how they stack up in terms of the requirements above:",[],{},{"nodeType":1460,"data":3891,"content":3895},{"target":3892},{"sys":3893},{"id":3894,"type":1465,"linkType":1466},"E8ThSCqbNNa9nggaKE3p1",[],{"nodeType":1294,"data":3897,"content":3898},{},[3899,3903,3914],{"nodeType":1293,"value":3900,"marks":3901,"data":3902},"Each data source has pros and cons, but let’s take a look at the most 
common sources to see what the high-level trade-offs are. We’ve got a short ",[],{},{"nodeType":2831,"data":3904,"content":3908},{"target":3905},{"sys":3906},{"id":3907,"type":1465,"linkType":1466},"45iZ69EdPF4629gZ6yf7p5",[3909],{"nodeType":1293,"value":3910,"marks":3911,"data":3913},"blog post ",[3912],{"type":1562},{},{"nodeType":1293,"value":3915,"marks":3916,"data":3917},"on this topic if you want to share with your teammates and peers.",[],{},{"nodeType":1445,"data":3919,"content":3920},{},[3921],{"nodeType":1293,"value":3922,"marks":3923,"data":3924},"Financial records",[],{},{"nodeType":1294,"data":3926,"content":3927},{},[3928],{"nodeType":1293,"value":3929,"marks":3930,"data":3931},"Looking through invoices can provide some visibility into paid SaaS apps, which is why it has a very low false positive rate. However, there are blind spots - you won’t see any free tier or trial accounts, nor will you get any useful business context about who’s using it, how they’re using it, if logins are secure, and what data it has access to. That said, it’s a quick and dirty way to get a partial view of SaaS usage and might be the best place to start. ",[],{},{"nodeType":1294,"data":3933,"content":3934},{},[3935],{"nodeType":1293,"value":3936,"marks":3937,"data":3938},"The main downside of using finance as a data source is that it will discover apps very slowly, most apps will only move to a paid tier once employees have already been using the app for a while on free-tier and have become reliant enough on it that they need additional features or users. 
This is often too late to steer these users to a different app if there are critical risks identified with the app or vendor.",[],{},{"nodeType":1445,"data":3940,"content":3941},{},[3942],{"nodeType":1293,"value":3943,"marks":3944,"data":3945},"Email analytics",[],{},{"nodeType":1294,"data":3947,"content":3948},{},[3949],{"nodeType":1293,"value":3950,"marks":3951,"data":3952},"You can look at all the emails every employee receives and match these emails to different SaaS apps and vendors and based on that information make some statistical guesses about which employees are using which apps. This improves on finance records in a significant metric - speed of detection, but the trade-off is a high rate of false positives. One aspect that email detection is great for that isn’t included in the table is the ability to detect historic SaaS apps.",[],{},{"nodeType":1294,"data":3954,"content":3955},{},[3956],{"nodeType":1293,"value":3957,"marks":3958,"data":3959},"Unfortunately, except for some very limited edge cases it’s not possible to broadly detect account security issues using email, so at best this is a first-step data source.",[],{},{"nodeType":1445,"data":3961,"content":3962},{},[3963],{"nodeType":1293,"value":3964,"marks":3965,"data":3966},"Network data",[],{},{"nodeType":1294,"data":3968,"content":3969},{},[3970],{"nodeType":1293,"value":3971,"marks":3972,"data":3973},"This is the old-school approach that tools like CASBs use to do SaaS discovery, taking data from edge devices like firewalls, proxies, or DNS relays. This makes it very difficult to implement for companies that are distributed and cloud-native. 
There are now solutions that are more appropriate for distributed teams that work either by collecting network data from the endpoint with an agent, or perhaps your organization is very office-based and has excellent network telemetry - in which case these solutions might be easier to deploy.",[],{},{"nodeType":1294,"data":3975,"content":3976},{},[3977],{"nodeType":1293,"value":3978,"marks":3979,"data":3980},"While network data is relatively well understood, it’s not a great source for discovering SaaS use (as opposed to detecting when an employee simply accesses SaaS app websites - false positives galore) or for finding account security issues. It’s useful to get an idea of which apps might be used and indications on who might be using the app. But network data doesn’t provide the level of detail needed to discover account security issues. This is why CASB solutions have almost all started including API integrations to augment this data and make it useful - though this has its own problems.",[],{},{"nodeType":1294,"data":3982,"content":3983},{},[3984],{"nodeType":1293,"value":3985,"marks":3986,"data":3987},"If you’re looking to get a quick outline of which SaaS may be in use, a finance or email-based solution would likely be much easier to deploy and more cost effective. If you want to discover and remediate problems and actually reduce SaaS risk, you need to look elsewhere.",[],{},{"nodeType":1445,"data":3989,"content":3990},{},[3991],{"nodeType":1293,"value":3992,"marks":3993,"data":3994},"Application API data",[],{},{"nodeType":1294,"data":3996,"content":3997},{},[3998],{"nodeType":1293,"value":3999,"marks":4000,"data":4001},"Many of the more established SaaS apps (especially those that are almost Platform-as-a-Service or PaaS) like 365, Salesforce, Slack, Github etc. offer APIs that expose security-relevant data. 
For apps that do support these APIs, this is an amazing data source that typically provides the ability to extract user-lists or check that account security controls like MFA are enabled for all users, or list third-party integrations. Audit log feeds also provide a useful data source for ingestion into SIEM systems. ",[],{},{"nodeType":1294,"data":4003,"content":4004},{},[4005],{"nodeType":1293,"value":4006,"marks":4007,"data":4008},"However, APIs as a data source for doing SaaS security have 2 major limitations:",[],{},{"nodeType":1675,"data":4010,"content":4011},{},[4012,4031],{"nodeType":1383,"data":4013,"content":4014},{},[4015],{"nodeType":1294,"data":4016,"content":4017},{},[4018,4022,4027],{"nodeType":1293,"value":4019,"marks":4020,"data":4021},"No discovery features. ",[],{},{"nodeType":1293,"value":4023,"marks":4024,"data":4026},"You must already know that an app is in use",[4025],{"type":1599},{},{"nodeType":1293,"value":4028,"marks":4029,"data":4030}," (or more specifically know about every app tenant in use) before you can integrate it with your SaaS security solutions (typically SSPM tools). This means you need some other data source to discover SaaS apps and tenants.",[],{},{"nodeType":1383,"data":4032,"content":4033},{},[4034],{"nodeType":1294,"data":4035,"content":4036},{},[4037,4041,4046],{"nodeType":1293,"value":4038,"marks":4039,"data":4040},"Lack of support. 
These APIs are typically available ",[],{},{"nodeType":1293,"value":4042,"marks":4043,"data":4045},"only for “core” SaaS platforms",[4044],{"type":1599},{},{"nodeType":1293,"value":4047,"marks":4048,"data":4049},", and only a very small minority of the types of SaaS apps employees might self-adopt will offer these security monitoring integrations.",[],{},{"nodeType":1445,"data":4051,"content":4052},{},[4053],{"nodeType":1293,"value":4054,"marks":4055,"data":4056},"Browser extensions",[],{},{"nodeType":1294,"data":4058,"content":4059},{},[4060],{"nodeType":1293,"value":4061,"marks":4062,"data":4063},"The idea behind using browser extensions for SaaS security is simple: if all the data you care about monitoring exists in your employees’ browsers, let’s analyze the data in the browser. Browser extensions allow you to deeply inspect users' interactions with SaaS apps. This means you can get close to perfect accuracy in terms of discovering which apps are in-use (vs browsing the website) because you can actually observe the login process directly. ",[],{},{"nodeType":1294,"data":4065,"content":4066},{},[4067,4071,4076],{"nodeType":1293,"value":4068,"marks":4069,"data":4070},"Since you observe the login process with the extension, it’s easy to discover account security issues like weak passwords or missing MFA. You can also tell when employees are logging into apps without using SSO. Best of all, you don’t need to create a dragnet and collect all this data centrally, creating a privacy nightmare; instead ",[],{},{"nodeType":1293,"value":4072,"marks":4073,"data":4075},"you can analyze this data where it already exists, inside the safe confines of the browser sandbox",[4074],{"type":1599},{},{"nodeType":1293,"value":4077,"marks":4078,"data":4079},". 
