Securing the SaaS LayerGalit Lubetzky Sharon of Wing Security on Protecting This Large Attack Surface Steve King (@sking1145) • January 20, 2023 34 Minutes
Every organization uses software as a service. It is completely decentralized and mostly ungoverned. This introduces a major shadow IT problem, and it also creates a whole new attack surface.
"SaaS is a great thing," says Galit Lubetzky Sharon. But its decentralized and constantly changing nature makes securing it a challenge, adds the co-founder and chief technical officer of Wing Security.
"We want to enable the business to run forward, and SaaS is good for business. It accelerates the rate of production, productivity. That’s why we want to allow our users to use any SaaS they want. We just want to have them do it in the secure way," says Lubetzky Sharon.
In this episode of "Cybersecurity Unplugged," Lubetzky Sharon discusses:
- The two methods Wing Security uses to provide an organization with an inventory of every SaaS application it uses;
- The types of data exposed by SaaS applications;
- How Wing Security handles issues of compliance, remediation and privacy.
Lubetzky Sharon is a retired colonel in the Israel Defense Forces' 8200 Unit, Israel's signals intelligence component. After about 20 years of leading IDF's cybersecurity team, she co-founded Wing Security with Noam Shaar, IDF's former CISO, to meet the growing need to secure the SaaS layer.
Steve King: [00:13] Good day, everyone. This is Steve King. I'm the managing director at CyberTheory and our podcast today welcomes Galit Lubetzky Sharon, the co-founder and chief technical officer of Wing Security. And we're delighted to have Galit with us today. She is a retired colonel in the IDF, elite to A200 unit, the equivalent of our NSA for those who don't know, and after 20 years or so leading IDF cybersecurity team, she co-founded Wing Security with Noam Shaar, the IDF's former CISO, to answer a growing need, which is securing the SaaS layer. Today, SaaS is used by everyone and anyone in the organization completely decentralized and mostly ungoverned. This introduces not only a major shadow IT problem - you all know how I feel about shadow IT - it also creates a whole new attack surface and open stores to organization sensitive data. So, we'll be talking about all that and welcome, Galit. It's nice of you to join us.
Galit Lubetzky: [01:28] Thank you, Steve. I'm delighted to be here and on this platform. And thank you for the warm introduction.
King: [01:35] Sure. To set the stage for Wing, could you describe for our audience why SaaS differs from other apps in terms of security and what needs to change to make sure it's protected?
Lubetzky: [01:50] Sure. So SaaS is a great thing. All those applications that we can now use all across the organization, from HR, accounting, legal, R&D, marketing, sales, they all have their needs. And each of those needs has an updated and fine solution that you can adopt easily without asking for anyone to help you with. We all remember the old days when you wanted to use the new app, and you had to go to the security team or the IT team and ask them to install the app for you. So, no longer. It's super easy. Everyone can start using it, sometimes even without paying for it. Just give it a try, provide a permission, start working, do whatever you need to do. So it's completely decentralized, as you mentioned, it's continually changing. And that's great and challenging for the security. Because now, where do you even start holding and managing all those applications? Do you even know which applications are being used?
King: [03:20] Yeah, how do you do that? Does somebody have an inventory of every SaaS application that is being used in the company?
Lubetzky: [03:29] So, that's the first thing that we do in Wing. We help you discover all those applications because we understand that in order to protect something, you need to know that you're using it. So it's a basic layer. And the good question is, how do we do that. And we have two methods. The first one is easy. We integrate with the major SaaS applications, we ask the security team to authorize through all of our access to the account. And we collect the data regarding the applications that are connected, the users, the permissions, and we build this visibility map for our customers. That's the first method. We connect to your Office 365 and to your Google Workspace, or Okta and OneLogin, or Ping Identity, and then to your Salesforce and GitHub and GitLab and Zoom, and so on. And we retrieve the data regarding those third-party applications that aren't connected to this major SaaS application. So, that's the first method. It's easy for the security team. They just need to provide the permission. But it's not complete. How come? Because sometimes users access the SaaS applications directly for their endpoints. It can be from the browser, it can be sometimes a web extension that is installed. Not always, the web extensions are just local add-ons. In many cases, those are SaaS applications that send data back to the vendor and retrieve information back. So it's also a form of a SaaS. So we have an additional capability to query the endpoints. It's not an agent, it's not persistent. We retrieve that additional information to this integrated list of applications. And as you mentioned before, eliminating the shadow IT is important. And that's how we do that, by those combined two methods.
