As organizations deploy millions of unmanaged IoT devices to optimize operations, securing this expanded attack surface requires a modern agentless approach to IoT security.
What’s more, with limited staff availability, it becomes even more important to accelerate incident response by leveraging existing IT security stacks and automated workflows (SIEMs, SOAR, firewalls, NAC, etc.).
Hear directly from CyberX and our key partners on how to secure your unmanaged IoT/OT devices such as sensors, actuators, and traditional PLCs.
- The IoT/OT Security Challenge: How to Mitigate the Risk — CyberX
- An Inside Look at a Real-World Campaign to Penetrate Corporate Networks by Compromising IoT Devices — Microsoft
- Implementing Micro-Segmentation & Zero-Trust for IoT/OT — Fortinet
- Leveraging an OT MSSP to Augment Your In-House Team — Optiv
Our Panel of Experts
Phil Neray, VP of IoT & Industrial Cybersecurity, CyberX
Jonatan Meczyk, Product Manager, Microsoft
Michelle Balderson, Director, OT & Critical Infrastructure SME, Fortinet
Sean Tufts, Practice Director, ICS & IoT Security, Optiv
Good afternoon and good morning, everyone. My name is Phil Neray. I’m the VP of IoT and ICS Cybersecurity at CyberX. Today we’re joined by experts from Microsoft, Fortinet, and Optiv to talk about securing IoT/OT with fewer personnel, which is about the benefits of automation and integration in identifying and remediating threats faster. I want to start by introducing today’s presenters. We have Jonatan Meczyk from Microsoft, Michelle Balderson from Fortinet, Sean Tufts from Optiv, and again, my name is Phil Neray. I’ll be the moderator and I’ll start with a short introductory presentation.
So we’re talking about IoT devices. There are many definitions of what an IoT device is. We’re talking about enterprise IoT, not the types of devices you would have in your home. But there’s a variety of different types, from IoT sensors in plants, to smart devices in conference rooms, to building management systems. And whether the number is 25 billion or less or more, we know that more and more of these devices are being deployed because they support digital business and innovation – some people call it Industry 4.0, some people call it digitalization – but it’s about using more connected and smart devices to improve the efficiency and productivity of our organizations. But as a result, what that means is that the average organization will soon have more than three times the number of endpoints that it previously had, so that increases the attack surface and that increases the risk.
And it turns out that these devices are soft targets for adversaries. They’re typically unseen and unmanaged by the IT department. They’ve traditionally not had agents on them; they weren’t designed to support agents. They’re typically designed with the goal of low cost rather than security in mind. They often have weak or default credentials, incorporate open-source components that are vulnerable, and are very often connected to the internet. And as a result, that increases your attack surface. You’ll see on the right the various types of devices I’m talking about. They can be many different kinds: as I said, building management at the top left; on the right you see automated robots in a warehouse, security cameras, building access control systems, sensors in plants. It’s a wide variety of devices, but they all share these common characteristics.
I’m going to give you four examples of threats and attacks that have been launched, starting with ransomware. Of course, we’re familiar with ransomware shutting down corporate networks, but it has also shut down factories, as in the Norsk Hydro example. Earlier this year, the Department of Homeland Security in the United States announced that a major container port had its security cameras and access control systems compromised with ransomware. And we know that the big risk of these types of attacks is downtime and financial losses. The second example is the TRITON attack, which was an attack launched on a petrochemical facility. It was ICS-aware malware, in other words, malware that had been specifically written to compromise, in this case, safety controllers in the plant. So we see now that there’s a risk to safety and the environment in these types of attacks. The adversary was very sophisticated. They actually built a backdoor that was deployed to the safety controller and resided in the firmware memory region of the controller, and they modified the native protocol of that device so they could communicate with their backdoor.
The next example is the VPNFilter campaign, which was a nation-state campaign that compromised over 500,000 routers, exploiting vulnerabilities in those routers and installing malware on them so they could perform man-in-the-middle attacks and packet sniffing attacks, and potentially compromise endpoint devices as well. Of course, you can see why a router would be an ideal target for an adversary. It’s connected to the internet on one side and connected to your corporate network on the other side. It’s unmanaged, typically unpatched, and often misconfigured.
