Recent Webinar: Anatomy of a 2021 Cyber Attack
Part of the Sightline & Unisys Joint Cybersecurity Webinar Series
Hosted by Unisys’ Lance Vaughn along with Sightline Systems’ Brandon Witte, this 1-hour webinar explores the following questions with an eye towards the future of cybersecurity within manufacturing:
- Where do attacks originate and infiltrate systems?
- What are the stages and lifecycle of a modern attack?
- Why are manufacturers now at an all-time high risk of a breach?
- How can data intelligence and cybersecurity work together to identify & shut down potential risks?
Renee Davidson:
Good morning, everyone. Thank you for joining us today. I’m Renee Davidson, Director here at Sightline Systems and today’s moderator. In today’s webinar, Anatomy of a 2021 Cyber Attack, we will be exploring the cyber threats facing the manufacturing industry in 2021 and beyond, and the steps you can take to defend against them.
Sightline Systems and Unisys have over a 20-year partnership. Our speakers today are Brandon Witte, CEO at Sightline Systems, and Lance Vaughn, Vice President of Global Security and Alliances at Unisys and they will address the following questions:
- Where do attacks originate and infiltrate systems?
- What are the stages and lifecycle of a modern attack?
- Why is manufacturing now at an all-time high risk of a breach?
- How can data intelligence and cybersecurity work together to identify and shut down potential risks?
All participants will be in listen-only mode. We will conduct a Q&A session at the end of the presentation, I ask all participants to post their questions throughout the webinar by submitting them on the Q&A button at the bottom of your screen. With that, I’m going to hand it over to our speakers: Brandon and Lance.
Brandon Witte:
Great. Thanks, Renee. My name is Brandon Witte. And as Renee said, Lance Vaughn is also with us today to go into some more detail regarding the anatomy of cyber attacks.
So, we’re gonna frame this in the context of the cyber threats targeting manufacturing environments, but the concepts we’re going to go over apply to just about any industry out there.
Looking at manufacturing, we’ve seen over the last several years a tremendous increase in the number of attacks targeting manufacturing environments.
With that, we’re going to go through a little background on how this has come to be and then exactly how they’re [cyber attackers] doing it and steps that you could potentially use to protect yourself against these attacks.
So a lot of this is related to the concept of the Smart Factory or Industry 4.0; many folks are really looking at those as buzzwords. But, from my perspective, I look at this as taking advantage of technology to help improve operations within the manufacturing environment. So, taking advantage of storage, high power computing capabilities, data processing and analytics, to try and make operations more efficient and better.
Doing these things makes a lot of sense in terms of the benefits it can provide to an organization. According to several analysis studies that have been done, it can provide as much as a 12% increase in labor productivity, increase capacity utilization of your lines by over 11%, and ultimately improve production output by as much as 10%. So, there are a lot of valid reasons, or good reasons, to be implementing the Smart Factory concepts, as well as Industry 4.0.
This new technology and these capabilities, though, create new vulnerabilities and complexities within the environment. So, in the past, where we had serial-to-serial communications and closed networks controlling manufacturing operations, there are now more and more new interfaces being introduced: Ethernet to fiber, fiber-connected devices, as well as new protocols: Ethernet instead of serial, and PTT, Modbus, and all these different types of protocols to connect devices across the environment.
These new networks are expanding. So, beyond just the ICS control systems, we’re seeing the environment connected to corporate IT, to the cloud for storage, and even to other factories so that they can collaborate and share information. All of this creates new vulnerabilities and requires additional technology to try and safeguard it: firewalls, secure Wi-Fi, and things like that.
So, I’m going to turn it over to Lance for a little bit to talk more about some of these new threats and risks that are facing these environments due to this new technology.
