[{"data":1,"prerenderedAt":1621},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":639,"faqItemsCollection":640,"faqTitle":62,"featured":6,"hashTags":62,"meta":642,"metaTitle":643,"ogImage":62,"publishedDate":644,"relatedBlogPostsCollection":645,"slug":1597,"stem":1598,"subtitle":62,"summary":1599,"synopsis":1610,"sys":1611,"tagsCollection":1614,"__hash__":1620},"blog/blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser.json","Want to discover the full extent of your SaaS sprawl? Embrace browser extensions ",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Luke Jennings","Luke","Vice President, R&D",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":238,"links":624},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,265,273,280,302,322,329,336,343,352,359,379,399,406,413,433,450,467,474,494,501,520,527,534,541,548,555,575,582,589,596,603,610,617],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","Security teams know they need full visibility into which SaaS platforms employees are using to even start focusing on SaaS management and security. Even better, they want to understand how employees are using them, right? ",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"Many people we talk to are starting to chip away at getting visibility into employee-adopted apps by using some combination of central information repositories such as email discovery, financial records, OAuth logs, SSO logs, web proxy logs, etc. So why would anyone want or need to use a browser extension? Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up. The browser also allows us to work with the user to guide them to use SaaS more securely right where they’re working - in the browser.",[],{},{"nodeType":243,"data":259,"content":260},{},[261],{"nodeType":247,"value":262,"marks":263,"data":264},"We’ll dig into this topic a bit more in this article and we’d love to hear questions, concerns, and have a healthy debate on our social media channels, so hit us up!",[],{},{"nodeType":266,"data":267,"content":268},"heading-2",{},[269],{"nodeType":247,"value":270,"marks":271,"data":272},"Introduction",[],{},{"nodeType":243,"data":274,"content":275},{},[276],{"nodeType":247,"value":277,"marks":278,"data":279},"Different approaches for discovering SaaS use have unique advantages and disadvantages and the most effective solution is usually to combine several approaches that complement one another. That being said, in the case of SaaS discovery, browser extensions have some really significant advantages that can’t be matched by other approaches - so if you could only pick one approach, then a browser extension is the way to go.",[],{},{"nodeType":243,"data":281,"content":282},{},[283,287,298],{"nodeType":247,"value":284,"marks":285,"data":286},"The first point to consider is that it is extremely common for SaaS solutions to be self-adopted by individual employees or teams within a business, without working with IT or following the established procurement process. ",[],{},{"nodeType":288,"data":289,"content":291},"hyperlink",{"uri":290},"https://track.g2.com/resources/shadow-it-statistics",[292],{"nodeType":247,"value":293,"marks":294,"data":297},"According to G2",[295],{"type":296},"underline",{},{"nodeType":247,"value":299,"marks":300,"data":301},", 80% of workers admit to using SaaS applications at work without getting approval from IT. Employees are likely to access SaaS however is easiest and most familiar for them. So, employees aren’t going to set up a full SSO connection with your own authentication provider (on the off chance that the app even provides SSO integration). They might not be using a social login using your M365/Google tenant and they might not even be using their company email to sign up/login - they could just be using a personal webmail account.",[],{},{"nodeType":243,"data":303,"content":304},{},[305,309,318],{"nodeType":247,"value":306,"marks":307,"data":308},"That leaves security teams with limited or no visibility of employee SaaS use using other centralized methods. We found that only around 30% of SaaS providers we analyzed support SSO and of those that do, many require paying for the highest cost enterprise plan in order to gain access to it - i.e. “",[],{},{"nodeType":288,"data":310,"content":312},{"uri":311},"https://sso.tax/",[313],{"nodeType":247,"value":314,"marks":315,"data":317},"The SSO tax",[316],{"type":296},{},{"nodeType":247,"value":319,"marks":320,"data":321},".” ",[],{},{"nodeType":243,"data":323,"content":324},{},[325],{"nodeType":247,"value":326,"marks":327,"data":328},"Many don’t support social logins and, if they do, you’ll find M365 social logins are much less commonly supported than Google, so if you’re a Microsoft house, that pushes users towards individual email/password logins, which are far less secure.",[],{},{"nodeType":266,"data":330,"content":331},{},[332],{"nodeType":247,"value":333,"marks":334,"data":335},"A comparison of data sources for SaaS discovery",[],{},{"nodeType":243,"data":337,"content":338},{},[339],{"nodeType":247,"value":340,"marks":341,"data":342},"We won’t do a deep dive of comparing data sources for SaaS discovery in this post, but here’s a quick and dirty overview. As we mentioned above, most companies (and off-the-shelf SaaS security and SaaS management tools) use some combination of the data sources depicted in the image below. ",[],{},{"nodeType":344,"data":345,"content":351},"embedded-entry-block",{"target":346},{"sys":347},{"id":348,"type":349,"linkType":350},"E8ThSCqbNNa9nggaKE3p1","Link","Entry",[],{"nodeType":243,"data":353,"content":354},{},[355],{"nodeType":247,"value":356,"marks":357,"data":358}," Now, it goes without saying that we’re a bit biased, but as we were deciding how to build our own SaaS discovery methods, we analyzed the pros and cons of each of these approaches before realizing that the most power was in the browser. Ease of deployment, you’ll notice, takes a bit more work than a couple other methods, but it’s worth it once you realize the powerful capabilities uniquely available in the browser. We’ll address the deployment and rollout challenges in a bit more detail later in this post. ",[],{},{"nodeType":243,"data":360,"content":361},{},[362,366,375],{"nodeType":247,"value":363,"marks":364,"data":365},"To dig into each of these approaches and how to potentially combine them to build your own SaaS discovery engine, check out ",[],{},{"nodeType":288,"data":367,"content":369},{"uri":368},"https://pushsecurity.com/blog/rolling-your-own-saas-discovery/",[370],{"nodeType":247,"value":371,"marks":372,"data":374},"this post.",[373],{"type":296},{},{"nodeType":247,"value":376,"marks":377,"data":378}," ",[],{},{"nodeType":243,"data":380,"content":381},{},[382,386,395],{"nodeType":247,"value":383,"marks":384,"data":385},"If you already know you don’t have the resources (time, team, budget) to build your own and you’re thinking about evaluating solutions, head over to ",[],{},{"nodeType":288,"data":387,"content":389},{"uri":388},"https://pushsecurity.com/blog/how-to-find-the-right-saas-security-solution-for-your-organization/",[390],{"nodeType":247,"value":391,"marks":392,"data":394},"this post",[393],{"type":296},{},{"nodeType":247,"value":396,"marks":397,"data":398}," to understand which might be the best fit for your company. ",[],{},{"nodeType":243,"data":400,"content":401},{},[402],{"nodeType":247,"value":403,"marks":404,"data":405},"Next, we’ll dig into how we manage our own SaaS security to provide some relevant context and we’ll explain where the browser extension fits