The last example is an attack that Microsoft’s research team discovered and announced in August of 2019. It was a voice-over-IP phone that had default credentials. In that same blog post, Microsoft talked about a printer also being compromised and a video compression device being compromised, and the attackers leveraged the vulnerabilities on those devices to deploy malware, from which they launched attacks into the network looking for sensitive intellectual property. So again, a perfect example of an IoT device that’s unmanaged, that’s vulnerable, that’s exposed to the internet, and that gives the adversary a gateway to pivot into your corporate network and move laterally within it.
So Gartner has written extensively about this – they call the category “cyber-physical systems”. It’s any device or system that interacts with the physical world. You can get the full report from our website. One of their comments is that most CEOs and CISOs aren’t even aware of all of the cyber-physical systems deployed in their organizations, primarily because traditionally the CISO organization wasn’t responsible for these types of devices, like building management systems, smart TVs, or OT devices in plants. Gartner sees that increasingly, governments will pass laws holding executives personally liable if they don’t create a safety- and security-first enterprise. In other words, similar to the way Sarbanes-Oxley, about 10 years ago, was used to get management teams to pay attention to weaknesses in their financial reporting. In this case, if you’re not putting in place the proper controls to monitor and patch your cyber-physical systems, they see the same thing happening there. And then finally, these various domains really make sense as part of a single, centrally-controlled security organization. It doesn’t make sense to have different groups responsible for security across different devices because, as we’ve said, adversaries often move from one domain to the other, and the teams that you’ve already trained in your organization to deal with breaches need to be able to deal with all types of breaches as they cross these various domains.
So a quick word about what we’ve done to help address this problem. Number one, we’ve built an architecture that is very easy to deploy because it’s agentless – it does not require deployment of agents – and it’s passive, which means it’s non-invasive and has zero impact on the network or the devices. That is essential in factory environments, where we’re dealing with millisecond response times; you can’t use active or scanning-type tools on those devices. It doesn’t require rules or signatures; it relies on behavioral analytics to identify attacks and anomalies. And it’s available as an on-premises solution, a cloud-based solution, or a hybrid of the two. It uses multiple forms of threat protection, because just using one isn’t sufficient. It uses comparison to a device profile database, which tracks devices and how they use certain ports or DNS addresses, and then looks for deviations from that behavior. But it also uses a patented behavioral analytics engine that we’ve developed specifically for tracking machine-to-machine (M2M) behavior, which looks for anomalies over time as opposed to comparing against a standard profile.
The third aspect is that we have an in-house threat intelligence team formed by former nation-state defenders, called Section 52, and they’ve developed a series of automated threat extraction tools, along with human analysis, to continuously feed our system with the latest threat intelligence about campaigns, threats, and malware targeting IoT and OT environments.
And then finally, because you’ve already invested in a number of tools in your IT security stack – SIEMs like Microsoft Sentinel, SOAR and ticketing systems, configuration management databases, firewalls, and NACs – from an early point we’ve put a big emphasis on integrating natively with these various solutions, because again, it’s about automation and integration to speed the time to identify and mitigate these types of threats. The challenges we address: first, telling you what devices you have and how they’re communicating, primarily so you can implement better segmentation and zero-trust policies. If you don’t know what you have, if you don’t know how they’re communicating, you’re going to be in the dark when it comes to establishing better segmentation. Secondly, all of these devices have vulnerabilities, but the question is how do you prioritize patching those vulnerabilities or mitigating them so that you’re protecting your most important assets – your crown jewel assets. Thirdly, how do you know if you have any threats in your environment right now? If you’re not continuously monitoring the environment, you’re not going to know and you’re not going to be able to respond to them. A side benefit of the continuous monitoring is identifying misconfigured or malfunctioning equipment, which can reduce the efficiency of your network.
An example would be a misconfigured router or misconfigured HMI that’s spewing traffic across the network; by continuously monitoring that traffic, we can help your OT teams quickly identify the source of those inefficiencies and address them. And then finally, as I talked about before, integrating with your stack enables you to leverage your existing people, processes, and tools so you can centralize IT security in your SOC, as Gartner has recommended, and demonstrate to auditors that you have put the right focus on building a safety- and security-first environment. So automation and integration, as we’ve said, are important now more than ever. If you have fewer personnel available, fewer personnel in a single place, you’re going to need automation and integration, not only to reduce the time to identify and remediate threats. We’ve also heard from our clients that they are now looking to deploy security into additional facilities and plants, because they’re concerned about the increase in remote access to those networks both by their own employees and by third-party contractors, and they want to make sure that they can quickly spot any unusual or unauthorized activity in the traffic to those sites.
