Welcome to Cybersecurity Today. Our topic today is SaaS, or software as a service, security. SaaS software has been around for a long time now. Believe it or not, I worked on this in the early two thousands with my buddy Mark Langlois. And we tried to convince HP and our management at DMR that you could deliver applications over the internet.
We got thrown out of a lot of offices, we got laughed outta some, and then salesforce.com came out. And it's not that we were prophets; logically, SaaS was an inevitable progression of the buy versus build contest in software. And once that battle had been won, once people thought it was better to buy than build, SaaS was inevitable once the technology caught up. The idea is simple. You avoid the capital cost of development or of purchase.
You pay a relatively low monthly payment for software that's always up to date. And not only does someone else do the development and the maintenance, but, and this is what would make SaaS inevitable, they do the hosting too. And that was only part of the equation. Theoretically, you were purchasing the best development team. They specialized in this and they could do it better and not just cheaper. And the costs were shared and the development team was shared.
So they had more and more experience. But in reality, the real reason SaaS caught on was cost. You could buy a relatively sophisticated application on your credit card and many people did. So SaaS turned into a bit of a nightmare for IT and eventually for security. This was shadow IT on steroids for many reasons, and I'm sure we'll discuss these today.
While we might have bought SaaS thinking we were getting better development, a lot of us started to realize the security side didn't always live up to that. Now, we've done a lot over the years to try to manage that, but as I've pointed out, we're in a second wave of SaaS now, an avalanche of AI software. So when this report crossed my desk, I reached out to try and get someone to talk about it. And that report that we're talking about.
It's called the State of SaaS Security, and it was developed by the Cloud Security Alliance. They're dedicated to defining standards, certifications, and best practices. They put out the State of SaaS Security report, trends and insights for 2025-26. They're an independent organization. Been around since 2008, and I managed to get the sponsor of the report, or the company that sponsored the report, to come in and talk about this. My guest is Yoni Shohet.
He's the CEO and Co-founder of Valence Security. And Valence, of course, is the sponsor of the report, but this was done independently. Welcome, Yoni. Thanks, Jim. It's great to be here. Did I get it right on the report? This is an independent report. You guys paid for it, but it was done by an independent group. Yes. CSA did the entire report. We were just supporting and sponsoring it. Just providing the money. Well, somebody has to, right?
Yeah. Now I wanna talk about you, first of all, 'cause I got a little bit on your bio. First of all, how old are you, young man? I need to know. You're an entrepreneur, you got your BSc in math when you were 19. Yep. So you were the guy who was sober in university, as opposed to me. Okay. Allegedly. And then you went into the Israeli Defense Forces as a cybersecurity team leader. Yep. Can you tell me a little bit about that? I think we're all curious about what that means.
You're 19 or so, you graduated and you're in the defense forces and they put you on a cybersecurity team. What was that like? Yeah, so in Israel you have a mandatory military service at the age of 18. Also the legal drinking age is 18, unlike in the US. So your statement wasn't a hundred percent correct in terms of but like I still had a year of eligibility, but I did go through an atypical route where I started when I was 16 during high school in parallelism.
Also, I started my bachelor's in math through a program in the university. And then by the age of 19, I delayed my Army service and then I joined the Army basically a year later. And served for almost six years in the Israeli intelligence forces across various cyber operations positions. Did my officer school there as well. I finished my service as a captain, managing a few teams in various positions across my service during those almost six years.
And probably the main reason why we see a lot of entrepreneurs and cybersecurity companies come out of Israel is that at a very young age, you're given a lot of responsibility in very tech-focused areas related to security. The equivalent of what you're able to do probably in the US is only when you're about 30. And then in your mid twenties, you finish your service and you're hungry and you experience the highest level of, basically,
your capabilities, and you broke any type of glass ceiling across the early stages of your career, and you're looking to just do more of that. And going into a corporate organization and just doing a day job seems so boring and doesn't really allow you to fulfill your full potential. And similar to me, a lot of Israelis, when they get to that stage, they just look for their
next big challenge and prior to go through that entrepreneurship path and founding a company, and I went through a similar path and eventually started my first company very shortly after I finished my military service. Yeah, which is, I think this is amazing. And one of the things, and I don't wanna diminish this, I don't wanna trivialize anything; war is not good.
