Expert Insights spoke to Boris Gorin, co-founder and CEO at Canonic Security. Gorin has been in cybersecurity for over two decades and has spent the last ten years specializing in securing SaaS applications.
Can you give us an overview of Canonic and your AppTotal SaaS app sandbox, how it came to be, and how it functions?
If you think about all these big-name SaaS applications, like Salesforce, Google Workspace and ServiceNow, they’re kind of breaking up into smaller pieces, add-ons and integrations. You don’t need the IT to set up these applications, you can just go to a website and get a plugin for Salesforce or Google Workspace, and then you’ve basically entered into business with them. Then you’ve got a handful of developers in other countries who have access to your data and whom you pay and trust, but that still brings up privacy and security issues. If you think about it as a larger organization, and multiply the number of employees and business apps, then you get a pretty significant problem. How do you manage that securely? And how do you let people connect whatever they want without worrying about what these apps are doing, while staying compliant and secure?
So that’s what Canonic addresses. We help organizations streamline pre-vetting process and continuously monitor apps after connecting them to their environments. Imagine, for instance, that you’re a large company, and you want to get a new add-on for Zoom. You want to connect a new whiteboard app, but this app just so happens to have access to call recordings. As a responsible employee, you send a message to IT and say, “Hey, I want to connect this new whiteboard.” And the admins will say, “Okay, but we’ve got to look into the security.” If they did that manually, it would take days or even months, and you would forget you even asked or needed that add-on.
With Canonic, that should take you a few minutes. Instead of having a security engineer actually dive into an app to test its safety, they can just go to AppTotal. They can plug that app into AppTotal, which creates a sandbox—a virtual environment—and starts to monitor the add-on to see what it does. It basically helps security engineers very quickly vet these apps and understand whether they’re benign or malicious.
How important was it for you that AppTotal as a free, open community version?
It was extremely important. It takes a lot to provide a free premium service and keep it healthy and valuable for its users. You really have to adopt a particular mindset as a commercial company. We’re not a nonprofit organization, we don’t run on donations. We’re a business. So, firstly, you have to embrace the fact that everyone’s going to try and copy that solution. And every one of our competitors and every one of the companies in the adjacent markets are using AppTotal on a daily basis.
It also serves a greater purpose in the sense of trust. We’re providing value to the security engineers who we serve. They also appreciate the fact that we don’t just try to pitch them, sell them and spam them, or do cold outreaches, because the security industry is already so fatigued. There are so many vendors and they’re all the same, and everyone’s talking the same buzzwords and pitching the same stories. We wanted to separate ourselves from that. The evaluation point of any new software really comes through getting value first, for the consumers and for the users.
And it works in turn for us because, by using AppTotal, they get to learn about Canonic and what we do. Then it goes into, “Hey, I like this feature you guys have. I have to have this!” Or, “I’m missing some features. And I really need support. And that’s got to have some enterprise security thing in here.” And they already know us from AppTotal, so they reach out to engage with us.
So, having AppTotal as a free, open service was super important for us both in terms of our positioning in the market, and framing us as being trusted as an app authority.
In recent years, we’ve seen huge changes in the ways that people work and engage with digital services, including increasingly more companies moving towards SaaS and an increase in remote or hybrid work. What kind of threats have you seen as a result?
As an industry, we have been talking about employees going outside of the network perimeter for about a decade now. We always knew it was going to happen and it was inevitable. The pandemic kind of made that reality just a bit faster. So now you’ve got no office, no network. Everyone’s going to use whatever device they like or is the most convenient thing to help them do their job as fast as possible.
Humans have always been the primary target; even when you think about the enterprise security model, attackers don’t attack infrastructure and they don’t attack servers. Maybe sometimes, but if you look at the major breaches and look at the numbers, it’s mostly around phishing, it’s social engineering, it’s about malware that arrives through email and so on. And now, in this remote world, it’s just been amplified because teams have no control whatsoever.
And that’s extremely relevant for us at Canonic. Because naturally if you think about shadow IT, usually it’s about employees that are using their own tools to get their job done faster. Or searching for something and plugging it into their corporate environment, then using it. And the next thing you know is, this thing they’ve plugged in has access to all of your data. And you can’t stop people from doing this, because you’re going to hurt productivity and hinder your users. So, it’s finding ways of working around it and making it secure.
Your website mentions app impersonation, can you talk to us more about how that attack actually operates?
Probably the most famous example here is the one that happened during the US elections in 2016, the John Podesta case. Allegedly, got an email saying, “Hey, we’ve just detected your account has been compromised, and you have to enable Google Defender to secure your account.” The story goes that he emailed an admin, and the admin said it was okay, it was from Google and that’s a Google account security application, so you can go ahead and open it. What it actually was, was a malicious app called Google Defender, which got access to his account, and the rest is history.
That’s one story. About a year later, in May 2017, there was something called the Google Worm. You basically get an email from someone in your contacts–someone you emailed previously–asking you to view a shared document. Once you click that, it will harvest all your other contacts and send them the same email. This particular attack reached tens of millions of people just in its first hour until Google shut it down. I was at Proofpoint at the time, and it was like a warning call because it could’ve been much, much worse. It could have planted a seed and replicated itself.
How can Canonic help organizations to overcome these challenges and combat these threats?
All these apps operate on OAuth, which was invented around 2010. Security usually follows technology. When a new tech is born, no one can think of every security risk out there. We can’t just solve all the problems this might have before we actually see the app get adopted.
Whenever you create a new application, the name of the app is completely arbitrary. So, I can create a new OAuth app and call it Facebook. I can then share it and say, “Hey, check out this new Facebook app.” You open it and see the brand icon, and a message that it’s requesting access to your Google Drive or whatever. As an internet user, you’re not going to reverse this thing to open it up and investigate it. You just look at it and think, “Oh, Facebook. Great. Okay, send it over.” So that’s app impersonation. And we’ve seen that just growing and growing over the years.
So, then it’s down to, as an organization, figuring out how to prevent these threats. You probably have some kind of process for vetting new applications as they come, and you want that as fast and as automatic as possible–without actually impacting employee productivity.
Most of the time, the apps are going to be harmless. Then some of them are going to go under the magnifying glass and be automatically blocked. If you look at the market, I think a third of companies have this kind of process. The problem is that they do it manually and it takes so much time. It’s ineffective and inefficient. Another third isn’t doing anything at all, or they’re trying to restrict it and end up impacting productivity. This is where we come in with AppTotal and its sandbox. We really streamline that process.
As a final question, do you have any parting advice to companies looking to increase their number of SaaS applications and what that they need to look out for?
Cross fingers? Pray? I think with most of the breaches and most of the security issues, they’re not coming in due to lack of policies or lack of controls. It’s from lack of enforcement or a lack of execution of these controls. It’s not hard to think of a policy that says, “Hey, I’m going to look at everything that my employees are using, and I’m going to vet it.” But you really have to make sure that everything that goes in there gets vetted, and that’s the difficulty. And it goes across every vector.
Everyone understands they should have multi-factor authentication for every user account in your SaaS platforms and your applications. That makes a lot of sense. If you ask any CISO out there, they’ll say that all their users have multi factor authentication. Well, in practice they don’t–for various reasons.
It’s about making sure you have the right controls really, and making sure they’re configured correctly, then you’re 80% of the way there. You need to make sure these controls are being enforced and you have the processes to monitor them. Then, most of the time, you should be okay.