1
00:00:03,160 --> 00:00:08,080
Speaker 1: We created a new segment in the industry. What we're

2
00:00:08,199 --> 00:00:13,640
doing is data science for cyber security.

3
00:00:18,359 --> 00:00:22,559
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

4
00:00:22,679 --> 00:00:26,320
Nate Nelson. I'm here with Andrew Ginter, the vice president

5
00:00:26,399 --> 00:00:30,440
of Industrial Security at Waterfall Security Solutions, who's going to

6
00:00:30,480 --> 00:00:34,759
introduce the subject and guest of today's show. Andrew, how

7
00:00:34,759 --> 00:00:35,079
are you?

8
00:00:35,960 --> 00:00:38,439
Speaker 3: I'm very well, thank you, Nate. Our guest today is

9
00:00:38,560 --> 00:00:43,280
Karmit Yadin. She is the CEO of Device Total and

10
00:00:43,359 --> 00:00:48,880
Device Total is doing OT security data science in the

11
00:00:48,960 --> 00:00:53,159
area of vulnerability management and I had no idea what

12
00:00:53,159 --> 00:00:55,359
that was, so I was keen to find out.

13
00:00:56,600 --> 00:01:00,280
Speaker 2: Then, without further ado, here's your interview with Karmit.

14
00:01:02,600 --> 00:01:05,760
Speaker 3: Hello Karmit, and welcome to the podcast. Before we

15
00:01:05,760 --> 00:01:07,879
get started, can I ask you to please you say

16
00:01:07,920 --> 00:01:10,439
a few words about your background for our listeners, and

17
00:01:10,680 --> 00:01:12,640
you know a bit about the good work you're doing

18
00:01:12,760 --> 00:01:13,680
at Device Total.

19
00:01:14,519 --> 00:01:19,400
Speaker 1: Thank you for the opportunity. Highly appreciated. So a little

20
00:01:19,400 --> 00:01:23,120
bit about my background. I started my journey in the

21
00:01:23,159 --> 00:01:27,920
cyber security space when I joined the Israeli Army was

22
00:01:28,040 --> 00:01:35,159
trained for network and security. I worked as a CISO

23
00:01:35,519 --> 00:01:41,599
in several NASDAQ companies. I worked with governments around the world,

24
00:01:41,680 --> 00:01:48,840
mostly with the US government, on gathering intelligence from connected devices,

25
00:01:50,439 --> 00:01:56,400
and with time, I realized that the biggest challenge the

26
00:01:56,439 --> 00:02:01,000
cyber security industry have is in the fact that as humans,

27
00:02:01,959 --> 00:02:06,120
we connect ourselves with so many devices and the number

28
00:02:06,280 --> 00:02:13,360
of connected devices is increasing dramatically, and the problem is

29
00:02:13,400 --> 00:02:18,960
that security teams and humans don't have visibility to the

30
00:02:19,039 --> 00:02:26,639
security posture of each device in their organization. They also

31
00:02:26,800 --> 00:02:34,439
don't have visibility on how each device impacts the entire organization.

32
00:02:36,280 --> 00:02:39,759
So I decided to take that as a personal mission

33
00:02:40,199 --> 00:02:45,919
for me to solve. I did my doctoral studies exactly

34
00:02:45,960 --> 00:02:50,199
about this subject, and I founded Device Total to

35
00:02:50,400 --> 00:02:56,680
solve this unique problem and significant one.

36
00:02:55,759 --> 00:02:59,439
Speaker 3: Our topic today is vulnerabilities and there's a lot of

37
00:02:59,479 --> 00:03:05,479
information available about vulnerabilities on the Internet. Can you talk

38
00:03:05,520 --> 00:03:10,560
about vulnerabilities? Which part of that space are you looking at?

39
00:03:15,000 --> 00:03:18,520
Speaker 1: So the first important thing is for us to understand

40
00:03:18,639 --> 00:03:23,520
what does it means vulnerabilities for the IoT and the

41
00:03:23,520 --> 00:03:30,439
OT space. And the biggest challenge organizations have today is

42
00:03:30,479 --> 00:03:36,280
to know what vulnerability is related to any of their

43
00:03:36,360 --> 00:03:41,280
devices in their organization. Now, in order to understand that,

44
00:03:41,439 --> 00:03:46,039
we need to understand how the vendors that manufactures those

45
00:03:46,039 --> 00:03:52,439
devices match vulnerabilities. And what's important to understand it is

46
00:03:52,479 --> 00:03:59,919
that vendor publish their vulnerabilities by two main parameters. One

47
00:04:00,439 --> 00:04:04,319
is the hardware of the device and the second one

48
00:04:04,560 --> 00:04:09,639
is the software, which is the firmware version. Now, there

49
00:04:09,680 --> 00:04:15,560
are different sources from where we can gather this information.

50
00:04:16,480 --> 00:04:22,519
So the most reliable source is the vendor security advisory.

