Spend Advantage Podcast

SaaS Security Powered By Your Users

January 24, 2023 Varisource Season 1 Episode 21

Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time, money and grow faster. Especially bring awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage. https://www.varisource.com

Welcome to the Did You Know Podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow. Especially bring awareness to smarter, better, faster solutions that can transform your business. Hello, everyone. Victor with Varisource. Welcome to another episode of the Did You Know podcast. Today we have Push Security, one of our top partners, with us. The CEO and founder, Adam Bateman. Push Security essentially is a SaaS security platform powered by your users. And we're going to have, obviously, SaaS and security are both very hot topics in today's world. And so super excited for Adam to tell us more about Push Security. Welcome to the show, Adam.

U1

Thanks, Victor. It's great to be here.

U2

Yeah. So, Adam, I mean, you have an amazing background and also the founding story. So if you don't mind, if you can give the audience a little background about you. And also, how did Push Security come about? Because like I mentioned, SaaS, software as a service, is growing at a tremendous pace. It's only going to keep growing. There's more and more software to do many more things, amazing things for companies, but it also creates more and more challenges and security loopholes for companies. Right. And so I think what you're doing is so important.

U1

Absolutely, yeah, no problem at all. In my background, I'm kind of a lifelong career security person, so I have always been in the industry professionally, and before that, as a hobby. So I started off the typical, what you call hacker founder, hacking in the bedroom, learning. I'm just really interested in the whole field and just trying to learn as much about it as I possibly could. So I came out of university and straight into work for a company called MWR InfoSecurity, who are a very specialist cybersecurity research house in the United Kingdom, here in London. And we were responsible for, we contributed a lot of kind of open source tools and different attack techniques that are still used in the industry today. Presented those at a lot of the kind of mainstream security conferences like Black Hat, BlueHat, and all the big name ones that, you know, are there. And so our core business really to begin with was that of consulting. So we were a team of Red Teamers, or ethical hackers. And so what we would do is really interesting engagements. So we worked with very, very large enterprise companies, and they would commission us to perform kind of Red Team offensive security against them. So to test out their security, they would, for example, come to us and say, okay, we would like you to achieve these three objectives. We'd agree those ahead of time. It might be transfer this money out of this bank account, a million dollars, into the separate bank account, find out the secret project we're working on, or wherever it might be, and then we would assemble a team and we would break into the company and we'd achieve those objectives. And once we'd done that, we would go back in and present to them and say, okay, this is how we broke in, this is what we did, and we would advise them on how to actually defend against it. So this has been my life for a very long time on the offensive side of security.
And then, like a lot of people in our space, after a while, when you realize kind of how easy it is to do, and I don't mean that just, you know, necessarily, it was a very skilled team, but I mean, it's, you're on the back foot as a defender. And so a lot of people on my side like to jump over to the other side of the fence and start helping companies to defend themselves, which is what brought me into really building out a cybersecurity solution to try to help companies as much as possible.

U2

Yeah, no, that's amazing, man, what you described. It sounds like you're the SEAL team. Sounds like something I've seen in the movies, man. And also something is really fascinating, because I think for most people that are not in the security space, they would imagine, hey, these big companies have all the money in the world. They have security teams. They must be like Fort Knox, right? They're protected like everywhere. They have all the tools, all the platforms, all the things you can buy. So just starting from that, Adam, even working with these large companies, why is it still, I wouldn't say easy, like you said, for you to find a loophole or achieve your goal of hacking them, even though they hire you to do so? But why are these big companies still not able to plug all the holes, let's call it that way?

U1

That's a great question. I mean, it's a really interesting point, because if you think about it, small companies have less resources to defend themselves, but are also, generally speaking, less on attackers' radars, and therefore they experience breaches less. It's not always true. You have very small companies that have very specific IP, which would be a target of a foreign nation-state sponsored attacker, and they would want to gain access to them. But generally speaking, smaller companies, smaller resource, but more under the radar. Larger company, much bigger or much more resource, but much more under people's crosshairs. Also, the kind of landing pad of a large company is a lot bigger. They have more IT assets, more employees, more to target. And so you really have this sliding spectrum which kind of balances stuff out. But the second thing is, there's a phrase that people talk about quite a lot in the industry. They say as an attacker or as a defender, you need to think of every single thing the attacker might do in order to break into the company. But as the attacker, you have to think about the one thing that they forgot. And so the nature is that it's just very difficult as a defender to do this. It's really a best effort you're continually doing to evolve it. And so, yes, as I said, this is the reason that I think it's very common for hacker founders like myself to go into the industry, because you really want to contribute towards the problem and take our understanding of how companies are targeted and actually flip that around to help people with the defense.

