[00:00:35] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always is my co-host Camille Morhardt. How are you doing Camille?
[00:00:43] Camille Morhardt: Hi Tom. I’m doing well.
[00:00:45] Tom Garrison: Well, today we’ve got a pretty cool topic for us. We’re going to dive into the world of the Internet of Things,
[00:00:52] Camille Morhardt: Full of risk and reward. A hot topic in security.
[00:00:58] Tom Garrison: Our two guests today, we’ve done some work with them around looking at IoT and the various risks that are posed as a result. And I think really we should just jump right into it. What do you say, Camille?
[00:01:11] Camille Morhardt: I agree. I think this is such an important space and such interesting guests are on to talk about it. Let’s listen.
[00:01:22] Tom Garrison: Today we have two guests. Our first guest is Malcolm Harkins. He has over 30 years of tech industry experience, most of it focused on security. He is the Chief Security & Trust Officer at Epiphany Systems. He was previously the Chief Security & Trust Officer at Cymatic and Cylance and the VP and Chief Security & Privacy Officer here at Intel. He’s also been a former guest on this podcast.
Our second guest is Rob Bathurst. He has over 18 years of experience in offensive cybersecurity and R&D. He is the co-founder and CTO of Epiphany Systems. He has led cybersecurity engagements with Fortune 100 companies and major US government agencies, including the DOD, DOE, DHS and DOJ, lots of acronyms. So welcome to the podcast, both of you.
[00:02:20] Malcolm Harkins: Thanks, Tom.
[00:02:21] Rob Bathurst: Thank you.
[00:02:22] Tom Garrison: All right. So today’s topic, we were going to talk about a whole host of things, but before we start, our company’s been working together and specifically around work that we’re doing focused around IoT–the Internet of Things. And I wonder if either or both of you, maybe we’ll start with Malcolm, can you describe some of that work that we’re doing and maybe even some of the “ah-ha’s” that we found out of this work?
[00:02:51] Malcolm Harkins: Yeah. I’ll start at a high level and then I’ll pass it to Rob. We started some engagements back a while ago focused on IoT, really in kind of building management systems and the capabilities they enable, but also the security issues that cross the boundaries between the Internet of Things and the traditional enterprise environments as well as other ones within organizations, including the manufacturing, operations technology capabilities.
[00:03:20] Rob Bathurst: In the building space it was really interesting because it was about, how do we help an industry change the way they view security? A lot of the technology they have in those buildings that we use every day and live in, they don’t really fundamentally understand from how it could be protected, how it could be attacked. So we grew the relationship from there to, as Malcolm pointed out, the bigger industry enterprise security market. How does IoT play into the normal corporate system as well as the internet at large?
[00:03:54] Tom Garrison: Well, I’m intrigued with the idea of what did people who had buildings and all their systems that go along with the buildings, what were some of the more common areas that were unknown or maybe underserved with regards to security?
[00:04:14] Rob Bathurst: Yeah, so if you look at a building, most people just think of it as a shell with glass and doors and floors. And really when you look at it, it really is a connection of different systems in most modern buildings because of energy regulation and things they get for LEED certification, basically how efficient your building is. They put in automated control systems for their furnaces, their boilers, their air conditioning units, elevators, power systems, access control.
And so if you think in a brand new modern building–and even some of the older ones that have been retrofitted–it’s all connected and it’s all sitting on this network that is not really thought about the same way that you might inside a corporation. And so they usually just connect it together and make it work and hope for the best. And so a lot of the realization has come around to how do they secure it? What do they think about it? Is the building really being threatened by anybody? How could that building be impacted? And what would cause a potential event that would lead to an industry think they care about, which is like an occupancy harm, right? Could something happen to people inside that building? So that industry as a whole is really kind of coming around to that.
[00:05:36] Malcolm Harkins: Just think of the recent ransomware trend where organizations have been impacted and they’ve been held hostage. In some cases, it might be easier for an attacker to, in essence, attack and exploit the building and create that ransomware event rather than just all the PCs and the servers and that type of stuff. Because in a manufacturing environment, if I own the building, I own manufacturing. In a large-scale event, if I own the stadium, I own the event. So those type of things can have different consequences.
But there’s this blend, as Rob was talking about, the facilities systems that manage those buildings, have by and large been built and managed separately from the traditional IT environment. So even the visibility from the traditional CIO and CSO is limited, let alone they might not have the requisite security capabilities in place to manage the risk.
[00:06:40] Camille Morhardt: Well, I’m really interested in how this is different, like one thing in a manufacturing facility, I would assume generally speaking, one company owns that manufacturing facility and they may have access rights and other suppliers or vendors coming in to do work on machines. But when you’re talking about a stadium or when you’re talking about maybe a shared office space that I would imagine we may be seeing more and more of now, you have interactions between multiple companies. And not only that you have, like in a spectator sport, I mean, one of the main attractions I think that they try to provide is internet access for the fans who are there tweeting and texting and doing whatever they’re doing. So you’ve got everybody’s individual consumer device within that environment, as well. So how does that change what you’re trying to manage?