King: [05:57] Yeah. Just curious. Your direct experience with end-user customers, what would you say is the average number of SaaS applications a given company might be running at any point in time, based on what you found so far?
Lubetzky: [06:13] Okay. My first hunch would be to ask you to guess. I have the answer. I can say that it's hundreds of SaaS applications.
King: [06:25] All right, wow.
Lubetzky: [06:27] Yeah, medium-sized company, even with less than a thousand employees would have hundreds of SaaS applications, around 600 in average, and companies with thousands of employees, we see 1500 applications. The numbers are huge.
King: [06:53] Yeah. For the most part, what data is exposed? And it's a broad question. So I'm just thinking in categorical terms, not specifics, but what kind of data is generally exposed to these SaaS applications?
Lubetzky: [07:11] Everything. Where do you even start? It's everything. It's the customer's data. When you talk about Salesforce, or HubSpot, or any other marketing or sales application, it's your customers' data. It's your project management, when you talk about applications like Jira and Monday and Spanner. It's your internal information documentation, when you talk about Confluence and Notion, and so on. So it's everything. All the documents that are stored on Dropbox and Box, the data is everything you can think of.
King: [08:02] Yeah. I get that. But when folks use a third-party SaaS application, do they set up a test database with a copy of what is this live production data? And use that to do their testing with? Or do they lock it right on to the production data environment? How does that work?
Lubetzky: [08:33] So, production is usually the infrastructure of the cloud. But there are many specifications that are connected to the infrastructure as well. First of all, you need to understand in order to get to mitigate the risk, you need to understand the list of applications that are there. And then it's not enough just to have the least, you need to understand the permissions that those applications were provided. And with the understanding of the applications and the permissions, then you can manage the full domain. I think it's not enough. As we mentioned before, since we talk about hundreds of applications, it's not enough to know that you're using Loom or Canva, you need to have some additional information that will help you with making a decision about it. So we also do that. We have a huge database of specifications. We collect information about the vendor, what this vendor is all about, where it's located, what is the size of the company, information about security compliances, privacy compliances. And we provide our customers with the data about each app so you can make a decision. So now that you have the list of applications being used, you can also manage it. You see the business information, you see the permissions that were provided, you see who's using it. All in all, it can then make a decision. What do you want to do with the app?
King: [10:31] Yeah. If you prevent these shadow networks that are created when apps are interconnected, what's the basis upon which you make that determination? I assume you do that automatically. So do you just say the rule, you have a policy engine or a rules engine that you consult every time you find an interconnected SaaS app?
Lubetzky: [10:59] Yes, so we have those two methods that we use for discovery. So, once we can connect to an app, we can see all the third-party apps that are connected to it and the permissions that they are given. And we see all the applications that we could not see from the API of the major SaaS applications, we can see them and discover them from the endpoints. We then provide information about the SaaS vendors and the SaaS applications. And we enable the security team to manage it. So once you have a security policy that says, for example, "GDPR is important in our company, we do not want to use applications that do not comply with GDPR. We can help you see all the applications that you're using, and do not comply with GDPR. So you can now make a decision whether you still allow using it because it's crucial to the team or to the users using it or disconnect it because it does not comply with the security policy of your company. And we will also help you with managing that process." So not only are we providing the list and the attributes to make a decision, we'll also help you in the process of allowing the usage of applications and forbidding the usage of applications. So we can also alert and then help you monitor and make sure that if you classified an app as forbidden, no one will be able to use it anymore.
King: [12:57] I understand the compliance issue with GDPR in the United States. I don't think that the compliance regulation requirement extends as far as GDPR does. Do you find that most companies that are looking at you guys as a compliance solution are outside of the United States? Or do you sell on that basis within the United States as well?
Lubetzky: [13:26] So GDPR was just an example. First, we look at SOC 2, ISO/IEC 27001. So we have a list of compliances. I gave an example of the privacy regulation, but it's related to any other compliance standard. And I think it's not about a specific regulation, but more of as a whole, when we provide our security team all the data about the vendor: how big is it? If it's a very small company, up to 10 employees situated somewhere in the world - in your company, there are only two or three employees using this app. You cannot make a decision. In order to make the decision easier, we provide additional information such as the compliances that we've mentioned, and is it a public company, a private company, how much visibility they have in different marketplaces and all these attributes. The bottom line is to help you make a decision whether it's allowed to be used or not.
