1 00:00:06,599 --> 00:00:09,919 I can give you a list of vulnerabilities and you'd think that great. I 2 00:00:09,919 --> 00:00:13,320 now know what my risk is. But the reality and ot is it's not 3 00:00:13,400 --> 00:00:42,399 always directly applicable. That's a single external indicator. Welcome everyone to the Industrial 4 00:00:42,439 --> 00:00:46,560 Security Podcast. My name is Nate Nelson. I'm here as usual with Andrew 5 00:00:46,600 --> 00:00:52,079 Ginter, the vice president of Industrial Security at Waterfall Security Solutions. He's going 6 00:00:52,079 --> 00:00:55,840 to introduce the subject and guests of our show today. Andrew, how are 7 00:00:55,880 --> 00:00:59,840 you. I'm very well, Thank you, Nate. Our guest today is 8 00:01:00,119 --> 00:01:06,400 Rick kN He is the vice president of solutions at Verve Industrial Protection. And 9 00:01:06,560 --> 00:01:10,640 we're going to be talking about context for risk. We're going to be talking 10 00:01:10,640 --> 00:01:15,599 about patching. We're gonna be talking about automation to help us figure out when 11 00:01:15,719 --> 00:01:19,040 something is worth patching, when a vulnerability is worth patching, and you know 12 00:01:19,120 --> 00:01:22,879 when we should probably let it ride. All right, then, without further 13 00:01:22,879 --> 00:01:29,040 ado, here is the interview. Hello, Rick, and thank you for 14 00:01:29,120 --> 00:01:32,879 joining us. Before we get started, could you say a few words about 15 00:01:32,879 --> 00:01:37,079 yourself in your background and about the good work that you're doing at verb Industrial 16 00:01:38,200 --> 00:01:40,599 Yes, thank you, Andrew, and to appreciate the opportunity to share with 17 00:01:40,599 --> 00:01:45,120 you today and discuss. It's always a great time chatting with you as plugged 18 00:01:45,159 --> 00:01:48,719 in as you are, It's always a great discussion. My name is Rickon. 19 00:01:49,200 --> 00:01:53,439 I'm the VP of solutions for Verb Industrial Protection. We're a vendor neutral, 20 00:01:53,200 --> 00:01:59,159 multi function shop that provides both software and services exclusively to the OT space. 21 00:02:00,280 --> 00:02:04,400 We've been around for thirty years, actually privately funded, self grown, 22 00:02:04,560 --> 00:02:08,159 organically grown. I personally have been in the OT business for twenty two years. 23 00:02:09,240 --> 00:02:15,319 I started at a company called Majorcon building the ICs or industrial control security 24 00:02:15,960 --> 00:02:20,879 consulting space. We then get picked up by a company called Honeywell, where 25 00:02:20,879 --> 00:02:23,599 I was a global business development for them for a few years before coming back 26 00:02:23,599 --> 00:02:29,280 to a vendernutual perspective where I am now and again appreciate the opportunity today. 27 00:02:29,479 --> 00:02:34,919 Thanks for that. Our topic today is risk in context. Can you tell 28 00:02:35,000 --> 00:02:38,520 us you know what is that? And you may maybe give us an example 29 00:02:38,599 --> 00:02:40,840 or two. Yeah, this is the gist of what I want to talk 30 00:02:40,840 --> 00:02:46,800 about today. We can be lots of lots of unpack here. The problem 31 00:02:46,919 --> 00:02:49,840 that I'm seeing more and more organization not just me, that we as a 32 00:02:49,879 --> 00:02:53,560 company in our industry took clients and their peers are all starting to realize is 33 00:02:53,560 --> 00:02:59,919 that the traditional IT approach, where you have very cool tools, individual special 34 00:03:00,159 --> 00:03:04,159 tools, and especially people, is interesting. But it's a singular point of 35 00:03:04,240 --> 00:03:08,000 perspective. Right, So I can give you a list of vulnerabilities and you'd 36 00:03:08,000 --> 00:03:10,400 think that great, I now know what my risk is. But the reality 37 00:03:10,400 --> 00:03:16,000 and ot is it's not always directly applicable. That's a single external indicator. 38 00:03:16,400 --> 00:03:21,120 It doesn't include anything to do with whether that's a big deal for you the 39 00:03:21,199 --> 00:03:25,719 owner operator, or on its particular asset or in a particular facility. And 40 00:03:25,759 --> 00:03:30,360 so what we're seeing is that people are needing more and more context. And 41 00:03:30,400 --> 00:03:35,000 this is especially too true on a couple of fronts. Number one, we 42 00:03:35,039 --> 00:03:38,400 don't have enough staff to address all the vulnerabilities. I mean, we turned 43 00:03:38,400 --> 00:03:42,520 on our vulnerability mapping at a midstream gas company the other day and literally at 44 00:03:42,520 --> 00:03:46,759 their flagship site was twenty three thousand vulnerabilities. And you're never going to get 45 00:03:46,759 --> 00:03:50,199 that to zero. And you're not sure even where you should probably start unless 46 00:03:50,199 --> 00:03:53,479 you have some sort of context. So a singular view isn't good enough. 47 00:03:53,479 --> 00:03:55,199 And it's actually something we've been struggling with for many years. I remember about 48 00:03:55,199 --> 00:04:00,199 ten years ago going into an air separation unit and the plant managers, you're 49 00:04:00,199 --> 00:04:01,520 going to do an assessment, and you're going to tell me that they don't 50 00:04:01,599 --> 00:04:04,680 change passwords and they don't patch. How the heck does that help me? 51 00:04:05,520 --> 00:04:09,800 And so on the front of being able to take those scarce resources and focus 52 00:04:09,800 --> 00:04:13,280 them on the things we need to either the lack of staff, the lack 53 00:04:13,319 --> 00:04:16,279 of time, the ability to look at what truly is effective for OT, 54 00:04:17,040 --> 00:04:20,800 which isn't always everything because and everything can't be Windows eleven and patched every Tuesday, 55 00:04:21,439 --> 00:04:26,199 but also the nature of OT and that we can't do Plan A I 56 00:04:26,360 --> 00:04:30,319 either patching necessarily, we need to do Plan B and C and B are 57 00:04:30,360 --> 00:04:35,040 compensating controls or as some interestingly creative marketing people have started to call virtual patching. 58 00:04:35,560 --> 00:04:40,040 If we can't apply blue keep, can we at least disable remote desktop 59 00:04:40,120 --> 00:04:42,199 or the guest account. Well, I don't know the answer to that unless 60 00:04:42,199 --> 00:04:45,600 I know what that system does and what function it provides operations. So the 61 00:04:45,680 --> 00:04:50,319 gist of this is any singular indicator of risk i e. An external penetration, 62 00:04:53,079 --> 00:04:57,199 denial of service attempt, or a list of vulnerabilities, or a patching 63 00:04:57,199 --> 00:05:00,040 tool in and of itself is not enough to provide, you know, our 64 00:05:00,079 --> 00:05:06,319 audience the detail that they need to be able to act appropriately and effectively inefficialty. 