1 00:00:05,599 --> 00:00:08,919 Speaker 1: We use a reactive AI in our methodology to actually 2 00:00:08,919 --> 00:00:12,800 pick the right countermeasure which blocks the technique that the 3 00:00:12,839 --> 00:00:22,679 attacker is using that in that moment in time. 4 00:00:23,800 --> 00:00:28,440 Speaker 2: Welcome, Everyone's the Industrial Security Podcast. My name is Nate Nelson. 5 00:00:28,920 --> 00:00:32,000 I'm here with Andrew Ginter, the vice president of Industrial 6 00:00:32,039 --> 00:00:35,719 Security at Waterfall Security Solutions, who's going to introduce the 7 00:00:35,799 --> 00:00:39,600 subject and the guest of our show today. Andrew, how's going. 8 00:00:40,399 --> 00:00:42,960 Speaker 3: I'm very well, Thank you, Nate. Our guest today is 9 00:00:43,000 --> 00:00:46,280 Gary Southwell. He is the general manager and vice president 10 00:00:46,320 --> 00:00:50,119 at ARIA Cybersecurity Solutions, and we're going to be talking 11 00:00:50,119 --> 00:00:55,200 about AI, a new use for AI in protecting critical infrastructure. 12 00:00:55,479 --> 00:00:59,560 Speaker 2: Then, without further ado, here's your conversation with Gary Southwell. 13 00:01:02,079 --> 00:01:05,000 Speaker 3: Hello Gary, and thank you for joining us. Before we 14 00:01:05,040 --> 00:01:07,040 get started, can I ask you to, you know, say 15 00:01:07,040 --> 00:01:10,319 a few words about yourself for our listeners, and you know, 16 00:01:10,719 --> 00:01:12,400 say a few words about the good work that you're 17 00:01:12,400 --> 00:01:14,359 doing at ARIA Cybersecurity. 18 00:01:14,920 --> 00:01:17,280 Speaker 1: A little bit about me, So my background, I've been 19 00:01:17,280 --> 00:01:21,760 in cybersecurity really since the early days. I was a 20 00:01:21,799 --> 00:01:24,640 system engineer in the nineties, you know, working on some 21 00:01:24,719 --> 00:01:29,200 of the initial checkpoint deployments as firewalls. Spent a lot 22 00:01:29,200 --> 00:01:32,280 of time at Juniper Networks trying to improve the way 23 00:01:32,319 --> 00:01:36,040 we did network security with more of an intrusion detection 24 00:01:36,120 --> 00:01:40,840 prevention systems. Moved on into a company called Secon where 25 00:01:40,840 --> 00:01:44,879 we worked on adding artificial intelligence to a SIM product 26 00:01:45,079 --> 00:01:49,400 so that we could do more advanced managed detection response 27 00:01:49,439 --> 00:01:53,079 solutions for MSSPs. And really over the last seven years 28 00:01:53,079 --> 00:01:55,920 I've been here at ARIA Cybersecurity and we've really looked 29 00:01:55,959 --> 00:02:00,319 at how do we actually stop the tax that we're 30 00:02:00,319 --> 00:02:03,239 seeing in the news. And if you date back, you 31 00:02:03,280 --> 00:02:05,319 know the attacks we're talking about are the ones that 32 00:02:05,359 --> 00:02:09,599 are really going after the critical assets that are out there, 33 00:02:09,840 --> 00:02:13,680 everything from the colonial pipeline on. We want to make 34 00:02:13,719 --> 00:02:16,680 sure that we've got a better way to actually go 35 00:02:16,800 --> 00:02:20,800 in utilize the artificial intelligence properly to find and stop 36 00:02:21,039 --> 00:02:22,240 these types of attacks. 37 00:02:23,439 --> 00:02:27,639 Speaker 3: Thanks for that. And our topic today is using AI 38 00:02:28,000 --> 00:02:31,280 to protect critical infrastructure. And my understanding of the way 39 00:02:31,439 --> 00:02:35,000 you know that you folks use AI is in the hosts. 40 00:02:35,080 --> 00:02:39,400 I mean, you know, outfits like Juniper and others have 41 00:02:39,680 --> 00:02:43,960 used AI in their firewalls for a long time to 42 00:02:44,159 --> 00:02:46,159 look at the messages coming to and try and figure 43 00:02:46,199 --> 00:02:48,319 out you know, do these things? Are these things attacks? 44 00:02:48,719 --> 00:02:51,439 You're doing something different? Is my understanding. You're not focused 45 00:02:51,439 --> 00:02:54,960 on the firewalls, You're focused on the hosts. So you know, 46 00:02:55,360 --> 00:02:58,400 we already have in a sense anti virus on the hosts. 47 00:02:58,439 --> 00:03:03,080 We have whitelisting on the hosts. What is the problem 48 00:03:03,199 --> 00:03:05,199 you guys are trying to solve and why isn't it 49 00:03:05,240 --> 00:03:07,680 already solved with antivirus and whitelisting. 50 00:03:08,840 --> 00:03:12,759 Speaker 1: We believe you want to actually stop the attacks at 51 00:03:12,800 --> 00:03:15,960 the point where they're actually attacking their critical applications, which 52 00:03:16,000 --> 00:03:20,479 is what drives your critical infrastructure. So the challenge with 53 00:03:20,599 --> 00:03:23,520 solutions we call these active solutions that they're going on 54 00:03:23,599 --> 00:03:26,840 the host is that if you look at traditional anti 55 00:03:26,960 --> 00:03:30,240 virus that's been around with us for twenty years, is 56 00:03:30,280 --> 00:03:35,039 that they are looking for files typically that land on 57 00:03:35,159 --> 00:03:39,280 the device and they have a known bad signature that's 58 00:03:39,319 --> 00:03:41,719 calculated off of looking at the file. You can calculate 59 00:03:41,719 --> 00:03:44,000 a hash and it comes up with a value. If 60 00:03:44,039 --> 00:03:46,840 it matches something bad that I've been told about, I 61 00:03:46,879 --> 00:03:50,639 can block it from running. It's a great concept. The 62 00:03:50,680 --> 00:03:55,759 problem is malware of all kinds, including your ransomware. The 63 00:03:55,800 --> 00:03:58,560 signatures are now polymorphic really over the last five years, 64 00:03:58,560 --> 00:04:00,639 so you get different value every time it lands on 65 00:04:00,680 --> 00:04:05,479 a different device. That approach really isn't effective anymore as 66 00:04:05,479 --> 00:04:09,080 we've entered this decade. The other approach, as you mentioned, 67 00:04:09,159 --> 00:04:13,159 is whitelisting. It kind of got a bad name because 68 00:04:13,159 --> 00:04:16,040 it's been difficult to use, But whitelisting just means, or 69 00:04:16,319 --> 00:04:20,639 we call it access control these days. Is it says 70 00:04:20,839 --> 00:04:25,199 I can delineate which application should be running on this device. 71 00:04:25,800 --> 00:04:28,879 I can check their SERTs and then make sure that 72 00:04:29,000 --> 00:04:31,360 it is that application and then allow it to run, 73 00:04:31,879 --> 00:04:36,279 and by default I'll block everything else. So these are 74 00:04:36,879 --> 00:04:39,800 good approaches if we could make them work in today's environments. 75 00:04:40,639 --> 00:04:44,240 So we start there. We were saying, we need to 76 00:04:44,279 --> 00:04:48,399 make sure that the applications, the critical applications can run, 77 00:04:48,839 --> 00:04:51,560 and anything else that would land like a file based 78 00:04:51,959 --> 00:04:56,399 malware ransomware, we're not run. That's just your very basics. 79 00:04:57,079 --> 00:04:59,839 The challenges with these zero data attacks, as I said before, 80 00:05:00,120 --> 00:05:04,160 that they can't detect detect them with signatures. So the 81 00:05:04,160 --> 00:05:08,439 industry kind of evolved over the last five years to 82 00:05:08,519 --> 00:05:12,759 looking at patterns of behavior or what we really cause. 83 00:05:12,759 --> 00:05:16,439 The industry indicators of compromise. When something bad lands on 84 00:05:16,480 --> 00:05:19,439 a device, it does this, and then this and then 85 00:05:19,439 --> 00:05:22,399 this through the kill chain, we can identify the pattern. 