King: [14:50] And you find that most folks are interested in Wing because it provides that visibility and protection that it does or is it more on the compliance side or the privacy side?
Lubetzky: [15:08] Okay, so that's an interesting question, because the discovery of SaaS assets is only the first pillar of the solution that Wing provides. After we have this list of applications, we alert on the major security threats. And then we help you with remediation. So, only the first pillar is the discovery of SaaS applications and the management of it. The second part, which is important as well, we alert on major security threats. It can be excessive permissions that were given, it can be rare usage of an app, but it's not the common way to use this app, misconfigurations such as access through the SSO. We saw that Jan from accounting use the app: DocuSign. But she uses the direct user and password access. So we have many threat alerts, we also discover all the files that are shared with external collaborators and the numbers there are huge, we discover sometimes tens of thousands of files that are shared externally because it's easy to share. Think of all the times that you close the shares that you open. So, how many times did you close it, but I can tell you that many of our customers forget to close the shares. And we do that with almost a click of a button. So easy to remediate, we do not want to leave our customers with the alerts and the problems. We always push for remediation, we want to close those issues. We know how busy security teams are, we want to remove the load off their shoulders. So it's an integral part of our solution to remediate. And to do it automatically, you can customize Wing to the automatic workflow. So Wing will take care of the threats for you.
King: [17:45] And that's how you assist in the remediation process, which is a remediation, is a big challenge for most IT departments. I think, what you just described, is that part of the process? Or is that the whole process?
Lubetzky: [18:01] So, first of all, you need to focus on the main gaps and the main threats. And then you need to close those gaps. And we have two approaches to do that. We believe that teamwork is important. And we want to help the security team do their job as easily as possible. So we provide one method, which is to engage the users in the loop. We know that Madison, for example, shared thousands of files while she worked with a counter partner and the partnership was ended three months ago. Those files are still open, those shares are still open. And now, we can ask Madison to close those shares because she knows that the project ended three months ago, and there was no need to keep those shares open. So we can send Madison a message, one click of a button. We know that Madison is also busy. And if it will not be very short, very actionable, she will dismiss it and she will ignore it. So it needs to be easy, on the go, can be an email or Slack message, whatever is comfortable for the employees to engage. And that's the first method. Unfortunately, sometimes, employees don't cooperate with the security team. In many times they do, it makes it easier. But in case they don't, we don't want to leave the security team without the means to remediate with the problems. So, we always provide the security team the capability to close those issues on their own. And as I mentioned before, once you know the workflow that suits you, for example, once we discover files that are open for more than three months, send automatic notification to the owner, you can send another notification in case you missed the first one. But then two messages that were ignored - that's it, just close the share. And we do that, and you can customize it according to your preference. And by that we help with remediation, we help closing the gaps.
King: [20:52] Feels to me, since you work around the identity access management space, seemingly a lot around permissions policies, is there a conflict at all between your product and the more traditional IAM or CIAM applications provide?
Lubetzky: [21:18] That's a good question. And I would say, on the contrary, there's no contradiction.
King: [21:28] You just make them better, I assume. Right?
Lubetzky: [21:32] Okay, they manage the axis. It's crucial. We can tell things that they can't see. So all the applications that are integrated with your main IAMs are applications that security team or the IT team - they know about it, they integrated it in the first place. But the third-party applications that are connected to those major SaaS applications are the ones that are in the shadows. So, we increase the visibility map, we integrate with those IAMs. Because it's part of the picture. We also help with some inconsistencies in case we see that the user was suspended in Okta, but still has active permissions to GitHub. So, we can alert about such inconsistencies, but it's not a contradiction at all.
King: [22:39] Yeah, and they're all of the presumably other shadow IT applications, don't have a connection to an IAM system. Otherwise, they would be running in production, or in the main data center or data, IT organization. You find these things, you say, "there's no identity access management on this application." And you report that back to the CISO or the CIO, or what have you.
Lubetzky: [23:13] Yeah. So, and then, first of all, not all applications have integration with those IAMs. So, many of them do, but many don't. So first of all, it's not an easy decision to make. You should stop using these apps. Galit, stop using this app, because it does not have an integration with Okta. But I would say, "Please, Steve, I need it. It helps me do my job." It's okay sometimes to allow using an app, if it's for the right cause. First of all, you know that you're using - if there's a breach, if there's something that is concerning regarding this app, you can mitigate it. That's why we insist on the basic layer of discovery and holding this SaaS asset management. But then you can also decide that you don't allow using this app, it's okay as well. You don't want to take the risk. It's not mandatory. So, you can decide that this application is not allowed in your company, and we will help you authorize it.