Here’s an example of a screen from our IoT security platform showing built-in integrations, again available out of the box from our system, so that you can quickly share information across different systems. We recently announced a partnership with Microsoft Azure IoT to add our anomaly detection capabilities to Azure Security Center for IoT, and in the next presentation you’ll see in some ways how this could be used. Here are some examples of our integration with Fortinet’s firewalls, where you would use our information, for example, to alert on any scanning malware during the early stage of the kill chain, when adversaries in your network are looking for vulnerable systems to pivot to. If we find that type of activity, we can communicate it to the firewall and immediately block the source of that malicious traffic.
Some other examples here: if we identify ransomware in the environment; changes to devices – so if you remember the TRITON example, the adversary installed a backdoor in the controller, and that would immediately be detected – and new devices connected to the network. You may have a policy in place that says no one’s allowed to connect their laptop to the network, but if you don’t have a way of monitoring for that type of activity, you can’t enforce the policy. Alerting on dangerous commands: if you’re running a high-rise building and in the middle of summer someone sends a stop command to the elevators, that can be a serious safety issue, so we alert on those types of commands. And then, as we talked about before, identifying misconfigured devices.
Now I’d like to hand it to Jonatan, who is going to talk about Microsoft Azure Security Center for IoT.
So my name is Jonathan in Mexico and Jonatan in Hebrew. First of all, thank you Phil and thank you CyberX for hosting this webinar. I’m a Product Manager at Azure Security Center for IoT, and now we’ll be discussing end-to-end security. I’ll be showing the security product that we developed in our group, and afterwards I’ll show you a demo that we did at the RSA Conference.
So Phil talked about it already, and we are seeing that IoT is fueling the industry. I can say that at Microsoft, IoT Hub adoption is going up really fast and we already have tens of thousands of new customers. And also, as Phil mentioned, there are two sides to this: we see the opportunities that IoT brings us, and it also brings a lot of risk. And not only the risk of cyber attacks; there’s now a question about governments putting regulation over IoT security, obligating manufacturers to take accountability for the security of those devices and possibly asking them to recall. So it’s no longer a question of whether you want to implement security on your devices.
So Phil already mentioned four attacks that happened, and one of them came from a Microsoft research group. We at Azure Security Center for IoT identify that there are a lot of different things you can do to compromise devices: you can steal data from them, you can pollute them, compromise them, ransomware them. And I think the most interesting thing is that the IoT device is becoming the weakest link in the overall organizational network, which means that it doesn’t only put itself at risk; it is a risk for the entire organizational network. Now I’ll talk a little bit about Microsoft and what we are doing in the IoT security field.
So Microsoft is spending over $1 billion on cybersecurity, and has a $5 billion investment over five years in IoT. And we at Azure Security Center for IoT are utilizing all these investments, operation-wise and technology-wise; we’re leveraging cooperation with internal groups. For example, we’re working with Microsoft Threat Intelligence, and just as an example, Microsoft Threat Intelligence processes 6 trillion security signals per day. We’re leveraging all of that in our product, as well as cooperating with internal groups at Microsoft. We’re of course cooperating with other companies in our partner program that Phil mentioned earlier, and of course CyberX is one of those companies. CyberX is actually an official Microsoft Intelligent Security Association partner, and we’re now working on integrating CyberX’s insights into our systems. So Azure Security Center for IoT is integrated into three different user interfaces, and our vision is to be as flexible as we can.
So we’re integrated into Azure Security Center, of course, into Azure IoT Hub itself, and now into Azure Sentinel. So how does our mechanism work? We have our detection engines that are agent-based, and we support all kinds of platforms: Windows and Linux. Besides that, we’re now working on agentless capabilities. We have some agentless capabilities, and we’re working on creating many more; some of them, of course, will become available when we’re integrated with CyberX. And we support IoT Edge security. The last thing is: what is the security value that we’re bringing? So the security value that we bring, on top of those detection engines, is the recommendations that we give you as a customer: the ability to understand your security posture in the IoT solution end-to-end, meaning you can see the entire overview from device to your cloud resources, including IoT Edge and IoT Hub. We’re leveraging Microsoft intelligence to give you live alerts, that is, a feed on live threats around the world. And we give you the option to create your own custom alerts, which utilizes your knowledge of the devices.
