Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Cybersecurity Today. Our topic today is SaaS, or software as a service, security. SaaS software has been around for a long time. Now, believe it or not, I worked on this in the early two thousands with my buddy Mark Langlois. And we tried to convince HP and our management at DMR that you could
(00:20):
deliver applications over the internet. We got thrown out of a lot of offices, we got laughed out of some, and then salesforce.com came out. It's not that we were prophets; logically, SaaS was an inevitable progression of the buy versus build contest in software.
(00:41):
And once that battle had been won, once people thought it was better to buy than build, SaaS was inevitable once the technology caught up. The idea is simple. You avoid the capital cost of development or of purchase. You pay a relatively low monthly payment for software that's always up to date. And not only does someone else do the development and the maintenance,
(01:02):
but, and this is what would make SaaS inevitable, they do the hosting too. And that was only part of the equation. Theoretically, you were purchasing the best development team. They specialized in this and they could do it better and not just cheaper. And the costs were shared and the development team was shared. So they had more and more experience. But in reality, the real reason SaaS caught on was cost.
(01:26):
You could buy a relatively sophisticated application on your credit card, and many people did. So SaaS turned into a bit of a nightmare for IT and eventually for security. This was shadow IT on steroids for many reasons, and I'm sure we'll discuss these today. While we might have bought SaaS thinking we were getting better development, a
(01:49):
lot of us started to realize the security side didn't always live up to that. Now, we've done a lot over the years to try to manage that, but as I've pointed out, we're in a second wave of SaaS now, an avalanche of AI software. So when this report crossed my desk, I reached out to try and get someone to talk about it. And that report that we're talking about,
(02:11):
it's called the State of SaaS Security, and it was developed by the Cloud Security Alliance. They're dedicated to defining standards, certifications, and best practices. They put out the State of SaaS Security report, trends and insights for 2025-26. They're an independent organization, been around since 2008, and I managed to get the sponsor of the report, or the company that sponsored the report, to come in and talk about this.
(02:34):
My guest is Yoni Shohet. He's the CEO and co-founder of Valence Security. And Valence, of course, is the sponsor of the report, but this was done independently. Welcome, Yoni.

Thanks, Jim. It's great to be here.

Did I get it right on the report? This is an independent report. You guys paid for it, but it was done by an independent group.
(02:55):
Yes. CSA did the entire report. We were just supporting and sponsoring it. Just providing the money.

Well, somebody has to, right?

Yeah.

Now I want to talk about you first of all, 'cause I got a little bit on your bio. First of all, how old are you, young man? I need to know. You're an entrepreneur, you've got your BSc in math when you were 19.
(03:15):
Yep.

So you were the guy who was sober in university, as opposed to me. Okay.

Allegedly.

And then you went into the Israeli Defense Forces as a cybersecurity team leader.

Yep.

Can you tell me a little bit about that? I think we're all curious about what that means. You're 19 or so, you've graduated, and you're in the defense forces and they put you on a cybersecurity team.
(03:35):
What was that like?

Yeah, so in Israel you have a mandatory military service at the age of 18. Also, the legal drinking age is 18, unlike in the US, so your statement wasn't a hundred percent correct in terms of that. But I still had a year of eligibility, but I did go through an atypical route where I started when I was 16, during high school, in parallel.
(03:56):
Also, I started my bachelor's in math through a program in the university. And then by the age of 19, I delayed my Army service and then I joined the Army basically a year later. And served for almost six years in the Israeli intelligence forces across various cyber operations positions. Did my officer school there as well. I finished my service as a captain, managing a few teams in various
(04:18):
positions across my service during those almost six years. Probably the main reason why we see a lot of entrepreneurs and cybersecurity companies come out of Israel is that at a very young age, you're given a lot of responsibility in very tech-focused areas related to security, the equivalent of what you're able to do in the US probably only
(04:39):
when you're about 30. And then in your mid-twenties, you finish your service and you're hungry and you've experienced the highest level of, basically, your capabilities, and you broke any type of glass ceiling across the early stages of your career, and you're looking to just do more of that. And going into a corporate organization and just doing a day job seems so
(05:01):
boring and doesn't really allow you to fulfill your full potential. And similar to me, a lot of Israelis, when they get to that stage, they just look for their next big challenge and prefer to go through that entrepreneurship path and founding a company. I went through a similar path and eventually started my first company very shortly after I finished my military service.
(05:24):
Yeah, which I think is amazing. And one of the things, and I don't want to diminish this, I don't want to trivialize anything, war is not good. But you say to people when they're starting out in cybersecurity and they're freaking out and they're worried about whether they're gonna make a mistake, you say, look, it's not life or death. But in the Army it actually is. Like, you're getting a hell
(05:45):
of an experience and a hell of a responsibility in some of those cases.

