1
00:00:02,960 --> 00:00:05,679
Speaker 1: Lots of people have different data sets. They have done

2
00:00:05,679 --> 00:00:08,919
some investment in OT security, but they're all struggling to

3
00:00:08,919 --> 00:00:12,320
identify what's the logical next step in that journey.

4
00:00:16,280 --> 00:00:20,160
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

5
00:00:20,280 --> 00:00:23,920
Nate Nelson. I'm here with Andrew Ginter, the vice president

6
00:00:24,000 --> 00:00:28,079
of Industrial Security at Waterfall Security Solutions, who's going to

7
00:00:28,120 --> 00:00:31,559
introduce the subject and guest of our show today. Andrew,

8
00:00:31,800 --> 00:00:32,320
how's it going.

9
00:00:33,079 --> 00:00:37,640
Speaker 3: I'm very well, thank you, Nate. Our guest today is Vivek Ponada.

10
00:00:38,520 --> 00:00:41,560
You might remember him from an episode a little while ago.

11
00:00:42,560 --> 00:00:46,399
He was the co lead on the top twenty Secure

12
00:00:46,439 --> 00:00:50,119
PLC coding Practices document that came out a year ago

13
00:00:50,159 --> 00:00:53,600
two years ago. Today, he's the senior vice president of

14
00:00:53,640 --> 00:00:58,200
Growth and Strategy at Frenos and our topic is digital

15
00:00:58,240 --> 00:01:02,000
twins for Managing Risk. And it sounds like a bunch

16
00:01:02,079 --> 00:01:05,760
of marketing uh buzzwords, you know, digital twins managing risk,

17
00:01:05,799 --> 00:01:07,959
but they've got some real technology behind this, so I'm

18
00:01:08,000 --> 00:01:08,719
looking forward to this.

19
00:01:09,760 --> 00:01:12,760
Speaker 2: Then, without further ado, here's Andrew with Vivek.

20
00:01:15,239 --> 00:01:18,359
Speaker 3: Hello Vivek, and welcome to the show. Before we get started,

21
00:01:18,359 --> 00:01:20,400
can I ask you to say a few words about

22
00:01:20,400 --> 00:01:22,719
yourself for our listeners and about the good work that

23
00:01:22,760 --> 00:01:24,200
you're doing at Frenos.

24
00:01:25,040 --> 00:01:28,680
Speaker 1: Sure, thanks Andrew. Hey everyone, my name is Vivek Ponada.

25
00:01:28,840 --> 00:01:32,120
I am the SVP of Growth and Strategy at Frenos. I've

26
00:01:32,120 --> 00:01:34,400
been in the OT security space for quite some time.

27
00:01:34,719 --> 00:01:36,239
Back in the day, I was a guest serve and

28
00:01:36,280 --> 00:01:39,840
controls engineer for GE. Then I became a controls and

29
00:01:39,920 --> 00:01:45,480
cybersecurity solutions upgrade sales manager for them. Initially covered power

30
00:01:45,519 --> 00:01:48,120
and utilities and then of course added oil and gas.

31
00:01:48,200 --> 00:01:50,560
I'm based in Houston, so that was a natural thing.

32
00:01:51,480 --> 00:01:55,079
Before joining Frenos, I worked at Nozomi Networks as

33
00:01:55,079 --> 00:01:58,280
the regional sales director for three years. So I've been

34
00:01:58,319 --> 00:02:02,079
in the OT security space for quite some time and I

35
00:02:02,120 --> 00:02:05,959
am happy to be on this podcast. And at Frenos

36
00:02:06,480 --> 00:02:09,800
we're doing something cool. We're doing an attack path analysis

37
00:02:09,840 --> 00:02:14,000
and risk assessment at scale, bringing autonomous risk assessments to

38
00:02:14,080 --> 00:02:17,280
a space that's been lacking this kind of approach. So

39
00:02:17,759 --> 00:02:20,719
I'm looking forward to our conversation discussing more about that.

40
00:02:21,879 --> 00:02:26,199
Speaker 3: Our topic today is risk, which a lot of people

41
00:02:26,199 --> 00:02:28,360
find boring. I mean, people new to the field tend

42
00:02:28,360 --> 00:02:31,400
to want to focus on attacks. Attacks are interesting, attacks

43
00:02:31,439 --> 00:02:35,719
are technical. You know, it's not until they have failed

44
00:02:35,879 --> 00:02:38,599
to secure funding as a manager of you know, the

45
00:02:38,680 --> 00:02:40,960
security team for the last ten years that they start

46
00:02:40,960 --> 00:02:43,680
being interested in risk, which is the language and the

47
00:02:43,759 --> 00:02:47,560
decision making of business. We're going to talk about risk.

48
00:02:47,759 --> 00:02:50,319
You're talking about you know, we're going to talk about

49
00:02:50,400 --> 00:02:54,639
digital twins, which is a real buzzword nowadays. But you

50
00:02:54,639 --> 00:02:58,280
know this is our topic. And you've mentioned, you know,

51
00:02:58,639 --> 00:03:02,919
risk assessments, you've mentioned attack path analysis. You know,

52
00:03:02,919 --> 00:03:04,919
I'll approach to looking into all of this. You know,

53
00:03:04,960 --> 00:03:08,560
to me, risk is fascinating. It's how we make progress.

54
00:03:08,599 --> 00:03:10,759
It's how we shake the money loose. But you know,

55
00:03:11,240 --> 00:03:13,879
before we start, before we dig

56
00:03:13,919 --> 00:03:16,319
into it, can we start at the beginning? What is

57
00:03:16,960 --> 00:03:20,599
the problem the risk problem that you know we're trying

58
00:03:20,639 --> 00:03:21,479
to address here?

59
00:03:22,400 --> 00:03:26,159
Speaker 1: Yeah, great question, Andrew. The past ten plus years in

60
00:03:26,199 --> 00:03:29,719
OT security has been let's find out what we have right,

61
00:03:29,719 --> 00:03:33,039
So lots of people started figuring out that they need

62
00:03:33,039 --> 00:03:36,879
asset inventory solutions. So the likes of Dragos, Nozomi, Claroty

63
00:03:38,000 --> 00:03:40,520
have been the forefront of that kind of an approach

64
00:03:40,560 --> 00:03:45,400
to network security monitoring, leading to passive asset discovery and

65
00:03:45,520 --> 00:03:49,840
vulnerability identification. So now, ten plus years into this, people

66
00:03:49,960 --> 00:03:52,439
have a lot of data sets. They have several sites,

67
00:03:52,719 --> 00:03:55,639
especially the ones that they were considered important to their production.

68
00:03:56,639 --> 00:04:00,759
They've installed sensors, they have lots of information. Now they're

69
00:04:00,759 --> 00:04:06,240
asking what next, right, the real use case is risk

70
00:04:06,360 --> 00:04:10,840
identification and risk mitigation, as you mentioned, But there's a struggle.

71
00:04:10,919 --> 00:04:13,560
We will struggle out there with different data sets, not

72
00:04:13,680 --> 00:04:17,240
able to figure out what the actual risk is for

73
00:04:17,360 --> 00:04:21,040
them to address next. So that's the problem trying to solve.

74
00:04:21,560 --> 00:04:26,480
We are trying to aggregate information, provide contextual analysis of

75
00:04:26,639 --> 00:04:30,720
what's their riskiest path to a crown jewel or what

76
00:04:30,920 --> 00:04:35,480
might be the logical way to isolate and segment because

77
00:04:35,519 --> 00:04:39,000
not every risk can be mitigated by just patching a

78
00:04:39,079 --> 00:04:45,079
vulnerability for whatever reason. That's the main problem. So the

79
00:04:45,319 --> 00:04:48,319
conclusion is that lots of people have different data sets,

80
00:04:48,480 --> 00:04:51,519
they have done some investment in OT security, but they're

81
00:04:51,560 --> 00:04:55,279
all struggling to identify what you do with that information

82
00:04:55,680 --> 00:04:58,079
or what's the logical next step in their journey.

83
00:04:59,319 --> 00:05:01,560
Speaker 3: It's one thing to sketch this is what you know

84
00:05:01,600 --> 00:05:05,639
the NIST cybersecurity framework says a complete security program should look like.

85
00:05:06,240 --> 00:05:08,519
It's another thing to say, I've only got so much

86
00:05:08,560 --> 00:05:13,439
budget this year and you know, a comparable amount hopefully

87
00:05:13,480 --> 00:05:16,199
next year. What do I do this year? What do

88
00:05:16,240 --> 00:05:18,720
I do next year? What's sort of most important to

89
00:05:18,800 --> 00:05:22,319
do first? That's that's a really important question. How does

90
00:05:22,360 --> 00:05:24,000
a person figure that out?

91
00:05:24,079 --> 00:05:24,519
Speaker 1: What?

92
00:05:24,519 --> 00:05:26,040
Speaker 3: What's the decision path there?

