An Israeli Colonel's Insight into Cybersecurity Challenges
Security Unfiltered, October 09, 2023
125 | 00:45:59 | 31.64 MB


Ever wondered what it takes to be a cybersecurity expert? The fragile borders between cyber offense and defense are navigated by our guest, a retired colonel from the IDF's technological unit, who shares insights from her journey. Galit Lubetzky takes us from the early exploration of HTTP protocols to leading an operations center. She then describes her transition into the private sector, where she identified a glaring gap in the tools available to protect companies from cyberattacks. We also dive into the red vs. blue team dynamics of the cybersecurity world.

As the game of defense and offense evolves, its battleground has shifted. The conversation explores the critical importance of SaaS security in today's digital landscape and how SaaS applications have become the new frontline for attackers. Learn how to tackle these challenges with Wing's SaaS security solution: securing your systems by understanding application usage, identifying vulnerabilities, and managing third-party risk. Discover how revoking permissions from unused applications minimizes the attack surface.

LinkedIn: https://www.linkedin.com/in/galit-lubetzky-2042501/

Website: https://wing.security/


Speaker 1:

Well, how's it going? If it feels like we have been planning this thing for what seems to be forever, you know, but I'm really excited for you to finally be on the podcast so we can dive into. You know, your experience and what you're doing now.

Speaker 2:

Thank you very much for having me, Joe. I'm excited to be here.

Speaker 1:

Yeah, absolutely, you know. So you know it's interesting. I have done about 150 of these episodes and I always start people off with their background and I I literally haven't heard the same background twice. That includes interviewing other people from the 8200 group. You know, they all specialize in different things. Like I talked to someone that reverse engineered malware, you know, and this guy was talking like skies above my head, you know, it was hard to understand. So how did you get into IT, you know? Did you? Were you younger with an incline towards IT, towards computers, or was it kind of? You know just where you placed.

Speaker 2:

That's a good one. So I joined the IDF after studying electrical engineering, and it was the late 90s back then, and I joined the technological area of the unit, Unit 8200, which is the equivalent of the famous NSA, and very quickly, I mean within a year or two, we discovered the opportunity that lies in the HTTP protocols over the signals that we can intercept, and one thing led to the other. I think that I love opportunities. I'm very curious, I want to check things, and since the potential was so huge, I was very fortunate to be in the very, very early stages of discovering those protocols. What's going on there? What can you do with it? And I grew up to develop tools, to manage development teams, research teams, then moved on to operations. I grew up, the management got wider, bigger teams, more responsibility, some new aspects of cyber. You know, cyber has many aspects, but I was testing technology from many aspects, and then I was very fortunate to join the JCDD, which is the cyber defense division of the IDF.

Speaker 2:

So I was in charge of an operations center and that was actually in charge of the strategy of how to protect such a huge and complicated organization, and I retired as a colonel and thought, okay, I had such a wonderful career, what am I going to do tomorrow? And then, since you remember, I told you I love the opportunities. I saw the amazing adoption of SaaS applications by companies. I didn't see that back then when I was in the IDF, because the IDF is a very secure organization, air-gapped, of course. And once I saw all this goodness that there is out there, with companies that need to move fast and want to move fast, and usage of so many different applications in such an easy, affordable, you know, rich way, but with the lack of tools to discover, to control, to help you make a decision whether it's risky, is it allowed, does it fit the policy of the organization. So I understood that there is a huge gap there and that's how we established Wing. So, yeah, my background is mainly security, cyber.

Speaker 1:

That's. You know, it's really fascinating. Do you ever look back at you know the years that you spent getting into cyber and think like man, I was at the beginning of this thing called cybersecurity Like it wasn't even. You know it wasn't even a term back then. Right, like no one even thought that computers could be used. You know so maliciously. Right, like now we're seeing. You know nation state actors hacking other countries, that taking over you know critical services and critical infrastructure and whatnot. That wasn't even. I mean, that was science fiction, that was considered to be a science fiction movie, right, did you look? Do you ever look back and think like man, I was at the beginning? Like how immature were we to think that this wasn't going to go anywhere?