And at a very young age, at least in Israel, at a very young age, which really builds you up for a very mature career at a very early stage of your career path, which I think highly contributes to that. What you do matters a lot and you get a lot of responsibility because, again, everybody around you is more or less at the same stage of their career path.
(06:09):
So the image I have is that there's a street in a city in Israel, and there's just, like, cybersecurity companies all the way down there. But there are a lot of companies. So there's a big industry there now. I wouldn't, I don't know if I'd say it's the leading place in the world, but pretty darn close.

Yeah.

In terms of cybersecurity development, what's that like, living
(06:31):
there with all of that going on?

I think definitely, compared to the size of the population, it's definitely leading. I think it's really created a very strong ecosystem, because it's a small country and because everybody knows everybody and you're two phone calls away from getting to whoever you want to talk to within the Israeli ecosystem, which really encourages you, all the time, to
(06:57):
go beyond what you thought were your limits beforehand. And I think this really encourages the entrepreneurship, encourages people to explore these options and also creates the right ecosystem of support, so you don't feel like you're by yourself or the first person that has to do something. You have somebody to consult with. You have people that will push you forward. And you also have, obviously, the sense of competitiveness, because a lot
(07:21):
of our competitors are Israeli-based, and a lot of companies that we see emerging within the cybersecurity industry, whether they're former colleagues or people that I had some sort of engagement with in the past. And that obviously also boosts up and really endorses this entire ecosystem.

So this is your second company that you've co-founded.
(07:42):
Did I get that right from your bio?

I started my first company right after my military service. It was a company called SCADAfence. It was focused on industrial IoT cybersecurity, basically securing shop floor environments and critical infrastructure and manufacturing organizations. That company was acquired by Honeywell, and afterwards I started Valence about four years ago, which is focused on SaaS security,
(08:06):
our topic for today. I feel like after my first experience, it's almost the only thing I can imagine myself doing moving forward, just continuing through this route and leveraging or enjoying the level of excitement that I have from just experiencing the everyday entrepreneurship experience and the ability to actually feel like I'm leveraging my entire skillset
(08:28):
on a day-to-day basis.

And so why focus on SaaS?

So when we started in 2021 and we were looking, Shlomi, my co-founder, and myself, we were looking for problem spaces throughout our ideation phase. It was a bit after the SolarWinds attack campaign. One of the things that hackers did there is really they focused on third
(08:48):
party vendors, which they hacked into, and stole from them APIs and service accounts or service access that they had in order to gain access to their customer base. For example, they hacked an email security company and they leveraged their tokens in order to steal emails from their customers. And when we started talking to
(09:11):
CISOs and security executives that we interviewed throughout our ideation phase, and we asked them, what do you do with all these API tokens that have access to your business applications? We got a very repetitive answer of, we have no idea. We don't know. Even if they're generated, we have no inventory of them and we can't really track them. And we double-clicked on that. We really focused on that
(09:31):
problem space as our initial focus. And the more we spoke and engaged with customers around their problems with Microsoft 365, Google Workspace, Salesforce, GitHub, Okta, and different SaaS applications, we realized that they have no idea what's even configured within these applications, because if you compare the modern adoption of SaaS to what you
(09:53):
probably saw in the early two thousands, today SaaS is really adopted and managed outside of IT and security. So the admins of Salesforce are in sales. The admins of Workday are in HR. The admins of GitHub are in engineering. And security teams really lost touch with what's actually going on within these applications. When you couple that with the fact that SaaS has become
(10:15):
a very complex platform, right? It's not just a simple UI that has two buttons and you have one task that you do with it. These are complex platforms with a lot of abilities to integrate, to automate, to create gen AI processes, and just create complete platforms within one application. So the complexity together with the distributed
(10:37):
administration really pulled us towards focusing more and more on SaaS security as our primary focus area.

