[{"data":1,"prerenderedAt":3437},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/manage-saas-risks-without-hindering-employees":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":2799,"content":2803,"_id":3432,"_type":3433,"_source":3434,"_file":3435,"_stem":3436,"_extension":3433},"/blog/manage-saas-risks-without-hindering-employees","blog",{"id":1280,"publishedAt":1281},"3PqX7fLrTIYhWjbEhHSRHG","2024-10-01T12:37:37.860Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"In this post, we're focusing on what to do after you've unearthed all the SaaS apps employees are using. SaaS discovery is only part of the process. What happens next is what leads to actual security improvements.","text","paragraph","document","5 steps to manage the risk of unsanctioned SaaS ","Manage the risk of unsanctioned SaaS in 5 steps","Learn some lightweight ways to manage the risks SaaS introduces without relying on restrictive policies that block employees from using their preferred tools.","2022-08-11T00:00:00.000Z","manage-saas-risks-without-hindering-employees",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"sys":1308,"name":1310},{"id":1309},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1312},[1313,1922,2398],{"__typename":1314,"sys":1315,"content":1317,"title":1896,"synopsis":1897,"hashTags":1898,"publishedDate":1904,"slug":1905,"tagsCollection":1906,"authorsCollection":1914},"BlogPosts",{"id":1316},"45iZ69EdPF4629gZ6yf7p5",{"json":1318},{"data":1319,"content":1320,"nodeType":1295},{},[1321,1328,1335,1343,1350,1357,1382,1389,1396,1403,1410,1422,1429,1469,1494,1501,1508,1525,1532,1539,1555,1562,1570,1586,1593,1600,1607,1615,1622,1629,1636,1666,1731,1738,1745,1752,1768,1776,1792,1799,1811,1818,1839,1848,1865],{"data":1322,"content":1323,"nodeType":1294},{},[1324],{"data":1325,"marks":1326,"value":1327,"nodeType":1293},{},[],"Over the past few years, there’s been massive growth in the number of SaaS apps used for work. With that comes new challenges – how do you allow employees to take advantage of all the SaaS the world has to offer without locking it all down and stifling innovation? How do you figure out if you can trust all these new third parties with access to your data? Well, the first step is figuring out which apps employees are actually using, so that’s where we’re starting.",{"data":1329,"content":1330,"nodeType":1294},{},[1331],{"data":1332,"marks":1333,"value":1334,"nodeType":1293},{},[],"We’ve compiled a list of various options and approaches we’ve seen people take to SaaS discovery, each with their own pros and cons. ",{"data":1336,"content":1337,"nodeType":1342},{},[1338],{"data":1339,"marks":1340,"value":1341,"nodeType":1293},{},[],"Why is SaaS discovery so hard?","heading-1",{"data":1344,"content":1345,"nodeType":1294},{},[1346],{"data":1347,"marks":1348,"value":1349,"nodeType":1293},{},[],"\nSomething to note straight off the bat is that with all the data-driven approaches we’re about to cover, you have to know how to extract SaaS use out of that data. That’s one of the reasons SaaS discovery is so hard. With the roll-your-own approaches in this post, you’ll be able to identify some common apps (like Trello, Slack, Dropbox, etc.), but what about all the new or lesser-known apps? Unfortunately, trying to keep track of all the SaaS apps that are available to employees is really difficult. There’s not really a great master list available on the Internet for you to cross-reference with your data.",{"data":1351,"content":1352,"nodeType":1294},{},[1353],{"data":1354,"marks":1355,"value":1356,"nodeType":1293},{},[],"That means that all of these roll-your-own approaches are dependent on you knowing what you’re looking for. If you must know what SaaS you’re looking for in order to determine if an asset is actually a SaaS app, you’re going to be left with quite a few blindspots given there seem to be new apps launching every day. ",{"data":1358,"content":1359,"nodeType":1294},{},[1360,1364,1369,1373,1378],{"data":1361,"marks":1362,"value":1363,"nodeType":1293},{},[],"The second hurdle with a roll-your-own discovery approach is differentiating between SaaS ",{"data":1365,"marks":1366,"value":1368,"nodeType":1293},{},[1367],{"type":312},"access",{"data":1370,"marks":1371,"value":1372,"nodeType":1293},{},[]," and SaaS ",{"data":1374,"marks":1375,"value":1377,"nodeType":1293},{},[1376],{"type":312},"usage",{"data":1379,"marks":1380,"value":1381,"nodeType":1293},{},[],". Just because an employee accesses a SaaS website, it doesn’t mean they’re using their app. Most of the data sources will produce a ton of domains, IPs, etc. for you to sift through, but differentiating access and usage based on this information alone will produce a large number of false positives unless you can correlate it with other data sources (we suggest some below). You will likely also want to know things like exactly who the users, owners and administrators of the app are which will be all but impossible from this “access” data alone.",{"data":1383,"content":1384,"nodeType":1294},{},[1385],{"data":1386,"marks":1387,"value":1388,"nodeType":1293},{},[],"If we ignore for the moment the difficulties in extracting information about SaaS usage, let’s run through your options for data sources and see which ones will give you the most useful data.",{"data":1390,"content":1391,"nodeType":1342},{},[1392],{"data":1393,"marks":1394,"value":1395,"nodeType":1293},{},[],"Collecting financial records",{"data":1397,"content":1398,"nodeType":1294},{},[1399],{"data":1400,"marks":1401,"value":1402,"nodeType":1293},{},[],"Looking through invoices can provide some visibility into paid SaaS apps, which is probably the lowest false positive data source. However, there are blind spots - you won’t see any free tier or trial accounts, nor will you get any useful business context about who’s using it, how they’re using it, if logins are secure, and what data it has access to. That said, it’s a quick and dirty way to get a partial view of SaaS usage, and might be the best place to start.",{"data":1404,"content":1405,"nodeType":1342},{},[1406],{"data":1407,"marks":1408,"value":1409,"nodeType":1293},{},[],"Network-level",{"data":1411,"content":1412,"nodeType":1294},{},[1413,1417],{"data":1414,"marks":1415,"value":1416,"nodeType":1293},{},[],"\n",{"data":1418,"marks":1419,"value":1421,"nodeType":1293},{},[1420],{"type":312},"Summary: Network level data is the standard old-school approach. If you already have great network monitoring in place it provides fairly broad visibility. There are some very key limitations especially around inferring usage from access, as well as outside the office visibility problems.",{"data":1423,"content":1424,"nodeType":1294},{},[1425],{"data":1426,"marks":1427,"value":1428,"nodeType":1293},{},[],"SaaS apps are accessed over a network - and so that seems like a sensible place to start looking for them. What if we just tried looking for all users accessing a SaaS app’s website? Let’s say we want to see if anyone is using e.g. Dropbox, so we do a Google search for all Dropbox domains and we find Dropbox.com, and a few regional domains as well. We then set about finding employees accessing those domains in our network logs - simple! Perhaps not so much…",{"data":1430,"content":1431,"nodeType":1294},{},[1432,1436,1440,1444,1449,1453,1457,1461,1465],{"data":1433,"marks":1434,"value":1435,"nodeType":1293},{},[],"As we mentioned in the intro, the best outcome you can hope for is to uncover SaaS ",{"data":1437,"marks":1438,"value":1368,"nodeType":1293},{},[1439],{"type":312},{"data":1441,"marks":1442,"value":1443,"nodeType":1293},{},[],", not ",{"data":1445,"marks":1446,"value":1448,"nodeType":1293},{},[1447],{"type":312},"usage.",{"data":1450,"marks":1451,"value":1452,"nodeType":1293},{},[]," This might seem like a subtle difference, but SaaS usage is what you want to find, not just information about which employees visited a SaaS website. If you’re looking at all app ",{"data":1454,"marks":1455,"value":1368,"nodeType":1293},{},[1456],{"type":312},{"data":1458,"marks":1459,"value":1460,"nodeType":1293},{},[],", you’ll wind up with a massive list of SaaS, with only a portion of it indicating SaaS ",{"data":1462,"marks":1463,"value":1377,"nodeType":1293},{},[1464],{"type":312},{"data":1466,"marks":1467,"value":1468,"nodeType":1293},{},[],".",{"data":1470,"content":1471,"nodeType":1294},{},[1472,1476,1481,1485,1490],{"data":1473,"marks":1474,"value":1475,"nodeType":1293},{},[],"Since you can’t discover app ",{"data":1477,"marks":1478,"value":1480,"nodeType":1293},{},[1479],{"type":312},"usage ",{"data":1482,"marks":1483,"value":1484,"nodeType":1293},{},[],"with network data, you’d have to tie network traffic to a single employee to identify the user, then reach out to each employee to understand the business context of how they’re using the app. A network data approach can work ",{"data":1486,"marks":1487,"value":1489,"nodeType":1293},{},[1488],{"type":312},"if",{"data":1491,"marks":1492,"value":1493,"nodeType":1293},{},[]," you have time to get that context by asking employees if they’re using the SaaS detected or by corroborating your findings with subscription invoices from the finance team. ",{"data":1495,"content":1496,"nodeType":1294},{},[1497],{"data":1498,"marks":1499,"value":1500,"nodeType":1293},{},[],"A few ways to collect SaaS data on the network level are ingesting firewall, web proxy and DNS and VPN logs. These inputs can give you some additional visibility into SaaS access, but you may still be left with significant blind spots to actual usage if you assume it all takes place on the corporate network using a VPN. It’s also a painfully tedious process. That said, a manual process still is better than having no SaaS visibility at all. ",{"data":1502,"content":1503,"nodeType":1342},{},[1504],{"data":1505,"marks":1506,"value":1507,"nodeType":1293},{},[],"Endpoint-level",{"data":1509,"content":1510,"nodeType":1294},{},[1511,1516,1520],{"data":1512,"marks":1513,"value":1515,"nodeType":1293},{},[1514],{"type":312},"Summary: Endpoint",{"data":1517,"marks":1518,"value":1519,"nodeType":1293},{},[]," ",{"data":1521,"marks":1522,"value":1524,"nodeType":1293},{},[1523],{"type":312},"data is hard to get, and of limited value. However, it may be useful if you already have this data available in a SIEM or if it’s otherwise easy to query.",{"data":1526,"content":1527,"nodeType":1294},{},[1528],{"data":1529,"marks":1530,"value":1531,"nodeType":1293},{},[],"Perhaps we’ll get closer to what we need (usage data instead of just access data and a low false positive rate) if we move up a level and get closer to the users? Users are going to be accessing the SaaS apps through some kind of endpoint and there are some things you could use