So with that being said, I want to show you just a few screens. This is our overview screen. As you can see here at the upper part, this is the threat prevention; this is the security posture of the solution. And you can understand from that all the devices and resources in your solution and what the risks in the solution are. And beneath that are the detections that we’re doing, and the like. This is another good screen where you can view the recommendations and the fact that we’re doing end-to-end visibility. You can see virtual machines and devices that you have; there can be storage, SQL, any cloud resource that there is.
Now I’m going to move to our demo. In the demo that we did at the RSA Conference this year, we created an attack where the attacker uses Mirai botnet techniques to compromise an IoT device. From the IoT device, it started lateral movement inside the network and compromised a file share, which is a Windows server in this case. With that, we want to show what Phil and I have already talked about: there’s a major security risk with the IoT device, which can lead to these kinds of attacks. So in this view, you can see an Azure Sentinel view, which is the investigation that we do after we see an attack is ongoing. This alert is about a suspicious process executed. As you can see, this is the machine that the process ran on, and we can see that Mimikatz was run. Mimikatz is a very suspicious process that gets credentials from Windows machines. If I want to drill down to understand what is happening here, I’ll want to see who that file share is talking to. So I can see here the IP that the file share is using, and when I relate it to the alerts, I can see this alert called “Outgoing SMB Connection”. So how is this related? I’ll see what the related entities are, and I know that “Outgoing SMB Connection” is an alert that is triggered by Azure Security Center for IoT. So we can see here there’s a webcam device that triggered this alert. If I drill down on what happened, this IoT device has access through SMB to this file share. Because I know this network, this is very, very suspicious. And SMB is very interesting for two reasons: one is that SMB is a file-sharing protocol, and the second is that it’s the very famous port that was used by WannaCry and EternalBlue.
So I can understand that this IoT device has something wrong with it, and if I drill down a little more and look at the alerts, I can definitely see that this device has been compromised. And I want to look to see if we can find a brute-force attempt, which is a technique the Mirai botnet uses, and with a very fast investigation you can find the IoT device, how the attacker created lateral movement and accessed port 445 and compromised the file share, and from there stole credentials. And I think you can understand that from that point on, he can do whatever he wants inside the network. So this example is utilizing our agent, and this is done in collaboration, of course, with Azure Security Center, which is in the cloud, and you can see how end-to-end security is a very important thing in our world today. With that, we can also integrate CyberX insights, for example, in the agentless world to create the same detections. So I’d like to thank you all and I’ll let Michelle continue.
Perfect. Thank you. So as everybody has said this morning, the number of devices that we’re deploying onto our networks is dramatically increasing. We’re really enabling our business by having centralization, and really what that’s causing is the digital attack surface to increase dramatically. There are a couple of considerations relative to the network and different networking as well: as the devices are changing, we’re also adopting new technologies, like LoRaWAN and ZigBee and LTE-M. So as we see changes to the number of devices coming onto the network, we’re also looking at how the transport is changing, and also the compute. And so really what this all means is that we’re interconnecting systems that have never been interconnected before, that were never truly intended to be interconnected, or we’re enabling new modern applications that are intended to be interconnected but putting them right beside applications that are legacy. That simply expands the digital attack surface, and we have to address that as we’re working through the digitization of our environments.
So the OT cybersecurity challenge that we see within all industries is that there’s a digital transformation of OT services, and with that digital transformation we have to continue to take into consideration the physical safety concerns, right? Because from an IT perspective, we’re really focused on data. But from an OT perspective, we need to be able to protect all the way down to level 0. As I go through a Purdue model example, I’ll talk about the race to level 0, which is that attackers are really trying to get at the physical equipment, which we’re working to ensure productivity and uptime for. But as we add in more devices, we can then see distributed denial-of-service attacks that could impact our entire operations.
We need to make sure that we’re applying security measures that ensure productivity and uptime. We’re investing because of the need to become more operationally efficient and focused on the customer’s needs, and to change that customer experience, from the moment the customer’s interested in a product or a solution, or even energy to their home. We need to have a quick response to the customer to get that product to them. We need to ensure product integrity: if our environments are breached, the integrity of the product can come into question, and at that point there could be considerable cost in throwing out bad product in order to rebuild it.