51
00:04:23,000 --> 00:04:27,439
The vendor responsibility by regulation by the way they have

52
00:04:27,639 --> 00:04:33,160
to publish and to disclose the vulnerabilities they are aware

53
00:04:33,199 --> 00:04:39,079
of to the industry and to their customers. Most of

54
00:04:39,160 --> 00:04:44,480
the vulnerability management today focusing on IoT and OT will

55
00:04:44,639 --> 00:04:50,920
gather the information from NVD. Now, the problem with NVD

56
00:04:51,199 --> 00:04:57,199
is that NVD provide a non accurate and non complete

57
00:04:57,319 --> 00:05:05,399
visibility on the vulnerability on those devices. Therefore, customers and

58
00:05:05,639 --> 00:05:10,399
organization in order to in order to identify the accurate

59
00:05:10,639 --> 00:05:15,560
data vulnerabilities data for their devices will need to do

60
00:05:15,800 --> 00:05:20,360
lots of manual activities. They will need to go to

61
00:05:20,480 --> 00:05:26,319
the security advisory and to try to understand what vulnerability

62
00:05:26,360 --> 00:05:31,199
is related to these devices. This task takes, like forever,

63
00:05:31,920 --> 00:05:37,959
a lot of time and it's and it's a very

64
00:05:38,000 --> 00:05:42,639
difficult task to do, a lot of manual work, different websites,

65
00:05:44,680 --> 00:05:50,720
definitely unscalable. So this is how the industry looks today.

66
00:05:51,399 --> 00:05:58,079
There is no one universal repository providing all the data

67
00:05:58,160 --> 00:06:00,040
for any device.

68
00:06:01,000 --> 00:06:02,920
Speaker 3: So that that does sound like a lot of work

69
00:06:03,000 --> 00:06:07,399
for you know, someone like me. You know, if I'm

70
00:06:07,560 --> 00:06:09,959
operating an industrial site, I've got a lot of equipment,

71
00:06:09,959 --> 00:06:12,399
I've got a lot of software to try and go

72
00:06:12,439 --> 00:06:16,920
out and find this information manually. You're saying, is well,

73
00:06:16,959 --> 00:06:17,959
it's a lot of hard work.

74
00:06:19,240 --> 00:06:22,279
Speaker 1: Yes, that's true, it's a lot of hard work. The

75
00:06:22,439 --> 00:06:30,040
problem is that security advisories today they are non structure data.

76
00:06:30,319 --> 00:06:33,360
The data inside there is a non structure and for

77
00:06:33,600 --> 00:06:38,240
those vendors that try to structure that didn't structure the

78
00:06:38,399 --> 00:06:42,519
entire data. So we are dealing with a lot of

79
00:06:42,680 --> 00:06:50,240
data that machines cannot consume and a humans that are

80
00:06:50,399 --> 00:06:55,759
capable to read that doesn't have the scalability that machine have.

81
00:06:56,000 --> 00:07:00,879
So that's the problem. The data is there, but we

82
00:07:00,959 --> 00:07:07,439
cannot consume that, and this is one problem. The second

83
00:07:07,519 --> 00:07:10,920
problem would be, now that I understand what problems do

84
00:07:10,959 --> 00:07:13,720
I have, how am I going to solve that? So

85
00:07:13,879 --> 00:07:15,439
you're one hundred percent right.

86
00:07:16,680 --> 00:07:21,000
Speaker 3: In previous episodes of the podcast, we have had people

87
00:07:21,800 --> 00:07:27,040
talking about new standards that are out there for publishing

88
00:07:28,879 --> 00:07:34,040
vulnerability information in a machine readable format. You know, I

89
00:07:34,079 --> 00:07:37,560
had imagined that those standards would solve this problem. Are

90
00:07:37,720 --> 00:07:38,879
are they not solving it?

91
00:07:40,079 --> 00:07:45,160
Speaker 1: The problems start with the fact that specifically in IoT

92
00:07:45,240 --> 00:07:51,160
and OT devices, there are so many vendors that manufactures

93
00:07:51,319 --> 00:07:55,240
different type of devices to the industry, and there is

94
00:07:55,279 --> 00:08:01,399
no alignment and there is no standardization on how vendor

95
00:08:01,519 --> 00:08:08,120
A publish their security data versus vendor B. So there

96
00:08:08,160 --> 00:08:14,079
is no alignment between them, and our job is to

97
00:08:14,199 --> 00:08:19,680
create that alignment because it doesn't exist elsewhere. Another thing

98
00:08:19,720 --> 00:08:23,800
about standards is that there are lots of standards and

99
00:08:23,920 --> 00:08:32,440
regulation for the organizations that are using IoT and OT devices.

100
00:08:33,080 --> 00:08:38,039
They must validate what vulnerabilities they have, they must use

101
00:08:38,120 --> 00:08:44,159
their latest version of the devices. They must control the

102
00:08:44,279 --> 00:08:48,960
risk of the devices in different angles. So the

103
00:08:49,039 --> 00:08:53,519
majority of the regulation and the standards is on the

104
00:08:53,799 --> 00:09:00,720
organizations that are using the devices versus on how the

105
00:09:00,799 --> 00:09:06,600
manufacture should publish. They have to publish, but the way

106
00:09:06,720 --> 00:09:11,279
they publish is their own way, and each vendor doing

107
00:09:11,320 --> 00:09:12,399
that differently today.

108
00:09:13,519 --> 00:09:16,600
Speaker 3: Listening to what you're saying here, you know, it sounds

109
00:09:16,679 --> 00:09:20,840
like what the world needs is a search engine for

110
00:09:20,960 --> 00:09:24,559
vulnerabilities that can tell me, you know, what's broken, can

111
00:09:24,600 --> 00:09:28,440
tell me what fixes are available, you know, with reliable,

112
00:09:28,679 --> 00:09:31,039
up to date data. Is that what the world needs?

113
00:09:32,320 --> 00:09:36,600
Speaker 1: Know Andrew, I think that what the world needs is.

