Zscaler Buys Canonic Security to Thwart Supply Chain AttacksCanonic Security Purchase to Streamline SaaS Application Governance and Enforcement
Zscaler has agreed to purchase a startup established by a former Proofpoint executive to help organizations thwart SaaS supply chain attacks.
"Traditional CASB and SSPM solutions fall short to secure against the massive amount of supply chain attacks."
– Boris Gorin, co-founder and CEO, Canonic Security
The San Jose, California-based cloud security vendor says its proposed acquisition of Tel Aviv, Israel-based Canonic Security will help customers streamline SaaS application governance and enforcement. Connecting third-party applications and browser extensions to SaaS platforms means critical data assets are being held in third-party drives, email clients and chatbots, adding risk to the supply chain.
"When I speak with the top global CIOs, they consistently express their challenges with efficiently securing supply chain logistics due to the massive blind spot in SaaS-to-SaaS communications," Zscaler CEO Jay Chaudhry says. "While protecting SaaS platforms is necessary with CASB and SSPM, enterprises must reduce the supply chain attack surface, detect SaaS-native threats and automate responses."
Terms of the acquisition, which is expected to close in the current fiscal quarter, weren't disclosed. Zscaler's stock was up $1.14 - or 0.85% - to $135.01 in trading Tuesday afternoon (see: Zscaler CEO: 'Uncertainty Can Act as a Catalyst for Change').
'This Is on Top of Every CISO's Mind'
Zscaler investigated a lot of acquisition targets in the SaaS supply chain and was impressed by Canonic's application risk database, which includes research on about 50,000 third-party applications and 138,000 browser extensions, Vice President of Data Protection Moinul Khan tells Information Security Media Group. Canonic's intellectual property and application threat research is beyond others in the market, Kahn says.
Canonic's technology can determine how much third-party applications and browser extensions are connected to a customer's SaaS platforms and then tap into its own threat research and sandboxing to determine which are benevolent and which are malicious. From there, administrators can easily remove the bad apps and extensions through auto-remediation to reduce the attack surface.
Insecure third-party application integrations have contributed to nine attacks over the past nine months, and issues have arisen around everything from GitHub and Microsoft OAuth to CircleCI and Mailchimp, Khan says. More than 90% of Canonic's 26 employees are either engineers or threat researchers, and the remainder are focused on go-to-market or product management. All Canonic employees will join Zscaler.
"This is on top of every CISO's mind," Khan says. "They want to understand how many apps are out there, who is connecting and which apps are good and which apps are bad. This is a real customer problem that the CISOs are trying to solve today."
'Traditional CASB and SSPM Solutions Fall Short'
Canonic Security was founded in 2020 and exited from stealth in February 2022 with $6 million of seed funding from First Round Capital, Elron Ventures, SV Angel and Operator Partners. The company was co-founded by former Proofpoint Senior Director of Information Protection Products Boris Gorin and Niv Steingarten, former vice president of engineering at OverOps.
"While the SaaS ecosystem continues to grow, traditional CASB and SSPM solutions fall short to secure against the massive amount of supply chain attacks that are targeting organizations and their critical business applications," says Gorin, who serves as Canonic's CEO. "The combination of Canonic with Zscaler's existing inline and out-of-band CASB and SSPM offerings is an ideal technology fit."
Integrating Canonic's supply chain security capabilities into Zscaler's data protection services will allow customers to consolidate point products, reduce costs and simplify management, according to Zscaler. Specifically, Canonic can automate the monitoring of misconfigurations and compliance violations in SaaS platforms such as Atlassian Suite, Google Workspace, Microsoft 365, Salesforce and Slack.
Customers using Canonic will also gain full visibility over first-, second- and third-party apps and API integrations across the enterprise business application estate, according to Zscaler. This will allow organizations to uncover rogue and vulnerable apps as well as assess the risk involved with API access and browser extensions, Zscaler says.
Moreover, Zscaler says Canonic can quarantine suspicious apps, reduce excessive and inappropriate privileges and revoke and block access if necessary. Finally, Canonic can enable application integrations by automating the application vetting and application access recertification processes, according to Zscaler.
Going to the Acquisition Well Once Again
Canonic Security is Zscaler's eighth acquisition over the past six years, according to Crunchbase. The deal comes just four months after Zscaler purchased workflow automation startup ShiftRight for $25.6 million to provide customers with real-time visibility into their security posture and help them manage a growing influx of risks and incidents (see: Zscaler Buys Workflow Automation Firm ShiftRight for $25.6M).
The ShiftRight acquisition came a year after Zscaler bought deception technology startup Smokescreen Technologies for $11.7 million to proactively hunt for emerging adversary tactics and techniques. A month earlier, Zscaler purchased cloud infrastructure entitlement management startup Trustdome for $31.1 million to control who and what has access to data, applications and services in public cloud.
In May 2020, Zscaler acquired early-stage vendor Edgewise Networks for $30.7 million to protect application-to-application communications in public cloud and data center settings. A month before that, Zscaler bought cloud security posture management startup Cloudneeti for $8.9 million to prevent and remediate app misconfigurations in the cloud.
In May 2019, Zscaler got into the browser isolation space with its $13 million buy of Appsulate to provide users with secure access to web-based applications and content. The company's first-ever deal came in August 2018, when it purchased the development team and artificial intelligence and machine-learning technology of TrustPath to enhance security efficacy and accelerate incident response.