86 00:05:23,360 --> 00:05:24,920 Once we know the pattern, if we have a way 87 00:05:24,959 --> 00:05:28,319 to then block one of those steps, we can disable 88 00:05:28,360 --> 00:05:32,079 the attack. We call that next generation anti virus. So 89 00:05:32,199 --> 00:05:36,160 vendors like CrowdStrike, Centa one one do a really good job, 90 00:05:36,279 --> 00:05:39,839 you know with those types of approaches. However, when we 91 00:05:39,879 --> 00:05:42,959 get into what are the rest of the attacks, these 92 00:05:43,000 --> 00:05:47,040 are more sophisticated level attacks like the ones we've seen 93 00:05:47,120 --> 00:05:52,360 in the industry, starting with Solar Winds, where you've actually 94 00:05:52,399 --> 00:05:58,079 got humans behind the attacks. They may use some form 95 00:05:58,160 --> 00:06:04,600 of credential use or deposit software through a legit channel 96 00:06:04,680 --> 00:06:08,279 like they did with Solar Winds, and then they progress 97 00:06:08,279 --> 00:06:10,560 an attack once they get in, get a foothold, and 98 00:06:10,560 --> 00:06:14,000 they begin to take additional steps. So we've got a 99 00:06:14,040 --> 00:06:17,920 myriad of attacks. So bringing this back to how do 100 00:06:17,920 --> 00:06:21,319 we use AI. We want an approach that can actually 101 00:06:21,319 --> 00:06:25,639 detect the various attack techniques that are happening, and if 102 00:06:25,680 --> 00:06:30,240 they are somehow adult trading an application, trying to deposit 103 00:06:30,279 --> 00:06:33,439 a new one on the device, or you're coming in 104 00:06:33,519 --> 00:06:38,240 and using existing processes against themselves. We used to call 105 00:06:38,240 --> 00:06:42,240 those advanced persistent threats. They're more generic, very specific ones 106 00:06:42,279 --> 00:06:44,199 are like living off the land, where they're using the 107 00:06:44,199 --> 00:06:47,639 actual OS processes against the actual device. We need to 108 00:06:47,639 --> 00:06:50,000 be able to detect that and apply the right measure 109 00:06:50,079 --> 00:06:52,839 to stop that type of attack. And this is what 110 00:06:52,879 --> 00:06:55,120 we believe is the role of AI on the device. 111 00:06:55,879 --> 00:06:58,480 It's not your generative AI. Just make sure you understand 112 00:06:58,480 --> 00:07:01,560 that the typicoally needs massive horse power. This is the opposite. 113 00:07:01,600 --> 00:07:04,879 We use or reactive AI in our methodology to actually 114 00:07:04,879 --> 00:07:09,240 pick the right countermeasure which blocks the technique that the 115 00:07:09,279 --> 00:07:11,360 attacker is using in that moment in time. 116 00:07:14,560 --> 00:07:16,800 Speaker 2: Andrew, I would just like to second a lot of 117 00:07:16,800 --> 00:07:19,680 the points that Gary has made here. It feels like 118 00:07:20,199 --> 00:07:23,199 we might have crossed some sort of vague threshold in 119 00:07:23,279 --> 00:07:28,720 recent years where traditional detection antivirus has started to work 120 00:07:28,839 --> 00:07:33,240 a little bit less. I mean, as he mentioned, the 121 00:07:33,360 --> 00:07:37,160 number of variants and samples out there of your typical 122 00:07:37,199 --> 00:07:41,399 malware can get really crazy. I mean, only in recent months. 123 00:07:41,439 --> 00:07:44,839 I recall a report about mobile malware. I think this 124 00:07:45,000 --> 00:07:49,920 was published by I Forget the vendor, where you wouldn't 125 00:07:49,920 --> 00:07:55,879 think of mobile malware as necessarily quite as subject to 126 00:07:55,920 --> 00:08:00,879 security analysis as traditional PC malware, and yet so many 127 00:08:01,399 --> 00:08:05,319 malware families that target mobile devices these days have hundreds 128 00:08:05,399 --> 00:08:08,920 or thousands of samples out there. There's a malware called 129 00:08:08,959 --> 00:08:14,720 Godfather with well over a thousand nexus sedarit picks pirate. 130 00:08:16,040 --> 00:08:18,560 So those kinds of solutions that would have picked up 131 00:08:18,639 --> 00:08:24,079 based on traditional fingerprints may not suffice anymore, even in 132 00:08:24,120 --> 00:08:27,279 the mobile realm let alone PCs where we would expect it. 133 00:08:27,600 --> 00:08:31,680 And there's also the fact of he highlighted briefly their 134 00:08:31,959 --> 00:08:36,120 behavioral indicators of compromise. This to me seems like where 135 00:08:36,399 --> 00:08:41,039 cybersecurity across IT and OT has been going lately. Traditional 136 00:08:41,039 --> 00:08:45,639 indicators of compromise can help. But I recently came across 137 00:08:46,440 --> 00:08:52,399 report from Mandiant about Chinese ORB. They call them networks 138 00:08:52,919 --> 00:08:56,960 ORB being short for Operational Relay Box Networks. It's not 139 00:08:57,000 --> 00:09:01,960 an entirely new concept, but basically in China there is 140 00:09:02,000 --> 00:09:07,559 an entire economy of folks who provide infrastructure to thread 141 00:09:07,600 --> 00:09:11,440 actors across the Chinese spectrum. And so where once we 142 00:09:11,519 --> 00:09:14,840 might have been able to say, you know, look out 143 00:09:14,879 --> 00:09:17,440 for these servers they've been used by this group, well 144 00:09:17,480 --> 00:09:19,879 now those same servers are being used by all kinds 145 00:09:19,879 --> 00:09:22,320 of groups, and so it's less helpful now. So the 146 00:09:22,320 --> 00:09:26,679 way that we are adapting is by tracking behaviors of 147 00:09:26,759 --> 00:09:30,799 threat actors rather than static indicators like that. So this 148 00:09:30,919 --> 00:09:32,679 is a very long way to say that I agree 149 00:09:32,720 --> 00:09:34,159 with all of the points that CARRY has made. 150 00:09:34,480 --> 00:09:39,000 Speaker 3: Yeah, and you know you're talking about polymorphic. These our 151 00:09:39,080 --> 00:09:42,519 viruses that change frequently. Either the bad guys change them frequently, 152 00:09:42,559 --> 00:09:44,799 so there's thousands of variants out there, or they change 153 00:09:44,840 --> 00:09:48,480 themselves they sort of self evolve. So again there's thousands 154 00:09:48,480 --> 00:09:51,399 of variants out there, so that signature based solutions have 155 00:09:51,440 --> 00:09:54,720 a hard time keeping track, you know, publishing enough signatures 156 00:09:54,759 --> 00:09:58,840 fast enough to track things as they change. The traditional 157 00:09:59,480 --> 00:10:03,919 sort of alternative to signature based anti virus in the 158 00:10:03,960 --> 00:10:07,399 industrial space has been whitelisting or application control some people 159 00:10:07,440 --> 00:10:11,480 call it or allow listing. What it is is a 160 00:10:11,519 --> 00:10:16,720 list of programs that's allowed to run on your industrial 161 00:10:16,759 --> 00:10:21,240 computer and blocks everything else. So it doesn't matter what 162 00:10:21,320 --> 00:10:24,480 the latest signature of the virus is if it isn't allowed, 163 00:10:24,840 --> 00:10:26,639 if you know it's not on the list of allowed, 164 00:10:26,720 --> 00:10:32,879 then it's blocked. But you know that class of solution 165 00:10:33,200 --> 00:10:40,440 allow listing is itself limited. So for example, when you 166 00:10:40,480 --> 00:10:43,440 install software updates, you have to update the list of 167 00:10:43,480 --> 00:10:46,399 allowed applications because you've just changed a whole bunch of 168 00:10:46,399 --> 00:10:50,440 your applications. You've changed their signatures, you've changed their sizes 169 00:10:50,480 --> 00:10:54,399 and their you know, so having changed all that, that's 170 00:10:54,480 --> 00:10:56,679 a vulnerability. If the bad guys can get in there 171 00:10:56,720 --> 00:11:00,559 and hack the update process, they can get their nasty 172 00:11:00,600 --> 00:11:03,799 listed as an allowed executable and they're off to the races. 173 00:11:05,120 --> 00:11:08,879 Other ways that allow listing is is you know, limited, 174 00:11:09,320 --> 00:11:11,879 Everything is limited. I'm not knocking allow listing. It's a 175 00:11:11,919 --> 00:11:15,639 it's a useful solution, but bear in mind that you know, 176 00:11:15,799 --> 00:11:21,080 it tends to focus entirely on executable codes. So DLLs, 177 00:11:21,200 --> 00:11:25,080 dot xs, dot COM's coming off the hard drive into memory, 178 00:11:25,120 --> 00:11:29,399 and that's when they apply their checks. If your malware 179 00:11:29,480 --> 00:11:32,960 is scripted, well, i'm sorry. The Pearl dot x is 180 00:11:33,000 --> 00:11:36,080 allowed because the operating system needs it, or the the 181 00:11:36,080 --> 00:11:38,919 control system needs it. Python dot x might be allowed, 182 00:11:39,399 --> 00:11:44,000 and now you're loading a nasty as text off the drive, 183 00:11:44,240 --> 00:11:46,159 and allow listing is kind of blind to that. They 184 00:11:46,200 --> 00:11:51,120 don't really check text files. And you know another class 185 00:11:51,159 --> 00:11:54,919 of application that that are of bad stuff that you know, 186 00:11:55,000 --> 00:11:59,200 allow listing is blind to is in memory attacks. So 187 00:11:59,240 --> 00:12:01,919 if you can comprom something and start executing with a 188 00:12:01,919 --> 00:12:04,519 buffer overflow or something and start executing your own code 189 00:12:04,879 --> 00:12:12,600 and inject insert the malware into memory. Again, allow listing 190 00:12:12,720 --> 00:12:15,799 looks at things coming off the disc. It doesn't look 191 00:12:15,799 --> 00:12:19,600 at what's happening in memory. So yeah, you know we 192 00:12:19,720 --> 00:12:24,480 need as well, malware becomes more sophisticated, We need more 193 00:12:24,519 --> 00:12:29,080 sophisticated tools to diagnose it and deal with it. And 194 00:12:29,440 --> 00:12:32,039 you know, here's a new kind of tool. And these 195 00:12:32,080 --> 00:12:34,919 are some examples of why we are always looking for 196 00:12:35,080 --> 00:12:39,799 sort of the next step in these tools. You talked 197 00:12:39,840 --> 00:12:43,679 about sort of attacks that can defeat the access control 198 00:12:43,720 --> 00:12:46,240 as well. Can you go into a little more detail. 