Falcon Shield prevention features

Learn how CrowdStrike Falcon® Shield secures your SaaS stack, reduces risk, and puts you in control.

Drill down into the security posture of the apps in your SaaS stack and prioritize application configuration weaknesses.

Let’s get technical

Falcon Shield delivers app-specific security scores, helping you prioritize high-risk apps. It’s the only SSPM that integrates with 150+ apps out-of-the-box and can connect with any application, including custom applications within your SaaS stack.

Each app contains:

  • Hygiene/risk score based on the number of security checks passed and weighted by their severity.
  • Security check details and remediation steps.
  • Most affected security domains within the app.
  • Compliance-related aspects by application.
  • Number of devices, users, and third-party apps connected to the app.

How this helps

  • Security Prioritization
    Make data-driven decisions on the apps by risk severity.
  • App Owner Collaboration
    Easily manage and remediate configurations together with the app owner.
  • Full Risk Breakdown
    Identify risks by security domain and compliance.

Analyze data by domain, pinpointing risk across your entire SaaS stack.

SaaS posture by security domain

The Security Domain view provides a clear assessment of your SaaS app posture based on every app’s configurations and security domains. Each domain card includes a risk score, identifies the most affected apps, and flags apps that violate compliance frameworks.

The platform tracks 17 domains, analyzing misconfigurations by:

  • Access control, auditing, data leakage protection, endpoint protection, GenAI, key management, malware protection, MFA, mobile security, operational resilience, password management, permissions, phishing protection, privacy control, secure baseline, spam protection, and spoofing protection.

How this helps

  • Improve visibility across your SaaS stack
    Prioritize and easily manage security aspects based on different domains.
  • Check against compliance standards and best practices
    Identify domains that negatively impact compliance scores and target them for improvement.
  • App-specific misconfigurations
    Discover which app security postures are most impacted by specific security domains.

SaaS posture by organization domain

Quickly assess your SaaS security posture by department or business unit. The Organization Domain Landscape assigns a security score based on team app usage, with drill-down views into app-level checks, user activity, devices, and connected applications to uncover and address risks.

How this helps

  • Optimize resource allocation
    Assess team needs and provide targeted guidance on securing their apps.
  • Establish benchmarks and best practices
    Identify top-performing teams and use their strategies as a model for others.
  • Focus training initiatives
    Pinpoint teams that require improved cybersecurity knowledge and tailor training activities to meet their needs.

Measure compliance of your SaaS stack against industry standards and create custom standards.

Let’s get technical

Many organizations must follow industry compliance standards, while others define their own. Falcon Shield simplifies compliance by measuring your SaaS stack against 23 built-in industry standards and by integrating custom policies, helping you maintain control and stay protected.

Built-in standards include:

  • SOC 2 Type 2
  • ISO/IEC 27001
  • NIST CSF
  • CIS Microsoft 365 Foundations Benchmark
  • HIPAA

Easily compare each SaaS application’s security settings to various compliance standards. Our intuitive interface aligns with compliance requirements, simplifying posture assessments. Export PDFs and CSV files for seamless monitoring, reporting, and sharing.

How this helps

  • Compliance Reporting
    Demonstrate SaaS compliance for regulatory bodies, partners, and internal stakeholders.
  • App Compliance
    Ensure that specific applications address required compliance standards.
  • Domain Compliance
    Check organizational compliance levels across specific domains, such as Access Control or MFA.

Enterprises manage hundreds to thousands of SaaS settings that must be configured to reduce risk. Falcon Shield automates checks, comparing settings to industry benchmarks and company policies, assigning pass/fail scores. Teams can quickly spot misconfigurations and follow remediation steps to stay secure.

Let’s get technical

Each security check includes:

  • Security Domain
    Area of the application that the setting impacts, such as Access Control, Data Leak Protection, and Malware Protection.
  • Impact Level
    Risk level of the misconfiguration.
  • Affected Users
    Users who are affected by the misconfiguration.
  • Current Status
    Passed/Failed/Dismissed.
  • Remediation Plan
    Step-by-step instructions to secure the configuration and ticketing process.
  • Reason for Alert
    Detailed explanation of the potential risk of the misconfiguration.
  • History Log
    Detailed log, including comments about the security check.