to do discovery if you have some monitoring capability on that endpoint.",{"data":1533,"content":1534,"nodeType":1294},{},[1535],{"data":1536,"marks":1537,"value":1538,"nodeType":1293},{},[],"For example, many SaaS apps have desktop or mobile clients (thick clients) you install. You could look for e.g. the Slack client, or the OneDrive sync agent installed on the endpoint. However, many users prefer the in-browser version, so they may not have even installed the thick client and you wouldn’t see their usage by looking at their endpoint data. ",{"data":1540,"content":1541,"nodeType":1294},{},[1542,1546,1551],{"data":1543,"marks":1544,"value":1545,"nodeType":1293},{},[],"All the good data, the application level data, is in the browser, which is technically on the endpoint but not really accessible ",{"data":1547,"marks":1548,"value":1550,"nodeType":1293},{},[1549],{"type":312},"through the endpoint",{"data":1552,"marks":1553,"value":1554,"nodeType":1293},{},[]," without doing something very hacky. Perhaps we need to go a level deeper - either closer to the application or get inside the browser.",{"data":1556,"content":1557,"nodeType":1342},{},[1558],{"data":1559,"marks":1560,"value":1561,"nodeType":1293},{},[],"Application-level",{"data":1563,"content":1564,"nodeType":1294},{},[1565],{"data":1566,"marks":1567,"value":1569,"nodeType":1293},{},[1568],{"type":312},"Summary: Application level integrations are very useful for discovering unsanctioned SaaS apps that are integrated with the SaaS apps you already know about. But when used in isolation, they have massive blind spots. Application-level data is also a goldmine for finding out how securely employees use the app.",{"data":1571,"content":1572,"nodeType":1294},{},[1573,1577,1582],{"data":1574,"marks":1575,"value":1576,"nodeType":1293},{},[],"Focusing on the SaaS app directly makes a lot of sense if you need to get really high quality usage data. The challenge is that you need to integrate with the SaaS app to get at this data. And you can’t just integrate with an app like Slack or Trello. In general, these integrations must be within a specific account or tenant that your employees are using if you want to see any of their usage or security data. So, if you must already know about the tenant to discover the SaaS - is this approach useless for detecting unknown SaaS? Maybe, ",{"data":1578,"marks":1579,"value":1581,"nodeType":1293},{},[1580],{"type":312},"but ",{"data":1583,"marks":1584,"value":1585,"nodeType":1293},{},[],"there are some very useful edge cases.",{"data":1587,"content":1588,"nodeType":1294},{},[1589],{"data":1590,"marks":1591,"value":1592,"nodeType":1293},{},[],"For instance, integrations with SaaS apps that are known and sanctioned can be very useful, especially with those apps that are identity providers, like Microsoft Azure/365 and Google Workspace. Lots of SaaS apps let users login with another SaaS app, which is called social login or sometimes single sign-on (SSO). When a user does “login using Google” on Salesforce using their corporate Google account, they are actually integrating (in a very limited way) Salesforce with Google Workspace. If you have application-level access (normally by calling the APIs) to known SaaS apps, you can discover these social logins (among other) integrations with other SaaS apps. These SaaS-to-SaaS links then become very useful as a discovery mechanism.",{"data":1594,"content":1595,"nodeType":1294},{},[1596],{"data":1597,"marks":1598,"value":1599,"nodeType":1293},{},[],"Something else to keep in mind, application-level access to known SaaS can also be incredibly useful for security beyond simple SaaS discovery. You could check authentication controls, like which users don’t have MFA enabled, sharing settings (perhaps the SaaS allows you to share documents publicly), unusual login events, other anomalous behavior, and so on. ",{"data":1601,"content":1602,"nodeType":1342},{},[1603],{"data":1604,"marks":1605,"value":1606,"nodeType":1293},{},[],"Browser-level  ",{"data":1608,"content":1609,"nodeType":1294},{},[1610],{"data":1611,"marks":1612,"value":1614,"nodeType":1293},{},[1613],{"type":312},"Summary: Browser data is as good as you can get for SaaS discovery, but with the downside that you must build and deploy a browser extension to get at it.",{"data":1616,"content":1617,"nodeType":1294},{},[1618],{"data":1619,"marks":1620,"value":1621,"nodeType":1293},{},[],"What if I told you, you could get application level usage-data beyond what events the applications expose through their APIs without needing to know about the app first or fighting network encryption? The other methods in this guide allow you to get at the data using normal log processing techniques, SIEM queries, or even hacky scripts that call APIs, but there’s one reasonable option for SaaS discovery.",{"data":1623,"content":1624,"nodeType":1294},{},[1625],{"data":1626,"marks":1627,"value":1628,"nodeType":1293},{},[],"The only real viable way to get at this SaaS usage data is through a browser extension. The big hurdle with this approach is that browser extensions require you to develop an extension and a backend where it can send data…AND you need to deploy that extension to all employees. ",{"data":1630,"content":1631,"nodeType":1294},{},[1632],{"data":1633,"marks":1634,"value":1635,"nodeType":1293},{},[],"Deploying that browser extension might be as simple as setting the extension to default install itself in all managed browsers - that’s possible if you’re using Google Workspace. In other environments, it may be a bit more of a challenge. Fortunately, browser extensions don’t have the complexity of normal endpoint agents. They don’t have runtime dependencies, aren’t platform dependent, don’t need admin permissions to install, have automatic update mechanisms built-in, and don’t affect performance. At the end of the day, they’re just a special piece of JavaScript running in the browser.",{"data":1637,"content":1638,"nodeType":1294},{},[1639,1643,1649,1653,1662],{"data":1640,"marks":1641,"value":1642,"nodeType":1293},{},[],"If you ",{"data":1644,"marks":1645,"value":1648,"nodeType":1293},{},[1646],{"type":1647},"bold","are",{"data":1650,"marks":1651,"value":1652,"nodeType":1293},{},[]," able to get access to the data in the browser (spoiler alert: we provide an easy - and free - out-of-the-box ",{"data":1654,"content":1656,"nodeType":1661},{"uri":1655},"/features/saas-discovery/",[1657],{"data":1658,"marks":1659,"value":1660,"nodeType":1293},{},[],"browser extension for SaaS discovery","hyperlink",{"data":1663,"marks":1664,"value":1665,"nodeType":1293},{},[],"), there is almost limitless scope to what you can do with this data. You can observe not only access to SaaS websites, you can also see:",{"data":1667,"content":1668,"nodeType":1730},{},[1669,1680,1690,1700,1710,1720],{"data":1670,"content":1671,"nodeType":1679},{},[1672],{"data":1673,"content":1674,"nodeType":1294},{},[1675],{"data":1676,"marks":1677,"value":1678,"nodeType":1293},{},[],"the user login,","list-item",{"data":1681,"content":1682,"nodeType":1679},{},[1683],{"data":1684,"content":1685,"nodeType":1294},{},[1686],{"data":1687,"marks":1688,"value":1689,"nodeType":1293},{},[],"whether that login was successful,",{"data":1691,"content":1692,"nodeType":1679},{},[1693],{"data":1694,"content":1695,"nodeType":1294},{},[1696],{"data":1697,"marks":1698,"value":1699,"nodeType":1293},{},[],"whether they used MFA to login, ",{"data":1701,"content":1702,"nodeType":1679},{},[1703],{"data":1704,"content":1705,"nodeType":1294},{},[1706],{"data":1707,"marks":1708,"value":1709,"nodeType":1293},{},[],"which email they used to login, ",{"data":1711,"content":1712,"nodeType":1679},{},[1713],{"data":1714,"content":1715,"nodeType":1294},{},[1716],{"data":1717,"marks":1718,"value":1719,"nodeType":1293},{},[],"whether they are the owner/administrator of the SaaS app tenant, and ",{"data":1721,"content":1722,"nodeType":1679},{},[1723],{"data":1724,"content":1725,"nodeType":1294},{},[1726],{"data":1727,"marks":1728,"value":1729,"nodeType":1293},{},[],"all their behavior and settings in the app. ","unordered-list",{"data":1732,"content":1733,"nodeType":1294},{},[1734],{"data":1735,"marks":1736,"value":1737,"nodeType":1293},{},[],"Best of all, there is no need to stream all this data to a single collection point where it becomes a privacy nightmare. By writing rules in the extension to look for specific issues, you can flag only security relevant events, redacted or anonymized as far as makes sense. You can even limit the scope to only monitor the app use when the employee logs into the SaaS app using their work account to further avoid employee privacy concerns. ",{"data":1739,"content":1740,"nodeType":1294},{},[1741],{"data":1742,"marks":1743,"value":1744,"nodeType":1293},{},[],"There’s a quick and easy solution to get the best out of the application and browser data approaches we’ve written about in the last two sections - and that’s with our free tool.",{"data":1746,"content":1747,"nodeType":1342},{},[1748],{"data":1749,"marks":1750,"value":1751,"nodeType":1293},{},[],"How can Push help?",{"data":1753,"content":1754,"nodeType":1294},{},[1755,1759,1764],{"data":1756,"marks":1757,"value":1758,"nodeType":1293},{},[],"We found that the most comprehensive approach is to collect data from ",{"data":1760,"marks":1761,"value":1763,"nodeType":1293},{},[1762],{"type":312},"both ",{"data":1765,"marks":1766,"value":1767,"nodeType":1293},{},[],"the application and browser level to give you full visibility and actionable security information. With our browser extension, we get full breadth of coverage so you can discover all SaaS usage and with our APIs, you get the depth of coverage you need to understand how employees are using SaaS and if they’re doing so securely. Our combined approach captures SaaS logins and adoption, in real-time, and provides the best visibility and context for security teams. ",{"data":1769,"content":1770,"nodeType":1775},{},[1771],{"data":1772,"marks":1773,"value":1774,"nodeType":1293},{},[],"Fixing SaaS security issues automatically by partnering with employees  ","heading-2",{"data":1777,"content":1778,"nodeType":1294},{},[1779,1783,1788],{"data":1780,"marks":1781,"value":1782,"nodeType":1293},{},[],"\nWhat we then do with that data is where the magic happens… we can automatically guide employees via ChatOps (Slack and Teams for now, more to come!) to improve SaaS security. Some of those messages will help us enrich our data by asking employees questions they’ll actually know the answers to (",{"data":1784,"marks":1785,"value":1787,"nodeType":1293},{},[1786],{"type":312},"“You logged into Slack from Mexico just now. Are you in Mexico?”",{"data":1789,"marks":1790,"value":1791,"nodeType":1293},{},[],"), which