in",[],{},{"nodeType":266,"data":407,"content":408},{},[409],{"nodeType":247,"value":410,"marks":411,"data":412},"A case study…with us!",[],{},{"nodeType":243,"data":414,"content":415},{},[416,420,429],{"nodeType":247,"value":417,"marks":418,"data":419},"To put this into context, we’ll use ourselves as an example, since we’re a fully SaaS-native company. Our entire business is SaaS security, we have no physical or virtual infrastructure to manage and we actively encourage our employees to self-adopt SaaS solutions to solve their own business needs. We’re also a Google workspace enterprise customer and we educate our employees to ",[],{},{"nodeType":288,"data":421,"content":423},{"uri":422},"https://pushsecurity.com/blog/should-i-let-my-employees-login-with-their-work-google-account",[424],{"nodeType":247,"value":425,"marks":426,"data":428},"always use Google social logins",[427],{"type":296},{},{"nodeType":247,"value":430,"marks":431,"data":432}," for SaaS solutions as the first choice when available ). ",[],{},{"nodeType":243,"data":434,"content":435},{},[436,440,446],{"nodeType":247,"value":437,"marks":438,"data":439},"We tuck all SaaS apps behind SSO, wherever we can and wherever our licenses will let us. And since we’re a fairly new company, we’ve been able to push social logins and “login with Google” to our employees since day one, so that’s a pretty clean and ideal world compared to the environments many security folks are working in. This means we really should be a best case example when it comes to centralized SaaS discovery methods. That said, we also use almost 100 different SaaS platforms across the company and, despite everything else above, 33% of these SaaS platforms are ",[],{},{"nodeType":247,"value":441,"marks":442,"data":445},"only ",[443],{"type":444},"italic",{},{"nodeType":247,"value":447,"marks":448,"data":449},"visible because we’re using a browser extension to discover them as our employees sign up.",[],{},{"nodeType":243,"data":451,"content":452},{},[453,457,463],{"nodeType":247,"value":454,"marks":455,"data":456},"A similar company without a browser extension ",[],{},{"nodeType":247,"value":458,"marks":459,"data":462},"could be missing out on a third of their SaaS platforms",[460],{"type":461},"bold",{},{"nodeType":247,"value":464,"marks":465,"data":466},". Once we look at similar stats for our customers, particularly M365 users, we see the percentage of SaaS platforms that are only discovered via the browser extension increase and this is sometimes even as high as 70-80%. If you’re serious about SaaS discovery, then you should really not settle for missing such a large percentage of platforms.",[],{},{"nodeType":266,"data":468,"content":469},{},[470],{"nodeType":247,"value":471,"marks":472,"data":473},"Why does a browser see so much more?",[],{},{"nodeType":243,"data":475,"content":476},{},[477,481,490],{"nodeType":247,"value":478,"marks":479,"data":480},"Since SaaS is often self-adopted, the problem can often be attributed to a decentralized problem. Many SaaS vendors even encourage this as they have a product-led growth (PLG) model and prefer the frictionless growth of a PLG model over the high-friction sales cycle in a centralized procurement model. We’ve got a ",[],{},{"nodeType":288,"data":482,"content":484},{"uri":483},"https://pushsecurity.com/webinar/securing-employee-adopted-saas-apps",[485],{"nodeType":247,"value":486,"marks":487,"data":489},"webinar with our co-founder",[488],{"type":296},{},{"nodeType":247,"value":491,"marks":492,"data":493}," on this topic if you want to explore further. ",[],{},{"nodeType":243,"data":495,"content":496},{},[497],{"nodeType":247,"value":498,"marks":499,"data":500},"Additionally, your average non-technical employee may not be familiar with SSO or social logins as access methods, but everyone knows how to sign-up for a website with an email address, username and password. Consequently, it’s just common for centralized data sources to end up missing a lot of SaaS use if they’re looking at logs, proxies, and other data sources.",[],{},{"nodeType":243,"data":502,"content":503},{},[504,508,516],{"nodeType":247,"value":505,"marks":506,"data":507},"Without SSO or social logins, you aren’t seeing anything via those data sources. If you use email discovery, you’ll have lots of false positives to deal with from marketing spam and you’ll only know about it for employees that used their corporate email address and for SaaS platforms that actively send out emails. If you’re relying on network data sources like web proxy data then you need to be capturing everything including home/mobile employees and even then most details will be hidden behind HTTPS connections. You could intercept and decrypt all HTTPS traffic via your proxy, but then you’d be introducing a huge security risk by decrypting all communications in one place. We’ve got a more thorough article on the topic of ",[],{},{"nodeType":288,"data":509,"content":510},{"uri":368},[511],{"nodeType":247,"value":512,"marks":513,"data":515},"SaaS discovery data sources ",[514],{"type":296},{},{"nodeType":247,"value":517,"marks":518,"data":519},"and their pros and cons to read up on, too. ",[],{},{"nodeType":243,"data":521,"content":522},{},[523],{"nodeType":247,"value":524,"marks":525,"data":526},"On the other hand, browsers are quickly becoming the main way people operate from a desktop environment, with the browser as the way they’re doing almost every task. Since they’re using the browser to access their apps, it makes sense to use data collected from the browser to get visibility of SaaS. It doesn’t matter if they use an SSO login, a social login, an email address/password login, a corporate email or a personal webmail account - as long as they login or access the SaaS platform from a browser, then a browser extension is best placed to see that. Wherever the user is in the world, whatever they are doing, the extension can keep an eye out.",[],{},{"nodeType":266,"data":528,"content":529},{},[530],{"nodeType":247,"value":531,"marks":532,"data":533},"There are so many other security benefits beyond basic visibility",[],{},{"nodeType":243,"data":535,"content":536},{},[537],{"nodeType":247,"value":538,"marks":539,"data":540},"We’ve covered general visibility of SaaS platforms (i.e. whether they are in use or not, what login method is in use and by who), but there’s much more useful information for managing SaaS security risks. To secure SaaS, you also need to know whether multi-factor authentication (MFA) is in use; If the password is secure; If passwords are shared between different accounts; If accounts are shared between users; If sensitive files are uploaded to a particular SaaS platform.",[],{},{"nodeType":243,"data":542,"content":543},{},[544],{"nodeType":247,"value":545,"marks":546,"data":547},"Some SaaS vendors may provide APIs and logs that can answer some of these questions, but this tends to be limited to the biggest or most security conscious vendors. It’s overwhelming to handle this manually because you need to consider separate integrations with all your different SaaS vendors, and that’s assuming you already know they are in use. It might be viable for some of the most important SaaS platforms you use (think Salesforce, Slack, Trello, etc.) , but it’s not easy to go much further when you have hundreds of different SaaS platforms to consider.",[],{},{"nodeType":243,"data":549,"content":550},{},[551],{"nodeType":247,"value":552,"marks":553,"data":554},"A browser extension, on the other hand, can see all the interactions between users