Ever wondered what it takes to be a cybersecurity expert? The fragile borders between cyber offense and defense are intricately navigated by our guest, a retired colonel from the IDF's technological unit, who shares fascinating insights from her journey. Galit Lubetzky takes us from the early exploration of HTTP protocols to leading an operation center. You'll be captivated by her transition into the private sector, where she identifies a glaring gap in tools designed to protect companies from cyberattacks. We'll also dive into the intriguing red vs. blue team dynamics in the world of cybersecurity.
As the game of defense and offense evolves, its battleground has shifted. Prepare to be taken on a riveting exploration of the critical importance of SaaS security in today's digital landscape. The discussion unravels the transformation of SaaS applications into the new frontline for attackers. Learn how to tackle these challenges head-on with Wing's SaaS security solution. Master the art of securing your systems by understanding application usage, identifying vulnerabilities, and managing third-party risks. Discover the power of minimizing attack surfaces through the strategic revocation of permissions from unused applications. Welcome aboard this enlightening journey through the realm of cybersecurity.
LinkedIn: https://www.linkedin.com/in/galit-lubetzky-2042501/
Website: https://wing.security/
Speaker 1 (00:00:00): Well, how's it going? It feels like we have been planning this thing for what seems to be forever, you know, but I'm really excited for you to finally be on the podcast so we can dive into, you know, your experience and what you're doing now.
Speaker 2 (00:00:19): Thank you very much for having me, Joe. I'm excited to be here.
Speaker 1 (00:00:24): Yeah, absolutely, you know. So, you know, it's interesting. I have done about 150 of these episodes and I always start people off with their background, and I literally haven't heard the same background twice. That includes interviewing other people from the 8200 group. You know, they all specialize in different things. Like, I talked to someone that reverse engineered malware, you know, and this guy was talking like skies above my head, you know, it was hard to understand. So how did you get into IT, you know? Did you? Were you younger with an incline towards IT, towards computers, or was it kind of, you know, just where you were placed?
Speaker 2 (00:01:16): That's a good one. So I joined the IDF after studying electrical engineering, and it was the late 90s back then, and I joined the technological area of the unit, Unit 8200, which is the equivalent of the famous NSA, and very quickly, I mean within a year or two, we discovered the opportunity that varies in the HTTP protocols over the signals that we can intercept, and one thing led to the other, and I think that I love opportunities. I'm very curious, I want to check things, and since the potential was so huge, I was very fortunate to be in the very, very, very early stages of discovering those protocols. What's going on there? What can you do with it? And grew up to develop tools, to manage development teams, research teams, then moved on to operations. I grew up, the management got wider, bigger teams, more responsibility, some new aspects of cyber. You know, cyber has many aspects, but I was testing technology from many aspects, and then I was very fortunate to join the JCDD, which is the cyber defense division of the IDF. So I was in charge of an operation center and that was actually in charge of the strategy of how to protect such a huge and complicated organization, and retired as a colonel and thought, okay, I had such a wonderful career, what am I going to do tomorrow? And then, since you remember, I told you I love the opportunities. I saw the amazing adoption of SaaS applications by companies. I didn't see that back then when I was in the IDF, because the IDF is a very secure organization, air gapped, of course. And once I saw all this goodness that there is out there, with companies that need to move fast and want to move fast, and usage of so many different applications in such an easy, affordable, you know, rich way, but with the lack of tools to discover, to control, to help you make a decision whether it's risky, is it allowed, does it fit the policy of the organization. So I understood that there is a huge gap there, and that's how we established Wing. So, yeah, my background is mainly security, cyber.
Speaker 1 (00:05:39): That's, you know, it's really fascinating. Do you ever look back at, you know, the years that you spent getting into cyber and think like, man, I was at the beginning of this thing called cybersecurity? Like, it wasn't even, you know, it wasn't even a term back then. Right, like no one even thought that computers could be used, you know, so maliciously. Right, like now we're seeing, you know, nation state actors hacking other countries, taking over, you know, critical services and critical infrastructure and whatnot. That wasn't even, I mean, that was science fiction, that was considered to be a science fiction movie, right? Did you look? Do you ever look back and think like, man, I was at the beginning? Like, how immature were we to think that this wasn't going to go anywhere?