65 00:05:09,959 --> 00:05:13,839 Andrew, the way that he's talking there, it reminds me vaguely of 66 00:05:13,839 --> 00:05:19,600 an episode that we did some time ago with a guest who was talking about 67 00:05:19,680 --> 00:05:27,600 like site specific vulnerability that that you can't categorize or that you shouldn't rather categorize 68 00:05:28,360 --> 00:05:33,399 vulnerabilities in a broader sense that he was looking into specific sites and specific industries 69 00:05:33,560 --> 00:05:36,680 and evaluating how they affected those specific plants. And it was sort of a 70 00:05:36,720 --> 00:05:44,519 different alternative to the usual CV kind of way of doing things. Can you 71 00:05:44,600 --> 00:05:48,879 remind me what the name of the guest was there? Yeah, that was 72 00:05:49,439 --> 00:05:55,959 Thomas Schmidt from the BSI, which is the German Office for Information Security, 73 00:05:56,279 --> 00:06:02,560 and he was talking about SSVC, so stakeholder specific vulnerability categorization. This was 74 00:06:02,600 --> 00:06:06,560 a new standard, This was six months ago, a new standard to make 75 00:06:08,160 --> 00:06:15,720 decisions about whether to apply patches for vulnerabilities. And you know, ver Verb 76 00:06:15,759 --> 00:06:18,759 Industrial Protection is one of the vendors in the space. They have automation for 77 00:06:18,920 --> 00:06:21,439 SSBC. And and Rick is going to say more, you know, much 78 00:06:21,439 --> 00:06:28,120 more about that in just a moment. So, I mean I agree with 79 00:06:28,160 --> 00:06:31,399 all that in principle, Um, you know, but it's sort of what's 80 00:06:31,439 --> 00:06:35,839 the right word. These are great principles. But if I have you know, 81 00:06:39,519 --> 00:06:44,600 thirty sites, each of them has you know, six hundred PLCs and 82 00:06:44,759 --> 00:06:47,839 who knows what other kinds of you know, industrial internet, and you know 83 00:06:47,879 --> 00:06:53,959 everything has a CPU nowadays. Um, you know, it's great to say 84 00:06:54,000 --> 00:06:57,959 I can make risk based decisions like that. It's another thing to say, 85 00:06:58,399 --> 00:07:00,959 do I actually understand all of my tens of thousands of devices and which of 86 00:07:01,000 --> 00:07:05,360 them I should manage? How? How can you you know there is there 87 00:07:06,439 --> 00:07:10,160 is there a way to get insight? Is the way to get automation instead 88 00:07:10,160 --> 00:07:13,759 of saying, you know, evaluate every one of my fifty thousand nows that's 89 00:07:13,759 --> 00:07:17,000 myself. Yeah, no, great question. And and you know you're right 90 00:07:17,079 --> 00:07:23,439 like when I talk about the risk index or and it's an individual measure as 91 00:07:23,480 --> 00:07:27,279 not being enough. I mean you look at you look at the NVD score 92 00:07:27,279 --> 00:07:29,879 and it's it's got a ranking, and it's got why it got to that 93 00:07:29,959 --> 00:07:32,560 ranking. There's there's components in there. But you've raised the other point is 94 00:07:32,879 --> 00:07:36,480 how do I take that and scale it both in volume, but also there 95 00:07:36,519 --> 00:07:40,920 are, as you know, nuances within those sixty sites or thirty sites in 96 00:07:40,920 --> 00:07:43,839 the feel sees. Some of them do critical safety things, some of them 97 00:07:43,959 --> 00:07:46,319 do other things. And so as soon as you start to unpack this a 98 00:07:46,319 --> 00:07:51,439 bit, you realize that you need a great level of detail from multiple perspectives. 99 00:07:51,879 --> 00:07:56,720 Um, so let me let me just sort of walk through how we 100 00:07:56,800 --> 00:08:00,879 help clients to build that perspective and what we call a three dimensional you of 101 00:08:00,959 --> 00:08:07,240 the asset. And so the first and foremost is going to the source. 102 00:08:07,519 --> 00:08:09,959 There absolutely has to be an inventory. So you remember our last podcast, 103 00:08:09,959 --> 00:08:15,439 we talked about building a proper inventory, and it never more Now more than 104 00:08:15,439 --> 00:08:18,639 ever, it's the most important thing we're seeing that people are starting to realize 105 00:08:18,680 --> 00:08:22,879 is you need to go directly to the asset. The first source of data 106 00:08:24,000 --> 00:08:28,439 in building this bigger picture view to be able to provide context beyond a single 107 00:08:28,839 --> 00:08:33,320 measure is to pull in multiple measures of the asset. And so the first 108 00:08:33,320 --> 00:08:37,720 source is the asset itself. Can we figure out what it is, Windows, 109 00:08:37,840 --> 00:08:41,919 Linux, Unix, networking gear, PLCs, relays, controllers, what 110 00:08:43,000 --> 00:08:46,360 the manufacturer is, whatever we can glean from that endpoint the more data we 111 00:08:46,399 --> 00:08:48,799 can get from that, the more equipped we are to pivot to different scenarios 112 00:08:48,799 --> 00:08:56,679 and situations in ascertaining and actually measuring risk for our organization. That's the first 113 00:08:56,759 --> 00:09:00,679 bit of data. The second bit of data once you've built that information, 114 00:09:00,679 --> 00:09:03,799 and by the way, we advocate for a direct approach, going right onto 115 00:09:03,840 --> 00:09:09,159 the OS and getting right directly to the plc's not going to intermediary databases or 116 00:09:09,200 --> 00:09:13,000 relying on what I'm hearing through traffic. I want to go to the source. 117 00:09:13,039 --> 00:09:16,399 I want to get answered the questions I need to know, not hope 118 00:09:16,399 --> 00:09:18,720 that I hear them or hope that I'm listening to all of the devices. 119 00:09:18,120 --> 00:09:22,039 So we get all that data we automated into a central database. At that 120 00:09:22,159 --> 00:09:30,240 central database is where we invest to gather and collect and aggregate all the other 121 00:09:30,279 --> 00:09:33,720 data sources that are available to these operators. The very first one is really 122 00:09:33,799 --> 00:09:37,039 quite simple. We take that database once we've built it, and we work 123 00:09:37,080 --> 00:09:41,639 with operations to say, let's put operational impact or user define tags on these 124 00:09:41,679 --> 00:09:46,360 assets. Right, So a tri conics a refinery, clearly a safety system 125 00:09:46,440 --> 00:09:48,759 that's a high impact asset. It gets a high impact label because when we 126 00:09:48,840 --> 00:09:52,759 go to look at risk, whether that's assessing if it exists and is important 127 00:09:52,799 --> 00:09:56,919 to us, or whether we want to turn to remediation tasks like patching or 128 00:09:58,000 --> 00:10:03,080 compensating controls. We can and decide which ones we test on by either redundant 129 00:10:03,120 --> 00:10:05,600 to safety one or not the safety ones but the redundant is not so impactful 130 00:10:05,639 --> 00:10:09,480 ones, or which ones we need to prioritize in terms of budgets and resources, 131 00:10:09,480 --> 00:10:13,879 etc. So we start with the inventory automatically from the endpoint, we 132 00:10:13,000 --> 00:10:16,799 then add user define tags and information about it. We can calculate and for 133 00:10:16,960 --> 00:10:20,879 these from the vendor name or from the subnet they're in or whatever. But 134 00:10:20,919 --> 00:10:24,559 we usually like to make sure we loot the plant people in the tribal knowledge 135 00:10:24,559 --> 00:10:30,200 that those veterans have on the plant floor is invaluable, very very powerful. 136 00:10:30,960 --> 00:10:33,840 So two different data sources starting to build multiple dimensions on the asset. And 137 00:10:33,879 --> 00:10:37,279 then the third thing we'll do is we'll go and get third party indicators. 138 00:10:37,720 --> 00:10:41,960 And this is where we get to the National Vulnerability Database. We'll bring the 139 00:10:41,480 --> 00:10:46,519 list of vulnerabilities in and we can map them one to one at the database 140 00:10:46,600 --> 00:10:52,360 offline from the actual operational environment. So we're very frequently and very thoroughly mapping 141 00:10:52,440 --> 00:10:56,600 vulnerabilities against that very detailed inventory. We can also bring in threat feeds and 142 00:10:56,679 --> 00:11:01,039 known exploits, so we're going beyond by the way, You've got a vulnerability 143 00:11:01,440 --> 00:11:05,240 and there's exploits out there for it, right that may increase or decrease your 144 00:11:05,360 --> 00:11:09,480 urgency. And then the third thing we bring in, of course, is 145 00:11:09,519 --> 00:11:13,039 the first line of defense, the patches that may be available for those devices. 