Yeah, and I think in the same way that SaaS, and you brought up the point quite correctly, that you've got these islands of security done by, and I'm sorry, but amateurs, people who are not necessarily trained in security or thinking about how security should be set up, and some very sophisticated security
(11:03):
integrations going on and exposures going on with these. That, I think, is one of the nightmares of the modern CISO, trying to make all of that work. It's hard enough to make it work with a team that you keep coherently together and keep trained. But the other piece of this is the setup. And you mentioned Microsoft 365, and I think everybody, we've got a lot of people
(11:24):
in the audience who are fairly technical. Some of them might be, I don't think people realize that this SaaS software that you get, that comes out of the box, is highly insecure. If you just set it up and leave it, you've created a major vulnerability in your organization.

And there's a shared responsibility model between the vendor and the customer. The vendor is supposed to provide you, where you share the consequences.
(11:47):
They share the fees, yeah.

And eventually they give you the option to make it secure. You need to opt in to a lot of the security features. They don't come on by default, because by default these vendors want to encourage you to make the most out of the platform. Making the most out of the platform means that you can leverage a lot of functionalities that the security team may not be on board with.
(12:09):
And when you think about how that shared responsibility model actually comes into effect, it means that you need to be on top. It's your responsibility to be on top of all the different toggles that every platform offers you, to make sure that it's adopted in a secure way that you're satisfied with. And I think that specifically, if you look at, for example, the Snowflake
(12:29):
breach that occurred last year, many Snowflake customers were breached because of the fact that they didn't properly enforce MFA, multifactor authentication, within their applications. And eventually even Snowflake came out with a statement saying, hey, this is your responsibility, but here's how you can configure it. You were supposed to go and click the right buttons. But then it comes back to
(12:51):
the fact that you need to know about all your Snowflake tenants, and you need to make sure that you properly click all the buttons and that you don't have surprises of somebody unenrolling or removing MFA just for a temporary test and not coming back to it, and things like that.

Yeah, and I'm not, I don't dive on vendors. Actually, maybe I am more critical than I let myself think I am. But one of the things, I take it, if you go sell any power tool to somebody,
(13:16):
or anything that is dangerous or has a danger, and you don't warn them of that danger and make sure that they know to get training or they know to get expertise, you'd be prosecuted. But in software, we can have somebody come and say, oh yeah, gimme your credit card, take this thing, walk away, and not be forced to say, you really need to know about these things, or you really need to talk to somebody.
(13:36):
And I get it. Salespeople aren't in the mood to push people away from buying software. That's not their job. But I always feel that we got into client satisfaction, I think they call it, or, to get people to use the software. There's nobody who phones you up to say, I'm the security person, are you okay?
(13:58):
Yep. Yep.

So there we are. And so that brought you into this now, and you did this report. Do you want to just go over some of the main findings of it? I got what I got out of it. I've got some notes here too to go through it. What did you take away from this report?