114
00:09:38,080 --> 00:09:38,600
Speaker 3: To know.

115
00:09:40,039 --> 00:09:44,200
Speaker 1: What vulnerabilities exist on their devices. They don't want to

116
00:09:44,279 --> 00:09:47,159
go and search our organization don't want to go and

117
00:09:47,279 --> 00:09:50,759
use a search engine to search all the vulnerabilities on

118
00:09:50,879 --> 00:09:54,440
all their devices. They want someone to tell them, hey,

119
00:09:55,159 --> 00:09:59,399
these are the problems you have. These are the solutions

120
00:09:59,440 --> 00:10:03,960
that you need to implement. And that's the priority on how,

121
00:10:04,120 --> 00:10:07,840
on how and when you should do that. And that's

122
00:10:08,120 --> 00:10:13,799
a solution that organizations like Armis, Nozomi and Claroty provide

123
00:10:13,840 --> 00:10:17,960
today to their customers. The companies that needs that

124
00:10:18,360 --> 00:10:23,559
search engine and capabilities are those companies they need that

125
00:10:23,600 --> 00:10:25,799
to have, They need to have device that we are

126
00:10:25,879 --> 00:10:26,919
behind their scenes.

127
00:10:28,000 --> 00:10:32,720
Speaker 3: You have product in the space. What do you have? What?

128
00:10:32,720 --> 00:10:35,840
What what you know? How do you work with with

129
00:10:35,840 --> 00:10:36,679
with these vendors?

130
00:10:37,840 --> 00:10:40,960
Speaker 1: Okay, so what we're doing we are on a daily

131
00:10:41,039 --> 00:10:48,440
basis collecting and normalizing all the data exist on any

132
00:10:48,799 --> 00:10:53,840
security advisories in the industry today. So we're collecting the

133
00:10:53,960 --> 00:10:59,240
data from the security advisories from the vendor website. We

134
00:10:59,480 --> 00:11:04,879
normalize the data, we structure the data, and for the

135
00:11:05,159 --> 00:11:09,919
very first time in the industry, we managed to create

136
00:11:10,240 --> 00:11:17,600
one universal repository that includes all the security data, including

137
00:11:17,679 --> 00:11:23,799
the vulnerabilities and the mitigation and remediation for any device

138
00:11:24,000 --> 00:11:32,039
exists in the industry today. And what those vendor can

139
00:11:32,120 --> 00:11:37,840
do together with us, they can consume our data based

140
00:11:37,840 --> 00:11:42,080
on the devices they identified in the customer network. They

141
00:11:42,120 --> 00:11:47,159
can query our database and we will reply back with

142
00:11:47,399 --> 00:11:54,399
the vulnerabilities matched to the devices they identified, mitigation, remediation,

143
00:11:55,320 --> 00:12:00,679
software update, end of life data, and so on. And

144
00:12:00,720 --> 00:12:02,759
we are updating the data daily.

145
00:12:05,720 --> 00:12:09,039
Speaker 2: So Andrew, I, while I was listening to her, just

146
00:12:09,200 --> 00:12:14,559
now decided to pull up any given CVE on NVD's website.

147
00:12:16,399 --> 00:12:18,279
We have a description of the problem, we have a

148
00:12:18,320 --> 00:12:22,720
score associated with just how severe the vulnerability is. We

149
00:12:22,759 --> 00:12:28,559
have hyperlinks to mitigation instructions and then various other information.

150
00:12:29,240 --> 00:12:33,440
So I guess what I'm wondering is what exactly the

151
00:12:33,440 --> 00:12:37,679
platform she's describing does so much more or better than

152
00:12:37,720 --> 00:12:40,559
what seems to me like a pretty comprehensive list of

153
00:12:40,600 --> 00:12:42,399
what I need to know about this vulnerability.

154
00:12:43,600 --> 00:12:49,399
Speaker 3: What Device Total has done is make the NVD

155
00:12:49,960 --> 00:12:55,840
machine readable because you know, to her point, if I

156
00:12:55,879 --> 00:13:00,720
have a refinery with I don't know how many CPUs

157
00:13:00,759 --> 00:13:04,200
in it. Let's say you know six thousand devices with

158
00:13:04,320 --> 00:13:07,720
CPUs in them, everything from PLCs to flow meters to

159
00:13:07,840 --> 00:13:13,200
you name it. And you know my question is not

160
00:13:13,759 --> 00:13:16,279
where's my search engine? I want to go to each

161
00:13:16,320 --> 00:13:20,360
one of my six thousand devices once a month and

162
00:13:20,519 --> 00:13:22,879
look up the device in the search engine. That's not

163
00:13:22,919 --> 00:13:26,519
what I want. What I want is to pay someone

164
00:13:26,679 --> 00:13:32,440
like Armis or Claroty or Dragos or Nozomi to tell

165
00:13:32,519 --> 00:13:36,399
me what devices I have, to tell me which of

166
00:13:36,399 --> 00:13:39,240
those devices are out of date, to tell me what

167
00:13:39,320 --> 00:13:42,159
mitigations are available for these out of date devices. I

168
00:13:42,200 --> 00:13:46,039
want someone to solve this problem for me. And so

169
00:13:46,960 --> 00:13:51,440
what we need under the hood of Nozomi and Dragos

170
00:13:51,440 --> 00:13:57,120
and whatnot is that machine readable database of vulnerabilities, because

171
00:13:57,279 --> 00:14:02,120
these platforms are the ones that are active in my refinery,

172
00:14:02,720 --> 00:14:05,720
scanning what devices I have, keeping track of what devices

173
00:14:05,759 --> 00:14:07,720
I have and where they are, and what their purpose is,

174
00:14:08,399 --> 00:14:13,279
and they need access to a constantly updated database of

175
00:14:13,759 --> 00:14:17,759
vulnerabilities so they can produce those reports about how much

176
00:14:17,840 --> 00:14:21,080
trouble I'm in for the devices I have. Does that make sense?