And then we talked about regulatory compliance: globally we’re seeing more and more regulation, and we need to make sure that from the moment we build a policy we’re able to deal with the compliance and audit capabilities of it. My presentation is really to discuss the value of zero-trust network access and microsegmentation. From a zero-trust and microsegmentation perspective, I suggest that we use both of them in combination. What happens in many environments is that we make a decision to put a firewall in, but we don’t necessarily segment the network to really get to controls. So what zero-trust network access and microsegmentation allow us to do is to onboard the device, authenticate the user, understand more about the user and the device, bring that user into a default VLAN, and then make a decision: do I want to put them into a community VLAN or do I want to put them into an isolated VLAN?
Once I have that, I can then apply policy, access, and privilege based on who and what they are. So from the authenticate-user perspective, I’m not sure exactly who that is or what that device is, but by the time I’ve done the process, I know exactly what type of device they’re using, who that person is, and what their privileged access should be, and then I can put them into a least-privilege group based on what their access should be. So why is it important? It’s important because when we do physical segmentation, really what we’re doing is segmenting based on assumed trust. Assumed trust allows me to be part of a VLAN and to talk to everybody in it, without a great understanding of what’s in the environment, and at that point I have free communication between all the different assets and all the different people within that assumed trust, in other words, as part of a community VLAN. Whereas if we start to do microsegmentation and zero trust, you’ll see on the right-hand side that I actually understand the individuals, what their roles are, and what devices they’re using, and I’m also isolating them: if they have to communicate amongst each other, they have to go through a gateway, and in that gateway we can apply security policies and secure that environment from the perspective of segmenting and applying least-privilege or zero-trust access to it.
Now, I talked about the Purdue model, and at Fortinet, as part of our OT team, we look at all of the different frameworks that apply to OT and IT, and we truly believe in the digital transformation, or what Gartner is saying from the perspective of IT, OT, and IoT really coming together in a digital services world. So when we build a solution, what we look at is, as we go from the lowest level: as an attacker, I am really trying to go in and attack the physical layer. Most of the security solutions today will really only protect down to level 2 of the Purdue model. What we believe is that we have to get to physical protection and protect down to level 0.
There was a question earlier about where and how far down you can go in the Purdue model, and today, from the perspective of the three vendors involved here, we can really take ourselves down to that process control level, and we can apply security controls onto the controllers and into the network. What we’re doing there from a security perspective is a microsegmentation model, an authentication model, and the ability to see all of the different devices and pass telemetry. So being able to get telemetry information from all the different aspects of the environment up into the SIEM, from the perspective of Microsoft Sentinel, we can pass all of that information up, and at that point they can have even more detailed information in the graphics that Jonatan was showing us. Then what we need to do is look at the operation and control zone. Depending on the industry that you’re in, this is either onsite or in a data center. As an example, in electrical it would be an EMS data center; in manufacturing, this would be onsite. Typically what we see in these types of data centers is a need for segmentation, authentication controls, and being able to tie into Active Directory. Again, we want to have the ability to see all of these different devices and users and be able to apply controls.
Then we move into the typical enterprise zone, and in level 4 and level 5, really what you’re seeing is management, advanced threats, and authentication pieces. Level 3.5 in the modern environment really starts to become where we see the shared services and shared data modeling between IT and OT. But you’ll also have cloud-based access pieces. So we have to take into consideration that the Purdue model traditionally goes up to level 4; with the enhanced Purdue model that I’m showing here, really what we’re showing is taking into consideration all of the modern applications. So we have to take into consideration remote access and third-party vendor access that then transports across the enterprise zone to bring controls into the operations or control area zones; we have to do that with strong authentication and two-factor authentication. And yet we also have to take into consideration the modern applications we’re talking about with IoT and cloud-based services. And so when we take a look at this, IoT is really vertical, versus the horizontal way that Purdue has been looking at it. In that sense it breaks the Purdue model, but really it’s simply another segment that we need to put into the environment, and we segment the physical layer and the control area zone away from all of the industrial IoT-based applications. So there are automated guided vehicles, the access control systems, the physical security systems; anything that is really a data application is either going up into level 3.5, ensuring its data, or it’s going up into cloud-based services. And we need to put security controls in place on that cloud-based service.