199 00:12:46,320 --> 00:12:48,320 You know, we're going to talk about AI in a second, 200 00:12:48,360 --> 00:12:51,279 but you know, can we nail down what is sort 201 00:12:51,320 --> 00:12:54,639 of a modern advanced piece of malware? 202 00:12:54,679 --> 00:12:55,399 Speaker 1: What's it look like? 203 00:12:56,159 --> 00:13:00,240 Speaker 3: And you know, can you sort of not comprehension, not 204 00:13:00,320 --> 00:13:01,840 every kind of a maount where that come after us? 205 00:13:01,840 --> 00:13:04,519 Can you give us sort of one example of the 206 00:13:04,679 --> 00:13:07,919 kind of thing that existing anti virus and access control 207 00:13:08,000 --> 00:13:08,759 might struggle with. 208 00:13:09,759 --> 00:13:12,240 Speaker 1: Let me pick one example to let the audience get 209 00:13:12,320 --> 00:13:17,399 their heads around the use of advanced malware and what 210 00:13:17,440 --> 00:13:20,240 do I mean by a sophisticated level of attack. So 211 00:13:20,679 --> 00:13:25,480 one comes to mind I mentioned a minute ago, and 212 00:13:25,519 --> 00:13:29,360 this was the type of attack that really set the 213 00:13:29,360 --> 00:13:33,559 industry kind of its ear. So I'll date myself back 214 00:13:33,600 --> 00:13:37,480 to January twenty twenty one. This is when the discovery 215 00:13:37,519 --> 00:13:40,240 of the Solar Winds attack was happening. Now, this was 216 00:13:40,279 --> 00:13:45,000 a nation state backed attack and if I step into 217 00:13:45,080 --> 00:13:48,320 it a minute, it was very very clever. The way 218 00:13:48,360 --> 00:13:52,639 they did it. It was called a sunburst attack used malware, 219 00:13:53,159 --> 00:13:56,000 but the way they decided to get in was to 220 00:13:56,120 --> 00:14:01,120 actually go into Solar Winds infestrutructure and as they were 221 00:14:01,159 --> 00:14:05,840 packaging there oryan software for an update, they actually put 222 00:14:05,879 --> 00:14:11,000 in we call a shim form of malware inside that update, 223 00:14:11,360 --> 00:14:14,960 very very small so that would go through and not 224 00:14:15,080 --> 00:14:17,360 be easily detected. You didn't want to be doubling the 225 00:14:17,360 --> 00:14:19,679 size of the update that might get picked off. So 226 00:14:19,720 --> 00:14:22,519 it was very very thin and its sole objective was 227 00:14:22,960 --> 00:14:29,759 to get in and as they orian software update was initiated, 228 00:14:30,639 --> 00:14:34,480 it would be ready to do its one task, and 229 00:14:34,559 --> 00:14:40,200 that's one task was to call back out of the 230 00:14:40,320 --> 00:14:46,440 location back to a commanding control location where the rest 231 00:14:46,440 --> 00:14:49,919 of the attack had happened. Okay, so this is very 232 00:14:50,000 --> 00:14:54,279 very small piece of malware. Actually being embedded as one 233 00:14:54,320 --> 00:14:58,039 of the tool sets inside of the Orion update was clever, 234 00:14:59,320 --> 00:15:02,000 but they also made it what would call polymorphic, so 235 00:15:02,279 --> 00:15:08,240 as it deposited inside there, it slightly modified itself so 236 00:15:08,320 --> 00:15:11,399 that if you were to calculate a signature, it would 237 00:15:11,399 --> 00:15:15,159 be slightly different for each form of deposit. This makes 238 00:15:15,159 --> 00:15:17,960 it a lot harder for us to go and say 239 00:15:18,080 --> 00:15:20,840 we can pick it off, and because it's now embedded 240 00:15:20,840 --> 00:15:23,879 to a tool set, that makes it very difficult because 241 00:15:23,919 --> 00:15:28,559 most of today's more sophisticated solutions weren't looking at that 242 00:15:28,679 --> 00:15:31,320 level trying to figure out what was happening, and it 243 00:15:31,360 --> 00:15:35,240 only really exhibited one behavior, it did a callback. What 244 00:15:35,320 --> 00:15:39,440 happened next, though, was after the callback, the attack actually 245 00:15:40,360 --> 00:15:45,200 had twelve more steps, and the callback brought in another 246 00:15:45,399 --> 00:15:49,960 form of malware, and that was more what I would 247 00:15:49,960 --> 00:15:52,000 call it the business end of the attack, so that 248 00:15:52,080 --> 00:15:56,919 had more capabilities inside of it to launch and step 249 00:15:57,000 --> 00:15:59,279 up the attack to allow it to figure out what 250 00:15:59,440 --> 00:16:02,799 was on. And then its other role was then to 251 00:16:03,639 --> 00:16:07,200 attempt to spread inside the environment if it could, and 252 00:16:07,240 --> 00:16:11,240 then pull back information and that's when humans would get 253 00:16:11,279 --> 00:16:15,240 involved and then would begin to take additional steps. So 254 00:16:15,320 --> 00:16:19,720 that's an example of polymorphic malware enabling the beginning of 255 00:16:19,759 --> 00:16:24,840 a sophisticated attack that would get by most of the 256 00:16:24,879 --> 00:16:31,480 protections we have today as an industry. So the next 257 00:16:31,519 --> 00:16:34,440 part of the attack as it began to evolve, had 258 00:16:34,519 --> 00:16:38,200 multiple steps, and one of the steps that was in 259 00:16:38,440 --> 00:16:42,679 the attack, and this was brought up in the Senate 260 00:16:42,679 --> 00:16:46,720 hearings where they brought in some of the industry leaders 261 00:16:47,200 --> 00:16:54,159 Palo Alto and CrowdStrike. Of course, Microsoft and Solar Winds 262 00:16:54,200 --> 00:16:57,399 were in the panel, and they said to them and 263 00:16:57,919 --> 00:17:02,039 they all agreed, it's like in some of the situations 264 00:17:02,080 --> 00:17:05,480 you were present on these devices when this attack was occurring. 265 00:17:06,720 --> 00:17:08,640 I'm trying to quote Marco Ruby Oakes. He asked the 266 00:17:08,720 --> 00:17:14,559 question it was reported that you were bypassed, and everyone 267 00:17:14,720 --> 00:17:17,680 in the panel said yes, that was in fact the case. 268 00:17:18,240 --> 00:17:22,960 So bypass just means that in effect, they either couldn't 269 00:17:22,960 --> 00:17:27,519 see the attack or more likely, the attackers are actually 270 00:17:27,519 --> 00:17:30,279 able to have control of the system and basically disable 271 00:17:30,359 --> 00:17:35,319 them at the task master location at least temporarily. They 272 00:17:35,319 --> 00:17:37,160 probably come back right up and boot up, but it 273 00:17:37,200 --> 00:17:39,319 then lets them get by if they're doing something else 274 00:17:39,319 --> 00:17:42,720 that they might might see an attack. So these were 275 00:17:43,400 --> 00:17:47,559 fundamentally new sets of challenges that the industry now had 276 00:17:47,559 --> 00:17:51,400 to face. That you could use basic tools like malware, 277 00:17:51,720 --> 00:17:55,759 but in the hands of sophisticated actors, they could do 278 00:17:55,799 --> 00:17:58,079 an awful lot of harm. And as we saw with 279 00:17:58,079 --> 00:18:01,119 solar winds, it went on for almost a year without 280 00:18:01,160 --> 00:18:04,400 actually being detected. It was fortunate enough that fireri actually 281 00:18:04,480 --> 00:18:07,720 saw some of their tools actually leaving their environment, and 282 00:18:07,759 --> 00:18:09,519 that was the first time that was ever picked up. 283 00:18:10,720 --> 00:18:14,279 Since then, we've had a series of similar I think 284 00:18:14,319 --> 00:18:17,960 the industry, the OT industry itself from last count had 285 00:18:18,039 --> 00:18:21,200 about seven hundred of these types of attacks actually happening, 286 00:18:21,440 --> 00:18:23,160 not all from the same actor, by the way, but 287 00:18:23,240 --> 00:18:27,359 other actors, because once the formula was figured out, sophisticated 288 00:18:27,359 --> 00:18:31,160 attackers could then utilize some of these same techniques. So 289 00:18:31,319 --> 00:18:33,759 this has been so The ones right after it were 290 00:18:33,799 --> 00:18:36,599 the colonial pipeline that was a simplified variant of what 291 00:18:36,640 --> 00:18:39,599 we just heard about, But there's other types of attacks 292 00:18:39,759 --> 00:18:40,960 that have gone over the years. 