Interviews | October 19, 2021

Remotely Accessible Backdoors Pose Big Threat to OT Environments

Armis | Elastic | Endace | Trend Micro

Yevgeny Dibrov
CEO & Co-Founder


Q1. How have threats to OT and ICS environments evolved in recent years? What impact has pandemic-related business disruptions had on the environment?

The biggest fear we have consistently seen in OT environments is the fear of ShadowOT devices appearing that break the isolation and air gap strategy implemented in many OT environments. Many Covid-bubble working policies prevented maintenance engineers from being on-site to make changes inside specified time windows. As a result we have seen remotely accessible backdoors spring up in many OT networks. The Florida Water breach is a typical example, where a remote access tool like TeamViewer is being used remotely but is configured insecurely, resulting in unauthorized access that could have poisoned the drinking water for thousands of people.

New devices with radio antennas are also popping up in abundance to presumably enable a remotely accessible maintenance path to the ICS systems, which again poses long-term security concerns if no one knows about their existence.

Q2. What do you perceive as the biggest threats to enterprise IoT environments currently? What capabilities are organizations going to require in the years ahead to properly secure their IoT infrastructure?

The biggest threat to organizations with an IoT environment is failing to demonstrate appropriate and proportionate security controls that expose the organization to "serious blame" liability. In IT, organizations have had many years to assess and deploy security controls to mitigate risk. IoT, for many, is a risk management blind spot and a hot topic for many cyber resilience frameworks that are adding IoT addendums to existing ones such as NIST and World Economic Forum.

Q3. What do you expect will be top of mind issues for your customers at Black Hat Europe 2021? What does Armis plan on highlighting at the event?

The macro environment for cyber professionals is fast changing. Recently we have seen a spike in ransomware attacks targeting critical infrastructure including hospital networks, rogue states challenging the cyber resilience of NATO members and groups attempting to siphon digital assets and data from a range of market participants. A multitude of bad actors are attacking the UK and the whole of EMEA on a daily basis.

We envisage that device, systems, and environmental security will be top of mind. We are seeing a wide range of IoT, IT, ICS, OT and IoMT devices being corrupted and utilized by foreign actors. Ensuring a firm is cyber secure and cyber resilient is top of mind. We will be showcasing how we have recently helped governmental and corporate entities avoid being attacked and allowed them to see all the assets in their environments. We will be sharing our latest research and findings on these topics.

Amit Kanfer
Team Lead, Security


Q1. How will Elastic's recent acquisition of benefit customers? What new capabilities has Elastic acquired—or strengthened—through the purchase?

provided dev and security teams with the platform they long needed for putting security guardrails at the right places in their pipelines, from code, to test, to cloud. By harnessing the power of Open Policy Agent, a CNCF graduated open source project, made it easy for developers to describe their security policies-as-code and integrate those policies with their cloud native technologies. OPA's developer-focused culture and DNA made it a perfect fit for Elastic's free and open vision, providing the community with all the search, observability and security capabilities they need.

In the near future, Elastic's users will be able to leverage their existing Elastic agent and cloud integrations to opt-in and add security and compliance capabilities with a click of a button. Moreover, leveraging policy-as-code will provide Elastic's enterprise users with the customization and flexibility they require when complying with multiple security benchmarks such as CIS, GDPR, HIPAA and other unique corporate policies.

Q2. What are the biggest challenges organizations face when it comes to their ability to enforce consistent security policies from the endpoint to workloads in the cloud?

Almost every company today is a software company, and almost all software is developed in the cloud. Developing software to run in the cloud is different from doing the same for on-premises environments. The security perimeter has shifted and evolved to a state where identity takes precedence. From the moment new code is introduced into a git repository, all the way to the point in time when it is deployed and executed in a cloud container, it's vulnerable to supply chain attacks, mostly around identity and authorization.

For example:

  • Is the developer authorized to change the specific code section?
  • Do the proposed code changes comply with the company's policies around cloud misconfiguration, network policies, GDPR, etc?
  • Is the workload using a Docker image downloaded from a trusted Docker repository?
  • Is the Docker container running with special privileges?
  • Does the workload have the right resource limits, preventing it from disrupting other workloads in the cluster?

OPA and policy-as-code in general are perfect tools when it comes to providing a systematic, automated and holistic approach for these questions. The vast ecosystem of integrations, which are all community driven and open source, together with the ability to “write your own” policies that fit the unique and custom requirements that almost every company has, brought the policy-as-code approach to high levels of adoption. The grand vision is to have these hooks along the whole CI/CD pipeline, from code, to build, to deploy, to runtime - with the right security and compliance checks, all defined as code and enforced in real time.
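The three workload questions from the list above (trusted image source, special privileges, resource limits) written as an OPA policy in Rego. This is an added example, not code from Elastic or the OPA project; the package name, the registry allow-list and the assumption that `input` is a plain Kubernetes Pod manifest are all constructed for illustration.

```rego
# Added example (not Elastic's or OPA's own code): policy-as-code guardrails
# for a Kubernetes Pod manifest supplied as `input`.
package pod.guardrails

import rego.v1

# Assumption: the image registries this hypothetical organization trusts.
trusted_registries := {"registry.example.com/", "ghcr.io/example-org/"}

# Every container declared in the Pod under evaluation.
containers := input.spec.containers

# 1. The image must be pulled from a trusted repository.
deny contains msg if {
	some c in containers
	not from_trusted_registry(c.image)
	msg := sprintf("container %q pulls %q from an untrusted registry", [c.name, c.image])
}

from_trusted_registry(image) if {
	some prefix in trusted_registries
	startswith(image, prefix)
}

# 2. The container must not run with special privileges.
deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q runs privileged", [c.name])
}

deny contains msg if {
	some c in containers
	c.securityContext.allowPrivilegeEscalation == true
	msg := sprintf("container %q allows privilege escalation", [c.name])
}

# 3. CPU and memory limits must be declared so the workload cannot starve
#    other workloads in the cluster. A missing `resources` block also fails.
deny contains msg if {
	some c in containers
	some resource in {"cpu", "memory"}
	not c.resources.limits[resource]
	msg := sprintf("container %q declares no %s limit", [c.name, resource])
}

# Admission decision: the Pod is acceptable only when no check fired.
allow if count(deny) == 0
```

Run it against a manifest with `opa eval -i pod.yaml -d policy.rego data.pod.guardrails.deny`; each violated check contributes one message, and an empty set means `allow` is true.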

Q3. Why is it important for Elastic to be at Black Hat Europe 2021? What is Elastic's main messaging at the event from a security perspective?

Elastic is the only free and open limitless XDR solution in the market today, and being at Black Hat allows us to share this message with the broader security industry, as well as allowing users to speak to our experts and ask any questions they may have. It's important for users to understand the benefits of an open platform, and gain an understanding of all the features built into our technology stack, and how it might benefit their organization.

Cary Wright
Vice President, Product Management


Q1. Endace has positioned itself as a company that can help organizations record network history with perfect clarity. Why are always-on packet capture and full history search so important from a security standpoint? What specific issues does it help organizations address?

Always-on packet capture is one of the most trustworthy and reliable evidence sources for resolving security incidents quickly and accurately. Logs can often lack details or may have been deleted or tampered with, and zero-day threats may be sneaking through our defences without detection. When we do have a firewall or IDS alert, how can we tell if there are other downstream nefarious activities that compromise our organization’s security? With always-on packet capture, security analysts always have the evidence they need to reconstruct exactly what happened before, during and after any alert or indicator of compromise. Knowing exactly what occurred allows quick remediation, greatly improving our security posture.

Q2. What are some of the major trends that are likely to drive demand for your technology over the next few years? What impact, if any, has the COVID-19 pandemic had in your market space?

The growing sophistication and rapid evolution of attacks is driving the need for always-on packet capture. Threat actors, often supported by nation states, are using supply chain attacks, zero-day vulnerabilities, insider activity, and other techniques to evade typical detection techniques, targeting enterprise and government networks of any size without restraint. COVID-19 has only added to that challenge by increasing the attack surface with remote workers operating from unsecured home networks. Recording network traffic is the only reliable way to know exactly what transpired before, during, and after any threat. It also provides invaluable evidence that complements SIEM and SOAR solutions, making them even more effective.

Q3. What is Endace's main message for security leaders and decision makers at Black Hat Europe 2021?

Traditional security defences are no longer enough. It’s critical to equip security teams with trustworthy and reliable evidence so they can remediate threats quickly and confidently. Always-on network recording highlights the extent of any threat and is a key evidence source that cannot be altered by attackers. Deploying always-on network recording greatly improves SOC team productivity and overall security posture by enabling threats to be remediated quickly and accurately. Integrating this critical evidence into the security tools that SOC teams are already using offers a chance to level the playing field against cyber attackers.

Mike Gibson
Vice President, Security Research and Customer Success

Trend Micro

Q1. What do you perceive as some of the biggest threats to enterprise endpoints over the next few years? What kind of capabilities are going to be required to address these threats?

Overall, not only will threats continue to evolve but it feels like the summer of cybercrime with such an uptick in high profile attacks as of late. Criminals are better enabled and equipped today than ever – less experience is needed to be a full-fledged cybercriminal with "as-a-service" offerings available in underground forums for all types of threats and attacks. Attackers are improving their methods to hide in the shadows and slip through any cracks they can find.

One positive change to counter this is that companies are consolidating their security vendors, which reduces the number of cracks and shadows to hide in. No matter the security stack, visibility and connectivity will be the most important factors that contribute to successfully mitigating the risk of cyberattacks in the future. A simplified view across the entire IT infrastructure that provides actionable information and risk assessments plus connectivity across security solutions will help security teams see anomalous behavior and stop attacks before payloads are dropped.

Q2. Why has XDR become such a crucial need for enterprise organizations? Over the next few years, do you see XDR as replacing SIEM or coexisting with it?

The job of security teams today has become unmanageable. Teams, who are already understaffed, must manage countless dashboards and innumerable event logs, try to correlate the information, and make sense of the red flags to know when an attack is underway. That is not a scalable approach, nor will it be effective in stopping damaging attacks. This is the beauty and value of a good XDR solution. These solutions make data correlations for security teams, connecting across the entire IT environment to see threat events from endpoints, cloud assets, the network, and email and web gateways. When teams can ignore the noise and focus on actionable logs from a single dashboard, they are much better equipped to identify and stop criminals.

There is distinct value in XDR and SIEM solutions, but they should work together to maintain their value proposition. XDR solutions will continue to focus on specific, and more detailed, data sources stored for shorter periods of time for real-time alerting and response activity. SIEM solutions will continue to collect summarized information, from a larger number of data sources, for longer periods of time to solve general security use cases and compliance requirements. One of those data sources will be metadata and alerts from XDR solutions.

Q3. What are Trend Micro's plans at Black Hat Europe 2021? What technologies/services/capabilities do you plan on highlighting at the event?

The best cybersecurity platform must leverage the best research. During Black Hat 2021, we'll be giving attendees a peek behind the curtain of Trend Micro Research. We have undisputed leadership in vulnerability research globally. We will shine a light on this during our threat defense challenge, where participants can get hands-on with our post-patch vulnerability intelligence and turn it into protection mechanisms to block exploitation.

Beyond this in-booth & virtual challenge, check out our talk on vulnerability intelligence, a joint session on robot reversing, and an arsenal session on a unique take on CTFs that our teams have had a lot of fun with.