93
00:05:26,720 --> 00:05:30,199
Speaker 1: Yeah, that's the real question. Lots of people in the

94
00:05:30,279 --> 00:05:33,639
past used to say we're isolated, or we are segmented.

95
00:05:34,360 --> 00:05:36,920
You know, we have a DMZ between IT and OT.

96
00:05:37,680 --> 00:05:41,720
A lot of these assumptions have not been validated in

97
00:05:41,759 --> 00:05:45,040
other cases where they have different data sets, it's not

98
00:05:45,240 --> 00:05:49,839
very clear what the what the next problem that they

99
00:05:49,839 --> 00:05:52,160
could solve is, right, So, everybody, like you said, has

100
00:05:52,240 --> 00:05:55,800
limited budget or resources. So the honest question is, hey,

101
00:05:55,920 --> 00:05:59,360
where we should focus next. It's not very clear. People

102
00:05:59,399 --> 00:06:03,279
have done linear projects, right, They'll pick a firewall project

103
00:06:03,360 --> 00:06:07,480
or a segmentation project or a vulnerability management program, and

104
00:06:07,560 --> 00:06:11,680
all these are are good, but overall not fixing the

105
00:06:11,759 --> 00:06:16,600
immediate problem or not solving the immediate problem first. Right.

106
00:06:17,399 --> 00:06:23,399
So the commonly requested feature of many of these tools,

107
00:06:23,480 --> 00:06:26,720
like Dragos, Nozomi or other vendors has been hey, can

108
00:06:26,759 --> 00:06:32,319
you please tell me what my riskiest asset is or

109
00:06:32,360 --> 00:06:35,319
what my riskiest path is and they have not been

110
00:06:35,360 --> 00:06:39,000
able to do it because that's not in there in

111
00:06:39,079 --> 00:06:43,439
their current portfolio. Is that contextual summarization? Right? So let's

112
00:06:43,439 --> 00:06:46,279
say you have an asset at the Purdue model level

113
00:06:46,319 --> 00:06:49,959
two for example, that is talking to another asset at

114
00:06:50,040 --> 00:06:52,959
level three, and then there's a DMZ above that with

115
00:06:53,079 --> 00:06:57,120
some kind of firewall rules isolating it. And if someone

116
00:06:57,240 --> 00:07:01,680
has a real world knowledge of this network, and that's

117
00:07:01,720 --> 00:07:04,360
what we are talking about, right, a digital twin that's

118
00:07:04,600 --> 00:07:08,560
kind of replicating that network, and you analyze if that

119
00:07:08,720 --> 00:07:14,480
firewall rule and if that path is possible not to

120
00:07:14,519 --> 00:07:17,160
get to level two or, you know, maybe they have other

121
00:07:17,439 --> 00:07:20,720
compensating controls in that path allowing them to say, yep,

122
00:07:20,839 --> 00:07:24,319
my level two is secure, this network, this location is

123
00:07:24,319 --> 00:07:27,879
not reachable easily or it takes a lot of complicated

124
00:07:28,199 --> 00:07:32,120
daisy chaining of attacks to get to. Then that would

125
00:07:32,120 --> 00:07:35,839
be an identification of what the what the risk is

126
00:07:35,879 --> 00:07:40,079
and if you need to address something. So the common

127
00:07:40,120 --> 00:07:43,920
consensus has been one, of course, you can't really assess

128
00:07:43,959 --> 00:07:47,000
these in real time in the production environment. Right, So

129
00:07:47,040 --> 00:07:50,160
you need to build something that's a replica of that network,

130
00:07:50,399 --> 00:07:53,079
and then you analyze all these scenarios to see if

131
00:07:53,519 --> 00:07:57,480
that asset that you deem important, or that network that

132
00:07:57,519 --> 00:08:01,639
you deem is is it critical for your environment is

133
00:08:01,720 --> 00:08:05,399
reachable or not reachable from the outside or from any

134
00:08:05,399 --> 00:08:07,879
other attack vector that you choose. Right, the assumed breach

135
00:08:07,920 --> 00:08:11,079
could be your corporate enterprise network, or it could be a

136
00:08:11,120 --> 00:08:14,079
wireless network, or it could be anything else that you

137
00:08:14,360 --> 00:08:17,639
deem as an attack vector, and to assess

138
00:08:17,759 --> 00:08:22,000
in this digital replica or digital twin if that asset

139
00:08:22,079 --> 00:08:25,079
can be reached. So that's what in general, most people

140
00:08:25,120 --> 00:08:27,879
have been asking for that's been missing in the currently

141
00:08:27,879 --> 00:08:29,480
available set of tools.

142
00:08:31,920 --> 00:08:35,799
Speaker 3: Vivek's answer there was a little abstract. Let me be

143
00:08:35,799 --> 00:08:38,039
a little more concrete. You know, he's saying, Look, a

144
00:08:38,039 --> 00:08:39,960
lot of people in the last ten years have deployed

145
00:08:40,039 --> 00:08:43,720
Dragos and Nozomi and lots of other, you know, Industrial Defender

146
00:08:44,080 --> 00:08:50,200
and you name it asset inventory tools. And in a

147
00:08:50,279 --> 00:08:52,720
large organization, these tools come back and say you have

148
00:08:52,879 --> 00:08:59,440
ten thousand, you might have fifty thousand industrial control system assets, okay,

149
00:09:00,960 --> 00:09:03,559
and you know many of them are poorly patched because

150
00:09:03,559 --> 00:09:05,679
they're you know, deep down in areas where you can't

151
00:09:05,679 --> 00:09:08,639
it's really hard to patch them. Patching them is dangerous.

152
00:09:08,679 --> 00:09:11,120
You have to test these patches, blah blah blah. So

153
00:09:11,200 --> 00:09:14,679
you've got one hundred and seven thousand vulnerabilities in these

154
00:09:14,759 --> 00:09:20,360
fifty odd thousand assets, Oh okay, and they're arranged into

155
00:09:20,440 --> 00:09:24,759
you know, eight hundred two thousand whatever sub networks, and

156
00:09:24,799 --> 00:09:30,080
the networks are all interconnected, right, So now you know

157
00:09:30,120 --> 00:09:33,320
you're scratching your head going and the question is what

158
00:09:33,399 --> 00:09:36,240
do I do next with my security? And you know,

159
00:09:36,279 --> 00:09:38,639
one of the things the asset inventory folks have done

160
00:09:38,759 --> 00:09:42,240
is they've allowed you to go through these assets, understand

161
00:09:42,240 --> 00:09:45,159
what they are, and assign a criticality to them. These

162
00:09:45,159 --> 00:09:49,279
are the safety instrumented systems. They're really important. Nothing touches them.

163
00:09:49,320 --> 00:09:51,799
These are the protective relays. They prevent damage to equipment

164
00:09:51,799 --> 00:09:54,559
and so on. And so what he's saying is you

165
00:09:54,600 --> 00:09:56,919
can't just look at the list of assets and vulnerabilities

166
00:09:56,919 --> 00:09:59,639
and figure out what to do next. You need a

167
00:09:59,720 --> 00:10:01,840
more and so this is what he's talking about, a

168
00:10:01,879 --> 00:10:05,600
digital twin that is, you know, looking at attack paths

169
00:10:05,679 --> 00:10:09,080
and looking at which assets are really important and telling

170
00:10:09,080 --> 00:10:13,120
you which really important to have assets have really short

171
00:10:13,120 --> 00:10:16,080
and easy attack paths. That's probably what you need to

172
00:10:16,120 --> 00:10:17,039
focus on next.

173
00:10:18,639 --> 00:10:20,879
Speaker 2: Yeah, and I fear this is one of those things

174
00:10:21,320 --> 00:10:24,480
where everybody else in the world knows something that I don't.

175
00:10:24,600 --> 00:10:26,960
But like, what is a digital twin?

176
00:10:27,679 --> 00:10:31,399
Speaker 3: You know, that word is a marketing buzzword and it

177
00:10:32,159 --> 00:10:35,600
means whatever the marketing team wants it to mean. The

178
00:10:35,639 --> 00:10:37,799
first time I heard the word was in a presentation

179
00:10:37,879 --> 00:10:41,759
a few years ago at S four. The sales guy

180
00:10:41,799 --> 00:10:45,480
from GE got up and did a sales pitch, in

181
00:10:45,519 --> 00:10:50,480
my opinion, a very smooth, a very what's the right word,

182
00:10:50,519 --> 00:10:53,960
you know, cleverly scripted sales pitch, But he basically said,

183
00:10:54,000 --> 00:10:57,799
a digital twin is a physical It's a it's a

184
00:10:57,840 --> 00:11:02,879
computer model of a physical system. And you you know,

185
00:11:03,000 --> 00:11:05,840
GE at the time had technology, they probably still have

186
00:11:05,919 --> 00:11:09,559
it that well. You know, let's say you've got a

187
00:11:09,600 --> 00:11:13,720
chemical process. It's gonna it's got a physical emulator built in.