The only data you report out is a flag when you find an issue.",[],{},{"nodeType":1294,"data":4081,"content":4082},{},[4083,4087,4092],{"nodeType":1293,"value":4084,"marks":4085,"data":4086},"Another benefit of browser extensions is that they are not passive. ",[],{},{"nodeType":1293,"value":4088,"marks":4089,"data":4091},"You can easily add active features to extensions that do things like warn users before they even set bad passwords",[4090],{"type":1599},{},{"nodeType":1293,"value":4093,"marks":4094,"data":4095}," - preventing these issues from occurring in the first place.",[],{},{"nodeType":1294,"data":4097,"content":4098},{},[4099],{"nodeType":1293,"value":4100,"marks":4101,"data":4102},"The downside is that you need to deploy these browser extensions to employees. This used to be a much bigger issue in the past, but these days it’s easy to deploy extensions to your whole fleet of Chrome, Edge, Firefox, Safari, Brave and Opera browsers using an MDM or GPO policy. Another nice thing about extensions, is that unlike endpoint agents, extensions are cross platform (they don’t care if you are on Windows, Mac or Linux), are isolated to the browser and automatically update through the browser extension store.",[],{},{"nodeType":1294,"data":4104,"content":4105},{},[4106],{"nodeType":1293,"value":4107,"marks":4108,"data":4109},"I’m sure I’m not doing a great job of hiding my enthusiasm for browser extensions as a platform to build SaaS security tools on, but they truly do provide the kind of fast, accurate and detailed data we need to solve both the supply-chain and customer responsibility sides of SaaS security.",[],{},{"nodeType":1445,"data":4111,"content":4112},{},[4113],{"nodeType":1293,"value":4114,"marks":4115,"data":4116},"Push uses a browser extension and APIs ",[],{},{"nodeType":1294,"data":4118,"content":4119},{},[4120],{"nodeType":1293,"value":4121,"marks":4122,"data":4123},"That’s why we decided to build Push on a browser extension. 
To discover and provide security-relevant data about the integrations to your core cloud platforms, we also use APIs. Together, these two data sources provide a full view of the SaaS apps employees are using.",[],{},{"nodeType":1322,"data":4125,"content":4126},{},[4127],{"nodeType":1293,"value":4128,"marks":4129,"data":4130},"How can Push help?",[],{},{"nodeType":1294,"data":4132,"content":4133},{},[4134],{"nodeType":1293,"value":4135,"marks":4136,"data":4137},"It probably won’t come as a surprise to find out that we’ve designed Push so security teams can get a handle on employee-adopted SaaS apps without needing to block them.",[],{},{"nodeType":1294,"data":4139,"content":4140},{},[4141],{"nodeType":1293,"value":4142,"marks":4143,"data":4144},"Here’s a quick rundown of how Push can help you:",[],{},{"nodeType":1445,"data":4146,"content":4147},{},[4148],{"nodeType":1293,"value":4149,"marks":4150,"data":4151},"Get visibility of shadow SaaS apps and unmanaged cloud accounts",[],{},{"nodeType":1294,"data":4153,"content":4154},{},[4155],{"nodeType":1293,"value":4156,"marks":4157,"data":4158},"If you’re going to get a handle on employee-adopted SaaS apps, you need to get visibility of them first. Push uses data from our browser extension to find SaaS apps that are logged into with usernames and passwords and SSO (OIDC). This gives you complete visibility of your SaaS environment, including shadow SaaS apps and cloud accounts that are not managed by IT. 
",[],{},{"nodeType":1460,"data":4160,"content":4164},{"target":4161},{"sys":4162},{"id":4163,"type":1465,"linkType":1466},"2PW9tNBBo0ohoqXYZ04kxA",[],{"nodeType":1445,"data":4166,"content":4167},{},[4168],{"nodeType":1293,"value":4169,"marks":4170,"data":4171},"Detect the new apps and integrations employees are adopting in real time",[],{},{"nodeType":1294,"data":4173,"content":4174},{},[4175],{"nodeType":1293,"value":4176,"marks":4177,"data":4178},"Push detects employees signing up to new apps, or integrating third-party apps to your core work platforms in real-time. That allows you to step in at the earliest opportunity to vet the app for critical issues and guide the employee through the appropriate app onboarding steps. This allows you to focus on the new stuff and buy yourself time as I recommended earlier. ",[],{},{"nodeType":1460,"data":4180,"content":4184},{"target":4181},{"sys":4182},{"id":4183,"type":1465,"linkType":1466},"1hqMZl60NhvhHIfnO7FttV",[],{"nodeType":1445,"data":4186,"content":4187},{},[4188],{"nodeType":1293,"value":4189,"marks":4190,"data":4191},"Avoid wasting time on false-positives",[],{},{"nodeType":1294,"data":4193,"content":4194},{},[4195],{"nodeType":1293,"value":4196,"marks":4197,"data":4198},"You need to trust your data if you want to take action based on the visibility you have of what apps employees are using and how they’re using them. Doing risk assessments or chasing employees about apps they’re not using wastes time and burns goodwill. ",[],{},{"nodeType":1294,"data":4200,"content":4201},{},[4202],{"nodeType":1293,"value":4203,"marks":4204,"data":4205},"Throughout this piece I’ve banged on about how critical it is to have the right data. Good data allows you to quickly and accurately identify new SaaS apps and integrations as employees adopt them. Good data is also required to identify the security issues that attackers can exploit to compromise your data through common attacks like Credential Stuffing. 
The best foundational data to lean on for SaaS visibility and risk is browser extension data.",[],{},{"nodeType":1294,"data":4207,"content":4208},{},[4209],{"nodeType":1293,"value":4210,"marks":4211,"data":4212},"Push collects data directly from the app using a browser extension, rather than guessing possible use from other sources like network traffic or email. ",[],{},{"nodeType":1294,"data":4214,"content":4215},{},[4216],{"nodeType":1293,"value":4217,"marks":4218,"data":4221},"That makes Push the only SaaS security solution that can directly observe all SaaS use and the only solution that can identify account security issues across hundreds of apps - completely automatically. No need for API support, no need for an admin account. It just works.",[4219,4220],{"type":1599},{"type":312},{},{"nodeType":1445,"data":4223,"content":4224},{},[4225],{"nodeType":1293,"value":4226,"marks":4227,"data":4228},"Identify account security risks and discover shadow SaaS at the same time",[],{},{"nodeType":1294,"data":4230,"content":4231},{},[4232],{"nodeType":1293,"value":4233,"marks":4234,"data":4235},"Supply chain risk is important, but I’d argue account compromise risks are greater for most organizations. Push can identify account security issues that make it possible for attackers to compromise your employees accounts using credential stuffing, brute forcing and phishing attacks. 
These include:",[],{},{"nodeType":1379,"data":4237,"content":4238},{},[4239,4249,4259,4269,4279,4289],{"nodeType":1383,"data":4240,"content":4241},{},[4242],{"nodeType":1294,"data":4243,"content":4244},{},[4245],{"nodeType":1293,"value":4246,"marks":4247,"data":4248},"Compromised passwords",[],{},{"nodeType":1383,"data":4250,"content":4251},{},[4252],{"nodeType":1294,"data":4253,"content":4254},{},[4255],{"nodeType":1293,"value":4256,"marks":4257,"data":4258},"Guessable passwords",[],{},{"nodeType":1383,"data":4260,"content":4261},{},[4262],{"nodeType":1294,"data":4263,"content":4264},{},[4265],{"nodeType":1293,"value":4266,"marks":4267,"data":4268},"Account-sharing between multiple employees",[],{},{"nodeType":1383,"data":4270,"content":4271},{},[4272],{"nodeType":1294,"data":4273,"content":4274},{},[4275],{"nodeType":1293,"value":4276,"marks":4277,"data":4278},"Sharing passwords across multiple accounts",[],{},{"nodeType":1383,"data":4280,"content":4281},{},[4282],{"nodeType":1294,"data":4283,"content":4284},{},[4285],{"nodeType":1293,"value":4286,"marks":4287,"data":4288},"Missing MFA",[],{},{"nodeType":1383,"data":4290,"content":4291},{},[4292],{"nodeType":1294,"data":4293,"content":4294},{},[4295],{"nodeType":1293,"value":4296,"marks":4297,"data":4298},"Password manager use",[],{},{"nodeType":1460,"data":4300,"content":4304},{"target":4301},{"sys":4302},{"id":4303,"type":1465,"linkType":1466},"3hR2N6WoP5WDyD6O6zdJP1",[],{"nodeType":1294,"data":4306,"content":4307},{},[4308],{"nodeType":1293,"value":4309,"marks":4310,"data":4311},"We identify these issues at the same time we discover shadow SaaS apps, so you can tackle account compromise at the same time as supply chain risk to reduce your SaaS security risk exposure faster.",[],{},{"nodeType":1294,"data":4313,"content":4314},{},[4315],{"nodeType":1293,"value":4316,"marks":4317,"data":4318},"How do we actually reduce the risks? 