[00:07:36] Rob Bathurst: You have to understand the way an adversary or somebody might disrupt that building, that organization, the people within it. And based on those objectives, based on those goals, you can kind of work backwards and say, how do I protect those systems? What do I do with them? Some of them like the cellular example you pointed out with all those individual IoT devices, they’re on Verizon’s backbone or AT&T’s backbone, and you just send the data straight through and you say, “that’s their problem to figure out; they’re good at that.”
Some of the other stuff, though, you have to take into account when you talk about these stadiums and these large buildings is the people that do food service, they have PCI requirements, they process credit cards, they might be running on your network. They might be running on that Verizon signal or that cellular signal. And then you have the people that are doing entertainment. You have the people that are doing all of this other stuff, and you have to make a conscious decision of whether or not you put them on your internal network within that facility, or you make a decision, whether do they run on that outside network, again like that cellular service. And it takes a certain amount of understanding what the threat to that activity or that building could be to then work backwards and say, how do I protect it?
[00:09:05] Camille Morhardt: It almost sounds like you’re talking about threat modeling.
[00:09:08] Rob Bathurst: Yeah. I mean, Malcolm probably can give you a little about how threat modeling would take over in that case. But yeah, it is a somewhat complex form of that.
[00:09:17] Camille Morhardt: Is it different when you’re looking at this crossover between OT and IT?
[00:09:22] Malcolm Harkins: The basic concept of doing a threat model or understanding stuff, I’d argue is similar, but there’s a different complexity. And I think what adds to the complexity is this mix between building management type systems, the IoT type systems for those other devices that might be on or off network, and then the regular aspect of the enterprise. And that crossover between those networks and their interconnections, what might seem like an obscure vulnerability that could be exploited in one area could actually take down the entirety of an operation–shut down an elevator system, turn off the fire life safety system, shut down the heating and air conditioning for a 50-storey building that has 10,000 people working in it.
Think of the chaos that that would create, not only within the building, the potential panic and or imagine a kinetic, a physical event connected to that logical event if somebody was trying to do something even more harmful than disrupt technology.
[00:10:39] Tom Garrison: So one of the things that I’ve heard about Epiphany is that you like to tell your clients that there’s a difference between playing offense and playing defense. And I think in the context of both IoT like use cases, but also enterprise use cases, I wonder, what does that mean? And how can our listeners maybe put that mindset to play in their companies?
[00:11:10] Rob Bathurst: Yeah. So I have a career in being a jerk, if you will. My background and my job was to go through and do the pen tests and do these red teams, which are basically just extended pen tests with an objective. And the thing we try and tell our customers is it’s a fundamentally different mindset when you think about it like a pen test or when you think about it like an adversary, because we’re not trying to architect a defense, we’re not trying to architect the function of an organization or a business process. We’re trying to reach the goal. We’re trying to get to the touchdown. We’re trying to get to the objective. And so when we tell people at a high level that we want them to think like the adversary– think offensive, be offensive–we really want you to take a moment and say, “Okay, I don’t want to think about how to defend the organization right now, I want to think if I was an adversary, where would I go for maximum disruption? Where would I go for maximum value? What would I want to take?”
People naturally want to think good thoughts. They want to be positive. They want to do the best for the places they work. And that sometimes keeps them from thinking, “oh, if X, Y, Z went down, the whole place would fall apart,” because that’s the place they work. But what we try and tell people is that’s the mentality you need to be able to start to understand how to more properly architect and defend yourself.
[00:12:52] Tom Garrison: That makes sense. It’s similar to the mindset that we employ with our product developers. And instead of trying to think of all the defenses that you can put in place, put yourself instead in the attacker’s shoes and say, “okay, if I wanted to try to do this to your product, how might I go about it?” And if you think about that upfront, you architect in a way that you’re in a much safer position. So that definitely resonates to me. So we used a few examples at the beginning of this podcast about IoT. How do you see the carryover, I guess if you will, to enterprises? Are you seeing similarities or are there some unique differences between IoT and enterprise in this regard?
[00:13:40] Malcolm Harkins: There are differences. I’d say the biggest difference that I see when I talk to peers is that traditional enterprise perimeter, they understand where they think they understand it. The IoT, and some of these other environments, they have less visibility to it. So it’s more difficult. Now, again, the challenge that we’ve seen and I’ve seen is, again, this nested complexity, because there’s the traditional perspective of the perimeter, I’ll protect the perimeter defenses. Makes a lot of sense. We always have to harden that as much as possible, and that perimeter could be at the device, at the data level and the network level, all those type of things, but what we’ve found and what I’ve experienced as well, that’s an attack surface view of things–that perimeter–and it doesn’t really get to the depth of the connectivity between devices, applications, identities, and networks.