146 00:11:13,399 --> 00:11:18,000 So we start with the endpoint data first, the tribal knowledge around the 147 00:11:18,039 --> 00:11:22,279 importance or impact a roll of those devices. Second, third party indicators of 148 00:11:22,399 --> 00:11:26,960 risk in patch, threat feeds, and vulnerability data. And then the fourth 149 00:11:28,000 --> 00:11:31,960 thing will do in that middle layer database that we are compiling all these different 150 00:11:31,960 --> 00:11:35,960 dimensions of the asset about, we will go east and west and connect to 151 00:11:37,559 --> 00:11:43,360 basic building blocks for security tools like the status of your backup or your antivirus, 152 00:11:43,639 --> 00:11:48,720 and in multi vendor environments, the ability to abstract connecting into semantic versus 153 00:11:48,919 --> 00:11:52,360 McAfee versus defender to see if your antivirus is up to data your white listings 154 00:11:52,360 --> 00:11:56,960 in lockdown, to aggregate that into a central view is where the real magic 155 00:11:56,000 --> 00:12:01,840 comes. Now, how we do this to your point in the scenario of 156 00:12:01,000 --> 00:12:07,240 thirty sites is we then cascade any single site or database to a single reporting 157 00:12:07,320 --> 00:12:13,600 dashboard. The reporting dashboard is a it's a singular view into the entire fleet, 158 00:12:13,639 --> 00:12:16,480 and it's a read only view. So what we can do then is 159 00:12:16,840 --> 00:12:22,159 we have all these different data sources consistently from all of our facilities and across 160 00:12:22,200 --> 00:12:26,879 all of our assets. We've got multiple dimensions of potential risk, but not 161 00:12:26,960 --> 00:12:31,440 just the risk, but the assets impact in compensating controls that may mitigate risk 162 00:12:31,559 --> 00:12:37,559 or narrow down the concern. And we can see this with a small specialized 163 00:12:37,639 --> 00:12:45,600 team fleetwide. This allows for an organization to build a standard response, a 164 00:12:45,720 --> 00:12:50,279 standard threshold if you will, for various risks and activities that they need to 165 00:12:50,720 --> 00:12:56,519 act on, and they can then start to remediate with this same technology where 166 00:12:56,519 --> 00:13:00,919 it's ot safe. And we can do this in stages. UM. But 167 00:13:01,240 --> 00:13:03,279 let's let's circle back there on that one. This is this is how we 168 00:13:03,320 --> 00:13:07,919 want to build the context in the first place, UM, and we want 169 00:13:07,919 --> 00:13:11,360 to aggregate it across multiple sites and now give all the power to a very 170 00:13:11,399 --> 00:13:16,480 specialized team uh and and let them start to see what they're looking at all. 171 00:13:16,559 --> 00:13:18,919 Right, So So that's I mean, that's a lot of data. 172 00:13:20,240 --> 00:13:22,279 You know, It's it's useful to have that database. It's it's useful to 173 00:13:22,639 --> 00:13:28,399 capture tribal knowledge. But still, if we have thousands of assets and you 174 00:13:28,399 --> 00:13:33,159 know, even more data about each of the assets in a database, that's 175 00:13:33,200 --> 00:13:37,279 just more information for you know, my poor, my poor brain to it 176 00:13:37,320 --> 00:13:41,159 to to you know, try and suck in and and make informed risk decisions. 177 00:13:41,559 --> 00:13:43,559 Is you know, is there is there a way to uh, to 178 00:13:43,960 --> 00:13:48,000 work with the data once you have Yeah, No, that's an absolutely spot 179 00:13:48,000 --> 00:13:52,000 on observation. I mean, talked about twenty three thousand vulnerabilities, and now 180 00:13:52,000 --> 00:13:54,919 I added three other dimensions in those twenty three thousands. So what do we 181 00:13:54,960 --> 00:13:58,799 do with that great question? Um, the most powerful thing that we're doing, 182 00:13:58,799 --> 00:14:00,919 and you can actually do multiple things with it, but the most powerful 183 00:14:00,919 --> 00:14:03,320 thing you can do with it is to calculate an actual what we call a 184 00:14:03,399 --> 00:14:07,440 residual risk score. So if you were to take those different indicators, and 185 00:14:07,480 --> 00:14:11,080 we do this with the clients and it's automatically done in the software to then 186 00:14:11,120 --> 00:14:16,559 report on the dashboard. But the premise behind it is we build indicators of 187 00:14:16,679 --> 00:14:20,440 risk and we build scores for things we don't like, and it's just like 188 00:14:20,480 --> 00:14:22,720 my golf game. It gets really big and huge and ugly real quick. 189 00:14:24,080 --> 00:14:28,559 So, for example, if devices consider a high impact, it gets the 190 00:14:28,600 --> 00:14:31,039 score of ten. If it's considered lowan impact, it gets a five. 191 00:14:31,159 --> 00:14:35,399 Tribal knowledge now has a score. If it has a critical vulnerability, it 192 00:14:35,440 --> 00:14:39,440 gets seven points. For every critical vulnerability, it may have multiples if the 193 00:14:39,440 --> 00:14:43,039 backup has failed. Right, So all these different data sources can be pulled 194 00:14:43,080 --> 00:14:48,399 into a calculation and a score appended to them, and then the true what 195 00:14:48,440 --> 00:14:52,519 we call residual risk after we've accounted for compensating controls, like the backup is 196 00:14:52,879 --> 00:14:56,440 good and white listing is in lockdown, so the score comes off, we 197 00:14:56,480 --> 00:15:01,879 can build an actual risk score that is ot or end user specific, and 198 00:15:01,919 --> 00:15:07,279 then those scores can be put into thresholds which then drive governance around behavior. 199 00:15:07,480 --> 00:15:09,759 So something that's considered a critical risk, maybe as an order we decide has 200 00:15:09,799 --> 00:15:13,600 to be dealt with within twenty four hours, whereas something with a low risk 201 00:15:13,960 --> 00:15:18,279 can be calculated to do something within a week or a month. And because 202 00:15:18,320 --> 00:15:22,840 it's automatically updating the data and calculating, you are now always looking at a 203 00:15:22,879 --> 00:15:26,600 live score, so you extract from the noise the stuff that is a five 204 00:15:26,639 --> 00:15:33,639 alarm or firepeat have to deal with. Does everybody have their own scoring system? 205 00:15:33,919 --> 00:15:37,879 I mean, we've been talking about SSPC, their CV. Now there's 206 00:15:37,919 --> 00:15:43,519 this. I wonder whether all these different systems get confusing after a certain while. 207 00:15:45,919 --> 00:15:50,200 I think the short answer is yes. The long answers in a sense, 208 00:15:50,480 --> 00:15:56,879 this is why, in my understanding, SSBC was invented. It's because 209 00:15:56,120 --> 00:16:02,200 the vendors in the space do all they you know, they did all have 210 00:16:02,320 --> 00:16:07,120 their own system, and you know, the the users, the governments especially, 211 00:16:07,200 --> 00:16:11,919 said you know, here are some minimum criteria that you should be using 212 00:16:11,039 --> 00:16:15,360 for these risk decisions. You may be able to get sort of find a 213 00:16:15,440 --> 00:16:18,840 grain decisions by doing you know, more analysis of the of the risk and 214 00:16:18,879 --> 00:16:22,279 the context. But you know, here here's a minimum, and so they 215 00:16:22,279 --> 00:16:26,960 put SSBC together. And of course, you know, why would the vendors 216 00:16:27,000 --> 00:16:32,600 do not just SSBC and be done with it. It's I mean, I 217 00:16:32,720 --> 00:16:34,919 worked, I've worked for vendors most of my career. One of the ways 218 00:16:36,000 --> 00:16:41,000 vendors distinguish each other from each other is the feature sets in their product. 219 00:16:41,320 --> 00:16:42,600 So you know, every vendor out there wants to say, yes, of 220 00:16:42,639 --> 00:16:47,519 course we do SSBC, and we give you even more power because we do 221 00:16:47,679 --> 00:16:51,240 X, Y and Z in addition. So yeah, it's not surprising that 222 00:16:51,240 --> 00:16:57,480 everyone does it differently. This is part of why SSBC exists. In the 223 00:16:57,519 --> 00:17:03,519 beginning of the Industrial city Revolution, engineers were told to use it security principles, 224 00:17:03,920 --> 00:17:07,319 protect the information. We were told. We knew this was a poor 225 00:17:07,440 --> 00:17:11,880 fit, but it was all we had. Today, the top security priority 226 00:17:11,920 --> 00:17:18,160 at industrial sites is safety. Don't kill anyone, don't cause an environmental disaster. 