We engage employees directly via Slack or MS Teams, explain the account security issue we’ve identified in a way they’ll understand, and help them understand how it’s putting them and the business at risk. Then we guide them on how to fix it...",[],{},{"nodeType":1460,"data":4320,"content":4324},{"target":4321},{"sys":4322},{"id":4323,"type":1465,"linkType":1466},"7Hgf81IlfZKoUMOp26ZXmq",[],{"nodeType":1445,"data":4326,"content":4327},{},[4328],{"nodeType":1293,"value":4329,"marks":4330,"data":4331},"Use Push to secure accounts that aren’t under SSO",[],{},{"nodeType":1294,"data":4333,"content":4334},{},[4335],{"nodeType":1293,"value":4336,"marks":4337,"data":4338},"In an ideal world, you could stick all your SaaS under your SSO solution, but we’ve already explained why that’s not practical for all apps. For apps and accounts that can’t use SSO, Push makes sure employees are using strong, unique passwords that aren’t published on a password breach list. We’ll also guide employees to use MFA when possible. ",[],{},{"nodeType":1294,"data":4340,"content":4341},{},[4342],{"nodeType":1293,"value":4343,"marks":4344,"data":4345},"In some instances, we can prevent account security issues from occurring in the first place. 
When Push detects an employee creating a new account in their browser, we’ll guide them to set up strong identity and access controls on their account, at the first signup...",[],{},{"nodeType":1460,"data":4347,"content":4351},{"target":4348},{"sys":4349},{"id":4350,"type":1465,"linkType":1466},"44U1ByoQns6vTqCSS3XrJf",[],{"nodeType":1445,"data":4353,"content":4354},{},[4355,4359],{"nodeType":1293,"value":4356,"marks":4357,"data":4358},"Get a handle on employee-adopted apps ",[],{},{"nodeType":1293,"value":4360,"marks":4361,"data":4363},"without being a blocker",[4362],{"type":312},{},{"nodeType":1294,"data":4365,"content":4366},{},[4367],{"nodeType":1293,"value":4368,"marks":4369,"data":4370},"By using Push, you can have complete visibility of all SaaS apps in your environment, including those adopted by employees without the oversight of IT and Security. We’ll automatically find the security issues that put your data at risk and enlist the support of employees to fix them. This allows you to embrace app self-adoption and adopt a default allow approach that enables your business while scaling security so you don’t lose control of SaaS security risks.  ",[],{},"The no-jargon guide to solving shadow SaaS ","Adapt your thinking to secure your data. Security needs to move from being the Department of No to the Department of Yes, Unless... 
","2023-06-27T00:00:00.000Z","protect-your-data-across-all-your-apps-even-the-ones-employees-use-without",{"items":4376},[4377,4379],{"sys":4378,"name":1306},{"id":1305},{"sys":4380,"name":1310},{"id":1309},{"items":4382},[4383],{"fullName":2805,"firstName":2806,"jobTitle":2807,"profilePicture":4384},{"url":2809},{"__typename":1314,"sys":4386,"content":4388,"title":5122,"synopsis":5123,"hashTags":118,"publishedDate":5124,"slug":5125,"tagsCollection":5126,"authorsCollection":5132},{"id":4387},"6ppEa7WXiKcgLQ9yGn7q3k",{"json":4389},{"nodeType":1295,"data":4390,"content":4391},{},[4392,4399,4405,4412,4421,4428,4433,4440,4445,4452,4459,4466,4473,4480,4486,4493,4499,4506,4521,4528,4535,4540,4546,4552,4568,4587,4594,4601,4608,4615,4622,4629,4649,4656,4663,4670,4677,4684,4691,4698,4705,4719,4749,4758,4764,4771,4778,4785,4808,4815,4822,4829,4836,4843,4850,4857,4864,4869,4876,4883,4890,4902,4909,4916,4923,4928,4935,4941,4948,4971,4978,4984,4991,5007,5014,5021,5028,5085,5090,5097,5104,5111,5116],{"nodeType":1294,"data":4393,"content":4394},{},[4395],{"nodeType":1293,"value":4396,"marks":4397,"data":4398},"Employees using a new work SaaS application used to be the final step of the software-onboarding process. ",[],{},{"nodeType":1294,"data":4400,"content":4401},{},[4402],{"nodeType":1293,"value":1340,"marks":4403,"data":4404},[],{},{"nodeType":1294,"data":4406,"content":4407},{},[4408],{"nodeType":1293,"value":4409,"marks":4410,"data":4411},"SaaS providers bypass IT and security and hook employees with free apps and trials. This has led to sensitive data on shadow SaaS applications that’s accessible via unmanaged cloud accounts – all those accounts that aren’t protected by SSO or logged into via social login accounts. 
This leads to security threats because attackers know SaaS is a blind spot for most organizations.",[],{},{"nodeType":1294,"data":4413,"content":4414},{},[4415],{"nodeType":1293,"value":4416,"marks":4417,"data":4420},"Attackers exploit this unmonitored attack surface with new takes on old techniques that are going undetected.",[4418,4419],{"type":1599},{"type":312},{},{"nodeType":1294,"data":4422,"content":4423},{},[4424],{"nodeType":1293,"value":4425,"marks":4426,"data":4427},"We’ve gone from this:",[],{},{"nodeType":1460,"data":4429,"content":4432},{"target":4430},{"sys":4431},{"id":1464,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":4434,"content":4435},{},[4436],{"nodeType":1293,"value":4437,"marks":4438,"data":4439},"To this: ",[],{},{"nodeType":1460,"data":4441,"content":4444},{"target":4442},{"sys":4443},{"id":1620,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":4446,"content":4447},{},[4448],{"nodeType":1293,"value":4449,"marks":4450,"data":4451},"Security is now coming in at the end of their old software procurement process and needs to figure out how to regain control of their data. ",[],{},{"nodeType":1322,"data":4453,"content":4454},{},[4455],{"nodeType":1293,"value":4456,"marks":4457,"data":4458},"You don’t want to stop employees from adopting SaaS apps… ",[],{},{"nodeType":1294,"data":4460,"content":4461},{},[4462],{"nodeType":1293,"value":4463,"marks":4464,"data":4465},"Employees self-adopting SaaS platforms might sound like a security nightmare, but it doesn’t have to be. This actually enables employees to be more productive and your business to be more competitive. ",[],{},{"nodeType":1294,"data":4467,"content":4468},{},[4469],{"nodeType":1293,"value":4470,"marks":4471,"data":4472},"This new landscape has fundamentally changed how software is brought into the business. The days of security acting as a gatekeeper that all apps must pass through before they can touch live data are over. 
The market forces driving self-service apps aren’t stopping, so the security industry needs to adapt.",[],{},{"nodeType":1322,"data":4474,"content":4475},{},[4476],{"nodeType":1293,"value":4477,"marks":4478,"data":4479},"What’s the impact of self-adoption on security?",[],{},{"nodeType":1445,"data":4481,"content":4482},{},[4483],{"nodeType":1293,"value":1709,"marks":4484,"data":4485},[],{},{"nodeType":1294,"data":4487,"content":4488},{},[4489],{"nodeType":1293,"value":4490,"marks":4491,"data":4492},"Most SaaS providers have moved to the product-led growth (PLG) model as the fastest and easiest way to get users for their apps. They want employees to start using SaaS without going through IT and security teams’ lengthy approval processes. This SaaS vendor sales model has had a massive impact on security and introduced SaaS security risks, but most security teams are unaware of the scale and scope of the problem because they can’t get necessary visibility into all the tools and apps their employees are using.",[],{},{"nodeType":1445,"data":4494,"content":4495},{},[4496],{"nodeType":1293,"value":1040,"marks":4497,"data":4498},[],{},{"nodeType":1294,"data":4500,"content":4501},{},[4502],{"nodeType":1293,"value":4503,"marks":4504,"data":4505},"This problem is often called “Shadow SaaS” and it’s also the first problem to solve -  the old adage “you can’t secure what you don’t know about” is as true in the SaaS world as it is in any other security domain.",[],{},{"nodeType":1294,"data":4507,"content":4508},{},[4509,4513,4518],{"nodeType":1293,"value":4510,"marks":4511,"data":4512},"The lack of visibility means many IT and security teams missed the explosion of SaaS apps, plugins, extensions, and integrations that make up the modern IT stack. 