U2

So you've seen, again, you've been in the industry for so long, have a lot of insight on, like you said, you want to be able to help these companies and help customers, but there's so many security products you could have gone out and done or built in areas to go after. Why SaaS? Well, I can imagine why. That's where everybody's going, right? But what made you start Push on SaaS, kind of this area?

U1

Yeah. So there are a couple of threads to Push. There's SaaS, and then kind of, why user centric? So I'll cover both of those because they're sort of intertwined. But when we were doing this work with large or small companies, regardless, there's a fundamental pattern that I noticed, and it's that the industry is incredibly good at giving people more problems. You think about vulnerability scanners, detection tools, all of these things, you load them all up and you plug them onto your company and they spit out a big to do list of problems and things you need to do. And so security teams end up very overwhelmed with more and more stuff to do. And so the thing we realized as a founding team, having helped thousands of companies, is that people don't want more problems, they need to not actually fix it. The user centric aspect, which we can come around to later, was about actually automating the fix and taking problems away from people as much as possible. So that's really what was the fundamental story behind Push, is that we wanted to do that, to focus on the fix. After we'd done that, we sort of started to then think, okay, what problem should we help people fix? And obviously, SaaS is very prolific, it's kind of the future of where companies are going. If you look at modern startups in particular, a lot of them are completely networkless, right? They are literally just little laptops of employees with maybe 100 SaaS applications. And that's the whole company. And that seems to be the way that organizations are going. So focusing on that seemed very relevant. Yeah.

U2

So one of the taglines that I love that you guys have is employees own SaaS. They're the user, they own it, they're the ones who buy it and all of these things, and now you get them to secure it. So how did you come up with that concept, the user centric aspect? And how is that kind of accomplished? What are the benefits of making it more user centric?

U1

Yeah, absolutely. So, I mean, if you think about how traditionally work services used to be introduced into an organization, it was always done centrally by IT, right? So you'd have servers hosted somewhere inside the company. You'd have an employee put in a request for a new work service, and then the IT team would be the ones to actually go off, secure that, install it on the server, and then give people access to it. And so security then had a central place to actually go in and enforce controls and actually apply security controls inside the organization. And with SaaS, that model has been completely broken open. And now what we have is actually this decentralized IT model. So there's multiple surveys and varied stats around the Internet. But one I read that was very interesting was 77% of SaaS spend and SaaS applications now belong to the kind of individual employees and business units themselves, rather than centrally to IT. And also that 80% of employees will now admit to bringing a work service like a SaaS platform into the organization without even telling IT. So it's very, very obvious now that we're in this position where employees are the ones bringing new work services into the company. And this is a really good thing. It's amazing for productivity. Of course, an individual team like Finance will know what finance software they need. So it makes sense for them to go and experiment with different SaaS and bring them into the company; IT with IT, developers with developers, and so on. So we're in really a position now where this is the future, this is where the world has gone, and employees therefore own the SaaS. And it's not really as easy anymore to be able to centrally enforce security controls because of the fact that it's dispersed. The idea of user centric is to actually nudge and guide the user. As they're procuring these different work services, the platform will actually nudge and alter their behavior.
Say, hey, you just logged into this platform, but you've signed in with a weak password that's been breached, or part of a prior breach or somewhere on the Internet, or you don't have multi factor authentication enabled, for example, and actually encourage them to take the right behaviors.

U2

So obviously, when you look at the SaaS security aspect of it, why haven't some of these larger security companies focused more on SaaS? You think because a lot of it is focused on the network perimeter, and not as many of these large, well known security companies have focused more on kind of the SaaS aspect of it. Why do you think that is? Where they just haven't gotten into it yet? Or how are you doing it differently? And why haven't they gotten to that area, you think?