293 00:18:42,319 --> 00:18:45,200 Speaker 3: Can we talk about AIE. You know, this is the 294 00:18:45,519 --> 00:18:50,039 topic here. If we had a magic AI sitting in 295 00:18:50,079 --> 00:18:54,200 our industrial control system hosts, what would that AI do? 296 00:18:54,319 --> 00:18:56,119 How would it detect attacks like this? 297 00:18:57,039 --> 00:18:59,799 Speaker 1: Well, that's the part that's the most challenging, and that's 298 00:18:59,799 --> 00:19:02,839 why you need some form of AI. There are very 299 00:19:02,880 --> 00:19:09,680 different techniques that are being applied by the attack type. 300 00:19:10,319 --> 00:19:14,599 Some cases, it's just recognizing that there's form code that's 301 00:19:14,599 --> 00:19:19,119 appeared here. In other cases, it's like I've got to 302 00:19:19,200 --> 00:19:25,440 understand that there's an abnormal operation happening in conjunction with 303 00:19:25,519 --> 00:19:30,480 this legitimate application. There's some form I will call adulteration 304 00:19:30,640 --> 00:19:35,079 going on here. In other cases, it's the application is 305 00:19:35,160 --> 00:19:39,799 running fine, but for some reason, it's going from a 306 00:19:39,880 --> 00:19:43,880 user level trying to escalate itself to a system level 307 00:19:44,680 --> 00:19:48,319 that allows them to get control of the application. Or 308 00:19:49,160 --> 00:19:52,200 it's trying to use processes inside the OS that are 309 00:19:52,240 --> 00:19:57,599 not affiliated with an application, or it's a spoofed application 310 00:19:57,799 --> 00:20:01,680 variant that's actually trying to initiate the processes on the OS. 311 00:20:03,160 --> 00:20:05,559 Some of these. I'll bring that up. Is it came 312 00:20:05,559 --> 00:20:07,960 out in the Pool Party attacks that the last Blackhead 313 00:20:08,000 --> 00:20:12,119 in the UK. They showed eight different forms of thread 314 00:20:12,160 --> 00:20:15,920 processes that are available from the OS for the applications 315 00:20:15,960 --> 00:20:21,039 to use that attackers could easily take advantage of. So 316 00:20:21,640 --> 00:20:25,440 I've really described three different types of techniques and the 317 00:20:25,519 --> 00:20:30,039 inside there there's a variety of combinations. So this makes 318 00:20:30,079 --> 00:20:33,000 it very difficult to figure out how to stop all 319 00:20:33,720 --> 00:20:36,640 forms of attack. If I want to make sure that 320 00:20:37,359 --> 00:20:40,519 we're doing the best job we can at the host 321 00:20:40,799 --> 00:20:43,680 to stop whatever may be happening, whether it's a zero 322 00:20:43,720 --> 00:20:47,160 day form of malware or ransomware that we haven't seen before, 323 00:20:47,240 --> 00:20:50,960 we haven't seen the IOC patterns and it's trying to 324 00:20:51,000 --> 00:20:54,960 just do its thing, or it's one of these variations 325 00:20:55,000 --> 00:20:59,519 of attacks that these sophisticated typically nation state back but 326 00:20:59,559 --> 00:21:02,680 now it's a crime backed attacks that are out there. 327 00:21:02,960 --> 00:21:06,079 That these kits are out there and they can vary 328 00:21:06,119 --> 00:21:09,480 their attacks. So the AI really needs to make sure 329 00:21:09,599 --> 00:21:13,640 it's saying I can pick off what's happening, and then 330 00:21:13,759 --> 00:21:15,839 what do I do about it, just like a human would. 331 00:21:16,920 --> 00:21:23,000 I've identified it's a sophisticated attack, someone's using a privileged escalation. 332 00:21:23,279 --> 00:21:26,400 I'm going to apply this countermeasure to block it. I've 333 00:21:26,440 --> 00:21:30,960 discovered this is an interesting piece of code that's arrived 334 00:21:31,000 --> 00:21:35,880 here and I need to block it. I recognize that 335 00:21:35,920 --> 00:21:38,920 this application is no longer working the way it should. 336 00:21:39,559 --> 00:21:43,960 It's actually coppying things off into buffer spaces that it 337 00:21:44,000 --> 00:21:47,519 normally doesn't do. I need to stop that from happening 338 00:21:47,759 --> 00:21:51,880 and block that operation. Or I've got unattached processes from 339 00:21:51,920 --> 00:21:55,599 the OS that should not be running. I need to 340 00:21:55,599 --> 00:21:58,079 make sure I can block them at this moment in time. 341 00:21:58,880 --> 00:22:02,599 So this is where the AI comes into play from 342 00:22:03,240 --> 00:22:05,759 our experience here in the industry. 343 00:22:06,599 --> 00:22:09,319 Speaker 3: Okay, so let's get specific here. You know, we've been 344 00:22:09,319 --> 00:22:11,200 talking about the problem sort of in the abstract and we're 345 00:22:11,240 --> 00:22:15,160 drifting into you know, you folks have this stuff. Can 346 00:22:15,200 --> 00:22:18,279 you give us just a quick rundown? What do you have? 347 00:22:18,559 --> 00:22:19,359 How does it work? 348 00:22:19,440 --> 00:22:19,599 Speaker 1: You know? 349 00:22:19,640 --> 00:22:22,039 Speaker 3: Why do people deploy it? What are we talking about? 350 00:22:22,039 --> 00:22:25,799 Speaker 1: You? So, in our particular application of this technology is 351 00:22:26,799 --> 00:22:32,759 we built a very lightweight agent and it's different from 352 00:22:32,799 --> 00:22:36,240 your typical agents. We are going in at If you 353 00:22:36,319 --> 00:22:39,960 understand kernels, especially in the Windows environment or Linux environment 354 00:22:40,119 --> 00:22:43,519 where we play is wetach it ring zero right at 355 00:22:43,559 --> 00:22:47,599 the kernel level. The reason we do that is we 356 00:22:47,640 --> 00:22:50,519 want to see everything that's going on as far as 357 00:22:51,240 --> 00:22:56,079 processes from applications that are leveraging what's happening into the 358 00:22:56,119 --> 00:23:01,319 kernel and vice versa. The other thing that we do 359 00:23:01,480 --> 00:23:04,880 that makes us fairly unique. We actually have some patents 360 00:23:04,920 --> 00:23:08,119 on this, so we're hoping it'll stay unique is that 361 00:23:08,839 --> 00:23:14,319 we actually watch device memory continuously. This is the way 362 00:23:14,359 --> 00:23:16,960 that we can actually pick off some of these techniques 363 00:23:17,119 --> 00:23:22,599 when you've got adorable use of bupper memory, or you're 364 00:23:22,640 --> 00:23:26,920 actually seeing some process kicking off where something's being written 365 00:23:26,960 --> 00:23:30,640 over here into notepad and that's now being imported into 366 00:23:31,880 --> 00:23:36,319 the application because it's probably giving them access to some 367 00:23:36,480 --> 00:23:40,839 form of change the application that they want to leverage. 368 00:23:42,039 --> 00:23:47,359 We do that inside our agent. The markets that we've 369 00:23:47,440 --> 00:23:49,680 chosen to go after, though, you know, have a variety 370 00:23:49,799 --> 00:23:54,519 of requirements. We're typically talking about operational technology environments, and 371 00:23:54,559 --> 00:23:57,640 there's many of them. You know, if you think about manufacturing, 372 00:23:57,680 --> 00:24:00,799 we're talking about manufacturing floors. We think about utilities. We 373 00:24:00,880 --> 00:24:04,839 are in the process devices out there that have an 374 00:24:04,880 --> 00:24:08,039 OS on them that are helping them run and control 375 00:24:08,599 --> 00:24:13,200 electrical generation and distribution. You're talking about oil and gas, 376 00:24:13,279 --> 00:24:15,799 same way you're dealing with the processes. So these are 377 00:24:15,880 --> 00:24:18,920 environments we chose to go after because they are high 378 00:24:19,000 --> 00:24:23,240 value targets. As we saw what the colonial pipeline is 379 00:24:23,359 --> 00:24:27,000 a good example. When we get into these environments, we 380 00:24:27,039 --> 00:24:31,680 also find that you have got other constraints. Typically there's 381 00:24:31,759 --> 00:24:35,599 not continuous Internet connectivity. In fact, they purposely try to 382 00:24:35,599 --> 00:24:39,319 limit that as one of the protections. They often have 383 00:24:40,319 --> 00:24:43,839 limited processing power available left to anything else that's going 384 00:24:43,880 --> 00:24:46,960 to run besides the production applications. In some cases, some 385 00:24:46,960 --> 00:24:51,240 of these devices that are old or they're running what 386 00:24:51,279 --> 00:24:54,440 I would call old versions of the OS because they've 387 00:24:54,440 --> 00:24:56,799 been trying to sweat that asset for many, many years. 