So to establish the framework, what we really look at is IEC 62443, along with the NIST Cybersecurity Framework, which is really incorporated within what I’m talking about here: we need to identify the attack surface. We need to protect. We need to detect the anomalies and security incidents. And then we need to have an appropriate response. And from that response we need to make sure that we recover. So the combination of the vendors here really helps you identify all of those assets, protect those assets, detect anomalies against them, and then have that appropriate response with what we’re talking about with Microsoft and the SIEM- and SOAR-based technologies. That really brings together the ability to have a broad, integrated, and automated security framework, and to make sure that you’re securing your environment.
And I’ll pass this over to Optiv. The key thing here is that you can consume these in multiple different models, and one of the models would be consuming security from the perspective of managed services. But I think the key thing here is making sure that you can work with consultative services to understand how to get to a security maturity model. So thank you very much. Sean, I’ll pass it over to you.
Thank you, Michelle. I like your enhanced Purdue model too. That was pretty cool.
So I’m Sean Tufts, Practice Director for Optiv. I handle all things industrial control and Internet of Things. I love that Michelle ended on this NIST Cybersecurity Framework, right? This is exactly the point, and it’s developing these ecosystems where we can put in all phases of the NIST framework – the identify, protect, detect, respond pieces – and build a program that grows and flexes with the company. I think that all too often we think of IT security as having taken a long time to get to a maturity model, and some will say we’re still not close, but we’re blending these solutions together. We’re getting cohesive teams together, and when I look at this from my seat, I see this as a plan, build, run conversation, right? Optiv as a corporation is an SI, and we call ourselves a security SI, where we’re focused myopically on cybersecurity from the IT and OT lens and we build these programs out. It’s important to think of them as living, breathing ideas and systems that we’re working with in that people, process, and technology space.
As we build this out – and this is a quick image on our cybersecurity professional services line card for all things industrial control – having that plan, that business integration, working through technical integrations from a product perspective and then coming out with operational execution is a really hard challenge, right? All too often in my seat, we see customers and clients doing great in one to two of these areas, but really letting other pieces fall. I think that’s especially important in the OT world, because we’re just now getting our arms around what security means in OT and how can we make this really operate.
The piece here that’s missing in that plan-build-run strategy is the two tails of that chart: the business challenges and marrying that with the end resilience. If anyone’s done any elaborate assessments or architecture diagrams or TAP assessments, we’ve all been kind of burdened to death with this risk chart, right? Impact x Likelihood. I, myself, in my career, certainly after the Deepwater Horizon incident, we went to an offshore drilling company (not the same one that was involved in that), and they ultimately locked us out of the room because they said, “These risk populations and these numbers you’re giving us are astronomical. It’s just a joke that comparing risk and thinking you’re going to move the needle by showing us a billion-dollar risk figure.” And we agreed, right? I think that transitions nicely into the business resilience component. How do you turn that risk into something that you can operationalize – something that you can tactically take on and programmatically break down the pieces of those components to offer business value? And our firm, we’d talk a lot about mixing complexity, cost, and effectiveness to truly show what the value to the firm is. Now in cybersecurity, there’s not a direct ROI behind a lot of this, but finding ways we can communicate back to the corporations, especially in OT where we’re talking about business resilience, uptime, network resilience, safety, environmental concerns, and how are we taking those risks and bubbling them into a place where the business can act on it.
This is my childhood hero, Calvin. I’ll let you guys read the quote…
“God has put me on Earth to accomplish a certain number of things. Right now, I am so far behind that I will never die.”
But I think we’ve all been given a list from a consultant or a professional service or an Excel sheet of 600 things to fix, and I think that’s a real miss. Building through an ethos to that and a chain of projects you can take that actually have business value is the key part there, right? No one’s going to take on a list that’s 300 lines long, but breaking things apart into programs really helps justify the spend, the project, the duration, the tooling costs. And another piece of that is when we build those programmatic stories and all those risks, combining value into our roadmap when we break it apart, but also gives you a defendable position when someone from the C-suite comes down and says, “Hey, why aren’t you doing this? Where’s your focus here, not there?” You can go back to them and say, “Hey, look, this is where we slotted these things. This is why we’re tackling this project, this is why we’re not tackling this project.” I think that gives our security practitioners, whether an OT or IT, a really strong standpoint to show priority and why you’re moving the needle in one direction or another.