But you say to people when they're starting out in cybersecurity, and they're freaking out and they're worried about whether they're gonna make a mistake. You say, look, it's not life or death. But in the Army it actually is. You're getting a hell of an experience and a hell of a responsibility in some of those cases.
And at a very young age, at least in Israel, it's at a very young age, which really builds you up for a very mature career at a very early stage of your career path, which I think highly contributes to that. What you do matters a lot and you get a lot of responsibility because again, everybody around you are more or less at the same stage of their career path.
So the image I have is that there's a street in a city in Israel, and there's just like cybersecurity companies, like all the way down there. But there, there are a lot of companies. So you are, you're there's a big industry there now. I would say I, I wouldn't, I don't know if I'd say it's the leading place in the world, but pretty darn close. Yeah. In terms of cybersecurity development, what's that living there with all of that going on?
I think definitely compared to the size of the population, it's definitely leading. I think it's created a very strong ecosystem because it's a small country and because everybody knows everybody and you're two phone calls away from getting to whoever you want to talk to within the Israeli ecosystem. You're able to really, to encourage you and to, all the time, find,
to go beyond what you thought were your limits beforehand, and I think this really encourages the entrepreneurship, encourages people to explore these options and also creates the right ecosystem of support so you don't feel like you're by yourself or the first person that has to do something. You have somebody to consult with. You have people that will push you forward.
And you also have, obviously, also the sense of competitiveness, because a lot of our competitors are Israeli based and a lot of companies that we see emerging within the cybersecurity industry, whether if they're former colleagues or people that I had some sort of engagement with in the past. And that obviously also boosts up that entire and really endorses this entire ecosystem. So this is your second company that you've co-founded. Did I get that right from your bio?
I started my first company right after my military service. It was a company called SCADAfence. It was focused on industrial IoT cybersecurity, basically securing shop floor environments and critical infrastructure and manufacturing organizations. That company was acquired by Honeywell, and afterwards I started Valence about four years ago, which is focused on SaaS security.
Our topic for today. I feel like after my first experience, it's almost the only thing I can imagine myself doing moving forward, just continuing through this route and leveraging or enjoying the level of excitement that I have from just experiencing every day entrepreneurship experience and the ability to actually feel like I'm leveraging my entire skillset on the day-to-day basis. And so why focus on SaaS?
So when we started in 2021 and we were looking, Shlomi, my co-founder, and myself, we were looking for problem spaces throughout our ideation phase. It was a bit after the SolarWinds attack campaign. One of the things that hackers did there is really they focused on third party vendors which they hacked into them and stole from them APIs and service accounts or service access that they had in order to gain access to their customer base.
For example, they hacked an email security company and they leveraged their tokens in order to steal emails from their customers. And when we started talking to CISOs and to security executives that we interviewed throughout our ideation phase, and we asked them, what do you do with all these API tokens that have access to your business applications? We got a very repetitive answer of, we have no idea. We don't know.
Even if they're generated, we have no inventory of them and we can't really track them. And we double-clicked on that. We really focused on that problem space as our initial focus, and the more we spoke and engaged with customers around their problems with Microsoft 365, Google Workspace, Salesforce, GitHub, Okta, and different SaaS applications, we realized that
they have no idea on what's even configured within these applications, because if you compare the modern adoption of SaaS, compared to what you probably saw in the early two thousands, is that today SaaS is really adopted and managed outside of IT and security. So the admins of Salesforce are in sales. The admins of Workday are in HR. The admins of GitHub are in engineering. And security teams really lost touch with what's actually going on within these applications.
When you couple that with the fact that SaaS has become a very complex platform, right? It's not just simple UI that has two buttons and you have one task that you do with it. These are complex platforms with a lot of abilities to integrate, to automate, to integrate, create gen AI processes, and just create complete platforms within one application. So the complexity together with the distributed administration really pulled
us towards really focusing more and more on SaaS security as our primary focus area. Yeah, and I think in the same way that SaaS, and you brought up the point quite correctly, that you've got these islands of security done by, and I'm sorry, but amateurs, people who are not necessarily trained in security or thinking about how security should be set up, and some very sophisticated integrations going on and exposures going on with these.
