Programmatically monitoring disparate SaaS environments

Optimizing the use, visibility and security of environments that span multiple complex cloud and SaaS environments.

Download this research paper

Security blind spots have developed outside of the local enterprise network as organizations embrace cloud applications and enterprise networks become more distributed. SaaS applications are one such blind spot, because data on user interactions with SaaS applications may contain critical security insights that are not accessible to IT security teams.

Where these data are accessible they come from a number of third-party providers, but each provider focuses on a different aspect of the data, has their own approach to security and auditing, and has a different API.

Darktrace SaaS Modules aim to illuminate this blind spot by retrieving and combining disparate data.

As an example, Salesforce make audit data on interactions with system records (such as create, delete) available from an API on a per-object basis. The dataset updates in near real time, though it captures only a small sample of user behavior.

Salesforce also creates chunked event logs of certain file interactions (such as downloads), but only makes them available for download at large intervals. So, to get a fuller picture of Salesforce data it is necessary to retrospectively associate these events with the time-series data on record interactions.

SaaS Modules use intelligent hashing to detect duplication and combine metrics from many events into a single notice that better represents a user’s actions. Then, they assign metrics to each notice using an extractor framework to provide normalized data, which can be analyzed by Darktrace’s machine-learning algorithms when combined with existing local-network data.

Combining data from SaaS applications with data from the local network provides a data set that is richer than the sum of its parts. It enables detection of malicious activity within individual SaaS applications, and of activity that crosses from one SaaS application to another, or from a SaaS application to a local network.

Anomalous behaviors within SaaS applications can be detected, irrespective of login location, to give security operators better insight into emerging threats more quickly.