Speaker 2:

Yeah, I was actually writing some of those chapters. I was very fortunate to be at the right place at the right time, so I can tell you that each new chapter was so thrilling that, yeah, it was a very exciting period. Yeah, it's where I am today. You know, thinking as an attacker always helps you understand as a defender, as the one in charge of protection and security; it helps you focus on the right things, or building the strategy. How do you want to approach this? You know, this whole problem. Because as an attacker, you always need, you know, one window open, but as a defender, you need to make sure that all the doors and all the windows are locked. So it's much more difficult. You need strategy, you need a method, you need, of course, tools.

Speaker 1:

Yeah, it's a good point. You know when. So I got my master's in cybersecurity and you know, along the path, right, you take a red teaming class and then you take a blue teaming class. You didn't think about the order of anything. You know you're told to take it one semester. You take it, right? It's a very hands-on program. So you know you're actually learning, you know, through a slide of okay, this is how I can do reconnaissance on a Windows server, this is what it looks like. And then you're actually doing it. You know, in a lab, like you're actually typing the commands and everything.

Speaker 1:

And I didn't think the importance of it until I got to the blue team class and they said, okay, you know, your final project is to protect this environment against the red team class. And you know, if no one gets into your sector, you get an A right, and if someone gets in but they can't get very far, it's a B. If they can get the secret, it's an F, like there's like no in between on it. You know, and that was extremely interesting because you know everyone in the program went red team first. You know so to see, to see like just what, what we were doing, how we were attacking the problems first and prioritizing it. You know, I think we had like 24 hours to like secure our, secure our network. You know, and it was really, it was fascinating. But you don't realize it until you go through the red team side. It's like, oh okay, like I'm used to thinking that other way, this is what I would do if I was trying to get in.

Speaker 2:

Right, right. I think it's very beneficial.

Speaker 1:

Hmm, yeah, it's all. It's all about a mindset too. When I have like red teamers on, it really is all about a mindset of thinking, oh okay, that didn't work, let's try this other thing over here. Is that, is that something that is taught, you know, in the 8200 group, or is that something that's kind of, just like you, you grow to have it right, like it's not something that's taught or mentioned or anything like that, but it's something that it's like a, it's an attribute that you grow to to have. Does that make sense?

Speaker 2:

Yeah, but I think you know it's like tackling complicated problems, so you try one thing and if it doesn't work then you don't give up. Right, you have a mission. You can't not solve it, so you try one thing, and if it doesn't work then you try another thing, and if that doesn't work then you try another thing, and then you you make it.

Speaker 2:

I don't know any other ways. I mean, in many cases it's not the first thing that works, but you learn a lot and you develop, you evolve and you get better and you understand that you, you find your way.

Speaker 1:

Yeah, it's. You know I asked that question right Because I know that there's going to be someone out there that's trying to get into cybersecurity. And I get this question a lot Like how, how can I gain a cybersecurity without failing? You know, and it's like a, it's an impossible task. You wouldn't want the end result of that. You would want to fail as much as possible.

Speaker 1:

You know, in the beginning of my career, before I was even in cybersecurity, you know there was a couple of situations where I like completely destroyed a customer's database and we had to restore it from, like the Postgres, you know, edit logs, right, the user logs to get the data back right, and I it was twofold I learned what not to do. And then I learned a really interesting way of how to recover someone's data If I really messed it up. Yeah, like it's looking back on it. It's really helpful, right, and I've used that maybe once or twice since, but it was really helpful to just experience that, because it's like oh, I'm getting fired today. I didn't realize that. And then, you know, my VP is like no, you better fix it. Like, we need you to fix it.

Speaker 2:

Of course.

Speaker 2:

I think that you know we learn more, of course, from our complicated situation, and since the real world is complicated enough to provide enough opportunities to learn, then each of us in the I think, in almost everything we do we need to cope with situations that are not easy, and security teams are at the frontline because it's not something rare, and so you need to deal with the security situation.

Speaker 2:

And since the world is getting more and more and more complicated and security teams need to have they need to be all around players right. They have the users and their endpoints, and those users now use so many SaaS applications and now they need to cover different aspects of the organization. And if it's still not be in the no-no position, then this is very challenging and that's why I think that the solutions that we also see in the domain evolved and we see more and more solutions, specifically in the complicated domain of security and specifically in the SaaS security, that try to push you towards understanding, assessing, right. You need to cover, so collect enough information so you will have the ability to make decisions and then focus on the major ones. Of course, there are always priorities, so you need to focus on the major ones. And then you know, the better the solution, the simpler or maybe the opportunity to solve those situations in a fast and easy way to help you move on to the next thing. But from any incident like this you learn.