188
00:11:13,759 --> 00:11:18,559
It can simulate the chemistry. It's got emulators built in

189
00:11:18,679 --> 00:11:21,639
for all of the GE PLCs in the solution, for

190
00:11:21,720 --> 00:11:25,240
all of the GE Historian and other components. It's got

191
00:11:25,240 --> 00:11:29,840
a complete simulation, and whenever the physical the measurements coming

192
00:11:29,879 --> 00:11:32,559
out of the physical world they correlate against, you know,

193
00:11:32,639 --> 00:11:35,279
the measurements that should be coming out based on the simulation.

194
00:11:35,639 --> 00:11:38,799
Whenever there's a material discrepancy, they would say, oh, that's

195
00:11:38,840 --> 00:11:42,240
potentially a cyber attack, investigate this, something has gone really

196
00:11:42,320 --> 00:11:45,840
weird here, and would take all sorts of automatic action

197
00:11:45,960 --> 00:11:50,360
to correct it. It was, you know, amazing in principle.

198
00:11:50,960 --> 00:11:54,799
Yet I've heard dozens of other vendors use the term

199
00:11:54,840 --> 00:11:59,399
digital twin to mean other things. The best definition that

200
00:11:59,480 --> 00:12:05,799
I've heard is, look your cell phone, Nate, your cell

201
00:12:05,799 --> 00:12:09,919
phone is a digital twin of you. What does that mean?

202
00:12:10,360 --> 00:12:16,320
It's it's not probably not a biological simulation of your body,

203
00:12:17,039 --> 00:12:21,120
though some apps kind of do that. They're measuring heartbeat

204
00:12:21,159 --> 00:12:26,440
and whatnot. It is an enormous amount of different kinds

205
00:12:26,600 --> 00:12:30,840
of information about you. Somebody who steals your cell phone

206
00:12:30,879 --> 00:12:34,120
steals all that information, knows an enormous amount about you.

207
00:12:34,639 --> 00:12:37,600
And so, you know, I like that definition because it's

208
00:12:37,720 --> 00:12:42,080
much broader than the very specific original definition that I

209
00:12:42,120 --> 00:12:45,799
heard at S four from GE. A digital twin can

210
00:12:45,840 --> 00:12:51,000
be anything that is a lot of detailed information, and

211
00:12:51,080 --> 00:12:53,440
so you know, I can't remember if it's on the

212
00:12:53,440 --> 00:12:55,840
recording or not, but I remember asking Vivek, you know,

213
00:12:56,000 --> 00:12:59,200
is your digital twin that kind of physical simulation And

214
00:12:59,240 --> 00:13:03,200
he's going no, no, no, it's uh, it's a network simulation.

215
00:13:03,320 --> 00:13:07,200
It's a different kind of digital twin than the physical

216
00:13:07,200 --> 00:13:10,960
simulation that some people talk about. So and they use

217
00:13:11,000 --> 00:13:14,440
it for different purposes. So again it's a marketing buzzword,

218
00:13:14,480 --> 00:13:18,519
but it means generally speaking, a system that has a

219
00:13:18,600 --> 00:13:22,039
lot of information, that uses and analyzes and you know,

220
00:13:22,080 --> 00:13:25,600
does good things with a lot of information about another thing,

221
00:13:25,840 --> 00:13:30,879
like my cell phone does for me. Can you talk

222
00:13:30,919 --> 00:13:33,559
about you know, what you folks have, I mean, maybe

223
00:13:33,600 --> 00:13:37,159
give us an example of you know, deciding what to

224
00:13:37,360 --> 00:13:41,519
patch next, uh, and you know, using this this digital

225
00:13:41,519 --> 00:13:43,240
twin and sort of you know, give us some insight

226
00:13:43,320 --> 00:13:45,639
into into what data you have, what data you need,

227
00:13:45,720 --> 00:13:48,039
and how you use that to make these decisions.

228
00:13:48,600 --> 00:13:53,799
Speaker 1: Yeah, great question, Andrew. Patching has been a significantly challenging

229
00:13:53,840 --> 00:13:56,519
problem to solve in OT as you're well aware, right

230
00:13:56,759 --> 00:14:00,320
in IT, if it's vulnerable, you apply a patch and

231
00:14:00,720 --> 00:14:02,759
there's a little bit of downtime impact, but you know,

232
00:14:02,799 --> 00:14:05,639
you run with it. In OT of course it's not

233
00:14:05,720 --> 00:14:09,440
practical because the patch might not be available, an outage

234
00:14:09,480 --> 00:14:12,440
window might not be available, and of course the risk of production

235
00:14:12,759 --> 00:14:15,919
downtime issues to deal with. So patching has been really hard.

236
00:14:16,519 --> 00:14:21,120
With what we're doing, though, it's actually highlighting what to

237
00:14:21,279 --> 00:14:24,559
patch and what might be a skip for the moment. Right, So,

238
00:14:25,399 --> 00:14:29,679
when we're doing this attack path analysis and we come

239
00:14:29,759 --> 00:14:33,480
up with a mitigation prioritization score, and we say that, hey,

240
00:14:33,600 --> 00:14:36,720
this particular network is easy to get to, the complexity

241
00:14:36,759 --> 00:14:40,240
of the attack is pretty pretty low. In just one

242
00:14:40,320 --> 00:14:43,399
or two hops from the enterprise network, I'm able to

243
00:14:43,440 --> 00:14:48,080
get to this asset and this is vulnerable. We do

244
00:14:48,159 --> 00:14:51,960
provide other options besides patching, right, We'll say maybe segmentation

245
00:14:52,240 --> 00:14:54,879
or adjusting the firewall rule might be a way

246
00:14:54,919 --> 00:14:57,320
to go in some cases. But if you do decide

247
00:14:57,320 --> 00:15:02,720
that patching is relevant and recommendation provides that, you'll see

248
00:15:02,720 --> 00:15:05,159
that if something is not on that attack path, right,

249
00:15:05,200 --> 00:15:08,120
so it might be another asset in the vicinity, but

250
00:15:08,399 --> 00:15:12,080
the complexity of the attack of that to that asset

251
00:15:12,200 --> 00:15:17,440
is much much higher, then you could deprioritize patching that asset.

252
00:15:17,840 --> 00:15:20,399
Even if those two assets we're talking about have the

253
00:15:20,440 --> 00:15:23,240
exact same vulnerability, right, So if something is on the

254
00:15:23,279 --> 00:15:26,639
attack path and it's easier to execute an attack to

255
00:15:26,759 --> 00:15:30,639
that asset, maybe you want to prioritize that more than

256
00:15:30,720 --> 00:15:34,480
another asset that's exactly the same vulnerability, but it's not

257
00:15:34,639 --> 00:15:37,240
on a critical attack path, if you will, and so

258
00:15:37,840 --> 00:15:40,840
getting to it is harder, So you would want to

259
00:15:40,879 --> 00:15:43,360
deprioritize that compared to the other one.

260
00:15:44,080 --> 00:15:47,679
Speaker 3: All right, so you use the word reachable. Is that

261
00:15:48,759 --> 00:15:52,399
loosely the same as are connected to the concept of pivoting,

262
00:15:52,440 --> 00:15:57,159
where an adversary takes over an asset and you know,

263
00:15:57,200 --> 00:16:02,240
a computer, a PLC, something, and uses the compromised CPU

264
00:16:02,360 --> 00:16:07,679
basically to attack other things. Pivot through a compromised device,

265
00:16:07,759 --> 00:16:10,960
attack other things, and then repeat, use the newly compromised

266
00:16:11,000 --> 00:16:14,559
things to attack other things. Eventually, you know, you find,

267
00:16:14,759 --> 00:16:17,879
let's say, computers that have permission to go through a

268
00:16:17,919 --> 00:16:21,519
firewall into a deeper network, and now you can use

269
00:16:21,559 --> 00:16:25,279
that compromised computer to reach through the firewall. Is this

270
00:16:25,360 --> 00:16:28,679
what reachable means reachable by a pivoting path?

271
00:16:29,440 --> 00:16:32,840
Speaker 1: It certainly could be, right, So pivoting would be jumping

272
00:16:32,879 --> 00:16:35,919
from one host or one asset to another, right from

273
00:16:35,960 --> 00:16:40,000
one network to another. The concept of living off the

274
00:16:40,080 --> 00:16:43,559
land means that you have ownership of an asset and

275
00:16:43,600 --> 00:16:48,720
you're using native functionality and eventually get to another asset

276
00:16:48,799 --> 00:16:53,000
from there because you have a direct connection or through

277
00:16:53,039 --> 00:16:56,200
a firewall for example. Right, So reachable essentially means that

278
00:16:56,480 --> 00:16:59,240
you're able to get to that asset. Now, how you

279
00:16:59,279 --> 00:17:02,360
get to that asset or network? Is it because you

280
00:17:02,440 --> 00:17:05,440
know, a firewall rule has, you know, any-any for example,

281
00:17:05,480 --> 00:17:08,319
that allowed you to just get there, or in another

282
00:17:08,359 --> 00:17:11,000
case you were able to use RDP or some

283
00:17:11,160 --> 00:17:14,640
kind of secure remote access to get there, or in

284
00:17:14,720 --> 00:17:19,119
other cases, you know maybe a USB. Right, somebody plugged

285
00:17:19,119 --> 00:17:21,240
in the USB and now you have access to that asset.

286
00:17:21,400 --> 00:17:25,039
So a lot of these scenarios are very much dependent

287
00:17:25,079 --> 00:17:28,000
on what the end user is trying to evaluate the

288
00:17:28,119 --> 00:17:32,480
risk for. So if they are, for example, heavily segmented

289
00:17:33,079 --> 00:17:39,559
and their primary mitigations are all segmentation and firewall rule based,

290
00:17:39,920 --> 00:17:42,799
then they would want to know if those firewall rules

291
00:17:42,799 --> 00:17:45,519
are working according to plan, or is the last time

292
00:17:45,559 --> 00:17:48,119
there was an exception that poked a hole in their

293
00:17:48,160 --> 00:17:52,440
firewall and now they are allowing access from level four

294
00:17:52,559 --> 00:17:57,039
to their critical networks? You know, not realizing that their

295
00:17:57,039 --> 00:18:00,160
firewall has a hole, right, or another case, as

296
00:18:00,200 --> 00:18:04,039
they might have assumed that RDP is disabled in this level

297
00:18:04,079 --> 00:18:08,440
three device in this workstation, but it is actually enabled.

298
00:18:08,480 --> 00:18:11,839
And so now suddenly someone from outside of their enterprise

299
00:18:11,920 --> 00:18:15,240
network is able to get to that level three and

300
00:18:15,279 --> 00:18:17,640
now once you're there, they could do a lot more

301
00:18:17,839 --> 00:18:21,759
right for the exploration. So reachable essentially means that you're

302
00:18:21,799 --> 00:18:24,720
able to get to a network that's of interest from

303
00:18:24,920 --> 00:18:26,680
another area. That's your starting point.

304
00:18:29,960 --> 00:18:33,920
Speaker 3: I remember a couple of episodes a year and a

305
00:18:34,000 --> 00:18:37,960
half two years ago Robin Berthier was on from Network Perception.

306
00:18:38,799 --> 00:18:42,720
He was doing, it sounded like, a bunch of similar stuff.

307
00:18:43,240 --> 00:18:46,079
He wasn't, you know, taking the I don't think they

308
00:18:46,079 --> 00:18:50,240
were taking the output of you know, Drego's tools, but

309
00:18:50,279 --> 00:18:52,599
I could be wrong. What I remember was that he

310
00:18:52,759 --> 00:18:58,480
was taking firewall configurations and putting a sort of a

311
00:18:58,559 --> 00:19:02,960
reachability what's reachable from where map together for large complex

312
00:19:02,960 --> 00:19:09,839
OT networks, and would issue alarms, would issue alerts when

313
00:19:10,400 --> 00:19:13,480
sort of reality deviated from policy. You could say, policy

314
00:19:13,599 --> 00:19:16,920
is this safety instrumented systems never talk to the Internet.

315
00:19:17,319 --> 00:19:21,359
That's a reasonable policy, And he would ingest you know,

316
00:19:21,559 --> 00:19:25,960
hundreds sometimes thousands of firewall configurations and say and router

317
00:19:26,079 --> 00:19:30,160
configurations and come back with an alert saying these three

318
00:19:30,839 --> 00:19:33,599
devices over here are safety systems and they can reach

319
00:19:33,599 --> 00:19:36,079
the Internet. So that's what he was doing. What we're

320
00:19:36,119 --> 00:19:39,400
talking about here, and what seems to me to be different,

321
00:19:39,400 --> 00:19:42,519
but I could be wrong. Is you know, we're talking

322
00:19:42,559 --> 00:19:48,000
here about pivoting paths, not only sort of network configuration,

323
00:19:48,240 --> 00:19:52,519
not not just reachable, not not just reachability, but the

324
00:19:52,640 --> 00:19:54,319
difficulty of pivoting as well.

325
00:19:55,279 --> 00:19:58,680
Speaker 2: Yeah, and is the reason why pivoting becomes relevant in

326
00:19:58,720 --> 00:20:02,759
a discussion about PLC security because these devices make for

327
00:20:02,839 --> 00:20:06,839
such efficient means of you know, they connect your maybe

328
00:20:07,000 --> 00:20:11,680
let's say lesser IT assets to more important safety critical systems.

329
00:20:11,720 --> 00:20:14,119
So PLCs sort of seem like a natural point at

330
00:20:14,119 --> 00:20:15,599
which an attacker would move through.

331
00:20:16,960 --> 00:20:17,319
Speaker 1: Sort of.

332
00:20:17,839 --> 00:20:21,799
Speaker 3: PLCs tend to be the targets of pivoting attacks in

333
00:20:21,920 --> 00:20:25,000
ot sophisticated attacks, because they're the ones that control the

334
00:20:25,000 --> 00:20:27,400
physical world. You want to reach the PLC to cause

335
00:20:27,440 --> 00:20:33,559
it to misoperate the physical process. Pivoting through PLCs is

336
00:20:34,079 --> 00:20:37,400
possible in theory, and it's you know a little bit

337
00:20:37,440 --> 00:20:40,000
more possible in practice when the PLC is based on

338
00:20:40,160 --> 00:20:42,759
a popular operating system, like a stripped down Windows or

339
00:20:42,799 --> 00:20:45,640
a stripped down Linux. But a lot of PLCs are

340
00:20:45,880 --> 00:20:48,880
just weird. They just you know, their operating system, their

341
00:20:48,920 --> 00:20:53,160
code does one thing, it does the PLC thing. In theory,

342
00:20:53,400 --> 00:20:56,119
you could break into the PLC and give it new code.

343
00:20:56,599 --> 00:20:59,039
But you know, if I want to, if I want

344
00:20:59,039 --> 00:21:01,160
to pivot through a PLC to a Windows device,

345
00:21:01,160 --> 00:21:02,440
what am I going to? How am I going to

346
00:21:02,559 --> 00:21:04,160
you know, get into the Windows device? I might want

347
00:21:04,160 --> 00:21:07,519
to get into remote desktop. There is no remote desktop

348
00:21:07,559 --> 00:21:12,119
client on a PLC, it doesn't exist. And so pivoting

349
00:21:12,160 --> 00:21:16,440
through PLCs, you the attacker might, depending on the version

350
00:21:16,440 --> 00:21:18,599
of the PLC, might have to do an enormous amount

351
00:21:18,799 --> 00:21:22,119
more work to get pivoted through a PLC. And so

352
00:21:22,160 --> 00:21:24,279
if the only way into a let's say a safety

353
00:21:24,279 --> 00:21:29,359
system target is, you know, a really critical system, is

354
00:21:29,400 --> 00:21:32,839
to pivot through three different PLCs pivoting through firewalls each time,

355
00:21:32,880 --> 00:21:37,319
you know, that's going to be really hard to do. Whereas,

356
00:21:37,759 --> 00:21:42,480
if you know, I remember a presentation from from Dale

357
00:21:42,480 --> 00:21:48,000
Peterson at S four last year year before, where he

358
00:21:48,039 --> 00:21:50,160
you know, he was talking about network segmentation. He says,

359
00:21:50,519 --> 00:21:53,559
you know, network segmentation. Firewalls are almost always the second

360
00:21:53,559 --> 00:21:57,000
thing that you know, industrial sites do to to launch

361
00:21:57,039 --> 00:21:59,799
their security program. And I'm going, excuse me, excuse me,

362
00:21:59,839 --> 00:22:04,000
what second thing? What's the first thing? I thought firewalls

363
00:22:04,000 --> 00:22:06,359
were the first thing everybody does. Andrew, he says, the

364
00:22:06,359 --> 00:22:10,880
first thing is to take the passwordless HMI off of

365
00:22:10,920 --> 00:22:13,119
the Internet. That's the first thing you have to do.

366
00:22:13,119 --> 00:22:17,400
When I'm going, yep, you're right. And a tool like this,

367
00:22:18,039 --> 00:22:21,000
we'll be able to look at you and say, here's

368
00:22:21,039 --> 00:22:23,599
my network. If I want to go from the bad

369
00:22:23,640 --> 00:22:26,559
guys into this HMI. It's on the Internet, it has

370
00:22:26,599 --> 00:22:29,920
no password. That's your number one. It can tell you that,

371
00:22:31,359 --> 00:22:36,160
you know, not just policy, but it says you know,

372
00:22:36,160 --> 00:22:39,440
and the safety systems back there. You got to pivot

373
00:22:39,480 --> 00:22:42,599
through three PLCs. That's going to be really hard to do.

374
00:22:43,359 --> 00:22:45,880
You know, you might have some other security you might

375
00:22:45,920 --> 00:22:49,920
want to deploy in between. So this is the concept

376
00:22:49,960 --> 00:22:53,240
of pivoting that you know, I found very attractive in

377
00:22:53,640 --> 00:22:58,240
this tool measuring the difficulty an attacker from the Internet

378
00:22:58,440 --> 00:23:07,279
reaching a target inside of a defensive posture. We've had

379
00:23:08,000 --> 00:23:12,519
guests on the show talking about attack paths. You know,

380
00:23:12,720 --> 00:23:16,359
these these are tools that you know, build a model

381
00:23:16,359 --> 00:23:21,359
of the system and count all of the ways that

382
00:23:21,400 --> 00:23:25,680
an attacker can get from where they are into a

383
00:23:25,799 --> 00:23:30,000
consequence that we want to avoid. And it's not just

384
00:23:30,079 --> 00:23:33,519
count them, but evaluate. Let's call it the difficulty. I

385
00:23:33,559 --> 00:23:37,640
mean risk talks about the classic approximation for risk is

386
00:23:38,079 --> 00:23:45,440
likelihood times frequency. Sorry, likelihood times consequence or impact if

387
00:23:45,480 --> 00:23:49,480
you wish, and you know, likelihood is a really murky,

388
00:23:50,119 --> 00:23:53,799
you know, difficult concept for high consequence attacks. And so

389
00:23:53,880 --> 00:23:56,640
what a lot of people do is they substitute likelihood

390
00:23:56,640 --> 00:24:00,519
with difficulty and they try to evaluate how difficult are

391
00:24:01,000 --> 00:24:05,440
really nasty, you know, attacks with really nasty consequences. It

392
00:24:05,759 --> 00:24:09,400
sounds vaguely like you're doing this, You're you're you're talking

393
00:24:09,400 --> 00:24:14,119
about attack paths, You're talking about difficulty. You know, is

394
00:24:14,240 --> 00:24:17,200
this where you're going. The one thing you haven't mentioned

395
00:24:17,240 --> 00:24:18,079
is consequence.

396
00:24:18,880 --> 00:24:22,680
Speaker 1: Yeah, that's a good point, because we are doing something

397
00:24:22,720 --> 00:24:29,160
unique in that we are allowing a user to evaluate

398
00:24:29,519 --> 00:24:33,440
in this digital twin, this digital replica, how an adversary

399
00:24:33,920 --> 00:24:38,960
might be not only pivoting but exploiting different components to

400
00:24:39,000 --> 00:24:42,240
get to their crown jewels, right. The way we're doing

401
00:24:42,240 --> 00:24:46,799
that is showcasing different views of TTPs that are well

402
00:24:46,839 --> 00:24:49,720
documented with all the IOCs and the threat intel that

403
00:24:49,799 --> 00:24:55,039
we aggregated. So if it's a power customer, for example,

404
00:24:55,160 --> 00:24:58,880
they could use a Volt Typhoon view to see how

405
00:24:58,960 --> 00:25:03,200
a Volt Typhoon actor might be able to leverage you know,

406
00:25:03,279 --> 00:25:11,079
initial access to credential exploitation, to other kind of exploits

407
00:25:11,079 --> 00:25:14,839
within the environment. And there might be a manufacturing customer

408
00:25:14,839 --> 00:25:18,240
with a whole different set of interesting TTPs that they

409
00:25:18,240 --> 00:25:22,079
want to evaluate. But the idea behind this is you

410
00:25:22,319 --> 00:25:25,920
figure out what the generally documented TTPs are for

411
00:25:25,960 --> 00:25:30,279
a certain type of adversary and how they might go

412
00:25:30,319 --> 00:25:33,000
about from you know, your your starting point which is

413
00:25:33,079 --> 00:25:37,880
initial access or the starting point of your of your

414
00:25:37,880 --> 00:25:40,640
threat analysis, to all the way to the crown jewels.

415
00:25:41,079 --> 00:25:44,160
And in doing so, you're making assumptions, right because you

416
00:25:44,160 --> 00:25:46,960
know we're not in this production environment, we're not actually

417
00:25:47,000 --> 00:25:51,519
exploiting something, but you're evaluating the different scenarios where you say, okay,

418
00:25:52,079 --> 00:25:55,680
I have this Windows workstation and I'm going to use

419
00:25:55,799 --> 00:25:59,039
RDP, right, I'm going to exploit something there. What

420
00:25:59,119 --> 00:26:02,799
if RDP was just so these days, people have some

421
00:26:02,880 --> 00:26:05,839
data sets where they can export from an EDR tool

422
00:26:05,880 --> 00:26:10,160
and provide open ports and services. Right. Then we know,

423
00:26:10,240 --> 00:26:12,920
for example, upfront that you know some of these services

424
00:26:13,039 --> 00:26:16,680
like SMB or whatever that you think is typically exploited

425
00:26:16,680 --> 00:26:20,759
by the TTP or the threat actor of choice or

426
00:26:20,839 --> 00:26:24,519
interest is exploiting and you disable that, you now know

427
00:26:24,640 --> 00:26:27,839
that at least that path is closed. Right. In other cases,

428
00:26:28,680 --> 00:26:32,119
the attack path might show three or four different types

429
00:26:32,119 --> 00:26:36,440
of exploits to be able to get to that crown

430
00:26:36,559 --> 00:26:40,680
jewel or the crown jewel network. Then you know that

431
00:26:40,680 --> 00:26:44,680
that layer of difficulty or the complexity the daisy chaining

432
00:26:44,799 --> 00:26:48,880
is much higher compared to another network or another attack

433
00:26:48,920 --> 00:26:54,640
path that is trivial. Right, So it uses native credentials

434
00:26:54,680 --> 00:26:57,720
and it only takes one hop in the attack path

435
00:26:57,759 --> 00:27:00,880
to get to that asset or network. Then you know,

436
00:27:01,119 --> 00:27:05,079
for example, that the previous one was more complex to

437
00:27:05,200 --> 00:27:07,519
even get to. Right. But the end of the day,

438
00:27:08,319 --> 00:27:11,680
all this conversation so far is about you know how

439
00:27:11,720 --> 00:27:15,240
difficult it is to get to that crown jewel network or

440
00:27:15,279 --> 00:27:18,720
the crown jewel asset, right, not talking about what the attacker

441
00:27:18,799 --> 00:27:21,279
might do once they get there, because that part is

442
00:27:21,359 --> 00:27:26,519
the impact or the consequence here we actually have a

443
00:27:26,519 --> 00:27:31,279
an automatic assessment based on the types of PLCs or

444
00:27:31,359 --> 00:27:33,799
types of controllers or the types of assets we see

445
00:27:33,799 --> 00:27:37,440
in general, based on our threat intel and our initial assessment.

446
00:27:37,839 --> 00:27:40,119
But an end user that's running this tool or a

447
00:27:40,119 --> 00:27:43,599
consultant that's running this tool can adjust them, right, So

448
00:27:43,640 --> 00:27:46,000
there's a manual way for them to say, Hey, this

449
00:27:46,160 --> 00:27:49,559
network is of a higher priority for me compared to

450
00:27:49,599 --> 00:27:54,480
this other network. Show me what the impact of getting

451
00:27:54,519 --> 00:27:57,359
to this network is for me, because this is higher

452
00:27:57,359 --> 00:28:01,519
for me. So to be fair, we're not doing quantification

453
00:28:01,640 --> 00:28:05,680
yet in this In this tool, we're limiting ourselves at

454
00:28:05,680 --> 00:28:09,559
the moment to how easy or difficult it is to

455
00:28:09,599 --> 00:28:12,759
get to a particular crown jewel network and what the

456
00:28:13,319 --> 00:28:16,440
adversary might be able to do in that kind of

457
00:28:16,480 --> 00:28:21,799
a network. Right. So it's one of those interesting aspects

458
00:28:21,839 --> 00:28:25,400
of that analysis where you're not doing the analysis of

459
00:28:25,440 --> 00:28:27,720
what an attacker would do once they get to a

460
00:28:27,759 --> 00:28:30,920
crown jewel because that's a whole different model game compared

461
00:28:30,960 --> 00:28:33,480
to you're trying to break the kill chain, break the

462
00:28:33,559 --> 00:28:38,559
path way before that. So you're assessing or analyzing what

463
00:28:38,599 --> 00:28:41,000
are all the attack paths and how easy or difficult

464
00:28:41,000 --> 00:28:43,759
it is to get to the crown jewels that you're

465
00:28:43,799 --> 00:28:44,440
trying to protect.

466
00:28:45,559 --> 00:28:49,559
Speaker 3: Good going. I mean, I have maintained for some time,

467
00:28:50,119 --> 00:28:51,640
you know, and it's easy for me to do because

468
00:28:51,640 --> 00:28:53,680
I'm on the outside. I don't have to do the work.

469
00:28:54,000 --> 00:28:57,799
But I've maintained for some time that risk assessments. Part

470
00:28:57,839 --> 00:29:01,480
of a risk assessment should be a description of the

471
00:29:01,519 --> 00:29:08,240
simplest attack or three that remain credible threats in the

472
00:29:08,279 --> 00:29:12,160
defensive posture, you know, threats able to bring about unacceptable consequences.

473
00:29:12,160 --> 00:29:15,039
There's always a path that will let you bring about,

474
00:29:15,119 --> 00:29:17,480
you know, an attack and bring about non acceptable consequence.

475
00:29:17,480 --> 00:29:20,319
The question is how difficult it is, and so to me,

476
00:29:20,680 --> 00:29:24,440
you know, the risk assessment should include a description of

477
00:29:24,559 --> 00:29:31,400
the simplest such attack or you know, attacks plural. So

478
00:29:31,440 --> 00:29:34,039
that's that's sort of what is this kind of what

479
00:29:34,039 --> 00:29:36,079
you're doing? Can can you give me the next level

480
00:29:36,079 --> 00:29:38,960
of detail on what you're looking at and how you're

481
00:29:38,960 --> 00:29:39,920
making these decisions?

482
00:29:40,759 --> 00:29:45,519
Speaker 1: Yeah, definitely. So the problem that you described is that

483
00:29:45,839 --> 00:29:51,920
there might be some open ports or services that are vulnerable. However,

484
00:29:52,039 --> 00:29:55,160
if those ports are closed or if those services are disabled,

485
00:29:55,279 --> 00:29:57,799
then that problem is solved at least for the moment, right,

486
00:29:57,880 --> 00:30:01,759
unless there's another vulnerability discovered on the particular asset. So

487
00:30:01,799 --> 00:30:05,839
what we're doing is we're ingesting information from the various

488
00:30:05,839 --> 00:30:09,279
sources that they have. In other cases provide options to

489
00:30:09,359 --> 00:30:11,759
add that in the tool so that you have the

490
00:30:11,880 --> 00:30:15,200
context for information as to what attacks are possible with

491
00:30:15,359 --> 00:30:19,279
what's relevant in that environment. Right. And in the past

492
00:30:19,279 --> 00:30:24,559
people did this using questionnaires, asking people or evaluating subject

493
00:30:24,640 --> 00:30:27,839
matter experts, you know, using a tabletop or something like that.

494
00:30:28,240 --> 00:30:31,680
But the beauty of our Frenos platform is that you're

495
00:30:31,680 --> 00:30:34,599
actually able to do this in an automated fashion and

496
00:30:34,680 --> 00:30:38,960
at scale, because if you have, like a typical customer,

497
00:30:39,119 --> 00:30:43,759
dozens of customers, end user sites, and hundreds or even

498
00:30:43,799 --> 00:30:48,759
thousands of networks, you're not actually able to analyze the

499
00:30:48,880 --> 00:30:51,839
risk of each network, of each asset down to the

500
00:30:51,920 --> 00:30:55,720
level of what's possible with the given ports and services,

501
00:30:55,799 --> 00:30:59,640
or installed software or not installed software in that environment, right,

502
00:31:00,160 --> 00:31:03,799
But if you're able to ingest all this information right

503
00:31:03,839 --> 00:31:08,240
from the IP addresses and different types of assets, the

504
00:31:08,279 --> 00:31:12,000
vulnerabilities tied to them, to the ports and services that

505
00:31:12,039 --> 00:31:15,240
are enabled or disabled, or in other cases, you know,

506
00:31:15,680 --> 00:31:20,480
making an exception to say I'm disabling this using some

507
00:31:20,599 --> 00:31:25,119
kind of application whitelisting or some kind of segmentation, all

508
00:31:25,200 --> 00:31:29,039
the information at scale can be analyzed and you can

509
00:31:29,079 --> 00:31:33,400
get a view that shows a realistic and more or

510
00:31:33,519 --> 00:31:37,559
less validated attack path versus someone that's just looking at

511
00:31:37,599 --> 00:31:41,000
a piece of paper or a complex network in a

512
00:31:41,039 --> 00:31:44,480
manual fashion. So this is where I think the big

513
00:31:44,519 --> 00:31:48,920
difference is in that we're looking at the attack complexity

514
00:31:49,000 --> 00:31:53,000
and the attack path at scale with whether it's tens

515
00:31:53,519 --> 00:31:56,799
of sites or thousands of networks, and able to decipher

516
00:31:56,839 --> 00:32:01,599
what the context is for exploitation or just lateral

517
00:32:01,759 --> 00:32:05,240
movement or whatever the path might be to get to

518
00:32:05,240 --> 00:32:05,960
your crown jewels.

519
00:32:06,920 --> 00:32:09,160
Speaker 3: So you've mentioned a couple of times at scale. You've mentioned,

520
00:32:09,200 --> 00:32:12,160
you know, a couple of times, the potential for ingesting

521
00:32:12,160 --> 00:32:15,920
information about a lot of assets and networks. You know,

522
00:32:16,039 --> 00:32:20,920
the asset inventory tools out there produce that knowledge already.

523
00:32:21,000 --> 00:32:24,759
I'm guessing you your interface with them. Can you talk

524
00:32:24,799 --> 00:32:27,279
about about that? How do you get data? How do

525
00:32:27,319 --> 00:32:29,880
you get the data about the system that you're going

526
00:32:29,880 --> 00:32:30,680
to analyze.

527
00:32:31,160 --> 00:32:35,480
Speaker 1: Yeah, we definitely can ingest information from a variety of sources,

528
00:32:35,799 --> 00:32:40,920
So the platform can ingest information offline. So drag and

529
00:32:41,000 --> 00:32:44,559
drop a CSV or an Excel file or any kind

530
00:32:44,559 --> 00:32:47,240
of spreadsheet, and we also have API hooks to be

531
00:32:47,279 --> 00:32:51,359
able to automatically ingest information from the likes of Dragos

532
00:32:51,400 --> 00:32:54,599
and Nozomi, Claroty, which are the OT security product vendors.

533
00:32:54,880 --> 00:32:59,000
We can also ingest information from CMDBs or any kind

534
00:32:59,000 --> 00:33:02,640
of centralized data repositories like Rapid7 or runZero,

535
00:33:02,759 --> 00:33:08,160
Tenable. In other cases, the customers might have just

536
00:33:08,319 --> 00:33:11,440
spreadsheets from the last time they did a site walk, we can

537
00:33:11,599 --> 00:33:16,440
ingest that too, so we're not restricted on ingesting any

538
00:33:16,440 --> 00:33:19,319
specific type of format. We have a command line tool

539
00:33:19,359 --> 00:33:23,359
that can ingest other sources as well. But the basis

540
00:33:23,400 --> 00:33:27,160
the digital twin starts with the firewall and the config file,

541
00:33:27,279 --> 00:33:30,599
So we ingest information from the likes of Fortinet, Cisco,

542
00:33:30,759 --> 00:33:35,160
Palo Alto, you name it, then ingest information from these

543
00:33:35,240 --> 00:33:37,880
IT or OT tools. At the end of the day,

544
00:33:37,960 --> 00:33:41,519
the more information that's provided, the fidelity of the data

545
00:33:41,559 --> 00:33:45,359
is higher. But the beauty of the platform is that

546
00:33:45,480 --> 00:33:48,640
if you don't have any kind of information, we can not

547
00:33:48,680 --> 00:33:54,839
only create mitigating controls and options within the platform. But

548
00:33:55,279 --> 00:33:58,839
we also built an extension of the Frenos platform called

549
00:33:58,960 --> 00:34:04,519
optica where you can quickly leverage existing templates for example,

550
00:34:04,640 --> 00:34:09,159
debt servers or Cisco routers or Rockwell PLCs. Within a

551
00:34:09,239 --> 00:34:11,119
few minutes, you can drag and drop and build a

552
00:34:11,159 --> 00:34:15,960
template which you can then import into Frenos to replicate what might be

553
00:34:16,079 --> 00:34:20,000
in the system already. So long story short, any kind

554
00:34:20,039 --> 00:34:23,840
of asset information, abound information out there, we can ingest

555
00:34:24,119 --> 00:34:26,800
and if there is none or there's limited visibility in

556
00:34:26,840 --> 00:34:31,519
certain sections or location, we can build something that's very

557
00:34:31,559 --> 00:34:34,519
similar so that the customers can have a feel for

558
00:34:34,920 --> 00:34:37,679
what the risk is in a similar environment.