388 00:24:57,039 --> 00:25:00,640 You know. For example, we're deployed in a a large 389 00:25:00,640 --> 00:25:07,039 pharmaceutical around the world, and different locations will have devices 390 00:25:07,319 --> 00:25:10,880 that are in these various lines and you'll see, oh, 391 00:25:10,920 --> 00:25:13,200 I see Windows Server two thousand and eight over here. 392 00:25:14,680 --> 00:25:18,920 Some locations we actually see Windows XP typically service pack too, 393 00:25:19,000 --> 00:25:21,960 which is nice because it's got nice controls. And they're 394 00:25:22,000 --> 00:25:25,160 still using that asset because they built their applications on 395 00:25:25,240 --> 00:25:28,319 top of that, and everything just runs and in typical 396 00:25:28,359 --> 00:25:32,200 OT fashion, if it works, don't change it. And then 397 00:25:32,240 --> 00:25:37,200 their hope was let's wall off the environment using passive 398 00:25:37,200 --> 00:25:40,319 protections from the networks if we can. And yet what 399 00:25:40,359 --> 00:25:44,279 they found is supply chain attacks get around the network protections. 400 00:25:46,200 --> 00:25:51,160 So what we did is made sure that our application 401 00:25:51,359 --> 00:25:55,759 could run on these older operating systems. It could run 402 00:25:55,839 --> 00:25:59,720 with very very limited amounts of CPU and limited amounts 403 00:25:59,759 --> 00:26:06,799 of memory, so that we could perform and not impact 404 00:26:06,960 --> 00:26:10,839 the performance of the production applications. The benefit of this 405 00:26:10,960 --> 00:26:15,400 approach is that we can go on a myriad of 406 00:26:15,440 --> 00:26:21,000 these devices with many, many different forms of applications. And 407 00:26:21,039 --> 00:26:23,640 I'll go one step further here is when we're deploying 408 00:26:23,640 --> 00:26:27,720 in these environments, we expect to see tens of applications. 409 00:26:27,759 --> 00:26:30,119 In fact, in some cases we actually see upwards of 410 00:26:30,160 --> 00:26:35,359 a thousand of these applications. So our approach as we 411 00:26:35,440 --> 00:26:40,359 deploy is to prevent the adulteration of applications. One of 412 00:26:40,440 --> 00:26:44,559 the side benefits is in these environments is that when 413 00:26:44,559 --> 00:26:48,359 you have this many applications, you're going to have known 414 00:26:49,240 --> 00:26:54,440 vulnerabilities inside those applications by published by cvees, and the 415 00:26:54,559 --> 00:26:57,720 chance of for ever having in them all continuously patched 416 00:26:58,400 --> 00:27:01,440 even an IT environment is almost know and when you 417 00:27:01,480 --> 00:27:04,599 only have a chance to patch maybe once a quarter 418 00:27:04,640 --> 00:27:08,119 at the fastest and more likely in this pharmaceutical company, 419 00:27:08,160 --> 00:27:11,079 it's once a year. You're never going to be patched. 420 00:27:11,920 --> 00:27:14,880 So one of the side benefits was because we go 421 00:27:14,960 --> 00:27:21,200 in and protect these applications from adulteration, the ability to 422 00:27:21,319 --> 00:27:26,920 exploit these vulnerabilities becomes significantly less. I won't say zero, 423 00:27:27,039 --> 00:27:29,440 but we can go down to you a ninety nine 424 00:27:29,519 --> 00:27:32,519 percent chance that we are going to block the exploit 425 00:27:32,559 --> 00:27:35,640 of these applications. And this then becomes a real benefit 426 00:27:35,640 --> 00:27:41,599 because now you've dramatically improved the likelihood that we can 427 00:27:41,680 --> 00:27:46,200 keep these operations operational even during an attack because we 428 00:27:46,279 --> 00:27:50,279 will continuously block those attackers. That's the benefit. When people 429 00:27:50,319 --> 00:27:53,559 went through the risk analysis, they're saying, Okay, I can 430 00:27:53,599 --> 00:27:55,359 look at it. The cost of my line if it 431 00:27:55,359 --> 00:28:00,119 goes down for X number of hours is thousands of dollars, 432 00:28:00,400 --> 00:28:03,279 and if it goes down for a month, it's millions 433 00:28:03,279 --> 00:28:05,519 of dollars. And if you've taken down my risk by 434 00:28:05,559 --> 00:28:08,519 a factor of ninety nine percent, I can actually calculate 435 00:28:08,559 --> 00:28:11,960 a value to that. So these are the benefits that 436 00:28:11,960 --> 00:28:17,559 we're offering. No, the challenge really that is you've got 437 00:28:17,599 --> 00:28:21,319 all these applications, how do we actually make it easy 438 00:28:21,599 --> 00:28:26,839 for these operators to use this technology, so. 439 00:28:26,759 --> 00:28:28,839 Speaker 3: There was a lot of stuff there. Nate, let me 440 00:28:28,880 --> 00:28:31,759 come back to the Solar Winds example. Gary said, the 441 00:28:31,799 --> 00:28:35,000 malware came in as part of the Solar wind security updates. 442 00:28:35,039 --> 00:28:39,160 So that would have defeated the white listing the application 443 00:28:39,240 --> 00:28:41,480 control I was talking about, because it would have come 444 00:28:41,519 --> 00:28:45,480 in saying, hey, here's a new authorized executable and the 445 00:28:45,519 --> 00:28:53,279 malware had been flagged as authorized. And then what the 446 00:28:53,319 --> 00:28:56,759 malware was, you know, was something that phone home that 447 00:28:56,880 --> 00:28:58,519 called out to the Internet and said, hey, boss, I 448 00:28:58,519 --> 00:29:00,680 got a live one here, and did not much else. 449 00:29:00,920 --> 00:29:04,079 It was very thin, it was small, It was benign looking. 450 00:29:04,720 --> 00:29:07,279 A lot of malware phones home to the vendor. Not 451 00:29:07,680 --> 00:29:10,160 just malware, a lot of legit software phones home to 452 00:29:10,200 --> 00:29:12,440 the vendor and says, you know, here's what's going on, 453 00:29:12,559 --> 00:29:16,279 because the vendor is helping manage the software. So it's 454 00:29:16,279 --> 00:29:20,160 not that suspicious, you know that the malware is phoning 455 00:29:20,160 --> 00:29:24,599 out to the Internet. The alarming thing is that what 456 00:29:24,640 --> 00:29:26,920 it got on the Internet was here's another whole bunch 457 00:29:26,960 --> 00:29:30,000 of code, and it copied the code that it got 458 00:29:30,279 --> 00:29:33,559 from the Internet into memory and started executing it. And 459 00:29:33,640 --> 00:29:36,839 at that point it became dangerous. It really started doing 460 00:29:36,960 --> 00:29:41,079 nasty stuff, and so again, you know, whitelisting would have 461 00:29:41,160 --> 00:29:43,880 missed it as part of the software update, would have 462 00:29:43,960 --> 00:29:47,559 missed it as in memory, you know, pulling stuff off 463 00:29:47,559 --> 00:29:51,599 the internet or off the socket the connection out to 464 00:29:51,640 --> 00:29:54,480 the internet and inserting it into memory and starting to 465 00:29:54,480 --> 00:29:57,240 execute it. This is where we need, you know, sort 466 00:29:57,240 --> 00:30:00,319 of a deeper insight into execution so that I think 467 00:30:00,319 --> 00:30:03,920 that one example sort of hit all the marks there. 468 00:30:06,680 --> 00:30:10,720 You're doing things that that antivirus and access control don't. 469 00:30:11,880 --> 00:30:14,720 Can I ask, you know, just a clarifying question, when 470 00:30:14,880 --> 00:30:17,160 when your stuff is deployed, do you tend to see 471 00:30:17,160 --> 00:30:20,279 it deployed in addition to antivirus or you know, whitelisting 472 00:30:20,319 --> 00:30:24,359 access control, or are you deployed sort of instead of that. 473 00:30:24,880 --> 00:30:27,039 Speaker 1: We've seen it both ways. We designed it so it 474 00:30:27,079 --> 00:30:29,559 would run in parallel, you know, with some of these 475 00:30:30,400 --> 00:30:32,839 ab solutions that are out there, because again we're trying 476 00:30:32,880 --> 00:30:34,759 to go in there and say we're not disrupting your 477 00:30:34,799 --> 00:30:38,720 existing infrastructure. If you have a reason to keep running that, great, 478 00:30:39,200 --> 00:30:45,279 we'll just come in and run alongside. We've never gone 479 00:30:45,359 --> 00:30:48,960 in and they've kept an application. Whitelisting solution there they've 480 00:30:49,000 --> 00:30:52,359 typically just moved to us. So in many cases they 481 00:30:52,400 --> 00:30:56,000 will be running things like Windows Defender and we're running 482 00:30:56,359 --> 00:30:57,559 in addition to that. 483 00:30:58,400 --> 00:31:01,920 Speaker 3: You know, your stuff is installed in the kernel. In 484 00:31:01,960 --> 00:31:08,240 my experience, there's longstanding reluctance to deploy any kind of 485 00:31:08,240 --> 00:31:13,559 security technology on existing hosts, in existing OT network, you know, 486 00:31:13,640 --> 00:31:14,559 existing systems. 