Lance Vaughn:
Thanks, Brandon. I think at a high level, the threats that we’re seeing are similar to the threats that we’re seeing in other verticals, but they are now becoming more and more prevalent in the manufacturing space, primarily because there’s a lot of low-hanging fruit in those environments: a lot of legacy systems and a lot of OT systems that are not secured. What started off with attacks initially trying to just steal data and pull data out of environments has now transitioned into ransomware types of attacks, where they’ll literally encrypt the data and prevent the manufacturing operations systems from being able to access the data, which typically leads to shutdowns. Over the past year or so we saw major attacks similar to this at Mitsubishi, Honda, and there were a bunch of others. Some were reported, some weren’t, but fundamentally they had some of the same issues: once an attacker got into a network, they were able to move pretty freely and pretty easily, laterally, across the network. So, in other words, if malware or an attacker was in the network, the network was pretty available to them to move and to go after different assets and different data types.
What we see currently happening is another shift, from a pure ransomware attack, where an attacker is looking to encrypt all the critical data that’s required in a manufacturing environment, which leads to shutdowns of systems and operations, and then collects the ransom to release the keys to decrypt the data, to a hybrid approach where they’ll not only encrypt the data, but they’ll also exfiltrate the data out of the environment. We’ve seen cases where organizations have said, “Yeah, we’re not going to pay the ransom, we have backups, we can bring those backups in and restore the systems.” And the attackers are smart enough to realize that, okay, well, if you’re not going to pay the ransom, then I also have a copy of your data, and I’m just going to release it to the internet, or I’m going to sell it. So, they’ve got you in a couple of different ways there.
But I would say that primarily, the issues are around those kinds of attacks, and the way that they’ve been getting into the environments is what’s listed on this slide. Some of the key ones are certainly phishing, maybe more specifically, spear phishing. Phishing is more of a broadcast type of hope that someone will click on a certain link, where spear phishing is much more targeted: they do the research and understand the players and the environment, and they can start to send out targeted messages that look like they originate from folks inside the environment, which are much more likely to be clicked on.
In addition to that, we’ve seen some significant attacks from the supply chain. Manufacturers especially are vulnerable to this because they often have multiple third-party vendors that are tied directly into their networks. One example that is also a supply chain example is the SolarWinds example, where you had SolarWinds in an environment and it was connected to multiple systems. And once that compromise took place, those systems were compromised. And then I think the last one that we see a fair amount of is just the insider threat, whether it’s someone that’s not happy or who wants to create some kind of espionage or some other situation in the environment. I would say those are the three main things. And then, like I said, once the attacker gets into the environment, or is able to get some kind of malware into the environment, the ability for that malware or that attacker to move freely across the network is a critical concern.
And I think the four main things that any organization should be looking at, but especially in the manufacturing space, where you have a lot of OT and things like this, are, first and foremost, segmenting the network; having some sort of visibility into the environment, being able to see what’s going on so that you can address and alert on those things; the alerting piece is key, being able to alert various systems and folks in the environment so that they know what’s going on; and then finally being able to take action, having some way to respond to these attacks in a really expedient way. Because it doesn’t take long for these attacks to spread very quickly across the network. So you’re talking really in minutes; you have to be able to respond. Those are the main things I would say really need to be addressed, and some of the concerns that we’re seeing in the space.
From an attack perspective, there are several different models that have been created over the years. I think Lockheed Martin, back in 2011, came up with the concept of a cyber attack chain or kill chain. And the idea was to identify various aspects of the attack, and then figure out how you can address each one of those, because the concept would be, if I can prevent any one of these particular elements or stages, then I can basically stop the attack. Now, there are different iterations of this. Then MITRE got together with Lockheed Martin, and they came up with a Unified Kill Chain, which is even more detailed; it’s about 18 steps.
But I think, on this slide, the six main ones that are present in all of the various models are, first and foremost, reconnaissance. Most attacks will start with a reconnaissance phase, the ability to look at an environment and understand what’s there, being able to get an asset inventory, understand what operating systems are out there, what hardware devices, what patch levels, those kinds of things. So, reconnaissance can be really the key point for being able to take the next step. If you’re able to deploy solutions that kill the attack chain at the reconnaissance phase, you’re way ahead of the game, because if you can stop an attacker from understanding what’s in your environment, they can’t move on to the next steps. And we’ll talk about this in a little more detail. But this is really one of the fundamental places to stop the attack before it’s able to get any further into the environment.
