OT Security Data Science – A Better Vulnerability Database – Episode 133

Security automation needs a machine-readable vulnerability database. Dr. Carmit Yadin of Device Total joins us to look at limitations of the widely-used National Vulnerability Database (NVD), and explore a new "data science" alternative.


“…we created a new segment in the industry….Data Science for Cybersecurity.”


About Dr. Carmit Yadin:

Dr. Carmit Yadin is the Founder & CEO of DeviceTotal, a SaaS solution for enterprise device security that provides a centralized, agentless approach to device vulnerability and threat management. Dr. Yadin is a leader, researcher, author, and sought-after speaker in cyber intelligence. She has over two decades of experience in cybersecurity.

Dr. Yadin began her career in an elite cyber intelligence unit of the Israel Defense Forces. She then contributed to the success of several high-tech firms, including NASDAQ-listed RAD-Silicom and Alvarion, where she served as Chief Information Security Officer. Dr. Yadin’s unique blend of technical expertise and business acumen has distinguished her as an expert in both cybersecurity and business competition management. She is also the author of “How to Boom B2B Sales” and has delivered talks on global platforms, including TED. Under Dr. Yadin’s leadership, DeviceTotal helps companies proactively protect their connected devices against evolving cyber threats.

About DeviceTotal:

DeviceTotal offers the world’s first agentless solution to detect and eliminate vulnerabilities and risks in OT, IoT, network, and security devices using AI. DeviceTotal is a SaaS solution for enterprise device security that provides a centralized approach to device vulnerability and threat management. As the industry’s first universal device security repository, DeviceTotal helps businesses proactively manage their network security and ensure resilience in the face of evolving threats by offering organizations a scalable solution for complete visibility with real-time continuous monitoring.

Transcript of this podcast episode #133: 
Making the Move into OT Security | Episode 133

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of today’s show. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Carmit Yadin. She is the CEO of Device Total. And Device Total is doing OT security data science in the area of vulnerability management. And I had no idea what that was, so I was keen to find out.

Nathaniel Nelson
Then without further ado, here’s your interview with Carmit.

Andrew Ginter
Hello, Carmit, and welcome to the podcast. Before we get started, can I ask you to please say a few words about your background for our listeners, and a bit about the good work you’re doing at Device Total.

Dr. Carmit Yadin
Thank you for the opportunity. I highly appreciate it. So a little bit about my background. I started my journey in the cybersecurity space when I joined the Israeli army, where I was trained in network and security. I worked as a CISO in several NASDAQ companies. I worked with governments around the world, mostly with the U.S. government, on gathering intelligence from connected devices.

And with time, I realized that the biggest challenge the cybersecurity industry has lies in the fact that as humans, we connect ourselves with so many devices, and the number of connected devices is increasing dramatically. The problem is that security teams don’t have visibility into the security posture of each device in their organization. They also don’t have visibility into how each device impacts the entire organization. So I decided to take that on as a personal mission to solve. My doctoral studies are exactly about this subject, and I founded Device Total to solve this unique and significant problem.

Andrew Ginter
Thanks for that. Our topic today is vulnerabilities, and there’s a lot of information available about vulnerabilities out on the internet. Can you talk about vulnerabilities? Which part of that space are you looking at?

Dr. Carmit Yadin
So the first important thing is for us to understand what vulnerabilities mean for the IoT and OT space. And the biggest challenge organizations have today is to know what vulnerability is related to any of the devices in their organization. Now, in order to understand that, we need to understand how the vendors that manufacture those devices match vulnerabilities. What’s important to understand is that vendors publish their vulnerabilities by two main parameters: one is the hardware of the device, and the second one is the software, which is the firmware version.

Now, there are different sources from which we can gather this information. The most reliable source is the vendor security advisory. It is the vendor’s responsibility by regulation, by the way; they have to publish and disclose the vulnerabilities they are aware of to the industry and to their customers.