177
00:14:22,159 --> 00:14:25,399
Speaker 2: I see. So it's less that NVD doesn't provide the

178
00:14:25,440 --> 00:14:28,240
specific kinds of information we need. It's much more about

179
00:14:28,480 --> 00:14:31,879
making this information accessible and machine readable.

180
00:14:32,840 --> 00:14:36,399
Speaker 3: That's right, machine readable for the other vendors that need

181
00:14:36,639 --> 00:14:40,799
the data. Another thing that you know I was talking

182
00:14:40,799 --> 00:14:43,639
to Karmit after the fact I didn't capture in the

183
00:14:43,679 --> 00:14:47,519
recording is you know she pointed out, and it's it's

184
00:14:47,559 --> 00:14:52,120
public knowledge. If you google the NVD program and you

185
00:14:52,120 --> 00:14:56,000
know falling behind, you'll see an announcement from earlier this

186
00:14:56,159 --> 00:15:01,080
year saying, you know, we are falling behind. There's too

187
00:15:01,080 --> 00:15:06,080
many vulnerabilities. The program had had to not process all

188
00:15:06,120 --> 00:15:09,799
the vulnerabilities that were being disclosed to them. They prioritized

189
00:15:10,000 --> 00:15:12,759
what they thought were the most important vulnerabilities, but the

190
00:15:12,840 --> 00:15:16,919
database was falling behind. So that's another argument for a

191
00:15:16,960 --> 00:15:20,159
private vendor coming in here doing this, having someone pay them,

192
00:15:20,279 --> 00:15:23,039
rather than have the government do it and you know,

193
00:15:23,120 --> 00:15:25,320
be subject to the vagaries of I've only got so

194
00:15:25,399 --> 00:15:27,440
much budget, there's only so much I can do with

195
00:15:27,559 --> 00:15:31,759
that budget. You know, this is this is an opportunity

196
00:15:31,799 --> 00:15:34,039
for private industry to come in and do the job

197
00:15:34,120 --> 00:15:37,360
sort of thoroughly completely because they have the money to

198
00:15:37,399 --> 00:15:41,519
do it. So reflecting on this, Nate, what strikes me is,

199
00:15:41,879 --> 00:15:46,279
you know, I, in hindsight it makes perfect sense. But

200
00:15:46,440 --> 00:15:49,639
you know, until I realized what Device Total was about,

201
00:15:49,720 --> 00:15:52,759
I had no idea that such a company existed. If

202
00:15:52,799 --> 00:15:56,519
you think about it, you know, what's the value that's

203
00:15:56,559 --> 00:16:00,240
delivered by companies like Armis and Dragos, And that's sort

204
00:16:00,240 --> 00:16:05,399
of class of call it asset inventory and asset management solution.

205
00:16:06,519 --> 00:16:09,240
They scan your network, they figure out what assets you have,

206
00:16:09,559 --> 00:16:12,120
and they come back and tell you how vulnerable they are.

207
00:16:13,200 --> 00:16:16,279
And so they need their own Every one of these

208
00:16:16,360 --> 00:16:21,600
vendors needs a machine readable database of devices and vulnerabilities

209
00:16:21,600 --> 00:16:26,039
and ideally things like workarounds and compensating measures and fixes

210
00:16:26,080 --> 00:16:28,360
if they're available and where the fix is available. They

211
00:16:28,399 --> 00:16:30,919
need all of this so that they can present this

212
00:16:31,080 --> 00:16:35,360
in reports, they can present it in whatever to their customers.

213
00:16:36,879 --> 00:16:42,039
And before Device Total existed, I would have imagined that

214
00:16:42,240 --> 00:16:44,799
every one of these vendors would have to do this

215
00:16:44,919 --> 00:16:49,440
research on their own. And once they produce that database

216
00:16:49,440 --> 00:16:52,519
for their own internal use. My own guess is that

217
00:16:52,600 --> 00:16:56,120
they'd be reluctant to sell that database to somebody else.

218
00:16:57,279 --> 00:16:59,840
You know, why would they give their competitors a leg up.

219
00:17:00,279 --> 00:17:03,320
And so that, you know, in hindsight, produced the opportunity

220
00:17:03,320 --> 00:17:05,400
for someone like Device Total to come in there, do

221
00:17:05,440 --> 00:17:08,400
the job once, and sell the result. You know, if

222
00:17:08,400 --> 00:17:10,480
they can do the job in a sense better than

223
00:17:10,519 --> 00:17:13,799
any one vendor could do individually, there's huge incentive for

224
00:17:13,839 --> 00:17:17,000
these vendors to say, you know, instead of me doing

225
00:17:17,039 --> 00:17:22,480
this painfully manual process and producing an inferior result, just

226
00:17:22,640 --> 00:17:26,720
buy the data from Device Total. So makes sense in hindsight.