More crucially,",[],{},{"nodeType":1293,"value":4514,"marks":4515,"data":4517}," they’ve missed the movement of company data into these apps.",[4516],{"type":312},{},{"nodeType":1293,"value":2867,"marks":4519,"data":4520},[],{},{"nodeType":1445,"data":4522,"content":4523},{},[4524],{"nodeType":1293,"value":4525,"marks":4526,"data":4527},"SaaS Sprawl",[],{},{"nodeType":1294,"data":4529,"content":4530},{},[4531],{"nodeType":1293,"value":4532,"marks":4533,"data":4534},"Complicating matters further, many of these apps are duplicate, abandoned or unmanaged - an issue often called “SaaS sprawl.”",[],{},{"nodeType":1460,"data":4536,"content":4539},{"target":4537},{"sys":4538},{"id":1730,"type":1465,"linkType":1466},[],{"nodeType":1445,"data":4541,"content":4542},{},[4543],{"nodeType":1293,"value":1736,"marks":4544,"data":4545},[],{},{"nodeType":1294,"data":4547,"content":4548},{},[4549],{"nodeType":1293,"value":1743,"marks":4550,"data":4551},[],{},{"nodeType":1294,"data":4553,"content":4554},{},[4555,4559,4564],{"nodeType":1293,"value":4556,"marks":4557,"data":4558},"In both cases, ",[],{},{"nodeType":1293,"value":4560,"marks":4561,"data":4563},"Security is getting visibility too late to be of much value",[4562],{"type":312},{},{"nodeType":1293,"value":4565,"marks":4566,"data":4567},". Once a team has been using an app (even on a free tier) for a year, there’s not much Security can do that will convince employees/teams to move to a more secure app. 
",[],{},{"nodeType":1294,"data":4569,"content":4570},{},[4571,4577,4582],{"nodeType":1293,"value":4572,"marks":4573,"data":4576},"To change that, Security needs to intervene and get involved very early in the app adoption process ",[4574,4575],{"type":1599},{"type":312},{},{"nodeType":1293,"value":4578,"marks":4579,"data":4581},"- long before finance is involved.",[4580],{"type":312},{},{"nodeType":1293,"value":2867,"marks":4583,"data":4586},[4584,4585],{"type":1599},{"type":312},{},{"nodeType":1294,"data":4588,"content":4589},{},[4590],{"nodeType":1293,"value":4591,"marks":4592,"data":4593},"Incident Response is necessary, of course, when a SaaS account is breached, but can’t recover the lost data after attackers have had access to it. ",[],{},{"nodeType":1445,"data":4595,"content":4596},{},[4597],{"nodeType":1293,"value":4598,"marks":4599,"data":4600},"Holy S*it - there are so many apps!",[],{},{"nodeType":1294,"data":4602,"content":4603},{},[4604],{"nodeType":1293,"value":4605,"marks":4606,"data":4607},"Once teams get visibility into the scope of the Shadow SaaS and sprawl problem, they’re usually surprised by the sheer volume of apps employees have adopted. \n\nThen they realize they need to do risk assessments on dozens of apps a month instead of the dozen a year that were going through IT in the old, managed and controlled process. To deal with this massive influx of new apps, security teams feel they must either radically increase the headcount, cut corners or drastically increase acceptable risk levels for data security. 
Neither of these are great options.",[],{},{"nodeType":1445,"data":4609,"content":4610},{},[4611],{"nodeType":1293,"value":4612,"marks":4613,"data":4614},"This is why SSPMs and CASBs exist, right?",[],{},{"nodeType":1294,"data":4616,"content":4617},{},[4618],{"nodeType":1293,"value":4619,"marks":4620,"data":4621},"SaaS Security Posture Management (SSPMs) and Cloud Access Security Brokers (CASBs) are the most common categories of solutions meant to attack this visibility blindspot issue, but none of these tools are getting the full picture of the problem. ",[],{},{"nodeType":1294,"data":4623,"content":4624},{},[4625],{"nodeType":1293,"value":4626,"marks":4627,"data":4628},"At best, they simply chip away at the problem and make security feel like they’ve got a handle on employee-adopted SaaS. At worst, they give a false sense of security while only actually covering a small portion of the SaaS apps where business data actually lives. ",[],{},{"nodeType":1294,"data":4630,"content":4631},{},[4632,4636,4646],{"nodeType":1293,"value":4633,"marks":4634,"data":4635},"The key thing to consider about any of these solutions is what data sources they’re using to collect (typically network data, financial records, email data, application or endpoint data). 
We won’t dig into the full list of pros and cons of these types of tools, but we encourage you to read about them more ",[],{},{"nodeType":2831,"data":4637,"content":4640},{"target":4638},{"sys":4639},{"id":3907,"type":1465,"linkType":1466},[4641],{"nodeType":1293,"value":4642,"marks":4643,"data":4645},"here",[4644],{"type":1562},{},{"nodeType":1293,"value":2638,"marks":4647,"data":4648},[],{},{"nodeType":1294,"data":4650,"content":4651},{},[4652],{"nodeType":1293,"value":4653,"marks":4654,"data":4655},"SSPM tools typically don’t do SaaS discovery - they don’t find apps employees log into, but they do tackle the application hardening and monitoring problem because they focus on policy enforcement and log-monitoring through APIs. ",[],{},{"nodeType":1294,"data":4657,"content":4658},{},[4659],{"nodeType":1293,"value":4660,"marks":4661,"data":4662},"Both SSPMs and CASBs make sense logically as a way to regain control of the situation. But we’d like to challenge the thinking that regaining control has to mean enforcing rigid security policies and restricting app access. ",[],{},{"nodeType":1322,"data":4664,"content":4665},{},[4666],{"nodeType":1293,"value":4667,"marks":4668,"data":4669},"Adjust your thinking to secure SaaS",[],{},{"nodeType":1445,"data":4671,"content":4672},{},[4673],{"nodeType":1293,"value":4674,"marks":4675,"data":4676},"Resist the temptation to revert to the old ways ",[],{},{"nodeType":1294,"data":4678,"content":4679},{},[4680],{"nodeType":1293,"value":4681,"marks":4682,"data":4683},"When the idea of the options above proves daunting or impossible, Security often tries to revert to the old process - putting security measures in place to regain the ability to set the pace of adoption by re-establishing the gate. 
",[],{},{"nodeType":1294,"data":4685,"content":4686},{},[4687],{"nodeType":1293,"value":4688,"marks":4689,"data":4690},"Practically, this means that you’re deploying technical controls to try block all SaaS apps until they are approved (and marked as allowed) by IT or Security. Technically, this makes total sense. But the unforeseen consequence is that it positions Security as blockers (aka the “Department of No”) and puts them at odds with the rest of the business, rather than working towards a shared goal. ",[],{},{"nodeType":1445,"data":4692,"content":4693},{},[4694],{"nodeType":1293,"value":4695,"marks":4696,"data":4697},"Why being the “Department of No” doesn’t work ",[],{},{"nodeType":1294,"data":4699,"content":4700},{},[4701],{"nodeType":1293,"value":4702,"marks":4703,"data":4704},"This block-everything-until-security-approves-it position requires incredible executive support to maintain. For all but the most risk-sensitive organizations (read .gov), this position also normalizes employee behavior to bypass Security in favor of working quickly and effectively. 
",[],{},{"nodeType":1294,"data":4706,"content":4707},{},[4708,4712,4716],{"nodeType":1293,"value":4709,"marks":4710,"data":4711},"In the end, Security actually ",[],{},{"nodeType":1293,"value":1830,"marks":4713,"data":4715},[4714],{"type":312},{},{"nodeType":1293,"value":1835,"marks":4717,"data":4718},[],{},{"nodeType":1379,"data":4720,"content":4721},{},[4722,4731,4740],{"nodeType":1383,"data":4723,"content":4724},{},[4725],{"nodeType":1294,"data":4726,"content":4727},{},[4728],{"nodeType":1293,"value":1848,"marks":4729,"data":4730},[],{},{"nodeType":1383,"data":4732,"content":4733},{},[4734],{"nodeType":1294,"data":4735,"content":4736},{},[4737],{"nodeType":1293,"value":1858,"marks":4738,"data":4739},[],{},{"nodeType":1383,"data":4741,"content":4742},{},[4743],{"nodeType":1294,"data":4744,"content":4745},{},[4746],{"nodeType":1293,"value":1868,"marks":4747,"data":4748},[],{},{"nodeType":1294,"data":4750,"content":4751},{},[4752],{"nodeType":1293,"value":4753,"marks":4754,"data":4757},"Each blocking action leads to a worse security outcome and blinds the security team further - losing control rather than regaining it.",[4755,4756],{"type":1599},{"type":312},{},{"nodeType":1294,"data":4759,"content":4760},{},[4761],{"nodeType":1293,"value":1884,"marks":4762,"data":4763},[],{},{"nodeType":1445,"data":4765,"content":4766},{},[4767],{"nodeType":1293,"value":4768,"marks":4769,"data":4770},"Don’t worry, there’s a better way, but you must adapt your thinking",[],{},{"nodeType":1294,"data":4772,"content":4773},{},[4774],{"nodeType":1293,"value":4775,"marks":4776,"data":4777},"The first thing we need to do as an industry is agree that we don’t want to be the blockers. We don’t want to stop employees from self-adopting apps. We understand they are best placed to find and select the tools that are going to allow them to be more productive and help your company succeed. 