That's, I think that's one of the nightmares of the modern CISO is trying to make all of that work. It's hard enough to make it work with a team that you keep coherently together and keep trained. But the other piece of this is the setup. And you mentioned Microsoft 365, and I think everybody, we've got a lot of people in the audience are fairly technical. Some of them might be, I don't think people realize that this SaaS software that you get that comes outta the case is highly insecure.
If you just set it up and leave it, you've created a major vulnerability in your organization. And there's a shared responsibility model between the vendor and the customer. The vendor is supposed to provide you where you share the consequences. They share the fees, yeah. And eventually they give you the option to make it secure. You need to opt in to a lot of the security features.
They don't come out by default because by default, these vendors want to encourage you to make the most out of the platform. Making the most out of the platform means that you can leverage a lot of functionalities that the security team may not be on board with. And when you think about how that shared responsibility model actually comes into effect, it means that you need to be on top.
It's your responsibility to be on top of all the different toggles that every platform offers you to make sure that it's adopted in a secure way that you're satisfied with. And I think that specifically, if you look at, for example, the Snowflake breach that occurred last year, many Snowflake customers were breached because of the fact that they didn't properly enforce MFA, multifactor authentication, within their applications.
And eventually even Snowflake came out with a statement saying, Hey, this is your responsibility, but here's how you can configure it. You were supposed to go and click the right buttons, but then it comes back to the fact that you need to know about all your Snowflake tenants, and you need to make sure that you properly click all the buttons and that you don't have surprises of somebody unrolling or removing MFA just for a temporary test and not coming back to it and things like that.
Yeah, and I'm not, I don't dive on vendors. Actually, maybe I am more critical than I let myself think I am. But one of the things I take it, if you go sell any power, any tool to somebody or anything that is dangerous or has a danger, and you don't warn them of that danger and make sure that they know to get training or they know to get expertise, you'd be prosecuted. But in software, we can have somebody come and say, oh yeah, gimme your credit card.
Take this thing, walk away, and not be forced to say, you really need to know about these things, or you really need to talk to somebody. And I get it. Salespeople aren't in the mood to push people away from buying software. That's not their job. But I always feel that we got into client satisfaction, I think they call it, or, to get people to use the software. There's nobody who phones you up to say, I'm the security person, are you okay? Yep. Yep. So there we are.
And so that brought you into this now and you did this report. Do you wanna just go over some of the main findings of it? I got what I got out of it. I've got some notes here too to go through it. What did you take away from this report? Yep. So I think the encouraging aspect is that really the focus on SaaS security is increasing. We're seeing more budgets, more focus, higher priorities on SaaS security as a whole.
But the inherent dangers and risks associated with SaaS are still challenges for a lot of organizations. For example, when we speak a lot with the customers and prospects across the industry, we get a lot of times the claim of, oh, I have it under my single sign-on, or my multifactor authentication, and we're good here. Our SaaS is secure because of our strong authentication methods.
But still, when you go into main sources of breaches and some of the challenges that a lot of organizations have based on this survey, it's still very much related to identities, which is the core aspect of what you can configure within SaaS is eventually related to access, right? You upload your data to these SaaS applications and you need to control how you manage access to the data within the applications, whether if it's through permissions, authentication,
privileges, and just making sure that you have good control over it, which is still a major challenge across three main areas, which is human identities and non-human identities, which are basically automation capabilities that are leveraging tokens and APIs and basically leveraging machine identities for activities. And also just data exposure. Think about it, think about the simple use of OneDrive or SharePoint or Google Drive, right? Something most people use on a day-to-day basis.
We share files all the time because you collaborate with somebody, I have a project, they share with them a file. When's the last time you unshare the file? Oh God, I, and I have to, should I be confessing this on the air? We're a relatively small organization now, so if people are gonna hack me, they're gonna do it. But in the olden days when I ran a larger company, it used to scare the crap out of me.
