Why network monitoring can’t effectively detect SaaS sprawl

In a world of distributed teams, the tools of the past simply can’t find shadow IT.

As we lay out in our article about Nudge Security’s discovery method, SaaS is the boon of our time—a magic wand that turns weeks of work into hours. Never have we had more purpose-built tools so readily at our fingertips to make us more productive. But with this massive gain in productivity, we’ve also lost a major point of control used by security teams. Centralized teams no longer have consistent access to—or even awareness of—all the systems being used to run their critical processes. Even at a mid-sized enterprise of 1,000 employees, a new SaaS account is created roughly every 20 minutes, according to Nudge Security data.

When thinking about discovering these unknown accounts and systems, or “Shadow IT,” people often reach for the tools of the past—monitoring the network and mining expense reports. Essentially, forensic approaches where we take a mass of data and try to extract meaningful signals from it—days, weeks or months after we need it.  But the basic premise of these approaches is difficult to accept in our modern work environment, where SaaS apps can be added without detection by either method. 

When assessing network monitoring as a solution, a few fundamental issues emerge. First is the consistency of network use. Gone are the days when we drove to work and had our workstations plugged into the local network. We work from laptops, from phones, tablets in our office, our kitchen and our cars. The very promise of modern SaaS is one of working from anywhere on anything—one that does not require a particular device or network locality. Need to make a customer call from the airport? Pull up Salesforce on your phone! Need to review the next press release after dinner? Review it on your tablet sitting on the couch! 

Further limiting network monitoring as a control is the granularity of action one can observe. Past the network resolution of a domain name, there is little more you can rely upon. In the past, we’ve relied upon SSL decryption to gain visibility into the activity of an individual. There are two challenges here: certificate pinning and certificate transparency (CT). These days, more and more SaaS providers are using pinning or CT logs to prevent man in the middle (MITM) attackers—even corporate-sponsored ones! These mechanisms prevent your browser from accepting certificates that have not been previously established as trusted for that site (pinning) or have not been publicly recorded in a certificate log as a valid certificate for that site (CT logs). Both of these mechanisms cut down the effectiveness of SSL-decrypting proxies. Even with a magic wand to make our world a wash of unencrypted traffic, we are faced with the Sisyphean challenge of reverse-engineering the network protocol of the 24,000 or so SaaS providers to identify security-critical events. 

In thorny cases like these, where we’re faced with immutable obstacles, we need what’s called a “side-channel attack.” And there is indeed one consistent side effect of every SaaS account: email. That’s right, the one universal communication tool on the internet is reliably used by every SaaS provider to communicate with its customers. At Nudge Security, we figured out that with a simple integration into your corporate email account, you can access the history of all of your SaaS accounts. 

Read more about Nudge Security’s approach to discovering SaaS sprawl.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors