IoT devices are everywhere, helping organizations collect real-time data and automate tasks for greater productivity and efficiency.

This is especially true in healthcare and life sciences, where scientists and lab technicians rely on a diverse set of smart devices to get their work done, including automated liquid handling robots, refrigeration sensors, cameras, and mass spectrometers.

These devices are often unpatched, unmanaged, and invisible to IT teams — making them soft targets for adversaries seeking to gain access to corporate networks in order to steal sensitive intellectual property or deploy ransomware.

About Christy Peel

Christy Peel spent the last eight years at a Global 2000 pharmaceutical and life sciences organization, where she was head of global information security and risk management. She previously worked as a Principal Technical Consultant at BT Global Services, where she designed technical architectures for biomedical and energy organizations.


Webinar Transcript

Jessica Gallis:

Hello everyone, and welcome to today’s SANS webcast: Securing and Managing IoT Devices in Healthcare and Life Sciences, sponsored by CyberX. My name is Jessica Gallis of SANS, and I’ll be moderating today’s webcast. Today’s featured speakers are Christy Peel, former Global Information Security and Risk Officer, G2000 Pharma, and Phil Neray, VP of IoT & Industrial Cybersecurity at CyberX. If during the webcast you have any questions for our presenters, please enter them into the questions window located on the GoToWebinar interface at any time. Please note that this webcast is being recorded and a copy of the slides and recording of this webcast will be available for viewing later today and can be found on the SANS registration page. And with that, I’d like to hand the webcast over to Phil.

Phil Neray:

Good morning everyone. My name is Phil Neray and I’m with CyberX, and I’m pleased to be joined today by Christy Peel, who was just recently Global Information Security and Risk Officer at a major pharmaceutical and life sciences company. As we know, healthcare and life sciences organizations are vital for the health and wellbeing of the planet now more than ever. So I’m thrilled to have her here today to talk about securing IoT devices in those environments.

Just a few words about myself: I started my career as an electrical engineer working in Hydro-Quebec and for Schlumberger on oil rigs. I spent most of my career in information security, most recently in ICS and IoT security. I’m going to start with a few slides to set the stage and then hand it over to Christy in a second.

So I just want to start with how everyone has a different idea of what an IoT device might be, and most organizations don’t know where all their IoT devices are actually located. If you look here, IoT devices can include everything from standard office equipment, like voice over IP phones and smart TVs, to building management systems and security cameras, which, regardless of the industry you belong to, you likely have to control who gets access to your buildings and to control the temperature and the air conditioning in your building. Many organizations end up having, without knowing, various consumer devices connected to their networks, and I think Christy might have a little story about that coming up. Then we can just see in other industries, like retail and labs in healthcare, that we’re going to be talking about today, and certainly in the industrial environment we see either older equipment like PLCs and HMIs, and also more recently the adoption of industrial IoT equipment to optimize production processes, like temperature sensors and vibration sensors used for applications such as predictive maintenance and predictive analytics.

So I’m going to go through a couple of threat scenarios just to set the stage for what is going on in the world today with adversaries going after IoT devices. The first one is a campaign that Microsoft announced last summer in which adversaries were exploiting vulnerabilities in voice over IP phones to gain access to corporate networks where they then went after intellectual property. The voice over IP phone had default credentials. This is a very common scenario with IoT devices. It was exposed to the internet, which made it a great candidate as a target for adversaries, and once they were in there, they essentially used it as a springboard to pivot into the corporate network.

A second example is the VPNFilter campaign that was announced or discovered last year by Cisco. In this case, they were exploiting vulnerabilities in routers to gain access to the router itself, install their malware, after which the malware was used to perform man-in-the-middle attacks, packet sniffing, running Nmap to explore what was in the network, and potentially exploiting endpoint devices as well through that mechanism. And again, the router is a perfect candidate as a target because it’s exposed to the internet on one side, to the corporate network on the other side, they’re difficult to patch, and they’re often misconfigured. We had a similar situation with some power utilities in the western area of the United States being compromised through routers that were exposed to the internet and had not been patched.

The next example is one in which over 500,000 attacks a day are occurring on smart building access control systems. Again, using vulnerabilities in this case that the manufacturer has never even issued a patch for. So these are CVEs that anybody can go look up, figure out how to exploit, and then go after these smart building access control systems. And this is also a common scenario where the manufacturer of the IoT device is much more interested in producing low cost, high volume devices without spending a lot of time on building security or making sure that they’re issuing patches for them on a regular basis.