How much stuff was shared and how we would go about finding out who still had access to what. And the tools at that time were just garbage. You could not find out where all this stuff was and it was, well, just here you go. Oh, you're no longer with that company, but we're still sharing the document with you. Not a problem, yep. There still are, unfortunately. And I think that what we see is that the user experience of these SaaS applications make it very easy to share files externally.
Two clicks and it's out. And you can share it open with a link because that's easiest. You don't need to think about least privilege and who actually needs access to it. And you can just create an anonymous public link. But it never encourages you to unshare a file. That's not built into user experience. And what we find is that about 94% of external file shares in our customer tenants are not really accessed by the external collaborators.
So they're just sitting there shared that other people can access it, but nobody actually needs it and it creates a lot of challenges of just over data exposure within the environment. I understand we have to do it. I've never been able to figure out why they're not timed. Where you share a file for 48 hours.
And the company, BlackBerry here, actually tried to do some really good work and I think some people did some work on sharing, but I don't know where that's gotten to and maybe I don't know enough about it, but it seems like a massive hole in security. But there are more like. We digress. There are more, you talked about multifactor authentication. Your report says like almost 50% of the SaaS breaches are linked to weak MFA protections. That didn't surprise me.
It dismayed me, but it didn't surprise me. Yeah. I think eventually today attackers realize that a lot of organizations think that MFA is the silver bullet to protect their identities, but there's ways around it. If your MFA requires just code in the phone, and that's something the hackers obviously hacker with trying to get the access to SIM swapping and stuff like that.
If it's something that they can leverage, like MFA fatigue, where they call into your employees and say, Hey, I'm from IT. I need your code. Can you give it to me? Now I just send it to you, to your phone. It's just like a technical issue. People give it. Token theft. Like eventually when I log into my SSO in my browser, and somebody gets access to that token in my browser, they can leverage it now in other devices as well.
So there's a lot of methods to try to breach it, and it's the first line of defense, but it can't be the only defense you put in, because you need to afterwards make sure that least privilege is enforced, that nobody has access to things that they don't need access to. And eventually that you also monitor the activities that these users perform. So you're able to detect, oh, somebody's doing something abnormal.
Somebody potentially is going through an account takeover attack, and this is something that we should focus on and try to remediate or to mitigate in terms of potential risks. Okay, I get to quiz you on the study. And I hope I didn't, I hope I let you finish your summary, but here's something that just jumped out at me. Okay. And I'll just go through this. People are really concerned about SaaS.
I think your report says something like 86% of organizations the top priority. And then surprisingly about 80%, 79% said they expressed high confidence in these programs. And then about half of them think, report that organizations, let's say the report actually says organizations report that employees sign up for SaaS applications without security's involvement, and 58% of them are struggling to enforce proper privilege levels. This seems to be a bit of a contradiction.
On one hand, somebody's pretty co. This is getting our attention. We're paying a lot of attention to it. On the other hand, we've got these really big weaknesses. Is that, yeah. Do you find that sort of split personality in organizations? Maybe we should have asked the confidence level question at the end and not at the beginning, after they answered all the other questions. No, but I think that's the reality.
The reality is that eventually organizations have a lot of confidence that their SaaS is secure because of many different reasons. Whether it's because they think the vendor just provided it to them secure, because they have MFA or single sign-on enforced, whatever the reason is. But they don't realize the multi-layers of risks that are associated with potential misconfigurations and also shadow adoption of these tools.
If you think about when DeepSeek came out a couple months ago, and it came out in a boom and everybody was interested and curious about, oh, what's DeepSeek? What's this new gen AI capability that everybody's talking about? Is it good? Is it bad? We found it adopted across almost all our customer base. Notified all our customers. Hey, this is in the news. Just so you know, here are all the users that adopted DeepSeek within the organization.
I think that was the quickest time to remediation I've ever seen our customers go through because they were concerned not only because of the Chinese ties to DeepSeek, but also just because it's a new gen AI tool. People are feeding it company data and they have no control over it. So there's always new things that pop up that people are concerned and should be concerned about it.
But I do think that the contradiction that you mentioned between the confidence versus the reality may be because they just didn't, when they answered the question, they answered it at the beginning without thinking about, okay, but what about this and that we're already asking throughout the questionnaire, and that maybe, again, note to self next time to ask that at the end.