U1

Yeah. Yeah, good question. So there are a lot of companies focused on SaaS security now, but I think the larger companies tend to focus on SaaS in more of a sort of traditional approach. So there's a category called CASB, cloud access security broker, which is the famous category for targeting, and is probably one of the least popular categories in security. And the reason for that is because it's huge. It's still like something like 9 billion a year, I believe, spent in that category. But unfortunately, it's kind of a common agreement that it hasn't really delivered on its promise. And the reason for that is because it tends to use network traffic and logs in order to discover the SaaS that employees are using. And the problem with that is you can't always tell the difference between when an employee has just visited a SaaS application or whether they've actually logged into it. Right. Because it's just network traffic. You certainly can't easily, without doing something not great like kind of intercepting TLS and that kind of thing, inspecting traffic at a deeper level, work out what security controls are applied on that user's account. And the biggest thing of all is that if you do discover that employees are using certain SaaS, then what do you really do about it? Right? You can see that employees are all signing up and using this particular SaaS application that you don't want. You now have to go and chase those employees and go and talk to them, ask them why they're using it. You have to identify the issues and then get them to go off and fix it, or you just block them at the proxy. And the problem with those approaches is that blocking employees, obviously, it really hinders productivity inside the company. Company A is allowing employees to be free and embrace and use technology. And Company B isn't. It's simple, Company A wins. Okay? So that doesn't really lend itself to that.
And then the problem with actually going off and having to chase employees all the time, it comes back to exactly what I said at the start of this discussion, is that you're getting more on your to do list. It's increasing the workload on the internal IT security, and there's more and more stuff to do. So our view here is that by actually using user centric security, rather than sort of detecting and blocking, you're actually embracing the fact that employees can go off and use and discover and experiment with and start using new SaaS applications. But you're confident that they're being kind of guided to adopt them in a secure way.

U2

Yeah, no, a follow up question to that. These are great information and insights on the challenges that companies face. So anytime you mention user centric, meaning yes, you're giving the power to the user to kind of, I wouldn't say police themselves, but even protect themselves or secure themselves. I think a lot of companies hearing that will have the question for you, or doubt, which is, hey, what if the people, that's more work on them, or hey, like, they don't want to do that, they're going to be doing something else. And that actually, it's going to be an opposite reaction of, this is like another thing I have to do, or hey, I don't want to do that. Or hey, I'm not a security person. Like, why am I doing that? What would you say to that? That kind of maybe feedback or thought of, okay, if I actually give the power to the user now to use it, that sounds great, but then in reverse, it's kind of like maybe there's some concerns caused by that. What do you think?

U1

Absolutely, yes. A couple of points to that. So the first thing really is that if you have a good security culture inside a company, generally employees don't want to be the reason that the company gets breached. Right. Cybersecurity is all over the headlines. It's something that people are aware of now, and they log into their bank each day. People have this level of security awareness, and they generally want to do something, but what they don't want to do is, as you said, they're very busy and they're doing other things. Our observation has been that employees don't mind doing these things as long as you make it easy for them. So as much as possible, we will send somebody notifications where they just make a single click. So, for example, if they installed a cloud application and they did an integration back with their Office 365 tenant, an OAuth integration or whatever, and that integration might access a lot of their sensitive data.
So for example, it could be they're able to access all of their OneDrive or their Google Drive files, or have access to their email, and the platform would observe it over a period of time and say it hasn't been used for 90 days, for example, and initiate a conversation with the employee just to say, hey, this application that you installed has actually got access to quite a lot of your data. You haven't used it for 90 days. Can we remove it? And you just say yes or no. It's a single click, and then it goes. And I think the point there is you're not outsourcing the security team's job to employees. You're asking them for context. It doesn't look like you're using this anymore. Can we get rid of it? Or hey, this suspicious activity occurred. Was this you? Yes or no? And you're keeping it really simple. So that's one aspect, keeping it as easy as possible and making sure that you're not sort of actually outsourcing security tasks directly. But the second thing is, don't think about user security as a binary, as in does it work or does it not work? Will employees do it or not? It's about improving communication around the business. So it's kind of like open sourcing security, in a way. So what it means is, if you imagine not having it, and you're in the security team and you observe that an employee in the company somewhere logs into, I don't know, Jamf or another MDM solution, using a password that is part of a prior breach and is being leaked somewhere on Pastebin. So an attacker at any time could discover that, log into Jamf, and use that to deploy ransomware across the estate, for example. And you don't have user centric security. You now have to contact that employee and talk to them. And you say, oh, hey, Barry, you just logged into Jamf using this weak password. And they're kind of, sorry, who are you? And it's like, oh, I'm Adam from security. How do I know you're Adam from security? How do I know that you're not actually the attacker? And it's like, okay, let me send you a Slack message to prove it, okay? And then you're having the conversation, and then after you've done that, you're chasing them and chasing them. User centric security changes the dialogue from being that to, hey, Barry, you just logged into Jamf with a weak password. Oh, yes, sorry, I saw that. Okay, I'll get that done. Right? Does that make sense? What we're saying here is it's not just this binary aspect. The security team needs to go out and reach out to the employee anyway to ask them the questions, and user centric security just makes that whole process much easier.