Then the final example is ransomware. We’ve seen ransomware, of course, shut down all kinds of organizations, but more recently we saw it shutting down maritime ports by going after IoT devices there, like security cameras. We’ve seen it shut down factories, as in the Norsk Hydro incident last year that was compromised through LockerGoga malware that exploited vulnerabilities in SMB, after which they pivoted to Active Directory, installed malicious scripts there, which then spread like worms to all of the other devices. And of course, we’ve seen ransomware shut down all kinds of facilities, so it’s easy to imagine that they could go after IoT devices anywhere to either cause mischief, get money, or in the case of a nation state attack, steal intellectual property.

So why are IoT devices such ideal targets? We’ve talked about some of the reasons, but another reason is that there are a lot of them and the number of them is going to increase over time, such that if you’re a CIO or a CISO, you’re soon going to be responsible for protecting three times the number of endpoints that you previously managed. So the attack surface is increasing dramatically and that makes them a great target.

One of the main reasons why they’re ideal targets for adversaries is that you can’t put agents on IoT devices. So if you’re a modern IT security organization, you’ve probably put one or several agents on all your desktops and servers. You’ve probably got a Splunk agent, you’ve probably got an antivirus agent, you may have an agent to monitor, you might have an EDR agent on that – but you can’t do the same with these IoT devices. So they are unseen, invisible to your IT department, typically unpatched. As we said, they weren’t designed with security in mind. Often the software in those devices is cobbled together from various open source components that the manufacturer finds on the web, and they often have weaker default credentials. So once again, that makes them ideal candidates for exploitation.

And because they increase the attack surface, they also increase business risk. Some examples here… we talked about ransomware. Theft of IP and trade secrets, particularly important in the healthcare and life sciences environment where you might spend years developing a new drug. They get herded into DDoS botnets and cryptojacking, and you might think, “Well I don’t care. That doesn’t bother my organization.” But they’re stealing CPU cycles from your devices, reducing the efficiency of your own network, and it’s not something you want to have happen. And then if you think of the most extreme scenarios, such as turning off the air conditioning or elevator systems in a modern hotel chain in the middle of summer in Las Vegas, you can see that this can lead to some pretty serious safety incidents. If you think about hijacking devices in a pharmaceutical plant or life sciences environment that’s using chemicals to do their experiments or to build the pharmaceuticals, you can see that that can lead to large scale environmental incidents as well.

So Gartner recently put out a report – and you can get the full report for free from our website – in which they said: number one, many enterprises aren’t aware of the cyber-physical systems, the term that Gartner has coined to describe devices that interface between the digital world and the physical world. They see the financial impact of attacks on cyber-physical systems leading to much higher financial loss than anything we’ve seen with data security breaches. So instead of just talking about protecting data, we’re going to need to protect against safety and environmental impacts. As a result, global governments are going to pass laws to hold C-level executives personally liable, in the same way they did with Sarbanes-Oxley for example, if they aren’t doing what they should be doing to create safety and security first enterprises. And you can see how that might include making sure that the security of their IoT devices is being covered adequately.

And then finally, something we’ve already seen happen in the industrial world, in the ICS or OT security domain, which is that you need a single organization to be responsible for security in a centrally controlled way. Whether that’s IT security, whether it’s OT or CPS security, you need to have that centered in a central way. You have a SOC, you have analysts that have been trained on how to investigate these types of incidents. Yes, there are differences across IT breaches, OT breaches, IoT breaches. So there are some differences, but there are a lot more similarities. If you look at the MITRE ATT&CK framework for ICS, something like 80% of the tactics and techniques described are common across both. So you need a single organization to handle it. Now what I’d like to do is hand it over to Christy, who’s going to talk about the specifics of IT security in these environments.

Christy Peel:

Thanks Phil. My name is Christy Peel. I was formerly a Global Information Security Officer and Risk Manager for a major pharmaceutical and life sciences organization. A little bit more history around me is that I have computer science and mathematics degrees, so I started up in the software development sector, so I have the tech credentials behind the really long title. I’ve been fortunate enough to work in both the energy sector, designing security systems, as well as the life sciences sector as my career moved on. So Phil asked me to talk a little bit about IoT in healthcare and life sciences today, and to be able to have that conversation, I need to actually give everyone the context around the drivers and motivations of our top security concerns in this sector.

So everything that we do in life sciences and pharmaceuticals really comes down to not just patient safety, but human safety. This is our number one driver, everything from the data integrity of our sensors to our scientific research. There is a large compliance framework around this – good practice is one, all about ensuring the integrity of our information. Also with respect to human safety, we are hugely concerned and always cognizant of data privacy issues, because we are housing either anonymized or pseudonymized patient data or PHI, so healthcare-related information. There are a lot of compliance frameworks around this that we must be aware of on a global scale, and every country has their own compliance and regulatory frameworks that we have to be aware of, so it’s ever-changing.

Another major aspect of human safety or patient safety is really the availability. So for us, depending on if you’re in pharmaceutical manufacturing or pharmaceutical development or life sciences research, there are things like, do we have reliable supply chains? Do we have our computation time to do a lot of assays, some transformations on large datasets? And by large, I mean multiple petabytes of data. Because we’re in a lab environment, the controls around those lab environments, from everything with our systems, our sensors, to our HVAC systems, they have to be online. So that’s another really big driver and it all comes back to safety, because ultimately what we’re doing is we’re trying to treat diseases and save lives. So while most people think that OT and manufacturing solutions are really in the plants actually producing drugs, it’s not really well known, well maybe more now, that for a single drug you have between 12 to 15 years of just research behind it. So while you’ll hear more around OT and IoT in the manufacturing environment, within those earlier pipeline phases, before we get to one drug, we’re whittling down tens of thousands of drugs. And in these environments we have a lot of labs and a lot of heterogeneous mixtures of sensors. The further in the pipeline you get, so past in vitro toxicity, the more regulated you go. So further to the right in this pipeline, more regulatory requirements are placed, especially once you even dabble within human studies. Ultimately the goal is to get one new drug into the plant, helping treat patients. So going back to a comment earlier, you really need to understand the risk profile for your organization.

So I’m talking basic CIA triad here, and with regards to life sciences, it really is different depending on which life science organization that you’re actually dealing with. If you’re dealing with early drug discovery and you’re talking to chemists and you’re trying to essentially find targets for diseases and treatments for targets, you’re not necessarily concerned about the confidentiality because we haven’t patented anything yet. You’re concerned about the availability because you do want your data to come back, but you’re highly concerned about the scientific integrity of your information. So that’s just life sciences, so if you plot them on a profile over each other, pharmaceutical manufacturing really cares about the availability of the drug, so how much we’re able to take out or produce through our pipeline to go to market at that point because we’re actually manufacturing it.

Confidentiality, believe it or not, is not necessarily as high as when you first market a drug, because once you market a drug, you have a time window of when that drug will go into generic. And then again, integrity, it comes down to the formulation of the drug. I need to ensure that every single compound that comes off that line is exactly identical and has exactly the same makeup as that 15 years of research has given evidence to and credence to. And then if you just look at pharmaceutical development, they care about everything. So it’s the confidentiality of their drugs, the availability of the information, and then the integrity of it, everything from the chain of evidence of research to actually getting it out to market. And then the last thing you need to understand about these organizations is that you need to understand that the population that makes up these organizations, so this is classic Rogers’ bell curve, or Rogers’ innovation adoption life cycle.

In early drug discovery, your population base is going to be mostly scientists who consider themselves either early adopters or innovators. Their job is to think completely differently and to come up with novel and different approaches to solving incredibly complicated and challenging problems. So that actual population set within your organization is going to be really risk-averse and really embracing new technology. That being said, it doesn’t necessarily mean that pharmaceutical manufacturing or pharmaceutical organizations fall into this latter half of laggards, it is just that they have more compliance and regulatory requirements that will add overhead. So while they may or may not want to embrace more innovative approaches, they may not be able to at such a velocity as early life sciences. So what do you do with all of this? Well, all of this put together gives you an incredibly diverse and wide attack surface.

So you’re dealing with anything with regards to devices on humans and smartwatches, to machines that have been built to just pick certain compounds, or robots that build certain compounds, from banks to heart rate monitors to Raspberry Pis. Because again, our scientists are people who are actually doing drug research. They are also data scientists and they can code as well, to Xboxes. Yes, we’ve had Xboxes onsite, because we’ve had scientists actually request this because of the AR (augmented reality) capabilities of it. And again, wide attack surfaces. Now, some of this equipment in the labs, because they’re dealing either with early, not-quite-in-human information, or they’re dealing with genetic information, because of the regulatory compliance, you’re not going to be able to be on the same patching cycle or operating system as, say, a client or a Windows box that you would give to a certain employee.

