1
00:00:06,040 --> 00:00:09,800
It is actually in the news pretty
much on a monthly, if not weekly

2
00:00:09,839 --> 00:00:16,719
basis, examples of critical equipment being
exposed on the Internet and being breached.

3
00:00:24,640 --> 00:00:29,640
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I'm

4
00:00:29,679 --> 00:00:34,840
here with Andrew Ginter, the vice
president of Industrial Security at Waterfall Security Solutions,

5
00:00:35,079 --> 00:00:38,799
who's going to introduce the subject and
guest of our show today. Andrew,

6
00:00:39,119 --> 00:00:42,079
how's it going. I'm very well, Thank you, Nate. Our

7
00:00:42,079 --> 00:00:46,679
guest today is Robin Berthier. He
is the CEO and co-founder at Network

8
00:00:46,759 --> 00:00:52,640
Perception, and he's going to be
talking to us about machine analysis of network

9
00:00:52,840 --> 00:00:58,039
zoning, so you know, basically
analyzing our networks so we can understand attack

10
00:00:58,119 --> 00:01:04,760
paths. Okay, your interview with
Robin. Hello Robin, and welcome to

11
00:01:04,799 --> 00:01:08,719
the podcast. Before we get started, can you tell our listeners a little

12
00:01:08,760 --> 00:01:12,480
bit about yourself and about the good
work that you're doing at Network Perception.

13
00:01:14,799 --> 00:01:18,799
Thanks Andrew for having me. So, my name is Robin Berthier. I'm

14
00:01:18,840 --> 00:01:25,799
the CEO and co-founder of Network
Perception, a cybersecurity software company. We

15
00:01:25,959 --> 00:01:32,599
help OT networks get understood,
visualized, and analyzed for risks. And

16
00:01:32,799 --> 00:01:38,480
my background is in computer science and
cybersecurity. I grew up in France,

17
00:01:38,560 --> 00:01:45,879
moved to the United States in two
thousand and five for grad school, and

18
00:01:45,920 --> 00:01:55,040
then moved from grad school to Chicago
to launch Network Perception and support the critical

19
00:01:55,079 --> 00:02:01,599
infrastructure industry by developing solutions that help
practitioners in those OT and cyber-physical system

20
00:02:01,719 --> 00:02:08,680
environments. Thanks for that, and
our topic today is analyzing networks, analyzing zoning.

21
00:02:09,159 --> 00:02:14,319
You were on the show six months
ago walking us through your network

22
00:02:14,400 --> 00:02:20,080
modeling tools, your capabilities back then, you know, to remind our listeners.

23
00:02:20,439 --> 00:02:23,919
You know, back then you were
reading and analyzing config files and backups

24
00:02:24,000 --> 00:02:30,080
for firewalls and routers in my recollection. These let you visualize the network.

25
00:02:30,080 --> 00:02:35,560
It lets you, uh, you
know, design a policy, express the

26
00:02:35,599 --> 00:02:39,159
policy to your tool, compare all
of these configurations to the policy. You

27
00:02:39,199 --> 00:02:43,159
know, the policy this machine can
be reachable by those networks, but not

28
00:02:43,199 --> 00:02:47,039
by anything else, and then report
on deviations. You know, is the

29
00:02:47,080 --> 00:02:52,439
network configured the way we think it
ought to be configured? And you know

30
00:02:52,560 --> 00:02:58,199
you're back so you're talking about today. What's new? Is there a new

31
00:02:58,240 --> 00:03:02,639
problem that you're solving? Yes,
So two things are happening. One inside

32
00:03:02,680 --> 00:03:09,759
Network Perception and one outside. Let me
start with the outside, the driving force, first.

33
00:03:10,120 --> 00:03:15,879
So in the last six months,
we've seen an uptick in terms of

34
00:03:17,159 --> 00:03:27,639
interest by organizations with OT networks to
formally verify the segmentation of the environment.

35
00:03:27,719 --> 00:03:31,639
It's becoming more and more of a
priority for them, and I think that's

36
00:03:31,719 --> 00:03:43,080
driven by both more pressure from
adversaries, making sure you have the right access

37
00:03:43,080 --> 00:03:50,520
policy in place to block attackers, to
prevent a breach from spreading to the critical

38
00:03:50,639 --> 00:03:57,639
zones inside your network. And it's
also driven by more stringent regulations we've seen

39
00:03:59,080 --> 00:04:03,439
with NERC CIP, seeing now with the
TSA security directives, it's just more focus

40
00:04:03,759 --> 00:04:15,840
being put around the importance of extremely
robust network segmentation, good hygiene for your

41
00:04:15,879 --> 00:04:23,120
firewalls, and having very precise rules
to only allow traffic on a need to

42
00:04:23,160 --> 00:04:28,800
know basis. And then the second
thing that's happening inside Network Perception is that

43
00:04:28,839 --> 00:04:31,680
we you know, I didn't mention
in my background, but I really have

44
00:04:31,759 --> 00:04:36,439
two passions. One is cybersecurity, the other one is information visualization and

45
00:04:38,000 --> 00:04:45,519
specifically how to present a large amount
of data in concise reports that lead to

46
00:04:45,839 --> 00:04:53,279
efficient decision making. So over the
past couple of quarters, we you know,

47
00:04:53,319 --> 00:05:02,199
reflected on the data analytics that NP-View
provides, and we went back to

48
00:05:02,240 --> 00:05:06,160
the, you know, brainstorming and the
whiteboard to really think how to best

49
00:05:06,279 --> 00:05:13,680
present that information because sometimes, you
know, you start importing configuration files

50
00:05:13,720 --> 00:05:19,439
and you will have thousands or even
tens of thousands of network paths being discovered

51
00:05:19,439 --> 00:05:24,600
by the modeling engine that tells you
the exposure of your different critical assets.

52
00:05:25,160 --> 00:05:30,800
So how do we compress and present
and summarize this information in the way that's

53
00:05:30,839 --> 00:05:34,040
helping you make better decisions in terms
of risk, in terms of, you know,

54
00:05:34,079 --> 00:05:41,800
the risk really to your to your
network. This is of course a

55
00:05:41,959 --> 00:05:47,480
very important subject that Robin is hitting
on here. Network segmentation comes up in

56
00:05:47,519 --> 00:05:54,439
any domain of cybersecurity at some point, relatively frequently. In IT especially,

57
00:05:54,839 --> 00:06:00,399
I can think of a million examples
where an attacker started off with one network

58
00:06:00,439 --> 00:06:04,560
resource and ended up moving their way
through a network because it wasn't segmented enough,

59
00:06:05,519 --> 00:06:13,959
the classic example being the Target breach
back in twenty thirteen, when a phishing

60
00:06:14,000 --> 00:06:23,319
email at a small HVAC provider in
Pittsburgh led through Target's client portal, supplier portal

61
00:06:23,439 --> 00:06:29,680
rather, attackers got into the network
associated with the HVAC systems and ended up

62
00:06:30,000 --> 00:06:34,040
burrowing their way through the Target network
through to their point of sale systems and

63
00:06:34,079 --> 00:06:39,040
then stole a bunch of credit card
information. The story goes on from there.

64
00:06:39,319 --> 00:06:41,920
So all that is to say,
this is very important. You and

65
00:06:41,959 --> 00:06:47,120
I have talked about air gapping and
unidirectional gateways and all of these relevant technologies

66
00:06:47,199 --> 00:06:55,279
before. Absolutely, and you know
where to begin. It is important.

67
00:06:55,839 --> 00:06:59,120
This is why you know, the
first volume, the first volume that was

68
00:06:59,120 --> 00:07:00,759
published in the 62443
series. You know, it's a

69
00:07:00,759 --> 00:07:05,240
fourteen volume set of standards. The
first volume was you know, half of

70
00:07:05,279 --> 00:07:11,319
it was about segmentation IT. You
know, it's that important. And you

71
00:07:11,319 --> 00:07:14,639
know on the OT side, you
know, the to me, the classic

72
00:07:14,720 --> 00:07:18,600
example was the ransomware attack Snake that got
into Honda a couple of years ago.