and any given SaaS platform, so it can provide insights that may not be visible via a SaaS vendor’s own APIs or logs. This is especially true for fairly standardized mechanisms such as web-based logins, where it provides an easy opportunity to provide password security checks and MFA checks. ",[],{},{"nodeType":243,"data":556,"content":557},{},[558,562,571],{"nodeType":247,"value":559,"marks":560,"data":561},"Being a decentralized model, this can all be achieved without sending lots of highly sensitive data (e.g. passwords) to a centralized point. Instead, the browser extension can just report individual security findings as necessary without feeding that private data to a central repository. The Push browser extension identifies weak passwords in use, MFA status, passwords shared between different SaaS platforms and even accounts being shared by multiple different users - none of this requires sending passwords or any other sensitive data to our central servers - just the findings themselves. You can find more information about what data we collect ",[],{},{"nodeType":288,"data":563,"content":565},{"uri":564},"https://pushsecurity.com/help/audience/administrators/docs/install-the-browser-extension",[566],{"nodeType":247,"value":567,"marks":568,"data":570},"here",[569],{"type":296},{},{"nodeType":247,"value":572,"marks":573,"data":574},". ",[],{},{"nodeType":266,"data":576,"content":577},{},[578],{"nodeType":247,"value":579,"marks":580,"data":581},"How do I roll out a browser extension to every single employee?",[],{},{"nodeType":243,"data":583,"content":584},{},[585],{"nodeType":247,"value":586,"marks":587,"data":588},"Traditionally, browser extensions have been focused on self-adoption by users via a browser extension store. In that case, the user makes the decision to install, rather than IT or security managing the deployment.",[],{},{"nodeType":243,"data":590,"content":591},{},[592],{"nodeType":247,"value":593,"marks":594,"data":595},"However, the major browser vendors have made it easy to install and manage browser extensions centrally, as well as making them more resilient to ensure they’re both secure and cannot induce significant performance issues in the browser.",[],{},{"nodeType":243,"data":597,"content":598},{},[599],{"nodeType":247,"value":600,"marks":601,"data":602},"Most larger organizations will be familiar with deploying desktop software remotely using central device management software, especially for endpoint security software like anti-virus and EDR. The same idea works with a browser extension using most of the common browser and operating system combinations. The Push browser extension can be deployed centrally on Chrome, Edge, Firefox and Brave, depending on the device management software and operating system in use. ",[],{},{"nodeType":243,"data":604,"content":605},{},[606],{"nodeType":247,"value":607,"marks":608,"data":609},"What’s more, browser extensions consist of JavaScript running in a tightly-controlled environment with additional performance controls in place by the browser and they even auto-update too. Compare this with the common case for endpoint security software of having an agent running as SYSTEM/root and users complaining it’s stealing all their CPU cycles and centralized browser deployment starts looking like a more attractive prospect than traditional endpoint agent deployment.",[],{},{"nodeType":266,"data":611,"content":612},{},[613],{"nodeType":247,"value":614,"marks":615,"data":616},"Conclusion",[],{},{"nodeType":243,"data":618,"content":619},{},[620],{"nodeType":247,"value":621,"marks":622,"data":623},"We’re pretty into browser extensions here, but it’s not just because that’s how our product works. We’re not trying to sell you a new thing just for the sake of building something novel. Browser extensions are going to become one of the most important methods of managing SaaS security going forward. They’ve got advantages that other approaches just can’t match and centralized deployment and management is now a slick, easy and - frankly - solved problem. ",[],{},{"entries":625},{"hyperlink":626,"inline":627,"block":628},[],[],[629],{"sys":630,"__typename":631,"title":632,"caption":633,"layoutMode":634,"file":635},{"id":348},"Image","SaaS discovery data source comparison","Strengths and weaknesses for finding employee SaaS use via commonly-used discovery data sources ","Centre aligned",{"url":636,"width":637,"height":638},"https://images.ctfassets.net/y1cdw1ablpvd/7FRyXaw4o4baUqG1cta41n/57a9476e83daf0386600c5bb8d4e827b/Screenshot_2023-04-24_at_9.09.16_AM.png",1796,1010,"json",{"items":641},[],{},"Use browser extension to see the extent of your SaaS sprawl","2023-04-25T00:00:00.000Z",{"items":646},[647,1003],{"__typename":648,"sys":649,"content":651,"title":981,"synopsis":982,"hashTags":62,"publishedDate":983,"slug":984,"tagsCollection":985,"authorsCollection":995},"BlogPosts",{"id":650},"4LOMe7ez5adQtwbPireIBc",{"json":652},{"data":653,"content":654,"nodeType":239},{},[655,662,684,691,698,705,712,719,726,733,740,747,754,761,768,784,791,798,805,812,819,826,844,851,858,865,871,878,886,921,929,962],{"data":656,"content":657,"nodeType":243},{},[658],{"data":659,"marks":660,"value":661,"nodeType":247},{},[],"As part of your larger cloud security strategy, you’ve likely been asked to focus on how to secure SaaS apps used in your company. The first step to securing SaaS is getting a real sense of what platforms employees are actually using, beyond those that you already know about. Since SaaS is so easy for employees to adopt and start using without any input from IT and security, they’re likely using hundreds of SaaS apps that aren’t even on your radar. The first step in securing something is getting full visibility into what you even need to secure in the first place. ",{"data":663,"content":664,"nodeType":243},{},[665,669,680],{"data":666,"marks":667,"value":668,"nodeType":247},{},[],"To help guide folks through how you might do SaaS discovery on your own, we wrote an ",{"data":670,"content":674,"nodeType":679},{"target":671},{"sys":672},{"id":673,"type":349,"linkType":350},"45iZ69EdPF4629gZ6yf7p5",[675],{"data":676,"marks":677,"value":678,"nodeType":247},{},[],"article","entry-hyperlink",{"data":681,"marks":682,"value":683,"nodeType":247},{},[]," about how to manually find what apps employees are using. In it, we explored how to analyze data that you already have on hand to find the unknown apps (shadow IT) used within your business. That’s a pretty significant manual effort, though, and most security teams don’t have the resources to do it. Plus, while these manual attempts can chip away at the SaaS discovery process, none are great at giving you a comprehensive view of SaaS use, nor do they keep up with the constant influx of apps employees are signing up for daily. ",{"data":685,"content":686,"nodeType":243},{},[687],{"data":688,"marks":689,"value":690,"nodeType":247},{},[],"To get truly broad coverage of what SaaS employees are using, you need a large dataset of SaaS apps, the domains associated with them, and this dataset must constantly be updated and expanded to include new apps that are launched every day. ",{"data":692,"content":693,"nodeType":243},{},[694],{"data":695,"marks":696,"value":697,"nodeType":247},{},[],"Unless you can find such a dataset, you must create it. And creating a constantly updated dataset is no small undertaking. That’s why there are so many off-the-shelf solutions and tools that focus solely on SaaS discovery these days. Many say that they are full-scale SaaS security platforms, but