487 00:31:15,200 --> 00:31:15,880 Speaker 1: You know, the. 488 00:31:16,319 --> 00:31:19,720 Speaker 3: Vendors sometimes push back and say no, no, no, you've 489 00:31:19,720 --> 00:31:23,319 installed somebody else's software on my system. I don't support 490 00:31:23,359 --> 00:31:26,480 this anymore. You're on your own. There's vendor support agreements, 491 00:31:26,519 --> 00:31:30,880 there's legal agreements that it gets complicated. Can you talk 492 00:31:30,920 --> 00:31:34,400 about that? How you know, how has this technology been 493 00:31:34,440 --> 00:31:38,119 received in an environment that just doesn't want to change anything. 494 00:31:39,000 --> 00:31:41,079 Speaker 1: Well, that's an excellent point that you're making, and it 495 00:31:41,160 --> 00:31:44,880 is one of the inhibitors you know, we see, but 496 00:31:44,960 --> 00:31:49,559 it is changing the The industrial automation vendors typically which 497 00:31:49,559 --> 00:31:55,279 you speak are recognizing that there's problems here, and you know, 498 00:31:55,559 --> 00:31:58,319 they can either be part of the solution or they 499 00:31:58,359 --> 00:32:01,519 can be held liable as part of the problem. And 500 00:32:01,920 --> 00:32:04,880 you're seeing a movement there. You know, for instance, we 501 00:32:04,960 --> 00:32:09,559 have just gone public with a relationship with Rockwell and 502 00:32:09,599 --> 00:32:12,039 they are bringing US now in as part of their 503 00:32:12,079 --> 00:32:17,000 solution to solve these types of problems where appropriate. And 504 00:32:17,000 --> 00:32:20,240 we're having these discussions with these other other vendors. In 505 00:32:20,279 --> 00:32:22,960 some cases they are very very regimented, and others are 506 00:32:23,039 --> 00:32:29,079 much more open to provide more modern approaches, if you will, 507 00:32:29,480 --> 00:32:32,440 to stopping these threats, because they are happening, and they're 508 00:32:32,480 --> 00:32:35,599 starting to happen in increasing fashion. So they can't just 509 00:32:36,359 --> 00:32:40,839 tell the customer my leug agreement with you says you 510 00:32:40,880 --> 00:32:45,000 can't run protection to that I haven't approved on your system, 511 00:32:45,960 --> 00:32:49,319 and then find out that their system was compromised because 512 00:32:49,519 --> 00:32:52,799 their applications had vulnerabilities in them that were exploited. So 513 00:32:52,839 --> 00:32:57,160 you can see the challenge is there, right, So these 514 00:32:57,240 --> 00:33:00,359 vendors are now starting to move and it is something 515 00:33:00,359 --> 00:33:02,200 that really has just really happened over the last couple 516 00:33:02,240 --> 00:33:02,599 of years. 517 00:33:03,680 --> 00:33:07,680 Speaker 3: You know, you were talking about bad stuff, shims that 518 00:33:08,039 --> 00:33:12,519 download other bad stuff. You know, the shim looks benign, 519 00:33:12,640 --> 00:33:16,319 but it winds up downloading code and xing executing Code's 520 00:33:16,400 --> 00:33:20,039 that's not so benign, you know, just thinking about it, 521 00:33:20,640 --> 00:33:24,880 this is what happens in browsers. Browsers download JavaScript routinely, 522 00:33:24,920 --> 00:33:29,400 they execute the code routinely. You know, if if your 523 00:33:29,440 --> 00:33:33,839 AI forbids downloaded code, does it break the browser? How 524 00:33:33,880 --> 00:33:34,960 do you work with browsers? 525 00:33:36,279 --> 00:33:38,599 Speaker 1: Yeah, so that's that's an interesting point. So you know, 526 00:33:38,599 --> 00:33:41,480 when we get into OT environments, you don't typically see 527 00:33:41,519 --> 00:33:46,839 these types of behaviors happening. So they're not downloading apps 528 00:33:46,880 --> 00:33:52,319 through browsers and dynamically executing code, so that's not your 529 00:33:52,319 --> 00:33:55,960 typical behavior that you're going to see. We do have 530 00:33:56,079 --> 00:33:58,640 certain countermeasures though, to all all of us to deal 531 00:33:58,680 --> 00:34:02,720 with things like malicious javascripts running and picking off those 532 00:34:02,960 --> 00:34:05,880 those types of techniques because that may be running independent 533 00:34:05,920 --> 00:34:09,639 of your typical browser download. So we do stop that. 534 00:34:11,119 --> 00:34:14,079 Speaker 3: There's a lot of applications in an IT environment, and 535 00:34:14,880 --> 00:34:16,719 to a lot of people surprised, there's a lot of 536 00:34:16,760 --> 00:34:20,760 applications in an industrial control system environment as well. You 537 00:34:20,840 --> 00:34:24,320 might imagine that. You know, there's fewer control systems in 538 00:34:24,360 --> 00:34:28,679 the world than IT networks, but there's still a huge 539 00:34:28,719 --> 00:34:33,679 diversity of applications of software of even hardware out there. 540 00:34:36,039 --> 00:34:39,199 Is it I mean, is it possible for you guys 541 00:34:39,280 --> 00:34:42,559 to learn all of those applications and keep track of 542 00:34:42,599 --> 00:34:45,719 them as vendors release new security updates? Do you do 543 00:34:45,800 --> 00:34:49,360 this sort of centrally, how do you manage that diversity? 544 00:34:50,119 --> 00:34:53,119 Speaker 1: Yeah, there are multiple ways to do this, and we 545 00:34:53,159 --> 00:34:58,000 do try to work with the larger industrial automation vendors 546 00:34:58,360 --> 00:35:01,199 in advance to get as many of these as we can. 547 00:35:02,440 --> 00:35:05,400 But we realized early on that we couldn't depend on that, 548 00:35:05,559 --> 00:35:10,280 so we built our application so that once our agent 549 00:35:10,320 --> 00:35:14,599 became active on the device, it would quickly inventory everything 550 00:35:14,639 --> 00:35:18,559 had found running on the host, and they would slowly 551 00:35:18,599 --> 00:35:23,000 also look at everything that was over on the disc. Again, 552 00:35:23,559 --> 00:35:25,880 the word slowly is there because we're trying to make 553 00:35:25,880 --> 00:35:28,639 sure we stay within operational parameters, so we don't slow 554 00:35:28,679 --> 00:35:33,000 down the device at all. So when we do that, 555 00:35:33,280 --> 00:35:36,480 we can inventory everything and in some cases we'll say 556 00:35:36,519 --> 00:35:40,000 we find one hundred applications, you know, we'll build that 557 00:35:41,480 --> 00:35:44,920 list on the device, and each of our individual agents 558 00:35:44,920 --> 00:35:49,840 and all devices will build a list. Now, to make 559 00:35:49,880 --> 00:35:54,559 it easy on the operator, we can come up in 560 00:35:54,639 --> 00:35:57,320 a mode we call prevent mode where we say, okay, 561 00:35:57,440 --> 00:36:00,519 we're going to assume that all the application is we 562 00:36:00,760 --> 00:36:06,320 just built are good, right, Chances are that probably the situation, 563 00:36:07,679 --> 00:36:10,119 and then we have these additional countermeasures that are going 564 00:36:10,199 --> 00:36:14,280 to watch and see if anything else happens which is 565 00:36:14,280 --> 00:36:17,360 not good, you know, one of these tech techniques, and 566 00:36:17,400 --> 00:36:21,480 then those will then trigger us to stop those techniques 567 00:36:22,159 --> 00:36:25,280 and zero it in on the application so that that 568 00:36:25,320 --> 00:36:28,719 can be explored. So this allows the vendors to deploy 569 00:36:28,760 --> 00:36:32,199 our agents out on the devices and just say, okay, 570 00:36:32,239 --> 00:36:35,000 you come up and prevent you allow everything that's running 571 00:36:35,000 --> 00:36:38,039 to run. You turn on your countermeasures to look for 572 00:36:38,079 --> 00:36:42,320 bad techniques. And then what they do is they communicate 573 00:36:42,360 --> 00:36:46,559 to a centralized application that's running inside this customer site 574 00:36:47,159 --> 00:36:52,199 typically and it could be right down on these manufacturing lands. 