Speaker 2 (00:06:33): Yeah, I was actually writing some of those chapters. I was very fortunate to be at the right place at the right time, so I can tell you that each new chapter was so thrilling that, yeah, it was a very exciting period. Yeah, it's where I am today. You know, thinking as an attacker always helps you understand as a defender, as the one in charge of protection and security, helps you focus on the right things, or building the strategy. How do you want to approach this, you know, this whole problem? Because as an attacker, you always need, you know, one window open, but as a defender, you need to make sure that all the doors and all the windows are locked. So it's much more difficult. You need strategy, you need a method, you need, of course, tools.
Speaker 1 (00:08:00): Yeah, it's a good point. You know, when... So I got my master's in cybersecurity and, you know, along the path, right, you take a red teaming class and then you take a blue teaming class. You didn't think about the order of anything. You know, you're told to take it one semester, you take it, right? It's a very hands-on program. So, you know, you're actually learning, you know, through a slide of, okay, this is how I can do reconnaissance on a Windows server, this is what it looks like. And then you're actually doing it, you know, in a lab, like you're actually typing the commands and everything. And I didn't think of the importance of it until I got to the blue team class and they said, okay, you know, your final project is to protect this environment against the red team class. And, you know, if no one gets into your sector, you get an A, right, and if someone gets in but they can't get very far, it's a B. If they can get the secret, it's an F, like there's like no in between on it. You know, and that was extremely interesting because, you know, everyone in the program went red team first. You know, so to see, to see like just what we were doing, how we were attacking the problems first and prioritizing it. You know, I think we had like 24 hours to like secure our network. You know, and it was really, it was fascinating. But you don't realize it until you go through the red team side. It's like, oh okay, like I'm used to thinking that other way, this is what I would do if I was trying to get in.
Speaker 2 (00:09:40): Right, right. I think it's very beneficial.
Speaker 1 (00:09:46): Hmm, yeah, it's all, it's all about a mindset too. When I have like red teamers on, it really is all about a mindset of thinking, oh okay, that didn't work, let's try this other thing over here. Is that, is that something that is taught, you know, in the 8200 group, or is that something that's kind of, just like you, you grow to have it, right? Like it's not something that's taught or mentioned or anything like that, but it's something that it's like a, it's an attribute that you grow to have. Does that make sense?
Speaker 2 (00:10:30): Yeah, but I think, you know, it's like tackling complicated problems, so you try one thing and if it doesn't work then you don't give up. Right, you have a mission. You can't not solve it, so you try one thing, and if it doesn't work then you try another thing, and if that doesn't work then you try another thing, and then you make it. I don't know any other ways. I mean, in many cases it's not the first thing that works, but you learn a lot and you develop, you evolve and you get better, and you understand that you find your way.
Speaker 1 (00:11:14): Yeah, it's, you know, I asked that question, right, because I know that there's going to be someone out there that's trying to get into cybersecurity. And I get this question a lot, like, how can I gain a cybersecurity without failing? You know, and it's like a, it's an impossible task. You wouldn't want the end result of that. You would want to fail as much as possible. You know, in the beginning of my career, before I was even in cybersecurity, you know, there was a couple of situations where I like completely destroyed a customer's database and we had to restore it from, like, the Postgres, you know, edit logs, right, the user logs, to get the data back, right, and it was twofold: I learned what not to do. And then I learned a really interesting way of how to recover someone's data if I really messed it up. Yeah, like, looking back on it, it's really helpful, right, and I've used that maybe once or twice since, but it was really helpful to just experience that, because it's like, oh, I'm getting fired today. I didn't realize that. And then, you know, my VP is like, no, you better fix it. Like, we need you to fix it.
Speaker 2 (00:12:31): Of course. I think that, you know, we learn more, of course, from our complicated situations, and since the real world is complicated enough to provide enough opportunities to learn, then each of us, I think, in almost everything we do, we need to cope with situations that are not easy, and security teams are at the frontline because it's not something rare, and so you need to deal with the security situation. And since the world is getting more and more and more complicated, security teams need to be all-around players, right? They have the users and their endpoints, and those users now use so many SaaS applications, and now they need to cover different aspects of the organization. And if it's still not to be in the no-no position, then this is very challenging, and that's why I think that the solutions that we also see in the domain evolved, and we see more and more solutions, specifically in the complicated domain of security and specifically in SaaS security, that try to push you towards understanding, assessing, right. You need to cover, so collect enough information so you will have the ability to make decisions and then focus on the major ones. Of course, there are always priorities, so you need to focus on the major ones. And then, you know, the better the solution, the simpler, or maybe the opportunity to solve those situations in a fast and easy way to help you move on to the next thing. But from any incident like this you learn. You investigate, you learn, you know, for the next time how to react. Yeah, that's the story overall, right, right. Yeah, it's a good point.