what that means isn’t always clear, even after reading product marketing materials. If you were to look at a venn diagram of “SaaS security platforms,” you’d have a giant mess of interlocking circles, with some shared activities amongst all (or most) tools and then vastly different features from that core functionality.",{"data":699,"content":700,"nodeType":243},{},[701],{"data":702,"marks":703,"value":704,"nodeType":247},{},[],"How “good” they are at SaaS discovery really depends on what data they’re using, what they have access to within your environment, the quality of their proprietary datasets (breadth, depth, and timeliness of that data), and how they work with your existing data and tools. To help navigate this mess, we’re sharing some pros and cons of the categories of commercial tools on the market.",{"data":706,"content":707,"nodeType":243},{},[708],{"data":709,"marks":710,"value":711,"nodeType":247},{},[],"To determine which solution you need, you need to consider your tech stack, your specific needs, your risk tolerance, and your short and long term objectives. In this article, we’ll break down some major use cases and match them up with what solutions make the most sense to address them.",{"data":713,"content":714,"nodeType":266},{},[715],{"data":716,"marks":717,"value":718,"nodeType":247},{},[],"You’re a large enterprise interested in securing core SaaS platforms",{"data":720,"content":721,"nodeType":243},{},[722],{"data":723,"marks":724,"value":725,"nodeType":247},{},[],"\nWorking to only secure 20 or so core applications that have already been sanctioned by the security team? A cloud security posture management (CSPM) or SaaS security posture management (SSPM) solution might be the answer you’re looking for, particularly if you’re on the highest tier license for those apps. ",{"data":727,"content":728,"nodeType":243},{},[729],{"data":730,"marks":731,"value":732,"nodeType":247},{},[],"You can make the most of these tools during in-depth investigations or threat hunting exercises. Leverage them to enforce custom SaaS or cloud app policies as well. The caveat with this one is that you’ll need a fairly sophisticated security team to manage, customize, and run SSPM and CSPM tools.",{"data":734,"content":735,"nodeType":243},{},[736],{"data":737,"marks":738,"value":739,"nodeType":247},{},[],"An ideal environment for these solutions is one that has a full SOC capability so that you extend your existing security monitoring and threat hunting coverage into these core SaaS platforms. You’ll be able to secure a small handful of your business critical applications as long as they’re large and well-established platforms. ",{"data":741,"content":742,"nodeType":243},{},[743],{"data":744,"marks":745,"value":746,"nodeType":247},{},[],"The reason you’ll need top-level licenses and well-established SaaS platforms to make these solutions work is because they rely on API data from those SaaS platforms. Those mature APIs provide necessary information about those core apps that CSPMs and SSPMs use to provide security insights you need to manage the risks. Unfortunately, they won’t cover the dozens of smaller SaaS apps most organizations use, and are normally only available on top license tiers.",{"data":748,"content":749,"nodeType":266},{},[750],{"data":751,"marks":752,"value":753,"nodeType":247},{},[],"You’re a more traditional, on-prem enterprise interested in blocking unsanctioned SaaS",{"data":755,"content":756,"nodeType":243},{},[757],{"data":758,"marks":759,"value":760,"nodeType":247},{},[],"If your environment is traditional on-site internal networks and you have mature gateway monitoring technology in place already, a cloud access security broker (CASB) may be your best path to securing cloud apps. CASBs work best if you have no employees working from home or on the road or you’re forcing employees to only access work platforms and internet browsers through your corporate VPN.",{"data":762,"content":763,"nodeType":243},{},[764],{"data":765,"marks":766,"value":767,"nodeType":247},{},[],"CASBs typically pull network data such as DNS, SASE, VPN, proxy, and firewall logs. They may also require that you install an agent on each employees’ devices if you want coverage when they are out of the office. ",{"data":769,"content":770,"nodeType":243},{},[771,775,780],{"data":772,"marks":773,"value":774,"nodeType":247},{},[],"With those data sources, they provide good aggregate information about SaaS platforms that are accessed. What they ",{"data":776,"marks":777,"value":779,"nodeType":247},{},[778],{"type":444},"can’t do well",{"data":781,"marks":782,"value":783,"nodeType":247},{},[]," is provide any insight into how the SaaS app is being used, by which employees (you typically get IP addresses not user names), and for what purpose - as an example, they are typically not able to tell the difference between opening a SaaS product’s homepage, or actually logging into the application - so you are going to have a fairly large number of false positives. ",{"data":785,"content":786,"nodeType":243},{},[787],{"data":788,"marks":789,"value":790,"nodeType":247},{},[],"A CASB also really makes sense if you’re forced into complying with strict regulatory requirements to block everything until you’re able to do an in-depth due diligence process on each app. If your goal (or need) is to block access to unknown, unvetted, or unsanctioned SaaS at the network level with no exceptions, a CASB might be for you.",{"data":792,"content":793,"nodeType":266},{},[794],{"data":795,"marks":796,"value":797,"nodeType":247},{},[],"You’re a cloud-native company who wants to enable SaaS without introducing too much risk",{"data":799,"content":800,"nodeType":243},{},[801],{"data":802,"marks":803,"value":804,"nodeType":247},{},[],"For cloud-native companies that need better coverage, and are looking for more nuanced controls than network-level blocking, a solution that discovers and secures SaaS through the browser is the way to go. Since employees access SaaS through their browser, it’s a logical step to collect data about who is using what apps through a browser extension. ",{"data":806,"content":807,"nodeType":243},{},[808],{"data":809,"marks":810,"value":811,"nodeType":247},{},[],"The browser approach lets you do true SaaS discovery - so you can find what employees are actually using (not just accessing) and then go about securing those apps. You also don’t need to do much in terms of managing a browser-based solution once it’s set up. It simply runs in the background and surfaces employee SaaS use data into a dashboard. ",{"data":813,"content":814,"nodeType":243},{},[815],{"data":816,"marks":817,"value":818,"nodeType":247},{},[],"By combining browser-level data and robust security APIs from those core business platforms that SSPMs typically tap into, you can get broad visibility of SaaS use in your company for those large in number, but less mature, more up-and-coming apps, and the depth of security data you need for those few core apps that most employees are using. ",{"data":820,"content":821,"nodeType":243},{},[822],{"data":823,"marks":824,"value":825,"nodeType":247},{},[],"The other key benefit of a browser-based approach for SaaS discovery is that you can get incredibly powerful data about who is using the app, how they’re using it, if they’re using security features such as MFA, if they’re reusing passwords across multiple apps, if they’re sharing passwords, when they’ve used it last, and so on. That data is critical when it comes to securing SaaS because the devil truly is in the