575 00:36:52,199 --> 00:36:55,079 In some cases we've got running an air gapped environment 576 00:36:55,239 --> 00:36:58,199 factory flowers as we speak, so they don't have normal 577 00:36:58,199 --> 00:37:02,000 connectivity outside world. But the one hundred devices in a 578 00:37:02,000 --> 00:37:05,480 manufacturing floor communicate everything that they've learned on their devices, 579 00:37:05,519 --> 00:37:09,599 and it builds the central manifest and then now you've 580 00:37:09,639 --> 00:37:13,079 got depopulated stuff you like, but now you've actually got 581 00:37:13,320 --> 00:37:16,840 an inventory of every single application on which devices or 582 00:37:16,880 --> 00:37:19,800 which lines, because it'll actually give you that capability to 583 00:37:19,880 --> 00:37:23,239 name the lines. And we found that of extreme use 584 00:37:23,280 --> 00:37:25,119 to a lot of these manufacturers because a lot of 585 00:37:25,159 --> 00:37:28,800 things they don't know. All the applications or the application 586 00:37:28,920 --> 00:37:31,840 variants that are running there on each of their OS platforms, 587 00:37:32,280 --> 00:37:34,679 So it gives them visibility of that, and then they 588 00:37:34,679 --> 00:37:36,880 can say, okay, this is a great I can now 589 00:37:36,920 --> 00:37:39,639 have an approved level of manifest and if something goes wrong, 590 00:37:40,079 --> 00:37:42,719 I can look through that and take out those those 591 00:37:42,719 --> 00:37:45,599 bad applications. Or I can say, you know what, I'm 592 00:37:45,599 --> 00:37:47,599 looking through this list and I really don't like that 593 00:37:47,679 --> 00:37:51,480 notepad is running on these applications because that's something that 594 00:37:51,519 --> 00:37:53,840 could be used by an attacker. So I'm going to 595 00:37:53,880 --> 00:37:57,639 say I want to block that. So the centralized control 596 00:37:57,679 --> 00:38:00,519 system we call our trust center can then an update 597 00:38:00,559 --> 00:38:04,639 out and say block the use of Noepad. So it's 598 00:38:04,639 --> 00:38:06,559 a way for you to control the policies in which 599 00:38:06,599 --> 00:38:10,880 you allow certain applications to run. So this was well 600 00:38:10,880 --> 00:38:15,440 received because I said, we have this large global manufacturer 601 00:38:16,000 --> 00:38:20,400 and they were like, this is good because the people 602 00:38:20,440 --> 00:38:22,559 on the site trying to run these things don't have 603 00:38:22,639 --> 00:38:26,039 time to go figure everything out. They need something that's simple. 604 00:38:26,480 --> 00:38:29,440 But then when we're looking and doing some periodic reviews, 605 00:38:29,480 --> 00:38:32,559 we can sit there and say, okay, we can examine 606 00:38:32,559 --> 00:38:34,440 what we have here. We can decide what we don't 607 00:38:34,480 --> 00:38:38,119 like running, and we also can get an indication of 608 00:38:38,199 --> 00:38:41,360 all the different variants of these various applications so that 609 00:38:41,400 --> 00:38:44,760 we can do better planning going forward. In the meantime, 610 00:38:44,800 --> 00:38:48,159 they're fully protected from these types of attacks that they're 611 00:38:48,440 --> 00:38:51,800 most concerned with, everything from the zero day ransomware and 612 00:38:51,840 --> 00:38:54,840 malware all the way up to these very sophisticated nations 613 00:38:54,880 --> 00:38:58,199 date backed attacks. They're typically coming in through their supply chain, by. 614 00:38:58,119 --> 00:39:04,119 Speaker 3: The way, So that struck me as interesting, Nate. You 615 00:39:04,119 --> 00:39:06,119 know a lot of people have been on the show 616 00:39:06,159 --> 00:39:09,320 talking about asset inventory. You can only protect what you 617 00:39:09,360 --> 00:39:14,199 know you have, but asset inventory in most implementations, in 618 00:39:14,199 --> 00:39:18,760 my understanding, tends to focus on what kind of devices 619 00:39:18,760 --> 00:39:22,880 are there. There's PLCs, there's RTUs, there's protective relays. You know, 620 00:39:22,920 --> 00:39:26,559 there's Windows machines, there's Linux machines. What version of what 621 00:39:26,599 --> 00:39:29,360 OS are they running? What's what version of the OS 622 00:39:29,360 --> 00:39:31,719 are they running, what patch level are they running? What 623 00:39:31,880 --> 00:39:35,719 software has been installed? Has this software been patched? What 624 00:39:35,800 --> 00:39:37,519 these folks are doing is sort of coming at it. 625 00:39:37,920 --> 00:39:41,360 I assume all of that, and and they're going through 626 00:39:41,400 --> 00:39:44,199 and making a long list of all of the executables 627 00:39:44,280 --> 00:39:46,119 that are installed on the machine, which is sort of 628 00:39:46,280 --> 00:39:48,800 the next level of detail. I mean, you know, he 629 00:39:48,880 --> 00:39:52,280 mentioned the example of Notepad. Notepad. You know, there's no 630 00:39:52,800 --> 00:39:56,079 there's no there's nothing in the list of installed software 631 00:39:56,119 --> 00:40:00,199 that says notepads installed. It installs when you install all 632 00:40:00,199 --> 00:40:03,079 the OS. It's not a separate install So having that 633 00:40:03,159 --> 00:40:07,119 sort of more detailed asset inventory is you know, to me, 634 00:40:07,199 --> 00:40:10,079 is interesting. It strikes me as potentially useful in terms of, 635 00:40:10,960 --> 00:40:13,800 you know, additional hardening that you can apply to these machines. 636 00:40:14,880 --> 00:40:16,760 Speaker 2: You know, I'm not sure that this was the point 637 00:40:16,800 --> 00:40:19,079 of what you just said there, but you mentioned notepad, 638 00:40:19,119 --> 00:40:23,480 and he mentioned Notepad. I'm wondering, why is Notepad coming 639 00:40:23,480 --> 00:40:25,719 into any of this. That's just the application that I 640 00:40:25,800 --> 00:40:26,920 never use on my computer. 641 00:40:27,519 --> 00:40:30,280 Speaker 3: Yeah, it's an application I never use either. It's it's 642 00:40:30,320 --> 00:40:33,400 an application that lets you edit text files. And you know, 643 00:40:33,519 --> 00:40:36,079 if you ever read me file, nobody wants to edit it. 644 00:40:36,159 --> 00:40:38,159 They want to read it. You can read it in 645 00:40:38,519 --> 00:40:40,360 lots of things, the browser will let you read it. 646 00:40:42,760 --> 00:40:47,920 Notepad lets you create text files as well, and apparently attackers, 647 00:40:48,079 --> 00:40:50,119 you know, it's it's one of the tools that attackers 648 00:40:50,159 --> 00:40:53,360 tend to use more than regular users, because the attackers 649 00:40:53,360 --> 00:40:56,440 always need to put some script file you know, down 650 00:40:56,480 --> 00:40:59,679 so you can execute it, or you know, put a 651 00:40:59,719 --> 00:41:02,199 store and license key into a text file so it 652 00:41:02,199 --> 00:41:05,239 can be imported, and so on. So I guess this 653 00:41:05,400 --> 00:41:10,320 is again one of the tools that owners and operators 654 00:41:10,400 --> 00:41:12,480 might look at and say, I never use that, We 655 00:41:12,519 --> 00:41:14,800 don't need that. The only people that are going to 656 00:41:14,880 --> 00:41:17,159 use that are the bad guys. Take it off the machine. 657 00:41:17,239 --> 00:41:20,599 You know, we had an episode I think recently talking 658 00:41:20,599 --> 00:41:23,199 about living off the land when touched on it briefly, 659 00:41:23,239 --> 00:41:25,559 the using tools that are part of the operating system 660 00:41:25,599 --> 00:41:29,599 to launch attacks. This sounds like one of those tools. 661 00:41:30,159 --> 00:41:32,360 Never really occurred to me. But yeah, you know, when 662 00:41:32,360 --> 00:41:35,960 you say it, I never use notepad either. So if 663 00:41:35,960 --> 00:41:38,320 it's only the bad guys doing it, you know, that's 664 00:41:38,519 --> 00:41:43,639 a candidate to take off the machine. You were talking 665 00:41:43,639 --> 00:41:46,000 about the ability to run in sort of an advisory 666 00:41:46,000 --> 00:41:50,280 mode versus an enforcing mode. Is this relevant to let's 667 00:41:50,320 --> 00:41:52,760 call it upset conditions? I mean, how often do you 668 00:41:52,800 --> 00:41:57,119 start the plant from scratch, maybe once a year, and 669 00:41:57,679 --> 00:42:01,079 everything behaves a little bit differently during start up? How 670 00:42:01,119 --> 00:42:04,599 often do you do an emergency shutdown? Hopefully no more 671 00:42:04,639 --> 00:42:07,800 than every few years. And in an emergency shutdown, everything 672 00:42:07,840 --> 00:42:13,280 is different, everything is changing. Do do you make sort 673 00:42:13,280 --> 00:42:16,599 of provision make exceptions in those cases? 