73
00:07:18,800 --> 00:07:24,079
I mean, there's been lots of
ransomware attacks that had OT consequences, but

74
00:07:24,120 --> 00:07:27,920
that was sort of the uh,
the highest profile one that had you know,

75
00:07:29,079 --> 00:07:32,680
enough enough detail published to be able
to figure out vaguely what happened.

76
00:07:33,160 --> 00:07:38,399
And in my recollection, it was
the bad guys got into the IT network

77
00:07:38,639 --> 00:07:44,040
through the IT to Internet firewall and
pivoted from the IT network into the OT

78
00:07:44,199 --> 00:07:49,360
network, and you know, contaminated
the uh the production line with with ransomware.

79
00:07:49,439 --> 00:07:54,639
You know, operated the ransomware remotely
encrypted stuff blah blah blah. And

80
00:07:54,720 --> 00:07:58,759
so you know, there were firewalls
all the way along there, and uh,

81
00:07:58,800 --> 00:08:03,680
you know what what people don't understand
is, you know when people when

82
00:08:03,720 --> 00:08:09,000
I entered the industry naively, you
know, more than much more than a

83
00:08:09,040 --> 00:08:13,319
decade ago. You know, I
had sort of the same perception everybody else

84
00:08:13,319 --> 00:08:16,879
did. You know, You take
a little encryption, throw a few firewalls

85
00:08:16,920 --> 00:08:20,639
at it, you know, some
VPNs and you're good, right, question

86
00:08:20,759 --> 00:08:26,160
mark. And you know it was
once I started digging into it. I

87
00:08:26,160 --> 00:08:28,519
mean, now, bluntly, I went to
SANS training on firewalls, and I was

88
00:08:28,560 --> 00:08:33,720
appalled. And a couple of years
later I put together my own presentation on

89
00:08:33,840 --> 00:08:37,440
thirteen ways to break a firewall.
You know, what's the low tech way

90
00:08:37,480 --> 00:08:41,320
to break a firewall? You shoulder
surf, you know, the firewall admin that

91
00:08:41,799 --> 00:08:45,679
enters the password and you enter it
yourself later on and add a rule that

92
00:08:45,720 --> 00:08:50,480
says allow all and it's all over. You know, what's the what's the

93
00:08:50,600 --> 00:08:54,480
high tech way to break a firewall? You find a zero day, a bug

94
00:08:54,519 --> 00:08:58,720
that no one else has found in
the firewall. You write code to exploit

95
00:08:58,759 --> 00:09:01,639
the bug. You sneak your way
through the firewall in a way that you

96
00:09:01,679 --> 00:09:03,759
know there is no defense against because
there's no patch for the bug. There's

97
00:09:05,120 --> 00:09:07,919
there's no you know, attack signature
for the attack. It's it's brand new.

98
00:09:09,559 --> 00:09:13,480
You know what's the uh, the
the modern way to break through a

99
00:09:13,480 --> 00:09:16,080
firewall? Well, you know,
we've talked about it countless times. You

100
00:09:16,399 --> 00:09:22,480
get into the IT network, you
you know, trick various ways into people

101
00:09:22,480 --> 00:09:28,159
and technology into into getting domain credentials, and now you give yourself permission to

102
00:09:28,279 --> 00:09:31,440
log in to systems through the firewall, and you know, work your will

103
00:09:31,519 --> 00:09:35,639
upon the target system. You know. Here, here's a pop quiz.

104
00:09:35,759 --> 00:09:41,799
What is the most widely known sort
of the instinctive, the knee jerk reaction?

105
00:09:41,879 --> 00:09:43,639
How do you break through a firewall? What's the most widely known way

106
00:09:43,679 --> 00:09:48,159
through a firewall? Is it like
they do in the movies where you type

107
00:09:48,200 --> 00:09:50,399
a bunch of zeros and ones until
you get a notification that pops

108
00:09:50,440 --> 00:09:58,000
up and says access granted. And
your screen scrolls really fast. No. Good

109
00:09:58,000 --> 00:10:01,399
one, I have no idea.
Okay, you know it's it's the most

110
00:10:01,440 --> 00:10:07,759
widely known is you don't attack the
firewall itself. You you know, every

111
00:10:07,840 --> 00:10:16,120
firewall. People imagine that firewalls protect
industrial systems from cyber attacks. You know,

112
00:10:16,159 --> 00:10:20,159
they give you access to industrial data, but they protect the industrial systems.

113
00:10:20,720 --> 00:10:24,320
In fact, that's not what firewalls
do. What firewalls do is they

114
00:10:24,320 --> 00:10:28,960
give you access to some industrial systems
and hopefully block you from others so that

115
00:10:30,039 --> 00:10:35,720
you can ask those industrial systems for
data. If you ask for data politely,

116
00:10:35,360 --> 00:10:39,840
well you get data back. If
you ask for data impolitely by let's

117
00:10:39,879 --> 00:10:43,799
say, you know, guessing the
admin password instead of going in as your

118
00:10:43,919 --> 00:10:50,840
mere user password. Now you're attacking
the OT system through the firewall. This

119
00:10:50,960 --> 00:10:54,600
is sort of the the the way
that that you know, everyone knows.

120
00:10:54,639 --> 00:10:58,159
Of course, you can attack through
a firewall. The firewall gives you access

121
00:10:58,240 --> 00:11:03,679
to a handful of industrial systems and
lets you send messages to those systems,

122
00:11:03,720 --> 00:11:07,360
and some of those messages can be
attacks. And so you know, this

123
00:11:07,559 --> 00:11:13,480
is you know, back to the
point here with with Robin. If you

124
00:11:13,600 --> 00:11:16,679
can send messages to the OT systems
through the firewalls, you can attack them.

125
00:11:16,720 --> 00:11:20,360
You can pivot attacks into those systems. And so in my understanding,

126
00:11:20,399 --> 00:11:26,200
this is, you know, the
question he's asking of I have you know,

127
00:11:26,399 --> 00:11:30,440
in a refinery, I don't know, dozens and dozens of subnetworks and

128
00:11:30,519 --> 00:11:37,080
dozens of firewalls, and you know
configuration for all of those firewalls. The

129
00:11:37,080 --> 00:11:41,159
most complex would be the IoT firewall, but you know there's other configurations everywhere

130
00:11:41,159 --> 00:11:46,600
else. And the question becomes,
where can I pivot? How many steps

131
00:11:46,639 --> 00:11:48,480
do I have to go through?
How many systems do I have to compromise

132
00:11:48,559 --> 00:11:52,679
before I get from where I am
on the Internet or in the IT network

133
00:11:52,759 --> 00:11:58,399
or whatnot to a target that has
really high value? You know, how

134
00:11:58,399 --> 00:12:01,879
do you do that that? And
this is the kind of analysis that that

135
00:12:01,919 --> 00:12:07,559
his tools are doing, So that
makes sense, you know, pressure from

136
00:12:09,000 --> 00:12:13,240
various kinds of regulators, uh,
you know, pressure from the threat environment,

137
00:12:13,320 --> 00:12:18,360
people caring more about about how their
their networks are configured, and you

138
00:12:18,360 --> 00:12:22,720
know which parts of it are more
or less easily reachable. But if I

139
00:12:22,799 --> 00:12:26,519
recall that was kind of what you
were focused on on the last time as

140
00:12:26,519 --> 00:12:31,879
well, What's what's changed that you
know, you needed to build something new.