The second aspect is, okay, now that I know what’s in the environment, how do I weaponize my payloads and get them into place? How do we exploit whatever vulnerabilities are in the systems and deploy the payload so it’s ready to go? And generally speaking, in the analysis we’ve done over some of the big attacks, this is a very carefully thought-out process; the attackers are very careful in when they deploy these things. Oftentimes, they’ll deploy it and they’ll let it sit for weeks, months, in some cases years, and it will just sit there; you won’t even know it’s there, because they don’t want to tip anyone off as to what they’ve deployed in the environment. So it’s getting that toehold in the environment and having your exploits sitting there ready to go.
The next general category is actually going after the vulnerabilities and launching the initial breach. So now you’re spreading, now you’re moving across the network. This is really where segmentation comes into play, especially micro-segmentation. And by that, I mean the ability to start to carve up your network so that it’s not as open; data flows are not allowed unless they’re specifically allowed. So this concept of segmentation, zero trust really, from an internal perspective, making sure that malware and users do not have access to anything that they shouldn’t have access to, will really go a long way in this initial breach phase. But assuming that the initial breach happens and the malware has spread, the next step is the exploitation. So now, in the case of ransomware, for example, which has primarily been the type of attack we’re seeing in the manufacturing space, the files on those systems are starting to be encrypted. This happens very rapidly, and it happens across multiple systems at the same time. And what ends up happening then is, as that data is encrypted, the other systems and assets in the environment that are reaching back to pull that data are no longer able to read it, because it looks like it’s corrupted, and now things start to shut down.
So being able to prevent the exploitation: once they’ve done the encryption piece, you’re already in a bad situation; some of the supply lines might be shutting down and things like that. But then that moves into the next phase, which is really the control, where now that some of those systems have been locked down and encrypted and the data is unavailable, the malware oftentimes reaches out to what we call command and control, which is typically a server on the internet. And it’ll either do that so that it can exfiltrate some of the data out of the environment, so that the attacker has a copy of it or can steal the intellectual property, or it can also be used to send further control messages to the malware. So now the attacker has full control of the environment, and now they can manipulate it using human types of controls, as opposed to pure automation. So that’s another key aspect: even if your systems were encrypted and taken down, you really want to be able to prevent this control from happening, and the further capabilities and further commands that are going to be sent down.
And then, of course, the spread is not only in the initial environment that it started out in; it’ll spread across the remote offices and data centers, into the cloud, and to your third-party suppliers and things like that. So this is really the final step. Once they’ve taken what they came for, and they’ve taken control, now they can really spread out and even go outside of your particular organization.
Brandon Witte:
That’s great, Lance. And speaking about control, or when the breach is happening, as you mentioned, we’re seeing lots of examples where these things are lying in wait. So the implications of these attacks, or the speed at which these are deploying, or the phases of the weaponization, I don’t know if that’s a word or not, but that piece of it has some extremely sophisticated elements to it, where it could be gathering information and being very careful about how much or how little information is being transmitted back for the strategy that they’re using to do the attack.
Lance Vaughn:
Yeah, I completely agree. I think that’s probably one of the things that’s most shocking with the latest series of attacks: the level of care that’s taken as the attacker comes into the environment. Even with the SolarWinds attack, and all the reports and analysis that I’ve read about that, there was an extreme level of care that was taken by the attackers to make sure that no one was aware of it, because they put a lot of work into getting into this environment. Look at these phases. I mean, the reconnaissance phase, the weaponization phase, these all take a lot of time. And if they tip their hat at any point, then they’re going to be exposed and it’s going to be a waste of time for them. So, they’re very, very careful, and not only in terms of how they recon the environment, but how they exfiltrate data: very slowly, very methodically, very carefully, over different channels, to make sure that they’re not triggering any alarms.