This is a completely different timescale because sometimes the jobs that these apps or these robots are doing could be taking months, or they’re part of a protocol that, if anything in that experiment changes, it has to be requalified. So again, what do you actually do? So you have this huge mess of IoT devices. You may or may not be able to see it. So you need to actually think of a couple of questions on how to address this. First of all, like anything, you have to identify what devices are on your network today, and then how do you know which are IoT devices and which are not, how do you know by classification, what are the most vulnerable? And then would you know, if you had an adversary in your network today on your IoT devices, would that actually trigger some alarms?

So to kind of give you the story time that Phil alluded to, a few years ago after the holidays, we had noticed an uptick in new traffic on our guest network, and a lot of different areas and a lot of different parts of the network were going to kind of the same location. So that caused a scare. We were, “What is this?” We had no idea what and where, and we had to do a lot of work just debugging this and trying to figure out where it was on the network. And we were scared. Well, technically we did have an adversary in the network – we didn’t know who this was, we didn’t know what they’re doing. They’re on multiple floors and they are going outside of our on-prem network. Well, it turned out it was Alexa. So what happened was scientists got Alexa for Christmas from their spouses, right? And so they brought them into the office because when you’re in a controlled and clean environment, so you have all your PPE on, you’re dealing with protocols, they can go, “Hey, Alexa, remind me in 20 minutes to check this Petri dish.” And because there’s guest wireless, they just set up the tool to go to guest wireless. So it’s one of those things where if you understand the culture and you understand the need for them, this was a business need that saved them time instead of decontaminating and going and setting the alarm and then re-scrubbing up. So you really have to work with the business and figure out what their needs are. And this is just a minor story. So just that exercise answered your first three questions. Now your job going forward in all of your organizations is, if this was to happen to you, who’s accountable for security incidents? How do you actually have a response to these types of threats?

And then you have to start thinking about how to better segment your network. Because lab environments and lab machinery probably won’t be on the same patching cycle as all of your other endpoints, should you segment that out? Should you segment your IoT networks in another segment altogether, as well as, could you actually add some automation? And then getting to IT requirements and security requirements when it comes to IoT devices, right? IT requirements need to have internet connectivity, they need to be patched. There needs to be, from an enterprise, some vulnerability management on it, asset management, you need to have an asset store. But for security requirements – because you cannot actually touch that device, be it for regulatory, or you just don’t have the right to repair because it’s the actual vendor that owns the operating system, or it’s because it’s a microscope and the vendor who created it is out of business and there’s two in the world and good luck trying to repair it – you have to have something that sits one abstraction layer back. So something honestly that’s agentless, that’s on your network, that’s not going to necessarily touch those devices, but they could still do vulnerability risk management around it and then other integration stacks. So how are you going to get this into your SIEM? How are you going to get this into your ticketing system? It’s also incredibly important how you’re going to make these IoT devices a first citizen with regards to everything else on your network. So I’m going to hand it back to Phil. Those are some lessons learned from us and hopefully this can help you guys looking towards your own networks and helping out and addressing IoT devices.

Phil Neray:

So I’m going to wrap up with a quick summary of who CyberX is and how we can help you if you’re in a healthcare and life sciences organization, or any other organization that has these IoT devices. So the company was founded over six years ago. We are funded by some of the leading Silicon Valley venture firms. One of the differentiating aspects for the company is that we have a patent on our machine-to-machine (M2M) aware threat analytics. What that means is that we’ve developed specialized algorithms for detecting anomalies in M2M communications such as you would find with IoT or ICS devices, and that translates into faster detection of threats with fewer false positives, more accuracy. Most other companies out there are using baselining algorithms that were developed for IT networks, which are non-deterministic, and this patent is for algorithms that were developed for deterministic environments. You can read all about it on our website. It’s based on something called finite state machine analytics. We’ve partnered with some of the leading security companies and MSSPs worldwide, because we recognize that IoT security is part of a larger defense-in-depth strategy and that it makes a lot more sense to forward the alerts that we detect to your Splunk or QRadar system or whatever SIEM you have, than to expect that your SOC analysts are going to be looking at a specialized console. And one of the key differentiators is that we provide fast and automated deployment. We can deploy 20 to 30 sites a month remotely, so the remote aspect is especially important nowadays, and that’s due to the high degree of automation built into the product.