141
00:12:33,000 --> 00:12:35,720
So yeah, good question. So
so based on that reflection, we

142
00:12:35,840 --> 00:12:41,200
had to improve presenting a large amount of
data in concise reports, you know,

143
00:12:41,399 --> 00:12:46,360
leading to efficient decision making. We
started to work on a new capability for

144
00:12:46,919 --> 00:12:54,120
the platform that we call a zone
segmentation matrix, and that feature takes your

145
00:12:54,240 --> 00:13:01,840
entire set of connectivity paths in the
environment that you're modeling and presenting it according

146
00:13:01,879 --> 00:13:05,679
to a matrix of zone-to-zone
paths. So in one single screen you

147
00:13:05,720 --> 00:13:16,480
can see at a glance which
network access would present

148
00:13:16,559 --> 00:13:20,759
a risk for your environment. So, for instance, that matrix will reveal

149
00:13:20,799 --> 00:13:26,440
if someone from the corporate network will
have direct access to your SCADA environment,

150
00:13:26,519 --> 00:13:31,639
and if so, on which port.
Before you had to go one by one

151
00:13:31,679 --> 00:13:35,840
into a subnet an asset and then
look at the path in and out of

152
00:13:35,879 --> 00:13:43,679
that asset. Now we're surfacing in
that matrix right away those different results,

153
00:13:43,240 --> 00:13:48,399
and so that that gives you,
you know, a faster way to identify

154
00:13:48,440 --> 00:13:54,360
overly permissive rules, overly permissive
segmentation, or gaps in terms of your

155
00:13:54,360 --> 00:14:01,120
network segmentation. All right, So
the ability to visualize at a glance and

156
00:14:01,200 --> 00:14:05,279
see where problems are in larger network
configurations. That that sounds good in theory,

157
00:14:07,440 --> 00:14:11,159
you know, in practice? You
know, you mentioned, you mentioned

158
00:14:11,200 --> 00:14:16,399
standards, you mentioned drivers. You
know, can you connect the theory the

159
00:14:16,480 --> 00:14:20,720
capability to the practice. How would
you use this for INSM? You

160
00:14:20,720 --> 00:14:24,200
know, can you remind us what
is NERC INSM? I mean,

161
00:14:24,279 --> 00:14:28,600
as a general theme, network
visibility has been a key challenge for

162
00:14:28,480 --> 00:14:39,000
OT infrastructure. You have geographically dispersed
facilities and then some very legacy equipment and

163
00:14:39,080 --> 00:14:46,600
so getting good visibility over those networks
is just difficult. So FERC asked,

164
00:14:46,639 --> 00:14:56,000
a year ago, NERC to start drafting
a standard around Internal Network Security Monitoring,

165
00:14:56,120 --> 00:15:05,159
INSM, and the concept
there would be that even if you implement

166
00:15:05,279 --> 00:15:11,639
good cyber hygiene, even if you
have good proactive defense initiatives in place,

167
00:15:13,799 --> 00:15:18,480
if an adversary is able to breach
your environment, you should have as part

168
00:15:18,480 --> 00:15:26,720
of your defense in depth, you should
have capabilities to monitor suspicious network traffic and

169
00:15:26,799 --> 00:15:31,600
alert you and detect if an attack
is going on. So NERC is in

170
00:15:31,639 --> 00:15:39,519
the process the drafting team in the
process of crafting a revision to the standard

171
00:15:39,559 --> 00:15:46,120
to include a requirement around putting sensors
inside those critical networks in order to capture

172
00:15:46,120 --> 00:15:52,519
the traffic and detect intrusions. It's
still much work in progress. Actually two

173
00:15:52,559 --> 00:15:58,720
days ago was the end of the
voting period for the first version. I

174
00:15:58,759 --> 00:16:02,759
don't think that version was accepted, so it's going to go back to

175
00:16:02,799 --> 00:16:06,799
the drafting team for some changes,
and then we're going to know in the

176
00:16:06,799 --> 00:16:11,960
next few months the final version,
with actual enforcement date in the next couple

177
00:16:11,960 --> 00:16:18,080
of years. But this ties into
that big theme of network visibility, and

178
00:16:18,159 --> 00:16:25,639
for us at Network Perception, it's
really important that we support the industry gaining

179
00:16:25,759 --> 00:16:32,639
a much more precise understanding of those
OT networks, and we see our solution

180
00:16:32,840 --> 00:16:41,559
as extremely complementary to the network traffic
monitoring products that are on the market. We

181
00:16:41,639 --> 00:16:45,759
call this the two sides of network
visibility. So on one side you have

182
00:16:47,039 --> 00:16:51,000
actual network traffic monitoring and then on
the other side you have what will,

183
00:16:51,120 --> 00:16:55,759
which is network modeling. So when
you monitor network traffic, you can see

184
00:16:55,759 --> 00:17:00,039
in real time what's happening and you
can answer questions such as: is something suspicious

185
00:17:00,240 --> 00:17:04,279
occurring now in my network? When
you do modeling, you can answer a

186
00:17:04,279 --> 00:17:08,279
different question, which is what can
connect to what. We covered this in the

187
00:17:08,359 --> 00:17:14,759
last episode of the podcast. Now
with the INSM, the push for

188
00:17:14,839 --> 00:17:19,720
the INSM regulation, we're helping in
two ways. Number one, we can

189
00:17:19,960 --> 00:17:30,119
help organizations to better plan for the
deployment of their sensors, because with NP-View you

190
00:17:30,200 --> 00:17:37,240
can very quickly generate a reference architectural
diagram for your environment just from the config

191
00:17:37,240 --> 00:17:42,039
files of your firewalls, routers and
switches, and so once you have the diagram,

192
00:17:42,240 --> 00:17:48,400
the decision of where to put sensors
in order to capture the correct critical

193
00:17:48,400 --> 00:17:56,079
traffic is easier, specifically with that
zone segmentation matrix that I referred to earlier,

194
00:17:56,119 --> 00:17:59,519
where you have that bird's eye view
and you see what are the critical

195
00:18:00,000 --> 00:18:06,200
connectivity path which zones should be instrumented
with those sensors. And then the second

196
00:18:06,319 --> 00:18:15,039
value is to be able to build
context around the event that you're going to

197
00:18:15,119 --> 00:18:19,160
trigger through that network traffic monitoring sensor. So, for example, you have

198
00:18:19,839 --> 00:18:27,359
a suspicious network connection that connects to
critical equipment, you want to know first,

199
00:18:27,480 --> 00:18:33,799
you know, how critical the equipment is and
what's the source zone of

200
00:18:33,799 --> 00:18:37,160
that traffic, what's the destination zone? And then if that equipment gets compromised,

201
00:18:37,319 --> 00:18:41,599
Where could an attacker go? Like, what are the other paths that

202
00:18:41,680 --> 00:18:45,000
could be taken for this attack to
propagate inside your environment? And

203
00:18:45,039 --> 00:18:51,599
those are the that's the contextual environment, the contextual information that that we can

204
00:18:52,640 --> 00:18:57,759
we can provide for for users.
So, Andrew, it seems to me

205
00:18:57,920 --> 00:19:06,799
that we have spoken with many guests
before about modeling attack paths, about modeling

206
00:19:06,839 --> 00:19:12,799
networks and such. What is the
exact distinction in what Robin's talking about here?

207
00:19:14,640 --> 00:19:18,880
Where to begin? Robin, I
think actually later in the episode says

208
00:19:18,920 --> 00:19:22,440
this, So I'm going to repeat
what he says in a moment, but

209
00:19:22,519 --> 00:19:27,880
I think I recall him saying drawing
a distinction between intrusion detection looking at network

210
00:19:27,960 --> 00:19:36,480
packets and the kind of analysis that
his tools do. Intrusion detection looks at

211
00:19:36,640 --> 00:19:41,519
what connections are happening, and if
you see an unusual connection, one that

212
00:19:41,519 --> 00:19:45,519
you haven't seen before, you might
raise an alarm saying someone should look at

213
00:19:45,519 --> 00:19:48,839
this. I've never seen this before. So it looks at what's happening the

214
00:19:48,880 --> 00:19:55,880
attack. The analysis tool that Robin
has doesn't look at what's happening. He

215
00:19:55,880 --> 00:19:59,720
looks at what's possible. He looks
at the firewall configurations and says, well,

216
00:20:00,319 --> 00:20:03,079
this device here could connect to that
device there. The firewall allows it,

217
00:20:03,480 --> 00:20:07,119
whether or not it's currently happening.
IDS is what's currently happening. And

218
00:20:07,160 --> 00:20:11,440
you know, his tool talks about
what could happen to you. I guess

219
00:20:11,440 --> 00:20:17,240
I'm kind of surprised that that's actually
never been covered before in all of our

220
00:20:17,279 --> 00:20:21,799
previous discussions. You know, I
could be wrong. I don't recall it

221
00:20:21,799 --> 00:20:23,599
has been covered, but you know, we're at one hundred and twenty episodes.