provides you with a good snapshot of SaaS usage in your business and lets you make informed security decisions about SaaS use to better manage risks.",{"data":1793,"content":1794,"nodeType":1294},{},[1795],{"data":1796,"marks":1797,"value":1798,"nodeType":1293},{},[],"Employees can also make immediate improvements to your overall security posture. In case you’re curious about what that looks like, some of the prompts we push to employees are things like: ",{"data":1800,"content":1801,"nodeType":1294},{},[1802,1807],{"data":1803,"marks":1804,"value":1806,"nodeType":1293},{},[1805],{"type":312},"“We noticed this SaaS app you’re using has access to all your emails, are you still using it?” Y/N.",{"data":1808,"marks":1809,"value":1810,"nodeType":1293},{},[]," If not, they can click a button to remove it and you’ll get an immediate reduction of your attack surface. ",{"data":1812,"content":1813,"nodeType":1294},{},[1814],{"data":1815,"marks":1816,"value":1817,"nodeType":1293},{},[],"Or ",{"data":1819,"content":1820,"nodeType":1294},{},[1821,1826,1830,1835],{"data":1822,"marks":1823,"value":1825,"nodeType":1293},{},[1824],{"type":312},"“It looks like you’re not using MFA for your account on this SaaS app. Can we get this set up really quickly?”",{"data":1827,"marks":1828,"value":1829,"nodeType":1293},{},[]," or “",{"data":1831,"marks":1832,"value":1834,"nodeType":1293},{},[1833],{"type":312},"An app you installed called ‘Dropbox’ is not the official Dropbox app, click here to remove it and install the verified app instead.”",{"data":1836,"marks":1837,"value":1838,"nodeType":1293},{},[]," ",{"data":1840,"content":1846,"nodeType":1847},{"target":1841},{"sys":1842},{"id":1843,"type":1844,"linkType":1845},"27MpbzErmDfAC3bA4dBibv","Link","Entry",[],"embedded-entry-block",{"data":1849,"content":1850,"nodeType":1294},{},[1851,1855,1862],{"data":1852,"marks":1853,"value":1854,"nodeType":1293},{},[],"If you’re interested in learning more, check out how we can ",{"data":1856,"content":1857,"nodeType":1661},{"uri":1655},[1858],{"data":1859,"marks":1860,"value":1861,"nodeType":1293},{},[],"help you discover SaaS use and secure it",{"data":1863,"marks":1864,"value":1468,"nodeType":1293},{},[],{"data":1866,"content":1867,"nodeType":1294},{},[1868,1872,1880,1884,1892],{"data":1869,"marks":1870,"value":1871,"nodeType":1293},{},[],"We’ll also be publishing a SaaS Discovery Evaluation Guide that will explore all the off-the-shelf tools you may consider and evaluate which one is the best fit for your needs as this really does depend on your tech stack. In that, we’ll share our experiences with those products and discuss what additional coverage and context they can provide, as well as where they fall short. Subscribe to our mailing list and follow us on ",{"data":1873,"content":1875,"nodeType":1661},{"uri":1874},"https://twitter.com/PushSecurity",[1876],{"data":1877,"marks":1878,"value":1879,"nodeType":1293},{},[],"Twitter @pushsecurity",{"data":1881,"marks":1882,"value":1883,"nodeType":1293},{},[]," or ",{"data":1885,"content":1887,"nodeType":1661},{"uri":1886},"https://www.linkedin.com/company/push-security",[1888],{"data":1889,"marks":1890,"value":1891,"nodeType":1293},{},[],"LinkedIn",{"data":1893,"marks":1894,"value":1895,"nodeType":1293},{},[]," to get a head’s up when that’s live so you can have a read.","How to roll-your-own SaaS discovery","We’ve compiled some methods for discovering SaaS. Lets explore each approach and learn new ways to discover unknown SaaS, capture SaaS use, and secure it.",[1899,1900,1901,1902,1903],"itassetdiscovery","saassecurity","saasdiscovery","sass","cloudfirst","2022-05-03T00:00:00.000+01:00","rolling-your-own-saas-discovery",{"items":1907},[1908,1910],{"sys":1909,"name":1306},{"id":1305},{"sys":1911,"name":1913},{"id":1912},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1915},[1916],{"fullName":1917,"firstName":1918,"jobTitle":1919,"profilePicture":1920},"Jacques Louw","Jacques","Co-founder / CRO",{"url":1921},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":1314,"sys":1923,"content":1925,"title":2378,"synopsis":2379,"hashTags":118,"publishedDate":2380,"slug":2381,"tagsCollection":2382,"authorsCollection":2390},{"id":1924},"6yiDFGYTMw79qmErstqRqp",{"json":1926},{"data":1927,"content":1928,"nodeType":1295},{},[1929,1963,1967,1974,1981,1987,1994,2010,2017,2024,2044,2103,2106,2113,2184,2200,2207,2214,2234,2241,2262,2269,2276,2283,2290,2297,2304,2310,2317,2324,2340,2343,2361],{"data":1930,"content":1931,"nodeType":1294},{},[1932,1936,1946,1950,1959],{"data":1933,"marks":1934,"value":1935,"nodeType":1293},{},[],"Despite measures by Microsoft to address the issue, ",{"data":1937,"content":1939,"nodeType":1661},{"uri":1938},"https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/",[1940],{"data":1941,"marks":1942,"value":1945,"nodeType":1293},{},[1943],{"type":1944},"underline","consent phishing is still on the rise",{"data":1947,"marks":1948,"value":1949,"nodeType":1293},{},[],". (Not sure what consent phishing is? ",{"data":1951,"content":1953,"nodeType":1661},{"uri":1952},"https://pushsecurity.com/blog/consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa/",[1954],{"data":1955,"marks":1956,"value":1958,"nodeType":1293},{},[1957],{"type":1944},"Read more here",{"data":1960,"marks":1961,"value":1962,"nodeType":1293},{},[],"). Although prevention is best, how do you check this hasn’t already happened? ",{"data":1964,"content":1965,"nodeType":1966},{},[],"hr",{"data":1968,"content":1969,"nodeType":1294},{},[1970],{"data":1971,"marks":1972,"value":1973,"nodeType":1293},{},[],"First, a bit of background on how OAuth apps work in Microsoft 365.",{"data":1975,"content":1976,"nodeType":1294},{},[1977],{"data":1978,"marks":1979,"value":1980,"nodeType":1293},{},[],"When you install an OAuth app in Microsoft 365, you see something like the familiar consent screen below, which shows the app's name and the permissions it's asking for. Once you've given your consent, behind the scenes a “service principal” is created in your tenant - this is your instance of the app. When the app does whatever the app is supposed to do (e.g. inspect your calendar, manage your to-do list etc.), it does it via this service principal.",{"data":1982,"content":1986,"nodeType":1847},{"target":1983},{"sys":1984},{"id":1985,"type":1844,"linkType":1845},"6nPueTKEjLphqlytbQ0gcx",[],{"data":1988,"content":1989,"nodeType":1294},{},[1990],{"data":1991,"marks":1992,"value":1993,"nodeType":1293},{},[],"The app is able to authenticate to do this using a token that it is sent during the consent process. If you look closely at the URL you visit to get to the consent screen (example below), you’ll see there is a reply URL parameter - this is telling Microsoft where to send the token when a user consents:",{"data":1995,"content":1996,"nodeType":1294},{},[1997,2001,2006],{"data":1998,"marks":1999,"value":2000,"nodeType":1293},{},[],"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=\u003Cclient_id>&response_type=code&",{"data":2002,"marks":2003,"value":2005,"nodeType":1293},{},[2004],{"type":1647},"redirect_uri=https%3A%2F%pushsecurity.com ",{"data":2007,"marks":2008,"value":2009,"nodeType":1293},{},[],"&response_mode=query&scope=https%3A%2F%2Fgraph.microsoft.com%2F calendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send&state=12345",{"data":2011,"content":2012,"nodeType":1294},{},[2013],{"data":2014,"marks":2015,"value":2016,"nodeType":1293},{},[],"The app uses this token to authenticate as the service principal to then do whatever it’s supposed to do. In case your hacker brain is getting ahead of itself, you can’t change the reply URL to any old value to steal tokens. The app developer specifies a list of URLs that are allowed to be used here in the app’s manifest - more on that later.",{"data":2018,"content":2019,"nodeType":1294},{},[2020],{"data":2021,"marks":2022,"value":2023,"nodeType":1293},{},[],"Until recently, this ecosystem was a bit of a wild west. Although you can publish apps in the official app store, you don’t have to. Attackers were able to create an app on their tenant and then send consent URLs encouraging victims to grant them access, often having great success. ",{"data":2025,"content":2026,"nodeType":1294},{},[2027,2031,2040],{"data":2028,"marks":2029,"value":2030,"nodeType":1293},{},[],"In October 2020, ",{"data":2032,"content":2034,"nodeType":1661},{"uri":2033},"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374",[2035],{"data":2036,"marks":2037,"value":2039,"nodeType":1293},{},[2038],{"type":1944},"Microsoft released “Publisher verification”",{"data":2041,"marks":2042,"value":2043,"nodeType":1293},{},[],", allowing developers to be vetted by Microsoft and get a badge of approval on their consent screens. The following month, Microsoft changed policies so users, by default, weren't allowed to consent to apps that didn't come from a verified publisher. This makes a consent phishing attack much more difficult for attackers who are now left with the following options:",{"data":2045,"content":2046,"nodeType":1730},{},[2047,2070,2093],{"data":2048,"content":2049,"nodeType":1679},{},[2050],{"data":2051,"content":2052,"nodeType":1294},{},[2053,2057,2066],{"data":2054,"marks":2055,"value":2056,"nodeType":1293},{},[],"Find a tenant that allows users to consent to non-verified apps. The default should have been changed for all to not allow this but you can change it back (in case you’re curious, ",{"data":2058,"content":2060,"nodeType":1661},{"uri":2059},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[2061],{"data":2062,"marks":2063,"value":2065,"nodeType":1293},{},[2064],{"type":1944},"see how to check your own settings here",{"data":2067,"marks":2068,"value":2069,"nodeType":1293},{},[],").",{"data":2071,"content":2072,"nodeType":1679},{},[2073],{"data":2074,"content":2075,"nodeType":1294},{},[2076,2080,2089],{"data":2077,"marks":2078,"value":2079,"nodeType":1293},{},[],"Go through the publisher verification process anyway: the process is ",{"data":2081,"content":2083,"nodeType":1661},{"uri":2082},"https://docs.