559
00:34:38,440 --> 00:34:40,719
Speaker 3: And you mentioned a couple of times I remember here

560
00:34:40,760 --> 00:34:43,880
compensating controls. I mean the compensating control everybody talks about

561
00:34:44,039 --> 00:34:47,000
is more firewall rules, more firewalls, more firewall rules, keep

562
00:34:47,000 --> 00:34:49,320
the bad guys away from the vulnerable assets that we

563
00:34:49,400 --> 00:34:52,239
can't patch because you know, we can't afford to shut

564
00:34:52,280 --> 00:34:57,239
everything down and test everything again. Can you talk about

565
00:34:57,559 --> 00:35:01,039
compensating controls. What other kinds of compensating controls might

566
00:35:01,239 --> 00:35:02,639
your your system recommend.

567
00:35:03,320 --> 00:35:06,320
Speaker 1: That's a great question because, as we were discussing earlier

568
00:35:06,360 --> 00:35:09,559
in OT not everything is fixable because a patch might

569
00:35:09,599 --> 00:35:11,880
not be available or an outage window is

570
00:35:11,920 --> 00:35:16,039
not available, right, So historically most people have used a

571
00:35:16,039 --> 00:35:20,800
combination of allow listing or deny listing or some kind

572
00:35:20,800 --> 00:35:24,280
of ports and services disabled or you know, to your point,

573
00:35:24,360 --> 00:35:29,079
firewall rules and segmentation have a place in that as well. Overall,

574
00:35:29,480 --> 00:35:31,960
the key is to figure out what the attack path

575
00:35:32,079 --> 00:35:34,760
is and in how or which fashion you can make

576
00:35:34,800 --> 00:35:39,400
that attack path break. Right. So, if the consideration is from

577
00:35:39,760 --> 00:35:43,599
level four through a DMZ or firewall, and the firewall

578
00:35:43,679 --> 00:35:46,639
rule was any any or something that was allowing you know,

579
00:35:46,719 --> 00:35:50,159
too much, maybe too many protocols or something that can

580
00:35:50,239 --> 00:35:53,480
be disabled, you can start there as a preference. Right.

581
00:35:53,880 --> 00:35:57,480
If that's not possible, or if that's not a project,

582
00:35:57,519 --> 00:36:01,320
you can take the next thing could be leveraging this

583
00:36:01,480 --> 00:36:05,880
kind of SMB or other exploit at that level three

584
00:36:05,960 --> 00:36:09,360
device before going to level two. Let's look at what

585
00:36:09,480 --> 00:36:14,159
this service was on that particular asset, right, so you

586
00:36:14,159 --> 00:36:17,199
can disable that. So within the tool, we built in

587
00:36:17,440 --> 00:36:22,519
almost twenty or so different options for combinations of all

588
00:36:22,559 --> 00:36:26,280
these compensating controls that are historically used in OT right,

589
00:36:26,320 --> 00:36:29,039
So it could be a combination of a firewall rule

590
00:36:29,159 --> 00:36:33,440
or service or port disabled, or in other cases it

591
00:36:33,480 --> 00:36:38,119
could be disconnecting them to put in a different segment. Again,

592
00:36:38,199 --> 00:36:40,800
this is not new, right, This is how historically OT

593
00:36:41,119 --> 00:36:44,159
has been able to mitigate some of the risk. We're

594
00:36:44,280 --> 00:36:46,880
just bringing that to the forefront to see or show

595
00:36:46,920 --> 00:36:49,400
you what other things can be done to break the

596
00:36:49,559 --> 00:36:54,119
attack path versus strictly talking about vulnerability management and fixing

597
00:36:54,199 --> 00:36:56,840
the problem by applying a patch, which is not practical.

598
00:36:56,880 --> 00:37:04,559
Speaker 3: As we talked about, compensating controls are tricky. Maybe we

599
00:37:04,639 --> 00:37:08,039
identify a vulnerability, a weakness in a defensive posture. There's

600
00:37:08,039 --> 00:37:11,119
a new vulnerability announced from some piece of software that

601
00:37:11,159 --> 00:37:14,119
we use on some PLC or safety system or who

602
00:37:14,119 --> 00:37:18,000
knows what, you know, deep into our architecture. You know,

603
00:37:18,280 --> 00:37:20,159
the what do we do about that? Is an open

604
00:37:20,280 --> 00:37:25,280
is a question everybody asks sort of the consensus that's

605
00:37:25,280 --> 00:37:29,039
building up is that, you know, if that system is

606
00:37:29,079 --> 00:37:33,039
exposed to attack, then we have to put compensating measures in.

607
00:37:33,320 --> 00:37:36,760
If it's not exposed, or if it's you know, really

608
00:37:36,840 --> 00:37:40,400
hard to reach, maybe we don't need to change anything

609
00:37:40,440 --> 00:37:43,079
in the short term until our next opportunity to do

610
00:37:43,119 --> 00:37:45,320
an upgrade or you know, a planned outage or something.

611
00:37:47,840 --> 00:37:50,239
And a tool like this one like the Frenos tool

612
00:37:51,079 --> 00:37:53,280
is one that can tell us how reachable is it,

613
00:37:53,320 --> 00:37:57,519
how exposed is this Compare that to our risk tolerance.

614
00:37:57,719 --> 00:38:00,440
Are we running a passenger rail switching system? Are we

615
00:38:00,519 --> 00:38:04,599
running a small bakery? You know, different levels of exposure

616
00:38:04,639 --> 00:38:09,719
are acceptable in different circumstances, So you know, having the

617
00:38:09,760 --> 00:38:12,480
tool give us a sense of how exposed we are

618
00:38:12,559 --> 00:38:16,280
is useful in making that decision are we going to

619
00:38:16,280 --> 00:38:18,360
patch or not? And if we have to do something,

620
00:38:18,519 --> 00:38:21,400
it's useful to have a list of compensating controls and

621
00:38:21,440 --> 00:38:24,400
sort of the list that I heard they go through,

622
00:38:24,440 --> 00:38:25,920
but you know they're probably going to add to this

623
00:38:25,960 --> 00:38:29,400
if they haven't already. You can change permissions. If you've

624
00:38:29,400 --> 00:38:32,320
got a file server that sharing files is the problem

625
00:38:32,320 --> 00:38:34,360
and the bad guys can put a nasty on the fileserver,

626
00:38:34,480 --> 00:38:38,000
change permissions so that you know it's harder to do that.

627
00:38:39,039 --> 00:38:44,519
Turn off services programs that are running on you know,

628
00:38:44,559 --> 00:38:47,960
Windows ships with I don't know seventy three services running

629
00:38:49,280 --> 00:38:52,760
most you know, industrial systems don't need all of these services.

630
00:38:52,800 --> 00:38:54,960
They would have been nice to turn them off ages

631
00:38:54,960 --> 00:38:56,639
ago if you haven't already turned them off. And there's

632
00:38:56,639 --> 00:38:58,760
a vulnerability in one of these services and you're pretty

633
00:38:58,760 --> 00:39:00,559
sure you're not using it, you can turn it off.

634
00:39:01,519 --> 00:39:05,480
Add firewall rules that make it harder to reach the system.

635
00:39:05,519 --> 00:39:08,760
Add firewall rules that say, fine, if I need to

636
00:39:08,800 --> 00:39:11,840
reach the system for some of the services, but I

637
00:39:11,840 --> 00:39:15,039
don't think I ever need to reach this service from

638
00:39:15,039 --> 00:39:17,000
the outside, even if I need to use it on

639
00:39:17,079 --> 00:39:20,519
the inside. Add a firewall rule that blocks access to

640
00:39:20,639 --> 00:39:27,119
that service on that host from the outside. None of

641
00:39:27,119 --> 00:39:31,079
this is easy. Every change you make to an important system,

642
00:39:31,280 --> 00:39:33,039
you have you know, the engineering team has to ask

643
00:39:33,079 --> 00:39:35,360
the question, is this how likely is it that I'm

644
00:39:35,440 --> 00:39:37,519
messing stuff up here? How likely is it that I'm

645
00:39:37,519 --> 00:39:40,880
introducing a problem that's gonna that's going to bite me

646
00:39:40,960 --> 00:39:43,320
with a really serious consequence? You know, how likely is

647
00:39:43,320 --> 00:39:46,079
it that the cure is worse than the disease here?

648
00:39:46,719 --> 00:39:50,719
So compensating controls aren't easy. But you know, what I

649
00:39:50,760 --> 00:39:54,679
see this tool doing is giving us more information about

650
00:39:55,280 --> 00:39:58,159
the you know, the the we've got a vulnerable system,

651
00:39:58,239 --> 00:40:01,119
about how reachable is that vulnerable system. What are the

652
00:40:01,159 --> 00:40:03,480
paths that will you know, that are easiest to get

653
00:40:03,519 --> 00:40:06,119
to that vulnerable system if I can you know, turn

654
00:40:06,159 --> 00:40:08,880
off I don't know remote desktop halfway through the attack

655
00:40:09,000 --> 00:40:12,079
path and make the attack that much more difficult. Now

656
00:40:12,119 --> 00:40:14,239
you have to go through I don't know, PLCs instead

657
00:40:14,239 --> 00:40:18,840
of Windows boxes. That's that's useful knowledge. This is all

658
00:40:18,960 --> 00:40:22,239
useful knowledge. We need as much ammunition as we can

659
00:40:22,280 --> 00:40:25,519
get when we're making these difficult decisions about shoot. I

660
00:40:25,599 --> 00:40:28,199
have to change the system to make it less vulnerable.