",[],{},{"nodeType":1294,"data":4779,"content":4780},{},[4781],{"nodeType":1293,"value":4782,"marks":4783,"data":4784},"We need to:",[],{},{"nodeType":1379,"data":4786,"content":4787},{},[4788,4798],{"nodeType":1383,"data":4789,"content":4790},{},[4791],{"nodeType":1294,"data":4792,"content":4793},{},[4794],{"nodeType":1293,"value":4795,"marks":4796,"data":4797},"embrace SaaS app self-adoption, and ",[],{},{"nodeType":1383,"data":4799,"content":4800},{},[4801],{"nodeType":1294,"data":4802,"content":4803},{},[4804],{"nodeType":1293,"value":4805,"marks":4806,"data":4807},"stop asking employees to adapt to fit our legacy processes. ",[],{},{"nodeType":1294,"data":4809,"content":4810},{},[4811],{"nodeType":1293,"value":4812,"marks":4813,"data":4814},"Security can no longer be a gate with a default stance of “No, until.” Instead Security needs to be a partner that says “Yes, unless.”",[],{},{"nodeType":1445,"data":4816,"content":4817},{},[4818],{"nodeType":1293,"value":4819,"marks":4820,"data":4821},"From the “Department of No” to the “Department of Yes, Unless?”",[],{},{"nodeType":1294,"data":4823,"content":4824},{},[4825],{"nodeType":1293,"value":4826,"marks":4827,"data":4828},"To adapt to this new SaaS-first world, security must move from saying “No, until we’ve had time to fully vet and onboard this app officially” to “Yes! 
You can use that app, unless we quickly identify security risks that outweigh the value of the tool.”",[],{},{"nodeType":1294,"data":4830,"content":4831},{},[4832],{"nodeType":1293,"value":4833,"marks":4834,"data":4835},"We know this is deeply uncomfortable for many security practitioners, but it will lead to a better long-term outcome.",[],{},{"nodeType":1322,"data":4837,"content":4838},{},[4839],{"nodeType":1293,"value":4840,"marks":4841,"data":4842},"How to regain control of the SaaS explosion",[],{},{"nodeType":1445,"data":4844,"content":4845},{},[4846],{"nodeType":1293,"value":4847,"marks":4848,"data":4849},"Step 1: Understand how employees typically test drive and eventually adopt SaaS",[],{},{"nodeType":1294,"data":4851,"content":4852},{},[4853],{"nodeType":1293,"value":4854,"marks":4855,"data":4856},"Obviously, self-adoption of SaaS is fundamentally different to IT/Security adopted and managed from a risk perspective. With SaaS, there’s no giant commitment upfront. Apps don’t (usually) just go from unknown and unused to adopted in a day. Just like adopting software was a process for Security and IT back in the day, employees follow a (less rigid) process with SaaS - from testing > to using > to finding value > to inviting teammates, etc. ",[],{},{"nodeType":1294,"data":4858,"content":4859},{},[4860],{"nodeType":1293,"value":4861,"marks":4862,"data":4863},"The risk grows as we proceed through the adoption process as employees add more data into the app and integrate it with other apps. 
The workflow below outlines a fairly typical SaaS testing and adopting process for employees:",[],{},{"nodeType":1460,"data":4865,"content":4868},{"target":4866},{"sys":4867},{"id":1933,"type":1465,"linkType":1466},[],{"nodeType":1445,"data":4870,"content":4871},{},[4872],{"nodeType":1293,"value":4873,"marks":4874,"data":4875},"Step 2: Get involved early to have a real security impact",[],{},{"nodeType":1294,"data":4877,"content":4878},{},[4879],{"nodeType":1293,"value":4880,"marks":4881,"data":4882},"The upside for Security is that because SaaS adoption is a process over time, we can use that time to assess the risk of the app before it’s fully adopted, as long as we know about the app from the start. ",[],{},{"nodeType":1294,"data":4884,"content":4885},{},[4886],{"nodeType":1293,"value":4887,"marks":4888,"data":4889},"The goal is to catch those apps that are high risk, either because the data going into them (or that will be) is high risk or because the app can perform some high-risk action (like managing your inventory or sending emails to customers or your behalf). Security can focus their efforts on these high-risk vendors and apps to make sure they can be trusted with their data. ",[],{},{"nodeType":1294,"data":4891,"content":4892},{},[4893,4897],{"nodeType":1293,"value":4894,"marks":4895,"data":4896},"But this is key: ",[],{},{"nodeType":1293,"value":4898,"marks":4899,"data":4901},"Security needs to get involved early in the adoption process. 
",[4900],{"type":312},{},{"nodeType":1445,"data":4903,"content":4904},{},[4905],{"nodeType":1293,"value":4906,"marks":4907,"data":4908},"Step 3: Get real-time visibility into SaaS apps and risks as employees sign up for them",[],{},{"nodeType":1294,"data":4910,"content":4911},{},[4912],{"nodeType":1293,"value":4913,"marks":4914,"data":4915},"You guessed it - Push can help!",[],{},{"nodeType":1294,"data":4917,"content":4918},{},[4919],{"nodeType":1293,"value":4920,"marks":4921,"data":4922},"We detect employees signing up to new apps and integrating third-party apps to your core work platforms in real-time. That allows you to step in at the earliest opportunity to vet the app for critical issues and guide the employee through the appropriate app onboarding steps. This allows you to focus on the new stuff and buy yourself time. ",[],{},{"nodeType":1460,"data":4924,"content":4927},{"target":4925},{"sys":4926},{"id":4183,"type":1465,"linkType":1466},[],{"nodeType":1445,"data":4929,"content":4930},{},[4931],{"nodeType":1293,"value":4932,"marks":4933,"data":4934},"Step 4: Avoid wasting time on false-positives",[],{},{"nodeType":1294,"data":4936,"content":4937},{},[4938],{"nodeType":1293,"value":4196,"marks":4939,"data":4940},[],{},{"nodeType":1294,"data":4942,"content":4943},{},[4944],{"nodeType":1293,"value":4945,"marks":4946,"data":4947},"Good data allows you to:",[],{},{"nodeType":1379,"data":4949,"content":4950},{},[4951,4961],{"nodeType":1383,"data":4952,"content":4953},{},[4954],{"nodeType":1294,"data":4955,"content":4956},{},[4957],{"nodeType":1293,"value":4958,"marks":4959,"data":4960},"Quickly and accurately identify new SaaS apps and integrations as employees adopt them. 
",[],{},{"nodeType":1383,"data":4962,"content":4963},{},[4964],{"nodeType":1294,"data":4965,"content":4966},{},[4967],{"nodeType":1293,"value":4968,"marks":4969,"data":4970},"Identify the security issues that attackers can exploit to compromise your data through common attacks like Credential Stuffing. ",[],{},{"nodeType":1445,"data":4972,"content":4973},{},[4974],{"nodeType":1293,"value":4975,"marks":4976,"data":4977},"Step 5: Use Browser extension data to get the most accurate and useful data for SaaS visibility and risk ",[],{},{"nodeType":1294,"data":4979,"content":4980},{},[4981],{"nodeType":1293,"value":4210,"marks":4982,"data":4983},[],{},{"nodeType":1294,"data":4985,"content":4986},{},[4987],{"nodeType":1293,"value":4988,"marks":4989,"data":4990},"That makes Push the only SaaS security solution that can directly observe all SaaS use and the only solution that can identify account security issues across hundreds of apps - completely automatically. ",[],{},{"nodeType":1294,"data":4992,"content":4993},{},[4994,4998,5003],{"nodeType":1293,"value":4995,"marks":4996,"data":4997},"No need for API support, no need for an admin account. It just works. For ",[],{},{"nodeType":1293,"value":4999,"marks":5000,"data":5002},"all",[5001],{"type":1599},{},{"nodeType":1293,"value":5004,"marks":5005,"data":5006}," your SaaS.",[],{},{"nodeType":1445,"data":5008,"content":5009},{},[5010],{"nodeType":1293,"value":5011,"marks":5012,"data":5013},"Step 6: Identify account security risks and discover shadow SaaS at the same time",[],{},{"nodeType":1294,"data":5015,"content":5016},{},[5017],{"nodeType":1293,"value":5018,"marks":5019,"data":5020},"Of course you need to start by discovering SaaS and getting a reliable inventory - but this on its own won’t stop accounts on those apps from getting breached. The most common way SaaS accounts are breached is through attacks like credential stuffing that target weak, breached or shared passwords on accounts that don’t have MFA enabled. 