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview#requirements",[2084],{"data":2085,"marks":2086,"value":2088,"nodeType":1293},{},[2087],{"type":1944},"detailed here",{"data":2090,"marks":2091,"value":2092,"nodeType":1293},{},[],". It’s probably possible to trick but requires mocking a real company which is going to be expensive and hard to scale.",{"data":2094,"content":2095,"nodeType":1679},{},[2096],{"data":2097,"content":2098,"nodeType":1294},{},[2099],{"data":2100,"marks":2101,"value":2102,"nodeType":1293},{},[],"Compromise an already verified publisher: definitely adds cost and complexity to an attack but would be an extremely valuable and effective approach - how much do you trust the security of all your app publishers?",{"data":2104,"content":2105,"nodeType":1966},{},[],{"data":2107,"content":2108,"nodeType":1294},{},[2109],{"data":2110,"marks":2111,"value":2112,"nodeType":1293},{},[],"So let’s look for some malicious apps...",{"data":2114,"content":2115,"nodeType":1294},{},[2116,2120,2129,2133,2142,2146,2155,2159,2168,2172,2180],{"data":2117,"marks":2118,"value":2119,"nodeType":1293},{},[],"The Azure AD interface to inspect OAuth apps, or service principals, is the ",{"data":2121,"content":2123,"nodeType":1661},{"uri":2122},"https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/",[2124],{"data":2125,"marks":2126,"value":2128,"nodeType":1293},{},[2127],{"type":1944},"Enterprise Applications blade",{"data":2130,"marks":2131,"value":2132,"nodeType":1293},{},[]," but it’s lacking key information you need for this exercise like the reply URLs and publisher status. You might be able to see similar info if you have the licenses for ",{"data":2134,"content":2136,"nodeType":1661},{"uri":2135},"https://docs.microsoft.com/en-gb/cloud-app-security/what-is-cloud-app-security",[2137],{"data":2138,"marks":2139,"value":2141,"nodeType":1293},{},[2140],{"type":1944},"Cloud App Security",{"data":2143,"marks":2144,"value":2145,"nodeType":1293},{},[]," but they’re expensive - you can also get full information about service principals from ",{"data":2147,"content":2149,"nodeType":1661},{"uri":2148},"https://docs.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0",[2150],{"data":2151,"marks":2152,"value":2154,"nodeType":1293},{},[2153],{"type":1944},"Graph API",{"data":2156,"marks":2157,"value":2158,"nodeType":1293},{},[],", or ",{"data":2160,"content":2162,"nodeType":1661},{"uri":2161},"https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadserviceprincipal?view=azps-6.3.0",[2163],{"data":2164,"marks":2165,"value":2167,"nodeType":1293},{},[2166],{"type":1944},"PowerShell",{"data":2169,"marks":2170,"value":2171,"nodeType":1293},{},[]," (is it too early to say that ",{"data":2173,"content":2175,"nodeType":1661},{"uri":2174},"/features/secure-oauth-permissions-and-applications/",[2176],{"data":2177,"marks":2178,"value":2179,"nodeType":1293},{},[],"Push can also solve this problem",{"data":2181,"marks":2182,"value":2183,"nodeType":1293},{},[]," for you in only a few button clicks?)",{"data":2185,"content":2186,"nodeType":1294},{},[2187,2191,2196],{"data":2188,"marks":2189,"value":2190,"nodeType":1293},{},[],"Right off the bat, ",{"data":2192,"marks":2193,"value":2195,"nodeType":1293},{},[2194],{"type":1647},"we can disregard a lot of the information presented by the app",{"data":2197,"marks":2198,"value":2199,"nodeType":1293},{},[],". The app’s name, home page, logo can all be anything an attacker says so if they’re trying to trick a user this will most likely look convincing and legitimate. The best you can do here is sanity check that this app makes sense in the context of your organisation or this user. ",{"data":2201,"content":2202,"nodeType":1294},{},[2203],{"data":2204,"marks":2205,"value":2206,"nodeType":1293},{},[],"So what is useful?",{"data":2208,"content":2209,"nodeType":1775},{},[2210],{"data":2211,"marks":2212,"value":2213,"nodeType":1293},{},[],"What can the app do?",{"data":2215,"content":2216,"nodeType":1294},{},[2217,2221,2230],{"data":2218,"marks":2219,"value":2220,"nodeType":1293},{},[],"Start by prioritising apps by the permissions they’ve been granted. Attackers will often target access to mail, files, or admin functionality so any app that requests these should be subject to more scrutiny and looked at first. As with any security exercise, you’ll know best for what’s sensitive to your organisation so apply that logic here. If you are unsure what a specific permission means, ",{"data":2222,"content":2224,"nodeType":1661},{"uri":2223},"https://docs.microsoft.com/en-us/graph/permissions-reference",[2225],{"data":2226,"marks":2227,"value":2229,"nodeType":1293},{},[2228],{"type":1944},"here's a full reference",{"data":2231,"marks":2232,"value":2233,"nodeType":1293},{},[],". ",{"data":2235,"content":2236,"nodeType":1775},{},[2237],{"data":2238,"marks":2239,"value":2240,"nodeType":1293},{},[],"Access to all data or just specific users?",{"data":2242,"content":2243,"nodeType":1294},{},[2244,2248,2259],{"data":2245,"marks":2246,"value":2247,"nodeType":1293},{},[],"It’s important to understand the difference between app permissions and delegated permissions. In short, app permissions grant tenant-wide access, delegated permissions grant access as the user. For example, if the app permission Mail.Read was granted to an app, it could read everyone’s email. If the delegated permission Mail.Read was granted to an app, it could only read the mail of the person who granted permission. ",{"data":2249,"content":2253,"nodeType":2258},{"target":2250},{"sys":2251},{"id":2252,"type":1844,"linkType":1845},"16568b78-3c85-451f-bb62-9d50148ca1b9",[2254],{"data":2255,"marks":2256,"value":2257,"nodeType":1293},{},[],"Learn more about app vs. delegated permissions here","entry-hyperlink",{"data":2260,"marks":2261,"value":1468,"nodeType":1293},{},[],{"data":2263,"content":2264,"nodeType":1775},{},[2265],{"data":2266,"marks":2267,"value":2268,"nodeType":1293},{},[],"How many users have installed this app?",{"data":2270,"content":2271,"nodeType":1294},{},[2272],{"data":2273,"marks":2274,"value":2275,"nodeType":1293},{},[],"If you are the victim of consent phishing, hopefully the attacker only managed to dupe a small number of users, so common advice would be prioritise apps with a low install count. Although this makes sense, it’s often not that practical since, unless you’ve been running a tight ship, you’ll probably find a lot of apps used by one or two people.",{"data":2277,"content":2278,"nodeType":1294},{},[2279],{"data":2280,"marks":2281,"value":2282,"nodeType":1293},{},[],"On the flip side, app permissions can only be approved by an admin; admins can also consent to delegated permissions on behalf of all users. So apps with these permissions - effectively tenant-wide access - have also probably been approved by only a single user. Hopefully you have more faith in your admins’ ability to spot a phish but you should still treat these as having only been vetted by a single user.",{"data":2284,"content":2285,"nodeType":1775},{},[2286],{"data":2287,"marks":2288,"value":2289,"nodeType":1293},{},[],"Where the tokens go - the thing you can’t spoof",{"data":2291,"content":2292,"nodeType":1294},{},[2293],{"data":2294,"marks":2295,"value":2296,"nodeType":1293},{},[],"The only piece of information an app can’t lie about is its reply URLs. As mentioned above, these are the URLs that Microsoft is allowed to send an access token to when a user consents. If the app publisher doesn’t own these domains, they won’t ever receive their token and they can’t use the app’s access. If you can confirm all the reply URLs specified by the app are legitimately owned by the organisation the app is supposed to be from, you can be fairly confident the app is owned by them.",{"data":2298,"content":2299,"nodeType":1294},{},[2300],{"data":2301,"marks":2302,"value":2303,"nodeType":1293},{},[],"In the interests of keeping this short(er), a guide on domain analysis is probably out of scope. However, here’s a real-world example malicious OAuth app that was pretending to be Salesforce related, using a pretty suspicious looking URL, so you won’t always need deep analysis:",{"data":2305,"content":2309,"nodeType":1847},{"target":2306},{"sys":2307},{"id":2308,"type":1844,"linkType":1845},"1oSdJPeXHsGlAXeX6Q2UOs",[],{"data":2311,"content":2312,"nodeType":1775},{},[2313],{"data":2314,"marks":2315,"value":2316,"nodeType":1293},{},[],"Is it verified? Does it matter?",{"data":2318,"content":2319,"nodeType":1294},{},[2320],{"data":2321,"marks":2322,"value":2323,"nodeType":1293},{},[],"You might be tempted to trust any app that is verified by Microsoft. The stamp of verification is clearly worth something but, as mentioned earlier, don’t discount the possibility of a determined attacker compromising a verified publisher to publish their own malicious app or edit an existing one. ",{"data":2325,"content":2326,"nodeType":1294},{},[2327,2331,2336],{"data":2328,"marks":2329,"value":2330,"nodeType":1293},{},[],"Likewise, you might also find a lot of your service principals, even ones by seemingly reputable publishers, are reported as not verified. This is because the service principal is an instance of the app at the time of install - if the publisher wasn’t verified at that point, the service principal won’t be (even if the publisher has since been verified). Since Microsoft only introduced publisher verification in 2020, all apps installed before this date will report as unverified. For reference, 78% of the service principals we’ve looked at report as having unverified publishers so this isn’t ",{"data":2332,"marks":2333,"value":2335,"nodeType":1293},{},[2334],{"type":312},"necessarily",{"data":2337,"marks":2338,"value":2339,"nodeType":1293},{},[]," something to worry about. ",{"data":2341,"content":2342,"nodeType":1966},{},[],{"data":2344,"content":2345,"nodeType":1294},{},[2346,2350,2357],{"data":2347,"marks":2348,"value":2349,"nodeType":1293},{},[],"If you find apps that look like they don't belong and you're worried they're the result of consent phishing, as well as removing the app's access (you can do this on the app's Properties page in the ",{"data":2351,"content":2353,"nodeType":1661},{"uri":2352},"https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps",[2354],{"data":2355,"marks":2356,"value":2128,"nodeType":1293},{},[],{"data":2358,"marks":2359,"value":2360,"nodeType":1293},{},[],"), you should investigate how the app got there in the first place. A detailed walkthrough of how to fully investigate is coming soon.",{"data":2362,"content":2363,"nodeType":1294},{},[2364,2368,2375],{"data":2365,"marks":2366,"value":2367,"nodeType":1293},{},[],"You can gather information about the apps in your Microsoft 365 tenant with only a few clicks using the Push platform. See which apps are installed on your tenant, what kind of access they have and if we think any look suspicious. It only takes a few minutes and is totally free! ",{"data":2369,"content":2370,"nodeType":1661},{"uri":2174},[2371],{"data":2372,"marks":2373,"value":2374,"nodeType":1293},{},[],"Check it out.",{"data":2376,"marks":2377,"value":37,"nodeType":1293},{},[],"How to find a malicious OAuth app on Microsoft 365 ","How do you find a malicious Microsoft 365 OAuth app? Learn what to look for, and what to ignore, when checking your users haven't been consent