Speaker 1 (00:15:48): You talk about SaaS applications kind of being the new frontline, almost, right? Is that a change or a shift that you saw, you know, potentially in the 8200 group, where you were looking more at SaaS applications than other areas or other attack paths, when you got the idea for Wing Security? Because, at least from my end, right, the defender side in cloud security, like, SaaS applications are the things that frustrate me the most. Right, because anyone with a credit card can not only just start up a cloud account. They could start up a SaaS, you know, application account and start putting my data or the company's data into this application that may not be secured the way that we needed it to be secured, and now we're in a situation that we didn't intend to be in, we didn't expect to be in, that we didn't even know we were in. Is that an attack path that you saw develop potentially?
Speaker 2 (00:16:51): Absolutely, absolutely. I think that this is the vector that we already see and we will see more and more in the future. Applications, SaaS applications, are the new way. It's not new in terms of, you know, this year, but we see this market growing at a fast pace. Last I heard, 18% per year. So it's a, I don't know, a $200 billion market growing at a fast pace. So we understand that it's dynamic, it's growing, everyone can use it, just as you said, and we see that there are two potential. There are many, but in the examples that you took us there, there are two things that we will see. One of them is the applications that are not naive, rogue applications. You know that there are about 50 applications that are disguised or close or pretend to be ChatGPT-like, with a very similar name, with a very similar logo. So there are about 50 applications that are not a gen AI solution, not the open and original ChatGPT. And now that people in the organization upload their data, maybe code, maybe information related to customers, now this data resides over this app, and who is doing the process of making sure that this app is safe enough to hold the company's information? So that's one thing, and the other thing is, since the domain is so active, applications are being breached, and we have visibility to hundreds, hundreds of companies. 84 of the companies that we see were using, on average, three and a half applications that have been breached in the last three months. So, since we are talking about big numbers, organizations with hundreds of employees, 200, 300, 500 users, nearly 1 applications, 800, 900 applications, with that number, of course, some of them may be risky, some of them may be breached. So that's absolutely the new attack surface, and we see this phenomenon growing, both by attackers to use the potential that they have now, and I believe that we will see this growing in 2024, 2025, and so on. Maybe it's the new channel for phishing that way.
Speaker 1 (00:21:00): That's an interesting way of looking at it. When you heard about the Microsoft Outlook breach, to me that sounds like a SaaS breach, and they denied that there was any data breach, that people just took over email accounts and whatnot. But that doesn't make sense to me, being a defensive person, because if you take over someone's email account, you have their data 100%. You have their emails and whatnot. But the way that these attackers seem to have done it seems to be a bit more, I guess it was precise in the accounts that they intentionally took over, but the way that they did it basically could have impacted anyone on that platform. What were your thoughts when you saw the breach from Microsoft?
Speaker 2 (00:22:19): Well, look, I'm not surprised, because we cover, as a core business of Wing, since we are SaaS experts, we've built a huge database of SaaS applications, more than 280 SaaS applications covered in the database. We collect information about applications, the vendors, all the time, and part of it are vulnerabilities, which is any information that can add to the security assessment of the application and the vendor. So we will be able to provide our customers with the insights on their SaaS application usage and to focus them on their major risks. So we see applications being breached all the time. Those applications are connected by the employees in the company. It's what they do all the time. Outlook is a major application, major one, I mean. If that's the email platform, everyone in the organization will use it. But since we talk about big numbers, hundreds of applications being used in a company, it's not only those big applications that everyone is aware of and everyone is using, but also the applications that are used by a small number of employees or the applications that are connected to your internal assets. Think of the third-party applications that are connected to your, maybe, Outlook or to your Slack or to your Salesforce. And that's one of the major challenges of protecting the SaaS domain, the usage, the safe usage of SaaS applications. So I was not surprised. We see that all the time and, as I mentioned, the statistics also support it. That's why security teams need to have a tool that will help them cover this new attack surface all the time. So you'll have the list of all your applications, you'll know all the applications that are being used by your employees, and this is your attack surface. The very, very, very basic thing is to know. Then you can respond. If you know that one of the applications that is being used by your employees has been breached, you can assess what is the risk, what data was shared over this app, what permissions did this application get to your internal assets, and respond, of course, maybe remove the permissions, maybe block the usage, maybe change the credentials, but first of all, you have to know so that you can respond.
