Supply Chain API Attacks and the Origins of Valence Security

Earlier this month, I was fortunate to have the opportunity to chat with Andy Ellis, a highly respected security professional and currently Operating Partner at YL Ventures, on the main stage at the Cybertech 2022 event in Tel Aviv. Also on stage were Ira Winkler, Chief Architect at Walmart, Anthony Johnson, Co-Founder and CISO at Delverisk, and Sounil Yu, CISO and Head of Research at JupiterOne. The subject we discussed was the pivotal role that supply chain attacks, especially those involved in the SolarWinds attack, played in our ideation process of building Valence and developing the concept of our SaaS-to-SaaS Supply Chain Security Platform.

Major security breaches like SolarWinds are often catalysts for new startups and security solutions. Valence was no exception, though we didn’t set out to specifically solve the SolarWinds problem. Rather, we saw the SolarWinds attack as a symptom of a series of complex supply chain attacks.

So we spoke to as many CISOs and security practitioners as we could in order to better map out the road to managing those supply chain risks. What we realized was that the SaaS-to-SaaS supply chain thrives on trust. When non-IT users and business units manage SaaS applications without IT security governance, the entire interaction between the organization and the vendor from that point forward is based on trust regarding activities undertaken by the app within the organization. But as new potentially risky integrations are added to a sanctioned SaaS application, this trust must be re-evaluated and managed on a daily, continuous, and automated basis, and that is what we aimed to do.

When setting out on our startup journey, Shlomi and I began focusing on the vulnerable aspects of SaaS application use and sprawl as cloud migration grew exponentially. We zeroed in on aspects of privileged access, authentication, and improving industry controls in these areas. The SolarWinds campaign illustrated - to the extreme - the various techniques that can be used to exploit supply chain access.

Attackers understand that they need to target the weakest link within an organization's security posture. They see this mesh of SaaS-to-SaaS integrations, and realize that once they find a vulnerable third-party vendor with access to your organization, they can easily find the right path into your sanctioned business-critical apps, and the sensitive data within the organization.

The CISOs and security experts we consulted also helped us to understand how the industry was fortifying its defenses in light of this threat, and what their current methods and mechanisms are for addressing third-party risk, supply chain access, and controls for access of external vendors into their organization. Most, surprisingly, were struggling to manage them through cumbersome, time-consuming manual processes or lacked proper visibility and control into this risk surface. Over time, we realized that we had opened a Pandora's box of risks and management challenges related to the decentralization of IT.

Users are now onboarding countless new services and vendors, and providing them with access - sometimes privileged access - to the kingdom. We noticed that these applications no longer operate in isolation, but rather form an integration mesh of various business applications in the cloud, through no-code/low-code automation like Workato and Zapier, third-party OAuth apps in platforms like Slack, Microsoft 365 and Salesforce, or API tokens configured by decentralized admins. These applications get adopted by business units throughout the organization, and security teams have no governance or control over them in order to secure their access.

Organizations have lost control over which API token was granted to which third-party vendor, and security teams need an easy, automated way to remediate risks to their sanctioned business-critical SaaS apps and data arising from unsanctioned non-human identities and third-party integrations. These risks include a lack of visibility into third-party applications, their integrations, level of permissions, and risk, which makes auditing and maintaining compliance almost impossible. They also include failed offboarding of high-risk, unused, or abandoned integrations, and the inability to maintain least-privilege access for third-party integrations by right-sizing overly broad access privileges.
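To make the three risk classes above concrete, here is an added example (written for this page, not Valence's product code) of the kind of triage a security team can run over an inventory of third-party OAuth grants and API tokens. It assumes the grant records, scope names, the allowlist of sanctioned vendors, the per-app "needed scopes" manifest, the 90-day staleness threshold and the as-of date; all of these are constructed for illustration and would normally be pulled from each SaaS platform's admin API and the organization's vendor review records.

```python
"""Triage third-party SaaS integrations for stale, unsanctioned and over-privileged grants.

Added example for this post, not Valence's code. Every record, scope name and
threshold below is a constructed assumption; real data comes from each SaaS
platform's admin API (OAuth grants, personal API tokens) and vendor reviews.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2022, 3, 20)                      # assumed as-of date for the run
STALE_DAYS = 90                                # assumption: unused this long = abandoned
IT_ADMINS = {"it-admin@example.com"}           # constructed: who may grant access
SANCTIONED_VENDORS = {"Zapier", "Slack-Notifier"}   # constructed vendor allowlist
# Constructed manifest of the scopes each sanctioned integration actually needs.
NEEDED_SCOPES = {
    "Zapier": {"files.read", "users.read"},
    "Slack-Notifier": {"channels.write"},
}

# Constructed inventory in the shape most SaaS admin APIs expose per grant.
GRANTS = [
    {"app": "Zapier", "granted_by": "ops-lead@example.com",
     "scopes": ["files.read", "files.write", "users.read"], "last_used": "2022-03-10"},
    {"app": "Slack-Notifier", "granted_by": "it-admin@example.com",
     "scopes": ["channels.write"], "last_used": "2022-03-14"},
    {"app": "OldCRM-Sync", "granted_by": "sales@example.com",
     "scopes": ["contacts.read", "contacts.write", "admin"], "last_used": "2021-06-01"},
    {"app": "BI-Connector", "granted_by": "analyst@example.com",
     "scopes": ["reports.read"], "last_used": None},
]


@dataclass(frozen=True)
class Grant:
    app: str
    granted_by: str
    scopes: frozenset
    last_used: Optional[date]     # None = token issued but never exercised


def parse_grant(record: dict) -> Grant:
    """Normalise one raw inventory record into a Grant."""
    last = record.get("last_used")
    return Grant(app=record["app"], granted_by=record["granted_by"],
                 scopes=frozenset(record["scopes"]),
                 last_used=date.fromisoformat(last) if last else None)


def assess(grant: Grant, today: date = TODAY, stale_days: int = STALE_DAYS) -> list:
    """Return the list of findings for a single grant (empty list = nothing to do)."""
    findings = []
    # Visibility: is this vendor known to security at all, and who let it in?
    if grant.app not in SANCTIONED_VENDORS:
        findings.append("unsanctioned-vendor")
    if grant.granted_by not in IT_ADMINS:
        findings.append("granted-outside-it")
    # Offboarding: tokens that are never or no longer used should be revoked.
    if grant.last_used is None:
        findings.append("never-used")
    elif (today - grant.last_used).days > stale_days:
        findings.append(f"stale:{(today - grant.last_used).days}d")
    # Least privilege: compare granted scopes with what the integration needs.
    if grant.app in NEEDED_SCOPES:
        excess = sorted(grant.scopes - NEEDED_SCOPES[grant.app])
        if excess:
            findings.append("over-privileged:" + ",".join(excess))
    else:
        findings.append("no-approved-scopes")
    return findings


def recommended_action(findings: list) -> str:
    """Map findings to one action, most severe first."""
    if "never-used" in findings or any(f.startswith("stale:") for f in findings):
        return "revoke"
    if "unsanctioned-vendor" in findings:
        return "review-vendor"
    if any(f.startswith("over-privileged:") for f in findings):
        return "right-size"
    return "keep"


def triage(records: list = GRANTS, today: date = TODAY) -> dict:
    """Run assess() over the whole inventory, keyed by app name."""
    return {g.app: assess(g, today) for g in map(parse_grant, records)}


if __name__ == "__main__":
    for app, findings in triage().items():
        print(f"{app:15} {recommended_action(findings):13} {findings}")
```

Running it prints one line per integration with the recommended action, so an unused CRM sync with an `admin` scope shows up as a revoke candidate, while a sanctioned automation tool that merely holds one more scope than it needs is flagged for right-sizing rather than removal. The point of keeping the scope manifest separate from the allowlist is that "approved vendor" and "approved permissions" are different decisions; the second one is what decays over time as integrations are reconfigured.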

The SolarWinds attack campaign proved that the current lack of oversight and management can have disastrous consequences. Our goal when founding Valence was to ensure that when the next attack occurs, organizations are as prepared as they can be, with comprehensive security mechanisms in place to ensure business continuity.