Brandon Witte:
Yeah, that’s a great point too. And I think as the technology and things continue to advance, we start to forget about some of these entry points that are being created. You mentioned phishing before, and looking for different ways to get into the environment to start potentially doing ransomware or something to that effect, and we see it probably in our homes. My doorbell is sending data to somewhere so that I can see the video of what walked in front of my house, or sensors that automatically update with new firmware, and the list goes on. I think even my car communicates somewhere, which could be detrimental.
Lance Vaughn:
Yes, I think one of the big things we saw during COVID-19, during this whole period, is that rapid move from working in the office to working at home. And, of course, this pertained to any organization that had an IT infrastructure, but it was especially detrimental to organizations that typically didn’t have folks working from home, so they weren’t really set up for it. And when they did get set up for it, or if they did have any capability to allow that, they were typically using a VPN, and that VPN was carrying the traffic from the edge of the home network all the way back into the edge of the data center that the work-at-home employees needed to get access to. The issue around that, and the things that we saw happening in real life, was that those home networks, and those devices on the home network, now had an encrypted channel back into the data center, and malware was able to come in and spread across those environments.
This is particularly dangerous when you have a remote worker accessing critical infrastructure or manufacturing environments remotely, because now the attacker’s in and that spread occurs. So as a way to combat that, you really have to look at, if you’re going to allow remote access, it really has to be end-to-end protected. It can’t just be protected from one edge of one data center to the edge of another, for example, because there are any number of ways an attacker can insert themselves, and once they’re in, they’re in. So, you really need to be looking at how to lock that down.
I think, fundamentally, encryption is the key to this. The attackers are using encryption; these ransomware attacks are all based on encryption. But I see a lot of organizations that are still using legacy technologies to try to fight this. You really have to fight encryption with encryption; you can’t use something less, because they’ll still win. So, I think a lot of this comes down to really locking down the points of contact, the data transmission, the data at rest. It’s all about securing that data, using whatever methodologies and means you have, and encryption is oftentimes the best way to thwart an attacker from being able to take over your environments using these techniques.
Brandon Witte:
So with that, I wanted to talk a little bit about preventing these cyber attacks and some of the techniques, and give a little background on a solution that Unisys and Sightline have put together called SIAS, to try and help make defending against cyber attacks a little bit easier and more effective. We’ve broken it down into two categories of strategies. One is the analysis, and the other is security. So, looking at the analysis side of things, you can collect real-time data and be watching that information, looking for unusual activity. The data can come from a variety of different sources and be used together to try and identify anomalies going on within the environment.
Then there’s the use of analytics and anomaly detection for alerting individuals or other systems that there’s a potential issue going on, as well as predictive forecasting and root cause: when something is looking strange, can you identify what might be causing that, or what caused that unusual activity or potential security breach?
And Lance, can you go through a little bit more on the security side, as far as what we first talked about: being able to take multiple elements of the analysis, the alerting, and the overall overview of the systems, knowing what they’re doing and things like that, and being able to connect it now to security? Because a lot of solutions either do one or the other, but they don’t do both.
Lance Vaughn:
So on the security front, if you start at the bottom with what I was talking about on segmentation, what we’re talking about is taking that segmentation to the next level, using cryptography to actually create very secure software-defined boundaries around assets in the environment. That includes the servers and laptops, but also the actual OT types of devices as well, being able to lock those down and prevent an intruder or malware from breaching into that segment, using cryptography. And then towards the top of this chart, the cloaking aspect: having an environment that has these encrypted boundaries, where these devices are protected using a virtual or software-defined encrypted boundary, but also being able to cloak those assets.
So going back to the initial phase of an attack, where an attacker is doing reconnaissance, there’s the ability to use cryptography to prevent that reconnaissance from taking place. So if I run a network scan in a manufacturing environment utilizing this technology, my typical results are going to be no devices found, zero hosts available, even though those devices are fully up and running and functioning and the lights are blinking, etc., and they’re providing whatever data they need to the overall manufacturing environment. From an outsider’s, from an unauthorized access, point of view, it looks like the device doesn’t exist. And again, it’s using cryptography to achieve that. And then the real key piece here is being able to take action. So even if an attacker were to get past all of this, there’s the ability to analyze the environment, to generate alerts that say, hey, I see a particular asset in the environment that looks like it might be compromised, it’s exhibiting signs of being compromised, and to take action and isolate that device instantaneously. And by instantaneously I mean within seconds. So this concept in the middle there of isolation, dynamic isolation, is again another cryptographic function, where you can take an alert and move a device out of a cryptographically defined environment and into another cryptographically defined environment on the fly, in real time, and really have the ability, which hasn’t existed until recently, to take those actions and provide that remediation on the fly, even in remote locations where you may not have a lot of staff. So these are some of the key concepts on the security side that this solution brings.