But you brought it around to AI, which I have said is the greatest wave of shadow IT since the start of IT. Yeah. There are more applications out there now that are powerful and with security holes that you could just drive a truck through. You don't have to be sharp, and by the way, you can get AI to help you hack it. So are you seeing an awareness of that at all? Yeah, I think definitely a lot.
It's in the news everywhere and almost every organization we're speaking with either has a policy or is enforcing a policy related to gen AI adoption, and most gen AI is delivered as SaaS. Right? How do you consume the new AI tools? Nobody's gonna, obviously there are options for on-prem or self-hosted, but most of them were delivered by default as SaaS.
And what we see is that a lot of organizations went through an experiment phase where they said, okay, let's see what type of AI is actually needed by the organization. Now they're trying to create more of, say, limitations on AI adoption, but mostly creating a very clear path towards how good AI adoption looks like within the organization. For example, if you want to leverage a note taker on your virtual conference calls,
here's the tool that was already approved and authorized by the security team. Just use it. And then when we help them identify new adoption of a new tool that is not in the approved or sanctioned capabilities, the message is not, Hey, you cannot do this. Hey, we're blocking you, but, Hey, this is not the extension tools. Please start using this tool because we're not gonna allow that tool, and it just changes the tone of the conversation
when it comes to how a lot of security teams engage with their teams or with their employees within their organization. And I've been saying, don't try and stop it. You're crazy if you just, it'll just go underground. People will just not tell you, or they'll find ways around the cleverest systems to do this, so get out there and say, what are you using? How can we find out it's secure?
The other piece that I advise people to do is don't, and I understand we want approved versions, but don't try and restrict people to the one you think is best. You're gonna get killed. Yeah, they're gonna hate you because they got this one that works and it's better than this one that you recommended. And then you lose all credibility. But getting out there and making sure that you say, look, we're here to make you more secure, not to restrict what your development is.
A tough conversation. And in fairness, I don't know if a lot of security departments have the staff or the time to properly manage that. So I don't wanna be critical 'cause they got a lot of 4,400 interruptions per day. Per person, for Right. And so they've got a lot on their plate. How should they manage that? Is that, how would you approach it? I think this ties back to the fact that you have shadow adoption of SaaS, but also distributed administration of SaaS applications.
So it's not just who puts their credit card and buys a SaaS application. It's also the highly critical business applications that are just managed outside of IT and security. I think this is the new reality or this is the reality and teams, security teams need to adjust and therefore collaboration with your business, whether if it's the SaaS admins or the business users, is key.
In order to create a successful SaaS security program, you have to create good conversations and good collaboration to deeply understand what the business is trying to achieve and create the best and most secure methods that ensure the business can actually adopt what they need, but also creates the right security control around it to make sure that you don't create more risks and that the security team becomes nervous from that type of adoption.
So that collaboration is really key for security teams to be successful because otherwise the business will just find a different way to do it. And the security team, even if they're not accountable for everything the business is doing, they'll still have to see it as something that they'll want to have better visibility and control over as this red surface continues to grow. So just get back to the report for a second. I tend to wander.
You might have noticed, we've covered some points, but why should people read the report? Are there other insights that they'll get from it if they check this out? I think the main reason to read the report is really to get better education about the real world risks that we're seeing within organizations and real problems, challenges that organizations are facing.
In order to better understand, first of all, to ask yourself if your security program is actually addressing these potential risks and whether or not, if you would answer the survey, you would answer it differently in terms of the questions. We'll also have the raw questions embedded into it, and to help you create a better focus on how to improve your SaaS security program internally.
And also, to your point in terms of the confidence level versus the reality, to make sure that kind of maybe more of a reality check for security practitioners to make sure that they're actually focused on what could potentially move the needle and they don't have blind spots when it comes to their SaaS security or SaaS environment overall. And if you are most, like I said, a lot of my audience are CISOs or people like that.
Many of them are also managers who might be managing this and trying to stay up to date. If somebody brings a SaaS application into your environment, one of the things that I would point out is really find out how secure their APIs are. Don't just take this, it's got a REST API or some sort of API, really check that out because I think that's a vulnerability area. Are there other questions that people should be asking about security of SaaS from your experience?