Yep. So I think the encouraging aspect is that really the focus on SaaS security is increasing.
(14:19):
We're seeing more budgets, more focus, higher priorities on SaaS security as a whole. But the inherent dangers and risks associated with SaaS are still challenges for a lot of organizations. For example, when we speak a lot with customers and prospects across the industry, we get a lot of times the claim of, oh, I have it under my single sign-on or my multifactor
(14:41):
authentication, and we're good here. Our SaaS is secure because of our strong authentication methods. But still, when you go into the main sources of breaches and some of the challenges that a lot of organizations have based on this survey, it's still very much related to identities, which is the core aspect of what you can configure within SaaS. Eventually it's related to access, right?
(15:02):
You upload your data to these SaaS applications and you need to control how you manage access to the data within the applications, whether it's through permissions, authentication, privileges, and just making sure that you have good control over it, which is still a major challenge across three main areas, which is human identities and non-human identities, which are basically automation capabilities that are leveraging tokens
(15:27):
and APIs and basically leveraging machine identities for activities. And also just data exposure. Think about it, think about the simple use of OneDrive or SharePoint or Google Drive, right? Something most people use on a day-to-day basis. We share files all the time because you collaborate with somebody, I have a project, I share a file with them. When's the last time you unshared the file?
(15:49):
Oh God, should I be confessing this on the air? We're a relatively small organization now, so if people are gonna hack me, they're gonna do it. But in the olden days when I ran a larger company, it used to scare the crap out of me how much stuff was shared and how we would go about finding out who still had access to what.
(16:12):
And the tools at that time were just garbage. You could not find out where all this stuff was, and it was, well, just here you go. Oh, you're no longer with that company, but we're still sharing the document with you. Not a problem, yep.

There still are, unfortunately. And I think that what we see is that the user experience of these SaaS applications makes it very easy to share files externally.
(16:33):
Two clicks and it's out. And you can share it open with a link, because that's easiest. You don't need to think about least privilege and who actually needs access to it. And you can just create an anonymous public link. But it never encourages you to unshare a file. That's not built into the user experience. And what we find is that about 94% of external file shares in our customer tenants are not really
(16:54):
accessed by the external collaborators. So they're just sitting there, shared so that other people can access it, but nobody actually needs it, and it creates a lot of challenges of just data overexposure within the environment.

I understand we have to do it. I've never been able to figure out why they're not timed, where you share a file for 48 hours.
(17:15):
And the company BlackBerry here actually tried to do some really good work, and I think some people did some work on sharing, but I don't know where that's gotten to, and maybe I don't know enough about it, but it seems like a massive hole in security. But there are more, like, we digress. There are more. You talked about multifactor authentication. Your report says like almost 50% of the SaaS breaches are
(17:36):
linked to weak MFA protections. That didn't surprise me. It dismayed me, but it didn't surprise me.

Yeah. I think eventually today attackers realize that a lot of organizations think that MFA is the silver bullet to protect their identities, but there are ways around it. If your MFA requires just a code on the phone, that's something
(18:00):
the hackers obviously hack with, trying to get access through SIM swapping and stuff like that. If it's something that they can leverage, like MFA fatigue, where they call into your employees and say, hey, I'm from IT, I need your code, can you give it to me? Now I just sent it to you, to your phone. It's just like a technical issue. People give it. Token theft: like, eventually when I log into my SSO in my browser, and somebody gets access
(18:24):
to that token in my browser, they can leverage it now on other devices as well. So there's a lot of methods to try to breach it, and it's just the first line in defense, but it can't be the only defense you put in, because you need to afterwards make sure that these privileges are enforced, that nobody has access to things that they don't need access to. And eventually that you also monitor the activities that these users perform,
(18:47):
so you're able to detect, oh, somebody's doing something abnormal. Somebody is potentially going through an account takeover attack, and this is something that we should focus on and try to remediate or to mitigate in terms of potential risks.