So if we take these concepts and apply them back to the different stages of a cyber attack, we can see how they apply to each phase, and why these things are so important to try and help prevent a cyber attack from causing significant damage to an environment. Yeah, I mean, for the first one, the reconnaissance, like I said, if you’re able to prevent that reconnaissance from taking place, our approach would be to use cryptographic cloaking. It’s a very powerful way to prevent an attacker from seeing. If you think about a traditional environment, where you might potentially have an internal firewall sitting in front of some devices to provide some segmentation,
I would argue it’s not enough, because the firewalls, while they may slow down some information, while they may slow the attacker down, at the end of the day the firewall won’t block everything. And it won’t provide the level of protection you really need for these advanced persistent threats, because eventually that data will start to leak through; eventually, someone will find a way to get through the firewall or figure out what the rule is and be able to get traffic through. And so really, what we’re talking about is a fundamentally different approach, using cryptographic cloaking to establish whether or not a device is allowed to talk to another device based on cryptography. And it’s a great way to shut down the reconnaissance phase.
From an initial breach perspective, as you said, if you can’t see things, you can’t get into them.
So the cloaking becomes a critical element to protecting, and it sounds like that almost tries to create environments similar to the isolated manufacturing networks, where machines were connected to each other with serial cables and weren’t connected to anything else on the network. So they were self-contained systems.
Yeah, exactly. And that was fairly secure, right, but now that the systems are starting to use IP and things like that, you open up a whole new way for attackers to get to the system. So yeah, I think fundamentally, what we’re saying is locking things down even to the device level, to make each device as secure as the next device sitting next to it, making that attack just so much harder than getting into a network: now that you’re in, you have to go through the whole phase again to break into each individual device, because they’re all secured.
I think, going around the circle, for the initial breach piece of it, again, the cloaking comes into play, but also the ability to identify what’s going on from the Sightline perspective: what you’re able to see and what you’re able to call out as something that looks anomalous.
I think also, looking at dynamic isolation, or being able to take action as fast as possible. So, you mentioned earlier that many of these things happen very quickly. If something were to infiltrate an environment, being able to identify that and take action, having a way of protecting or taking action very quickly, is certainly another way to protect them, or minimize the impact of a breach that might happen. Right. And I think for the exploitation aspect, it’s really locking down the environment with segmentation. So, again, if you can stop this at any one of these particular places on this attack chain, then you’re in pretty good shape. I would say that this is an important one, because, again, most of the environments that we see are fairly open, fairly flat; they don’t have a lot of segmentation. And part of that’s because it can be difficult to segment using traditional technologies; it can be a challenging thing.
If you can prevent that spread of the attack at the exploitation phase, if you can lock that down, and the attack is only able to get a toehold in, starting to encrypt files on a particular server in a particular segment, you’re still way ahead of the game, because in most cases that’s not the case. In most cases, it’s moving really rapidly across the environment, and in minutes you’ll see all your systems exhibiting that. And then, blocking all internet access, and again, this goes back to a zero-trust concept. And zero trust is basically, at a high level, the idea that unless you are specifically authorized, then you are absolutely not authorized. So you’re getting down to a point where you’re understanding how devices should connect to each other, what needs to connect to each other, and preventing [access from] anything else that’s not mandatory or required.