details. ",{"data":827,"content":828,"nodeType":243},{},[829,833,841],{"data":830,"marks":831,"value":832,"nodeType":247},{},[],"If we’ve piqued your interest and you’re curious to see what we can discover about SaaS in your business, ",{"data":834,"content":836,"nodeType":288},{"uri":835},"https://login.pushsecurity.com/",[837],{"data":838,"marks":839,"value":840,"nodeType":247},{},[],"try the free browser extension",{"data":842,"marks":843,"value":572,"nodeType":247},{},[],{"data":845,"content":846,"nodeType":266},{},[847],{"data":848,"marks":849,"value":850,"nodeType":247},{},[],"Consider their data sources  ",{"data":852,"content":853,"nodeType":243},{},[854],{"data":855,"marks":856,"value":857,"nodeType":247},{},[],"The critical thing to understand when you’re evaluating if a solution will work for you would be understanding what their data sources are, what weaknesses those data sources inherently have, and what aligns best with your goals. We’ve tried to surface some of that information within the use cases in this article.",{"data":859,"content":860,"nodeType":243},{},[861],{"data":862,"marks":863,"value":864,"nodeType":247},{},[],"So if you’re looking at an EDR that says they can discover SaaS usage, they’ll likely be leveraging endpoint data to detect SaaS use. If you’re looking at CASBs that integrate with your proxy, they’re probably looking at network level data – you get the idea.  ",{"data":866,"content":867,"nodeType":266},{},[868],{"data":869,"marks":870,"value":614,"nodeType":247},{},[],{"data":872,"content":873,"nodeType":243},{},[874],{"data":875,"marks":876,"value":877,"nodeType":247},{},[],"To wrap this up, we’re going to summarize some key points and provide some questions to ask yourself, your team, or even the vendor of the solution you’re evaluating, as you consider what combination of efforts or what tool is right for you. ",{"data":879,"content":880,"nodeType":243},{},[881],{"data":882,"marks":883,"value":885,"nodeType":247},{},[884],{"type":461},"Does this solution provide SaaS discovery?",{"data":887,"content":888,"nodeType":920},{},[889,900,910],{"data":890,"content":891,"nodeType":899},{},[892],{"data":893,"content":894,"nodeType":243},{},[895],{"data":896,"marks":897,"value":898,"nodeType":247},{},[],"Will this tool find what SaaS apps employees are using, including those you don’t already know about? If so, how? ","list-item",{"data":901,"content":902,"nodeType":899},{},[903],{"data":904,"content":905,"nodeType":243},{},[906],{"data":907,"marks":908,"value":909,"nodeType":247},{},[],"Will the tool be able to differentiate between a user visiting a SaaS website, and actually logging into the app? How will it determine who the user is?",{"data":911,"content":912,"nodeType":899},{},[913],{"data":914,"content":915,"nodeType":243},{},[916],{"data":917,"marks":918,"value":919,"nodeType":247},{},[],"If the tool doesn’t provide you with SaaS discovery (finding Shadow IT and the apps employees are using that aren’t on your radar), how will you deal with those apps employees are using without your knowledge?","unordered-list",{"data":922,"content":923,"nodeType":243},{},[924],{"data":925,"marks":926,"value":928,"nodeType":247},{},[927],{"type":461},"Does the tool provide enough context so you can manage SaaS risk?",{"data":930,"content":931,"nodeType":920},{},[932,942,952],{"data":933,"content":934,"nodeType":899},{},[935],{"data":936,"content":937,"nodeType":243},{},[938],{"data":939,"marks":940,"value":941,"nodeType":247},{},[],"Are you getting context about how your users are using apps (are they logging in with social logins or passwords, do they have MFA enabled, are they admins on the app, etc.), or is it only providing generic information about the app?",{"data":943,"content":944,"nodeType":899},{},[945],{"data":946,"content":947,"nodeType":243},{},[948],{"data":949,"marks":950,"value":951,"nodeType":247},{},[],"How will you engage employees that already rely on these SaaS platforms, or want to adopt new apps, can you handle that though email or in-person - or do you need something more scalable?",{"data":953,"content":954,"nodeType":899},{},[955],{"data":956,"content":957,"nodeType":243},{},[958],{"data":959,"marks":960,"value":961,"nodeType":247},{},[],"Do you need the ability to apply progressive controls, or simply need the ability to block apps entirely?",{"data":963,"content":964,"nodeType":243},{},[965,969,977],{"data":966,"marks":967,"value":968,"nodeType":247},{},[],"\nIf you aren’t sure about these questions, why not consider what a ",{"data":970,"content":972,"nodeType":288},{"uri":971},"/product",[973],{"data":974,"marks":975,"value":976,"nodeType":247},{},[],"user-powered security approach",{"data":978,"marks":979,"value":980,"nodeType":247},{},[]," might look like for your organization.","How to find the right SaaS security solution for your organization ","In this guide, we’ll break down some major SaaS use cases and match them up with solutions that can address them, covering pros and cons for each.\n","2022-07-25T00:00:00.000Z","how-to-find-the-right-saas-security-solution-for-your-organization",{"items":986},[987,991],{"sys":988,"name":990},{"id":989},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"sys":992,"name":994},{"id":993},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":996},[997],{"fullName":998,"firstName":999,"jobTitle":1000,"profilePicture":1001},"Jacques Louw","Jacques","Co-founder / CRO",{"url":1002},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":648,"sys":1004,"content":1005,"title":1575,"synopsis":1576,"hashTags":1577,"publishedDate":1583,"slug":1584,"tagsCollection":1585,"authorsCollection":1593},{"id":673},{"json":1006},{"data":1007,"content":1008,"nodeType":239},{},[1009,1016,1023,1031,1038,1045,1070,1077,1084,1091,1098,1110,1117,1157,1182,1189,1196,1213,1220,1227,1243,1250,1258,1274,1281,1288,1295,1303,1310,1317,1324,1352,1415,1422,1429,1436,1452,1459,1475,1482,1494,1501,1521,1527,1544],{"data":1010,"content":1011,"nodeType":243},{},[1012],{"data":1013,"marks":1014,"value":1015,"nodeType":247},{},[],"Over the past few years, there’s been massive growth in the number of SaaS apps used for work. With that comes new challenges – how do you allow employees to take advantage of all the SaaS the world has to offer without locking it all down and stifling innovation? How do you figure out if you can trust all these new third parties with access to your data? Well, the first step is figuring out which apps employees are actually using, so that’s where we’re starting.",{"data":1017,"content":1018,"nodeType":243},{},[1019],{"data":1020,"marks":1021,"value":1022,"nodeType":247},{},[],"We’ve compiled a list of various options and approaches we’ve seen people take to SaaS discovery, each with their own pros and cons. ",{"data":1024,"content":1025,"nodeType":1030},{},[1026],{"data":1027,"marks":1028,"value":1029,"nodeType":247},{},[],"Why is SaaS discovery so hard?","heading-1",{"data":1032,"content":1033,"nodeType":243},{},[1034],{"data":1035,"marks":1036,"value":1037,"nodeType":247},{},[],"\nSomething to note straight off the bat is that with all the data-driven approaches we’re about to cover, you have to know how to extract SaaS use out of that data. That’s one of the reasons SaaS discovery is so hard. With the roll-your-own approaches in this post, you’ll be able to identify some common apps (like Trello, Slack, Dropbox, etc.), but what about all the new or lesser-known apps? Unfortunately, trying to keep track of all the SaaS apps that are available to employees is really