227 00:17:18,720 --> 00:17:23,839 And the second priority is reliability. Do not shut down our factory or 228 00:17:23,880 --> 00:17:30,599 infrastructure. Today, safe and reliable operations use unhackable protections from cyber risks, 229 00:17:30,960 --> 00:17:37,480 not just cybersecurity. For a deeper look at the evolution of the revolution, 230 00:17:37,799 --> 00:17:42,759 we invite you to download Waterfall's report on the Emerging Consensus for Industrial Security Engineering. 231 00:17:44,319 --> 00:17:49,039 You can access the report at the Waterfall website Waterfall dash Security dot com, 232 00:17:49,119 --> 00:17:55,200 slash Engineering dash Consensus, or just go to the resources menu and click 233 00:17:55,240 --> 00:18:00,359 on white papers and ebooks. So, just to clarify, um, these 234 00:18:00,960 --> 00:18:06,839 these sort of characteristics, you know, did the backup work, you know, 235 00:18:06,880 --> 00:18:11,160 what's the what's the impact of are these in a sense preprogrammed that that 236 00:18:11,440 --> 00:18:15,880 users then populate or are they sort of user defined? Can the users to 237 00:18:15,920 --> 00:18:21,079 find the calculation or sorry, the uh the characteristics? And you know if 238 00:18:21,559 --> 00:18:25,079 if the characteristics I used to find out, I would assume the calculation has 239 00:18:25,119 --> 00:18:29,240 to be user to find. How how you know? How? What's the 240 00:18:29,319 --> 00:18:33,720 right word customized? Is this to every site? The calculation itself is something 241 00:18:33,759 --> 00:18:37,400 that we ship with a basic sort of structure. If an organization wants to 242 00:18:37,519 --> 00:18:41,119 change how it's calculated, or emphasize or de emphasize certain indicators one or the 243 00:18:41,160 --> 00:18:45,839 other, they can. The precursor to that question, though, was the 244 00:18:45,960 --> 00:18:51,000 user defined properties. User defined properties are usually set once, ie it's a 245 00:18:51,079 --> 00:18:56,519 high impact asset to operations or it's an inconsequential asset operations UM and those don't 246 00:18:56,559 --> 00:19:00,759 typically change. What does change, and therefore we automate is the presence of 247 00:19:00,839 --> 00:19:06,960 vulnerabilities or the version of the software or the level of the patching. So 248 00:19:07,119 --> 00:19:11,880 where we can automate technical gathering and technical data we do where we need user 249 00:19:11,880 --> 00:19:15,319 to find, we usually establish that upfront. It doesn't typically change. I 250 00:19:15,359 --> 00:19:17,960 mean, it's triconics, is the triconics, it's safety and safety. It 251 00:19:18,000 --> 00:19:22,000 doesn't suddenly stop being something um And so we have a combination of sort of 252 00:19:22,000 --> 00:19:26,759 set up the automation, set up the tags, and then the actual how 253 00:19:26,799 --> 00:19:30,839 you want to calculate is absolutely customizeable, as are the labels up front. 254 00:19:30,880 --> 00:19:33,519 I mean, if we think it's a high impact asset, the client disagrees 255 00:19:33,880 --> 00:19:36,359 it's there, it's their database, it's their threshold, they can they can 256 00:19:36,359 --> 00:19:40,319 customize it. So that makes sense. I mean, you know you've got 257 00:19:40,359 --> 00:19:44,039 automation, you've got a calculation. You can see in your words where the 258 00:19:44,039 --> 00:19:48,680 five alarm fires are. What do you do about those fires? Are we 259 00:19:48,720 --> 00:19:53,519 talking you know, patch everything? Are we talking throw some more firewalls rules 260 00:19:53,519 --> 00:20:00,000 in there? And and you know if you make those changes, what change 261 00:20:00,200 --> 00:20:03,079 do you see in your system? How does can you give us an example 262 00:20:03,079 --> 00:20:07,200 how this works? Yeah? Absolutely, And that's the natural following And as 263 00:20:07,200 --> 00:20:10,279 you said in the intro, you can't always patch. You need to be 264 00:20:10,319 --> 00:20:14,279 able to be creative. So this is where we sort of double down on 265 00:20:14,319 --> 00:20:18,039 the value of that multidimensional view. So I've got to risk my risk score 266 00:20:18,119 --> 00:20:21,599 is automatically calculated. I've got a bunch of really you know, sort of 267 00:20:21,640 --> 00:20:25,039 heavy hitters that look like they're high risk and they need to act upon them. 268 00:20:25,079 --> 00:20:26,799 And so now what I do is I go into those individual assets and 269 00:20:26,799 --> 00:20:32,119 I look at the components that have added to what the problem is. It's 270 00:20:32,119 --> 00:20:33,720 a vulnerability, there's a patch available for it, it's not been applied. 271 00:20:33,960 --> 00:20:37,440 Well, that's your first that's your first path. We want to look at 272 00:20:37,480 --> 00:20:41,640 that patch. Can we deploy that patch again? With our architecture, we 273 00:20:41,759 --> 00:20:45,079 can then do a very safe OT stage sort of approach to the first pass 274 00:20:45,119 --> 00:20:48,559 of potentially patching. We will patch you know, we're done that systems, 275 00:20:48,559 --> 00:20:52,319 domain controller, spile servers and will bake in a certain version like twenty twelve, 276 00:20:52,400 --> 00:20:55,920 make sure it works, and then potentially pass that on to the HIMIS 277 00:20:55,960 --> 00:20:59,359 and engineering station. So we can do a very staged, methodical OT approach. 278 00:20:59,599 --> 00:21:02,039 If we can't do the patch, though, we can then look at 279 00:21:02,039 --> 00:21:03,759 our systems and say, well, what is the risk of this. And 280 00:21:03,960 --> 00:21:07,279 one example we had with a client was blue Keep came out and they couldn't 281 00:21:07,319 --> 00:21:11,640 patch for blue Keep on some other systems. But they didn't want to just 282 00:21:11,680 --> 00:21:12,400 live with a risk. So the next thing they did was they said, 283 00:21:12,400 --> 00:21:17,319 well, what's wrong with blue Keep? And so what they did then was 284 00:21:17,359 --> 00:21:19,400 it well, it mostly attacks you know, the guest account remote desktop. 285 00:21:19,680 --> 00:21:25,599 Well, their twenty four seven staff d hmi's probably didn't need remote desktop enabled 286 00:21:25,680 --> 00:21:27,839 and they certainly didn't need the guest account. So then we use the technology 287 00:21:27,880 --> 00:21:32,319 to start to disable remote destop and the guest account again in a very staged 288 00:21:32,359 --> 00:21:34,880 approach. Now, if you build it properly in the thirty sites scenario that 289 00:21:36,079 --> 00:21:38,519 you've shared with us, you can do this again from a central team that's 290 00:21:38,599 --> 00:21:42,279 queues this up, tease it up for the endpoint, and can involve the 291 00:21:42,279 --> 00:21:47,519 people at the plants to be able to go ahead and be involved in So 292 00:21:47,519 --> 00:21:51,920 it's not a big brother push, but it creates very very precise or precision 293 00:21:52,319 --> 00:21:55,039 in deciding what to do and where to do it and going beyond patching to 294 00:21:55,640 --> 00:21:59,200 compensating controls. And there's two things in there that we may want to dig 295 00:21:59,240 --> 00:22:00,079 deeper into and let you know if you which way you want to go. 296 00:22:00,400 --> 00:22:03,240 There is you know, more examples of things you can do beyond patching, 297 00:22:03,440 --> 00:22:10,640 but there's also the efficiencies gained by the way that this is architected. Perhaps 298 00:22:10,720 --> 00:22:15,680 this is my naivete but coming from more of an IT background. I'm not 299 00:22:15,799 --> 00:22:22,319 quite sure why a lot of the nuance in this discussion ends up factoring into 300 