phished.","2021-09-06T00:00:00.000+01:00","how-to-find-a-malicious-oauth-app-on-microsoft-365",{"items":2383},[2384,2386],{"sys":2385,"name":1913},{"id":1912},{"sys":2387,"name":2389},{"id":2388},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2391},[2392],{"fullName":2393,"firstName":2394,"jobTitle":2395,"profilePicture":2396},"Andy Waugh","Andy","VP Product",{"url":2397},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":1314,"sys":2399,"content":2401,"title":2779,"synopsis":2780,"hashTags":2781,"publishedDate":2787,"slug":2788,"tagsCollection":2789,"authorsCollection":2795},{"id":2400},"4j5GhBaGwP92nz5p6gmQyi",{"json":2402},{"data":2403,"content":2404,"nodeType":1295},{},[2405,2412,2419,2426,2432,2439,2446,2453,2486,2493,2500,2519,2525,2532,2539,2557,2563,2570,2589,2595,2631,2659,2665,2680,2707,2713,2720,2727,2733,2759,2766,2773],{"data":2406,"content":2407,"nodeType":1775},{},[2408],{"data":2409,"marks":2410,"value":2411,"nodeType":1293},{},[],"What are user delegated OAuth tokens?",{"data":2413,"content":2414,"nodeType":1294},{},[2415],{"data":2416,"marks":2417,"value":2418,"nodeType":1293},{},[],"When users want to integrate a 3rd party app (like Zoom, Slack, Zapier, etc. etc.) with Google Workspace (or Office 365, or almost any SaaS platform these days really), they provide that app with a token (an OAuth2 token to be specific). This token can be used by the 3rd party to connect to your Workspace to gain access to that user’s data instead of a password.",{"data":2420,"content":2421,"nodeType":1294},{},[2422],{"data":2423,"marks":2424,"value":2425,"nodeType":1293},{},[],"You might recognise screens like this which actually do the job of granting these tokens.",{"data":2427,"content":2431,"nodeType":1847},{"target":2428},{"sys":2429},{"id":2430,"type":1844,"linkType":1845},"1jj3BNK8zO0Pm83LwzLUJp",[],{"data":2433,"content":2434,"nodeType":1294},{},[2435],{"data":2436,"marks":2437,"value":2438,"nodeType":1293},{},[],"That list of permissions is a human readable version of what are called scopes. Scopes limit what the 3rd party can do with the token. There are a number of ways you can limit the 3rd parties and scopes your users can authorise, and we’ll cover those in future blog posts - for now we are focussing on the existing tokens that have already been granted.",{"data":2440,"content":2441,"nodeType":1775},{},[2442],{"data":2443,"marks":2444,"value":2445,"nodeType":1293},{},[],"Why would you want to review these apps and tokens?",{"data":2447,"content":2448,"nodeType":1294},{},[2449],{"data":2450,"marks":2451,"value":2452,"nodeType":1293},{},[],"Essentially there are quite a few things that can go wrong here, which is not unexpected when we are talking about granting 3rd parties access to a core business platform like Workspace - and perhaps in something like an ordering of obviousness they are things like:",{"data":2454,"content":2455,"nodeType":1730},{},[2456,2466,2476],{"data":2457,"content":2458,"nodeType":1679},{},[2459],{"data":2460,"content":2461,"nodeType":1294},{},[2462],{"data":2463,"marks":2464,"value":2465,"nodeType":1293},{},[],"Consent phishing - where an attacker uses a malicious app linked in an email to trick users into giving them access to the user's data.",{"data":2467,"content":2468,"nodeType":1679},{},[2469],{"data":2470,"content":2471,"nodeType":1294},{},[2472],{"data":2473,"marks":2474,"value":2475,"nodeType":1293},{},[],"Useful but malicious apps - as we’ve seen recently in browser extensions (especially chrome), mobile apps (especially android, pattern forming here?), PC software, etc. etc. there are a number of criminals who develop legitimately useful (or at least vaguely useful looking) software that is also used to get backdoor access to your data. This is even harder to spot in SaaS applications, because unlike browser extensions or mobile apps, you can’t inspect the code. And because Almost no SaaS apps expose good logs of what is done using these tokens, you can’t inspect what they are doing.",{"data":2477,"content":2478,"nodeType":1679},{},[2479],{"data":2480,"content":2481,"nodeType":1294},{},[2482],{"data":2483,"marks":2484,"value":2485,"nodeType":1293},{},[],"Supply chain - while supply chain attacks are all the rage these days, we’ve yet to see a really clear attack where an attacker has stolen specifically OAuth tokens from one of these 3rd parties and used them against their customers - at least to my knowledge (please tweet my wrongness @jacques_sec). This does not however mean this can’t or won’t happen - and in fact I’d be super surprised if this doesn’t happen in the next few years.",{"data":2487,"content":2488,"nodeType":1294},{},[2489],{"data":2490,"marks":2491,"value":2492,"nodeType":1293},{},[],"While there are a lot of things you might want to look at when reviewing an OAuth app, you will at least want to know who owns/publishes the app (who have you delegated access too), what permissions or access the 3rd party has to your data, and whether Google has reviewed and verified the app - so let’s use this blog to focus on that starting point.",{"data":2494,"content":2495,"nodeType":1775},{},[2496],{"data":2497,"marks":2498,"value":2499,"nodeType":1293},{},[],"Getting the basic token details",{"data":2501,"content":2502,"nodeType":1294},{},[2503,2507,2515],{"data":2504,"marks":2505,"value":2506,"nodeType":1293},{},[],"As a user you can look at ",{"data":2508,"content":2510,"nodeType":1661},{"uri":2509},"https://myaccount.google.com/permissions",[2511],{"data":2512,"marks":2513,"value":2514,"nodeType":1293},{},[],"your own Workspace tokens",{"data":2516,"marks":2517,"value":2518,"nodeType":1293},{},[]," - where you’ll see a box like this for each integrated app:",{"data":2520,"content":2524,"nodeType":1847},{"target":2521},{"sys":2522},{"id":2523,"type":1844,"linkType":1845},"4uswW6ogq8Gqn6ithrAa5d",[],{"data":2526,"content":2527,"nodeType":1294},{},[2528],{"data":2529,"marks":2530,"value":2531,"nodeType":1293},{},[],"You’ll see things like the authorised domain (diagrams.net in this case), the homepage of the app, and a description of the permissions granted by the scopes (though not the raw scopes themselves). Unfortunately, fairly basic information, like if the app has been verified by google is not available.",{"data":2533,"content":2534,"nodeType":1294},{},[2535],{"data":2536,"marks":2537,"value":2538,"nodeType":1293},{},[],"This page is also only available to view your own apps. Rather than trying to teach each of your users how to review OAuth apps, you may want to review these on behalf of your users, and let them get on with their jobs leaving your relationship with them intact. Google anticipated this, and actually allows you to get a list of these apps (or rather the tokens that grant them access) through the admin console in a couple of ways.",{"data":2540,"content":2541,"nodeType":1294},{},[2542,2545,2553],{"data":2543,"marks":2544,"value":1642,"nodeType":1293},{},[],{"data":2546,"content":2548,"nodeType":1661},{"uri":2547},"https://admin.google.com/ac/users",[2549],{"data":2550,"marks":2551,"value":2552,"nodeType":1293},{},[],"open a user’s profile in the admin console",{"data":2554,"marks":2555,"value":2556,"nodeType":1293},{},[]," and click “connected applications” you’ll get something like this:",{"data":2558,"content":2562,"nodeType":1847},{"target":2559},{"sys":2560},{"id":2561,"type":1844,"linkType":1845},"5EyCKXIf9ODUsVakm4bhnn",[],{"data":2564,"content":2565,"nodeType":1294},{},[2566],{"data":2567,"marks":2568,"value":2569,"nodeType":1293},{},[],"Beyond having to do this one user at a time - this is useful to see the display name for the application and the services which the app has access to. Unfortunately there is no information to show if the app has been verified by Google, and even worse nothing that links it to a specific publisher. At Push we publish quite a few apps ourselves I can tell you that the display name (“Google APIs Explorer” or “Slack” in the above example) is anything the author chooses, and so isn’t reliable at all unless the app has been verified (I’m assuming Google would reject look-alike or spoofed names here), but again you can’t tell here if the app has been verified by google - so on we go!",{"data":2571,"content":2572,"nodeType":1294},{},[2573,2577,2585],{"data":2574,"marks":2575,"value":2576,"nodeType":1293},{},[],"The admin console also provides ",{"data":2578,"content":2580,"nodeType":1661},{"uri":2579},"https://admin.google.com/ac/reporting/audit/token",[2581],{"data":2582,"marks":2583,"value":2584,"nodeType":1293},{},[],"security reports on token grants",{"data":2586,"marks":2587,"value":2588,"nodeType":1293},{},[]," that look something like this:",{"data":2590,"content":2594,"nodeType":1847},{"target":2591},{"sys":2592},{"id":2593,"type":1844,"linkType":1845},"6BygfA5C7GNzYZVkfP8du",[],{"data":2596,"content":2597,"nodeType":1294},{},[2598,2602,2610,2614,2619,2623,2627],{"data":2599,"marks":2600,"value":2601,"nodeType":1293},{},[],"Here we can see the raw scopes (you can find more info about the actual scopes in ",{"data":2603,"content":2605,"nodeType":1661},{"uri":2604},"https://developers.google.com/identity/protocols/oauth2/scopes",[2606],{"data":2607,"marks":2608,"value":2609,"nodeType":1293},{},[],"Google's API docs",{"data":2611,"marks":2612,"value":2613,"nodeType":1293},{},[],"), the app name (display name as above) and the all important ",{"data":2615,"marks":2616,"value":2618,"nodeType":1293},{},[2617],{"type":312},"client_id",{"data":2620,"marks":2621,"value":2622,"nodeType":1293},{},[]," that is, as far as I can tell, the closes we get to uniquely identifying an app under the hood. As a side note, it turns out that the first number sequence of the ",{"data":2624,"marks":2625,"value":2618,"nodeType":1293},{},[2626],{"type":312},{"data":2628,"marks":2629,"value":2630,"nodeType":1293},{},[]," is actually the project number of the Google Cloud Project which hosts the app (or technically which hosts the OAuth consent screen for the app). Still no verification status, and no way to figure out who published the app. Further down the rabbit hole we go.",{"data":2632,"content":2633,"nodeType":1294},{},[2634,2638,2643,2647,2655],{"data":2635,"marks":2636,"value":2637,"nodeType":1293},{},[],"Workspace Admin also has an API, and fortunately there is a ",{"data":2639,"marks":2640,"value":2642,"nodeType":1293},{},[2641],{"type":312},"tokens",{"data":2644,"marks":2645,"value":2646,"nodeType":1293},{},[]," resource (see Google docs for ",{"data":2648,"content":2650,"nodeType":1661},{"uri":2649},"https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens/list",[2651],{"data":2652,"marks":2653,"value":2654,"nodeType":1293},{},[],"Admin Directory API",{"data":2656,"marks":2657,"value":2658,"nodeType":1293},{},[],") and there is even an API explorer (which - strange loop warning - also uses OAuth tokens to grant itself access to the API), which give you the following:",{"data":2660,"content":2664,"nodeType":1847},{"target":2661},{"sys":2662},{"id":2663,"type":1844,"linkType":1845},"1zbptRPMoy5F9eexuoqdBh",[],{"data":2666,"content":2667,"nodeType":1294},{},[2668,2672,2676],{"data":2669,"marks":2670,"value":2671,"nodeType":1293},{},[],"Which actually gives you all the tokens for a user you specify. Not much here that is useful beyond what we got from the token report - we still just have display name, scopes, and the ",{"data":2673,"marks":2674,"value":2618,"nodeType":1293},{},[2675],{"type":312},{"data":2677,"marks":2678,"value":2679,"nodeType":1293},{},[]," - however, we can now at least automate the process of pulling all apps for all users without having to figure out which are still active after grants and revokes in the audit report.",{"data":2681,"content":2682,"nodeType":1294},{},[2683,2687,2691,2695,2703],{"data":2684,"marks":2685,"value":2686,"nodeType":1293},{},[],"At this point I was worried whether this would be possible as I couldn’t find any APIs that actually resolved the ",{"data":2688,"marks":2689,"value":2618,"nodeType":1293},{},[2690],{"type":312},{"data":2692,"marks":2693,"value":2694,"nodeType":1293},{},[]," to something more useful, so I started looking at ways to restrict installing apps instead. This led me to the ",{"data":2696,"content":2698,"nodeType":1661},{"uri":2697},"https://admin.google.com/ac/owl/list",[2699],{"data":2700,"marks":2701,"value":2702,"nodeType":1293},{},[],"Security > API controls > App access control",{"data":2704,"marks":2705,"value":2706,"nodeType":1293},{},[]," panel in the admin console. This panel shows a list of all the trusted apps (which includes all the installed apps), and crucially if you click on the app you get something like the following:",{"data":2708,"content":2712,"nodeType":1847},{"target":2709},{"sys":2710},{"id":2711,"type":1844,"linkType":1845},"3zM9a2NGzAdRVjQ0EN4Ult",[],{"data":2714,"content":2715,"nodeType":1294},{},[2716],{"data":2717,"marks":2718,"value":2719,"nodeType":1293},{},[],"Huzzah! - finally we have verification status, as well as an email address and links to various policies which can be used to identify the actual publisher of the app (my assumption here is that if the app is verified we can trust this information, but that might be something worth digging into a bit deeper, especially for apps that are not requesting sensitive or restricted scopes, both of which have increasingly thorough vetting).",{"data":2721,"content":2722,"nodeType":1294},{},[2723],{"data":2724,"marks":2725,"value":2726,"nodeType":1293},{},[],"Unfortunately this is not the end of the story. There are still a couple of problems here, firstly we can’t see which users granted which tokens - only how many users have active tokens. We could correlate this with the information in the user’s profile, but then you could have multiple apps using the same name as below:",{"data":2728,"content":2732,"nodeType":1847},{"target":2729},{"sys":2730},{"id":2731,"type":1844,"linkType":1845},"2fSxeH8UZCC5cZ6vggwck",[],{"data":2734,"content":2735,"nodeType":1294},{},[2736,2740,2744,2748,2755],{"data":2737,"marks":2738,"value":2739,"nodeType":1293},{},[],"This can be solved by referencing the ",{"data":2741,"marks":2742,"value":2618,"nodeType":1293},{},[2743],{"type":312},{"data":2745,"marks":2746,"value":2747,"nodeType":1293},{},[]," with the ",{"data":2749,"content":2750,"nodeType":1661},{"uri":2649},[2751],{"data":2752,"marks":2753,"value":2754,"nodeType":1293},{},[],"admin.directory.tokens.list",{"data":2756,"marks":2757,"value":2758,"nodeType":1293},{},[]," API (as discussed above), but that brings us to my final problem - it’s going to be painful cross referencing as the data in the screenshot above is not available in any API I can find, so to automate this I guess we’re going screen scraping 🤦. If you know a better way - please tweet me (again @jacques_sec).",{"data":2760,"content":2761,"nodeType":1775},{},[2762],{"data":2763,"marks":2764,"value":2765,"nodeType":1293},{},[],"Next up",{"data":2767,"content":2768,"nodeType":1294},{},[2769],{"data":2770,"marks":2771,"value":2772,"nodeType":1293},{},[],"I’m planning to write future posts on this subject before I forget it all, and these will likely focus on understanding exactly what is possible using specific scopes in a more automated way than paging through endless docs, and more detail on doing in-depth security reviews of OAuth apps. Get in touch if either of these (or something related) would be of interest to you and we might re-prioritise!",{"data":2774,"content":2775,"nodeType":1294},{},[2776],{"data":2777,"marks":2778,"value":1416,"nodeType":1293},{},[],"Investigating user delegated OAuth tokens in Google Workspace - a ride along","Introduction to OAuth tokens in Google Workspace, how they are used, reasons you might want to review them, and a discussion of how you might go about it. ",[2782,2783,2784,2785,2786],"#oauth","#oauth2","#cloud-apps","#google","#workspace","2021-07-15T00:00:00.000+01:00","investigating-user-delegated-oauth-tokens-in-google-workspace-a-ride-along",{"items":2790},[2791,2793],{"sys":2792,"name":2389},{"id":2388},{"sys":2794,"name":1913},{"id":1912},{"items":2796},[2797],{"fullName":1917,"firstName":1918,"jobTitle":1919,"profilePicture":2798},{"url":1921},{"items":2800},[2801],{"fullName":1917,"firstName":1918,"jobTitle":1919,"profilePicture":2802},{"url":1921},{"json":2804,"links":3420},{"nodeType":1295,"data":2805,"content":2806},{},[2807,2819,2826,2833,2840,2847,2876,2883,2902,2909,2929,2936,2942,3081,3088,3095,3102,3154,3161,3180,3187,3194,3201,3208,3215,3222,3229,3236,3243,3250,3257,3264,3288,3295,3302,3309,3316,3323,3330,3337,3344,3351,3358,3365,3372,3379,3386,3393,3396,3403,3406,3413],{"nodeType":1294,"data":2808,"content":2809},{},[2810,2814],{"nodeType":1293,"value":2811,"marks":2812,"data":2813},"SaaS is exploding and making employees more productive than ever. If your security strategy relies on simply blocking all SaaS that hasn’t been sanctioned by your security team, you’re also blocking your coworkers from all the productivity gains that SaaS brings to the table. Not only that, but blocking through official channels doesn’t effectively stop employees from accessing the SaaS apps they want to use – you just can’t see it because they may have turned off the endpoint agent you’re using to manage SaaS policies, bypass the proxy, or change proxy settings. And now you’ve got a “Shadow IT problem!” *",[],{},{"nodeType":1293,"value":2815,"marks":2816,"data":2818},"Dread ensues*",[2817],{"type":312},{},{"nodeType":1294,"data":2820,"content":2821},{},[2822],{"nodeType":1293,"value":2823,"marks":2824,"data":2825},"Some folks even choose to block or turn off app stores to limit SaaS adoption by employees. The issue with this is that you’re blocking them from using productivity tools they want to do their work. You think you’re preventing risk (though we know employees find ways to adopt and use SaaS regardless of your controls), but you’re also restricting employees from being productive, flexible, and, frankly, you’re ticking them off. These kinds of actions widen the divide between security and the rest of the company, which is never a good thing. ",[],{},{"nodeType":1294,"data":2827,"content":2828},{},[2829],{"nodeType":1293,"value":2830,"marks":2831,"data":2832},"Stay cool, stay calm, we’ve got this. To manage SaaS, you need some sense of control over what employees are using and how they’re using it, right? By working with employees and doing the legwork to understand their needs, you can start to repair relationships there, which makes your job much easier in the long run.",[],{},{"nodeType":1294,"data":2834,"content":2835},{},[2836],{"nodeType":1293,"value":2837,"marks":2838,"data":2839},"However, before we go down the path of understanding how employees are using SaaS, you first need to know which apps they’re using.",[],{},{"nodeType":1342,"data":2841,"content":2842},{},[2843],{"nodeType":1293,"value":2844,"marks":2845,"data":2846},"How do I find the SaaS apps employees are actually using?",[],{},{"nodeType":1294,"data":2848,"content":2849},{},[2850,2854,2859,2863,2872],{"nodeType":1293,"value":2851,"marks":2852,"data":2853},"You can discover the apps employees are using in a couple ways: 1) manually, using the data you already have access to or, 2) using a pre-existing tool (oh hey, we have one you can ",[],{},{"nodeType":1293,"value":2855,"marks":2856,"data":2858},"use for free",[2857],{"type":1944},{},{"nodeType":1293,"value":2860,"marks":2861,"data":2862},"). We wrote a ",[],{},{"nodeType":1661,"data":2864,"content":2866},{"uri":2865},"https://pushsecurity.com/blog/rolling-your-own-saas-discovery/",[2867],{"nodeType":1293,"value":2868,"marks":2869,"data":2871},"guide",[2870],{"type":1944},{},{"nodeType":1293,"value":2873,"marks":2874,"data":2875}," about how you might do the manual approach for SaaS discovery, though fair warning… this manual effort isn’t for the faint of heart.",[],{},{"nodeType":1294,"data":2877,"content":2878},{},[2879],{"nodeType":1293,"value":2880,"marks":2881,"data":2882},"For the purposes of this guide, we’re going to assume you’ve taken care of the SaaS discovery process already and you’re now facing a list of SaaS - potentially a very large one - you didn’t know employees were using. ",[],{},{"nodeType":1294,"data":2884,"content":2885},{},[2886,2890,2898],{"nodeType":1293,"value":2887,"marks":2888,"data":2889},"If you haven’t discovered the unknown SaaS in your organization, we suggest you ",[],{},{"nodeType":1661,"data":2891,"content":2893},{"uri":2892},"https://login.pushsecurity.com/u/signup",[2894],{"nodeType":1293,"value":2895,"marks":2896,"data":2897},"sign up",[],{},{"nodeType":1293,"value":2899,"marks":2900,"data":2901},", let us do the heavy lifting for you to discover SaaS, then use that list as a starting point for this next phase of the process…",[],{},{"nodeType":1342,"data":2903,"content":2904},{},[2905],{"nodeType":1293,"value":2906,"marks":2907,"data":2908},"I’ve found some SaaS apps I didn’t know about. Now what?",[],{},{"nodeType":1294,"data":2910,"content":2911},{},[2912,2916,2925],{"nodeType":1293,"value":2913,"marks":2914,"data":2915},"You’ve found the apps (hooray!), so now you’re on the hook to figure out what risks those apps might pose to the company (wasn’t ignorance bliss?). Does it help to know that most organizations find a large list of unknown apps so you’re not alone? A ",[],{},{"nodeType":1661,"data":2917,"content":2919},{"uri":2918},"https://track.g2.com/resources/shadow-it-statistics",[2920],{"nodeType":1293,"value":2921,"marks":2922,"data":2924},"report",[2923],{"type":1944},{},{"nodeType":1293,"value":2926,"marks":2927,"data":2928}," from