Speaker 2:

You investigate, you learn you know for the next time how to react? Yeah, that's the story overall, right, right. Yeah, it's a good point.

Speaker 1:

You talk about SaaS applications kind of being the new frontline, almost right. Is that a change or a shift that you saw, you know, potentially in the 8200 group, where you were looking more at SaaS applications than other areas or other attack paths, when you got the idea for wing security? Because, at least from my end, right, the defender side in cloud security, like SaaS applications, are the things that frustrate me the most. Right, Because anyone with a credit card can not only just start up a cloud account. They could start up a SaaS you know, application account and start putting my data or the company's data into this application that may not be secured the way that we needed to be secured and now we're in a situation that we didn't intend to be in, we didn't expect to be in, that we didn't even know we were in. Is that an attack path that you saw develop potentially?

Speaker 2:

Absolutely, absolutely. I think that this is the vector that we already see and we will see more and more in the future. Applications, SaaS applications, are the new way. It's not new in terms of, you know, this year, but we see this market growing at a fast pace. Last I heard 18% per year. So it's a, I don't know, a $200 billion market growing at a fast pace. So we understand that it's dynamic, it's growing, everyone can use it, just as you said, and we see that there are two potentials.

Speaker 2:

There are many, but in the examples that you took us to there, there are two things that we will see. One of them is the applications that are not naive, rogue applications. You know that there are about 50 applications that are disguised or close to or pretend to be ChatGPT-like, with a very similar name, with a very similar logo. So there are about 50 applications that are not a gen AI solution, not the open and original ChatGPT. And now that people in the organization upload their data, maybe code, maybe information related to customers, now this data resides over this app, and who is doing the process of making sure that this app is safe enough to hold the company's information?

Speaker 2:

So that's one thing, and the other thing is, since the domain is so active, applications are being breached, and we have visibility to hundreds, hundreds of companies. 84 of the companies that we see were using, on average, three and a half applications that have been breached in the last three months. So, since we are talking about big numbers, organizations with hundreds of employees, 200, 300, 500 users, nearly 1,000 applications, 800, 900 applications. With that number, of course, some of them may be risky, some of them may be breached. So that's absolutely the new attack surface and we see this phenomenon growing, both by attackers to use the potential that they have now, and I believe that we will see this growing in 2024, 2025, and so on. Maybe it's the new channel for phishing that way.

Speaker 1:

That's an interesting way of looking at it. When you heard about the Microsoft Outlook breach, to me that sounds like a SaaS breach and they denied that there was any data breach, that people just took over email accounts and whatnot. But that doesn't make sense to me, being a defensive person, because if you take over someone's email account, you have their data 100%. You have their emails and whatnot. But the way that these attackers seem to have done it seems to be a bit more. I guess it was precise in the accounts that they intentionally took over, but the way that they did it basically could have impacted anyone on that platform. What was your thoughts when you saw the breach from Microsoft?

Speaker 2:

Well, look, I'm not surprised, because we cover, as a core business of Wing, since we are SaaS experts. We've built a huge database of SaaS applications, more than 280,000 SaaS applications covered in the database. We collect information about applications, the vendors, all the time, and part of it are vulnerabilities, which is any information that can add to the security assessment of the application and the vendor. So we will be able to provide our customers with the insights on their SaaS application usage and to focus them on their major risks. So we see applications being breached all the time. Those applications are connected by the employees in the company. It's what they do all the time.

Speaker 2:

Outlook is a major application, major one, I mean. If that's the email platform, everyone in the organization will use it. But since we talk about big numbers, hundreds of applications being used in a company, it's not only those big applications that everyone is aware of and everyone is using, but also the applications that are used by a small number of employees or the applications that are connected to your internal assets. Think of the third-party applications that are connected to your, maybe, Outlook or to your Slack or to your Salesforce. And that's one of the major challenges of protecting the SaaS domain, the usage, the safe usage of SaaS applications. So I was not surprised.

Speaker 2:

We see that all the time and, as I mentioned, the statistics also support it. That's why security teams need to have a tool that will help them cover this new attack surface all the time. So you'll have the list of all your applications, you'll know all the applications that are being used by your employees, and this is your attack surface. The very, very, very basic thing is to know. Then you can respond. If you know that one of the applications that is being used by your employees has been breached, you can assess what is the risk, what data was shared over this app, what permissions did this application get to your internal assets, and respond, of course: maybe remove the permissions, maybe block the usage, maybe change the credentials. But first of all, you have to know, so that you can respond.