222
00:20:23,640 --> 00:20:29,839
My memory fails sometimes. I do
remember that something like this we talked

223
00:20:29,839 --> 00:20:34,559
about with Terry Ingoldsby at Amenaza.
You know, his company does the attack

224
00:20:34,680 --> 00:20:40,160
tree analysis where he says, well, you know, how could you get

225
00:20:40,200 --> 00:20:42,440
from you know, a source the
Internet, a source of an attack,

226
00:20:44,440 --> 00:20:48,400
you know, or a malicious insider
sitting at that workstation or whatever. How

227
00:20:48,400 --> 00:20:51,480
could you get from a source of
an attack to a high value target.

228
00:20:51,759 --> 00:20:53,599
Well, first you'd have to break
into this machine. Then you'd have to

229
00:20:53,759 --> 00:20:57,880
get through that firewall. Then you'd
have to and each step he assigns a

230
00:20:57,920 --> 00:21:03,400
weight indicator how difficult it is to
do that, how capable the adversary has

231
00:21:03,440 --> 00:21:07,599
to be, and he puts together, you know, all of the possibilities

232
00:21:07,599 --> 00:21:12,480
into a ridiculous number, sometimes literally
over a billion possible attack paths, weighs

233
00:21:12,519 --> 00:21:17,480
them all and says, here's the
bit you should be worried about. But

234
00:21:18,359 --> 00:21:22,720
in my recollection that I could be
wrong. You know, his tool looked

235
00:21:22,720 --> 00:21:29,519
at things sort of a little bit
generally, whereas what Robin's tool is doing,

236
00:21:29,519 --> 00:21:32,599
what you know network perception is doing, is looking at the config files

237
00:21:32,759 --> 00:21:37,599
for the firewalls and saying, here's
everything that's possible, not sort of generally.

238
00:21:37,640 --> 00:21:41,400
Well, you know, you an
attack could pivot through the firewall.

239
00:21:41,599 --> 00:21:45,599
He would say, well, these
machines here can talk to those machines there.

240
00:21:45,640 --> 00:21:48,920
That's all the firewall allows. And
so he's doing that sort of detailed

241
00:21:48,960 --> 00:21:56,640
analysis that I'm not aware that other
people are doing. IDS is, you know,

242
00:21:56,680 --> 00:22:03,839
what is happening? You're talking about
context? Are you connecting? Are you

243
00:22:03,920 --> 00:22:07,799
supplying that context in a sense in
real time? Are you are you taking

244
00:22:07,799 --> 00:22:12,200
the alarms in and analyzing the IP
addresses and you know somehow augmenting them.

245
00:22:14,400 --> 00:22:18,480
So step by step we are.
So we started to develop integration with the

246
00:22:18,559 --> 00:22:25,680
IDS vendors to be able to first
enrich the topology map that we generate

247
00:22:25,960 --> 00:22:32,559
with the asset and equipment that has
been detected as communicating on the network.

248
00:22:32,759 --> 00:22:36,559
Because you know, so far,
when we create a map, we are

249
00:22:36,599 --> 00:22:42,480
inferring the presence of endpoints based on
references that we extract from the configurations of

250
00:22:42,640 --> 00:22:47,640
firewalls, routers and switches. But
we don't know for sure that for those IP

251
00:22:47,680 --> 00:22:52,960
addresses there is equipment behind them. But if you start integrating with your

252
00:22:52,000 --> 00:22:59,519
network scanners, your asset inventory solution, your IDS providers, then we can

253
00:23:00,359 --> 00:23:04,240
turn those inferences into actual endpoints
communicating and being present on the network,

254
00:23:04,240 --> 00:23:11,720
which is enriching your map.
So that part is, you know,

255
00:23:12,720 --> 00:23:19,359
you have a prototype available today. The
next phase in that roadmap is to be

256
00:23:19,400 --> 00:23:26,200
able to also visualize the network traffic
directly in the NP-View map. So that's

257
00:23:26,200 --> 00:23:30,960
something on which we're actively working right
now. You can leverage NP-View to contextualize,

258
00:23:32,359 --> 00:23:37,119
but that's not yet you know,
automated through integration, So that makes

259
00:23:37,160 --> 00:23:41,799
sense. Another thing that that you
said that intrigued me. You're you're you

260
00:23:41,799 --> 00:23:48,720
know, you said, figure out
where the adversary can go if an intrusion

261
00:23:48,759 --> 00:23:52,720
detection system, an IDS, is alarming about
a particular asset that appears to have been

262
00:23:52,720 --> 00:23:56,920
compromised and is now sending out probes
and and attacks to other or you know,

263
00:23:56,960 --> 00:24:00,359
suspicious traffic to other assets. This
is pivoting. This is using a

264
00:24:00,400 --> 00:24:03,960
compromised machine. You know, I heard you say that you could

265
00:24:04,039 --> 00:24:08,000
figure out what what we're you know, what assets were at risk by a

266
00:24:08,039 --> 00:24:12,519
pivoting attack, given you know that
a certain asset might have been taken over.

267
00:24:12,599 --> 00:24:17,160
Well, you know, in the
worst case, if an adversary is

268
00:24:17,319 --> 00:24:22,079
you know, taking advantage of I
don't know, known vulnerabilities, exploiting vulnerabilities,

269
00:24:22,480 --> 00:24:26,880
and you know a lot of control
systems are they have they're not fully

270
00:24:26,920 --> 00:24:30,880
patched. It's hard to patch these
systems because of reliability concerns, because of

271
00:24:30,920 --> 00:24:36,759
safety concerns. Sometimes in the worst
case, you can pivot to you know,

272
00:24:37,000 --> 00:24:41,240
arguably everything on the local network and
everything through firewalls that anything on the

273
00:24:41,240 --> 00:24:45,160
local network can reach. It
does little good if you take over one

274
00:24:45,200 --> 00:24:49,319
asset to take your entire you know, zoned network map and turn the whole

275
00:24:49,319 --> 00:24:53,200
thing red and say this is where
they can go. Eventually, I'm guessing

276
00:24:53,240 --> 00:24:56,839
you've got something finer grained, can
you talk about, you know, what

277
00:24:56,920 --> 00:24:59,480
you actually show people is it?
Is it one or two steps ahead?

278
00:24:59,559 --> 00:25:02,400
Is it something thing else? What
you know, other than the whole thing

279
00:25:02,480 --> 00:25:07,920
lighting up. Yeah, that's a
great question. So currently we're looking four

280
00:25:07,920 --> 00:25:12,200
steps ahead. So what we do
is to leverage our understanding of your network

281
00:25:12,240 --> 00:25:18,359
segmentation. So based on your access
policy, firewalls, routers and switches,

282
00:25:19,920 --> 00:25:26,440
what are the pivots from one subnet
to another subnet. Now within a single local

283
00:25:26,480 --> 00:25:30,440
area network. To your point,
it's game over, right if you have

284
00:25:30,559 --> 00:25:37,279
one, if you have one equipment
compromised, and then that switch is not

285
00:25:37,119 --> 00:25:41,160
segmenting the network into two VLANs, so
you have pretty much everything can talk to

286
00:25:41,160 --> 00:25:45,920
everything else in that one subnet. Then there's not much you can do.