00:22:22,440 --> 00:22:29,400 patching. UM. Generally, I've always thought about patching as something that you 301 00:22:29,519 --> 00:22:33,079 should do as soon as possible, whenever the option is available. But here 302 00:22:33,119 --> 00:22:38,680 we're talking about criticality and severity and all of these factors that seem to suggest 303 00:22:38,680 --> 00:22:42,279 that you wouldn't otherwise patch an ever given scenario. So why is that? 304 00:22:42,960 --> 00:22:48,480 I think it's it's easiest to answer with some examples. On your average you 305 00:22:48,519 --> 00:22:52,759 know IT network. You know, let's let's leave the sort of leave the 306 00:22:52,799 --> 00:22:57,319 specialized IT networks out of it, the banking systems and the even the SAP 307 00:22:57,519 --> 00:23:02,599 servers, the ones that are handling payroll. Let's leave sort of that critical 308 00:23:02,640 --> 00:23:06,880 systems out there. You're you're just your desktop network. You've got a bunch 309 00:23:06,880 --> 00:23:11,480 of desktop machines. Um. They are reaching out to the internet every five 310 00:23:11,519 --> 00:23:15,400 minutes to fetch email, to send email, to browse the internet to download 311 00:23:15,480 --> 00:23:21,079 stuff. They're really very exposed, um, And in a sense, they're 312 00:23:21,119 --> 00:23:25,640 all the same, They're all have the same level of exposure. So yeah, 313 00:23:25,680 --> 00:23:27,400 you use the severity, and if it's a severity nine, you patch 314 00:23:27,480 --> 00:23:33,119 it automatically, and there's there's not that much decision making going on on your 315 00:23:33,279 --> 00:23:37,480 that that kind of it network kind of everyone's most familiar with UM. But 316 00:23:37,680 --> 00:23:41,200 you know, on the on the back end here, safety systems are the 317 00:23:41,240 --> 00:23:47,759 ones that prevent unsafe conditions from killing people, you know, over pressure conditions 318 00:23:47,799 --> 00:23:52,079 on boilers from blowing up and killing people, over temperature conditions from you know, 319 00:23:52,640 --> 00:23:59,039 causing explosions or fires. UM. And so let's say there's a vulnerability 320 00:23:59,359 --> 00:24:07,799 that let's uh, somebody crash the machine, you send a message the magic 321 00:24:07,960 --> 00:24:11,440 send the magic message to the machine, and the machine crashes and reboots and 322 00:24:11,519 --> 00:24:17,000 it's down for you know, thirty seconds or five minutes, depends how long 323 00:24:17,000 --> 00:24:21,799 it takes to reboot. How important is that on the main part of the 324 00:24:21,799 --> 00:24:26,240 control system, It's fairly important. You're probably going to take the plant down. 325 00:24:26,359 --> 00:24:30,319 It's it's a reliability threat. How important is that on your safety system. 326 00:24:30,519 --> 00:24:34,640 Well, if your safety system is down for five minutes, human life 327 00:24:34,680 --> 00:24:40,400 is at risk for those five minutes, and so the safety system is more 328 00:24:40,480 --> 00:24:45,200 critical than the rest of the plant systems. Arguably, you know, even 329 00:24:45,240 --> 00:24:48,359 if a you know, cause the machine to reboot, vulnerability is not as 330 00:24:48,359 --> 00:24:53,920 bad as our execute arbitrary code and do nasty stuff. It's still on the 331 00:24:53,960 --> 00:24:59,640 safety systems. It's they're that critical that you should be patching these lower, 332 00:25:00,039 --> 00:25:04,039 lower priority vulnerabilities on the safety systems. On the other hand, if your 333 00:25:04,079 --> 00:25:10,279 safety systems, and you know many of them are air gapped, you cannot 334 00:25:10,519 --> 00:25:15,319 send them a message from any other machine, well, then that vulnerability really 335 00:25:15,359 --> 00:25:19,279 isn't exposed on them, is it. And so you might say, yes, 336 00:25:19,559 --> 00:25:25,799 normally I would patch it. But because you know these safety systems versus 337 00:25:25,799 --> 00:25:27,720 those over there that are exposed, these ones are air gapped, I don't 338 00:25:27,799 --> 00:25:32,559 need to patch these ones as urgently as I do those ones over there that 339 00:25:32,599 --> 00:25:36,880 are on the network. So this is an example of where context drives the 340 00:25:36,920 --> 00:25:41,359 decision of a given vulnerability that you might patch in some circumstances and not others. 341 00:25:44,559 --> 00:25:47,279 I guess my question is, let's say I don't know I put a 342 00:25:47,319 --> 00:25:52,000 firewall rule in, or I don't know I install whitelisting or something, I 343 00:25:52,119 --> 00:25:59,160 take some other measure. What do I see in the system, How does 344 00:25:59,240 --> 00:26:02,119 how does the system does it? You know, does it notice that I've 345 00:26:02,160 --> 00:26:06,680 done this? And recalculate how you know how does this It's it's great that 346 00:26:06,720 --> 00:26:08,480 the system tells me, hey, look I'm in trouble, but does it 347 00:26:08,519 --> 00:26:12,000 come back and say you're not in trouble anymore? Good job? Or you 348 00:26:12,039 --> 00:26:17,720 know how how does that work? You're right, the basic premise is in 349 00:26:17,720 --> 00:26:19,799 that scenario, I'm going to look at something and my score, and you're 350 00:26:19,880 --> 00:26:23,079 right, I overlooked some of the more simple sort of approach. Potentially the 351 00:26:23,200 --> 00:26:26,279 risk score says that I have a high risk and when I dig in there's 352 00:26:26,319 --> 00:26:30,079 a patch needed and maybe I can do a compensating control. Or maybe the 353 00:26:30,160 --> 00:26:34,240 risk is because the backup or part of the risk score is because whitelisting isn't 354 00:26:34,279 --> 00:26:38,640 currently in lockdown or not installed on the device, or the backup failed last 355 00:26:38,759 --> 00:26:41,440 night, or you know, we got this porch or service that really just 356 00:26:41,480 --> 00:26:44,839 need to disable and I can't do any with it. So to your point, 357 00:26:45,279 --> 00:26:49,559 let's install a firewall or inline in a network access control type of thing, 358 00:26:49,960 --> 00:26:56,039 or we can go rerun the backup, or we can enable and install 359 00:26:56,559 --> 00:27:00,559 whitelisting. And to your question, because of the name ure of the way 360 00:27:00,559 --> 00:27:03,839 we collected data, we're continually connecting to the end points, We're continually remapping 361 00:27:03,920 --> 00:27:08,799 vulnerabilities, and we're continually connecting to antivirus and backup databases. You are correct. 362 00:27:10,680 --> 00:27:14,799 Once I make those changes, rerun the backup and solid white listing, 363 00:27:15,240 --> 00:27:18,079 configure the registry, that will then show up in my dashboard and I will 364 00:27:18,079 --> 00:27:22,319 see a reduction in risk. I will see less devices in that higher or 365 00:27:22,400 --> 00:27:26,240 critical category. I will see a trend over time that I had a whole 366 00:27:26,240 --> 00:27:27,480 bunch of five alarm players and now I'm down to a couple. Then, 367 00:27:27,759 --> 00:27:32,880 and you can actually see the improvement. And that's exactly what the dashboard is 368 00:27:32,920 --> 00:27:36,839 for, is to give you that mere real time view into the current status, 369 00:27:37,039 --> 00:27:41,680 which includes improvements as you do these things at recalculations, but it also 370 00:27:41,720 --> 00:27:45,599 includes obstacles or challenges as new vulnerabilities or threats are included, because that's also 371 00:27:45,640 --> 00:27:49,799 injected. So it's a continually moving and evolving line. It's just like looking 372 00:27:49,839 --> 00:27:55,599 at at a trend line in an operational facility when you're making power or oil. 373 00:27:55,920 --> 00:27:57,240 You're doing better, and you see the productivity go up and the tank 374 00:27:57,240 --> 00:28:00,440 fill up and something goes wrong, you see it dropped down. The exact 375 00:28:00,440 --> 00:28:04,200 same sort of scenario I was thinking about. An example you gave a little 376 00:28:04,200 --> 00:28:08,119 while ago, you know, the remote desktop example, and the vulnerability that 377 00:28:08,279 --> 00:28:15,000 you know, let's say, in remote desktop. I'm wondering your is your 378 00:28:15,039 --> 00:28:18,640 system clever enough to say, hey, the vulnerability is in remote desktop, 379 00:28:18,680 --> 00:28:25,599 and look they disabled the remote desktop on these devices. Therefore it automatically reduces 380 00:28:25,640 --> 00:28:29,039 the risk. Is that how it works? Yeah, to an extent. 