Speaker 1 (00:25:57): So that's interesting. Like you said, the first step is to see what is out there, what's being used. So how does your solution do that? Do you look for key identifiers of a company within these SaaS applications through your integrations and say, if something matches, I don't know, the company's name or the company's IP or something like that, then we'll list it and categorize it and go about it like that? Or how do you create that list? That's probably actually the hardest part for me personally, is actually creating that list, of even just knowing what's out there.
Speaker 2 (00:26:42): You're not the only one. I can tell you that it's a very common problem, and you are right, it's not easy to do, and I would even say that it is impossible to do in a manual way, because it's changing all the time. All the time new applications are being used. Applications that have been used two months ago are not used anymore, and this is one of the challenges in this domain, that it's so dynamic and so wide. So the way we do that. First of all, as I mentioned, we have the database of SaaS applications. It is extremely important, because without that, discovering the applications that you use will be almost meaningless. It will be like flat data without the means to do anything with it. Think of a list of hundreds of applications. Of course, the major 50, you know. Maybe you heard of something from the next 50. But if you're a company with 600, 800 applications, it is almost meaningless to have this list of fascinating names without the context of what this app is about. Who's the vendor? Is it a big one? Is it a small one? What are the compliances that this vendor has? This is actually, since it's your attack surface, this is your way of assessing the third-party risk that you have as a company. This is actually part of the compliance that each of the companies has. It's the basic, basic layer of being secure. Just the fundamentals of compliance are covered in the discovery piece. So how do we do that? We connect through integration to the applications that are being used by the company. We collect the data about the users, the permissions, the applications, the roles of the users. All that data is aggregated into a very simple list of assets, of SaaS assets, that is correlated to the information that we have about the vendor, about the breaches, the intelligence threads. Everything is combined together, and that's your list of applications. What did you not get through this approach? You did not get the applications that are accessed directly by the employees, not through the major single sign-on or the major access management, and applications that are used with the credit card, just as you mentioned, may not be discovered that way. So we have an additional capability to query the endpoints. It's not an agent, it's not persistent, but we query the endpoints and we collect the additional information that is missing through the first approach, and these are all aggregated into unified SaaS asset management. Now you can manage it, now that you have the list. I can tell you that 30 percent of the applications, they have access but they are not being used for weeks and months. Easily, you can make a decision to remove the permissions and to minimize your attack surface. We can help you see or focus on the applications that are not following your security policy. The nice thing that you may find interesting, and maybe it will make you very happy, is that you can do it for free. You can access our website and we have a tool that helps you with discovering, and the same thing, the applications of your company.
Speaker 1 (00:31:59): So you can do it super easily.
Speaker 2 (00:32:06): No human in touch, just try it.
Speaker 1 (00:32:07): That's really interesting. You bring up a situation where employees going on their own to access these applications potentially do it outside of a company network. I think that's what you were talking about. To me it feels like if it gets that far, it's a breakdown in probably so many other controls that may not even exist in the cloud. For some reason it feels like people just completely forgot that DLP is a thing, almost. It opens up the organization to a lot of different risks. Do you also provide recommendations around that in your report? Potentially say, hey, we caught it, but this isn't potentially the primary source that you should be resolving. You should probably be looking at this other domain that you don't even have in the environment.
Speaker 2 (00:33:34): Okay, so there are many aspects of the DLP challenge or problem, but you're right, the major thing that we care about is the data of the company. That's the essence. That's what we want to look at, the company's intellectual property. Of course, we must protect the data of our customers. Data leakage is one of the greatest fears, or one of the major things that a security team wants to protect against. The SaaS domain is challenging in that aspect as well, because data is stored by users, by our employees, on these applications. Not only that, employees want to work, they want to get their job done. They share the data with sometimes other collaborators because they need to do their job. They have an e-mail, they need to do something. They share information and, you're right, it's a risk. So part of the solution for securing the SaaS domain should provide discovery of the data that is stored on these applications. Since, with huge numbers of lines of file names or other types of data that also you will not be able to do anything with it, then a good solution should focus you on the major risks. For example, sensitive files that are shared and maybe risky, so you don't want to share them with external collaborators, or the way you share them is not the right way, or maybe shared on public Slack channels in an environment that many external guests have access to. So a good SPM solution should also provide insights about data and the capability to minimize the attack surface in that aspect as well. Yes, you're absolutely right.