difficult. There’s not really a great master list available on the Internet for you to cross-reference with your data.",{"data":1039,"content":1040,"nodeType":243},{},[1041],{"data":1042,"marks":1043,"value":1044,"nodeType":247},{},[],"That means that all of these roll-your-own approaches are dependent on you knowing what you’re looking for. If you must know what SaaS you’re looking for in order to determine if an asset is actually a SaaS app, you’re going to be left with quite a few blindspots given there seem to be new apps launching every day. ",{"data":1046,"content":1047,"nodeType":243},{},[1048,1052,1057,1061,1066],{"data":1049,"marks":1050,"value":1051,"nodeType":247},{},[],"The second hurdle with a roll-your-own discovery approach is differentiating between SaaS ",{"data":1053,"marks":1054,"value":1056,"nodeType":247},{},[1055],{"type":444},"access",{"data":1058,"marks":1059,"value":1060,"nodeType":247},{},[]," and SaaS ",{"data":1062,"marks":1063,"value":1065,"nodeType":247},{},[1064],{"type":444},"usage",{"data":1067,"marks":1068,"value":1069,"nodeType":247},{},[],". Just because an employee accesses a SaaS website, it doesn’t mean they’re using their app. Most of the data sources will produce a ton of domains, IPs, etc. for you to sift through, but differentiating access and usage based on this information alone will produce a large number of false positives unless you can correlate it with other data sources (we suggest some below). You will likely also want to know things like exactly who the users, owners and administrators of the app are which will be all but impossible from this “access” data alone.",{"data":1071,"content":1072,"nodeType":243},{},[1073],{"data":1074,"marks":1075,"value":1076,"nodeType":247},{},[],"If we ignore for the moment the difficulties in extracting information about SaaS usage, let’s run through your options for data sources and see which ones will give you the most useful data.",{"data":1078,"content":1079,"nodeType":1030},{},[1080],{"data":1081,"marks":1082,"value":1083,"nodeType":247},{},[],"Collecting financial records",{"data":1085,"content":1086,"nodeType":243},{},[1087],{"data":1088,"marks":1089,"value":1090,"nodeType":247},{},[],"Looking through invoices can provide some visibility into paid SaaS apps, which is probably the lowest false positive data source. However, there are blind spots - you won’t see any free tier or trial accounts, nor will you get any useful business context about who’s using it, how they’re using it, if logins are secure, and what data it has access to. That said, it’s a quick and dirty way to get a partial view of SaaS usage, and might be the best place to start.",{"data":1092,"content":1093,"nodeType":1030},{},[1094],{"data":1095,"marks":1096,"value":1097,"nodeType":247},{},[],"Network-level",{"data":1099,"content":1100,"nodeType":243},{},[1101,1105],{"data":1102,"marks":1103,"value":1104,"nodeType":247},{},[],"\n",{"data":1106,"marks":1107,"value":1109,"nodeType":247},{},[1108],{"type":444},"Summary: Network level data is the standard old-school approach. If you already have great network monitoring in place it provides fairly broad visibility. There are some very key limitations especially around inferring usage from access, as well as outside the office visibility problems.",{"data":1111,"content":1112,"nodeType":243},{},[1113],{"data":1114,"marks":1115,"value":1116,"nodeType":247},{},[],"SaaS apps are accessed over a network - and so that seems like a sensible place to start looking for them. What if we just tried looking for all users accessing a SaaS app’s website? Let’s say we want to see if anyone is using e.g. Dropbox, so we do a Google search for all Dropbox domains and we find Dropbox.com, and a few regional domains as well. We then set about finding employees accessing those domains in our network logs - simple! Perhaps not so much…",{"data":1118,"content":1119,"nodeType":243},{},[1120,1124,1128,1132,1137,1141,1145,1149,1153],{"data":1121,"marks":1122,"value":1123,"nodeType":247},{},[],"As we mentioned in the intro, the best outcome you can hope for is to uncover SaaS ",{"data":1125,"marks":1126,"value":1056,"nodeType":247},{},[1127],{"type":444},{"data":1129,"marks":1130,"value":1131,"nodeType":247},{},[],", not ",{"data":1133,"marks":1134,"value":1136,"nodeType":247},{},[1135],{"type":444},"usage.",{"data":1138,"marks":1139,"value":1140,"nodeType":247},{},[]," This might seem like a subtle difference, but SaaS usage is what you want to find, not just information about which employees visited a SaaS website. If you’re looking at all app ",{"data":1142,"marks":1143,"value":1056,"nodeType":247},{},[1144],{"type":444},{"data":1146,"marks":1147,"value":1148,"nodeType":247},{},[],", you’ll wind up with a massive list of SaaS, with only a portion of it indicating SaaS ",{"data":1150,"marks":1151,"value":1065,"nodeType":247},{},[1152],{"type":444},{"data":1154,"marks":1155,"value":1156,"nodeType":247},{},[],".",{"data":1158,"content":1159,"nodeType":243},{},[1160,1164,1169,1173,1178],{"data":1161,"marks":1162,"value":1163,"nodeType":247},{},[],"Since you can’t discover app ",{"data":1165,"marks":1166,"value":1168,"nodeType":247},{},[1167],{"type":444},"usage ",{"data":1170,"marks":1171,"value":1172,"nodeType":247},{},[],"with network data, you’d have to tie network traffic to a single employee to identify the user, then reach out to each employee to understand the business context of how they’re using the app. A network data approach can work ",{"data":1174,"marks":1175,"value":1177,"nodeType":247},{},[1176],{"type":444},"if",{"data":1179,"marks":1180,"value":1181,"nodeType":247},{},[]," you have time to get that context by asking employees if they’re using the SaaS detected or by corroborating your findings with subscription invoices from the finance team. ",{"data":1183,"content":1184,"nodeType":243},{},[1185],{"data":1186,"marks":1187,"value":1188,"nodeType":247},{},[],"A few ways to collect SaaS data on the network level are ingesting firewall, web proxy and DNS and VPN logs. These inputs can give you some additional visibility into SaaS access, but you may still be left with significant blind spots to actual usage if you assume it all takes place on the corporate network using a VPN. It’s also a painfully tedious process. That said, a manual process still is better than having no SaaS visibility at all. ",{"data":1190,"content":1191,"nodeType":1030},{},[1192],{"data":1193,"marks":1194,"value":1195,"nodeType":247},{},[],"Endpoint-level",{"data":1197,"content":1198,"nodeType":243},{},[1199,1204,1208],{"data":1200,"marks":1201,"value":1203,"nodeType":247},{},[1202],{"type":444},"Summary: Endpoint",{"data":1205,"marks":1206,"value":1207,"nodeType":247},{},[]," ",{"data":1209,"marks":1210,"value":1212,"nodeType":247},{},[1211],{"type":444},"data is hard to get, and of limited value. However, it may be useful if you already have this data available in a SIEM or if it’s otherwise easy to query.",{"data":1214,"content":1215,"nodeType":243},{},[1216],{"data":1217,"marks":1218,"value":1219,"nodeType":247},{},[],"Perhaps we’ll get closer to what we need (usage data instead of just access data and a low false positive rate) if we move up a level and get closer to the users? Users are going to be accessing the SaaS apps through some kind of endpoint and there are some things you could use to do discovery if you have some monitoring capability on that endpoint.",{"data":1221,"content":1222,"nodeType":243},{},[1223],{"data":1224,"marks":1225,"value":1226,"nodeType":247},{},[],"For