Okay, I get to quiz you on the study. And I hope I let you finish your summary, but here's something that just jumped out at me.
(19:08):
Okay. And I'll just go through this. People are really concerned about SaaS. I think your report says something like 86% of organizations, it's the top priority. And then surprisingly, about 80%, 79%, said they expressed high confidence in these programs. And then about half of them think, report that organizations, let's say the report
(19:31):
actually says organizations report that employees sign up for SaaS applications without security's involvement, and 58% of them are struggling to enforce proper privilege levels. This seems to be a bit of a contradiction. On one hand, somebody's pretty confident, this is getting our attention, we're paying a lot of attention to it. On the other hand, we've got these really big weaknesses.
(19:52):
Is that, yeah, do you find that sort of split personality in organizations?

Maybe we should have asked the confidence level question at the end and not at the beginning, after they answered all the other questions. No, but I think that's the reality. The reality is that eventually organizations have a lot of confidence that their SaaS is secure because of many different reasons,
(20:14):
whether it's because they think the vendor just provided it to them secure, because they have MFA or single sign-on enforced, whatever the reason is. But they don't realize the multi-layers of risks that are associated with potential misconfigurations and also shadow adoption of these tools. If you think about when DeepSeek came out a couple months ago, and it came
(20:35):
out in a boom and everybody was interested and curious about, oh, what's DeepSeek? What's this new gen AI capability that everybody's talking about? Is it good? Is it bad? We found it adopted across almost all our customer base. Notified all our customers: hey, this is in the news, just so you know, here are all the users that adopted DeepSeek within the organization.
(20:55):
I think that was the quickest time to remediation I've ever seen our customers go through, because they were concerned not only because of the Chinese ties to DeepSeek, but also just because it's a new gen AI tool. People are feeding it company data and they have no control over it. So there's always new things that pop up that people are concerned, and should be concerned, about.
(21:16):
But I do think that the kind of contradiction that you mentioned between the confidence versus the reality may be because, when they answered the question, they answered it at the beginning without thinking about, okay, but what about this and that we're already asking throughout the questionnaire. And maybe, again, note to self, next time to ask that at the end.
(21:37):
But you brought it around to AI, which I have said is the greatest wave of shadow IT since the start of IT. Yeah, there are more applications out there now that are powerful and have security holes that you could just drive a truck through. You don't have to be sharp, and by the way, you can get AI to help you hack it.
(22:01):
So are you seeing an awareness of that at all?

Yeah, I think definitely, a lot. It's in the news everywhere, and almost every organization we're speaking with either has a policy or is enforcing a policy related to gen AI adoption, and most gen AI is delivered as SaaS, right? How do you consume the new AI tools? Nobody's gonna, obviously there are options for on-prem or self-hosted, but most of
(22:25):
them are delivered by default as SaaS. And what we see is that a lot of organizations went through an experiment phase where they said, okay, let's see what type of AI is actually needed by the organization. Now they're trying to create more of, say, limitations on AI adoption, but mostly creating a very clear path towards what good AI adoption looks like within the organization.
(22:47):
For example, if you want to leverage a note taker on your virtual conference calls, here's the tool that was already approved and authorized by the security team. Just use it. And then when we help them identify new adoption of a new tool that is not in the approved or sanctioned capabilities, the message is not, hey, you cannot do this, hey, we're blocking you, but
(23:08):
hey, this is not the extension tool, please start using this tool, because we're not gonna allow that tool. And it just changes the tone of the conversation when it comes to how a lot of security teams engage with their teams or with their employees within their organization.

And I've been saying, don't try and stop it. You're crazy. If you just, it'll just go underground.
(23:29):
People will just not tell you, or they'll find ways around the cleverest systems to do this, so get out there and say, what are you using? How can we find out it's secure? The other piece that I advise people to do is, don't, and I understand we want approved versions, but don't try and restrict people to the one you think is best. You're gonna get killed.
(23:50):
Yeah, they're gonna hate you, because they got this one that works and it's better than this one that you recommended. And then you lose all credibility. But getting out there and making sure that you enhance, you say, look, we're here to make you more secure, not to restrict what your development is. A tough conversation. And in fairness, I don't know if a lot of security departments have the staff
(24:13):
or the time to properly manage that. So I don't want to be critical, 'cause they got a lot of, 4,400 interruptions per day, per person, right? And so they've got a lot on their plate. How should they manage that? How would you approach it?