674 00:42:17,519 --> 00:42:19,639 Speaker 1: Prevent mode is our normal mode. But when we go 675 00:42:19,719 --> 00:42:23,440 into these let's call them updates, usually it's maintenance windows 676 00:42:23,519 --> 00:42:27,800 emergency shutdowns, we just asked that the operators turn us 677 00:42:27,840 --> 00:42:33,000 into detect mode. That way the product keeps running. But 678 00:42:33,119 --> 00:42:35,760 as they make these changes, we're not going to try 679 00:42:35,760 --> 00:42:39,000 to get in the way of things happening, especially like 680 00:42:39,039 --> 00:42:41,960 you said, when there's an emergency going on, or you're 681 00:42:41,960 --> 00:42:44,840 just getting a batch of updates coming in, you know, 682 00:42:44,880 --> 00:42:48,119 from patches to the new revisions of applications coming in 683 00:42:48,480 --> 00:42:53,199 across the board. Then once things settle down, you can 684 00:42:53,480 --> 00:42:57,440 look at what we detected as showing alerts you or not. 685 00:42:57,679 --> 00:43:00,400 It depends on what they want to do. It depends 686 00:43:00,400 --> 00:43:02,519 on the situation, of course. And then if you see 687 00:43:02,519 --> 00:43:06,079 everything is fine from what we reported, you just accept 688 00:43:06,159 --> 00:43:10,760 all those changes. You can say these are all okay 689 00:43:10,760 --> 00:43:17,320 to run as is, basically started fresh and move back 690 00:43:17,320 --> 00:43:20,239 into prevent mode. So all the changes have been accepted 691 00:43:20,639 --> 00:43:23,519 and we run from there. So that's the way that 692 00:43:23,559 --> 00:43:25,920 we deal with that and we find it works out 693 00:43:25,960 --> 00:43:28,519 pretty well because it's just simple toggling of a switch 694 00:43:29,079 --> 00:43:31,760 and then toggling it back on once everything is stabilized, 695 00:43:33,599 --> 00:43:35,760 and you still have an ability to track everything that 696 00:43:35,880 --> 00:43:40,360 happened during that mode where you're doing all those changes. 697 00:43:40,480 --> 00:43:44,039 So we have all these wonderful operational logs to tell 698 00:43:44,079 --> 00:43:46,559 you about exactly what happened. So in a lot of 699 00:43:46,599 --> 00:43:50,320 these environments that are definitely under a lot of scrutiny 700 00:43:51,440 --> 00:43:54,599 compliance reasons, now you now have a complete history of 701 00:43:54,639 --> 00:43:55,280 what's happened. 702 00:43:56,239 --> 00:43:58,559 Speaker 3: Well, this has been great, Gary, thank you for joining us. 703 00:43:59,079 --> 00:44:00,719 Before I let you go, so can I ask you 704 00:44:00,760 --> 00:44:02,719 to sum up for us what should know? What should 705 00:44:02,760 --> 00:44:05,199 we be thinking about when we're thinking about this space. 706 00:44:06,239 --> 00:44:09,039 Speaker 1: Well, as I start off, you've got to make sure 707 00:44:09,079 --> 00:44:11,840 you've got a solution that has an ability to stop 708 00:44:11,880 --> 00:44:15,440 all these different variations of attack. It doesn't help if 709 00:44:15,440 --> 00:44:17,800 you're only covering twenty percent of the attacks out there. 710 00:44:18,360 --> 00:44:20,599 You've got to cover the full level of attacks in 711 00:44:20,679 --> 00:44:25,320 order to have a solution with efficacy. The other point 712 00:44:25,519 --> 00:44:28,800 I think we want to briefly touch on is that 713 00:44:29,440 --> 00:44:32,159 you can have the best solutions out there, but if 714 00:44:32,159 --> 00:44:36,239 they're not easy to actually implement and deploy and update, 715 00:44:36,920 --> 00:44:40,599 then the solution will not be successful. That's going to 716 00:44:40,599 --> 00:44:45,679 be that simple that operators with minimal training can figure 717 00:44:45,679 --> 00:44:48,239 out how to deploy it. They can come up and 718 00:44:48,280 --> 00:44:51,239 then deal with this as they go through their normal operations, 719 00:44:51,280 --> 00:44:54,239 as they run it or are going through a period. 720 00:44:54,280 --> 00:44:56,719 Whenever I've got a maintenance window running and they're making 721 00:44:56,920 --> 00:45:00,400 updates to all their applications in their environment, I would 722 00:45:00,440 --> 00:45:02,360 say there's a call to action going on right here, 723 00:45:02,400 --> 00:45:06,719 because for so long the industry has tried to stick 724 00:45:06,760 --> 00:45:09,360 with the old ways and the old ways in the 725 00:45:09,400 --> 00:45:12,239 OT world where or try to use passive defenses as 726 00:45:12,320 --> 00:45:15,679 much as possible air gap which means there's no Internet 727 00:45:15,679 --> 00:45:20,519 connectivity as much as possible, and yet the attacks keep coming. 728 00:45:21,800 --> 00:45:27,239 The problem is there's the human element. The industrial automation vendors. 729 00:45:27,559 --> 00:45:30,280 I don't want to pick on them, but they have 730 00:45:30,320 --> 00:45:32,800 to update their applications at some point, so either they're 731 00:45:32,800 --> 00:45:36,719 bringing in people, or they've got third parties that are 732 00:45:36,719 --> 00:45:39,320 coming in, or the customer has third parties coming in. 733 00:45:39,840 --> 00:45:43,119 And that's when we have people walking past the network 734 00:45:43,440 --> 00:45:47,440 and then plugging into these devices, often with USB sticks 735 00:45:47,599 --> 00:45:51,199 or I mean it's laptops and the updates happen, and 736 00:45:51,320 --> 00:45:55,119 so do the problems. So you can't be myopic and 737 00:45:55,199 --> 00:45:57,880 think we can get away with approaches that worked in 738 00:45:57,920 --> 00:46:02,199 the last decade when there's actually ways that defeat them 739 00:46:02,519 --> 00:46:06,159 every day in our environments. So I would say the 740 00:46:06,199 --> 00:46:09,719 takeaway is you're going to look at a solution. You've 741 00:46:09,760 --> 00:46:14,320 got to find one that will work well, drastically reduce 742 00:46:14,400 --> 00:46:18,400 your risk, that's easy to deploy, and then can deal 743 00:46:18,440 --> 00:46:30,000 with these situations where traditional defenses just don't cover the problem. 744 00:46:30,199 --> 00:46:33,000 Speaker 2: So Andrew to close out here, Gary's talking a lot 745 00:46:33,039 --> 00:46:37,079 about choosing the right solutions, which solution is a tricky word, right, 746 00:46:37,159 --> 00:46:41,320 Are we really solving something here or are we iterating 747 00:46:41,719 --> 00:46:45,519 on a long history of what we've been doing prior. 748 00:46:46,599 --> 00:46:49,239 Speaker 3: That's a good question. I would use the word innovating 749 00:46:49,440 --> 00:46:54,199 rather than iterating. The bad guys keep getting better at 750 00:46:54,440 --> 00:46:57,639 what they're doing. They keep inventing new and different and 751 00:46:57,960 --> 00:47:02,960 subtler ways of a acting us, and so our defenses 752 00:47:03,360 --> 00:47:06,320 need to become more capable. You know, as time goes 753 00:47:06,320 --> 00:47:08,719 by as well as the threat environment changes. And here's 754 00:47:08,760 --> 00:47:12,719 an innovation. Here's a way to address a kind of 755 00:47:12,760 --> 00:47:17,719 attack that is becoming more widely used by the sophisticated, 756 00:47:17,760 --> 00:47:21,920 the high end of the attack spectrum. You know, putting 757 00:47:21,920 --> 00:47:26,719 something benign looking into a software update, putting something benign 758 00:47:26,760 --> 00:47:30,000 looking on a machine, and then loading the nasty in 759 00:47:30,159 --> 00:47:33,920 memory into that benign looking thing. This is you know, 760 00:47:34,039 --> 00:47:36,280 this is the world we live in. This is starting 761 00:47:36,280 --> 00:47:40,760 to happen reasonably regularly. We need technology that's going to 762 00:47:40,800 --> 00:47:44,960 address this threat, you know, the bad guys innovates we 763 00:47:45,679 --> 00:47:46,440 need to as well. 764 00:47:47,199 --> 00:47:50,079 Speaker 2: Well. Thank you to Gary Southwell for speaking with you, Andrew. 765 00:47:50,119 --> 00:47:52,320 And Andrew is always thank you for speaking with me. 766 00:47:53,039 --> 00:47:54,440 Speaker 3: It's always a pleasure. Thank you, Nan. 767 00:47:55,119 --> 00:47:58,960 Speaker 2: This has been the Industrial Security podcast from Waterfall. Thank 768 00:47:59,000 --> 00:48:01,159 you to everybody of their listening. 769 00:48:10,679 --> 00:48:11,119 Speaker 1: Mm hmm