Speaker 1:

So that's interesting. Like you said, the first step is to see what is out there, what's being used. So how does your solution do that? Do you look for key identifiers of a company within these SaaS applications through your integrations and say, if something matches I don't know the company's name or the company's IP or something like that then we'll list it and categorize it and go about it like that? Or how do you create that list? That's probably actually the hardest part for me personally is actually creating that list of even just knowing what's out there.

Speaker 2:

You're not the only one. I can tell you that it's a very common problem, and you are right, it's not easy to do, and I would even say that it is impossible to do in a manual way, because it's changing all the time. All the time new applications are being used. Applications that have been used two months ago are not used anymore, and this is one of the challenges in this domain, that it's so dynamic and so wide. So the way we do that: first of all, as I mentioned, we have the database of SaaS applications.

Speaker 2:

It is extremely important because without that, discovering the applications that you use will be almost meaningless. It will be like flat data without the means to do anything with it. Think of a list of hundreds of applications. Of course, the major 50, you know. Maybe you heard of something from the next 50. But if you're a company with 600, 800 applications, it is almost meaningless to have this list of fascinating names without the context of what this app is about.

Speaker 2:

Who's the vendor? Is it a big one? Is it a small one? What are the compliances that this vendor has? This is actually, since it's your attack surface, this is your way of assessing the third-party risk that you have as a company. This is actually part of the compliance for each of the companies. It's the basic, basic layer of being secure. Just the fundamentals of compliance are covered in the discovery piece. So how do we do that? We connect through integration to the applications that are being used by the company. We collect the data about the users, the permissions, the applications, the roles of the users. All that data is aggregated into a very simple list of assets, of SaaS assets, that is correlated to the information that we have about the vendor, about the breaches, the intelligence threads. Everything is combined together and that's your list of applications.

Speaker 2:

What did you not get through this approach? You did not get the applications that are accessed directly by the employees, not through the major single sign-on or the major access management, and applications that are used with the credit card, just as you mentioned, may not be discovered that way. So we have an additional capability to query the endpoints. It's not an agent, it's not persistent, but we query the endpoints and we collect the additional information that is missing through the first approach, and these are all aggregated into unified SaaS asset management. Now you can manage it, now that you have the list.

Speaker 2:

I can tell you that 30 percent of the applications. They have access but they are not being used for weeks and months. Easily, you can make a decision to remove the permissions and to minimize your attack surface. We can help you see or focus on the applications that are not following your security policy. The nice thing that you may find interesting, and maybe it will make you very happy, is that you can do it for free. You can access our website and we have a tool that helps you with discovering and the same thing, the applications of your company.

Speaker 1:

So you can do it super easily.

Speaker 2:

No human in touch, just try it.

Speaker 1:

That's really interesting. You bring up a situation where employees going on their own to access these applications potentially do it outside of a company network. I think that's what you were talking about. To me it feels like if it gets that far, it's a breakdown in probably so many other controls that may not even exist In the cloud. For some reason it feels like people just completely forgot that DLP is a thing. Almost. It opens up the organization to a lot of different risks. Do you also provide recommendations around that In your report? Potentially say, hey, we caught it, but this isn't potentially the primary source that you should be resolving. You should probably be looking at this other domain that you don't even have in the environment.

Speaker 2:

Okay, so there are many aspects of the DLP challenge or problem, but you're right, the major thing that we care about is the data of the company. That's the essence. That's what we want to look at the company's intellectual property. Of course, we must protect the data of our customers. Data leakage is one of the greatest fears or one of the major things that a security team wants to protect.

Speaker 2:

The SaaS domain is challenging in that aspect as well, because data is stored by users, by our employees, on these applications. Not only that, employees want to work, they want to get their job done. They share the data with, sometimes, other collaborators because they need to do their job. They have an e-mail, they need to do something. They share information and, you're right, it's a risk.

Speaker 2:

So part of the solution for securing the SaaS domain should provide discovery of the data that is stored on these applications. Since, with huge numbers of lines of file names or other types of data, you will also not be able to do anything with it, then a good solution should focus you on the major risks. For example, sensitive files that are shared and maybe risky, so you don't want to share them with external collaborators, or the way you share them is not the right way, or maybe shared on public select channels in an environment that many external guests have access to. So a good SPM solution should also provide insights about data and the capability to minimize the attack surface in that aspect as well. Yes, you're absolutely right.