227
00:17:26,799 --> 00:17:29,440
But you know, before I talk to Karmit, I had

228
00:17:29,480 --> 00:17:35,079
no idea that this sort of niche and the ecosystem existed. Okay,

229
00:17:35,160 --> 00:17:38,039
so it's starting to become clear to me. You're saying

230
00:17:38,279 --> 00:17:42,839
that the kinds of vendors like Dragos, Nozomi, Claroty, that

231
00:17:42,960 --> 00:17:44,799
kind of vendor is your customer.

232
00:17:46,240 --> 00:17:50,519
Speaker 1: So that kind of vendors, Yes, so we work with

233
00:17:50,839 --> 00:17:56,160
any platform that has asset management and asset discovery solution,

234
00:17:56,920 --> 00:18:01,440
and those kind of customers using our data as a

235
00:18:01,519 --> 00:18:06,039
layer of intelligence on top of their asset discovery and

236
00:18:06,160 --> 00:18:11,720
asset management capabilities so they can give better visibility and

237
00:18:12,319 --> 00:18:16,599
data that they don't have today, like the mitigation, remediation,

238
00:18:17,200 --> 00:18:22,000
end of life data for any IoT and OT devices

239
00:18:22,279 --> 00:18:27,480
exists in their customers network. On top of that, our

240
00:18:27,559 --> 00:18:35,960
customers will also be large scale organization service providers, SOC companies.

241
00:18:36,880 --> 00:18:41,960
Their problem is that they are using different asset management discovery,

242
00:18:42,039 --> 00:18:45,440
different tool and some of them that are doing even manually.

243
00:18:46,480 --> 00:18:50,359
Our capability is in the fact that we are capable

244
00:18:50,519 --> 00:18:56,880
to digest any asset inventory list from any source, whether

245
00:18:56,960 --> 00:19:00,880
if it's manually or from the asset discovery, and we

246
00:19:01,160 --> 00:19:06,599
provide the layer of intelligence on top of that data,

247
00:19:06,920 --> 00:19:11,920
and we will provide on a daily basis the accurate vulnerabilities,

248
00:19:12,480 --> 00:19:18,119
accurate mitigation action, what softwares we need to do software

249
00:19:18,200 --> 00:19:24,359
update to, under what priority work are the workarounds available

250
00:19:24,519 --> 00:19:28,359
from the vendor. And with all those data, we will

251
00:19:28,400 --> 00:19:33,000
also provide the prioritization based on the risk and the

252
00:19:33,039 --> 00:19:36,519
criticality for the end customer.

253
00:19:39,839 --> 00:19:43,279
Speaker 3: So it's something subtle in there that that I'm not

254
00:19:43,319 --> 00:19:48,240
sure everyone caught. You know, It's it's clear that the

255
00:19:48,279 --> 00:19:53,960
asset management vendors are potential customers of this, you know,

256
00:19:54,200 --> 00:20:01,839
database of vulnerabilities. But Karmit also mentioned service p you know,

257
00:20:01,960 --> 00:20:03,880
think I don't know a big oil company with one

258
00:20:03,960 --> 00:20:06,359
hundred and fifty sites, each of which is you know,

259
00:20:06,400 --> 00:20:11,599
a multi billion dollar asset. These big organizations tend to

260
00:20:11,640 --> 00:20:15,519
have central security operation centers. They tend to insource, they

261
00:20:15,559 --> 00:20:19,480
do that themselves. And you know, these centers tend to

262
00:20:19,519 --> 00:20:23,279
have automation. They've got you know, they buy you know,

263
00:20:23,359 --> 00:20:27,279
one or six of each kind of tool, and they

264
00:20:27,400 --> 00:20:29,880
generally have their own automation, their own code that they've

265
00:20:29,960 --> 00:20:32,680
they've invented to pull it all together, and you know,

266
00:20:33,039 --> 00:20:39,039
automate the job of managing vulnerabilities, managing incidents, managing everything.

267
00:20:40,400 --> 00:20:44,599
The second sort of customer she she mentioned very fast

268
00:20:45,359 --> 00:20:49,000
was service providers. You know, security as a service is

269
00:20:49,039 --> 00:20:52,920
a thing, even in the OT world. A lot of people, don't,

270
00:20:53,279 --> 00:20:57,720
you know, People smaller than the biggest companies need a

271
00:20:57,759 --> 00:21:01,440
security operation center, but don't want to staff their own.

272
00:21:01,519 --> 00:21:03,720
They might not be quite big enough to staff their own.

273
00:21:03,759 --> 00:21:06,160
Even if they are a little bit big enough, you know,

274
00:21:06,559 --> 00:21:08,160
this may not be what they want to focus on.

275
00:21:08,200 --> 00:21:11,319
And so there's a fair number of service providers out

276
00:21:11,319 --> 00:21:14,759
there that will uh say, we will manage we will

277
00:21:14,799 --> 00:21:17,000
look at your alerts, We will you know, manage your

278
00:21:17,000 --> 00:21:20,000
security for you and raise the alarm if if you

279
00:21:20,039 --> 00:21:23,359
need to do anything, and you know, send your reports

280
00:21:23,400 --> 00:21:25,960
about your assets and do all of the things that

281
00:21:26,200 --> 00:21:31,039
a SOC does. And again, these service providers one, you know,

282
00:21:31,079 --> 00:21:35,519
they compete based on the knowledge the domain of their

283
00:21:35,720 --> 00:21:39,160
their security analysts, their experts, their people. But they also