I think there are three layers that you typically need to focus on. The first is, first of all, are you gonna be able to even identify that somebody brought this SaaS into your environment? That's the fundamental question. Do you know it exists? Will you discover it on time and will it be part of your inventory? Then the next question you need to ask yourself is, what capabilities does each SaaS application offer me to make it more secure in my environment? What are the controls?
What are the toggles? What are the functionalities that I can control as a user or as a customer of this SaaS app that will make it more secure, but still fits what my business is trying to achieve? And that's really the posture element of one of it could be related to APIs, but it could be MFA, it could be related to who has admin access. It could be related to how data is shared externally. It can be related to a lot of different functionalities that are built into the platform.
Then the third layer is really, okay, let's say I discovered the app, I put in the best practices when it comes to security controls. It's as secure as it could get. Breaches could still happen; eventually this is the reality. Breaches could still happen because of a lot of different reasons. Will you be able to monitor the activities within the application and to be able to detect
breaches if and when they occur, or suspicious or malicious activities, if and when they occur, in order to make sure that you have proper incident response capabilities for these SaaS applications. So it's identification, protection, and then detection response. And it's a full life cycle of really building up your program around each one of these applications. And just a couple more questions. And between you and me, and 10,000 other people that are listening, you're a vendor.
You meet a lot of people. You see a lot of things. What are the things in terms of SaaS that make you go, oh my God, please don't do that. What are the things that keep you up at night about what people are doing with SaaS? Yeah, so I think
what really keeps me up at night when I think about how people adopt SaaS is really the fact that a lot of people that are less educated about the potential risks are now going in and configuring these SaaS applications to get their job done. They're not doing anything maliciously, but they're just trying to get their job done. And we're seeing it across
almost every business critical SaaS app, that there's like surprises and configurations of, oh, I didn't think about this. Oh, I didn't think about that then, and there's a lot of procedures that could break. For example, a lot of organizations think they got offboarding checked and that there's a process that automates either the offboarding or that helps to just remove contractors or employees that are terminated or quit their jobs in a timely fashion.
There's almost always gaps in it because there's sense of control that a lot of administrators want in terms of how these processes actually occur that eventually translates into manual processes. And when it comes to manual processes, there are always gonna be gaps, and we find it in almost every organization. So I think just that distributed ownership and the fact that
the people that have the control are not precisely the people that are concerned about security. It creates a lot of gaps in terms of how organizations are actually ensuring proper security for their SaaS apps. Yeah. And I will tell you, as somebody who had the unfortunate reality of shutting a company down, you don't know how many things you're still paying for and are still connected until you actually go through account by account. It shocked the heck out of me.
'cause I thought we were pretty good. Yep. But there's a lot happening out there that you never, like people that not only have access, you're still paying for it. Yeah. Which is huge in many cases. Anything else that makes you just want to tell people, please get this? So I think we spoke a bit about APIs, but I think the non-human identities attack surface or risk surface related to SaaS apps is just huge.
We see almost a one to 10 ratio on every human identity in terms of the number of non-human identities that we see in an organization. And we need to realize that these non-human identities are anything. If I use Calendly and I give Calendly an access to my calendar, it creates an API, it creates an identity basically for Calendly as a machine or an app to access my data. These applications have no MFA, they have no strong authentication.
They're distributed to a lot of third parties that we inherently trust sometimes with a level of access that can administer our sap. Critical SaaS applications. This is just a huge risk surface. Definitely not well integrated into IAM processes. Like, we see organizations POC four different vendors, choose one, forget to offboard the other three.
And a lot of risks that are associated just with the day-to-day management of these non-human identities that it's probably one of the most, definitely top three, but one of the most critical risk surfaces that we see within organizations in terms of we didn't even think about it. We didn't look at it. We don't have any visibility into it. It still makes my stomach cringe when I check that box that says, you must trust this application because it can delete everything that you have, wow.
Yeah, I think that's it. But also the non-human identities, not just these, I think this is an extreme risk already. But the second level is we're in the process of bringing non-human employees into our environment. Microsoft's already launched, I think 11 security agents this past week that are going to be integrated and per, and agents, by their own nature are things that can perform autonomous tasks. So being able to manage non-human identities even goes up a notch.