example, many SaaS apps have desktop or mobile clients (thick clients) you install. You could look for e.g. the Slack client, or the OneDrive sync agent installed on the endpoint. However, many users prefer the in-browser version, so they may not have even installed the thick client and you wouldn’t see their usage by looking at their endpoint data. ",{"data":1228,"content":1229,"nodeType":243},{},[1230,1234,1239],{"data":1231,"marks":1232,"value":1233,"nodeType":247},{},[],"All the good data, the application level data, is in the browser, which is technically on the endpoint but not really accessible ",{"data":1235,"marks":1236,"value":1238,"nodeType":247},{},[1237],{"type":444},"through the endpoint",{"data":1240,"marks":1241,"value":1242,"nodeType":247},{},[]," without doing something very hacky. Perhaps we need to go a level deeper - either closer to the application or get inside the browser.",{"data":1244,"content":1245,"nodeType":1030},{},[1246],{"data":1247,"marks":1248,"value":1249,"nodeType":247},{},[],"Application-level",{"data":1251,"content":1252,"nodeType":243},{},[1253],{"data":1254,"marks":1255,"value":1257,"nodeType":247},{},[1256],{"type":444},"Summary: Application level integrations are very useful for discovering unsanctioned SaaS apps that are integrated with the SaaS apps you already know about. But when used in isolation, they have massive blind spots. Application-level data is also a goldmine for finding out how securely employees use the app.",{"data":1259,"content":1260,"nodeType":243},{},[1261,1265,1270],{"data":1262,"marks":1263,"value":1264,"nodeType":247},{},[],"Focusing on the SaaS app directly makes a lot of sense if you need to get really high quality usage data. The challenge is that you need to integrate with the SaaS app to get at this data. And you can’t just integrate with an app like Slack or Trello. In general, these integrations must be within a specific account or tenant that your employees are using if you want to see any of their usage or security data. So, if you must already know about the tenant to discover the SaaS - is this approach useless for detecting unknown SaaS? Maybe, ",{"data":1266,"marks":1267,"value":1269,"nodeType":247},{},[1268],{"type":444},"but ",{"data":1271,"marks":1272,"value":1273,"nodeType":247},{},[],"there are some very useful edge cases.",{"data":1275,"content":1276,"nodeType":243},{},[1277],{"data":1278,"marks":1279,"value":1280,"nodeType":247},{},[],"For instance, integrations with SaaS apps that are known and sanctioned can be very useful, especially with those apps that are identity providers, like Microsoft Azure/365 and Google Workspace. Lots of SaaS apps let users login with another SaaS app, which is called social login or sometimes single sign-on (SSO). When a user does “login using Google” on Salesforce using their corporate Google account, they are actually integrating (in a very limited way) Salesforce with Google Workspace. If you have application-level access (normally by calling the APIs) to known SaaS apps, you can discover these social logins (among other) integrations with other SaaS apps. These SaaS-to-SaaS links then become very useful as a discovery mechanism.",{"data":1282,"content":1283,"nodeType":243},{},[1284],{"data":1285,"marks":1286,"value":1287,"nodeType":247},{},[],"Something else to keep in mind, application-level access to known SaaS can also be incredibly useful for security beyond simple SaaS discovery. You could check authentication controls, like which users don’t have MFA enabled, sharing settings (perhaps the SaaS allows you to share documents publicly), unusual login events, other anomalous behavior, and so on. ",{"data":1289,"content":1290,"nodeType":1030},{},[1291],{"data":1292,"marks":1293,"value":1294,"nodeType":247},{},[],"Browser-level  ",{"data":1296,"content":1297,"nodeType":243},{},[1298],{"data":1299,"marks":1300,"value":1302,"nodeType":247},{},[1301],{"type":444},"Summary: Browser data is as good as you can get for SaaS discovery, but with the downside that you must build and deploy a browser extension to get at it.",{"data":1304,"content":1305,"nodeType":243},{},[1306],{"data":1307,"marks":1308,"value":1309,"nodeType":247},{},[],"What if I told you, you could get application level usage-data beyond what events the applications expose through their APIs without needing to know about the app first or fighting network encryption? The other methods in this guide allow you to get at the data using normal log processing techniques, SIEM queries, or even hacky scripts that call APIs, but there’s one reasonable option for SaaS discovery.",{"data":1311,"content":1312,"nodeType":243},{},[1313],{"data":1314,"marks":1315,"value":1316,"nodeType":247},{},[],"The only real viable way to get at this SaaS usage data is through a browser extension. The big hurdle with this approach is that browser extensions require you to develop an extension and a backend where it can send data…AND you need to deploy that extension to all employees. ",{"data":1318,"content":1319,"nodeType":243},{},[1320],{"data":1321,"marks":1322,"value":1323,"nodeType":247},{},[],"Deploying that browser extension might be as simple as setting the extension to default install itself in all managed browsers - that’s possible if you’re using Google Workspace. In other environments, it may be a bit more of a challenge. Fortunately, browser extensions don’t have the complexity of normal endpoint agents. They don’t have runtime dependencies, aren’t platform dependent, don’t need admin permissions to install, have automatic update mechanisms built-in, and don’t affect performance. At the end of the day, they’re just a special piece of JavaScript running in the browser.",{"data":1325,"content":1326,"nodeType":243},{},[1327,1331,1336,1340,1348],{"data":1328,"marks":1329,"value":1330,"nodeType":247},{},[],"If you ",{"data":1332,"marks":1333,"value":1335,"nodeType":247},{},[1334],{"type":461},"are",{"data":1337,"marks":1338,"value":1339,"nodeType":247},{},[]," able to get access to the data in the browser (spoiler alert: we provide an easy - and free - out-of-the-box ",{"data":1341,"content":1343,"nodeType":288},{"uri":1342},"/features/saas-discovery/",[1344],{"data":1345,"marks":1346,"value":1347,"nodeType":247},{},[],"browser extension for SaaS discovery",{"data":1349,"marks":1350,"value":1351,"nodeType":247},{},[],"), there is almost limitless scope to what you can do with this data. You can observe not only access to SaaS websites, you can also see:",{"data":1353,"content":1354,"nodeType":920},{},[1355,1365,1375,1385,1395,1405],{"data":1356,"content":1357,"nodeType":899},{},[1358],{"data":1359,"content":1360,"nodeType":243},{},[1361],{"data":1362,"marks":1363,"value":1364,"nodeType":247},{},[],"the user login,",{"data":1366,"content":1367,"nodeType":899},{},[1368],{"data":1369,"content":1370,"nodeType":243},{},[1371],{"data":1372,"marks":1373,"value":1374,"nodeType":247},{},[],"whether that login was successful,",{"data":1376,"content":1377,"nodeType":899},{},[1378],{"data":1379,"content":1380,"nodeType":243},{},[1381],{"data":1382,"marks":1383,"value":1384,"nodeType":247},{},[],"whether they used MFA to login, ",{"data":1386,"content":1387,"nodeType":899},{},[1388],{"data":1389,"content":1390,"nodeType":243},{},[1391],{"data":1392,"marks":1393,"value":1394,"nodeType":247},{},[],"which email they used to login, ",{"data":1396,"content":1397,"nodeType":899},{},[1398],{"data":1399,"content":1400,"nodeType":243},{},[1401],{"data":1402,"marks":1403,"value":1404,"nodeType":247},{},[],"whether they