I think this ties back to the fact that you have shadow adoption of SaaS, but also distributed administration of SaaS applications.
(24:34):
So it's not just who puts in their credit card and buys a SaaS application. It's also the highly critical business applications that are just managed outside of IT and security. I think this is the new reality, or this is the reality, and security teams need to adjust, and therefore collaboration with your business, whether it's the SaaS admins or the business users, is key.
(24:56):
In order to create a successful SaaS security program, you have to create good conversations and good collaboration to deeply understand what the business is trying to achieve, and create the best and most secure methods that ensure the business can actually adopt what they need, but also create the right security control around it, to make sure that you don't create more risks and that the security team doesn't become
(25:19):
nervous from that type of adoption. So that collaboration is really key for security teams to be successful, because otherwise the business will just find a different way to do it. And the security team, even if they're not accountable for everything the business is doing, they'll still have to see it as something that they'll want to have better visibility and control over, as this threat surface continues to grow.
(25:42):
So just to get back to the report for a second. I tend to wander, you might have noticed. We've covered some points, but why should people read the report? Are there other insights that they'll get from it if they check this out?

I think the main reason to read the report is really to get better education about the real-world risks that we're seeing within organizations and the real problems, challenges, that organizations are facing,
(26:04):
in order to better understand, first of all, to ask yourself if your security program is actually addressing these potential risks, and whether or not, if you would answer the survey, you would answer it differently in terms of the questions. We'll also have the raw questions embedded into it to help you create a better focus on how to improve your SaaS security program internally.
(26:25):
And also, to your point in terms of the confidence level versus the reality, to make sure that it's maybe more of a reality check for security practitioners, to make sure that they're actually focused on what could potentially move the needle and they don't have blind spots when it comes to their SaaS security or SaaS environment overall.

And if you are, most, like I said, a lot of my audience are CISOs or people like that.
(26:48):
Many of them are also managers who might be managing this and trying to stay up to date. If somebody brings a SaaS application into your environment, one of the things that I would point out is really find out how secure their APIs are. Don't just take it that it's got a REST API or some sort of API; really check that out, because I think that's a vulnerability area.
(27:09):
Are there other questions that people should be asking about security of SaaS, from your experience?

I think there are three layers that you typically need to focus on. The first is, first of all, are you gonna be able to even identify that somebody brought this SaaS into your environment? That's the fundamental question. Do you know it exists? Will you discover it on time, and will it be part of your inventory?
(27:30):
Then the next question you need to ask yourself is, what capabilities does each SaaS application offer me to make it more secure in my environment? What are the controls? What are the toggles? What are the functionalities that I can control as a user or as a customer of this SaaS app that will make it more secure but still fit what my business is trying to achieve?
(27:51):
And that's really the posture element of it. One of it could be related to APIs, but it could be MFA, it could be related to who has admin access, it could be related to how data is shared externally. It can be related to a lot of different functionalities that are built into the platform. Then the third layer is really, okay, let's say I discovered the app, I put in the best practices when it comes to security controls, it's as secure as it could get.
(28:13):
Breaches could still happen eventually. This is the reality. Breaches could still happen because of a lot of different reasons. Will you be able to monitor the activities within the application and be able to detect breaches if and when they occur, or suspicious or malicious activities if and when they occur, in order to make sure that you have proper incident response capabilities for these SaaS applications?
(28:35):
So it's identification, protection, and then detection and response. And it's a full life cycle of really building up your program around each one of these applications.