287
00:25:48,079 --> 00:25:51,880
Where we're refining the analysis
there is to be able to ingest also

288
00:25:52,839 --> 00:25:59,400
the reports from vulnerability scanners. So
if you scan that environment, either active scanning

289
00:25:59,640 --> 00:26:07,279
or passive monitoring, to extract which
IP addresses are hosting applications where you have

290
00:26:07,319 --> 00:26:11,759
a vulnerability, then we are planning
to refine that analysis to show you exactly,

291
00:26:11,799 --> 00:26:15,440
you know, which CVE
could be exploited on which ports and services.

292
00:26:17,079 --> 00:26:25,599
But that really leads to the discussion
around actually the importance of reducing the

293
00:26:25,640 --> 00:26:29,160
size of your segments, you know,
the whole macro segmentation movement, right,

294
00:26:29,200 --> 00:26:33,640
So instead of having a giant,
uh, you know, local area network

295
00:26:33,720 --> 00:26:42,839
with dozens of IP addresses, segmenting with
VLANs, or segmenting with actual firewall access

296
00:26:42,839 --> 00:26:49,880
control, to be able to group equipment by
level of criticality and function, so

297
00:26:49,920 --> 00:26:56,920
that if something is compromised, then
you contain within a very small zone that

298
00:26:57,039 --> 00:27:03,960
breach. Mm hmm. So Nate, I don't know if it

299
00:27:03,000 --> 00:27:07,000
was completely clear, but what I
just heard Robin say there was that this

300
00:27:07,200 --> 00:27:14,119
tool is helping us answer the question, you know, how should we design

301
00:27:14,319 --> 00:27:18,640
our networks, how should we segment
our networks? I mean,

302
00:27:18,799 --> 00:27:22,880
you look at the Internet. You
look at the threats out there. Nation

303
00:27:22,960 --> 00:27:26,160
states are out there stirring the pot. Ransomware is out there. Some of

304
00:27:26,160 --> 00:27:30,920
the ransomware is backed by nation states. They've got the capabilities of nation states.

305
00:27:30,440 --> 00:27:34,160
Some of the ransomware is rich enough
to buy their own nation state tools,

306
00:27:34,519 --> 00:27:37,960
or rich enough to build their own
nation state grade tools. So what's

307
00:27:37,960 --> 00:27:44,000
coming at us across the Internet can
be really nasty, and you know,

308
00:27:44,079 --> 00:27:48,400
the bad part about these ransomware
with nation state tools is, unlike nation states,

309
00:27:48,400 --> 00:27:52,200
they're not just going to go after
important targets. They're going to go

310
00:27:52,240 --> 00:27:56,599
after everybody with money. So if
that grade of ransomware is coming after us,

311
00:27:56,599 --> 00:28:00,559
we've got to ask the question,
you know, have we designed

312
00:28:00,559 --> 00:28:04,440
our networks in such a way as
to defend them properly. So we look

313
00:28:04,480 --> 00:28:07,480
at our networks, and you know, generally you've got two kinds of networks.

314
00:28:07,519 --> 00:28:12,119
You've got networks where the worst case
compromise, if it occurs, is

315
00:28:12,200 --> 00:28:19,359
unacceptable, you know, rail switching
systems, safety systems, and there's other

316
00:28:19,440 --> 00:28:23,440
networks where, well, if we
get compromised, you know, we kind

317
00:28:23,480 --> 00:28:27,359
of want to recover quickly, and
we want our insurance companies to pay us

318
00:28:27,359 --> 00:28:32,680
out. But you know, it's
it's a big deal, but it's not

319
00:28:32,720 --> 00:28:38,279
the end of the world. So
in both cases, in both kinds of

320
00:28:38,279 --> 00:28:42,359
networks, we've got to figure out
how exposed we are. If a bad

321
00:28:42,400 --> 00:28:47,039
guy from the Internet wants to get
in, how many steps do they have

322
00:28:47,119 --> 00:28:49,559
to go through? How many machines
do they have to compromise and then pivot

323
00:28:49,680 --> 00:28:55,119
use the compromised machine to reach through
the next layer of firewall to compromise another

324
00:28:55,200 --> 00:28:59,599
machine. And what Robin's saying is
that they're starting to integrate this tool not

325
00:28:59,839 --> 00:29:03,400
just with the network diagrams to count
the steps, but to look at the

326
00:29:03,519 --> 00:29:11,279
vulnerabilities in each of these targets and
ask the question, how hard is it

327
00:29:11,480 --> 00:29:15,000
to carry out the next pivot.
So, for example, if we have

328
00:29:15,359 --> 00:29:22,680
a really important system, very deep
in our networks, and it turns out

329
00:29:22,680 --> 00:29:26,839
that we've designed the network, we've
broken it not just into one big network

330
00:29:26,880 --> 00:29:30,200
you're in, you're in. You
know, Robin's saying, let's talk about

331
00:29:30,440 --> 00:29:33,880
finer grained segmentation, micro segmentation.
If you break it into small networks and

332
00:29:33,920 --> 00:29:37,279
you've got to get from one small
network into another one into another one,

333
00:29:37,359 --> 00:29:41,519
let's say three or four hops in, and two of those hops have to

334
00:29:41,640 --> 00:29:51,160
pass through a machine that has zero
known vulnerabilities in it. Well, suddenly

335
00:29:51,559 --> 00:29:55,000
the bad guys, if they want
to get in, they've got to conjure

336
00:29:55,079 --> 00:30:02,119
up two zero days to punch through
that kind of segmentation. That's expensive.

337
00:30:02,279 --> 00:30:07,359
And so you know, it's not
just how many hops that are being counted

338
00:30:07,359 --> 00:30:11,960
here, but, you know,
it sounds like what we can start doing

339
00:30:11,000 --> 00:30:15,240
with this kind of system that Robin's
putting together is getting insights into really how

340
00:30:15,279 --> 00:30:25,160
thoroughly protected or not our networks are. So that all sounds good. You

341
00:30:25,160 --> 00:30:27,920
know, I'm going to ask you
in a moment for sort of examples and

342
00:30:29,000 --> 00:30:32,680
experience. But before I get to
that, let me ask you about

343
00:30:32,720 --> 00:30:37,559
availability of this new capability. You know, I can't ask you for examples if

344
00:30:37,599 --> 00:30:40,720
it hasn't been released yet or, you
know, at least is available in beta.

345
00:30:40,799 --> 00:30:45,759
What's the status of this new development
here? Yes, so we are

346
00:30:45,799 --> 00:30:52,680
actively working with a few different
partners on finalizing that release, and we're

347
00:30:52,720 --> 00:30:57,880
actually getting super close to releasing that
to the market. So we're planning to

348
00:30:59,119 --> 00:31:04,839
have a launch of the latest version
of NP-View that includes the zone segmentation metrics

349
00:31:07,559 --> 00:31:11,440
at the S4 conference in early March.
Okay, so then let me ask you

350
00:31:11,480 --> 00:31:15,880
the hard question about experience.
You know, do you have beta customers?

351
00:31:15,920 --> 00:31:18,720
Do you have, you know, sites where
you've been trying this out? You

352
00:31:18,720 --> 00:31:22,519
know, who've been working with you? How is it working? What are

353
00:31:22,559 --> 00:31:26,400
these people learning? What kind of
feedback are you getting? You know,

354
00:31:26,440 --> 00:31:30,200
how's it going? Especially this, uh, this whole pivoting concept sounds

355
00:31:30,240 --> 00:31:33,200
interesting? Have you got any examples
of that? Yes, so on the

356
00:31:33,279 --> 00:31:40,960
R&D partner, we are, you know, working closely with them to deploy that

357
00:31:41,039 --> 00:31:47,119
solution and inform them with what we
call the stepping stone map. And that's, you

358
00:31:47,119 --> 00:31:51,400
know, what you referred to earlier with the
pivoting. And so what's interesting is that

359
00:31:51,720 --> 00:31:56,920
while we don't have, you know, an
example of an actual network breach yet to illustrate

360
00:31:57,759 --> 00:32:07,759
the value of it, we observe
just the initial value of enabling stakeholders

361
00:32:07,799 --> 00:32:15,480
from different teams and different backgrounds to
understand finally, like, how, you know, the network

362
00:32:15,559 --> 00:32:22,359
environment is configured and what segmentation means
and how things are protected, you know.