are the owner/administrator of the SaaS app tenant, and ",{"data":1406,"content":1407,"nodeType":899},{},[1408],{"data":1409,"content":1410,"nodeType":243},{},[1411],{"data":1412,"marks":1413,"value":1414,"nodeType":247},{},[],"all their behavior and settings in the app. ",{"data":1416,"content":1417,"nodeType":243},{},[1418],{"data":1419,"marks":1420,"value":1421,"nodeType":247},{},[],"Best of all, there is no need to stream all this data to a single collection point where it becomes a privacy nightmare. By writing rules in the extension to look for specific issues, you can flag only security relevant events, redacted or anonymized as far as makes sense. You can even limit the scope to only monitor the app use when the employee logs into the SaaS app using their work account to further avoid employee privacy concerns. ",{"data":1423,"content":1424,"nodeType":243},{},[1425],{"data":1426,"marks":1427,"value":1428,"nodeType":247},{},[],"There’s a quick and easy solution to get the best out of the application and browser data approaches we’ve written about in the last two sections - and that’s with our free tool.",{"data":1430,"content":1431,"nodeType":1030},{},[1432],{"data":1433,"marks":1434,"value":1435,"nodeType":247},{},[],"How can Push help?",{"data":1437,"content":1438,"nodeType":243},{},[1439,1443,1448],{"data":1440,"marks":1441,"value":1442,"nodeType":247},{},[],"We found that the most comprehensive approach is to collect data from ",{"data":1444,"marks":1445,"value":1447,"nodeType":247},{},[1446],{"type":444},"both ",{"data":1449,"marks":1450,"value":1451,"nodeType":247},{},[],"the application and browser level to give you full visibility and actionable security information. With our browser extension, we get full breadth of coverage so you can discover all SaaS usage and with our APIs, you get the depth of coverage you need to understand how employees are using SaaS and if they’re doing so securely. Our combined approach captures SaaS logins and adoption, in real-time, and provides the best visibility and context for security teams. ",{"data":1453,"content":1454,"nodeType":266},{},[1455],{"data":1456,"marks":1457,"value":1458,"nodeType":247},{},[],"Fixing SaaS security issues automatically by partnering with employees  ",{"data":1460,"content":1461,"nodeType":243},{},[1462,1466,1471],{"data":1463,"marks":1464,"value":1465,"nodeType":247},{},[],"\nWhat we then do with that data is where the magic happens… we can automatically guide employees via ChatOps (Slack and Teams for now, more to come!) to improve SaaS security. Some of those messages will help us enrich our data by asking employees questions they’ll actually know the answers to (",{"data":1467,"marks":1468,"value":1470,"nodeType":247},{},[1469],{"type":444},"“You logged into Slack from Mexico just now. Are you in Mexico?”",{"data":1472,"marks":1473,"value":1474,"nodeType":247},{},[],"), which provides you with a good snapshot of SaaS usage in your business and lets you make informed security decisions about SaaS use to better manage risks.",{"data":1476,"content":1477,"nodeType":243},{},[1478],{"data":1479,"marks":1480,"value":1481,"nodeType":247},{},[],"Employees can also make immediate improvements to your overall security posture. In case you’re curious about what that looks like, some of the prompts we push to employees are things like: ",{"data":1483,"content":1484,"nodeType":243},{},[1485,1490],{"data":1486,"marks":1487,"value":1489,"nodeType":247},{},[1488],{"type":444},"“We noticed this SaaS app you’re using has access to all your emails, are you still using it?” Y/N.",{"data":1491,"marks":1492,"value":1493,"nodeType":247},{},[]," If not, they can click a button to remove it and you’ll get an immediate reduction of your attack surface. ",{"data":1495,"content":1496,"nodeType":243},{},[1497],{"data":1498,"marks":1499,"value":1500,"nodeType":247},{},[],"Or ",{"data":1502,"content":1503,"nodeType":243},{},[1504,1509,1513,1518],{"data":1505,"marks":1506,"value":1508,"nodeType":247},{},[1507],{"type":444},"“It looks like you’re not using MFA for your account on this SaaS app. Can we get this set up really quickly?”",{"data":1510,"marks":1511,"value":1512,"nodeType":247},{},[]," or “",{"data":1514,"marks":1515,"value":1517,"nodeType":247},{},[1516],{"type":444},"An app you installed called ‘Dropbox’ is not the official Dropbox app, click here to remove it and install the verified app instead.”",{"data":1519,"marks":1520,"value":376,"nodeType":247},{},[],{"data":1522,"content":1526,"nodeType":344},{"target":1523},{"sys":1524},{"id":1525,"type":349,"linkType":350},"27MpbzErmDfAC3bA4dBibv",[],{"data":1528,"content":1529,"nodeType":243},{},[1530,1534,1541],{"data":1531,"marks":1532,"value":1533,"nodeType":247},{},[],"If you’re interested in learning more, check out how we can ",{"data":1535,"content":1536,"nodeType":288},{"uri":1342},[1537],{"data":1538,"marks":1539,"value":1540,"nodeType":247},{},[],"help you discover SaaS use and secure it",{"data":1542,"marks":1543,"value":1156,"nodeType":247},{},[],{"data":1545,"content":1546,"nodeType":243},{},[1547,1551,1559,1563,1571],{"data":1548,"marks":1549,"value":1550,"nodeType":247},{},[],"We’ll also be publishing a SaaS Discovery Evaluation Guide that will explore all the off-the-shelf tools you may consider and evaluate which one is the best fit for your needs as this really does depend on your tech stack. In that, we’ll share our experiences with those products and discuss what additional coverage and context they can provide, as well as where they fall short. Subscribe to our mailing list and follow us on ",{"data":1552,"content":1554,"nodeType":288},{"uri":1553},"https://twitter.com/PushSecurity",[1555],{"data":1556,"marks":1557,"value":1558,"nodeType":247},{},[],"Twitter @pushsecurity",{"data":1560,"marks":1561,"value":1562,"nodeType":247},{},[]," or ",{"data":1564,"content":1566,"nodeType":288},{"uri":1565},"https://www.linkedin.com/company/push-security",[1567],{"data":1568,"marks":1569,"value":1570,"nodeType":247},{},[],"LinkedIn",{"data":1572,"marks":1573,"value":1574,"nodeType":247},{},[]," to get a head’s up when that’s live so you can have a read.","How to roll-your-own SaaS discovery","We’ve compiled some methods for discovering SaaS. Lets explore each approach and learn new ways to discover unknown SaaS, capture SaaS use, and secure it.",[1578,1579,1580,1581,1582],"itassetdiscovery","saassecurity","saasdiscovery","sass","cloudfirst","2022-05-03T00:00:00.000+01:00","rolling-your-own-saas-discovery",{"items":1586},[1587,1589],{"sys":1588,"name":990},{"id":989},{"sys":1590,"name":1592},{"id":1591},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":1594},[1595],{"fullName":998,"firstName":999,"jobTitle":1000,"profilePicture":1596},{"url":1002},"want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser","blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser",{"json":1600},{"data":1601,"content":1602,"nodeType":239},{},[1603],{"data":1604,"content":1605,"nodeType":243},{},[1606],{"data":1607,"marks":1608,"value":1609,"nodeType":247},{},[],"Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up. The browser also allows us to work with the user to guide them to use SaaS more securely right where they’re working - in the browser.","Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up. ",{"id":1612,"publishedAt":1613},"19dT3oWX2H3EYtZIT3J5UO","2026-01-30T09:39:06.711Z",{"items":1615},[1616,1618],{"sys":1617,"name":990},{"id":989},{"sys":1619,"name":1592},{"id":1591},"kHZ1KXJf60CdGdFBW5-X9K7OOZRvOX3KyjVsNH9yQXQ",1784196731952]