And just a couple more questions. Between you and me, and not the 10,000 other people who are listening. You're a vendor. You meet a lot of people.
(28:56):
You see a lot of things.
What are the things in terms of SaaS that make you go, oh my God, please don't do that.
What are the things that keep you up at night about what people are doing with SaaS?
Yeah, so I think.
What really keeps me up like at night when I think about how people like adopt SaaS is really the fact that it's really related to the fact that
(29:18):
a lot of people that are less educated about the potential risks are now going in and configuring these SaaS applications to get their job done.
They're not doing anything maliciously, but they're just trying to get their job done.
And we're seeing it across.
Almost every business critical SaaS app that there's like surprises and configurations of, oh, I didn't think about this.
(29:41):
Oh, I didn't think about that then, and there's a lot of procedures that could break.
For example, a lot of organizations think they got offboarding checked and that there's a process that automates either the offboarding or that helps to just remove contractors or employees that are terminated or quit their jobs in a timely fashion.
There's almost always gaps in it because there's sense of control
(30:04):
that a lot of administrators want in terms of how these processes actually occur that relate, that eventually translates into manual processes.
And when it comes to manual processes, there's always, there are always gonna be gaps, and we find it in almost every organization.
So I think just that, that distributed ownership and the fact that.
The people that have the control are not precisely the people that
(30:25):
are concerned about security.
It creates a lot of gaps in terms of how organizations are actually ensuring proper security for their SaaS apps.
Yeah.
And I will tell you, as somebody who had the unfortunate reality of shutting a company down, you don't know how many things you're still paying for and are still connected until you actually go through account by account.
(30:48):
I, it shocked the heck out of me.
'cause I thought we were pretty good.
Yep.
But there's a lot happening out there that you never, like people that not only have access, you're still paying for it.
Yeah.
Which is huge in many cases.
Anything else that, that, that makes you you just want to tell people, please get this so I think we spoke about a bit about APIs, but I think the non-human
(31:10):
identities attack surface or risk surface related to SaaS apps is just huge.
We see almost a one to 10 ratio on every human identity in terms of the number of non-human identities that we see in an organization.
And we need to realize that these non identities are anything.
If I use Calendly and I give Calendly an access to my calendar, it creates an API, it creates an identity basically for Calendly as a
(31:33):
machine or an app to access my data.
These applications have no MFA, they have no strong authentication.
They're distributed to a lot of third parties that we inherently trust sometimes with a level of access that can administer our sap.
Critical SaaS applications.
This is just a huge risk surface.
Definitely not well integrated into IAM processes like we see organizations,
(31:55):
POC four different vendors choose one, forget to offboard the other three.
And a lot of risks that are associated just with the day-to-day management of these non-human identities that it's probably one of the most, definitely top three, but one of the most critical risk surfaces that we see within organizations in terms of we didn't even think about it.
We didn't look at it.
We don't have any visibility into it.
(32:15):
It still makes my stomach cringe when I check that box that says, you must trust this application because it can delete everything that you have, wow.
Yeah, I think that's it.
But also the non-human identities, not just these, I think this is ex, this is an extreme risk already.
But the second level is we're on, we're in the process of bringing non-human
(32:38):
employees into our environment.
Microsoft's already launched, I think 11 security agents this past week that are going to be integrated and per, and agents, by their own nature are things that can perform autonomous tasks.
So being able to manage non-human identities even goes up a notch.
(33:00):
Now with AI generated employees, that's really what they are.
It, they do tasks within your world.
I don't know what else you call them.
Yep.
And you have to give them privileges to do these tasks.
And these privileges are typically high privileges and not just the basic privileges that every user has, and then that just, and they have access to data and everything else, and just creates a huge attack surface or a
(33:23):
surface that, that you need to address.
So I always, and I do thank you for this.
