Businesses rely heavily on third-party web-based apps and services. Countless online accounts are created and used by employees each day on SaaS (Software-as-a-Service) cloud platforms to tackle each task that the business requires.
For instance, the marketing team has access to newsletter services, online creative tools, and social media tools; HR has access to job portals and HR software; the sales team utilizes CRMs and lead generation tools.
Most of these accounts are created ad-hoc by employees, which means that they are unmanaged and unknown, creating a tremendous amount of risk and IT management overhead.
Shadow IT refers to resources utilized without the knowledge of the company's IT department. This can include hardware and software, though it mainly refers to cloud-based SaaS applications. Shadow IT is a hotbed for malicious activity against corporate resources. Attack techniques such as credential stuffing, password spraying, and account takeover are mainly successful due to Shadow IT and password reuse.
Unlike corporate accounts—such as Active Directory (AD)—these are mostly unknown to IT.
If employees leave the company, they may still have access to these accounts.
Users don't like passwords—they tend to either use weak ones or reuse corporate credentials.
According to reports, billions of accounts are breached every year, ending up in combo lists.
Leaked credentials can be used to gain unauthorized access to corporate resources (credential stuffing).
Breaches and password reuse are the main culprits for account takeover attacks.
These accounts are often shared among employees, creating ownership issues.
If an audit is required, it's almost impossible to manually collect the usage data of web accounts.
The vast majority of such accounts are used for short periods, then left unused and unmonitored forever.
Overlapping and orphaned accounts can result in unnecessary expenses.
Scirge provides a unique approach to unveiling and gaining control of unmanaged third-party web applications used by employees or business units, without the oversight of IT or security departments. It reveals unknown web apps and manages password hygiene issues such as shared accounts, weak passwords or account reuse for employees using corporate email addresses as credentials. Scirge enables you to have control and visibility over your company’s SaaS usage to help you reduce the IT operational overhead and cost relating to unsanctioned Shadow IT usage.
Cloud Consumption Trends
Configurable tags with custom thresholds give you insight into application usage trends among all employees. Underutilized or abandoned applications point to changed business requirements or unnecessary subscriptions. Discovering overlapping subscriptions and widely adopted applications helps your C-level executives understand the progress and potential flaws of cloud adoption and digital transformation.
Deep Visibility into Shadow IT
Inventories include deep insights into applications, including metadata collected directly from browsers, such as privacy policies, terms and conditions, and social links. Horizon Cloud Intelligence (HCI) provides intelligence including domain reputation and country of origin, and reveals potential phishing or unwanted sites. Scirge also correlates usage trends to discover which services have been popular, trending, or abandoned by your employees, enabling decision-makers to figure out what tools users are missing or if users prefer a better digital experience.
- Detect Any Web App
- Automatic Metadata Collection
- User-level App and Account Inventory
- Abandoned App and Account Detection
- Underutilized App and Account Detection
- Trending and Popular App Tagging
- Application Usage Intelligence
- Web App Reputation
According to NCSC, "Passwords need to be protected within your system, even if the information on the protected system is relatively unimportant." The number one challenge for this is controlling employee-created accounts on third-party websites. This is why each password entered into a browser is rigorously checked for weaknesses by Scirge. Custom password complexity rules are available to match regulatory requirements, and the algorithmic password strength is also calculated at the endpoints. Passwords are hashed locally on the endpoint, so their cleartext form is never sent or stored anywhere else—only industry standard secure hashes are stored at the Central Server database, so password reuse, password sharing, or the use of already breached passwords can become visible to your security departments.
Active Directory Password Protection
In-browser user authentication puts AD/LDAP passwords through the same hygiene process, which helps meet compliance requirements that are often stricter than what AD and other directory services' configurations allow. An Active Directory password that is reused in third-party web applications is a red flag for account security, because stolen Active Directory accounts allow seemingly legitimate access to local networks and other integrated cloud services. Protecting your Active Directory accounts should be your top priority, as industry analysts agree that stolen credentials are used in 80% of successful attacks.
Alerts may be configured to trigger based on policy matches, password strength, complexity violations, or the detection of auto-filled passwords. The combination of awareness messages with policy rules for the appropriate account usage – such as blocking distributed emails or blacklisting VIP email addresses for registrations – allows you to protect high-value assets while constantly reminding users of the expected behavior and corporate policies.
Awareness and Education
In-browser awareness messages allow for an immediate response when employees are accessing unwanted services, or using blacklisted emails (such as VIP, internal, or distributed email accounts) with weak credentials. You can also set up automated awareness campaigns for specific use-cases via our API integrations, ensuring that your employees are warned and educated on multiple channels, such as email or even SMS. Users learn immediately, gaining knowledge based on their actions, rather than classroom-based formal education covering general policies. Scirge also provides metrics showing overall password hygiene, as well as the exact metrics for measuring the success of these training efforts.
Centrally-managed policies based on:
- Corporate Email Domains
- Corporate Email Addresses
- Target URLs
Password Hygiene Checks:
- Password Complexity Validation
- Password Strength Metering
- Password Reuse Detection (AD/Web)
- Password Autofill Detection
- Password Expiration Tracking
- Password Breach Tracking
- Custom Password Blacklist
Awareness and User Education:
- Popup Message
- Banner Message
- Browser Redirection
- Multiple Trigger Rules
- Email and API-based Alerting
Scirge detects when the accounts of VIP users, ex-employees, or otherwise important users are being accessed by others, unveiling potential impersonation and insider threats. When multiple employees use the same credentials, segregation-of-duties conflicts arise, in breach of several regulatory requirements. These shared accounts are highly relevant for internal web applications as well, especially in the financial and HR departments, but also for high-privilege users and IT staff. Users accessing an unusually high number of apps or providing a lower-than-required password strength may also be flagged, either for review of conduct or assignment to further training.
Automatic Terms Collection
Scirge collects privacy policies and T&Cs from all applications that employees access which are monitored via policies. By combining usage trends, such as popularity, with geographic data and reputation, compliance departments can identify which services are potentially critical or risky. Terms of these services may then be evaluated and integrated with existing corporate policies, while users may be warned and educated for proper use. Illuminating shadow IT turns it into a controlled and manageable part of your technological ecosystem, lowering your regulatory exposure.
- Shared Account Detection
- Power User Detection
- Active Directory Password Reuse Detection
- Inactive & Disabled AD Account Reuse Detection
- Identity Misuse Detection
- User Authentication
- Automatic T&C Collection
- Blocking Capability
Endpoint Browser Extension
A browser extension is deployed to endpoints, which can be done manually or centrally (via GPO, for instance). The Endpoint Browser Extension component fetches active configuration and policies and monitors the web account registrations and logins based on those specifications. It might block such action or warn the user; alternatively, it can silently log or ignore the action.
The browser extension securely communicates with the Central Server to fetch active configuration and policies and to send logs back. The Central Server collects, stores, and processes the data to provide useful, detailed log entries and analytics. The Central Server is where Administrators and IT Security Officers can create policies to set the behavior of the system.
Evaluation and Update
As time goes by and data is collected and analyzed, policies can be fine-tuned to match the environment and business needs. There are numerous options for specifying the policies, and creating exceptions and global catch-all rules is simple.
Scirge is easy to deploy and manage. The Central Server—deployed as a local Virtual Appliance—is responsible for the management, while information is collected from Chrome, Edge, or Firefox browsers via our Endpoint Browser Extension (EBE), without needing a full-blown endpoint agent.
The Scirge EBE monitors and collects company-related credentials and all the relevant information from websites, and it does this based on centrally-managed policies. Users may be warned or redirected to awareness training via in-browser alerts when they are at risk or if they breach policies.
Data collected on the Central Server is enriched with usage-related metadata based on custom threshold values and rules. Accounts and securely hashed passwords are correlated to discover password reuse, account sharing, and indicators of potential internal fraud or misconduct, all without ever storing cleartext passwords. Intelligence comes into play in the form of easy-to-read tags that can be used for correlation and investigation.
With the help of the Horizon Cloud Intelligence (HCI) service, further metadata enrichment is available, including domain reputation and blacklist checks. HCI also verifies hashed passwords against known database breaches and common password lists or combo lists, further securing your accounts against account takeover attempts and brute-force attacks.
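The correlation described above can be done on digests alone, as this added example shows (it is not Scirge's code). It assumes a keyed HMAC-SHA256 digest and a constructed event format; the page does not name the actual hash scheme, key handling, or record layout.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a per-deployment secret key; the page does not name the hash scheme.
DEPLOYMENT_KEY = b"constructed-demo-key"

def digest(password: str) -> str:
    """Keyed digest computed on the endpoint; only this value is sent onward."""
    return hmac.new(DEPLOYMENT_KEY, password.encode(), hashlib.sha256).hexdigest()

# Constructed sample events: (employee, app domain, account e-mail, password digest).
EVENTS = [
    ("alice", "crm.example", "alice@corp.example", digest("Spring2024!")),
    ("alice", "news.example", "alice@corp.example", digest("Spring2024!")),
    ("bob", "jobs.example", "hr@corp.example", digest("hr-portal-pw")),
    ("carol", "jobs.example", "hr@corp.example", digest("hr-portal-pw")),
    ("dave", "design.example", "dave@corp.example", digest("password1")),
]
AD_DIGESTS = {"alice": digest("Spring2024!")}            # constructed directory digests
BREACHED = {digest(p) for p in ("password1", "123456")}  # constructed breach list

def correlate(events, ad_digests, breached):
    """Return findings keyed by type, using digest equality only (no cleartext)."""
    findings = defaultdict(set)
    apps_by_secret = defaultdict(set)    # (employee, digest) -> apps using it
    users_by_account = defaultdict(set)  # (app, account) -> employees logging in
    for user, app, account, d in events:
        apps_by_secret[(user, d)].add(app)
        users_by_account[(app, account)].add(user)
        if ad_digests.get(user) == d:
            findings["ad_reuse"].add((user, app))
        if d in breached:
            findings["breached"].add((user, app))
    for (user, _), apps in apps_by_secret.items():
        if len(apps) > 1:  # same password on more than one web app
            findings["reuse"].add((user, tuple(sorted(apps))))
    for (app, account), users in users_by_account.items():
        if len(users) > 1:  # one account used by several employees
            findings["shared"].add((app, account, tuple(sorted(users))))
    return dict(findings)
```

Equality matching only works because the digest is deterministic, so the key in this sketch has to be protected like any other credential-grade secret.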
- Syslog Integration
- SMTP Integration
- LDAP Integration
- API Integration
- Role Based Access Control
- 4-eye Principle
- Audit Logs
- PII Anonymization
- Endpoint Authorization
- Double-Encrypted Communication
What happens if a colleague registers for a web app on a different machine where the extension is not deployed?
- If the colleague later logs in to the web app from a monitored endpoint then we'll catch and record it.
- As in most cases when it comes to IT Security, there is no way to provide 100% coverage, and that's not even the plan. The main idea is to educate the employees about the risks and to uncover as many unmanaged web accounts as possible.