It is hard to imagine life without connected devices, from essential healthcare monitors to everyday IoT hardware. But as these devices keep multiplying, securing all of them against cybercriminals can seem an insurmountable task.
Ziv Dines, Chief Technology Officer, Group CTO Lead at Armis, sat down with Frontier Enterprise to discuss the evolving landscape of cybersecurity threats faced by these connected devices. In this conversation, he shares Armis’ strategies to counter such risks.
How do you see the evolution of managing IT and OT assets, especially with the IoT Edge coming up?
Basically, we look at the world and manage unmanaged devices. But it’s not so simple. In a perfect world, everything is managed and you know everything. Then, we divide the world into those devices that are actively managed by the network and those that are not. Usually, this separation is between IT and what I like to call non-IT, so it can be IoT, OT or medical devices.
I like to look at it in terms of managed and unmanaged. But even in the managed world, there are always things that should be managed but aren’t, for various reasons—mistakes, breaches, and other issues. To simplify, on the managed side, we ask: what is not following the management directive?
Let’s take a simple example. Imagine you have two directives. First, every computer of a certain type, let’s say type ABC, should have an agent. Second, every device meeting certain criteria should be scanned often enough. And the last directive is that every device should have the latest operating system patch. Three rules, simple enough. If you follow these, you might think, “Hey, my network is managed.” But there are two corrections.
Firstly, is your managed network truly managed? And secondly, before you state that “My managed network is managed,” you should assess the hygiene of your device management. Ask yourself, “Have I forgotten some of these devices?” With my three examples, I’d probe further: “Do you have devices that, according to criteria, should have an agent but don’t? Or maybe they don’t have the latest agent, or an up-to-date one? Are all devices that should be scanned, actually scanned?” There are many reasons why devices might not get scanned, and you wouldn’t know because management tools only track what they do. By definition, they don’t know what they don’t do, and this isn’t an insult to the tools. That’s where we identify the deltas. Whether you’re missing 50, 500, or 5,000 devices, these are your action items. Update those agents or address the issue at hand. This approach applies to the managed part of your network.
For the unmanaged part, the challenge is managing the unmanageable. It’s not as simple as buying a tool and putting an agent on these devices; it’s impossible. We use different tools, observe the traffic, and integrate with the infrastructure to first discover what these devices are. We identify them, understand them, and monitor their activities. This helps in managing them effectively, revealing front-door vulnerabilities, their behaviour, any deviation from normal behaviour, and actions they shouldn’t be taking.
Agentless security solutions seem to be the future for IoT devices. However, there are some cases where your firmware is really old or really hyper-customised. How do you deal with that?
Everything Armis does is agentless. We look at it this way: if a device has an agent, then that’s great. They’re getting the information, and it’s all good. It’s wasteful not to use it. But otherwise, we don’t need an agent. Our approach is like interacting with a customer; you should first listen to the customer, understand their problems, and hear what they’re saying before offering a solution.
The same principle applies to our software. We listen to the network traffic. By doing so, we understand the device without installing anything on it or taking any active action, just remaining completely passive. This approach is the future but also the present. As we continue, it’s rapidly gaining traction, something definitely to watch out for.
When it comes to specific industries, like medical devices for healthcare, how do you work with the manufacturers?
We approach this in two distinct ways. Firstly, we work directly with the manufacturers, and this is true for both OT and medical devices. They’re similar in a way, but also different. We also collaborate with aggregators or aggregation points, gathering information from them as well. These aggregation points are diverse data sources, some free, some paid, providing us insights about different types of devices. For instance, if a medical manufacturer comes up with a new device, we need to understand it. We acquire information from three different sources for this. One is our cooperation with the manufacturer, but this alone might not be sufficient or quick enough. Secondly, we rely on third-party aggregators that compile this type of information. The third source is our own deployments.
We have our solutions deployed across over 3 billion devices worldwide. This scale allows us to tell our customers, “Yes, your network is special and unique, but a new device type in your network is likely not exclusive to you.” We’ll probably see it elsewhere in the world and conduct active analysis on it. Once we do, it’s added to our knowledge base. With the power of cloud computing, all our customers benefit from this accumulated knowledge.
What’s the most exciting stuff that you guys are working on right now in your labs?
There are so many underway, but my personal favourite involves new ChatGPT-like capabilities we’ve been developing. What does this mean, exactly? I’ll give you an example from one of our customers.
Normally, when you try to query our system for an answer, you’d rely on reports, alerts, or dashboards. Ideally, your question is already answered in one of these. But if it’s not, as new questions always arise, you can use our query language. It’s straightforward, requiring just a few clicks to create a query that answers your specific question. This is part of the customisation, and you can save these queries for later use. It’s simpler than SQL; we call it a QL.
For instance, there was an executive from a Fortune 50 company in a board meeting. A question came up, and they needed information quickly. This person used our console right there in the meeting, executed the query, and got the results within two minutes. This capability surprised everybody, as not many CISOs and CIOs in such board meetings do this daily. They’re certainly capable and can use a query, but it might not be part of their everyday routine. Our new ChatGPT-like capabilities will change this. It’s all about using natural language. I wouldn’t call it just another item on the roadmap; I see it as something truly exciting. It’s a small change, but it has the potential to significantly improve how our users interact with the system.