The self-learning eliminates the need to configure any specialized rules or signatures or policies. And it’s all designed to happen out of the box without a lot of manual intervention. So what CyberX has is an agentless platform – that’s important for a number of reasons that Christy described, but it also helps with the fast and easy deployment. So you don’t need to walk around and install agents on all your IoT devices, which don’t support agents in any case. And the key value of asset discovery is that it A) helps you know what you have, but B) helps with segmentation and zero trust projects. If you’re trying to figure out how to segment all your IoT devices onto a separate network, you need to know what devices you have, how they’re communicating with other devices, what kind of cross-subnet communication you’re seeing – and you can’t do that without discovering those devices, profiling them and understanding their behavior.

The second key aspect is risk and vulnerability management, understanding what are the risks. If you can’t patch the devices, how can you mitigate the risk with some kind of compensating control? Often that might take the form of better segmentation, and certainly continuous monitoring is one of the top compensating controls, because if you can’t patch the device or if you can’t segment the device, continuous monitoring allows you to know immediately if your devices have been compromised, if you have threats in your network quickly, and then to do investigation to quickly respond to those threats. If you have IoT devices that have been compromised and are part of a large-scale botnet or DDoS operation, that can reduce efficiency of your network and your devices.

So there’s a side benefit here, unrelated to security, which is making sure your networks and your devices are running in the optimum way. And then finally we talked about the need for a unified approach to security and governance across all of your networks, whether it involves IoT, IT, or ICS. And that relates to integration with existing security tools. One example of that we’re particularly proud of is that we recently announced a partnership with Microsoft, where we’ve integrated with the Azure Security Center for IoT, and with more and more organizations using Azure as a platform to store their data and to run their analytics, that is particularly important. But of course, we’ve also partnered with many of the other security vendors that you have in your environment. We have a native app for Splunk that you can download from the Splunk store. We have native apps for IBM QRadar that you can also download from the IBM site. We’ve integrated with firewalls such as Palo Alto, Cisco, and Fortinet; with NACs, such as from HP Aruba. Many of our customers are using ServiceNow either as a ticketing system that receives our alerts and then can distribute them to the appropriate folks, or we’re also using the ServiceNow CMDB. So once you’ve gathered all this asset information, you can store it in a centralized configuration management database like ServiceNow. We also have customers using Snow and other CMDBs. And you can see on this slide some of the other platforms that we’ve integrated with, again, recognizing that you need a unified approach in your SOC to IoT security.

I want to invite you to visit our knowledge base on the website where you can download free chapters of the book, Hacking ICS Exposed. You can also access our Global Risk Report, which has some of the stats you see here that were collected from real world production networks. So for example, 64% of the sites we analyzed are still running unencrypted passwords, not running antivirus, running unsupported operating systems. We found that 71% of those sites we analyzed are running unsupported Windows operating systems. That’s also true in the IoT and healthcare world where they’re running Windows systems that cannot be changed, as Christy explained. You can also download our Enterprise IoT Buyer’s Guide, and other white papers such as NIST Recommendations for IoT and ICS Security.

I also want to invite you to two upcoming webinars – one that we’re doing on Tuesday with Mundipharma. Again, recognizing that what pharma companies do is critically important to the wellbeing of our planet, now more than ever. And then we also have two other organizations on that webinar: Essity, which is a multibillion-dollar manufacturer of paper and hygiene products, and Adani Enterprises, which is a manufacturer of electricity in one of the top five conglomerates of India, but they also have many other businesses including ports and solar power. And then on April 23rd, we are doing a webinar with Microsoft, Fortinet, and Optiv to talk about securing IoT and OT when you have fewer personnel onsite, which is a common situation nowadays.

I want to take a look at the chat window and see if there are any questions…

Question: Is this passive? Yes, the CyberX platform is passive and agentless within minutes of connecting to a SPAN port on a network switch or connecting to a TAP. We will present a view of all of your assets and how they’re connected to each other and how they’re communicating to each other and then start the learning period using our built-in behavioral analytics.

Question: Can IoT devices be scanned for vulnerabilities? Another great question because the answer is no. You cannot use the typical tools that you would use in an IT environment like Nessus or Nmap – those tools really aren’t effective in an IoT or OT environment for a couple of reasons. Number one, they are actively probing the devices and as a result, they can actually bring down the very devices that you’re trying to protect.

Christy Peel:

Yes, I’ve experienced just that. So there have been cases where if you’re probing your network, you can bring down, if you’re segmented incorrectly, part of your lab instruments as well. And then you’re now going before executives going, “Why did the multimillion-dollar research pipeline go down a little bit?” So yes.