Most vulnerability management today focusing on IoT and OT will gather the information from NVD. Now, the problem with NVD is that NVD provides inaccurate and incomplete visibility into the vulnerabilities on those devices. Therefore, in order to identify accurate vulnerability data for their devices, customers and organizations will need to do lots of manual activities. They will need to go to the security advisory and try to understand what vulnerabilities relate to these devices. This task takes forever, a lot of time, and it’s a very difficult task to do. A lot of manual work, different websites, and definitely unscalable. So this is how the industry looks today. There is no one universal repository providing all the data for any device.

Andrew Ginter
So that does sound like a lot of work for someone like me. If I’m operating an industrial site, I’ve got a lot of equipment. I’ve got a lot of software. To try and go out and find this information manually, you’re saying, well, it’s a lot of hard work.

Dr. Carmit Yadin
Yes, that’s true. It’s a lot of hard work. But the problem is that security advisories today are unstructured data. The data inside is unstructured. And for those vendors that tried to structure it, they didn’t structure the entire data. So we are dealing with a lot of data that machines cannot consume. And humans that are capable of reading it don’t have the scalability that machines have. So that’s the problem. The data is there, but we cannot consume it. And this is one problem. The second problem would be: now that I understand what problems I have, how am I going to solve them? So you’re 100 percent right.

Andrew Ginter
So that all makes sense. In previous episodes of the podcast, we have had people talking about new standards that are out there for publishing vulnerability information in a machine-readable format. I had imagined that those standards would solve this problem. Are they not solving it?

Dr. Carmit Yadin
Okay. So the problems start with the fact that specifically in IoT and OT devices, there are so many vendors that manufacture different types of devices for the industry.

And there is no alignment and there is no standardization on how vendor A publishes their security data versus vendor B. So there is no alignment between them. And our job is to create that alignment because it doesn’t exist elsewhere.

Another thing about standards is that there are lots of standards and regulations for the organizations that are using IoT and OT devices. They must validate what vulnerabilities they have. They must use the latest version of the devices. They must control the risk of the devices in different environments.

So the majority of the regulations and the standards are on the organizations that are using the devices rather than on how the manufacturer should publish. They have to publish, but the way they publish is their own way, and each vendor is doing that differently today.

Andrew Ginter
Listening to what you’re saying here, it sounds like what the world needs is a search engine for vulnerabilities that can tell me what’s broken, can tell me what fixes are available, with reliable, up-to-date data. Is that what the world needs?

Dr. Carmit Yadin
No, Andrew, I think that what the world needs is to know what vulnerabilities exist on their devices. Organizations don’t want to go and use a search engine to search for all the vulnerabilities on all their devices. They want someone to tell them, hey, these are the problems you have.

These are the solutions that you need to implement, and this is the priority for how and when you should do that. And that’s a solution that organizations like Armis, Nozomi, and Claroty provide today to their customers. The companies that need that search engine and capabilities are those companies. They need that for the devices that are behind the scenes.

Andrew Ginter
Okay, so work with me. You have a product in this space. What do you have? How do you work with these vendors?

Dr. Carmit Yadin
OK, so what we are doing, on a daily basis, is collecting and normalizing all the data that exists in any security advisory in the industry today. So we’re collecting the data from the security advisories, from the vendor websites. We normalize the data. We structure the data. And for the very first time in the industry, we managed to create one universal repository that includes all the security data, including the vulnerabilities and the mitigation and remediation for any device that exists in the industry today. And what those vendors can do together with us: they can consume our data based on the devices they identified in the customer network. They can query our database, and we will reply back with the vulnerabilities matched to the devices they identified, mitigation, remediation, software updates, end-of-life data, and so on. And we are updating the data daily.

Nathaniel Nelson
So Andrew, while I was listening to her just now, I decided to pull up a given CVE on NVD’s website. We have a description of the problem. We have a score associated with just how severe the vulnerability is. We have hyperlinks to mitigation instructions and then various other information. So I guess what I’m wondering is what exactly the platform she’s describing does that is so much more or better than what seems to me like a pretty comprehensive list of what I need to know about this vulnerability.