Speaker 1 (00:36:20): Yeah, that's the thing with this space, right? It's like an ever-growing and evolving space and it's only going to become a bigger issue. It's only going to become more important, and personally, from being in cloud security, I feel like cloud security will turn into its own security team in terms of having the different domains and different teams specializing in the different areas of the cloud, and SaaS being one of them. As soon as I hear SaaS, it's like, oh no, I don't think I want to know this information. Do we have to go over this? Like, as soon as I hear that, because it opens up such a different can of worms, it's not only not your computer that you're storing your data on. You also don't really have the ability to determine the type of storage mechanism your data is on or the format that your data is in, to determine, okay, if I decide to leave, I don't know, Microsoft, for some reason, can I even recover my data? I mean, who knows who else has done it with X solution, whatever it might be. Do you also provide insights with your solution to say, hey, your vendor lock-in with this SaaS application is a little bit higher than other applications? Or can I go to your solution and, let's say I'm looking to use some SaaS application, can I go to your service and have your service give me like a rundown on that SaaS application and say, oh, it's OK to use, or these are the things that you have to be thinking about and whatnot? Do you provide that sort of guidance?
Speaker 2 (00:38:17): Yes, absolutely. First of all, we provide you insights about the vendor. As I mentioned, some information business-wise, what this app and vendor is all about, the size of the company and so on, but also the compliances that this vendor has and a final risk scoring that is based on the many attributes that we collect per vendor that are calculated into security risk for you. So once you have visibility about the applications that you use, you also have it embedded inside the security risk scoring that we gave to the vendors. But now let's assume that you want to check on a new app, whether it's safe enough, whether you want to allow your A plus 3sit or not. We also have this lookup in this huge database that we have. So our customers can also explore and get information about applications that they're not using, and we also provide some alternatives. So if you look at this app and you're interested in what are the other solutions that are in the same category or you want to compare to, then we also provide some alternatives. So you can see also the other security scoring that the alternatives have.
Speaker 1 (00:40:17): Yeah, it's an interesting area in the space that I feel is often overlooked, actually being able to do an assessment to some degree of a SaaS application. I feel like it's almost viewed as a closed-off door, like, yeah, it's there, you know it's there and you can't go behind it for whatever reason, which opens up the organization to a lot of different risks that they normally wouldn't be in.
Speaker 2 (00:40:46): Right. That's part of the reason why compliances, SOC and ISO, they ask for the third-party risk assessment chapter, so they want you to list your vendors and they ask you to collect enough information to make sure that you know that you can trust those vendors. And since we don't want to make it a headache for you, and it may be a headache if you have to go over dozens of vendors and try to collect the data and assess yourself whether you can trust them or not, then having a tool that summarizes it all for you in one place, that you can also use that information as evidence as part of your compliance procedure, is very beneficial. And one last thing that I want to say is that I truly relate to the way you approach it. You don't want to get into something that will be more of a headache than of a solution, and I couldn't agree more, because we, as security teams, we have already so much on our plate. We have so many things we need to take care of all the time. There are only more and more aspects of cyber that are added, and we're just this function that needs to make sure that the business can run as fast as possible towards being a successful business, and if you find the right tools, with the right approach, to make sure that you can keep the SaaS usage safe, but still without an army of employees in your team that need to go over all these applications and make sure that all the permissions are right and all that, then this is a good solution. So I advise all the audience that check for solutions to the SaaS domain to look for solutions that automate the process, that make sure that the load of work that is needed is something that you can do with your own team and not add or recruit or increase your team to support.
Speaker 1 (00:43:55): Yeah, absolutely. So we're unfortunately at the end of our time here. Before I let you go, why don't you tell my audience where they could find you, where they could find your company, if they're interested in reaching out and learning more? And before we dive into that, I really enjoyed our conversation too. Like, I thought that it was always interesting talking to someone with your experience, you never really know what you're going to get in terms of an interview, in terms of the content of the interview, and it was a fascinating conversation. I really appreciate you being on.
Speaker 2 (00:44:32): Thank you very much, Joe. I enjoyed it myself. It was amazing, and you can reach me at galit at wing.security, and you can explore our solution on our website, www.wing.security, and we're waiting for you. Come and explore. Awesome.
Speaker 1 (00:45:01): Awesome. Well, thanks everyone. I hope you enjoyed this episode.