G2 Crowd stated that the average company has 975 unknown cloud services and that 67% of teams have introduced their own collaboration tools into an organization.",[],{},{"nodeType":1294,"data":2930,"content":2931},{},[2932],{"nodeType":1293,"value":2933,"marks":2934,"data":2935},"Even though you’re not alone, you still need to protect employee and company data from unnecessary third-party risk. Here’s a quick rundown of what you need to do next to get a handle on SaaS without restricting its use.",[],{},{"nodeType":1847,"data":2937,"content":2941},{"target":2938},{"sys":2939},{"id":2940,"type":1844,"linkType":1845},"TgFACpcpdooMuPLPXvlk4",[],{"nodeType":2943,"data":2944,"content":2945},"ordered-list",{},[2946,3004,3019,3034,3049],{"nodeType":1679,"data":2947,"content":2948},{},[2949,2961],{"nodeType":1294,"data":2950,"content":2951},{},[2952,2957],{"nodeType":1293,"value":2953,"marks":2954,"data":2956},"Ensure basic account security controls are in place across all SaaS. ",[2955],{"type":1647},{},{"nodeType":1293,"value":2958,"marks":2959,"data":2960},"To get at this information, you’ll need either a tool (we got you!) or you’ll need to go directly to employees to get necessary information about how they’re accessing and using SaaS. You’ll need to know:",[],{},{"nodeType":2943,"data":2962,"content":2963},{},[2964,2974,2984,2994],{"nodeType":1679,"data":2965,"content":2966},{},[2967],{"nodeType":1294,"data":2968,"content":2969},{},[2970],{"nodeType":1293,"value":2971,"marks":2972,"data":2973},"Are employees using multi-factor authentication (MFA) or two-factor authentication (2FA) where available? ",[],{},{"nodeType":1679,"data":2975,"content":2976},{},[2977],{"nodeType":1294,"data":2978,"content":2979},{},[2980],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"What about strong passwords and password policies? ",[],{},{"nodeType":1679,"data":2985,"content":2986},{},[2987],{"nodeType":1294,"data":2988,"content":2989},{},[2990],{"nodeType":1293,"value":2991,"marks":2992,"data":2993},"Are they sharing passwords across multiple apps? ",[],{},{"nodeType":1679,"data":2995,"content":2996},{},[2997],{"nodeType":1294,"data":2998,"content":2999},{},[3000],{"nodeType":1293,"value":3001,"marks":3002,"data":3003},"Are they sharing login credentials as a team - some teams will do this to stay on a free or trial tier by only having a “single” user. ",[],{},{"nodeType":1679,"data":3005,"content":3006},{},[3007],{"nodeType":1294,"data":3008,"content":3009},{},[3010,3015],{"nodeType":1293,"value":3011,"marks":3012,"data":3014},"Try to identify SaaS that is no longer needed/used and remove it. ",[3013],{"type":1647},{},{"nodeType":1293,"value":3016,"marks":3017,"data":3018},"You won't believe how quickly you build up SaaS baggage as users move to the newest hottest thing.",[],{},{"nodeType":1679,"data":3020,"content":3021},{},[3022],{"nodeType":1294,"data":3023,"content":3024},{},[3025,3030],{"nodeType":1293,"value":3026,"marks":3027,"data":3029},"Identify apps that are used to create and store data you care about. ",[3028],{"type":1647},{},{"nodeType":1293,"value":3031,"marks":3032,"data":3033},"Then prioritize them for some additional scrutiny.",[],{},{"nodeType":1679,"data":3035,"content":3036},{},[3037],{"nodeType":1294,"data":3038,"content":3039},{},[3040,3045],{"nodeType":1293,"value":3041,"marks":3042,"data":3044},"Identify apps that integrate with those core apps. ",[3043],{"type":1647},{},{"nodeType":1293,"value":3046,"marks":3047,"data":3048},"They’re also processing that same data you care about. These are usually called OAuth applications or third-party integrations like apps and bots that add functionality and features to the core app.",[],{},{"nodeType":1679,"data":3050,"content":3051},{},[3052,3068],{"nodeType":1294,"data":3053,"content":3054},{},[3055,3059,3064],{"nodeType":1293,"value":3056,"marks":3057,"data":3058},"Where your additional scrutiny identifies risks you can't live with, ",[],{},{"nodeType":1293,"value":3060,"marks":3061,"data":3063},"stop new users adopting those apps (by giving them a better alternative)",[3062],{"type":1647},{},{"nodeType":1293,"value":3065,"marks":3066,"data":3067}," and migrate existing users over to that alternative, approved app. ",[],{},{"nodeType":2943,"data":3069,"content":3070},{},[3071],{"nodeType":1679,"data":3072,"content":3073},{},[3074],{"nodeType":1294,"data":3075,"content":3076},{},[3077],{"nodeType":1293,"value":3078,"marks":3079,"data":3080},"To do this, you’ll need to look for secure alternatives to the SaaS employees are using that you have deemed too risky. This is important, albeit time-consuming. Offering an alternative sweetens the process for using more secure platforms before you outright block the bad ones. It also lets your colleagues know you’re considering their needs and not just restricting their work.",[],{},{"nodeType":1294,"data":3082,"content":3083},{},[3084],{"nodeType":1293,"value":3085,"marks":3086,"data":3087},"Beyond just the security of the technology itself, you need to ensure employees are doing their part in using the app securely. ",[],{},{"nodeType":1342,"data":3089,"content":3090},{},[3091],{"nodeType":1293,"value":3092,"marks":3093,"data":3094},"How to prioritize which apps require additional scrutiny",[],{},{"nodeType":1294,"data":3096,"content":3097},{},[3098],{"nodeType":1293,"value":3099,"marks":3100,"data":3101},"There’s no right or wrong approach for how to prioritize the apps you find during the discovery process, but we’ve found that most our customers prioritize apps based on if the app is:",[],{},{"nodeType":1730,"data":3103,"content":3104},{},[3105,3115,3125,3144],{"nodeType":1679,"data":3106,"content":3107},{},[3108],{"nodeType":1294,"data":3109,"content":3110},{},[3111],{"nodeType":1293,"value":3112,"marks":3113,"data":3114},"used by many people in the company, and",[],{},{"nodeType":1679,"data":3116,"content":3117},{},[3118],{"nodeType":1294,"data":3119,"content":3120},{},[3121],{"nodeType":1293,"value":3122,"marks":3123,"data":3124},"requesting access to highly sensitive data to work or integrating with SaaS that have data you don’t want exposed. This might be a cloud drive containing all sorts of documents, a CRM that uses customer data inputs, a billing platform, an app that’s used for signing legal documents, an HR platform, etc.",[],{},{"nodeType":1679,"data":3126,"content":3127},{},[3128],{"nodeType":1294,"data":3129,"content":3130},{},[3131,3135,3140],{"nodeType":1293,"value":3132,"marks":3133,"data":3134},"one you’ve never heard of before. Larger SaaS apps built for businesses (Salesforce, Microsoft, Google, etc.) are ",[],{},{"nodeType":1293,"value":3136,"marks":3137,"data":3139},"more likely",[3138],{"type":312},{},{"nodeType":1293,"value":3141,"marks":3142,"data":3143}," to be secure than some of the smaller, newer SaaS apps who haven’t gone through the same levels of security reviews before going to market. ",[],{},{"nodeType":1679,"data":3145,"content":3146},{},[3147],{"nodeType":1294,"data":3148,"content":3149},{},[3150],{"nodeType":1293,"value":3151,"marks":3152,"data":3153},"used by high profile employees or employees with access to very sensitive corporate information (C-level executives, finance, legal, HR, etc.). ",[],{},{"nodeType":1294,"data":3155,"content":3156},{},[3157],{"nodeType":1293,"value":3158,"marks":3159,"data":3160},"For example, if you have a whole team using a single app that you’ve never heard of, add that app to the top of your priorities list for investigation. It’s likely business critical and serving a need for that team, so taking it away won’t be a good idea if you’re trying to build bridges between security and employees. Plus, more users probably means more data is stored within the app. Those users might also have integrated a lot of third-party apps or bots (OAuth) to that core application. ",[],{},{"nodeType":1294,"data":3162,"content":3163},{},[3164,3168,3176],{"nodeType":1293,"value":3165,"marks":3166,"data":3167},"Once you’ve determined which apps need investigation and prioritized them, head over to the National Cyber Security Centre’s ",[],{},{"nodeType":1661,"data":3169,"content":3171},{"uri":3170},"https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/lightweight-approach-to-cloud-security",[3172],{"nodeType":1293,"value":3173,"marks":3174,"data":3175},"lightweight approach to cloud security",[],{},{"nodeType":1293,"value":3177,"marks":3178,"data":3179}," article. They offer some great guidance for how to reasonably access the risk of a SaaS app with limited time and resources. ",[],{},{"nodeType":1294,"data":3181,"content":3182},{},[3183],{"nodeType":1293,"value":3184,"marks":3185,"data":3186},"A big missing piece most companies have in their SaaS security strategy, though, is that they’re not working with employees to understand how they’re using SaaS. Before you roll your eyes, hear us out…",[],{},{"nodeType":1342,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":3191,"marks":3192,"data":3193},"Secure SaaS by working with employees",[],{},{"nodeType":1294,"data":3195,"content":3196},{},[3197],{"nodeType":1293,"value":3198,"marks":3199,"data":3200},"Remember, employees are the owners of SaaS in your company - they’ve adopted and used SaaS tools in your environment, so they know better than anyone else how they’re using it, if they’re still using it, what the additional integrations in the app offer, and what it does for them. You, as their security lead, know how to determine if they’re logging in securely, if the data the app is requesting access to is an acceptable risk, if they’ve enabled built-in common sense security features like 2FA/MFA, and if the third-party integrations they’ve added are too high risk or requesting excessive permissions.",[],{},{"nodeType":1294,"data":3202,"content":3203},{},[3204],{"nodeType":1293,"value":3205,"marks":3206,"data":3207},"By working with employees, you can get the full picture of SaaS use within the company and understand what your colleagues need and coach them to improve the security of how they’re accessing and using the tools they prefer. The problem is that it’s really difficult to do manually in a real world environment because it’s just so time-consuming to reach out to each employee and ask a series of questions to get the context you need. ",[],{},{"nodeType":1294,"data":3209,"content":3210},{},[3211],{"nodeType":1293,"value":3212,"marks":3213,"data":3214},"If an entire team is using an app you weren’t aware of, you can talk to the technical owner or administrator of the app to understand how they’re using it. What doesn’t work at scale with manual outreach, however, is understanding