",[],{},{"nodeType":1294,"data":5022,"content":5023},{},[5024],{"nodeType":1293,"value":5025,"marks":5026,"data":5027},"Push can identify account security issues to prevent these common attacks. These include:",[],{},{"nodeType":1379,"data":5029,"content":5030},{},[5031,5040,5049,5058,5067,5076],{"nodeType":1383,"data":5032,"content":5033},{},[5034],{"nodeType":1294,"data":5035,"content":5036},{},[5037],{"nodeType":1293,"value":4246,"marks":5038,"data":5039},[],{},{"nodeType":1383,"data":5041,"content":5042},{},[5043],{"nodeType":1294,"data":5044,"content":5045},{},[5046],{"nodeType":1293,"value":4256,"marks":5047,"data":5048},[],{},{"nodeType":1383,"data":5050,"content":5051},{},[5052],{"nodeType":1294,"data":5053,"content":5054},{},[5055],{"nodeType":1293,"value":4266,"marks":5056,"data":5057},[],{},{"nodeType":1383,"data":5059,"content":5060},{},[5061],{"nodeType":1294,"data":5062,"content":5063},{},[5064],{"nodeType":1293,"value":4276,"marks":5065,"data":5066},[],{},{"nodeType":1383,"data":5068,"content":5069},{},[5070],{"nodeType":1294,"data":5071,"content":5072},{},[5073],{"nodeType":1293,"value":4286,"marks":5074,"data":5075},[],{},{"nodeType":1383,"data":5077,"content":5078},{},[5079],{"nodeType":1294,"data":5080,"content":5081},{},[5082],{"nodeType":1293,"value":4296,"marks":5083,"data":5084},[],{},{"nodeType":1460,"data":5086,"content":5089},{"target":5087},{"sys":5088},{"id":4303,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":5091,"content":5092},{},[5093],{"nodeType":1293,"value":5094,"marks":5095,"data":5096},"We identify these issues at the same time we discover shadow SaaS apps, so you can tackle account compromise at the same time as SaaS discovery to reduce your SaaS security risk exposure faster.",[],{},{"nodeType":1445,"data":5098,"content":5099},{},[5100],{"nodeType":1293,"value":5101,"marks":5102,"data":5103},"Step 7: Automatically reduce the risks we find by engaging 
employees",[],{},{"nodeType":1294,"data":5105,"content":5106},{},[5107],{"nodeType":1293,"value":5108,"marks":5109,"data":5110},"How do we actually reduce the risks? We engage employees directly via Slack or MS Teams, explain the account security issue we’ve identified in a way they’ll understand, and help them understand how it’s putting them and the business at risk. Then we guide them on how to fix it.",[],{},{"nodeType":1460,"data":5112,"content":5115},{"target":5113},{"sys":5114},{"id":4323,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":5117,"content":5118},{},[5119],{"nodeType":1293,"value":37,"marks":5120,"data":5121},[],{},"7 Steps to secure your data across shadow SaaS apps","Attackers commonly target SaaS apps because they know employees sign up without running them past IT first. Learn how to adjust to secure your data.\n","2023-06-26T00:00:00.000Z","3-steps-to-secure-your-data-across-shadow-saas-apps",{"items":5127},[5128,5130],{"sys":5129,"name":1310},{"id":1309},{"sys":5131,"name":1306},{"id":1305},{"items":5133},[5134],{"fullName":5135,"firstName":5135,"jobTitle":118,"profilePicture":5136},"The Push Team",{"url":5137},"https://images.ctfassets.net/y1cdw1ablpvd/7xpR9kiHAQWtZBj2rpOmmU/052ddfbb96afb37962278062047ab16d/Twitter_Linkedin_icon_white.png",{"items":5139},[5140],{"fullName":5141,"firstName":5142,"jobTitle":5143,"profilePicture":5144},"Sally Soulliere","Sally","Head of Brand & 
Content",{"url":5145},"https://images.ctfassets.net/y1cdw1ablpvd/7Gh4SbbEj6Zsbd6OzGto8Q/885041a4ddeccc5ef3045c0e22975ef4/T016S22KZ96-U036FPETQRH-330f87708d26-192.jpeg",{"json":5147,"links":5713},{"nodeType":1295,"data":5148,"content":5149},{},[5150,5157,5164,5171,5188,5195,5200,5207,5214,5221,5228,5246,5253,5258,5265,5272,5295,5302,5309,5316,5323,5328,5335,5342,5351,5359,5366,5373,5380,5387,5394,5406,5413,5420,5427,5452,5485,5501,5512,5519,5526,5530,5537,5544,5551,5558,5565,5572,5579,5586,5593,5600,5607,5614,5621,5628,5635,5651,5670,5677,5684,5707],{"nodeType":1294,"data":5151,"content":5152},{},[5153],{"nodeType":1293,"value":5154,"marks":5155,"data":5156},"The way we’ve adopted software in our businesses has shifted dramatically over the years due to the rise of the product-led growth (PLG) movement. ",[],{},{"nodeType":1322,"data":5158,"content":5159},{},[5160],{"nodeType":1293,"value":5161,"marks":5162,"data":5163},"What is PLG and how does it lead SaaS sprawl?",[],{},{"nodeType":1294,"data":5165,"content":5166},{},[5167],{"nodeType":1293,"value":5168,"marks":5169,"data":5170},"In PLG, SaaS providers offer free trials and free versions to entice employees to sign up and immediately start using and testing their SaaS applications. SaaS vendors know they can close deals quicker if they can prove the value of their tool with their users - your employees - and “become sticky” with those users. ",[],{},{"nodeType":1294,"data":5172,"content":5173},{},[5174,5178,5184],{"nodeType":1293,"value":5175,"marks":5176,"data":5177},"If vendors can make their cloud apps useful enough for employees to rely on them, ",[],{},{"nodeType":1293,"value":5179,"marks":5180,"data":5183},"it’s much harder for IT and security teams to swoop in and force a move to a more secure or similar SaaS application",[5181,5182],{"type":312},{"type":1599},{},{"nodeType":1293,"value":5185,"marks":5186,"data":5187}," that another team in the company is already using. 
",[],{},{"nodeType":1294,"data":5189,"content":5190},{},[5191],{"nodeType":1293,"value":5192,"marks":5193,"data":5194},"This isn’t malicious, mind you - it’s just that vendors know that SaaS security audits and due diligence can extend their sales cycles and complicate their deals. Their quickest win is to get in with your employee and turn them into their champion within your company. Here’s a quick visual for how software onboarding typically flows in this PLG-ruled world:",[],{},{"nodeType":1460,"data":5196,"content":5199},{"target":5197},{"sys":5198},{"id":1620,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":5201,"content":5202},{},[5203],{"nodeType":1293,"value":5204,"marks":5205,"data":5206},"Because of this shift to adoption or free trials as the first step of a “software onboarding process,” Security and IT are left with huge visibility gaps, with shadow SaaS and shadow IT growing exponentially with each employee sign up. Those shadow apps are what we’re talking about when we discuss SaaS sprawl and the risks these unmonitored accounts introduce.",[],{},{"nodeType":1322,"data":5208,"content":5209},{},[5210],{"nodeType":1293,"value":5211,"marks":5212,"data":5213},"The impact on SaaS security",[],{},{"nodeType":1294,"data":5215,"content":5216},{},[5217],{"nodeType":1293,"value":5218,"marks":5219,"data":5220},"This Saas provider shift toward pushing employees to sign up for SaaS apps without your oversight has already been happening and it’ll continue to grow in the years to come. That’s because PLG works! 
It’s helping SaaS vendors grow their businesses exponentially and more and more SaaS providers are going to start following suit.",[],{},{"nodeType":1322,"data":5222,"content":5223},{},[5224],{"nodeType":1293,"value":5225,"marks":5226,"data":5227},"How big of a problem is this, really?",[],{},{"nodeType":1294,"data":5229,"content":5230},{},[5231,5235,5242],{"nodeType":1293,"value":5232,"marks":5233,"data":5234},"Back in 2015, Forrester ",[],{},{"nodeType":1554,"data":5236,"content":5237},{"uri":1556},[5238],{"nodeType":1293,"value":1559,"marks":5239,"data":5241},[5240],{"type":1562},{},{"nodeType":1293,"value":5243,"marks":5244,"data":5245}," that 75% of B2B buyers prefer a no-sales-rep buying process. Product-led growth (PLG) is now the norm for SaaS companies, with around 60% of SaaS companies using this model now.  ",[],{},{"nodeType":1294,"data":5247,"content":5248},{},[5249],{"nodeType":1293,"value":5250,"marks":5251,"data":5252},"Here are just a few examples of common business SaaS applications sold via the PLG model, which you’ll definitely recognize. One thing you’ll quickly notice is that most of these apps are built for sales, marketing, and customer support:",[],{},{"nodeType":1460,"data":5254,"content":5257},{"target":5255},{"sys":5256},{"id":1572,"type":1465,"linkType":1466},[],{"nodeType":1322,"data":5259,"content":5260},{},[5261],{"nodeType":1293,"value":5262,"marks":5263,"data":5264},"SaaS sprawl: A massive increase in the number of SaaS applications businesses use ",[],{},{"nodeType":1294,"data":5266,"content":5267},{},[5268],{"nodeType":1293,"value":5269,"marks":5270,"data":5271},"Adding to the shadow SaaS and SaaS sprawl storm, the sheer number of apps in use has increased dramatically over the years, and will continue to do so. 