363
00:32:22,400 --> 00:32:25,079
With the visual map and this,
you know, lighting up the pivoting

364
00:32:25,079 --> 00:32:30,319
points, you put risk in context. And whether you are from compliance or

365
00:32:30,359 --> 00:32:37,599
cybersecurity or networking, whether you are
a technical person or you are in,

366
00:32:37,720 --> 00:32:42,599
you know, leadership, the picture helps everyone

367
00:32:42,720 --> 00:32:47,519
to have the same language to discuss
those concepts, which can be pretty complex

368
00:32:47,599 --> 00:32:55,119
with the size and sophistication of networks
today. So the feature and the capability

369
00:32:55,119 --> 00:33:00,279
and the visual rendition of it has
been received extremely well by all of our,

370
00:33:00,480 --> 00:33:05,400
you know, beta testers. Okay,
so let me ask you, what if I

371
00:33:05,400 --> 00:33:12,279
mean, if I have a complex
network and I've got high value assets buried

372
00:33:12,440 --> 00:33:16,119
deep in that network somewhere, protective relays
or safety instrumented systems or, I don't know,

373
00:33:16,799 --> 00:33:22,039
leak detection systems. What do I
know? You've got high value assets and

374
00:33:22,759 --> 00:33:29,039
you know the pivoting path that I
worry about is from a command and control

375
00:33:29,079 --> 00:33:32,319
center on the internet. Can I
ask you, you know, is it

376
00:33:32,359 --> 00:33:38,480
possible to take your tool and say
I'm worried about an attack from the internet.

377
00:33:39,279 --> 00:33:45,480
What's the shortest, the easiest path
to get from the Internet into these

378
00:33:45,559 --> 00:33:49,880
high value assets? And you know, is that possible? And you know,

379
00:33:49,960 --> 00:33:52,000
do people start seeing things, their
eyes open, and go, oh

380
00:33:52,039 --> 00:33:57,079
shoot, I forgot about that.
You know? Is that doable

381
00:33:57,079 --> 00:34:00,680
with your technology? Yes. So
it's actually pretty interesting, like every

382
00:34:00,720 --> 00:34:09,320
time we run the analysis for the first
time, you know, there are insights.

383
00:34:09,559 --> 00:34:15,960
I can't remember, like, a
single example where someone saw the result of

384
00:34:15,000 --> 00:34:19,159
that stepping stone map and didn't tell
us, Oh, I didn't know that

385
00:34:19,239 --> 00:34:24,320
this was possible. You know, I didn't know that this access was,

386
00:34:25,599 --> 00:34:30,360
you know, was doing board in
that environment? But so the way we

387
00:34:30,440 --> 00:34:36,000
do it, and often, you know,
you start importing some config files

388
00:34:36,000 --> 00:34:42,960
into the platform. They may not
cover all your network path all the way

389
00:34:43,039 --> 00:34:45,599
to the Internet, because
you start with your own critical environment,

390
00:34:45,639 --> 00:34:50,519
with your critical assets and an ESP, in
the case of NERC. What we

391
00:34:50,559 --> 00:34:58,280
do is that when we parse
the config files, we extract the routing

392
00:34:58,360 --> 00:35:02,199
table, and specifically the default routes,
and so we know that Internet traffic or

393
00:35:02,800 --> 00:35:07,360
external traffic would come from a specific
gateway. We put the gateway in the

394
00:35:07,400 --> 00:35:16,119
map and then we have actually default
template routers that you can also import in

395
00:35:16,159 --> 00:35:23,800
addition to your actual equipment in order
to close the gaps between the environment you're mapping

396
00:35:24,000 --> 00:35:30,079
with the network that's connecting to the
external world. And that allows us to

397
00:35:30,639 --> 00:35:34,840
bridge and connect the different islands that
you could see in the network map.

398
00:35:36,039 --> 00:35:39,199
And then we launch the stepping stone
map from that external gateway, and you're going

399
00:35:39,239 --> 00:35:45,559
to see in one, two,
three, or four hops which nodes could

400
00:35:45,599 --> 00:35:50,880
be used as pivots for an adversary
starting from the external zone to go all

401
00:35:50,920 --> 00:35:57,960
the way to your critical equipment.
Right now, this analysis is agnostic of

402
00:35:58,119 --> 00:36:01,599
your vulnerabilities, but we're working to
be able to filter it down to prune

403
00:36:02,639 --> 00:36:08,159
that set of capabilities, the set
of possible paths that we identified, into, you

404
00:36:08,199 --> 00:36:13,480
know, to your point, the
shortest or easiest path based on vulnerability information,

405
00:36:13,880 --> 00:36:20,920
which hosts have an outdated application or
something that could be exploited, and

406
00:36:21,039 --> 00:36:27,159
matching a port or service that's available
based on your firewall rules, like really connecting

407
00:36:27,199 --> 00:36:30,480
the dots and combining those two data
sets into an insight for you to know,

408
00:36:30,760 --> 00:36:35,920
like which path is the riskiest
in your network? So, you know,

409
00:36:36,039 --> 00:36:38,199
what you're saying here, it actually
reminds me of, you know, an

410
00:36:38,280 --> 00:36:43,239
experience in my past. I was
at Industrial Defender. I was working with

411
00:36:43,320 --> 00:36:49,199
Jonathan Palaya, a very capable penetration
tester. You know, we were not

412
00:36:49,320 --> 00:36:52,239
doing a pen test. Uh,
the business had been contracted with a customer

413
00:36:52,320 --> 00:36:57,159
to look at some network diagrams and,
you know, some systems, do a risk

414
00:36:57,199 --> 00:37:01,840
assessment basically, and we did not
have any kind of technology like this.

415
00:37:02,119 --> 00:37:06,920
And so I remember Jonathan sat down
with I don't know, you know,

416
00:37:07,079 --> 00:37:12,360
seventeen three-foot by five-foot as-built
network diagrams, big massive things full

417
00:37:12,360 --> 00:37:16,159
of you know, wiring diagrams and
he's paging through these things one after another,

418
00:37:16,440 --> 00:37:21,159
and he looks up and he says, you realize there's a path from

419
00:37:21,199 --> 00:37:27,639
the internet into your deepest control system
here without ever passing through a firewall.

420
00:37:27,760 --> 00:37:31,480
Just routers. What do you mean? Well, on this network diagram,

421
00:37:31,519 --> 00:37:35,159
it starts here from the Internet,
and then you go to this machine and

422
00:37:35,159 --> 00:37:37,800
that machine through here, and then
you take this thing over here that you

423
00:37:37,800 --> 00:37:40,000
know is kind of off in the
corner, takes you over to this page.