How this helps

  • Itemized security checks
    Each check provides a clear path to harden security posture.
  • Tailor to your security policy
    Use out-of-the-box settings or customize policy and severity levels to meet your internal security policy and industry expectations.
  • Accountability log journal
    Provides an audit trail with user actions and comments.

When SaaS security misconfigurations occur, your data is at risk. Falcon Shield’s alert system informs you of configuration drifts as they happen. Quickly review changes, evaluate risk, see which users are impacted, and take appropriate action.

Let’s get technical

Activity Monitor analyzes actions and presents a complete picture of every privileged activity within your SaaS stack.

Security teams can see activity logs of:

  • Configuration Drift — a configuration changed from pass to fail.
  • Security Check Degradation — an existing failed check that has been degraded.
  • Integration Issue — Falcon Shield did not integrate with a specific application.

Alerts are automatically triggered by changes and delivered to designated personnel over email, Splunk, Slack, Teams, or other preferred communication channels.

How this helps

  • Eliminate alert fatigue
    Alerts are triggered by actual configuration failures. Customize existing alerts or create your own logic.
  • Immediate remediation
    Prioritize high-risk configurations.
  • Clear call to action
    Security and app teams know exactly what they need to do.

Know every internal and external user accessing your SaaS stack. Manage access, permissions, admin activity monitoring, or any user-centric security aspect that poses a risk.

Let’s get technical

The User Inventory enables full monitoring and management of all users and offers special insights into privileged roles and user-specific security checks. Click on any user to see:

  • Risk level associated with the user based on role and existing configurations.
  • Activated/deactivated users.

How this helps

  • Privileged Roles
    Identify users with the highest permissions within each application to prioritize misconfiguration management, device management, and third-party app access.
  • Permission Trimming
    Check that each SaaS user has the right level of access needed to enable business operations while preventing unnecessary access to sensitive data.

Employees often connect SaaS applications without security team approval, risking exposure to high-privilege access or malicious apps. Falcon Shield identifies connected apps, empowering security teams to minimize risks and mitigate threats.

Let’s get technical

Falcon Shield detects all apps connected to business-critical SaaS applications like Microsoft 365, Google Workspace, Salesforce, GitHub, your IdP, and more. This includes information on their risk-severity level and the scopes granted, enabling you to automatically block or revoke access based on your policy.

Main capabilities:

  • Vendor name and verification status.
  • Installation date of the app.
  • Description of the application.
  • Users who gave consent to the app.
  • Scopes granted to the app and their risk severity.
  • Last-used date, including a summary of the occasions on which the app used its granted scopes.
  • Auto-remediation based on policy.

How this helps

  • Visibility and full management of connected apps
    Measure your risk and attack surface with an unprecedented view into apps connected to your SaaS stack, analyzed by severity and more.
  • Malicious app threat detection
    Discover unknown applications that pose a real threat to your operations and data.
  • Manage access
    Identify high-risk or dormant connected apps and automatically or manually adjust access.

List public and externally shared files, repositories, boards, and more to identify resources that are at risk of unwanted exposure.

Let’s get technical

Falcon Shield’s Data Inventory alerts users when resources are at risk of exposure, preventing data leakage. It tracks resources, providing at-a-glance visibility into their share settings. At-risk resources are classified as public, meaning they are accessible to anyone, or external, meaning they are shared with users from an outside domain.

Vulnerable files and resources include:

  • Documents and resources shared publicly with anyone with a link.
  • Documents and resources shared externally with unknown domains.
  • Shared documents and resources that have outlived their business needs.

How this helps

  • Sensitive document resource security
    Identify confidential and sensitive documents and resources that have been shared.
  • Publicly accessible calendars
    Prevent outsiders from accessing videoconference links, passwords, agendas, or from conducting social engineering attacks with calendar information.
  • Discover external users accessing repositories
    Monitor which external domains are accessing shared repositories and audit user access.
  • User and department board sharing
    See which specific users or departments are sharing boards as a way to detect insider threats or develop resource-sharing policies.

Discover overpermissioned users, compare user permissions, and conduct user audits.

Let’s get technical

Get an accurate view of user risk and trim permissions to fit company policy. Falcon Shield’s Permissions Inventory enables security experts and app administrators to manage user permissions from a single screen. It captures every permission granted within an application, including group profiles and entitlements given at the individual user level.