381 00:28:29,119 --> 00:28:32,279 I mean, in in the scenario you just gave, there's a couple of 382 00:28:32,319 --> 00:28:37,599 different indicators that would reduce the risk score. And those which are automatically gathered, 383 00:28:37,680 --> 00:28:41,000 like the white listing status is now in lockdown or the backup is now 384 00:28:41,000 --> 00:28:45,400 a success as opposed to a fail that's automatically gathered automatically updated. No problem. 385 00:28:45,680 --> 00:28:49,480 When you get to the more creative ot needs around compensating controls like disabling 386 00:28:49,519 --> 00:28:53,519 remote desktop, we would once we had done that, confirmed that it was 387 00:28:53,640 --> 00:28:56,799 complete on however many assets we did it for, and then we would set 388 00:28:56,799 --> 00:29:03,119 a flag in the software to then not show those systems as still being vulnerable 389 00:29:03,160 --> 00:29:07,240 to that particularly vulnerability because the first pass of mapping the vulnerabilities, and as 390 00:29:07,279 --> 00:29:10,400 a patchelor would say, no, but we know we've applied compensating controls. 391 00:29:10,400 --> 00:29:14,519 So when I show the resulting dashboard to an OT practitioner, they see their 392 00:29:14,559 --> 00:29:18,640 true risk, not again a false positive in that here's all these vulnerabilities because 393 00:29:18,680 --> 00:29:22,720 we know we've got those those extra controls. And again that's just just another 394 00:29:22,720 --> 00:29:26,759 reinforcement for why you'd want to have multiple indicators, not just the vulnerability, 395 00:29:26,880 --> 00:29:29,880 but vulnerability plus how is it configured. Well, now we've got a different 396 00:29:29,880 --> 00:29:33,119 answer. We've got the true answer. I wanted to come back. You 397 00:29:33,079 --> 00:29:37,680 said there was another another topic. I think it was scaling. You know 398 00:29:37,720 --> 00:29:41,200 how you use these numbers. Yeah, no, it's this is the really 399 00:29:41,279 --> 00:29:47,319 powerful part. Right. So the architecture that we instill, and we touch 400 00:29:47,400 --> 00:29:48,880 upon a little bit earlier, but the architecture that we instill means that you 401 00:29:48,920 --> 00:29:52,599 can bring in multiple facilities and all of your assets into a single view, 402 00:29:52,759 --> 00:29:59,160 which means you can have one small specialized team look at the fleet on behalf 403 00:29:59,160 --> 00:30:02,079 of the whole organization. You don't have individual sites having to dig in and 404 00:30:02,119 --> 00:30:04,440 the security experts and figure out what to do about this patch or that risk. 405 00:30:06,359 --> 00:30:10,920 And then with that technology, you can then start to queue up activities. 406 00:30:10,960 --> 00:30:12,799 And I wanted to circle back to this especially because OT always gets really 407 00:30:12,799 --> 00:30:15,240 scared and you think some central it guy is going to do something. I 408 00:30:15,279 --> 00:30:18,039 get it instead. I've been doing this for twenty years. I've seen a 409 00:30:18,079 --> 00:30:23,079 wrench in a firewall in the field, through the physical hardware, through the 410 00:30:23,160 --> 00:30:26,359 chassis. So let me just walk you through through a quick case study. 411 00:30:29,440 --> 00:30:33,200 We have a Generation client that wanted to update a particular piece of software. 412 00:30:33,200 --> 00:30:36,799 In fact, they wanted to uninstall the software. They were afraid of it's 413 00:30:36,839 --> 00:30:38,000 origins and the risk that we're associated with it. And I'm not going to 414 00:30:38,079 --> 00:30:41,160 name anybody, but we all know that there's been a number of companies that 415 00:30:41,200 --> 00:30:48,519 have fallen on the foul side of many people's favor. And so there they 416 00:30:48,519 --> 00:30:51,559 are in a Saturday afternoon. They've got six generation coal fire generation, very 417 00:30:51,559 --> 00:30:56,480 complex environments, and they're needing to remove this piece of software and they're not 418 00:30:56,519 --> 00:30:57,519 sure how they're going to do it. There's a deadline. So what they 419 00:30:57,559 --> 00:31:02,000 do is they can go to the dashboard and in the software and they can 420 00:31:02,000 --> 00:31:04,440 see there's one hundred and forty six copies of software I spread across these six 421 00:31:04,480 --> 00:31:11,480 sites. The central team is able to then initiate a request to uninstall the 422 00:31:11,480 --> 00:31:15,000 software. I say request because while I've said earlier we can make things like 423 00:31:15,000 --> 00:31:18,160 registry changes automatically, we don't always want to be messing in the OT space. 424 00:31:18,279 --> 00:31:21,640 Going to be very respectful and usually uninstall the software requires a reboot, 425 00:31:22,119 --> 00:31:26,799 So we send request to one hundred and forty six systems to unstall the software. 426 00:31:26,160 --> 00:31:32,039 We send a detailed list to each site of exactly which physical room and 427 00:31:32,079 --> 00:31:34,319 wreck this device is in, and when they get to the console they will 428 00:31:34,319 --> 00:31:40,000 see a flashing light saying would you like to accept this action? They are 429 00:31:40,000 --> 00:31:41,599 then able to phone the operator in the control room. They are then able 430 00:31:41,640 --> 00:31:45,880 to follow their own local change process. They're able to uninstall the software, 431 00:31:45,160 --> 00:31:48,000 bring it back on line, and move to the next one and this particular 432 00:31:48,039 --> 00:31:51,960 client. Anyone who's listening this knows that this sort of activity, removing one 433 00:31:52,000 --> 00:31:56,000 hundred fifty copies of software from six locations would take probably weeks or even maybe 434 00:31:56,000 --> 00:32:00,640 a couple of months in a lapse. Not expended time, but just hunting 435 00:32:00,640 --> 00:32:06,319 and searching and finding the time. This activity was completed with a support person 436 00:32:06,359 --> 00:32:08,920 of one at the central and one individual each of the six sites in and 437 00:32:08,960 --> 00:32:14,720 around their day job. It was completed in ninety minutes and because of the 438 00:32:14,799 --> 00:32:17,599 update mechanism, we could see that in the software dashboard updating as they went 439 00:32:17,599 --> 00:32:22,079 around the flight. So this allows we have a client with seven hundred facilities 440 00:32:22,160 --> 00:32:25,759 and a team of eight managing worldwide around the clock. So this is the 441 00:32:25,799 --> 00:32:30,680 future to me of where VERVE sorry, where OT security is going and how 442 00:32:30,759 --> 00:32:34,279 VERVE is helping their clients to do it is there's not enough people and we 443 00:32:34,319 --> 00:32:38,039 need to start doing things. And so if we can combine context ability to 444 00:32:38,079 --> 00:32:43,599 act and OT safe, we start to really move the needle. So that's 445 00:32:43,960 --> 00:32:47,480 that's powerful automation is good automation on the security side. You know, I've 446 00:32:47,519 --> 00:32:52,640 been thinking about this interview though, and I know there are standards bodies, 447 00:32:52,680 --> 00:32:59,079 there are