Now with AI generated employees, that's really what they are. It, they do tasks within your world. I don't know what else you call them. Yep. And you have to give them privileges to do these tasks. And these privileges are typically high privileges and not just the basic privileges that every user has, and then that just, and they have access to data and everything else, and just creates a huge attack surface or a surface that, that you need to address. So I always, and I do thank you for this.
You, but you, my guests are most gracious when they come in. They've got their own products and services and I always tell 'em, this ain't a commercial buddy. But feel free to talk about your own product through this piece. 'cause I think that, that's fairness. You've developed it for these reasons. What are the solutions? What should we be doing?
So what Valence does is we give you a very comprehensive SaaS security platform that allows you to discover, protect and basically monitor your business-critical SaaS applications. So we start with shadow IT discovery, we'll create an inventory of all your different SaaS applications within the organization. Then we can natively integrate out of the box to over a hundred different SaaS apps that we can start pulling information about their configurations and how well they are secured.
Basically, SaaS security posture management, or SSPM. It's similar to what CNAPPs and CSPMs do in the cloud space or infrastructure, we do for SaaS. And from there we go into threat detection and response and being able to monitor user and administrative activities in order to help organizations to be able to respond to breaches if and when they occur. This really helps to build that entire, all the different layers that are required across.
Almost according to any different security standard or security framework. Do I, am I able to identify, am I able to protect and then to detect and respond capabilities and really create a comprehensive view of your SaaS ecosystem. Wow. Yeah. And where do you go from here? What is the next development that we'll be seeing in this? So I think the more we see Gen AI deliver the SaaS, the more this will become inherited aspect of SaaS security.
So Gen AI security for sure continuing to innovate when it comes to how do, how are you able to discover all your SaaS apps because it's always a whack-a-mole game across the organization. And you need to be very clever in how you try to catch shadow adoption and covering just more and more SaaS applications and more and more business cases that are. Use cases that are important for our customers.
And the, I think maybe if you get the report is there some sort of best checklist or something that someone could work from, to try and evaluate their risks? Is there anything that you bring to mind or is that, and in fairness and full disclosure, we're not getting paid by your company. So I'm asking this legitimately, is that a service that a company like yours provides, is to help people assess where they are in terms of SaaS?
Yeah, so some of the main benefits of our platform is that it's agentless and it's very easy to implement. Typically requires an API service account, access to your SaaS, through your business, critical SaaS. And from there, very quickly we can generate a report of a risk assessment of your SaaS applications. Which is a process that can take anywhere between hours or a couple of days in a very efficient way to create visibility in terms of risks to your specific problems.
Instead of I can sell anything in my demo environment, but really gives organizations a viewpoint into their actual risks and what actually was configured within their environment, which makes it much more of a concrete discussion around, do I have a problem? Rather than, is this a nice report that I should be concerned of? Great. Yeah. And so is it, and I didn't even look at your Pro, is your product a SaaS application?
Yes. Yes. It's delivered as SaaS and it's all a hundred percent SaaS. I'm only kidding you. Thanks. My guest today is Benani Shoat. He's the CEO and co-founder of Valence Security. Thank you so much. This has been a great conversation. I hope we can do it again. And that's our show. I'm redeveloping our [email protected] so the show notes have been a little lax in the past, a little while. I'll try and get these up so that you can get a link to that report.
I think it's actually decent and worth reading, but if you're watching this on YouTube, there'll be a link to the report in the comments section. Thanks a lot for spending the time with us. I hope this was a really good topic. I hope you enjoyed it. If you didn't, or if you did, why not? Let me know. [email protected]. You can reach me there. You can find me on a SaaS application. LinkedIn I get these more social media but the, my, my sense of irony is always there.
You can reach me on LinkedIn. A lot of people do. Or if you're watching this on YouTube, just put a comment right under the video. I answer each and every one. Thanks for spending your time with us this weekend, or whenever you listen to podcasts. You had other things you could be doing and you spent it with us. So thank you very much. I'm your host, Jim Love. Have a great weekend.