That’s how the bad folks go from an initial foothold, that toehold by popping one thing, and then all of a sudden navigating their way through the daisy chain of connections, to the moment of material impact. And when Rob talked about having that offensive view, it’s really about starting from the inside out, not the outside in. What’s their objective? What are they going after? What are they going to do with it? Once you start from the inside, and then you understand the connection and connectivity of all those things through the enterprise, then you’re better able to make a perimeter decision.
[00:15:27] Rob Bathurst: Just to tail onto that if I may, in the security industry, we have a bad habit of saying, “Well, my responsibility is this, and so this is where I’m going to stop thinking about the problem.” And what you really need to take into account is the interconnected nature of the system. How does the identity, or the device relate to another identity or another device? And actually if you come together as a team and discuss how bad it could be and what the attacker’s objective might be, you get a much better overall defensive understanding that way than you would typically.
[00:16:07] Camille Morhardt: Does it lead to like more sets of partitions and containers and access privileges being set up among all of these devices, or does it lead to more of a sense of continuous checking or authenticating or verifying as something’s being used? I’m talking about devices now within this system.
[00:16:33] Rob Bathurst: When you look at things at a, what are we trying to do? We’re not trying to stop all things all the time forever, because it’s just an impossible task. The environment is too dynamic, everything else is going on. What we’re trying to do is we’re trying to limit the attacker’s opportunity at the moments of greatest weakness. We’re trying to create these barriers as you were mentioning, trying to create these barricades that prevent the attacker from reaching that objective.
And so what we’re really trying to do is as the environment changes, we’re trying to evaluate the pathways. We’re trying to evaluate the relationships and say, as you said, the device is trying to communicate, “Well, should the device have ever been able to get to that other device to begin with? Is that a pathway we wanted to happen? Is that identity meant to be associated with that device? Is that a high-risk activity?” What most people in the industry are coming to realize is we’re really trying to manage our exposure. We’re not really trying to manage the event itself. We’re trying to take the cumulative and reduce it as much as possible and say, if we stop this opportunity, then even if that device keeps trying to communicate, our critical system, as Malcolm said the material impact, isn’t there.
[00:17:59] Malcolm Harkins: Yeah. And Camille, your question around authentication and continuous monitoring and stuff, that certainly could play into it at some level. But just think of what was recently in the news, Log4j, and the vulnerability in software that had the US government on high alert and telling everybody they need to patch; the SCC got involved and said, “if you’re not patching, you might be liable because you weren’t managing your risk.” And everybody’s saying “patch, patch, patch, patch, patch.” Makes sense on the one hand, but that’s a perimeter related item and in a large enterprise, you got 50, 100,000 devices, thousands of applications, you might have 5,000 instances of Log4j affecting X number of devices. You have this massive vulnerability that is too hard to determine what to action, because just saying, do it all now might actually cripple the enterprise because of all the effort in place to test, check, remediate, the operational impacts of that stuff.
So threading the needle between that one thing, the Log4j vulnerability, and the item that’s going to have maximum impact to your business and understanding the narrowness of where you should address the log4j vulnerability, because it’s in an exploitable path to something that matters, that’s the area that you need to take action on first. The rest of it is just hygiene stuff you take care of when it operationally makes sense, or if there’s no potential for that vulnerability to be exploited to cause real harm, why even necessarily in some cases go deal with it? There might be other mitigations in place.
[00:20:00] Rob Bathurst: You can build a strategy, as Malcolm pointed out, to reduce the exploitable paths. And for the ones you can’t reduce, create resilience, create friction as we typically call it, so that you are aware the adversary is trying something or that you are able to block it, or you’re able to detect it because you can’t remove everything, but there are ways to improve that resiliency.
[00:20:26] Tom Garrison: I guess for me, the interesting thing is exploitability feels like something that becomes very obvious after the fact; but people are told about vulnerabilities whenever they’re published. And so translating between a new vulnerability and whether or not it’s exploitable seems like, how do you do that?
[00:20:50] Malcolm Harkins: That’s the magic of what Rob created with Epiphany Systems, to be blunt, but there’s a difference. So you were talking about it right: you can be vulnerable, but not be exploitable. You could have an exploit happen again at a laptop or a pinpoint device, but that doesn’t mean that your organization is exploitable to a material event.