Phil Neray:

Thank you, Christy. So the answer to the question, how do you identify vulnerabilities in IoT and OT devices is that you have to do it at the network layer in an agentless way that’s passive, non-intrusive. As Christy explained, many of these devices operate in sub-millisecond response times. So anything that interrupts that operation can interfere with the experiment that you’re running or the manufacturing process that you’re running. So it’s done at the network layer by identifying what the devices are and looking for any vulnerabilities at that layer, and then again, if you can’t patch them, you have to put in place compensating controls, such as better segmentation and continuous threat monitoring.

Question: What is the cost model and lifecycle support? Well in the case of CyberX, the cost model is typically based on a facility-by-facility basis. We are a software company, not a hardware company. Our technology is deployed as either physical appliances or virtual appliances. And as we mentioned before, it’s available either as 100% on-premises for environments that are not open to the idea of sending their data to the cloud. But in those environments that are, we also offer the technology as a cloud-based service, which has certain advantages as well from an ongoing management point of view. Any other comments that you want to make, Christy?

Christy Peel:

Yeah, my only real comment is that in my experience, these systems are either embedded systems with higher response or availability, and unless there is cognizance and forethought into how you’re going to segment or how these compensating controls work, you will not necessarily know your entire attack surface unless you start including these IoT devices. More and more, in my opinion, IoT devices are a problem space that is still trying to be solved, but OT has already solved it because they had to two years ago.

Phil Neray:

Question: Can CyberX help with zero-day threats? That’s a great question because signatures and IOCs of course are very important, but they only address known threats. The only way to address unknown threats, the ones we’ve never seen before, is with anomaly detection. And that’s where CyberX’s patent on self-learning algorithms is so important, because if the system sees any activity on the network that it’s never seen before or that is unusual in some way, you’ll get an alert. And that could include things like new firmware being loaded onto an IoT device. Of course, that needs to be done from time to time, but it could also be a malicious act where adversaries are putting backdoors into the firmware of those devices. We’ve already seen that in the OT world in the TRITON cyber attack, where the adversary loaded a backdoor into a safety controller for a petrochemical plant. So it’s very important to be able to detect zero-day threats and look for anomalous activity that would indicate potentially a zero-day threat.

Question: Does CyberX support serial devices? The answer is yes. As you know, many of these older systems were or are serial devices, but eventually that traffic shows up on the network as well. So we can identify anomalies with serial devices as well.

Question about IoT: Do they use common ports and services? It’s really all over the map. Some do, some don’t. Certainly, if you look at building management systems, such as the systems that would be controlling heating and air conditioning in your buildings, they have certain protocols that they use such as BACnet. Those are well known ports. Often those devices are also exposed to the internet. At Black Hat and DEF CON this past year, there were some interesting presentations about attackers exploiting vulnerabilities in the BACnet protocol to compromise BMS devices from the internet. But of course, as with any device, adversaries can switch the ports around to try to hide their activities. And that’s also something that would be detected by our platform, which would be the use of a nonstandard port to run a particular application.

Question: Do you have any integration with Forescout? Yes, we do have integration with the Forescout NAC system.

Question: How does your system differ from a normal machine learning-based IDS or IPS? Well, there are a couple of differences. Number one, IDS and IPS systems are well-known for taking a little while to configure because they require configuration of various specific signatures. The CyberX platform does not rely on signatures. It uses the self-learning algorithms to detect anomalies. With respect to the IPS part of that question, the CyberX platform itself does not block or prevent malicious traffic, but through our integration with standard firewall systems and NACs and security orchestration systems, we can quickly cause malicious traffic to be blocked based on the information that we’ve identified from the anomalous traffic.

Well, that’s it for today. I want to thank everybody for sticking around until the end. I encourage you to contact me or [email protected] if you have any further questions or would like to see an in-person demonstration of our technology. Have a great rest of your day. Thank you, Christy, and thank you to the SANS organizers for making this possible.

Jessica Gallis:

Thank you, Phil, and thank you to our speakers, Christy and Phil, for your great presentation, and to CyberX for sponsoring this webcast, which helps bring this content to the SANS community. To our audience, we greatly appreciate you listening, and for a schedule of all upcoming and archived SANS webcasts including this one, please visit sans.org/webcasts. Until next time, take care and we hope to have you back again for the next SANS webcast.