U2

Yeah. And that's what I love about your service. I've obviously seen it, heard it many times, and I think it's amazing. I think that it's the right approach. Obviously, the last two years with COVID, it has really changed the world in a lot of ways. But I think one thing it has accelerated is the digital transformation, where remote work is even more prevalent now, might be the default in the future, where now you have users working from home, working anywhere, which is fantastic, in a way, for employees, the freedom. But now it's even harder and harder for security teams. It's harder and harder to manage the business and the company and security. So what do you think, with your kind of security expertise, what do you think has changed in the last two years due to COVID that's good for hackers and bad for the companies, and that whole shift? What do you think has been happening there?

U1

Yes. So a couple of things. I mean, when people started shifting to work from home, we've seen more companies embrace more SaaS applications, in fact, right? So rather than, again, the work services being hosted internally and then you access them directly through a VPN, for example, they would just instead expose them to the Internet. And that meant either putting work services on the Internet when they hadn't previously been exposed to the Internet, which might bring the introduction of some security vulnerabilities, or just adopting any SaaS application. And so there's some very interesting kind of growth figures in SaaS on its own. There was a huge spike up through the pandemic of people doing that. So these SaaS applications are much more prevalent, there's more per company, and that forms part of the attack surface. But the other thing is that now it's forced, I'd say, and sort of accelerated this decentralized IT model that I'm talking about. I mean, some employees may be at home logging back into a central network through a VPN, but many also aren't, right? They're just logging in directly from their home through their ISP and directly out to a SaaS application. And so if you're in a position where you want to use that blocking and enforcing model, where you sort of block at the proxy to stop people from accessing particular SaaS, that's actually become a lot more difficult, and it forces you to get a bit more creative in the way you do that. So that was one of the other reasons that we think that kind of using a user centric approach just makes that a whole lot easier in this kind of paradigm.

U2

One of the things I love about your service, Adam, as well, is it's extremely useful, powerful, impactful, yet it's still cost effective. I think when a lot of companies we talk to, especially maybe the SMB and mid-market, they feel like they don't have the budget, they don't have the money to have all these security services. But can you talk through, because I know with your service you can help with SMB, mid-market and enterprise, can you kind of talk through, on each of the levels, how you kind of support companies that are smaller, yet you can scale up as well to some of the largest companies out there?

U1

Yeah, of course. So I think somebody said to me the other day, a user's feedback, which I really liked, and they said the magic of Push is that you could use it without having an IT or security team. And what they meant by that was the smallest company that we have using it at the moment is a 20 employee company with no IT and security team, because it's very, very quick and easy to set up, because you log into the platform. We've intentionally kept it very nontechnical and easy to use. And so there's just a couple of API integrations and then the deployment of a browser extension into each employee's browser, which you can do centrally. So it's very, very quick to kind of get up and get going. So smaller companies are using us because of the fact that, as we were saying, you can kind of set it up very quickly and then it's kind of set and forget. Employees are the ones then going off and taking small actions to improve security of the organization over time. And then much larger enterprises, they do have the resources to be able to administer. But if you imagine if you get up to sort of tens of thousands of employees, this problem gets exponentially worse. If you're in a position now where you are logging into a dashboard and you're having to reach out to each employee to ask them about a weak account that they just signed up to on a SaaS platform somewhere, if you've got to reach out to thousands and thousands of people every day, it becomes very difficult. So larger companies then are coming to us because of the fact that it helps them with this scale issue. If they can get people to sort of automate the conversations with employees, it allows them to spread themselves a lot further.

U2

Yeah, and that's another great point. Obviously a lot of it, like you said, smaller businesses don't have an IT or security team, but they still need some solutions. And this user centric model, I think, was a smart move. So as we wrap up here, Adam, one of the last questions we like to ask guests is, with all your experience and what you know about the security space, if there was one personal advice or business advice, whichever you like, that you're really passionate about, that you would want to share with the audience, what would that be, you think?