There are a couple reasons for this: ",[],{},{"nodeType":1675,"data":5273,"content":5274},{},[5275,5285],{"nodeType":1383,"data":5276,"content":5277},{},[5278],{"nodeType":1294,"data":5279,"content":5280},{},[5281],{"nodeType":1293,"value":5282,"marks":5283,"data":5284},"The big old monolithic on-prem software is being replaced not by a single SaaS app, but an ecosystem of specialized apps. ",[],{},{"nodeType":1383,"data":5286,"content":5287},{},[5288],{"nodeType":1294,"data":5289,"content":5290},{},[5291],{"nodeType":1293,"value":5292,"marks":5293,"data":5294},"Since apps are virtually zero-maintenance these days, the operating cost of running multiple apps is almost the same as running one giant on-prem or SaaS platform. This further multiplies the number of apps and vendors used in your business.",[],{},{"nodeType":1322,"data":5296,"content":5297},{},[5298],{"nodeType":1293,"value":5299,"marks":5300,"data":5301},"Security SaaS applications don’t use PLG ",[],{},{"nodeType":1294,"data":5303,"content":5304},{},[5305],{"nodeType":1293,"value":5306,"marks":5307,"data":5308},"IT & security folks are usually ahead of the curve when it comes to technology shifts, but in this case many might have missed the scale or speed of the change. ",[],{},{"nodeType":1294,"data":5310,"content":5311},{},[5312],{"nodeType":1293,"value":5313,"marks":5314,"data":5315},"That’s because IT and security tools are among the least product-led of any sector. Most of our industry’s tools require heavy integrations, complicated setup, agent deployments, and so on. 
",[],{},{"nodeType":1294,"data":5317,"content":5318},{},[5319],{"nodeType":1293,"value":5320,"marks":5321,"data":5322},"Note the difference between these common SaaS platforms for security and the ones for the rest of the company above:",[],{},{"nodeType":1460,"data":5324,"content":5327},{"target":5325},{"sys":5326},{"id":1640,"type":1465,"linkType":1466},[],{"nodeType":1294,"data":5329,"content":5330},{},[5331],{"nodeType":1293,"value":5332,"marks":5333,"data":5334},"Notice how all those “Sign up now” buttons have morphed into “Get a demo” buttons? This is the “old-school” way of procuring software. You work with sales and get a live demo with the sales rep, rather than signing up and trying it for yourself. Then you do still have to do your due diligence and work directly with the vendor to vet whether they’ll responsibly protect your corporate and/or customer data, that they’re SOC2 compliant, and so on.",[],{},{"nodeType":1294,"data":5336,"content":5337},{},[5338],{"nodeType":1293,"value":5339,"marks":5340,"data":5341},"Unfortunately, few security companies are making products as easy to set up and use as new tools for marketing, sales, finance, development, engineering design, legal, HR, and basically every other sector.",[],{},{"nodeType":1294,"data":5343,"content":5344},{},[5345],{"nodeType":1293,"value":5346,"marks":5347,"data":5350},"This leads to a misconception that self-adopted apps are rare and don’t contain sensitive data. 
",[5348,5349],{"type":1599},{"type":312},{},{"nodeType":1294,"data":5352,"content":5353},{},[5354],{"nodeType":1293,"value":37,"marks":5355,"data":5358},[5356,5357],{"type":1599},{"type":312},{},{"nodeType":1322,"data":5360,"content":5361},{},[5362],{"nodeType":1293,"value":5363,"marks":5364,"data":5365},"Free trials interact with real, live corporate data",[],{},{"nodeType":1294,"data":5367,"content":5368},{},[5369],{"nodeType":1293,"value":5370,"marks":5371,"data":5372},"It’s not just the paid, fully-adopted apps that introduce third-party, supply-chain and SaaS application security risks to your organization. Even those free trials before an app is officially “adopted” can pose a significant security risk. ",[],{},{"nodeType":1294,"data":5374,"content":5375},{},[5376],{"nodeType":1293,"value":5377,"marks":5378,"data":5379},"For PLG to work, users need to experience meaningful value during that initial experience. To do that, users/your employees almost always need to connect the app to your live environment where it interacts with real data. ",[],{},{"nodeType":1322,"data":5381,"content":5382},{},[5383],{"nodeType":1293,"value":5384,"marks":5385,"data":5386},"Security and IT only see a few of the apps employees are testing and signing up for",[],{},{"nodeType":1294,"data":5388,"content":5389},{},[5390],{"nodeType":1293,"value":5391,"marks":5392,"data":5393},"To make matters worse, only a small subset of those apps ever get submitted to finance or any official app-onboarding process. Typically, this happens when an employee outgrows the free or trial tier and needs to upgrade to a paid account. 
",[],{},{"nodeType":1294,"data":5395,"content":5396},{},[5397,5403],{"nodeType":1293,"value":5398,"marks":5399,"data":5402},"The freemium and trial versions of apps are unlikely to ever be presented to IT and security.",[5400,5401],{"type":312},{"type":1599},{},{"nodeType":1293,"value":2867,"marks":5404,"data":5405},[],{},{"nodeType":1294,"data":5407,"content":5408},{},[5409],{"nodeType":1293,"value":5410,"marks":5411,"data":5412},"Most agree that only about 2-5% of folks on freemium/free tiers become paying customers. With conversions from free to paid happening only at a very very low rate, it’s very likely that a lot of your employees are using a lot of free tier apps for at least some significant timeframe.",[],{},{"nodeType":1294,"data":5414,"content":5415},{},[5416],{"nodeType":1293,"value":5417,"marks":5418,"data":5419},"As mentioned earlier, real live data is often still input into those free apps. So, if you’re relying on finance records to tell you which apps employees are using, you’re going to miss all those free apps, which may never reach finance. And those free apps present just as much risk as the paid apps, more if you consider that you have no visibility into the majority of them. 
",[],{},{"nodeType":1322,"data":5421,"content":5422},{},[5423],{"nodeType":1293,"value":5424,"marks":5425,"data":5426},"Losing direct visibility into SaaS apps means Security is getting in too late",[],{},{"nodeType":1294,"data":5428,"content":5429},{},[5430,5434,5439,5443,5448],{"nodeType":1293,"value":5431,"marks":5432,"data":5433},"Though security teams have lost ",[],{},{"nodeType":1293,"value":5435,"marks":5436,"data":5438},"direct visibility",[5437],{"type":312},{},{"nodeType":1293,"value":5440,"marks":5441,"data":5442},", they’ve not lost ",[],{},{"nodeType":1293,"value":5444,"marks":5445,"data":5447},"complete visibility.",[5446],{"type":312},{},{"nodeType":1293,"value":5449,"marks":5450,"data":5451}," Many are finding out about at least a fraction of these apps, though things like:",[],{},{"nodeType":1379,"data":5453,"content":5454},{},[5455,5465,5475],{"nodeType":1383,"data":5456,"content":5457},{},[5458],{"nodeType":1294,"data":5459,"content":5460},{},[5461],{"nodeType":1293,"value":5462,"marks":5463,"data":5464},"Pulling expense reports once employees need to move from a free to paid tier of an app",[],{},{"nodeType":1383,"data":5466,"content":5467},{},[5468],{"nodeType":1294,"data":5469,"content":5470},{},[5471],{"nodeType":1293,"value":5472,"marks":5473,"data":5474},"Scanning employee email inboxes for key phrases like, “Thanks for signing up for [app]”",[],{},{"nodeType":1383,"data":5476,"content":5477},{},[5478],{"nodeType":1294,"data":5479,"content":5480},{},[5481],{"nodeType":1293,"value":5482,"marks":5483,"data":5484},"And, unfortunately, when something has already gone wrong and they’re asked to respond to an incident on a SaaS platform",[],{},{"nodeType":1294,"data":5486,"content":5487},{},[5488,5491,5497],{"nodeType":1293,"value":4556,"marks":5489,"data":5490},[],{},{"nodeType":1293,"value":5492,"marks":5493,"data":5496},"security is getting visibility too late to be of much 
value",[5494,5495],{"type":312},{"type":1599},{},{"nodeType":1293,"value":5498,"marks":5499,"data":5500},". As I mentioned earlier, once a team has been using an app (even on a free tier) for a year, it’s a huge challenge for Security to convince them to move to a more secure app or to consolidate apps when they find multiple teams using very similar apps. ",[],{},{"nodeType":1294,"data":5502,"content":5503},{},[5504,5509],{"nodeType":1293,"value":5505,"marks":5506,"data":5508},"This intervention needs to happen very early - long before finance is involved - in order to make a positive impact.",[5507],{"type":312},{},{"nodeType":1293,"value":2867,"marks":5510,"data":5511},[],{},{"nodeType":1294,"data":5513,"content":5514},{},[5515],{"nodeType":1293,"value":5516,"marks":5517,"data":5518},"Incident Response is necessary, of course, when a SaaS account is breached, but cannot recover the lost data after a successful attack. ",[],{},{"nodeType":1294,"data":5520,"content":5521},{},[5522],{"nodeType":1293,"value":5523,"marks":5524,"data":5525},"All of this obviously poses a problem from an IT and security standpoint. Don’t sound the alarms yet, though, there’s a way to regain some control over your corporate data without having to play bad cop with your entire company.",[],{},{"nodeType":5527,"data":5528,"content":5529},"hr",{},[],{"nodeType":1322,"data":5531,"content":5532},{},[5533],{"nodeType":1293,"value":5534,"marks":5535,"data":5536},"First steps to reclaiming control",[],{},{"nodeType":1294,"data":5538,"content":5539},{},[5540],{"nodeType":1293,"value":5541,"marks":5542,"data":5543},"This is a very high-level take on where to start when it comes to SaaS sprawl and security and building out a strong SaaS and cloud security program. But, it’s a start!",[],{},{"nodeType":1445,"data":5545,"content":5546},{},[5547],{"nodeType":1293,"value":5548,"marks":5549,"data":5550},"1. 