governments out there, There's a lot of debate going on saying what 448 00:32:59,160 --> 00:33:02,000 are the right met tricks? How do you measure risk in in the OT 449 00:33:02,160 --> 00:33:06,240 world? Um? You know, I see people out there saying, well, 450 00:33:06,279 --> 00:33:08,920 you know, um, be careful how you measure risk? Uh? 451 00:33:09,119 --> 00:33:12,960 You know, if if your risk just keeps going up, your your board 452 00:33:13,039 --> 00:33:16,039 is going to be asking you why why they're spending money on security? If 453 00:33:16,079 --> 00:33:21,799 risk keeps going up? If you know some people are saying use use measures, 454 00:33:21,799 --> 00:33:24,319 like how many of the top twenty controls have I implemented? Uh, 455 00:33:24,400 --> 00:33:27,359 you know, well, when you get to one hundred percent, you're done 456 00:33:27,400 --> 00:33:30,119 Again. The question becomes, you know, why am I spending money on 457 00:33:30,160 --> 00:33:36,559 this? The whole question of how do you measure risk seems hard? Yet 458 00:33:37,359 --> 00:33:40,960 you have a dashboard, you are it seems to me you are measuring risk. 459 00:33:42,240 --> 00:33:45,799 Can you talk about about metrics and the value of metrics and you know 460 00:33:45,839 --> 00:33:50,359 how your how your your stakeholders, your customers respond to being able to see 461 00:33:50,640 --> 00:33:55,640 sort of a number that moves around in a predictable way reflecting risk. Yeah, 462 00:33:55,680 --> 00:33:59,599 and that's one of the things we haven't talked about yet, is is 463 00:33:59,640 --> 00:34:04,440 the value of this insight. It goes from if you remember the example earlier, 464 00:34:04,440 --> 00:34:07,359 the plant manager who told me you're doing an assessment night, I already 465 00:34:07,359 --> 00:34:08,719 know I don't patch and I don't change passwords. How does that help me? 466 00:34:09,360 --> 00:34:14,079 That's the answer to this is once you have this data and you have 467 00:34:14,199 --> 00:34:19,400 the context, you can have empirical discussions about trends and you're right, you 468 00:34:19,440 --> 00:34:21,719 know, the risk doesn't always go up, the risk does go down, 469 00:34:22,599 --> 00:34:25,360 and so you can measure risk with what we primarily focus on today, which 470 00:34:25,400 --> 00:34:30,320 is pure risk in terms of vulnerabilities on assets and the impact of that asset. 471 00:34:30,559 --> 00:34:34,000 But once you go up a level, you can start to measure well, 472 00:34:34,000 --> 00:34:37,039 I need to act in this behavior at this facility. But guess what 473 00:34:37,159 --> 00:34:40,760 this flagship facility over here that either makes us more money or is more potentially 474 00:34:42,039 --> 00:34:46,440 catastrophic if it goes wrong gets a different level of scrutiny and of support or 475 00:34:47,000 --> 00:34:52,840 funding. And it's all empirically driven now. And you mentioned some of the 476 00:34:52,199 --> 00:34:58,639 regulatory standards. Outside of the pure risk score, we are getting more and 477 00:34:58,679 --> 00:35:00,599 more calls and more and more, more more engagements to be helping clients to 478 00:35:01,000 --> 00:35:05,320 track and monitor compliance. And are we doing enough? Are we showing the 479 00:35:05,360 --> 00:35:07,440 auditors, are we showing the board, are we showing senior management? Are 480 00:35:07,480 --> 00:35:10,039 we using the money wisely? And are we making trends go in the right 481 00:35:10,039 --> 00:35:14,920 direction? Things like the CIS controls. We have a dashboard that shows here's 482 00:35:14,920 --> 00:35:16,960 your hardware inventory, here's your software, here's your configuration, here's your users, 483 00:35:17,119 --> 00:35:20,159 and you can look at it as a glance and show the CIO, 484 00:35:20,199 --> 00:35:22,960 look we're doing the right things, or look we're going the wrong way. 485 00:35:22,000 --> 00:35:25,440 We need more help. And the most recent when they're quite proud of, 486 00:35:25,559 --> 00:35:30,760 is actually that the federal government announced a CDM Continuous Diagnostics and Monitoring that all 487 00:35:30,800 --> 00:35:37,199 federal entities shall be reporting on. We've actually been approved as the ot response 488 00:35:37,199 --> 00:35:42,320 for that. So we're not only doing this internally within an organization or with 489 00:35:43,079 --> 00:35:46,239 an organization towards helping them comply, but now we're also starting to share with 490 00:35:46,320 --> 00:35:50,719 external and federal sort of entities to really consume this data. It's really starting 491 00:35:50,719 --> 00:35:57,199 to catch on. Let me dive into this just a little bit. Visualizing 492 00:35:57,320 --> 00:36:00,760 risk is you know, a Measuring risk is a is a big debate in 493 00:36:00,800 --> 00:36:06,559 the industry. I gave you some examples in my question, but I don't 494 00:36:06,559 --> 00:36:08,280 know if I don't know if my question made sense now that I listened to 495 00:36:08,360 --> 00:36:12,519 it again, Rick obviously got it. But let me go through it once 496 00:36:12,559 --> 00:36:15,679 more. Let's say you know there are people who out there saying, you 497 00:36:15,719 --> 00:36:19,039 know, risk should reflect you know, what's what's happening in the world. 498 00:36:19,320 --> 00:36:23,320 Well, there's always new vulnerabilities, thousands and thousands of vulnerabilities being reported every 499 00:36:23,440 --> 00:36:27,320 every year. If you count them, your risk indicators going up, Your 500 00:36:27,360 --> 00:36:30,679 chart keeps going up. Qualitatively, we get we get word that, you 501 00:36:30,679 --> 00:36:35,440 know, the sophistication of the adversary is going up. They're using more and 502 00:36:35,440 --> 00:36:38,079 more powerful tools. They're using more and more powerful techniques. Again, the 503 00:36:38,159 --> 00:36:42,480 risk line keeps going up. If you show the board a risk line that 504 00:36:42,559 --> 00:36:45,239 goes up steadily. They asked the question, why are we spending money on 505 00:36:45,320 --> 00:36:49,519 you? You don't seem to be having any effect, so you can't show 506 00:36:49,559 --> 00:36:54,599 them that risk line. You know, I've had I've had people tell me 507 00:36:54,679 --> 00:36:59,400 what you should do is use something like the top twenty controls and say, 508 00:36:59,440 --> 00:37:02,440 my goal is to get the top twenty controls implemented on every machine in my 509 00:37:02,519 --> 00:37:07,599 network. So I see a risk, you know, I see a mitigation 510 00:37:07,679 --> 00:37:10,840 line going up. But eventually, you know, saying I'm getting better and 511 00:37:10,840 --> 00:37:15,280 better. Eventually I'm going to hit my twenty and I flatline. And again 512 00:37:15,440 --> 00:37:20,840 the board goes your security the strength of your security poster seems to a flatline. 