284
00:21:39,240 --> 00:21:41,920
compete to a degree with technology. Yeah, they buy a

285
00:21:41,960 --> 00:21:44,880
bunch of you know, off the shelf technology to gather

286
00:21:44,960 --> 00:21:47,039
data and manage alerts. But again they tend to have

287
00:21:47,599 --> 00:21:50,480
some of their own technology that sort of is their

288
00:21:50,519 --> 00:21:54,960
special sauce adds their their their special flavor to the

289
00:21:54,960 --> 00:22:00,160
the security as a service offering. And that class of

290
00:22:00,400 --> 00:22:04,559
vendor service provider might also benefit from access to a

291
00:22:04,599 --> 00:22:08,920
vulnerability database from from time to time to you know,

292
00:22:09,559 --> 00:22:12,440
to produce their own automation and make their own people

293
00:22:12,480 --> 00:22:15,839
more effective in the space. So that, you know, that

294
00:22:15,960 --> 00:22:20,599
was something that went by fast and struck me as interesting.

295
00:22:24,200 --> 00:22:28,279
Sounds like you are competing with the NVD, the National

296
00:22:28,359 --> 00:22:33,599
Vulnerability Database. Do you have a search engine where people

297
00:22:33,720 --> 00:22:35,799
like me could search your database?

298
00:22:36,759 --> 00:22:40,400
Speaker 1: Yes, we do have that capability. Our customers can log

299
00:22:40,559 --> 00:22:48,279
into the portal and they look manually for devices. One

300
00:22:48,319 --> 00:22:52,200
of our main capability and a very unique one, is

301
00:22:52,200 --> 00:22:58,119
that we enable customer to identify the security posture of

302
00:22:58,279 --> 00:23:03,319
devices even before purchasing the device. So we

303
00:23:03,359 --> 00:23:09,200
give our customers to get visibility and impact on any

304
00:23:09,279 --> 00:23:15,079
device existing in the industry, even before purchasing that. Now, comparing

305
00:23:15,279 --> 00:23:19,240
us to NVD, we just don't do what NVD

306
00:23:19,359 --> 00:23:27,880
does. NVD, the goal of NVD is to match vulnerabilities and

307
00:23:28,039 --> 00:23:34,799
provide data on vulnerabilities. NVD doesn't look at the risk

308
00:23:35,359 --> 00:23:43,000
from a device perspective. NVD doesn't consider the relationship between

309
00:23:43,079 --> 00:23:48,519
different devices in the network and that impact. NVD doesn't

310
00:23:48,559 --> 00:23:55,160
have the mitigation, doesn't provide remediation, doesn't provide workarounds, end

311
00:23:55,200 --> 00:23:59,920
of life data. NVD doesn't have the data that or

312
00:24:00,039 --> 00:24:01,920
organization nowadays need.

313
00:24:02,839 --> 00:24:06,599
Speaker 3: Can you talk about your reception? You know, how what

314
00:24:06,599 --> 00:24:09,039
what's the experience of your customers? Like what you know?

315
00:24:09,079 --> 00:24:12,759
How did how did they receive the you know, the

316
00:24:12,880 --> 00:24:14,519
knowledge that that you existed.

317
00:24:15,599 --> 00:24:18,319
Speaker 1: I can share with you that when we just started,

318
00:24:18,799 --> 00:24:22,759
we went to one of the largest organizations Fortune five

319
00:24:22,799 --> 00:24:27,960
hundred organization in the US and he said, listen, we

320
00:24:28,119 --> 00:24:31,799
work with all the vulnerability management tools exist in the

321
00:24:31,799 --> 00:24:36,799
industry today, show us what you have. But it was

322
00:24:36,920 --> 00:24:42,440
like very suspicious. He wanted to see another option, but

323
00:24:42,640 --> 00:24:48,799
was very suspicious. And when we actually show him the data,

324
00:24:48,920 --> 00:24:54,680
he was, he was, he really liked that. He really

325
00:24:54,799 --> 00:24:58,680
liked that because so we managed to solve him so

326
00:24:58,920 --> 00:25:02,799
many problems that he needed to do manually that he

327
00:25:02,880 --> 00:25:06,559
needed to check the vendor, to go online and to

328
00:25:06,759 --> 00:25:12,880
validate the data for critical devices. He was very surprised

329
00:25:12,920 --> 00:25:18,839
that he can add devices manually, not from assets management,

330
00:25:19,000 --> 00:25:23,359
and still can get the data. He was amazed because

331
00:25:24,400 --> 00:25:31,400
understanding the impact of new devices before purchasing them doesn't

332
00:25:31,519 --> 00:25:37,920
even cross his mind that it's an option and not

333
00:25:37,920 --> 00:25:42,200
not just that. The one of the unique things that

334
00:25:42,240 --> 00:25:46,839
we bring is also the mitigation and the remediation. So

335
00:25:46,880 --> 00:25:51,200
for the very first time, he doesn't need to pay

336
00:25:52,599 --> 00:25:58,920
for very expensive tools to give them the problem. Now

337
00:25:58,960 --> 00:26:02,400
he can also know what's the solution for all the

338
00:26:02,480 --> 00:26:07,640
vulnerabilities that were identified on this network and under what

339
00:26:07,839 --> 00:26:12,319
priority to solve, to mitigate that. So it's a

340
00:26:12,440 --> 00:26:16,839
it's a it's a really game changer for the end customers

341
00:26:16,880 --> 00:26:21,839
themselves and obviously for companies that has the assets management

342
00:26:21,880 --> 00:26:26,359
capabilities that wants to give higher value to their customers.