That would certainly include stopping internet access across multiple devices and preventing their ability to just access the internet. That’s really getting granular and saying you’re able to access this asset, on this IP address, on this port, and then again, using cryptography to ensure that that is the case, can be a powerful deterrent. And again, it stops the attacker from being able to reach back into the environment, or to be able to exfiltrate data out of the environment. And then the final piece, again, goes back to segmentation, but also to the cloaking: even if one aspect of the environment gets compromised, if you’re able to cryptographically cloak the rest of your environment, it won’t move any further than that. So there are multiple points on this attack chain where we can prevent the spread of an attack, using technologies that traditionally hadn’t been available before, and especially using cryptography and things like that.
Brandon Witte:
That’s great, Lance. And I think one of the key takeaways as well is that defending against these types of things is bigger than just the security group within an organization. It’s teaching people that security is part of everyone’s responsibility, and it’s in the applications and technologies that we bring into an environment, because I think a lot of times we’re not thinking about it from the perspective of what could this do to us if we put this in, so to speak, or we’re downloading a new application and not thinking about, as you mentioned, that it’s going to talk to the internet, which could be harmless, but could also be a way of exploiting an environment or bringing new risks into the organization that no one’s even aware of.
Lance Vaughn:
Yeah, absolutely. That is fundamentally the problem. And that’s the human factor, the weakest link.
So for those that are interested in learning a bit more about our approach to protecting environments, please don’t hesitate to reach out; we’d love the opportunity to talk more about our specific solution called SIAS, and the techniques and strategies that Unisys and Sightline have put together to protect environments from these types of attacks.
And I’d like to thank everyone for taking the time today, and hopefully you take away some new information regarding cyber attacks and things that can be done to protect against them.
I’ll turn it back over to Renee for Q&A.
Renee Davidson:
So, we’d like to now take a few minutes to address your questions. As a reminder, you can post your questions by clicking on the Q&A function at the bottom of your screen. We do have a few questions that have come in.
Question: This all sounds great, but I have a firewall. Can you explain the difference?
Lance Vaughn:
Yeah, so firewalls have been around for a long time; firewalls were originally designed to protect perimeters. And as organizations realized they needed to start to segment their networks internally, that was what we had to work with. So most organizations use internal firewalls to segment. The problem is it becomes very complex when you scale it out.
The firewall rules need management to make sense of them. I’ve seen several instances where firewalls have so many rules on them that they’re basically open, because somewhere in that rule set there’s an any-to-any that someone put in because they needed to get something done quickly, and they forgot to take it back out again. It happens all the time. So firewalls can still exist. But what we’re talking about here is taking it to the next level, rather than creating specific rules for particular assets in the environment using firewall rules and things like that.
Using cryptography, again, on the cryptographic cloaking piece: in other words, there’s basically a cryptographic challenge that takes place if one device wants to talk to another one, and if that challenge is failed, then there is no communication. That’s orders of magnitude more secure than any particular firewall rule, for example. But that’s not to say that we can’t coexist; we can. It’s really just taking it to the next level. And then, in addition, being able to encrypt the traffic across the environment, whether it’s in motion or at rest, really locking that down and preventing an attacker from getting access to it, or if they do get access to it, it’s encrypted, so they can’t do anything with it.
Renee Davidson:
Great. Thanks, Lance. Brandon, do you want to add anything to that?
Brandon Witte:
The only thing I was going to add to that was the point that the best defense is a layered approach. So all of these different technologies can come together to provide different layers of protection to put an organization in a better position.
Renee Davidson:
Okay, next question.
Question: What is the best BCDR strategy for manufacturing sites when we know for a fact that we can’t duplicate the sites but only have local or remote backups?
Lance Vaughn:
Yeah. I mean, that’s a big question. I mean, from my perspective, we’re working with several providers around backup and recovery and things like that. I would say, fundamentally, the one key thing is making sure that the data that you’re backing up is clean. There have been numerous instances where organizations have backed up the malware into their DR servers and recovery servers. And then when they go to bring the data back, it’s loaded with malware, and you’re right back to where you were. I would say, fundamentally, that’s the first thing.