I want to focus on that tail at the end of this, on the far right of that chart, that operational component, right where you started putting these ideas and these thoughts into operational rigor. Everyone right now is facing this balancing act of analog tools getting plugged into digital capabilities and trying to match that. Are we an air gap network? Are we truly leveraging the Azures of the world to get more digital tools out of this? That’s a really fine line to walk. I empathize with customers who are trying to marry those two worlds. The thing from a security practitioner standpoint, especially one having a managed service that we support, is when we find these burgeoning new economies and toolsets and capabilities, but we’re marrying those two worlds, we want to put a warm blanket of security around it. And really having managed detection response capabilities that look at what we call the “three kings”: endpoint, network, and SIEM, right? And when we’ve seen new technologies come to bear, we want to put those tools around it.
That also leads into the security journey. We started with CyberX about two years ago where we looked at IT security data and what those IT teams are doing from our managed service point of view. What were they concerned with? What were they spending their time on, how could we help, how could we alleviate some of that stress? At the same time looking at our OT clients and figuring out how they’re managing this, and obviously the solution three to four years ago was: push the plant manager, give them responsibility for it, and that really didn’t work. It didn’t scale. We also have an interesting question: with tools like Fortinet or CyberX, how do we make sure that we’re connecting those two worlds? In a lot of cases, not a lot of people are logging into every single tool they have in their environment, every single day and keeping those things up-to-date and viewed and the alerts tuned down so it doesn’t become just a noisy mess. And what we discovered was that there was really a desire to move to a more mature model. We’re taking that OT security data, telemetry data, whether it’s populated by CyberX or Fortinet, putting it through to a SIEM. You’re saying someone’s monitoring your IT network or skipping the SIEM entirely and plugging it right back into the SOC where you can populate an extra head, and that extra head we’ve proven has an ROI – if you want to do that on your own, but it takes a team of three to four if you want to follow the sun or even more when you start adding more tools and more capabilities. Having a third-party partner that’s combing through those alerts and triaging things as they come up has proven to be very valuable.
The reason, and one of the reasons we’re going forward with CyberX, is we looked at all the tools on the market, and to provide a true managed service around an OT tool, you’ve got to have that alert triage capability, threat hunting settings, and configuration abilities to audit. Also bringing up reporting and keeping the whole system healthy. And that’s a difficult task in any technology, but I think CyberX has a great platform for it specifically around their alert features, right? We’ve got the ability for a SOC analyst who’s an IT wonk, who knows about route switch and firewall but maybe doesn’t know about Rockwell, doesn’t know about Honeywell gear or DCS systems to take a look at there and get a report that looks and feels like they want to feel, and having that mitigation piece on the bottom is the most critical part there, telling that SOC analyst what he should be concerned about in the OT environment. And I think by doing that, that gives us a good opportunity to put those three things of a managed service around an OT network, right? And using all of these vendors that are here in this slide today to talk about how to spread that peanut butter around and really get OT and IoT supported in a way that might be unique today and leverage, as Phil opened this with, finding ways to maximize people and projects and accountability and budgets, especially in today’s economy. We need to figure out how to use our full-time employees better and how to use our tooling better. I think their managed services is a way to do that.
So in closing on my section, I wanted to focus on the plan and the run aspects. I think our other panelists have done a great job on that build component and finding a way to develop that ecosystem of people you’re speaking with, whether it’s a professional service org, a managed service org, or a manufacturing vendor, and finding a way to build your own ecosystem. When I got started in OT security and having worked at operators before, it was really challenging because you felt a little alone, right? Historically we’ve relied on the GEs and the Siemens or the Jacobs to help build that, and we kind of put it away and said, “Hey, that’s your job to secure.” I think there’s a new economy, a new ecosystem that’s there to support anybody as they’re going through these same kind of challenges.
And with that, I want to say thank you and turn it back over to the CyberX team.