[00:21:18] Rob Bathurst: People think automatically exploits only apply to vulnerabilities. And they only think vulnerabilities are flaws in code or flaws in firmware or flaws in whatever it is, but exploitability goes beyond that. And it’s really about the totality of the adversary’s ability to take advantage of that. So that could be the misconfiguration that is then related to an identity, which is then related to a vulnerability, or vice versa. What we’re really trying to get people to disconnect is that we have to look not just at the exploitability of a single technical condition, but the exploitability of the totality of those relationships. So how do I, as an adversary, exploit the way you are architected, the way you’re configured, the way your defenses are deployed. And these things are far beyond the attack surface thing that Malcolm mentioned before, and much more systemic, usually within an organization, things that they just, “well, that’s the way we’ve always done it” type of approach, which is what usually leads to those compromises.
[00:22:31] Camille Morhardt: I feel like I’ll almost go back to, we were talking about smart buildings at the beginning of the conversation, and it’s like, you can’t be sure you’re going to prevent any fire ever in your building no matter what you do. So then do you have smoke detectors? Do you have sprinkler system? Do you have fire doors? Do you have automatic way to call the fire department? And then that’ll help you get back up and running faster too and isolate the problem as opposed to just, “oh my God, if we didn’t stop the fire to begin with then the whole building’s going down.”
[00:23:04] Rob Bathurst: Well, yeah, it’s funny actually. It’s a great analogy. If we look at the security industry right now, we basically hire former arsonists to come try and burn our building down and then tell us whether or not they were able to light it on fire. But in reality, you’re right. When you build the building, you have a building inspector, you have a fire marshal, you have people come around and check it and evaluate it and make sure it’s up to code. And we don’t have that kind of same rigidity in the security space. And instead, we should be having a fire inspector constantly sitting there going, “you shouldn’t put those rags over that because in case you didn’t know, there’s a heater right underneath here.” And so we really need to get out of the calling the fire department is our first reaction for security or hiring an arsonist is our first reaction for security and get more to the proactive inspection side of it.
[00:24:05] Tom Garrison: Before we do let you both go, we do have a segment we like to call fun facts. And I guess I’ll start with Malcolm. Do you have a fun fact you’d like to share with us?
[00:24:20] Malcolm Harkins: Yeah, well, I just came back from vacation and my wife and I did a trip and went to the Grand Canyon, and an interesting fun fact, the most dangerous animal in the park is the rock squirrel because of the damage that they create and they’re most troublesome in the canyon. So that was something different than I had ever expected, but something I learned while I was there.
[00:24:41] Tom Garrison: Is it because people trip in the holes or what’s the issue?
[00:24:46] Malcolm Harkins: No. Well, they bite people on the paths. And if you think of the Rim Trail, and you have all these little ankle biters, again, difference between what might be considered vulnerable and exploitable.
[00:25:05] Tom Garrison: (laughs) That’s interesting. How about you, Rob?
[00:25:07] Rob Bathurst: Apparently a crocodile can’t stick out its tongue, although, I wouldn’t reach in and check.
[00:25:12] Tom Garrison: I guess I didn’t even realize that the crocodile had a tongue, but I guess…
[00:25:16] Rob Bathurst: Oh, yeah. There’s all kinds of weird ones too. Like apparently pigs can’t look up in the sky because the way their eyes are positioned.
[00:25:25] Tom Garrison: That’s cool. We got two fun facts there. All right. So, Camille.
[00:25:27] Camille Morhardt: So I was trying to figure out what is at the center of our galaxy the other day, because my son asked me “what’s at the center of our galaxy?” and I was like, “God, let me just get out the Google here. I’m not exactly sure.” We seem to be swirling around either a super massive black hole– that theory was established in the early 70s–and subsequently it seems like we may be thinking now it’s actually dark matter instead of a super massive black hole. And I’m going to have to do some more reading to find out what the implications are if it’s in fact dark matter as opposed to a super massive black hole.
[00:26:08] Rob Bathurst: That has fundamentally altered my understanding of the world.
[00:26:12] Tom Garrison: That’s the goal of a fun fact. Okay. So my fun fact comes from National Geographic, at least allegedly. And it is that if you took the entire population, human population, of earth and you stood them shoulder to shoulder, that everyone could fit within the 500 square mile city limits of Los Angeles.
[00:26:41] Camille Morhardt: So that’s like a two-fer because I didn’t know that the city limits of Los Angeles were 500 square miles.
[00:26:46] Rob Bathurst: Yeah.
[00:26:48] Malcolm Harkins: Would that weight in that spot create a dark matter moment that didn’t cause a crater or collapse?
[00:26:56] Tom Garrison: Or force an earthquake, whole San Andreas thing just slips right there?
[00:27:01] Rob Bathurst: I smell a movie.
[00:27:04] Tom Garrison: Yeah, there you go. There you go. All right. Well, hey, Malcolm and Rob, thanks for joining us. I think we definitely touched on some pretty interesting topics there around IoT, and we certainly appreciate the partnership with your company.
[00:27:15] Rob Bathurst: Yeah. Absolutely. Thank you.
[00:27:17] Malcolm Harkins: Thanks, Tom.