Second is making sure that those backup servers and that data are locked down. You want to make sure that you have almost no access to that outside of what is absolutely required. Because again, we’ve seen situations where you backed up all your data, but somehow someone got into your recovery data and was able to infiltrate it. And now again, you’re backing up data that’s got malware, or some other compromise, built into it.
Brandon Witte:
Yeah, from a business continuity perspective, and the challenges with remote sites, a lot of this is trying to take advantage of the new technology so that you can improve operations, but provide some of the protections of that isolated network. So one of the components to this is being able to segment the environment better, so that you’re reducing the attack footprint, effectively letting the ICS systems run in a closed loop. And if something unusual is happening, even further protecting it. So if we look at something like the events that happened with Honda, they targeted very specific processes within their ICS system. What we’ve been reviewing is looking for things like that that have happened. So is a critical process suddenly not running any longer? Or are we seeing unusual activity from one of the systems that’s helping to keep operations going? But in order to ensure that the operations continue, being able to take immediate action on potential threats, whether that’s locking everything out of the system until the threat can be researched, can help potentially prevent an entire facility from going down completely, or infecting other facilities from the same type of piece. So it allows you to add those safeguards in to keep things from happening in the first place, but also some strategies as well for creating local backups that can be protected using the zoning and cryptography as well.
Renee Davidson:
Okay, great, we’ve got time.
Question: I have a lot of other endpoint security products, does this replace them? Do you work with those products? How would I proceed?
Lance Vaughn:
Yeah, on the security side, we certainly work with them. I’m not saying that we would displace all of them. They’re definitely really valid and useful and necessary endpoint security technologies. I think fundamentally, what we’re saying is that security should move down to the endpoint; the traditional approach of kind of a high 3000-foot view of the network and trying to look down and see what’s going on and “act and react” has not really worked out well, just in general terms. So I think, as a kind of general concept, you start to secure the endpoints at the endpoint using multiple tools. The last part of that answer, then, is yes, we do work with any other device. I mean, the devil’s in the details, but we’re typically working low in the stack to provide these capabilities. So if you’re familiar with the OSI stack, we’re between layer two and layer three. What I’m really saying is we’re not impacting the application layer; we’re not really having an effect on that. So we’ve successfully deployed this at scale across multiple organizations that use multiple endpoint technologies. We’ve never seen any real issues with it. In fact, I have a client that has 15 different agents on each of their endpoints and we work well there, and it’s mostly because of where we sit in that overall stack.
Question: So are you implying that we need to move towards implementing something like military protocols(e.g. STU III) on individual computers within a firm? What kind of costs are we looking at?
Lance Vaughn:
So maybe not implying that specifically. What I’m talking about, what we talked about in this discussion, does originate from the Department of Defense; it’s something that came out of those environments. Not necessarily different protocols; in this case, using regular TCP/IP protocols, for example. But what I’m saying is looking at your environment, getting the security down to the endpoint, securing the endpoints, but then using cryptography to cloak those assets, making it so that they can’t just communicate at will with anything in the environment. They’re really locked down, kind of starting to build out a zero trust model around it, encrypting the data in motion, for sure, between assets. Which also has the other benefit: if you say that an asset can only talk to this server or this database in the environment, and you have an encrypted channel between those assets, what you’re also saying is not only can no one see the data that goes across those wires if they’re not authorized to it, they don’t have keys. But you’re also saying that that data can’t go outside of its swimlanes. So it can’t just decide that it’s going to connect to something else; it’s really locked down to those things. So I think fundamentally, what we’re seeing is using more encryption, and trying to get security down to the endpoints, and trying to make it so that the endpoints are just as secure as a standalone as they are to the overall environment.
Question: Can you explain a bit more about how attackers can gain access via a VPN?