how securely employees are logging in and accessing SaaS. ",[],{},{"nodeType":1294,"data":3216,"content":3217},{},[3218],{"nodeType":1293,"value":3219,"marks":3220,"data":3221},"You can automate this process with the right tool, using things like ChatOps and browser notifications, and just sit back and watch as employees improve their own security over time. This is particularly useful when it comes to some of the security hygiene basics, like using strong passwords and enabling MFA, which make a significant impact on overall security posture for very little effort.",[],{},{"nodeType":1342,"data":3223,"content":3224},{},[3225],{"nodeType":1293,"value":3226,"marks":3227,"data":3228},"What will I gain from working with employees?",[],{},{"nodeType":1294,"data":3230,"content":3231},{},[3232],{"nodeType":1293,"value":3233,"marks":3234,"data":3235},"Now that you know that working directly with employees to secure SaaS isn’t a pipe dream, nor does it have to be a manual effort or a one-off security campaign, what impact should you expect from these efforts? And how do you measure that impact?",[],{},{"nodeType":1294,"data":3237,"content":3238},{},[3239],{"nodeType":1293,"value":3240,"marks":3241,"data":3242},"Here are some of the most obvious wins…",[],{},{"nodeType":1775,"data":3244,"content":3245},{},[3246],{"nodeType":1293,"value":3247,"marks":3248,"data":3249},"Reduce your attack surface",[],{},{"nodeType":1294,"data":3251,"content":3252},{},[3253],{"nodeType":1293,"value":3254,"marks":3255,"data":3256},"Say you discover your marketing team is using Trello to manage projects, while the sales team is using Asana. Once you have this information, you can talk to the heads of each department to see if they’ll agree on a single solution. ",[],{},{"nodeType":1294,"data":3258,"content":3259},{},[3260],{"nodeType":1293,"value":3261,"marks":3262,"data":3263},"Without management, you’re likely to wind up using multiple (often dozens) of chat, project management, calendar-sharing apps and so on within your company. The issue with this is that it opens you up to unnecessary risk, with your data being held on the systems of hundreds of third parties outside of your traditional perimeter. By connecting users to each other and consolidating the SaaS apps in your company, you can dramatically reduce your attack surface. ",[],{},{"nodeType":1294,"data":3265,"content":3266},{},[3267,3271,3280,3284],{"nodeType":1293,"value":3268,"marks":3269,"data":3270},"Similarly, removing dormant apps and accounts can have a huge impact. In a ",[],{},{"nodeType":1661,"data":3272,"content":3274},{"uri":3273},"https://productiv.com/blog/less-than-half-of-company-saas-applications-are-regularly-used-by-employees/",[3275],{"nodeType":1293,"value":3276,"marks":3277,"data":3279},"recent report",[3278],{"type":1944},{},{"nodeType":1293,"value":1519,"marks":3281,"data":3283},[3282],{"type":1944},{},{"nodeType":1293,"value":3285,"marks":3286,"data":3287},"by Productiv, they found that on average only 45% of the apps an organization or its employees have an account with are regularly engaged with. That means that potentially half of your SaaS attack surface is totally unnecessary.",[],{},{"nodeType":1294,"data":3289,"content":3290},{},[3291],{"nodeType":1293,"value":3292,"marks":3293,"data":3294},"Working with employees to find out what apps they are using (and which they are no longer) will allow you to eliminate attacker opportunities to access your data or steal employee account credentials.  ",[],{},{"nodeType":1775,"data":3296,"content":3297},{},[3298],{"nodeType":1293,"value":3299,"marks":3300,"data":3301},"Reduce supply chain risk",[],{},{"nodeType":1294,"data":3303,"content":3304},{},[3305],{"nodeType":1293,"value":3306,"marks":3307,"data":3308},"Every third-party SaaS app that your employees use is a supplier and therefore contributes to your overall supply chain risk exposure. Traditionally all technology and software providers will have been reviewed by security teams to ensure that they do not present excessive risk to your organization. However, the explosion in SaaS use has made this more challenging; 1) Most organizations have a large number of SaaS suppliers and its growing, 2) SaaS suppliers are now responsible for more aspects of security than on-prem software suppliers ever were (such as infrastructure security) so there is more to review and assure. ",[],{},{"nodeType":1294,"data":3310,"content":3311},{},[3312],{"nodeType":1293,"value":3313,"marks":3314,"data":3315},"Every time a duplicate or dormant SaaS app is removed, you’re removing a supplier whose security practices and posture need assuring. This saves your security team bags of time and reduces your overall cyber risk exposure. ",[],{},{"nodeType":1294,"data":3317,"content":3318},{},[3319],{"nodeType":1293,"value":3320,"marks":3321,"data":3322},"However, for the third-parties you need to continue to work with, you’ll want to perform due diligence to make sure you aren’t exposing yourself to the risk of a supply chain attack. ",[],{},{"nodeType":1294,"data":3324,"content":3325},{},[3326],{"nodeType":1293,"value":3327,"marks":3328,"data":3329},"Before you can trust a SaaS vendor with your data, you have to be assured the vendor is committed to maintaining an appropriate security standard and has the resources and capabilities to deliver against it. And you need to know how the vendor will secure your data when it is in transit, use and at rest. Understand how the vendor secures their network, monitors for malicious activity, what they’ll do in the event of an incident, and whether they have an adequate business continuity and disaster recovery plan. ",[],{},{"nodeType":1294,"data":3331,"content":3332},{},[3333],{"nodeType":1293,"value":3334,"marks":3335,"data":3336},"To speed up the due diligence process, you might rely on the vendor providing certification of a recognized standard, such as ISO27001, which demonstrates a solid security baseline.",[],{},{"nodeType":1775,"data":3338,"content":3339},{},[3340],{"nodeType":1293,"value":3341,"marks":3342,"data":3343},"Establish security as a business enabler",[],{},{"nodeType":1294,"data":3345,"content":3346},{},[3347],{"nodeType":1293,"value":3348,"marks":3349,"data":3350},"One thing to note, if you’re removing an app, it’s always a good idea to notify the employee(s) using it and suggest secure alternatives. Security teams are often seen as a blocker to be avoided and worked around. During that conversation, you can ask them what they were using the app for and then do some research to offer an alternative option that isn’t as risky to the company. ",[],{},{"nodeType":1294,"data":3352,"content":3353},{},[3354],{"nodeType":1293,"value":3355,"marks":3356,"data":3357},"Being able to recommend useful tools that can help your colleagues with their jobs (as opposed to just saying no or blocking unsanctioned apps) is  the difference between being seen as a business enabler rather than a business blocker. Once your security team is known for promoting innovative new technology as well as managing risk, employee engagement will increase. ",[],{},{"nodeType":1775,"data":3359,"content":3360},{},[3361],{"nodeType":1293,"value":3362,"marks":3363,"data":3364},"Greater productivity and competitiveness",[],{},{"nodeType":1294,"data":3366,"content":3367},{},[3368],{"nodeType":1293,"value":3369,"marks":3370,"data":3371},"SaaS has empowered employees to self-adopt the tools that will help them do their jobs better. This is something that should be harnessed, not resisted. A more productive workforce creates a more competitive company. Security’s job is to manage the risks it introduces to a level that the business can accept, not to eliminate those risks altogether. ",[],{},{"nodeType":1294,"data":3373,"content":3374},{},[3375],{"nodeType":1293,"value":3376,"marks":3377,"data":3378},"Balancing productivity returns with cyber risk requires employees and security to work together to understand the trade-off and make the best decision for the whole organization. If you can facilitate this collaboration to make better decisions, faster as to what technology and tools your organization can safely take advantage of, then your organization will be more competitive and more successful.  ",[],{},{"nodeType":1342,"data":3380,"content":3381},{},[3382],{"nodeType":1293,"value":3383,"marks":3384,"data":3385},"You can secure SaaS without pissing off employees",[],{},{"nodeType":1294,"data":3387,"content":3388},{},[3389],{"nodeType":1293,"value":3390,"marks":3391,"data":3392},"We’ll end this blog with a single key takeaway: ",[],{},{"nodeType":1966,"data":3394,"content":3395},{},[],{"nodeType":1294,"data":3397,"content":3398},{},[3399],{"nodeType":1293,"value":3400,"marks":3401,"data":3402},"To keep employees happy and productive while still securing corporate data, you need to work with them to understand what they need and point them at the most secure SaaS alternative. ",[],{},{"nodeType":1966,"data":3404,"content":3405},{},[],{"nodeType":1294,"data":3407,"content":3408},{},[3409],{"nodeType":1293,"value":3410,"marks":3411,"data":3412},"One of the big wins that’s really hard to measure or quantify is that by working with employees, you position yourself as a business enabler. The more you know about the tools employees are choosing to use, the more you understand their needs and desires so that you can find a balanced solution.",[],{},{"nodeType":1294,"data":3414,"content":3415},{},[3416],{"nodeType":1293,"value":3417,"marks":3418,"data":3419},"We would never recommend that you just open the gates to SaaS and leave employees to sign up with wild abandon, but strictly locking down SaaS clearly doesn’t work. With more SaaS apps coming to market daily, the only approach that can scale and keep up with employees’ needs for productivity and flexibility is one that makes them part of the conversation. You’ve got to work with the SaaS users and empathize with their needs. Only then can you really create a cloud security strategy that’s going to work in the real world. With new tools that can do the heavy lifting for you, a user-powered approach finally makes sense. You got this.",[],{},{"entries":3421},{"hyperlink":3422,"inline":3423,"block":3424},[],[],[3425],{"sys":3426,"__typename":3427,"title":3428,"caption":118,"layoutMode":118,"file":3429},{"id":2940},"Image","SaaS Risk checklist",{"url":3430,"width":3431,"height":3431},"https://images.ctfassets.net/y1cdw1ablpvd/3k9PBx2owoAsp0IUd6roHE/80898d4779f70c75d3e619c0568c6200/checklist-v5__1_.png",730,"content:blog:manage-saas-risks-without-hindering-employees.json","json","content","blog/manage-saas-risks-without-hindering-employees.json","blog/manage-saas-risks-without-hindering-employees",1776359994409]