Andrew Ginter
A couple of things. That’s a good question. What Device Total has done is a) make the NVD machine-readable. Because, to her point, if I have a refinery with I don’t know how many CPUs in it, let’s say 6,000 devices with CPUs in them, everything from PLCs to flow meters to you name it. My question is not where’s my search engine so that I can go to each one of my 6,000 devices once a month and look up the device in the search engine. That’s not what I want.

What I want is to pay someone like Armis or Claroty or Dragos or Nozomi to tell me what devices I have, to tell me which of those devices are out of date, to tell me what mitigations are available for these out-of-date devices. I want someone to solve this problem for me.

And so what we need under the hood of Nozomi and Dragos and whatnot is that machine-readable database of vulnerabilities, because these platforms are the ones that are active in my refinery, scanning what devices I have, keeping track of what devices I have and where they are and what their purpose is. And they need access to a constantly updated database of vulnerabilities so they can produce those reports about how much trouble I’m in for the devices I have. Does that make sense?

Nathaniel Nelson
So it’s less that NVD doesn’t provide the specific kinds of information we need. It’s much more about making this information accessible and machine-readable.

Andrew Ginter
That’s right. Machine-readable for the other vendors that need the data. Another thing, which I was talking to Carmit about after the fact and didn’t capture in the recording, is that she pointed out, and it’s public knowledge, that if you Google the NVD program and “falling behind”, you’ll see an announcement from earlier this year.

It said: we are falling behind. There are too many vulnerabilities. The program had to not process all the vulnerabilities that were being disclosed to them. They prioritized what they thought were the most important vulnerabilities, but the database was falling behind. So that’s another argument for a private vendor coming in here doing this, having someone pay them rather than have the government do it and be subject to the vagaries of, I’ve only got so much budget, there’s only so much I can do with that budget. This is an opportunity for private industry to come in and do the job thoroughly, completely, because they have the money to do it.

So reflecting on this, Nate, what strikes me is, in hindsight, it makes perfect sense. But until I realized what Device Total was about, I had no idea that such a company existed. If you think about it, what’s the value that’s delivered by companies like Armis and Dragos and that sort of class of, call it, asset inventory and asset management solution? They scan your network, they figure out what assets you have, and they come back and tell you how vulnerable they are. And so every one of these vendors needs a machine-readable database of devices and vulnerabilities, and ideally things like workarounds and compensating measures and fixes, if they’re available, and where the fix is available. They need all of this so that they can present it in reports, in whatever form, to their customers. And before Device Total existed, I would have imagined that every one of these vendors would have to do this research on their own. And once they produce that database for their own internal use, my own guess is that they’d be reluctant to sell that database to somebody else. Why would they give their competitors a leg up? And so that, in hindsight, produced the opportunity for someone like DeviceTotal to come in there, do the job once, and sell the results.

If they can do the job, in a sense, better than any one vendor could do individually, there’s a huge incentive for these vendors to say, instead of me doing this painfully manual process and producing an inferior result, just buy the data from Device Total. So it makes sense in hindsight, but before I talked to Carmit, I had no idea that this sort of niche in the ecosystem existed.

Andrew Ginter
Okay, so it’s starting to become clear to me. You’re saying that the kinds of vendors like Dragos, Nozomi, Claroty, that kind of vendor is your customer.

Dr. Carmit Yadin
So that kind of vendor, yes. So we work with any platform that has an asset management and asset discovery solution. And those kinds of customers use our data as a layer of intelligence on top of their asset discovery and asset management capabilities, so they can give better visibility and data that they don’t have today, like the mitigation, remediation, and end-of-life data for any IoT and OT devices that exist in their customers’ networks. On top of that, our customers will also be large-scale organizations, service providers, SOC companies. Their problem is that they are using different asset management and discovery tools, and some of them are even doing it manually. Our capability is in the fact that we are capable of digesting any asset inventory list from any source, whether it’s manual or from the asset discovery.

And we provide a layer of intelligence on top of that data, and we will provide on a daily basis the accurate vulnerabilities, accurate mitigation actions, what software updates need to be done and under what priority, what workarounds are available from the vendor, and with all that data we will also provide a prioritization based on the risk and the criticality for the end customer.

Andrew Ginter
So Nate, something subtle in there that I’m not sure everyone caught. It’s clear that the asset management vendors are potential customers of this database of vulnerabilities. But Carmit also mentioned service providers. Think, I don’t know, a big oil company with 150 sites, each of which is a multi-billion dollar asset.

These big organizations tend to have central security operation centers. They tend to insource; they do that themselves. And these centers tend to have automation. They buy one or six of each kind of tool, and they generally have their own automation and own code that they’ve invented to pull it all together and automate the job of managing vulnerabilities, managing incidents, managing everything.

The second sort of customer she mentioned very fast was service providers. Security as a service is a thing, even in the OT world. A lot of people smaller than the biggest companies need a security operation center, but don’t want to staff their own. They might not be quite big enough to staff their own. Even if they are a little bit big enough, this may not be what they want to focus on. And so there’s a fair number of service providers out there that will say, we will manage, we will look at your alerts, we will manage your security for you and raise the alarm if you need to do anything, and send you reports about your assets and do all of the things that a SOC does. And again, these service providers compete based on the knowledge, the domain expertise of their security analysts, their experts. But they also compete to a degree with technology. Yes, they buy a bunch of off-the-shelf technology to gather data and manage alerts. But again, they tend to have some of their own technology that is their special sauce, adds their special flavor to the security-as-a-service offering.

And that class of vendor, service provider, might also benefit from access to a vulnerability database from time to time to produce their own automation and make their own people more effective in the space. So that was something that went by fast and struck me as interesting.

Andrew Ginter
Interesting. I mean, it sounds like you are competing with the NVD, the National Vulnerability Database. Do you have a search engine where people like me could search your database?

Dr. Carmit Yadin
So yes, we do have that capability. Our customers can log into the portal and look manually for devices. One of our main capabilities, and a very unique one, is that we enable customers to identify the security posture of devices even before they purchase the device.

So we give our customers visibility into the impact of any device existing in the industry, even before purchasing it. Now, comparing us to NVD, we just don’t do what NVD does. The goal of NVD is to match vulnerabilities and provide data on vulnerabilities.

NVD doesn’t look at the risk from a device perspective. NVD doesn’t consider the relationship between different devices in the network and that impact. NVD doesn’t have the mitigation, doesn’t provide remediation, doesn’t provide workarounds, end-of-life data. NVD doesn’t have the data that an organization nowadays needs.

Andrew Ginter
Cool. I mean, before talking to you, I had no idea that this sort of function, that what you do, existed in the ecosystem. Can you talk about your reception? What’s the experience of your customers like? How did they receive the knowledge that you existed?

Dr. Carmit Yadin
I can share with you that when we just started, we went to one of the largest organizations, a Fortune 500 organization in the US. And he said, listen, we work with all the vulnerability management tools that exist in the industry today. Show us what you have, but he was very suspicious. He wanted to see another option, but was very suspicious.

And when we actually showed him the data, he really liked that, because we managed to solve so many problems for him that he needed to do manually, that he needed to check with the vendor, to go online and validate the data for critical devices. He was very surprised that he can add devices manually, not from asset management, and still get the data. He was amazed, because understanding the impact of new devices before purchasing them hadn’t even crossed his mind as an option.

But not just that; one of the unique things that we bring is also the mitigation and the remediation. So for the very first time, he doesn’t need to pay for very expensive tools to give him the problem. Now we can also know what’s the solution for all the vulnerabilities that were identified on his network and under what priority to mitigate that. So it’s really a game changer for the end customers themselves and obviously for companies that have the asset management capabilities that want to give higher value to their customers.

Andrew Ginter
Cool. You’ve been doing this for a while. Can I ask you, where are you at? What’s coming next?

Dr. Carmit Yadin
So today we’re primarily focusing on the IoT and the OT industry because of everything that we talked about today. This is where organizations have a very significant problem. But as Device Total, our goal is to cover any device that exists in the industry and any device that exists in any network. And our next stage is to add all the IT devices and software into our platform as well. That’s what we are working on.