Shift your perspective ",[],{},{"nodeType":1294,"data":5552,"content":5553},{},[5554],{"nodeType":1293,"value":5555,"marks":5556,"data":5557},"To regain visibility and control, you need to work with employees, rather than focusing on blocking them from their favorite tools.",[],{},{"nodeType":1294,"data":5559,"content":5560},{},[5561],{"nodeType":1293,"value":5562,"marks":5563,"data":5564},"You can rein this in, but you must shift from the old way of thinking - you can no longer be the “Department of No” and have to shift to becoming the “Department of Yes, Unless….”",[],{},{"nodeType":1445,"data":5566,"content":5567},{},[5568],{"nodeType":1293,"value":5569,"marks":5570,"data":5571},"2. Get in early",[],{},{"nodeType":1294,"data":5573,"content":5574},{},[5575],{"nodeType":1293,"value":5576,"marks":5577,"data":5578},"Do yourself a favor and buy yourself time to do due diligence on the multiple SaaS applications employees sign up for on their own. ",[],{},{"nodeType":1294,"data":5580,"content":5581},{},[5582],{"nodeType":1293,"value":5583,"marks":5584,"data":5585},"Getting involved before an employee or team is fully reliant on an app is the best way to make a positive impact on your SaaS security posture.",[],{},{"nodeType":1294,"data":5587,"content":5588},{},[5589],{"nodeType":1293,"value":5590,"marks":5591,"data":5592},"To do this, you need…",[],{},{"nodeType":1445,"data":5594,"content":5595},{},[5596],{"nodeType":1293,"value":5597,"marks":5598,"data":5599},"3. Get real-time visibility into the SaaS and cloud apps your employees are signing up for",[],{},{"nodeType":1294,"data":5601,"content":5602},{},[5603],{"nodeType":1293,"value":5604,"marks":5605,"data":5606},"This can be a noisy mess, but it doesn’t have to be. Look for solutions with options that work with your existing workflow. 
Tools that send a ChatOps message to security whenever an employee signs up for a new app are a great start.",[],{},{"nodeType":1294,"data":5608,"content":5609},{},[5610],{"nodeType":1293,"value":5611,"marks":5612,"data":5613},"To cut through the noise, rely on a SaaS security solution that also provides security-relevant information that tells you when you should dig into an app further or when an app only poses minimal risk and can be ignored.",[],{},{"nodeType":1445,"data":5615,"content":5616},{},[5617],{"nodeType":1293,"value":5618,"marks":5619,"data":5620},"4. Find and fix account security issues at the same time",[],{},{"nodeType":1294,"data":5622,"content":5623},{},[5624],{"nodeType":1293,"value":5625,"marks":5626,"data":5627},"We suggest you focus on account security issues since this is where the attacks are happening - at the account level. ",[],{},{"nodeType":1294,"data":5629,"content":5630},{},[5631],{"nodeType":1293,"value":5632,"marks":5633,"data":5634},"Getting SaaS visibility is crucial, but it’s not useful if the data leads to false positives. Tracking down cloud apps that aren’t actually in use is a massive waste of your time.",[],{},{"nodeType":1294,"data":5636,"content":5637},{},[5638,5642,5647],{"nodeType":1293,"value":5639,"marks":5640,"data":5641},"To get the most accurate visibility into shadow SaaS, consider a browser extension. Why, yes, we ",[],{},{"nodeType":1293,"value":5643,"marks":5644,"data":5646},"are ",[5645],{"type":312},{},{"nodeType":1293,"value":5648,"marks":5649,"data":5650},"biased! But we built our product on top of a combo of API data and browser data because that’s where employees are accessing and signing up for their SaaS and cloud apps. 
",[],{},{"nodeType":1294,"data":5652,"content":5653},{},[5654,5658,5666],{"nodeType":1293,"value":5655,"marks":5656,"data":5657},"We dig into this SaaS discovery data source topic in much more detail ",[],{},{"nodeType":1554,"data":5659,"content":5661},{"uri":5660},"https://pushsecurity.com/blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser/",[5662],{"nodeType":1293,"value":4642,"marks":5663,"data":5665},[5664],{"type":1562},{},{"nodeType":1293,"value":5667,"marks":5668,"data":5669},", so that’s worth a read when you’re ready to start prioritizing SaaS security and evaluating solutions. ",[],{},{"nodeType":1445,"data":5671,"content":5672},{},[5673],{"nodeType":1293,"value":5674,"marks":5675,"data":5676},"5. Work with employees to reduce the burden on your security team ",[],{},{"nodeType":1294,"data":5678,"content":5679},{},[5680],{"nodeType":1293,"value":5681,"marks":5682,"data":5683},"No, you don’t want employees making security decisions, but you will need to find a way to help them secure the SaaS accounts they have at a user-level.",[],{},{"nodeType":1379,"data":5685,"content":5686},{},[5687,5697],{"nodeType":1383,"data":5688,"content":5689},{},[5690],{"nodeType":1294,"data":5691,"content":5692},{},[5693],{"nodeType":1293,"value":5694,"marks":5695,"data":5696},"To keep up with the scale of SaaS adoption and SaaS sprawl in your attack surface, which will continue to grow weekly, you’ll need to automate the information-gathering part of the process. ",[],{},{"nodeType":1383,"data":5698,"content":5699},{},[5700],{"nodeType":1294,"data":5701,"content":5702},{},[5703],{"nodeType":1293,"value":5704,"marks":5705,"data":5706},"When possible, equip employees to self-remediate issues and complete tasks (like signing up for MFA in the app) that your team would otherwise have to do. 
",[],{},{"nodeType":1294,"data":5708,"content":5709},{},[5710],{"nodeType":1293,"value":37,"marks":5711,"data":5712},[],{},{"entries":5714},{"hyperlink":5715,"inline":5716,"block":5717},[],[],[5718,5727,5736],{"sys":5719,"__typename":5720,"title":5721,"caption":5722,"layoutMode":118,"file":5723},{"id":1620},"Image","New way of procuring software due to PLG","The new way of procuring software due to PLG",{"url":5724,"width":5725,"height":5726},"https://images.ctfassets.net/y1cdw1ablpvd/1bwMESg7gXQ5XsSYJax69u/664c3d2a124535c98c68e6d20432ce02/image__32_.png",1412,634,{"sys":5728,"__typename":5720,"title":5729,"caption":5730,"layoutMode":5731,"file":5732},{"id":1572},"PLG apps ","all those highlighted buttons are pure PLG, thanks Wes!","Centre aligned",{"url":5733,"width":5734,"height":5735},"https://images.ctfassets.net/y1cdw1ablpvd/MV2eQBx7w1P93Iy1bUKVZ/c4145800c0d7bd807a355c776b830cc0/image9.png",1999,662,{"sys":5737,"__typename":5720,"title":5738,"caption":5739,"layoutMode":5731,"file":5740},{"id":1640},"Security apps aren't PLG","Security apps definitely aren't PLG",{"url":5741,"width":5742,"height":5743},"https://images.ctfassets.net/y1cdw1ablpvd/5YlsuwLiMkAh8cGII7XKMK/0c3399eb63990cb92dd813bdd2ba0b52/image6.png",1864,718,"content:blog:free-and-trial-saas-applications-are-even-riskier-than-paid-apps.json","json","content","blog/free-and-trial-saas-applications-are-even-riskier-than-paid-apps.json","blog/free-and-trial-saas-applications-are-even-riskier-than-paid-apps",1776359991736]