Thanks Sean. Awesome. So we want to thank you for your participation. We have time for a few more questions. I also want to direct you to some upcoming webinars and some more educational information in our knowledge base that will provide additional details on the challenges that we face with IoT and OT security. Hacking ICS Exposed is one of the first books dedicated to this category, and you can download some of the introductory chapters from that book from our website. It’s a great place to get started. We’ve also got the Gartner report I talked about and a solution brief on how you can use these technologies to accelerate your network segmentation projects. If you want to learn more about CyberX’s IoT security platform and how it integrates with Microsoft Azure, I encourage you to go look at the Azure marketplace, and under Products just type in CyberX and you’ll see a full description.
And then our partners on this call today are running a series of webinars – Fortinet has one coming up very shortly. Optiv has one. And then CyberX is running two of them – one should be really interesting: on May 8th we have cybersecurity experts from Baker Hughes, which is an oil field services company, First Quality, which is a multibillion-dollar manufacturer of specialized paper products, and ONE Gas, which is a gas energy utility. We have experts from each of those that are going to talk – there are no PowerPoint slides, it’s going to be a conversation about how do you bring IT and OT together, obviously both from a technical point of view and an organizational point of view. And then on May 22nd, we’re going to talk about the MITRE ATT&CK framework for ICS, which is an evolution of the MITRE ATT&CK framework for enterprise, but with specific tactics, techniques, and procedures that ICS attackers would use.
I want to thank my panelists today, and let’s just take a quick look at the Q&A. We have a question about Azure Sentinel and CyberX: is it an accurate understanding that Azure Sentinel for IoT requires a solution such as CyberX to be useful? The answer is that it’s all about defense in depth, multilayer security. If you can monitor the network layer, if you can monitor Active Directory, if you can monitor your endpoints, if you can bring it all together in a comprehensive analytics platform like Sentinel, that’s the way you identify threats faster and mitigate those threats by looking for the root cause. The two are completely complementary, as Azure Sentinel aggregates and correlates data from various sources and is an essential element of any SOC strategy, whereas CyberX is focused specifically on monitoring the network layer. Gartner calls this category network security monitoring, or NSM. But in the case of CyberX, NSM specifically is purpose-built for IoT and OT based on our understanding of the protocols that are unique to those environments, and the devices and the behaviors that are quite different than what you would find in an IT environment. In an IoT or OT environment, we’ve talked about machine-to-machine (M2M) communication, so if you’re using anomaly detection or baselining algorithms that were developed for IT environments, they’re going to take a lot longer to learn what’s going on and you’re going to have a lot more false positives. In the case of CyberX, we have a patent on how we analyze that behavior specifically in M2M communications. So there’s never been a silver bullet in security, and ICS and OT security are no exception.
So we are integrated with Azure Sentinel as well, and we are also integrating our detections, so for us, Sentinel is, as you mentioned, we are generating the protections and the alerts.
There’s one other question that I wouldn’t mind answering, that says: to what level of the Purdue model can agentless sensors, i.e., down to the PLC or RTU level, and how might this ensure zones and conduits that separate environments are not breached? So I wouldn’t mind answering that from a Fortinet perspective, and I’d like to hear the other panelists as well. From an agentless perspective is that really what you’re doing is monitoring the layer 2 traffic at the PLC and RTU level, as well as the controller level, and when you integrate a CyberX and Fortinet together, it gives us the ability of being able to monitor that traffic, understand the risk, and then apply security policies within the firewalls, if you decide that you need firewalls. It also answers the zones and conduits question that is all a part of the microsegmentation and segmentation that I talked about. So something to take into consideration there. And then relative to controllers, so not at the PLC or RTU level, but at the controller level or the SCADA master level, Fortinet can put an EDR agent and monitor processes on those controllers as well. Phil, from a CyberX perspective, what are your thoughts?
So we’re monitoring any communication that appears in the network traffic, it’ll be analyzed and we’ll be looking for unauthorized or suspicious activities. And it turns out that even layer zero traffic eventually ends up on that network traffic. So again, we need a multilayer defense in depth approach and firewalls, network security monitoring solutions, SIEMs, Azure Security Center for IoT, which also gathers its own intelligence, as Jonatan pointed out – these are all important. As I said before, there’s never been a silver bullet and integration and automation are key to making all these things work together.
I want to thank my panelists today for their participation. I want to thank members of the audience. We had over 700 registrations for this webinar, so obviously it’s a very vital topic to many folks in the world. I want to thank you for your attendance today and have a great rest of your day.