Speaker 1:

Yeah, that's the thing with this space, right? It's like an ever-growing and evolving space and it's only going to become a bigger issue. It's only going to become more important, and personally, from being in cloud security, I feel like cloud security will turn into its own security team in terms of having the different domains and different teams specializing in the different areas of the cloud, and SaaS being one of them. As soon as I hear SaaS, it's like, oh no, I don't think I want to know this information. Do we have to go over this? Like as soon as I hear that, because it opens up such a different can of worms, it's not only not your computer that you're storing your data on.

Speaker 1:

You also don't really have the ability to determine the type of storage mechanism your data is on or the format that your data is in to determine, OK, if I decide to leave, I don't know, Microsoft, for some reason, can I even recover my data? I mean, who knows who else has done it with X solution, whatever it might be. Do you also provide insights with your solution to say, hey, your vendor lock-in with this SaaS application is a little bit higher than other applications? Or can I go to your solution and, let's say, I'm looking to use some SaaS application, can I go to your service and have your service give me a rundown on that SaaS application and say, oh, it's OK to use, or these are the things that you have to be thinking about and whatnot? Do you provide that sort of guidance?

Speaker 2:

Yes, absolutely. First of all, we provide you insights about the vendor. As I mentioned, some information business-wise what this app and vendor is all about, the size of the company and so on, but also the compliances that this vendor has and a final risk scoring that is based on the many attributes that we collect per vendor that are calculated into security risk for you. So once you have visibility about the applications that you use, you also have it embedded inside the security risk scoring that we gave to the vendors. But now let's assume that you want to check on a new app, whether it's safe enough, whether you want to allow your A plus 3sit or not. We also have this lookup in this huge database that we have. So our customers can also explore and get information about applications that they're not using, and we also provide some alternatives. So if you look at this app and you're interested in what are the other solutions that are in the same category or you want to compare to, then we also provide some alternatives.

Speaker 2:

So you can see also the other security scoring that the alternatives have.

Speaker 1:

Yeah, it's an interesting area in the space that I feel is often overlooked Actually being able to do an assessment to some degree of a SaaS application. I feel like it's almost viewed as a closed off door, like yeah, it's there, you know it's there and you can't go behind it for whatever reason, which opens up the organization to a lot of different risks that they normally wouldn't be in.

Speaker 2:

Right. That's part of the reason why compliances SOC and ISO. They ask for the third party risk assessment chapter, so they want you to list your vendors and they ask you to collect enough information to make sure that you know that you can trust those vendors. And since we don't want to make it a headache for you it may be a headache if you have to go over dozens of vendors and try to collect the data and assess yourself whether you can trust them or not Then having a tool that summarizes it all for you in one place that you can also use that information as an evidence as part of your compliance procedure is very beneficial. And one last thing that I want to say is that I truly relate to the way you approach it.

Speaker 2:

You don't want to get into something that will be more of a headache than a solution, and I couldn't agree more, because we, as security teams, already have so much on our plate. We have so many things we need to take care of all the time. There are only more and more aspects of cyber that are added, and we're just this function that needs to make sure that the business can run as fast as possible towards being a successful business. And if you find the right tools, with the right approach, to make sure that you can keep the SaaS usage safe, but still without an army of employees in your team that need to go over all these applications and make sure that all the permissions are right and all that, then this is a good solution. So I advise all the audience that check for solutions to the SaaS domain to look for solutions that automate the process, that make sure that the load of work that is needed is something that you can do with your own team and not add or recruit or increase your team to support.

Speaker 1:

Yeah, absolutely so. We're unfortunately at the end of our time here. Before I let you go, why don't you tell my audience where they could find you, where they could find your company, if they're interested in reaching out and learning more? And before we dive into that, I really enjoyed our conversation too. Like I thought that it was always interesting talking to someone. With your experience, you never really know what you're going to get in terms of an interview, in terms of the content of the interview, and it was a fascinating conversation. I really appreciate you being on.

Speaker 2:

Thank you very much, Joe. I enjoyed it myself. It was amazing, and you can reach me at galit at wingsecurity, and you can explore our solution on our website, www.wing.security, and we're waiting for you. Come and explore. Awesome.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.