Capabilities include:

  • View user by profile.
  • View permissions by user.
  • Compare users side-by-side.
  • Manage all tenants in a unified view.
  • Discover active users to offboard.
  • In Salesforce, visibility into users’ entitlements from their profiles, permission sets, and custom permissions.
  • In Workday, visibility into users’ entitlements from their security group and domain.

How this helps

  • Certification Campaign
    Review and validate user permissions to align with the principle of least privilege access as part of an annual user audit.
  • Identity Hardening
    Discover overprivileged user accounts and remove unnecessary permissions.
  • Privilege Creep Prevention
    Continually assess permissions to identify those that expand beyond corporate policy.
  • Unified Cross-platform Visibility
    Gain insight into user permissions from across the SaaS stack to better understand risk coming from any individual.

Monitor user devices that access your SaaS stack and review their vulnerabilities and misconfigurations.

Let’s get technical

Falcon Shield integrates with existing EDR, device management, and vulnerability management platforms for a 360-degree Device-to-SaaS-User picture.

The Device Inventory feature includes:

  • All SaaS-user managed devices listed by owner.
  • Device posture from endpoint services in place (for example: CrowdStrike – Zero Trust Score).
  • Details of device platform and OS.
  • Whether the device is managed and compliant.
  • Orphan or dormant devices.

Drill down to see device user data, including:

  • User name.
  • SaaS app access.
  • Privileged roles.
  • Other devices associated with the user.
  • If the device is within the organization’s MDM and whether it poses any risk.

How this helps

  • Privileged users with critical vulnerabilities
    Identify high-privileged SaaS users with poor cyber hygiene on their devices, including those that are non-compliant with organizational policies and those that are unmanaged.
  • Device missing endpoint protection reporter
    Create security checks that identify devices that are not reported by the endpoint device.
  • Devices missing latest version agents
    Prevent malware attacks by identifying devices that use out-of-date agent versions.

    Role-based access control (RBAC) empowers app owners with tailored access to their SaaS apps, enabling them to view and complete required security checks to maintain a strong security posture.

    Let’s get technical

    Security teams can grant app owners access to view and manage their owned applications within Falcon Shield based on the following roles:

    • Scoped User — read-only access to their applications.
    • Scoped Admin — complete access to their applications, enabling them to manage security checks and entities as needed.

    How this helps

    • Align Communication
      Streamline remediation by aligning app owners and security teams to protect processes and reduce risks.
    • App Owner Focus
      App owners stay focused on their apps, streamlining remediation without distractions from the full SaaS stack.
    • Harden Security Measures
      Limit app owner access to activities that fall within their scope, reinforcing security and control.

    See how your SaaS security posture has evolved over time, evaluating your security score by application or full SaaS stack.

    Let’s get technical

    Review your historical security posture through multiple views and compare different metrics such as Security Check Status, Apps, Security Domains, and Compliance Standards.

    How this helps

    • Benchmark Security
      Track posture scores for individual SaaS applications against individual apps or your overall SaaS stack.
    • Measure Goals
      Quantify progress and measure your achievements vs. your goals.

    Don’t just identify misconfigurations; remediate failed security checks via step-by-step instructions or quick-fix capabilities.

    Let’s get technical

    The security team and app owner remediation process includes:

    • Alerting
      Alert the relevant team on any security drift that requires fixing through the platform, email, or any event management system.
    • Security Check Remediation
      Address each misconfiguration with the help of the step-by-step directions.
    • Ticket Creation
      Send remediation instructions automatically to app owners or security personnel through a ticketing system of choice or via email.
    • Collaboration
      Correspond with your app owners and document notes on a specific security check.

    How this helps

    • Optimize resources
      Assign configuration updates to app owners with step-by-step directions.
    • Upgrade SaaS security faster
      Make updates without researching configuration fixes.
    • Close gaps with confidence
      Follow remediation steps created by our team of SaaS security experts.

    Create and schedule automated custom reports directly from Falcon Shield to monitor every SaaS event.

    Reporting

    Falcon Shield’s reporting functionality keeps stakeholders informed on the status of your SaaS security. Reports are fully configurable, allowing users to adapt the design and content based on their reporting needs.

    Use pre-made reports or create your own with data from security checks, compliance, users, devices, apps, permissions, data, and domains.