Andrew Ginter
So that’s a little bit surprising. I mean, in my experience, a lot of the cybersecurity technology that’s in the OT space starts in the IT space and then expands to include the weirdness of the OT space. You’re doing it the other way around.

Dr. Carmit Yadin
Yes, so apparently we’re not most people. What we’re doing is very different. We didn’t change only that approach. We also changed the other approach. So we created a new segment in the industry. What we’re doing is data science for cybersecurity.

We are a data science company for cybersecurity with a very specific approach for devices. We decided to start from the IoT and the OT industry just because there is no alternative to that, right? And the reason for that is that organizations today cannot install a client or agent on IoT and OT devices.

And that’s why it’s a significant problem, and we as a startup company need to start where we see the biggest potential. So we started there and now we’re expanding to the IT industry.

Andrew Ginter
So I’m wondering, I mean, it sounds like you have more data than the NVD. I’m curious, are you working with the NVD? Are they going to use your data in the future?

Dr. Carmit Yadin
So our business model is to sell data. We’re the only company in the industry today that has this data, and we’re the only organization today that is doing that. We are normalizing, fixing, and constantly updating the data for any device that exists in the industry, and we are the only one doing so. So NVD should use and benefit a lot from using our data, as well as any other organization. I see NVD as a great potential customer for us.

Andrew Ginter
Cool. So, I learned something this episode. Before I talked to you folks, I had no idea that anyone was doing this. So, thank you for doing this good work. Thank you for joining us on the podcast. Before I let you go, can you sum up what are sort of the key lessons to take away from our interview here?

Dr. Carmit Yadin
So the key lessons for us today are that managing vulnerabilities on IoT and OT devices can be done and can be easy. Our capability is to provide all the vulnerabilities on any device. Actually, we give a commitment that we cover any IoT and OT device and provide the vulnerabilities, the mitigation, remediation, and end-of-life data. And we managed to create data that doesn’t exist in the industry today, and no one is doing that today. And everyone is welcome to go to our website at devicetotal.com and sign up for a free demo, connect with me on LinkedIn as well, and feel free to reach out. And thank you for inviting me today. Highly appreciated.

Nathaniel Nelson
Andrew, that concludes your interview with Carmit Yadin. To take us out here, I’m wondering, she seemed to suggest that this platform, this service, was broadly applicable to all industrial IoT sorts of devices. But is there any particular industry that might need this more than others? Because for one reason or another, they were having trouble with this kind of thing before.

Andrew Ginter
That’s a good question. And on many previous episodes, we’ve had discussions of how difficult it is to patch certain kinds of industrial systems. But what I find in my own customer base is that pretty much everybody needs the knowledge. So heavy industry, where there are safety-critical functions and there’s an extreme reluctance to patch, still wants to know how much trouble they’re in, so that when new information is available, they can re-evaluate the effectiveness of their compensating measures. Because they can’t patch, they need to know how much trouble they’re in so that they can figure out, have I got enough, and the right kind of, compensating measures in place. Less consequential, let’s say, manufacturing that is less safety-critical tends to patch more aggressively.

And so they need to know what patches are available and which are more important than others so that they can get those patches applied. So in my experience, sort of everybody wants this knowledge, and they’re going to use it for different purposes. What struck me about the episode was sort of lifting the lid on how all that asset management stuff works. I did not know there was this opportunity in the ecosystem for a data science service provider providing a lot of data. And now I know that these people exist. It’s a sort of a look behind the scenes that I found interesting. I was also happy, for the first time in my life, to have a concrete example of data science.

I heard the phrase before and always scratched my head going, what’s that? Newfangled language. Well, here is a very large amount of data that needs to be managed, needs to be made available to lots of different kinds of consumers, from people to machines that do asset management to machines that draw conclusions about, well, if you have these vulnerabilities and those vulnerabilities in the same network,

you might be subject to this sort of bigger problem. That kind of analytics might even be AI-based. These are all services you can provide, conclusions you can draw once you have machine access to the data. So data science for OT security, it’s nice to have an example.

Nathaniel Nelson
Well, thank you to Carmit for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.