424
00:37:40,000 --> 00:37:45,000
Bang bang bang, You're in,
you know. And the reaction was,

425
00:37:45,559 --> 00:37:47,440
give me that, and, you know,
snatched the network diagrams back, kicked

426
00:37:47,519 --> 00:37:51,159
us out, go and fix the
problem, and you know, bring us

427
00:37:51,159 --> 00:37:54,159
back in a couple of months.
Is this the kind of thing that you

428
00:37:54,199 --> 00:37:58,119
know you're looking at? Is this
the kind of experience you're trying to

429
00:37:58,159 --> 00:38:06,480
prevent? And it's interesting because
I can't find in my memory, like, a

430
00:38:06,519 --> 00:38:14,639
single example of, you know, a user
who hasn't had this type of insight after

431
00:38:15,000 --> 00:38:22,639
deploying our solution. There is always
a weakness or some misconfiguration or overly permissive

432
00:38:22,719 --> 00:38:29,400
rule that someone forgot inside that configuration
that allows this type of path, maybe

433
00:38:29,440 --> 00:38:31,760
not always from the Internet,
but for sure from an untrusted zone to

434
00:38:31,800 --> 00:38:39,199
a trusted zone. So the key
there is to do that, you know,

435
00:38:39,239 --> 00:38:44,840
with the power of technology, right,
because, for, you know, the expertise

436
00:38:44,920 --> 00:38:49,400
and experience that Jonathan is bringing in your example, we want to be

437
00:38:49,440 --> 00:38:55,320
able to bring that capability without
the risk of human error to the masses,

438
00:38:55,320 --> 00:39:00,320
and to be able to have all
of the stakeholders being able to identify those risky

439
00:39:00,360 --> 00:39:05,360
paths. But yeah, it's
fascinating, like we start, you know,

440
00:39:05,440 --> 00:39:08,920
importing config files, the map is
getting generated, and then, you know,

441
00:39:08,960 --> 00:39:14,599
in those firewalls we have, in the
routers, we extract the default gateways

442
00:39:14,599 --> 00:39:19,760
so we know, we can infer where's
the external access point into your environment.

443
00:39:20,519 --> 00:39:23,719
We launch a stepping stone analysis from
that access point. You know, just

444
00:39:23,760 --> 00:39:29,519
a few seconds later you see the
nodes in your map lighting up, and

445
00:39:30,599 --> 00:39:36,440
you know you're going to see your
critical zone with everything lit a specific color

446
00:39:36,480 --> 00:39:38,440
that says you know, this is
protected, this is mitigated by access control.

447
00:39:38,480 --> 00:39:44,239
And then for sure there's always like
one or two nodes in bright

448
00:39:44,320 --> 00:39:50,039
red that tells you there's a direct
access from an external IP address all the

449
00:39:50,039 --> 00:39:53,239
way to that critical equipment deep inside
your environment that you have no idea about

450
00:39:53,280 --> 00:40:00,199
them. You know, the causes
vary, but often it's someone, a

451
00:40:00,280 --> 00:40:04,239
temporary firewall rule, like six months
ago, and it was supposed to stay for

452
00:40:04,360 --> 00:40:07,719
a couple of days, but they
forgot to remove it. Or you know,

453
00:40:07,760 --> 00:40:14,960
we thought that this rule was actually
preventing external traffic from getting in,

454
00:40:15,320 --> 00:40:21,000
but we had a misconfiguration. The
rule never got attached to an interface,

455
00:40:21,039 --> 00:40:23,079
so the rule was useless, you
know, just a line in your config

456
00:40:23,079 --> 00:40:30,440
that the firewall wasn't taking into account. Or we had examples of just object

457
00:40:30,480 --> 00:40:35,119
groups not being correctly defined. You
know, you have rules that are referencing

458
00:40:35,519 --> 00:40:40,199
source and destination services using groups,
and then it's pretty complex as a human

459
00:40:40,280 --> 00:40:44,800
to keep track of that, right?
You have to use lookup tables and make

460
00:40:44,800 --> 00:40:47,360
sure that you know what value is
in which group, which set of IP addresses,

461
00:40:47,360 --> 00:40:52,159
which set of ports and services, and
so often we see, you know,

462
00:40:52,760 --> 00:40:59,360
an old IP or something forgotten that
gives more access than they expect. So

463
00:40:59,480 --> 00:41:05,079
the examples that Robin gave
there were misconfigured firewalls, and, you know,

464
00:41:05,199 --> 00:41:07,480
I just wanted to jump in sort
of with a couple of examples of

465
00:41:07,480 --> 00:41:13,000
misconfigured firewalls on my own. You
know, I used to do a demo

466
00:41:13,639 --> 00:41:16,760
at like trade shows how to break
through firewalls. Uh, you know,

467
00:41:16,920 --> 00:41:22,119
just an awareness thing, a threat
awareness thing. One of the scenarios was

468
00:41:22,320 --> 00:41:29,119
just misconfiguring the firewall. And we're
not talking about home, you know,

469
00:41:29,199 --> 00:41:34,199
small office firewalls here. We're talking
about enterprise grade firewalls. And these

470
00:41:34,199 --> 00:41:40,239
firewalls have operating systems and user interfaces
that are designed for scale. They're designed

471
00:41:40,320 --> 00:41:46,159
for big systems. Uh. You
know, they're designed to deal with complexity.

472
00:41:46,239 --> 00:41:52,320
And so you know, if you
want to put a rule in there

473
00:41:52,360 --> 00:41:57,000
that says Andrew's laptop is allowed to
connect to, you know, the PI server

474
00:41:57,119 --> 00:42:02,239
through the firewall, well you can't. It's not one rule. First you

475
00:42:02,320 --> 00:42:07,159
have to define who Andrew is,
and then you have to define what Andrew's

476
00:42:07,239 --> 00:42:12,559
laptop is, and then you have
to define what the PI server is.

477
00:42:13,639 --> 00:42:16,760
And then you put a rule together, not with Andrew's laptop's IP address and

478
00:42:16,800 --> 00:42:22,760
the PI server IP address and allow.
You put together, you have to, pardon me,

479
00:42:22,800 --> 00:42:24,960
You have to define service numbers,
the port numbers as well. You

480
00:42:25,000 --> 00:42:34,920
put a rule together that says roughly
in English, Andrew's laptop is allowed to

481
00:42:35,000 --> 00:42:40,519
connect to the, you know, the
AVEVA PI client-server port on the PI

482
00:42:40,599 --> 00:42:46,599
server in the DMZ network. You
use almost exactly those words. Okay,

483
00:42:46,599 --> 00:42:51,639
there's no IP addresses anywhere, there's
no user names, it's all

484
00:42:51,760 --> 00:42:57,639
symbols. And they do this so
that you know, these thousands of complicated

485
00:42:57,639 --> 00:43:01,679
firewall rules are comprehensible. But what
it means, and, you know, my demo,

486
00:43:02,320 --> 00:43:06,360
what it means is that you can
look at that firewall rule and say,

487
00:43:06,760 --> 00:43:09,559
there's nothing wrong with this firewall rule. Andrew's laptop is allowed to connect

488
00:43:09,559 --> 00:43:15,119
to blah blah blah. The rule
is right, yet I'm letting the entire

489
00:43:15,159 --> 00:43:20,639
IT network connect to the PI server. There's something wrong with this rule.

490
00:43:21,280 --> 00:43:23,000
And you can stare at the rule
till the cows come home and you won't

491
00:43:23,039 --> 00:43:28,079
find it because there's nothing wrong
with the rule. What's wrong is with

492
00:43:28,239 --> 00:43:31,440
the definition of the IP address of
Andrew's laptop. You've buggered up the definition

493
00:43:31,480 --> 00:43:35,559
and you've included the entire IT network
in the definition. You've got to look

494
00:43:35,599 --> 00:43:37,800
in a different place. You've got
to look at the definition of each of

495
00:43:37,800 --> 00:43:43,159
the symbols. And, you know, I
forget the details, but there was another

496
00:43:44,199 --> 00:43:49,840
thing where, you know, instead
of saying I messed up the definition of

497
00:43:49,880 --> 00:43:52,519
the DMZ network and now you can
connect to anything you want. You know,

498
00:43:53,440 --> 00:44:01,000
if you, basically, these systems are
complicated and it really is easy to

499
00:44:01,119 --> 00:44:07,119
mess them up in ways that just
aren't evident when you know, you look

500
00:44:07,159 --> 00:44:09,840
at the definition and
you try and understand what it's doing.

501
00:44:13,800 --> 00:44:15,960
So that's all fascinating. You know, have you got anything else for us?

502
00:44:16,000 --> 00:44:20,559
I mean, you seem to be
a fountain of examples here. What

503
00:44:20,559 --> 00:44:23,960
what else, you know, can we
get insights from using technology like

504
00:44:24,000 --> 00:44:29,480
this? There's actually in the news,
pretty much on a monthly, if not

505
00:44:29,559 --> 00:44:37,679
weekly basis, examples of critical equipment
being exposed on the Internet and being breached.

