Safety Detective spoke to Idan Cohen, CEO and founder of Reflectiz, and found out how his company is tackling third-party website security.
Safety Detective: How did you get into cyber security, and how did you start Reflectiz?
Idan Cohen: While I was serving in the Israel Defense Forces (IDF), I worked in cybersecurity research and penetration testing, partly offensive and partly defensive cybersecurity. After five years in the IDF, I joined BugSec, one of the largest hacking companies in Israel, eventually becoming their CTO. I got to see what was happening in the cybersecurity world: creating, writing, and testing offensive code. I also got a view of how to do risk management in cyber-defense. My team included 50 people at a time, which really helped me understand the security requirements that companies need today. I tested many, many security platforms and security controls, which taught me what companies need in terms of cybersecurity.
Since I was coming from the offensive side, I was able to carry out cyberattacks, testing the security of companies and huge enterprises to see how I could bypass their security.
While I was working at BugSec, I started a company called Cynet, which is an endpoint detection and response (EDR) solution.
During my time at BugSec, I met my co-founder of Reflectiz, Ysrael Gurt. Ysrael was one of my best hackers at BugSec, and his expertise was in the web application world. When we started Reflectiz together, we wanted to bring together our knowledge and solve big technology issues like anti-ad blocking. Anti-ad blocking was a challenge because many users were able to install ad blockers in their browsers, and then no ads were shown, which was a huge problem for companies that generate money through ads. The solution we built allowed us to bypass ad blockers and present the ads in any case. The way we did it was by actually building our own browser that was able to analyze the page the user was browsing, detect the ads, and hide them beneath the actual content of the page. So, if you wanted to block the ads you also needed to block the content, so you couldn't use ad blocking.
We decided to pivot once we understood that the market was not ready to pay for this kind of solution, so we returned to the cybersecurity world because that’s our expertise. We took the same technology that we had been building for almost a year and returned to the area we’re familiar with in cybersecurity.
SD: What does Reflectiz do?
IC: Reflectiz detects risks and threats that are caused by third parties on websites. Every website installs and runs many, many third-party components: think about live chats, analytics, and ads. Think about code the developers download from the Internet and then install on websites to have better graphics or better designs, all to create a better user experience. All this code is remote code, third-party code that you're loading from a remote server and running on the website. And what we understood at Reflectiz is that security professionals today, like the CISO and their security team, don't have any tools at all to understand who their third parties are, which web third parties are running on the website, what they are doing, where they are running, who installed them, and what type of risks they are creating for the company.
A good example of this is Magecart. Magecart is a known hacking group that hacks mostly eCommerce websites using third-party scripts. They look remotely at all the scripts that the site is loading; then, instead of hacking a bank whose website has firewalls and many, many other high-security solutions, they just hack one of its third parties that may be hosted in an unsecured location in a different country, change the code, and then they're in full control of the site and the users of the site.
Companies today invest a lot of money in building firewalls and high security, but in the world today there are so many third parties that have access to the same data that no one needs to hack the company itself. You can just attack the third party, which we call a "supply-chain" attack.
Many organizations are being hacked through their third parties, and our solution is trying to pinpoint this problem. If you have a website with third parties, we are able to detect them automatically and let you know exactly what they are doing, what type of sensitive data they are collecting and from whom, where they are sending this data, and whether they are causing a cyber or privacy risk to you.
You would be surprised that an average site today can have 50 to 70 different third parties. You're trying so hard to make your site the most secure and you test it every three months or so, but you are loading your code from 70 other vendors. And who says that all these other vendors have the best security?
That's where Reflectiz comes in. Reflectiz is already a revenue-generating company with a fully scalable solution. We don't need to do any installation or integration; it's fully automatic, which people like.
We are involved in third-party risk management (TPRM), which offers the ability to detect risks that come from third parties. We can detect your digital assets, in this case your website. We get in there so we can see which of your third parties is causing you a threat.
SD: What are the different industries that your company serves?
IC: Our main clients have data or money to lose, so if you have a website that has only marketing materials and no data or users, you probably won't need us too much. But if you are a bank, an insurance company, a fintech company that has transactions and money online, an eCommerce company that sells something online, a health company with medical records, a travel website, or a security BTC website, you would be our client. The main question we ask our clients is whether they have a website with sensitive data. If your website is hacked, would you care about it, or would it only be a minor setback for your marketing materials? Our clients have a lot to lose without our solution.
SD: Where do you see cybersecurity heading in the next few years?
IC: With the rise of different IoTs, smart homes, etc., the number of nodes or points that you want to protect in order to be secure is increasingly changing, so it's not the same security as before. We'll also see that we need to guard many, many procedures that we have online, and those procedures will need to be the most user-friendly in the end-user experience.
For instance, recently banks have started to offer a full digital bank app on your mobile device where you can manage your account, so it's a huge change from what we had even 5 to 10 years ago. This change is a fight between our wish to give users the easiest and simplest experience, where they don't need any technical expertise, and at the same time keeping it at a high cybersecurity level. So, I think that will be one of the hardest challenges we have in cybersecurity: everything easily available, but secured.
And the second thing is that most of the breaches in the past few years were generated by phishing emails. The most common way to infiltrate an organization is by sending a malicious email with some sexy headline, and someone clicks it and gets hacked. The level of email security products is becoming pretty high, so it's not so easy to breach an organization through email anymore. That will mean that we're going to see many new attack vectors that will be used by blackhat hackers to attack organizations. It will be interesting to see, five years from now, what the main way to infiltrate organizations will be, because so many security products are used to block email phishing attacks, and they are starting to do a pretty good job.
As for IoTs, we see the third-party attack vector as a classic example. So why hack the email of the most secured enterprise, like a bank that has four security solutions on its email and three security solutions on the endpoint? I think third parties, or at a higher level, supply-chain attacks, will be one of the new ways to hack organizations, which is why Reflectiz is building solutions to prevent that.