661
00:40:28,719 --> 00:40:35,199
What am I going to change without breaking something? Well,

662
00:40:35,239 --> 00:40:37,519
thank you so much for joining us, Vivek. Before I

663
00:40:37,599 --> 00:40:39,519
let you go, can I ask can you sum up

664
00:40:39,519 --> 00:40:42,159
for our listeners? You know, what are the most important

665
00:40:42,199 --> 00:40:44,679
points to take away from this new technology?

666
00:40:45,440 --> 00:40:45,639
Speaker 1: You know?

667
00:40:45,679 --> 00:40:47,760
Speaker 3: And I don't know what can they do next?

668
00:40:48,639 --> 00:40:50,960
Speaker 1: The quick summary is we're trying to solve a problem

669
00:40:51,039 --> 00:40:54,760
that's been around for a decade plus. Lots of customers

670
00:40:54,920 --> 00:40:58,000
do not have a risk assessment in place. They're not

671
00:40:58,119 --> 00:41:01,320
quite sure where they stand currently, so some of them

672
00:41:01,320 --> 00:41:04,199
are early in their journey with this lack of information.

673
00:41:05,159 --> 00:41:07,119
They still need to figure out where they have to

674
00:41:07,159 --> 00:41:10,239
invest their next dollar or next hour of resource and

675
00:41:10,280 --> 00:41:13,159
the other cases. They had spent the past three or

676
00:41:13,199 --> 00:41:16,440
five years in developing an OT security program, A lot

677
00:41:16,519 --> 00:41:20,159
of information available, lots of alerts, but again they're not

678
00:41:20,239 --> 00:41:24,119
so sure how they are compared to maybe their industry peers,

679
00:41:24,320 --> 00:41:27,079
or how they are compared to you know, where they

680
00:41:27,119 --> 00:41:30,519
should be in their security posture management. So what Frenos

681
00:41:30,639 --> 00:41:33,679
is able to do is to both leverage their existing

682
00:41:33,760 --> 00:41:39,119
data sets and missing information by providing something that's a

683
00:41:39,280 --> 00:41:43,079
replica of their environment showcase where they should be focusing

684
00:41:43,119 --> 00:41:47,400
on in terms of breaking the attack paths, highlighting not

685
00:41:47,679 --> 00:41:50,400
just where they currently stand, but also where they were

686
00:41:50,679 --> 00:41:54,800
compared to yesterday. So overall, this is what most executives

687
00:41:54,800 --> 00:41:58,280
I've been asking before investing in OT security. Where do

688
00:41:58,320 --> 00:42:01,679
we stand currently? How good are we compared to an

689
00:42:01,679 --> 00:42:07,400
existing known attack vector or campaign if you will, And

690
00:42:07,480 --> 00:42:11,440
then how good can we be currently as in today?

691
00:42:11,719 --> 00:42:15,159
Because the risks are not staying constant, so how do

692
00:42:15,199 --> 00:42:17,360
we keep up with them? So the outcome of the

693
00:42:17,360 --> 00:42:20,760
Frenos platform is both a point in time assessment if

694
00:42:20,760 --> 00:42:24,920
you like, and also continuous posture management because you're able

695
00:42:24,920 --> 00:42:28,800
to validate what compensating controls and preventive measures that

696
00:42:28,920 --> 00:42:32,679
you are deploying or implementing and if they're going well

697
00:42:32,800 --> 00:42:36,519
or not. So conclusion is that we are a security,

698
00:42:36,519 --> 00:42:40,079
posture management and visibility company that's able to bring out

699
00:42:40,559 --> 00:42:43,320
the best in your existing data sets and provide your

700
00:42:43,360 --> 00:42:46,719
gaps and the gap analysis and help you figure out

701
00:42:47,000 --> 00:42:50,519
where to invest your next dollar or resource on what

702
00:42:51,559 --> 00:42:55,760
site or what location And if you like to know more,

703
00:42:55,920 --> 00:42:59,320
hit me up on LinkedIn. My email is vivek at

704
00:42:59,320 --> 00:43:01,960
frenos dot io, or happy to connect with you on

705
00:43:02,000 --> 00:43:05,760
LinkedIn to take it from there. To learn more information,

706
00:43:06,199 --> 00:43:08,679
hit up our website, frenos dot io,

707
00:43:08,800 --> 00:43:11,239
as well. You'll see all the information about our current

708
00:43:11,320 --> 00:43:14,559
use cases, the different products and services we have to

709
00:43:14,639 --> 00:43:17,280
offer. So looking forward to connecting with more of you.

710
00:43:21,000 --> 00:43:23,519
Speaker 2: Andrew. That just about does it for your interview with

711
00:43:23,599 --> 00:43:26,639
Vivek Panada. Do you have any final word to take

712
00:43:26,719 --> 00:43:27,440
us out with today?

713
00:43:28,079 --> 00:43:32,400
Speaker 3: Yeah. You know, this topic is timely, the topic of

714
00:43:33,440 --> 00:43:36,199
risk based decision making. I mean NIS2 is coming

715
00:43:36,239 --> 00:43:40,119
into effect in a lot of countries in Europe. The

716
00:43:40,760 --> 00:43:43,840
regulation in every country is different, but the directive says

717
00:43:44,000 --> 00:43:48,480
you have to be making risk based decisions. And I'm sorry.

718
00:43:48,480 --> 00:43:52,079
A risk assessment is, you know, should be much more

719
00:43:52,119 --> 00:43:55,079
than a list of unpatched vulnerabilities. A list of unpatched

720
00:43:55,119 --> 00:43:58,480
vulnerabilities does not tell you how vulnerable you are. It's

721
00:43:58,599 --> 00:44:01,360
just a list of vulnerabilities. To figure out how much

722
00:44:01,400 --> 00:44:03,639
trouble you're in, you need a lot more information. You

723
00:44:03,679 --> 00:44:06,800
need information about, you know, which assets are most critical.

724
00:44:06,840 --> 00:44:11,599
You need information about how reachable are those critical assets

725
00:44:11,639 --> 00:44:16,760
for your adversaries. And you know, when new vulnerabilities are

726
00:44:16,760 --> 00:44:23,039
announced, arise that simplify the pivoting path, that simplify reachability

727
00:44:23,239 --> 00:44:26,960
of a critical asset for your adversaries. You need advice

728
00:44:27,000 --> 00:44:29,760
as to you know, that's what you need to fix next,

729
00:44:30,360 --> 00:44:33,239
and here are your options for fixing that. So I

730
00:44:33,280 --> 00:44:37,880
see this kind of tools, as you know, a step

731
00:44:37,920 --> 00:44:40,159
in the right direction. This is the kind of information

732
00:44:40,280 --> 00:44:43,519
that a lot of us need in not just the

733
00:44:43,559 --> 00:44:47,039
world of NIS2, in the world of, you know, managing,

734
00:44:47,719 --> 00:44:51,800
managing risk, managing reachability. You know we've all segmented our networks.

735
00:44:51,840 --> 00:44:54,320
What does that mean? You can still reach, bang bang bang,

736
00:44:54,360 --> 00:44:58,360
pivot on through. Well, then what does that mean? This

737
00:44:58,480 --> 00:45:01,239
kind of tool tells us what that means. It gives

738
00:45:01,280 --> 00:45:07,840
us deeper visibility into reachability and vulnerability of the critical

739
00:45:07,840 --> 00:45:13,239
assets you know, risk opportunity to attack. You know, I

740
00:45:13,320 --> 00:45:18,679
don't like the word vulnerability. Too often it means software vulnerability.

741
00:45:18,719 --> 00:45:21,599
This talks about, you know, this kind of tool exposes

742
00:45:21,719 --> 00:45:25,159
attack opportunities and tells us what to do about them.

743
00:45:25,199 --> 00:45:27,400
So to me, that's a very useful thing to do.

744
00:45:28,199 --> 00:45:28,440
Speaker 1: Well.

745
00:45:28,440 --> 00:45:31,000
Speaker 2: Thank you to Vivek for highlighting all of that for us.

746
00:45:31,000 --> 00:45:33,159
And Andrew, as always, thank you for speaking with me.

747
00:45:33,719 --> 00:45:35,039
Speaker 3: It's always a pleasure. Thank you.

748
00:45:35,639 --> 00:45:39,719
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

749
00:45:39,719 --> 00:45:41,639
to everyone out there listening.