    How this helps

    • Leadership Reporting
      Share SaaS risk level with your CISO, executives, and other stakeholders.
    • GRC SaaS Compliance Reports
      Automate daily, weekly, or monthly compliance reports based on over 20 compliance and regulatory standards.
    • Monitor Changes
      Track configuration posture, user permissions, data leakage risk, and other critical factors over time.

    Activity Monitor

    Falcon Shield’s Monitor collects and normalizes SaaS logs, providing security teams with an intuitive UI to detect threats and indicators of compromise (IOCs) across apps and users. Filtering tools help quickly pinpoint suspicious activities, enabling fast detection of insider threats and enhanced SaaS security.

    The Falcon Shield Monitor displays:

    • Name, description, and location of each event.
    • Categorization of events, including IOC and Threat.
    • Actors and applications involved in each event.
    • Severity level of each threatening event.
    • Actor activity profile.

    From there, security teams can take a deep dive into the events’ history and further investigate.

    How this helps

    • Protect against compromised user accounts
      Identify and manage accounts with suspicious or inadequate activity.
    • Internal threat
      Identify unusual user behavior.
    • Build an audit trail
      Gather forensics and further investigate the case.
    • Export normalized data
      Send event data to external BI systems for further analysis.

    Falcon Shield’s Threat Center collects data from multiple sources and identifies the most sophisticated and subtle threats, to avoid ransomware attacks, data breaches, and corporate espionage.

    From threat prevention to protection

    As a means of prevention, SSPM operates as the security layer in the Identity Fabric to establish robust user governance. As a second layer of threat protection, ITDR provides extensive coverage in detecting SaaS-related threats, such as password-based attacks, IP behavior anomalies, OAuth-based attacks, unauthorized document access, unusual user agent activities, and more.

    How this helps

    • Tactics, Techniques, and Procedures (TTP)
      Identify attacks or compromises on your SaaS apps by detecting Indicators of Compromise (IOCs) and analyzing adversary TTPs. Falcon Shield uses UEBA to cross-reference activities, flagging suspicious events like unusual geolocations, brute force attempts, API anomalies, malware, and more.
    • MITRE ATT&CK Mapping
      Improve threat detection and incident response based on the MITRE ATT&CK framework.
    • Alerts, SIEM, & SOAR Integrations
      Receive timely notifications in multiple channels such as email, Slack, or Teams, indicating potential threats that require immediate investigation or response. Seamlessly integrate with your existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools, to improve threat correlation and incident response efficiency.
    • Remediation Guidance
      Get actionable insights and step-by-step guidance to address and mitigate vulnerabilities, weaknesses, or compromises in the event of a security incident.

    Threat Detection: Selected Examples

    • Payment Received
      When a threat actor changed an invoice’s account payment information to redirect the funds to their own account, Falcon Shield detected the change and helped prevent payment from going to the wrong account.
    • Two Places at Once
      IP geographical data indicated a user accessed their CRM from Baltimore at the same time they were logged into their email account from Paris. Falcon Shield detected the anomaly and recognized that the Paris login was using an unusual OS. The company blocked the Paris login and reset the user’s login credentials for all applications.
    • Wrong VPN Accesses Application
      A user who always logged into their applications through the company’s standard VPN was detected logging in through a private VPN. While this alone wasn’t enough to indicate a threat, the suspicious login took place at a time when it was unusual for the user to be logged in. The combination of factors led the security team to discover that the account had been compromised.

    Use the Integration Builder to secure custom apps, niche apps, and any SaaS application that isn’t integrated out-of-the-box. Manage configurations, monitor users, and gain visibility into devices that access your SaaS stack.

    Let’s get technical

    The Integration Builder enables you to achieve full SaaS stack visibility over every application, including on-prem and home-grown apps.

    • True Risk Visibility
      Quantify security posture for every app in the stack.
    • Identity Security
      Manage internal and external users and service accounts to govern access, roles, permissions, and more.
    • Simplified Integration
      Connect via REST API.
    • Enrich Threat Detection Data
      Monitoring more applications delivers more data to the threat-detection engine.

    How this helps

    • Single Dashboard Security
      Manage SaaS security for all integrated apps from a single dashboard.
    • Normalize SaaS App Security
      Implement standards and policies that can be applied to integrated applications equally.
    • Improved Compliance and Reporting
      Enable custom apps to meet company compliance standards.