513 00:37:21,880 --> 00:37:23,519 Why are we spending money on this? Again? Have you not solved 514 00:37:23,559 --> 00:37:28,519 this problem? Can we start spending less money on this? And of course 515 00:37:29,000 --> 00:37:32,079 you know you can't. That's that's the wrong measure as well. But what 516 00:37:32,159 --> 00:37:37,039 ricks had described here. You know their dashboard. Imagine what the dashboard looks 517 00:37:37,039 --> 00:37:39,679 like. New vulnerabilities are discovered in the world, and we do the risk 518 00:37:39,719 --> 00:37:44,559 calculation, and some of them are relevant to our most critical systems, and 519 00:37:44,760 --> 00:37:47,159 our calculation of risk goes up. You see the trend line going up, 520 00:37:49,159 --> 00:37:53,360 and the OT security team springs into action, you know, presses the button, 521 00:37:53,400 --> 00:37:58,800 figures out which machines most originally need to be patched, patches those machines 522 00:37:58,960 --> 00:38:04,320 or applies compensating measures to protect those machines, and the risk line goes down, 523 00:38:04,639 --> 00:38:08,599 saying good, good job, You've you've reduced your risk. And then 524 00:38:08,599 --> 00:38:13,320 of course there's more vulnerabilities over time, the rescise going up and down. 525 00:38:13,400 --> 00:38:16,880 You can see progress. You can see that the money you're spending is you 526 00:38:16,920 --> 00:38:20,880 know, in the absence of spending money, the risk would go up unboundedly, 527 00:38:21,280 --> 00:38:23,039 and you're spending the money and so it keeps coming down. You can 528 00:38:23,079 --> 00:38:28,639 see, you know that something good is happening. This is a step up 529 00:38:28,679 --> 00:38:32,880 from you know, waving your hands at the board. Um, it's still 530 00:38:32,920 --> 00:38:37,039 a qualitative metric. I mean, in the engineering space, you might be 531 00:38:37,119 --> 00:38:43,119 used to calculating like safety risk mathematically, you've got a you know, one 532 00:38:43,159 --> 00:38:45,119 in a million chance of a death at the facility. You know in the 533 00:38:45,159 --> 00:38:52,760 next year. You don't have that kind of mathematical precision, but at least 534 00:38:52,800 --> 00:38:55,400 you've got something, and it's something visual and it's something that in a in 535 00:38:55,440 --> 00:38:59,480 a real sense makes sense. So you know, I think this is a 536 00:38:59,480 --> 00:39:05,519 step in the right direction. Risk is a dry topic. Um. A 537 00:39:05,559 --> 00:39:08,559 lot of people, you know, I speak at conferences. If you know, 538 00:39:08,599 --> 00:39:13,840 I've proposed, uh, you know, many presentations with risk in the 539 00:39:13,880 --> 00:39:16,280 title. Most of them don't get accepted. If I get accepted, nobody 540 00:39:16,280 --> 00:39:22,400 shows up because it's you know, people see it as as academic, as 541 00:39:22,519 --> 00:39:27,000 as not actionable. But you know, metrics people are interested in, you 542 00:39:27,039 --> 00:39:31,360 know, and concrete advice as to where you know the highest value investment. 543 00:39:31,400 --> 00:39:36,599 Next is that's huge? So, UM, you know, thank you for 544 00:39:36,599 --> 00:39:40,559 for for joining us. You know, these are to me, these are 545 00:39:40,639 --> 00:39:45,559 are very positive developments in the in the field of the technology. Um. 546 00:39:45,760 --> 00:39:47,000 Before we let you go, Uh, you know, did you want to 547 00:39:47,039 --> 00:39:50,760 sum up for us? Is there are there words of wisdom you have for 548 00:39:50,840 --> 00:39:52,880 us? Uh? Well, the things that I think are important, whether 549 00:39:52,880 --> 00:39:57,960 the wise or not. Let the audience judge. But you know, I've 550 00:39:57,960 --> 00:40:00,760 been in this business, as I mentioned the top of the the call, 551 00:40:00,920 --> 00:40:04,719 for twenty two years, and I've seen a lot of attempts at you know, 552 00:40:04,760 --> 00:40:07,639 the silver bullet, and you know it was white listing in oh nine, 553 00:40:07,719 --> 00:40:13,559 and it's it's other promises since then, and even some notable public speakers 554 00:40:13,559 --> 00:40:15,599 saying, well, we can't patch, why bother, let's just give up 555 00:40:15,599 --> 00:40:19,360 and hunker down. But the reality is that this can happen. We just 556 00:40:19,480 --> 00:40:22,079 need to be prepared to roll our sleeves up and get at it. Why 557 00:40:22,159 --> 00:40:27,559 we've been avoiding addressing the technical and security that we continue to amass and compile 558 00:40:27,599 --> 00:40:30,440 over adding more technologies and IoT and then being surprised at how much risk there 559 00:40:30,519 --> 00:40:34,920 is is it's a bit baffling to me. You've been on the circuit as 560 00:40:34,920 --> 00:40:36,639 long or longer than I have, Andrew, and you know that some of 561 00:40:36,679 --> 00:40:37,960 the things we say, we've been saying for twenty years, and still people 562 00:40:38,000 --> 00:40:40,519 nod their head and write it down as its stage advice. Right. So 563 00:40:42,639 --> 00:40:46,320 I think that we're seeing a turn that people are embracing the fact that yeah, 564 00:40:46,320 --> 00:40:47,960 I really do need to get into it. I really do need the 565 00:40:49,039 --> 00:40:51,920 data because I need to make conformed decisions. There's only so many people, 566 00:40:52,199 --> 00:40:54,400 so many dollars, and there's so much risk. I need to be I 567 00:40:54,480 --> 00:40:58,320 need to be creative, I need to be precise, and I need to 568 00:40:58,360 --> 00:41:00,920 be effective. And so I'm quite excited at what we're seeing, and I 569 00:41:00,960 --> 00:41:05,880 would I would hardly recommend that you dig into how you actually get to those 570 00:41:05,920 --> 00:41:07,360 end points, because that's where the data resides, it's where the risk resides, 571 00:41:07,400 --> 00:41:12,960 and that's where the solution ultimately resides as well. And if you do 572 00:41:13,000 --> 00:41:16,559 want to dig deeper, you know, we have always taken these case studies, 573 00:41:17,000 --> 00:41:22,760 user testimonials, public presentations of how some of these things are from from 574 00:41:22,760 --> 00:41:25,519 the end users, not from us our resource page. We just recently published 575 00:41:25,519 --> 00:41:29,519 a couple of new white papers on exactly these types of topics, but also 576 00:41:29,519 --> 00:41:32,920 again some of the use cases that actual frontline industry pairs of yours speaking to 577 00:41:32,960 --> 00:41:37,679 the audience here that are doing this and realizing the benefits. We have some 578 00:41:37,800 --> 00:41:40,920 that are accelerating five year programs down into two and a half to three years, 579 00:41:40,960 --> 00:41:45,840 and I think there's some real valuable insights from people frontline, you know, 580 00:41:45,880 --> 00:41:47,880 not the talking heads like me and Andrew, and you really probably should 581 00:41:47,880 --> 00:41:51,039 dig into that. And you can also probably sign up for a webinar two 582 00:41:51,039 --> 00:41:52,639 while you're there, because we do those every months as well. So I 583 00:41:52,639 --> 00:41:55,639 hope this helps, and please do dig into the educational content we have up 584 00:41:55,639 --> 00:42:02,400 there, and if anybody's curious, please feel free to reach out. Andrew. 585 00:42:02,440 --> 00:42:07,480 That was your interview with Rick Kahn. Do you have any final thoughts 586 00:42:07,480 --> 00:42:10,599 to take us out with today? I was really encouraged by the episode. 587 00:42:10,639 --> 00:42:15,800 I mean, um, you know, this is automation. This is automation 588 00:42:15,840 --> 00:42:22,079 for security. You know, it's it's a truism that our enemies attacks are 589 00:42:22,119 --> 00:42:27,639 getting more sophisticated because they're automating their attacks, because our enemies are using more 590 00:42:27,679 --> 00:42:32,719 and more sophisticated automation. Here is automation for our defenses. Uh, here 591 00:42:32,800 --> 00:42:37,159 is a way to you know, this kind of automation. Can can you 592 00:42:37,199 --> 00:42:40,280 know, take a lap a lot of time off of the analysis part of 593 00:42:40,320 --> 00:42:45,280 our defenses, off of the the implementation part of our defenses. You know, 594 00:42:45,599 --> 00:42:49,840 automating the defenses, you know, sounds extremely useful. You know, 595 00:42:49,880 --> 00:42:52,199 this sounds like a very effective kind of automation. So you know, I 596 00:42:52,519 --> 00:42:57,280 see this as good news, as a very positive development. Okay, well 597 00:42:57,320 --> 00:43:00,880 then, thanks to Rick for enlighten us today, and thank you Andrew for 598 00:43:00,920 --> 00:43:05,559 speaking with me. It's always a pleasure. Thank you, Nate. This 599 00:43:05,639 --> 00:43:10,679 has been the Industrial Security Podcast from Waterfall. Thanks to everybody out there listening