SaaS applications have become the most dangerous and widespread threat vector for businesses of all sizes. A key issue in keeping them secure is that many software companies DO NOT include security log data in their APIs, which inhibits user behavior monitoring inside those applications.
SaaS Alerts is circulating a petition — it isn’t clear to whom — to ask software companies to include security log data in their APIs. This is, in some ways, an odd petition. Very few people want to directly consume this type of data unless they already run a SIEM or syslog server, in which case they typically expect the data in a format their SIEM or syslog server can already ingest.
I understand the petition as asking for a RESTful API (although I expect SaaS Alerts would use a syslog feed if that was all that was available). I’ll assume that SaaS Alerts would like the ability to have events both pushed (i.e., webhooks) and searchable. It’s what I’d want.
At its most basic, this is a petition to give SaaS Alerts more business — which is fine by me; JM Addington Technology Solutions was their 4th customer, and we love working with them. Beyond that there are a lot of reasons to like the idea.
First, the security events for most SaaS applications are completely opaque. Vendors like Intuit, Keap, Zoom, Huntress, and most Kaseya products do not offer much — if any — visibility into IAM events that take place. You don’t know if there are unsuccessful logins (unless you are locked out), who accessed what and when, or deleted something, or created something, or created a new user, and so on. The SaaS Alerts petition is a request to change this, to ask these vendors to give us visibility into the security events on the platforms we use every day.
The second reason I like the idea is that it greatly expands the services MSPs like mine can offer to clients. I think it would be a huge win to be able to offer monitoring — and remediation — for SaaS products: security around their entire data perimeter.
Third, it would let us build out a new class of products. Today, JM Addington Technology Solutions and CyberSecureRIA have built a custom reporting and compliance tool that includes reporting for M365 and G Suite, two platforms that do have security log data in their APIs. I would absolutely love to expand that to a broader range of products.
Finally, it would add accountability. With no transparency into the inner workings of most SaaS applications, we have to pray and hope that platforms are not only protecting their infrastructure but our own tenants as well.
Why an API and Not Syslog?
Because JSON APIs are easily consumable today. All modern programming languages support them, often natively. Syslog is also one-way: you either consumed the message at the time it was sent or you lost it. The ability to search for, and re-request, items that were not successfully delivered is helpful.
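To make the push-plus-search point concrete, here is an added example (not code from the post, SaaS Alerts, or any vendor) of a consumer that receives webhook events, uses a hypothetical search endpoint to backfill a gap in the stream, and then runs the simple IAM detections the post wishes for (failed logins, new users, deletions). The vendor log, the `seq` counter, the event types and the `search_api` function are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample feed from a hypothetical SaaS vendor: seq is a gap-free
# per-tenant counter, ts is ISO-8601 UTC. Event 3 never reached our webhook.
VENDOR_LOG = [
    {"seq": 1, "ts": "2024-05-01T09:00:00Z", "type": "login_failed", "actor": "alice@example.com"},
    {"seq": 2, "ts": "2024-05-01T09:00:20Z", "type": "login_failed", "actor": "alice@example.com"},
    {"seq": 3, "ts": "2024-05-01T09:00:40Z", "type": "login_failed", "actor": "alice@example.com"},
    {"seq": 4, "ts": "2024-05-01T09:01:00Z", "type": "login_success", "actor": "alice@example.com"},
    {"seq": 5, "ts": "2024-05-01T09:02:00Z", "type": "user_created", "actor": "alice@example.com"},
    {"seq": 6, "ts": "2024-05-01T09:03:00Z", "type": "record_deleted", "actor": "bob@example.com"},
]
PUSHED = [e for e in VENDOR_LOG if e["seq"] != 3]  # what the webhook delivered

def search_api(after_seq, before_seq):
    """Stand-in for the vendor's searchable endpoint (hypothetical)."""
    return [e for e in VENDOR_LOG if after_seq < e["seq"] < before_seq]

def reconcile(pushed, search):
    """Fill gaps in the pushed stream by querying the search endpoint.
    A one-way syslog feed has no equivalent: a lost message stays lost."""
    prev, filled = 0, []
    for e in sorted(pushed, key=lambda e: e["seq"]):
        if e["seq"] > prev + 1:
            filled.extend(search(prev, e["seq"]))
        filled.append(e)
        prev = e["seq"]
    return filled

def _ts(e):
    return datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))

def iam_alerts(events, failures=3, window=timedelta(minutes=2)):
    """Minimal detections over the IAM events the post asks vendors to expose.
    Returns (alert_type, actor, seq) tuples in event order."""
    alerts, recent = [], {}
    for e in sorted(events, key=lambda e: e["seq"]):
        t, actor = _ts(e), e["actor"]
        hist = [x for x in recent.get(actor, []) if t - x <= window]
        if e["type"] == "login_failed":
            hist.append(t)
            if len(hist) >= failures:
                alerts.append(("failed_login_burst", actor, e["seq"]))
        elif e["type"] == "login_success" and len(hist) >= failures:
            alerts.append(("success_after_failures", actor, e["seq"]))
        elif e["type"] in ("user_created", "record_deleted"):
            alerts.append((e["type"], actor, e["seq"]))
        recent[actor] = hist
    return alerts
```

Run `iam_alerts(PUSHED)` and only the user-creation and deletion alerts fire; run it over `reconcile(PUSHED, search_api)` and the failed-login burst and the success that followed it appear as well, which is the whole argument for a searchable API over a fire-and-forget syslog stream.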