506
00:44:37,760 --> 00:44:44,280
Right, the latest that I have in
mind is, uh, the water and waste

507
00:44:44,360 --> 00:44:50,880
water treatment facility in Aliquippa,
Pennsylvania, and that got compromised just

508
00:44:50,880 --> 00:44:58,880
a few months ago, and the
issue came from a PLC with the Human

509
00:44:58,960 --> 00:45:06,280
machine interface, where, you know, there's a
port on those equipment. Actually, in this

510
00:45:06,400 --> 00:45:14,760
case, port twenty five six that
was directly exposed to the Internet, and then

511
00:45:15,440 --> 00:45:19,320
to make it worse, the password
on that machine, that piece of equipment,

512
00:45:19,400 --> 00:45:22,760
was a default password from the manufacturer
that hadn't been changed. So that got

513
00:45:23,079 --> 00:45:27,920
compromised pretty quickly. And you know, this is the type of finding where

514
00:45:28,239 --> 00:45:32,800
if you have network modeling, you
can very quickly, you know, you

515
00:45:32,840 --> 00:45:37,400
import your firewalls, you import your
list of equipment from your asset inventory, and you

516
00:45:37,440 --> 00:45:43,280
can see, okay, what's exposed
and what's not exposed. So another example

517
00:45:44,199 --> 00:45:50,199
is last year, May eleven, when you
had a coordinated attack against sixteen Danish

518
00:45:50,480 --> 00:46:00,000
energy companies where an attacker exploited a vulnerability
inside a firewall to be able to craft

519
00:46:00,280 --> 00:46:07,519
arbitrary commands and run arbitrary commands on
those firewalls. So those equipment, network

520
00:46:07,519 --> 00:46:14,400
equipment, were exposed to the outside.
But then the network segmentation for the rest of

521
00:46:14,400 --> 00:46:19,360
the environment wasn't strong enough to contain
those attacks. So the attackers on you

522
00:46:19,400 --> 00:46:25,400
know, the five hundred UDP protocol of
those Zyxel devices, were able to

523
00:46:25,400 --> 00:46:31,760
get compromised and then pivot, to your
discussion, to get to the critical equipment inside the

524
00:46:32,320 --> 00:46:39,519
inside those sixteen facilities. And so
that's the type of insight you want to

525
00:46:39,559 --> 00:46:44,800
have prior to an attack, because,
you know, the next zero days that are going

526
00:46:44,880 --> 00:46:50,519
to get published. You want to
have the confidence that your segmentation and the

527
00:46:50,679 --> 00:46:54,360
zoning that you put in place
with access policy is strong enough to contain

528
00:46:57,079 --> 00:47:00,920
any potential, you know, zero day
in a, you know, vendor of network

529
00:47:00,960 --> 00:47:05,480
equipment to a single zone and not
propagating to the rest of your critical environment.

530
00:47:06,559 --> 00:47:09,079
That all makes sense. You know, we're coming up on the end

531
00:47:09,119 --> 00:47:13,199
of the episode. I want to
say thank you so much for joining us

532
00:47:13,400 --> 00:47:16,079
before we let you go, can
you, you know, sum up for our

533
00:47:16,079 --> 00:47:21,519
listeners. What should we take away
from, you know, the changing needs

534
00:47:21,559 --> 00:47:25,880
and the you know, the changing
capabilities in the world of network segmentation.

535
00:47:28,079 --> 00:47:32,400
Thanks Andrew again for having me, and sure. So really, the key point

536
00:47:32,440 --> 00:47:37,639
I wanted to make is that verification
of network segmentation is becoming more and more

537
00:47:37,639 --> 00:47:43,400
of a priority, and it's
not a one-time thing, right,

538
00:47:43,400 --> 00:47:49,280
because today's networks are
just growing in size and complexity and

539
00:47:49,320 --> 00:47:53,400
becoming more and more dynamic, even
inside traditionally more static environments such as

540
00:47:53,519 --> 00:48:02,719
OT environments. So it's a cyber
hygiene best practice to frequently make sure that

541
00:48:02,840 --> 00:48:08,519
the configuration of the equipment enforcing
your segmentation, so the firewalls, routers and

542
00:48:08,679 --> 00:48:15,880
switches, is correct and you don't have
overly permissive rules or gaps that could open

543
00:48:15,960 --> 00:48:20,920
up access to your critical equipment.
So to that end, we are about

544
00:48:20,960 --> 00:48:27,800
to release the most capable version
of NP-View that includes that new zone segmentation

545
00:48:27,960 --> 00:48:32,360
metrics to give you a bird's eye
view of your exposure for your environment,

546
00:48:32,599 --> 00:48:40,159
really helping faster insight and decision making
in terms of network risks. And I

547
00:48:40,239 --> 00:48:46,440
invite folks to check us out
at network-perception.com for more

548
00:48:46,440 --> 00:48:53,320
information about how we can
help them. Andrew, that just about

549
00:48:53,440 --> 00:48:58,880
concludes your interview with Robin Berthier.
Do you have any final thoughts that you

550
00:48:58,920 --> 00:49:02,400
would like to leave with our listeners. I mean, yeah, you know,

551
00:49:02,480 --> 00:49:08,239
reflecting back on the episode here we're
talking about network segmentation. This in

552
00:49:08,280 --> 00:49:12,920
a sense is the oldest trick in
the book. It's the oldest tool in

553
00:49:12,960 --> 00:49:15,440
the trade. It's the first thing
that was documented in the first volume of

554
00:49:15,480 --> 00:49:20,880
62443, back
when, you know, industrial cybersecurity wasn't

555
00:49:20,920 --> 00:49:23,000
industrial cybersecurity, it was SCADA
security. It was, you know, even

556
00:49:23,039 --> 00:49:28,840
the terminology has changed, and you
know, firewalls have been around forever.

557
00:49:29,639 --> 00:49:32,960
Yet you know, this is a
new development in the field. I mean,

558
00:49:34,400 --> 00:49:37,519
when was the last sort of big
new development in the field. It

559
00:49:37,599 --> 00:49:42,480
was, there was deep packet inspection over
a decade ago, is my recollection.

560
00:49:42,559 --> 00:49:47,719
But here's a way to analyze networks, you know, here's a way to

561
00:49:49,639 --> 00:49:54,920
add context to alerts when there's potential
intrusions in progress. You know, we've

562
00:49:54,960 --> 00:50:00,599
been talking to some vendors of
asset risk tools, asset inventory tools that

563
00:50:00,719 --> 00:50:06,440
sort of, they're working with the
intrusion detection vendors, the alarming vendors to

564
00:50:06,920 --> 00:50:10,920
say, look, this asset is
at risk from this attack. That's

565
00:50:10,960 --> 00:50:16,440
coming in here because they have information
about the asset. Here's an extra step.

566
00:50:16,480 --> 00:50:21,079
The next step is okay, given
that this asset is at risk of

567
00:50:21,280 --> 00:50:25,679
potentially being compromised. If it were
compromised, here's all of the other assets

568
00:50:25,679 --> 00:50:31,119
that would be at risk because this
one's at risk. You know, the

569
00:50:31,840 --> 00:50:37,920
field continues to develop.
It, you know, surprises me that

570
00:50:37,920 --> 00:50:40,960
that something as old as the idea
of network segmentation. You know, there's

571
00:50:42,159 --> 00:50:45,559
there's still new inventions happening
in the field, so, you know,

572
00:50:45,920 --> 00:50:52,280
it's an interesting development. Well, thank you to Robin for sharing that

573
00:50:52,320 --> 00:50:54,719
development with us. And Andrew,
as always, thank you for speaking with

574
00:50:54,719 --> 00:50:58,960
me. It's always a pleasure.
Thank you, Nate. This has been

575
00:50:59,000 --> 00:51:04,039
the Industrial Security podcast from Waterfall.
Thanks to everybody out there listening.