Lance Vaughn:
Yeah, so that’s kind of been a hotspot. I have another deck that I show where I’ve pulled probably 60 different headlines over the last year around VPN. The VPN issue became significant with COVID, as organizations went from 10% work at home to 100% work at home overnight. So there were multiple issues at a high level. One of the issues is the VPN, again, is generally a connection that’s running from a network edge to a network edge; it’s not generally point to point, device to device, device to application, that kind of thing. So you’re leaving areas where an attacker can insert themselves. In the case of a home user, for example, if there’s malware on the home user’s network, they can jump on that home user’s connection and ride that VPN all the way into the edge of the data center. Once they hit the edge of the data center, the VPN terminates, and now the traffic’s dumped into the data center and can pretty much go where it wants to go, unless the organization’s really taken on a significant micro-segmentation and segmentation project; that traffic’s pretty much running rampant across that flat network. The other aspect of the VPN that’s been challenging is that VPNs are typically a single point of failure or a bottleneck, right? So you have all your user base, again, going back to the home user, coming in to a single, or maybe more than one, but still via a VPN concentrator, for example. So we had seen a lot of attackers go after the VPN concentrator, either to try to compromise it or just to take it offline, launching DDoS attacks against it and things like that, making it so a user couldn’t even access their assets because the concentrator was no longer up and running. So there’s been a lot of issues with VPN. I think it serves a purpose.
But if you want to take it to the next level, you really want to look at kind of moving probably beyond a VPN and enabling secure communication paths, device to device, point to point, and further removing the ability for an attacker to insert themselves.
Question: In practice, isn’t that just an insurmountable number of rules that need to be defined and maintained to provide this layer of security, which ultimately still leaves me vulnerable if I don’t implement them? And isn’t that really hard to do?
Brandon Witte:
Well, maybe I’ll take the first shot. And I would say, yeah, traditionally it is. And traditionally, I would argue, that’s why it hasn’t been done: because it has been really challenging. And I think it goes back to the fact that we’re using technologies that really weren’t designed to do that, and trying to accomplish those kinds of things and getting down to that level. One of the things that we didn’t talk about in this discussion is that the approach we are advocating with this solution is not on an IP address or protocol, firewall rule basis; it’s much more on an identity basis. So in other words, being able to take the identity of an asset, or of a server, or the identity of an IoT device, for example, and then basically drag and drop it into a secured, encrypted, Software-Defined boundary. And being able to look at that visually and say, I can see these devices, I can see the communication paths, visually see them, I can know what they are binding, I can drill down on that device or on that communication path, I can see exactly how it’s communicating, what it’s communicating, how it’s connecting, all those kinds of things. Again, that technology, that capability, wasn’t available years ago, or even a few years ago. This is kind of the game-changing piece of it: the ability to start to base your security on things that are tangible and intuitive, like identity. And then kind of bringing it up a couple of levels, so you’re not in the weeds trying to look at things just from an IP address or port/protocol perspective.
Question: What kinds of things are you able to detect in my environment? And what kind of situations are you able to identify?
Brandon Witte:
Yeah, that’s a great question. Obviously having the tools in place to protect the environment, so the cloaking and micro-segmentation, but also the behavioral analytics monitoring the data to look for unusual activity. This could be something like watching a server to ensure that the appropriate processes are running and taking action when those aren’t, isolating that asset or other assets until the incident can be investigated. Other things are, because you’re collecting such a broad swathe of information, watching network traffic, for instance, and using the capacity or predictive capabilities to compare what’s actually happening to what we expect to be happening, which could be indicative of something unusual occurring within the network. And whether that’s just creating an alarm for someone to go investigate or actually taking action to isolate the asset until it can be reviewed. That’s just a sampling of the types of things. Lance touched on it earlier, talking about the malicious user. So whether it’s within an ICS system, someone that’s disgruntled making adjustments to the speed of a motor or changing the recipe associated with a SKU in the production line. These could be things happening from within the organization as well as from outside, and watching those settings to detect anomalies or unusual behavior.
Renee Davidson:
If there are no additional questions, I’d like to thank Brandon and Lance for their presentation today and all of you for joining and for the great questions that you asked. All participants will receive a replay of today’s webinar and details on our next webinar in February: “How to Protect your Assets”. If you should have additional questions or would like to schedule a one on one to address your needs and concerns, please reach out to me directly. My contact information is on the screen: [email protected]. Our webinar is complete. Thank you all. I wish you all well and have a great day. Thanks.