343
00:26:27,400 --> 00:26:30,200
Speaker 3: You've been doing this for a while, Can I ask you,

344
00:26:30,200 --> 00:26:32,440
you know, where are you at? What's coming next?

345
00:26:33,279 --> 00:26:38,039
Speaker 1: Today we're focusing and I'm primarily focusing on the IoT

346
00:26:38,519 --> 00:26:43,279
and the OT industry because of everything that we talked

347
00:26:43,319 --> 00:26:48,359
about today. This is where an organization have a very

348
00:26:48,400 --> 00:26:53,640
significant problem. But as device, our goal is to cover

349
00:26:54,079 --> 00:26:58,839
any device exists in the industry and any device exists

350
00:26:58,960 --> 00:27:05,799
in a network, and our next stage is to add

351
00:27:05,920 --> 00:27:13,160
all the IT devices and software into our platforms as well.

352
00:27:14,119 --> 00:27:15,400
That's what we are working on.

353
00:27:16,200 --> 00:27:19,119
Speaker 3: So that's a little bit surprising. I mean, in my experience,

354
00:27:19,279 --> 00:27:23,519
a lot of the cybersecurity technology that's in the OT

355
00:27:23,720 --> 00:27:27,759
space starts in the IT space and then expands to

356
00:27:27,880 --> 00:27:32,279
include the weirdness of the OT space. You're doing it

357
00:27:32,279 --> 00:27:33,039
the other way around.

358
00:27:34,200 --> 00:27:39,880
Speaker 1: Apparently we're not most people. What we're doing is very different.

359
00:27:40,119 --> 00:27:43,920
We didn't change only that approach, we also change the

360
00:27:44,000 --> 00:27:48,880
other approach. So we created a new segment in the industry.

361
00:27:49,559 --> 00:27:56,759
What we're doing is data science for cyber security. Okay,

362
00:27:56,880 --> 00:28:02,039
we are a data science company for cyber security in

363
00:28:02,079 --> 00:28:07,119
a very specific approach for devices. We decided to start

364
00:28:07,200 --> 00:28:12,160
from the IoT and the OT industry just because there

365
00:28:12,200 --> 00:28:16,079
is no alternative to that, right? And the reason for

366
00:28:16,240 --> 00:28:22,200
that is that organizations today cannot install client or agent

367
00:28:22,640 --> 00:28:27,039
on IoT and OT devices and that's why it's a

368
00:28:27,079 --> 00:28:31,880
significant problem. And we, as a startup company, need to

369
00:28:32,039 --> 00:28:35,880
start where we see the biggest potential. So we started

370
00:28:36,000 --> 00:28:41,480
there and now we are expanding for the IT industry.

371
00:28:43,119 --> 00:28:46,119
Speaker 3: It sounds like you have more data than the NVD.

372
00:28:47,359 --> 00:28:49,720
I'm curious, are you working with the NVD?

373
00:28:50,000 --> 00:28:52,279
Are they going to use your data in the future?

374
00:28:53,200 --> 00:28:57,720
Speaker 1: So our business model is to sell data. We're the

375
00:28:57,759 --> 00:29:01,960
only company in the industry that has this data,

376
00:29:02,559 --> 00:29:06,039
and we're the only organizations today that are doing that.

377
00:29:06,920 --> 00:29:14,920
We are normalizing, fixing, and constantly updating the data for

378
00:29:15,119 --> 00:29:18,960
any device exists in the industry and the only ones

379
00:29:19,079 --> 00:29:23,200
that are doing so. So NVD should

380
00:29:23,279 --> 00:29:26,319
use and benefit a lot from using our data as

381
00:29:26,400 --> 00:29:31,400
well as any other organization. I see NVD as a

382
00:29:31,559 --> 00:29:35,519
great potential customer for us.

383
00:29:36,640 --> 00:29:40,039
Speaker 3: Cool. So you know I learned something this episode I

384
00:29:40,079 --> 00:29:42,680
had before I talked to you, folks. I had no

385
00:29:42,799 --> 00:29:48,400
idea that anyone was doing this. So you know, thank

386
00:29:48,440 --> 00:29:51,599
you for doing this good work. Thank you for joining

387
00:29:51,680 --> 00:29:53,920
us on the podcast. Before I let you go, can

388
00:29:53,960 --> 00:29:56,920
you sum up what is sort of the key lessons

389
00:29:56,920 --> 00:29:58,799
to take away from our interview here.

390
00:30:00,079 --> 00:30:03,319
Speaker 1: So the key lessons for us today is that

391
00:30:05,440 --> 00:30:12,119
managing vulnerabilities on IoT and OT devices can be easy,

392
00:30:12,519 --> 00:30:18,759
can be done, and can be easy. Our capability is

393
00:30:18,799 --> 00:30:24,039
to provide all the vulnerabilities on any device. Actually we

394
00:30:24,400 --> 00:30:29,000
give a commitment that we cover any IoT and OT device,

395
00:30:29,680 --> 00:30:37,200
provide vulnerability, the mitigation, remediation, end of life data, and

396
00:30:37,920 --> 00:30:42,759
we manage to create data that doesn't exist in the

397
00:30:42,880 --> 00:30:47,680
industry today and no one is doing that today. And

398
00:30:47,839 --> 00:30:52,319
welcome everyone to use to go to our website at

399
00:30:52,400 --> 00:30:58,920
deviced dot com you and sign up for a free demo,

400
00:30:59,559 --> 00:31:03,519
Connect me on LinkedIn as well, and feel free

401
00:31:03,559 --> 00:31:06,599
to reach out. Thank you and thank you for inviting

402
00:31:06,720 --> 00:31:08,599
me today. Highly appreciate it.