King: [24:30] Yeah. So that increases the popularity of the CISO.
Lubetzky: [24:40] I think it will increase the popularity because I remember the days when we used to say that the security teams are the no no's. "Don't do this. Don't do that." Because then you risk the network. I think those days are - I wouldn't say gone. Today we look for the approach that enables work, we want to enable the business to run forward and SaaS is good for business. It accelerates the rate of production, productivity. That's why we want to allow our users to use any SaaS they want. We just want to have them do it in the secure way.
King: [25:33] Yeah, sure. So your spin is that instead of you're not the department of "No", but what you do is you just help everybody get visibility into what they are doing and what the exposures and risks associated with that are. That's simple. And if they want to continue taking that risk, I guess it's up to them.
Lubetzky: [25:58] Exactly.
King: [26:02] So if I'm not mistaken, you spent around 20 years in the service to your country and IDF. And I think he retired as a full colonel. Is that right?
Lubetzky: [26:17] Yes.
King: [26:18] So, I got a couple of questions about what you were thinking when you were in IDF. And assuming that you worked on this topic with Noam, what was 20 years ago that was a different world than it is today. What was your original idea or inspiration for the product? If you want to reveal. You don't have to. This isn't the inquisition. I'm just curious. Because the world changes. And, if you don't change with it, it's hard to be successful.
Lubetzky: [26:59] I agree. So, it's a good question.
King: [27:03] Were you aware? I mean, did you? Yeah, I don't think he probably targeted the identity management world or the SaaS world back then. But it must have been around what happens in shadow IT maybe.
Lubetzky: [27:19] I think that I will not go into a lot of details about exactly what we did in the days that we were in the IDF. But I can share a lot of insights that we have since then. I was the first CISO of the IDF. We have a rich background of cyber, many years in the offensive, and then in the defensive side. And walking in the shoes of the CISOs, I must tell you that I understand or we understand that solutions to the security team must be easy and rewarding. It's a very difficult job. So you want to plan something that will call you to come back to the system because you see the progress, you see something that is improving, it needs to be intuitive, because you have so many systems that you need to manage the same time. With that understanding, I think it's something very substantial that we took when we established Wing. We wanted Wing to solve a big problem. And to turn it into a simple solution. It's a challenge. But we like challenges.
King: [29:03] Yeah, sure. And it seems you have done that quite well. I can't imagine why anybody wouldn't have your product installed. I certainly would. Last question. And this is, again, from your perspective in the military. If we look at the future of cyber defense - and, by the way, I asked you that prior question because some of our audiences from our CyberEd initiative, which is an online education and training for cybersecurity, and people are always interested in how did you get here. How did your current career path evolve? What was it about cybersecurity that got you interested, etc. So that's why I asked that question. But in terms of future cyber defenses for countries, yours and mine. Are you confident that we can compete on that battlefield? And are we doing all that is necessary right now to engage with enemy adversaries? Just to be blunt.
Lubetzky: [30:19] Okay, so can we? I think that the short answer is yes. Is it an easy one? No, because let's take the SaaS domain as an example. It's a growing field, it's growing rapidly, it's changing. And with all that good that we just discussed. There are also opportunities, and there will always be those that will try to exploit this situation. So it's a game of thieves and cops, cats and mice. It's a never-ending situation. But I think that we, the good guys, will always build the right tools. So we provide better defense capabilities and security for security teams that want to protect their assets. And it's an ongoing process, because with the new technologies, there are always the new challenges and then comes the new capabilities to protect and so on. So yes, it's a busy world. I think that all of us have a lot of work to do that will not be done in the near future. But it will be fascinating, I'm sure.
King: [31:57] Great answer. Well, thank you, Colonel Lubetzky. I do appreciate your handling of that question. And the exchange that we just had, I think it was illuminating at least for me, and I'm sure our audience would feel the same way. So I appreciate you spending 30 minutes of your crazy day, I'm sure. I don't know what time it is over there now, but it's probably late. I look forward to having you on the show again. Maybe in six months or so.
Lubetzky: [32:29] That will be great. I enjoyed the conversation. Thank you very much.
King: [32:34] Okay. Galit, thank you again. This is Galit Lubetzky Sharon, the co-founder and CTO of Wing Security. I'm Steve King, I'm your host. And until next time, I'm going to sign off. Take care.