You, but you, my guests are most gracious when they come in.
They've got their own products and services and I always tell 'em, this ain't a commercial buddy.
But feel free to talk about your own product through this piece.
'cause I think that, that's fairness.
You've developed it for these reasons.
What are the solutions?
What should we be doing?
(33:43):
So what Valence does is we give you a very comprehensive SaaS security platform that allows you to discover, protect and basically monitor your basic critical SaaS application.
So we start with shadow IT discovery, we'll create an inventory of all your different SaaS applications within the organization.
Then we can natively integrate out of the box to over a hundred different SaaS apps that we can start pulling information about their
(34:05):
configurations and how well are they secure?
Basically, SaaS security posture management, or SSPM.
It's similar to what CNAPPs and CSPMs do in the cloud space or infrastructure we do for SaaS.
And from there we go into a threat detection and response and being able to monitor user and administrative activities in order to help organizations to be able to respond to breaches if and when they occur.
(34:28):
This really helps to build that entire, all the different layers that are required across.
Almost according to any different security standard or security framework.
Do I, am I able to identify, am I able to protect and then to detect and respond capabilities and really create a comprehensive view of your SaaS ecosystem.
Wow.
Yeah.
And where do you go from here?
(34:49):
What's your what is the next development that we'll be seeing in, in this?
So I think the more we see Gen AI deliver the SaaS, the more this will become inherited aspect of SaaS security.
So Gen AI security for sure continuing to innovate when it comes to how do, how are you able to discover all your SaaS apps because it's always a
(35:09):
whack-a-mole game across the organization.
And you need to be very clever in how you try to catch shadow adoption and covering just more and more SaaS applications and more and more business cases that are.
Use cases that are important for our customers.
And the, I think maybe if you get the report is there some sort of
(35:30):
best checklist or something that someone could work for, work from, to try and evaluate their risks?
Is there anything that you bring to mind or is that, and in fairness and I, full disclosure, we're not getting paid by your company.
So I'm asking this legitimately, is that a service that a company like yours, prepare Pro provides, is to help people assess their, where they are in terms of SaaS?
(35:53):
Yeah, so some of the main benefits of our platform is that it's agentless and it's very easy to implement.
Typically requires an API service account, access to your SaaS, through your business critical SaaS.
And from there, very quickly we can generate a report of a risk assessment of your SaaS applications.
Which is a process that can take anywhere between hours or a couple of days in a very efficient way to create visibility in terms of risks to your specific problems.
(36:18):
Instead of I can sell anything in my demo environment, but really gives organizations a viewpoint into their actual risks and what actually was configured within their environment, which makes it much more of a concrete discussion around.
Do I have a problem?
Whether rather than is this a nice report that I should be concerned of?
Great.
Yeah.
(36:38):
And so is it, and I didn't even look at your Pro, is your product a SaaS application?
Yes.
Yes.
It's delivered as SaaS and it's all a hundred percent SaaS.
I'm only kidding you.
Thanks.
My guest today is Benani Shoat.
He's the CEO and co-founder of Valence Security.
Thank you so much.
This has been a great conversation.
I hope we can do it again.
(36:59):
And that's our show.
I'm redeveloping our website at technewsday.ca so the show notes have been a little lax in the past, a little while.
I'll try and get these up so that you can get a link to that report.
I think it's actually decent and worth reading, but if you're watching this on YouTube, there'll be a link to the report in the comments section.
(37:20):
Thanks a lot for spending the time with us.
I hope this was a really good topic.
I hope you enjoyed it.
If you didn't, or if you did, why not?
Let me know.
editorial@technewsday.ca.
You can reach me there.
You can find me on a SaaS application.
LinkedIn I get these more social media but the, my, my sense of irony is always there.
(37:40):
You can reach me on LinkedIn.
A lot of people do.
Or if you're watching this on YouTube, just put a comment right under the video.
I answer each and every one.
Thanks for spending your time with us this weekend, or whenever you listen to podcasts.
You had other things you could be doing and you spent it with us.
So thank you very much.
I'm your host, Jim Love.
Have a great weekend.