U1

Yeah, I mean, I'm obviously coming at this from the perspective that I've immersed myself in the SaaS security world, and so I'm looking at it through that lens. But through my career, I've seen a lot of different phases happen in the industry and attackers shifting their focus at different times. It happened when, for example, attacks always used to be very much about scanning the public-facing or internet-facing services, identifying which are the ones that belong to your target company, finding vulnerabilities in the kind of mail servers, VPN endpoints, and then pivoting into the file and into the internal network there and doing that. And then actually, the industry got pretty good at securing against those sorts of attacks. And so attackers shifted their focus and they moved it into doing kind of what we call client side attacks. So targeting employees by, for example, sending them an email, like a spear phishing attack with a malicious attachment. And that attachment, when it was run, would take control of the employee's laptop and it would allow the attacker then to move around in the internal network. And there was a lot of focus on that first category of attack, the kind of internet-facing side. Now the shift has focused onto the client side attacks. And that's where people are focused at the moment.
But attackers now have shifted their focus again, and we're seeing this uprising of this third area, and it's an area that we are helping people raise awareness of. And what happens here is that attackers now, you know, there's 25,000 SaaS companies today, something like that. And what attackers will do is just simply scan across all of those 25,000 SaaS applications on a continual basis to identify weak user accounts. So as a user then signs up to an application somewhere on the Internet, the attacker will just get an alert and say, hey, you've just gained access to company X's user account. And they can log in and they can sort of see what that is. And this is kind of a new shift. This is now how we see attacks trending in the future. And this is an attack surface that people aren't thinking enough about at the moment. And the reason they're not thinking about it enough is because of the fact that it's kind of in the shadows for a lot of organizations. It's not easy to detect, cultivate, and no one really ever gets a pen test of their SaaS applications, right, because they're not owned by them. So if you were a company and you used 100 different SaaS applications and you picked, I don't know, Jamf again as an example, and you commissioned a security firm to do a pen test against Jamf, Jamf would be really annoyed, right? You're not actually allowed to do that, and so therefore it's not really on any company's kind of risk register. So this is an area that I sort of encourage people to think about. It's a kind of silent way that people can get into organizations. And we're starting to see some quite interesting trends beginning to come up in the industry, which really back this up. The two most notable, I think, is the Verizon Data Breach Report that came out, well, the 2022 version. And they take the best part of a million incidents and they compile all the results together to look for trends. And one of the things they say in there under the Web applications section is that somewhere in the high 90% of attacks were against web applications, and the technique that was used to break into those applications over 80% of the time was from stolen credentials. So if you take into consideration that a SaaS application is just a web application and attackers sort of spraying across looking for these weak accounts, then it sort of shows how much this is happening. And the second report that we saw that was very interesting is a company called Auth0. They're owned by Okta now, and it's a very prolific platform for doing authentication. So in simple terms, a developer would use them to create the login page in their SaaS platform. So they therefore have effectively a login interface to lots and lots of different SaaS companies. And they released a report just this year talking about the different trends. And one of the things they said in there was that 58% of their customers' login attempts are through stolen credentials.
And something like 34% of the traffic is login attempts through kind of weak or stolen credentials. So we're starting to see this interesting trend come up in the market, and I think it's something that companies should start to think about as another potential attack vector.

U2

Yeah. After hearing all that, I got one last interesting question for you. I'm going to call this the trillion dollar question, because if somebody can figure this out, they'll probably be a trillionaire. But obviously you've been in the security space. You've been on both sides of the security, let's call it, right. And will there be a day, whether that's five years, ten years, 50 years from now, with the growth of AI and the power of AI, is there a day where, through AI, maybe there's no more security loopholes, where there are no security issues or anything like that? Is that possible? Or basically it's just that the hackers adapt to whatever it is and there's always a loophole. And so they're always going to have business, or they're going to find something. There is no utopia, I guess, even with like an AI in the future, you think?

U1

Yeah, I could very safely bet and say that security will always be a thing and there will always be a way around everything. And I think it's always just about getting the balance. The system becomes unusable when it's fully secure. And I think even with the prevalence of AI, right, that itself is a system. It always has the same weaknesses. And will people start to use AI to attack AI? That's kind of the question. But I mean, I've definitely gone through phases in my career where a vendor like Microsoft or Google or somebody who owns the big platforms en masse will introduce a security feature, and everyone kind of shook and wondered, wow, is this the end of this particular attack? Everything is going to get much harder, and it certainly stops attackers in their tracks, but usually only for a matter of months, and then people adapt and they find ways around it and then it kind of comes back again, I think. A 100% secure system, I just can't see that happening at all. But I don't think people should strive for that either. It's really about kind of risk mitigation and just balancing that and just getting the appropriate level of risk. Right. Your house is never going to be 100% secure, but would you block up all the windows and doors and have to go through opening ten different locks to get in and out every day? You probably wouldn't. You just do enough to put somebody off.

U2

Yeah, that is such a great analogy, man. I got to go buy more locks now. But no, this has been a great conversation, Adam. Thanks a lot for all your insights, and super excited to partner with you guys. That was an amazing episode of the Did You Know podcast with Varisource. Hope you enjoyed it and got some great insights from it. Make sure you follow us on social media for the next episode. And if you want to get the best deals from the guests today, make sure to send us a message at sales@varisource.com.