403
00:31:12,160 --> 00:31:16,720
Speaker 2: Andrew, that concludes your interview with Karmit Yadin. To take

404
00:31:16,799 --> 00:31:20,119
us out here, I'm wondering she seemed to suggest that

405
00:31:20,960 --> 00:31:26,640
this platform, this service was broadly applicable to all industrial

406
00:31:26,759 --> 00:31:31,880
IoT sorts of devices. But is there any particular industry

407
00:31:32,119 --> 00:31:36,480
that might need this more than others because for one

408
00:31:36,559 --> 00:31:38,599
reason or another they were having trouble with this kind

409
00:31:38,599 --> 00:31:39,440
of thing before.

410
00:31:40,079 --> 00:31:42,720
Speaker 3: That's a good question, and you know, on many previous

411
00:31:42,759 --> 00:31:47,000
episodes we've had discussions of how difficult it is to

412
00:31:47,039 --> 00:31:51,599
patch certain kinds of industrial systems. But what I find

413
00:31:51,799 --> 00:31:56,119
in my own customer base is that pretty much everybody

414
00:31:57,000 --> 00:32:01,359
needs the knowledge. So heavy industry where there's safety critical

415
00:32:01,359 --> 00:32:06,720
functions and there's an extreme reluctance to patch, still wants

416
00:32:06,759 --> 00:32:09,599
to know how much trouble they're in so that they can,

417
00:32:09,880 --> 00:32:12,559
you know, when new information is available, they can reevaluate

418
00:32:13,039 --> 00:32:17,519
the effectiveness of their compensating measures because they can't patch,

419
00:32:17,640 --> 00:32:19,079
but they need to know how much trouble they're in

420
00:32:19,119 --> 00:32:21,279
so that they can figure out have I got enough

421
00:32:21,519 --> 00:32:26,119
and the right kind of compensating measures in place? Sort

422
00:32:26,119 --> 00:32:30,880
of less consequential, Let's say, you know, manufacturing that is

423
00:32:31,000 --> 00:32:36,200
less safety critical tends to patch more aggressively, and so

424
00:32:36,640 --> 00:32:39,200
they need to know what patches are available and which

425
00:32:39,200 --> 00:32:41,680
are more important than others so that they can get

426
00:32:41,720 --> 00:32:46,759
those patches applied. So, in my experience, sort of everybody

427
00:32:46,839 --> 00:32:49,519
wants this knowledge and they're going to use it for

428
00:32:49,599 --> 00:32:53,720
different purposes. What struck me about the episode was sort

429
00:32:53,759 --> 00:32:57,720
of lifting the lid on how all that asset management

430
00:32:57,759 --> 00:33:01,160
stuff works. I really did know that there was you know,

431
00:33:01,400 --> 00:33:04,240
I did not know there was this, this opportunity in

432
00:33:04,279 --> 00:33:10,039
the ecosystem for a data science a service provider providing

433
00:33:10,359 --> 00:33:15,160
a lot of data and you know, now I know

434
00:33:15,240 --> 00:33:18,200
that you know these people exist. It's it's a sort

435
00:33:18,240 --> 00:33:23,039
of a look behind the scenes. I found interesting. I

436
00:33:23,079 --> 00:33:25,960
was also happy, for the first time in my life

437
00:33:25,960 --> 00:33:29,839
to have a concrete example of data science. I heard

438
00:33:29,880 --> 00:33:32,119
the phrase before and always scratched my head, going, what's

439
00:33:32,160 --> 00:33:35,839
that you know, new fangled language. Well, here is a

440
00:33:35,960 --> 00:33:39,319
very large amount of data that needs to be managed,

441
00:33:40,240 --> 00:33:43,160
needs to be made available to lots of different kinds

442
00:33:43,160 --> 00:33:47,839
of consumers, from people to you know, machines that do

443
00:33:49,119 --> 00:33:53,200
asset management, to machines that that you know, draw conclusions

444
00:33:53,240 --> 00:33:56,160
about Well, if you have these vulnerabilities and those vulnerabilities

445
00:33:56,200 --> 00:33:59,319
in the same network, you might be subject to this

446
00:33:59,440 --> 00:34:03,200
sort of your problem. That kind of analytics, you know,

447
00:34:03,279 --> 00:34:07,319
might even be AI based. These are all services you

448
00:34:07,359 --> 00:34:11,199
can provide conclusions you can draw once you have machine

449
00:34:12,360 --> 00:34:15,840
machine access to the data, so you know, data science

450
00:34:15,920 --> 00:34:20,199
for for OT security. It's nice to have an example.

451
00:34:20,800 --> 00:34:23,320
Speaker 2: Well, thank you to Karmit for speaking with you, Andrew.

452
00:34:23,320 --> 00:34:26,000
And Andrew, as always, thank you for speaking with me.

453
00:34:26,400 --> 00:34:27,920
Speaker 3: It's always a pleasure. Thank you, Nate.

454
00:34:28,280 --> 00:34:32,280
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

455
00:34:32,280 --> 00:34:34,039
to everyone out there listening.

