As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Roey Eliyahu, Co-Founder and CEO, Salt Security.
Roey Eliyahu is a former team leader of an elite cybersecurity unit, developing high-end security systems, in the Israel Defense Forces (IDF). He went on to found the cybersecurity college that trains the next generation of leaders and prepares them for serving in the IDF’s elite security units. Roey also led the development of security system projects at Cigol Digital Systems, a military-grade security systems company, before moving to Silicon Valley in 2016 with his idea for an API security technology that leverages Big Data and AI. It’s there he met his co-founder and launched Salt Security. Roey has led the company to be a 2019 RSA Innovation Sandbox Finalist, a 2020 Gartner Cool Vendor in API Strategy, and to land a total of 30 million dollars in funding to date.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in Israel and from a very young age had a huge passion for technology and entrepreneurship. In 2007, when the first iPhone came out, I was amazed by the global impact a single product was able to make so quickly. I started programming when I was 9 years old and fell in love with it and at 11 I started to work as a freelance developer.
At 18 I was selected to join the elite cyber security unit of the Israeli Defense Force (IDF) and was quickly promoted to lead the development of high-end cyber security systems. After that, I founded a cyber security college to train the next generation of the elite cyber security leaders for the IDF. It grew very fast from inception to profitability, all in less than 3 months, completely bootstrapped.
When I was 22, I saw a huge overlooked security problem in the field of API security. It was something that I saw had impact everywhere since more and more applications were being built with APIs at their core. That inspired me to start Salt Security to address the problem.
I’m proud to say that Salt Security is the first patented solution to protect APIs that are the core of our digital world and important to so many of the applications that we all depend on every day.
Starting the company, I set out with a mission to make it safe for companies to innovate and to enable the digital transformation we are experiencing everywhere today. I really think it will be impossible to continue to see the types of applications and rate of innovation that we’re experiencing without the right security to protect these applications.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
One I remember well is when I was first introduced to Trojan viruses. I was 11 and chatting with someone online and he sent me a fun little game. A day later he suddenly sent me a message saying, “can I open the disk tray for you?” and the second I read it, my disk tray was open. It was scary and fascinating at the same time. I did some research and discovered that the game was a Trojan and allowed him to control my computer.
Can you share the most interesting story that happened to you since you began this fascinating career?
Early in my journey I moved to Palo Alto to start a company and heard about Y Combinator and its reputation as the best startup accelerator in the world. Since it was super competitive and the acceptance rate was extremely small, initially I didn’t even think to submit an application since I thought the chances of getting accepted were slim. I had the chance to share my ideas about creating Salt Security in another forum, and one of the panelists was a Y Combinator partner. He suggested I apply — I had two days to meet the deadline. I was accepted, and Y Combinator President Sam Altman was my mentor in the program — it was an amazing experience.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’m super grateful for meeting my co-founder Michael. When I started to explore the idea of building a company to protect APIs, I had never sold cybersecurity solutions to enterprises, so I started to map all the successful companies in cybersecurity that had exits. I wanted to see who at these companies had built and led sales teams from the ground up. Michael was at the top of my list. He had the right experience and amazing success scaling several companies from inception to over 100M dollars in revenue. I was able to connect with him through mutual friends and he loved the idea and the space we were going after. We had amazing chemistry right away, and he joined me as my co-founder. Without him, Salt Security would not be here today.
Are you working on any exciting new projects now? How do you think that will help people?
My only project now is to keep Salt Security growing and focus on our mission of making it safe for companies to innovate by protecting their APIs.
It’s said that over 80% of all internet traffic today runs over APIs. Everything you do online, all of the apps on your phone, they all run on APIs — social networks, streaming services, online retailers, food delivery services, banks, healthcare providers and more. We’re increasingly dependent on applications built on APIs, and these APIs are transmitting more of our sensitive data. When a bank or retailer uses our solution to protect their APIs, they’re ultimately doing it to protect not only their service but also your and my data.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The most basic thing is that you have to love what you do. There is no way around it. You have to be passionate to succeed because the challenges are endless. Reminding yourself of your ultimate goal gets you through the hard tasks and the boring tasks.
At the same time, you also need to periodically step back and take a break. Doing so helps you recharge and look at hard problems with a new perspective when you return. Every few months I try to take a long weekend, and every year, I try to use the holiday season to take a couple weeks off. The most important thing is to let go of work and truly enjoy your time off. Without that you will never get refreshed or reenergized.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First is the people. This industry attracts so many extremely talented and interesting people. I’m constantly impressed by the caliber of the people I meet.
Next is the market. The cybersecurity industry is almost completely resilient to crisis, as long as you are solving a truly hard problem. Companies can’t ignore you, because even in crisis, they still need to protect their business.
Finally the technology. Cybersecurity is an industry where you must keep innovating since attackers and the attack surface continuously evolve. This constant innovation makes every day really interesting, providing new challenges to solve all the time.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
As APIs have become a growing target for attacks, we’re seeing more attackers target login mechanisms with credential stuffing attacks as well as denial of service attacks that look to overwhelm and knock a service offline.
While these attacks use large amounts of activity to achieve their goals, even more concerning are the more subtle attacks that we’re seeing. For instance, a single authenticated attacker can probe an API while staying under the radar and have a significant impact. They can do things like take over an account, access unauthorized data, perform a denial of service attack, or even exfiltrate an entire database of sensitive data.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
At Salt Security we are seeing API attacks on a daily basis and stopping them before the company is breached. APIs are probably one of the most valuable assets that companies have, since they connect so many critical data sources. But many APIs are completely exposed to the Internet and are constantly getting attacked. We prevented one of our customers, for example, from accidentally revealing their own customers’ sensitive data when an attacker replaced a specific term with a wildcard in an API call.
Unfortunately, many companies still rely on traditional tools to protect APIs, so we see lots of API-related breaches every month. The main advice I would give to any company is not to ignore their APIs. You will be surprised how much you will discover and how many attacks are happening under the radar.
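The wildcard anecdote above, as an added example that is not from the interview or from Salt Security's product: a lookup handler that hands the request parameter to a glob matcher (so a wildcard returns every customer's record) beside a hardened version that validates the identifier's exact format and scopes the result to the caller's tenant. The customer store, the `ACC-NNNN` id format and the tenant names are constructed assumptions.

```python
import fnmatch
import re

# Constructed in-memory customer store (sample data, not real records).
CUSTOMERS = {
    "ACC-1001": {"owner": "tenant-a", "email": "a@example.test"},
    "ACC-1002": {"owner": "tenant-b", "email": "b@example.test"},
    "ACC-1003": {"owner": "tenant-a", "email": "c@example.test"},
}
# Assumed exact identifier format; wildcard characters cannot pass this check.
ACCOUNT_ID = re.compile(r"ACC-\d{4}")


def lookup_vulnerable(account_id):
    """The pattern behind the anecdote: the query parameter goes straight to a
    glob matcher, so "*" or "ACC-*" matches every customer's record, and nothing
    ties the result to the caller."""
    return {k: v for k, v in CUSTOMERS.items() if fnmatch.fnmatchcase(k, account_id)}


def lookup_hardened(account_id, caller_tenant):
    """Validate the identifier against its exact format and return a record only
    when it belongs to the caller's tenant; missing and foreign records get the
    same answer so the endpoint does not confirm which ids exist."""
    if not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("invalid account id")
    record = CUSTOMERS.get(account_id)
    if record is None or record["owner"] != caller_tenant:
        return None
    return record
```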
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Hacking APIs is extremely simple — you don’t need a lot of special tools. You only need an API client with a sniffer like Postman, some time, and your brain. From there, it’s a matter of trial and error, understanding the business logic of an API, looking for ways to manipulate the API calls, and looking for places in the logic that developers usually get wrong. Developers build APIs to perform specific functions and don’t think about how APIs can be misused the way an attacker does.
A great reference for the top API vulnerabilities is the OWASP API Security Top 10.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Hiring a CISO depends only on one parameter — what is the financial reward for an attacker to hack your company. If the reward is significant enough, your company is at risk, and it’s only a matter of time before you get attacked.
You typically see that the size of the company and the amount of data they store correlates with the financial reward for an attacker. Each industry weighs this risk a bit differently. Obviously financial services and fintech companies are much more sensitive, even when they’re still small companies, since the data they store is highly sensitive — and therefore valuable. B2B companies also tend to have a lot of sensitive and valuable data, as do consumer companies.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
It really boils down to abnormalities in your environment, but this can be really difficult for humans to detect given the uniqueness of APIs, their complexity, and the volume of normal activity. Here are some ideas to consider:
1. High Rate of Login Errors: Authentication is the gatekeeper for most applications and the first barrier that an attacker must cross. If they’re trying to gain unauthorized access, you might see a spike in login errors. This metric, however, is not always a good indicator of attack, since a lot of API attacks come from authenticated attackers who are targeting public-facing APIs. In this case, they have legitimate credentials and can easily access the API to look for vulnerabilities unnoticed.
2. Unusual Rate of Errors: Once an attacker has access to the API, they will try to look for vulnerabilities that can be exploited. This stage is called reconnaissance, when the attacker is trying to learn the structure of the API and see how it responds to different requests. During this period, an attacker’s activity will look much different than that of a typical user, and this activity will also potentially generate a large number of errors or alerts. Detecting these types of abnormalities can be really difficult for a human, because it’s not simply a higher-than-normal rate of errors. You really need context and the ability to correlate these errors to see if they’re mistakes or an actual attacker.
3. Unusual Volumes of Data Access: A common goal of any attacker is to access and download a large amount of data. We’ve seen this tack in countless breaches, where attackers download entire databases of user credentials, account numbers, credit card information and other sensitive data like PII. One indication of a breach is a large volume of data being accessed but often, by the time you realize that is happening, it’s too late.
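The three signs above, as an added detection example that is not from the interview or from Salt Security's product: it scores constructed sample API access-log lines per client for repeated failed logins, error-heavy probing spread across distinct paths (the context that separates reconnaissance from ordinary mistakes), and data volume far above the median client. The log field layout, thresholds and client ids are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample API access log (not real traffic): time client method path status bytes_sent
SAMPLE_LOG = """\
09:00:01 c1 POST /login 401 0
09:00:02 c1 POST /login 401 0
09:00:03 c1 POST /login 401 0
09:01:00 c2 POST /login 200 120
09:01:05 c2 GET /users/17/profile 200 800
09:01:09 c2 GET /users/17/orders 200 2400
09:01:12 c2 GET /users/17/cards 200 600
09:02:00 c3 POST /login 200 120
09:02:02 c3 GET /users/17/profile?fields=* 400 0
09:02:03 c3 GET /users/18/profile 403 0
09:02:04 c3 GET /users/19/profile 403 0
09:02:05 c3 GET /admin/users 404 0
09:02:09 c3 GET /export/customers 200 5000000
"""


def parse_log(text):
    """Turn each well-formed line into a dict; anything else is skipped."""
    keys = ("ts", "client", "method", "path", "status", "bytes")
    rows = [dict(zip(keys, line.split()))
            for line in text.splitlines() if len(line.split()) == 6]
    for r in rows:
        r["status"], r["bytes"] = int(r["status"]), int(r["bytes"])
    return rows


def failed_login_clients(events, threshold=3):
    """Sign 1: clients with an unusual number of failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e["path"] == "/login" and e["status"] in (401, 403):
            fails[e["client"]] += 1
    return sorted(c for c, n in fails.items() if n >= threshold)


def recon_clients(events, min_requests=3, error_share=0.5):
    """Sign 2: authenticated clients whose traffic is mostly 4xx over distinct paths."""
    per = defaultdict(lambda: {"n": 0, "err_paths": set()})
    for e in events:
        if e["path"] == "/login":
            continue
        per[e["client"]]["n"] += 1
        if 400 <= e["status"] < 500:
            per[e["client"]]["err_paths"].add(e["path"])
    return sorted(c for c, s in per.items() if s["n"] >= min_requests
                  and len(s["err_paths"]) / s["n"] >= error_share)


def bulk_access_clients(events, multiple=10):
    """Sign 3: clients served far more bytes than the median client."""
    total = defaultdict(int)
    for e in events:
        total[e["client"]] += e["bytes"]
    median = statistics.median(total.values()) if total else 0
    return sorted(c for c, b in total.items() if median and b > median * multiple)


def detect(text):
    """Run all three checks and return the flagged client ids per sign."""
    events = parse_log(text)
    return {"failed_logins": failed_login_clients(events),
            "reconnaissance": recon_clients(events),
            "bulk_access": bulk_access_clients(events)}
```

Note that c2 meets the request minimum but produces no errors, so the per-client error share, not a raw error count, is what singles out c3.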
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
A company should first identify the source of the attack and stop it, determine the extent of the breach, and then move quickly to secure its systems and eliminate any vulnerabilities that may have caused the breach. The company should then notify the appropriate parties, which includes law enforcement and other affected organizations like partners who might be at risk. If the company collects and stores personal info for partners or customers, they must notify those organizations or people so they can take proper steps to further protect themselves against misuse of the information.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Privacy measures such as GDPR and CCPA can negatively affect businesses if not followed properly. Both measures enable victims to sue the business holding their personal information if it was compromised in a data breach. A breach can significantly tarnish a business’ brand reputation.
To that end, how a company handles their customer’s data, how secure that data is, and how transparent the company is about where the data goes can make or break trust with customers. Customers are becoming more aware, sophisticated and more demanding when it comes to this, and, as a result, security is becoming a competitive differentiator for a lot of organizations and their brand. For example, we are working with one financial services company in particular who is taking a proactive approach to security when releasing their mobile application. The company has spent significant time making sure that they have the appropriate measures in place to protect that application in addition to their customers and their data. They’re also taking the time to highlight their security approach with peers in their industry as well as with their customers, so it becomes a real competitive advantage for them.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Before COVID hit, we were already seeing an increase in attacks targeting APIs. The events of the past year have made digital platforms even more critical, including becoming the main source of revenue. The rise in API usage has empowered businesses to build more dynamic applications, but it also creates security holes that organizations need to understand.
Companies that do not pay attention to these changes and continue to innovate with no regard for data security are being reckless. It is imperative that organizations not only understand how critical APIs are for their business but also the risks and implications of a potential breach. More awareness and education are needed in the market around API threats and API security.
We see that APIs are foundational to digital transformation strategies of businesses of all sizes. APIs allow these businesses to quickly innovate and create new services and new revenue streams with their ecosystems, so they’re seen as enablers for growth. Organizations adopting the right approach to securing APIs have found the balance between the need to rapidly innovate and the need to protect their business and customers.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We haven’t seen an uptick in errors, but attacker activity is definitely up since the pandemic began. Businesses that are traditionally brick and mortar have been forced to shift operations online, drawing the attention of attackers who are increasingly turning to APIs as the route in. We’ve seen a lot more interest from organizations who now realize just how important their digital platforms are to their business and how critical it is to ensure their services and customer data are protected.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
The first is to achieve comprehensive visibility of your attack surface. You can’t control what you can’t see. Most organizations don’t have a good handle on their API attack surface — they have Shadow APIs and sensitive data exposed. Since APIs are constantly changing, you need a tool to automate the process of cataloging APIs with granular detail to see exposure and stay up to date.
The second is to stop attacks. The big challenge with APIs is that they are unique in every organization, and therefore the vulnerabilities are also unique. It’s impossible to protect APIs with solutions that depend on signatures and can stop only known attacks. Even systems you can tune don’t work, since manually creating policies is not practical. Organizations must move from depending on signatures and humans to leveraging a solution that can gather and analyze a lot of data to look for malicious activity. That’s why we built big data into the Salt Security platform and have a patent on our use of artificial intelligence.
Third, you need to eliminate vulnerabilities altogether. You need to show your developers where these vulnerabilities exist in your API, so they can eliminate them. Then you need to complement that “shift left” approach with runtime security as well, but sharing insights into why something is vulnerable makes your developers smarter about building secure APIs.
Fourth, you need to improve how your security and DevOps teams interact. DevOps needs to move fast, and security needs to keep systems safe. Building security into DevOps workflows and enabling automation with next-gen security tooling is crucial to meeting security requirements while minimizing friction with development.
Finally, security is not a “set it and forget it” exercise, especially when it comes to APIs and today’s applications. These environments are constantly changing and evolving with new applications and new capabilities. New vulnerabilities will continually emerge, and the attack surface will change, so your teams and your security tools and strategy must evolve in parallel.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
One thing that I would do is make everyone in the world more security aware. I think many people, especially people who didn’t grow up with computers like I did, think they have nothing to lose online. It always saddens me to hear stories of people who have been scammed either by a phone call or a phishing email. Every part of our lives is increasingly dependent on digital platforms — our communications, our healthcare, our finances are all online. I want people to become more aware of the risks and much more careful with personal information and their activity online. This need applies to companies as well. Some organizations think an attack will never happen to them, that they don’t hold any data important enough to be a target. I think that’s true of very few companies. We all need to do our part to make the online world and the digital platforms we depend on safer and more secure.
How can our readers further follow your work online?
You can visit our website at: https://salt.security/ or follow us on Twitter (@saltsecurity), LinkedIn and Facebook to stay up to date with our announcements and work.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!