Modern Risks to the Internet of Things and Software Supply Chains
In this episode of ConversingLabs, host Paul Roberts chats with Thomas Pace, co-founder and CEO of NetRise, about securing both the Internet of Things (IoT) and software supply chains.
EPISODE TRANSCRIPT
PAUL ROBERTS
Hey everybody and welcome back to ConversingLabs podcast. I'm your host Paul Roberts. I'm the Cyber Content Lead here at ConversingLabs and I am here in the ReversingLabs booth at the Black Hat Conference with Thomas Pace, CEO and co-founder of NetRise. Hey, man, welcome.
THOMAS PACE
Great to meet you, Paul. Thanks for having me. Excited to be here.
PAUL ROBERTS
We're thrilled to have you here. So we're here on the show, the beautiful Black Hat Briefings.
THOMAS PACE
Great view.
PAUL ROBERTS
Yeah. Mandalay Bay. Before I ask you to talk to us about NetRise tell us a little bit about yourself.
THOMAS PACE
Yeah, so I started this thing around two and a half years ago during peak COVID because I clearly like to make my own life difficult. And I live in Austin, Texas. Originally from Pittsburgh. Started my career in the Marine Corps doing not cybersecurity things. Then I worked for the Department of Energy doing industrial control system security. Worked at this company called Cylance for a little while, which was an amazing experience.
Doing ICS and IR work initially, and then I oversaw all of our IoT firmware and embedded system consulting engagements for very large device manufacturers, among other things.
PAUL ROBERTS
Another thing that we have to thank the COVID pandemic for is the birth of NetRise.
THOMAS PACE
Is the emergence of NetRise, yes.
PAUL ROBERTS
Okay, tell us about NetRise. What does the company do?
THOMAS PACE
Yeah, so NetRise, we're a company that focuses on providing visibility and risk identification into a class of devices that historically has had none. And so those devices include, but are not limited to, IoT, industrial control systems, medical devices, embedded systems in vehicles, satellites and telecommunications equipment.
And the way we do that is by automatically unpacking and reverse engineering the firmware.
Reverse engineering isn't, we're actually just like doing software decomposition, basically identifying components, building an SBOM, identifying the vulnerabilities associated with those components in the SBOM, saying are there exploits or not, and then doing analysis across other artifacts that are relevant from a supply chain security perspective, such as public keys, private keys, certificates, misconfigurations, credentials.
And then we give you all of that in a SaaS based platform that you can search, that you can integrate in with other things via our API, that you can build remediations around, alerting, et cetera, et cetera. And so these devices have historically, they don't benefit from this, all of the other normal security solutions that exist.
You can't install an agent. You can't do a credential scan in the same kind of way. There's no way to put EDR on these things, generally speaking. And however, these are the same devices that power the very society in which we all operate and live. And yet we are totally blind to the vulnerabilities and risks that lie within them.
PAUL ROBERTS
Okay. This is the elephant in the living room of the... information security world. Which is Internet of Things devices, embedded devices.
THOMAS PACE
Yep.
PAUL ROBERTS
So much of this was built on traditional IT, securing, traditional IT networks. Windows endpoints. Traditional kind of perimeterized IT environments.
THOMAS PACE
That's right.
PAUL ROBERTS
It's not the reality we're living in now. Talk about if you were to talk about at a high level where the hotspots are around embedded device security, IoT security for companies or enterprises. Where are they feeling the pain?
THOMAS PACE
Yeah, so we, we sell to both device manufacturers and the enterprise.
Those are different selling motions, obviously. And then we also sell to consulting companies and the federal government as well. Imagine the next Log4j vulnerability. Actually, let me just talk about it this way. When Log4j came out, and you're the biggest company on planet Earth, JP Morgan Chase, even, and you want to figure out where is that component in all of my, or do I have that component in all of my routers, switches, security cameras, printers, blah, blah, blah, blah, blah.
Think about the number of device manufacturers that a company like Chase must have. Thousands. Maybe tens of thousands. And you can't just scan it with Tenable and figure out like, oh, here's where Log4j is, or those tools don't work, right? Just cause, they're not meant to do that. And it's not that those tools are bad, those tools are great.
And so you have no way to figure out how to answer that question on your own. And you might think to yourself, won't the device manufacturers let me know, or can't I just reach out to them? Maybe. But what we find is most of them also don't know what software components make up all their devices.
Some of that's for a good reason, and some of that's for not a great reason. And so for an enterprise, if you're dealing with the specter of a remote code execution vulnerability that is known to be generally present in embedded Linux, that is generally what's running on all of your telecommunications infrastructure.
How are you determining if you have that right now? And the answer is, you're just not. And so you're just flying blind. And, before we started recording this we were talking about the Volt Typhoon, nation state threat actor group, that recently compromised some critical infrastructure in the federal government and the way they got into that critical infrastructure organization was by exploiting a vulnerability in a Fortinet firewall. So the very thing that you are expecting to protect yourself against is the very thing that, or not protect yourself against, but to protect you, is the way that now malicious threat actors are getting access into your environment.
How we can continue to operate in this way where we don't think visibility of these devices is important is just not living, is just not acknowledging reality, frankly, at this point.
PAUL ROBERTS
As you pointed out, the traditional protection measures that we're used to deploying, endpoint protection and so on, don't really port so well to embedded devices, too many different platforms, too many different, resource constrained, right?
Is this merely about knowing where your risk is, or are there specific steps that organizations can take, again, both on the producer side, the OEM side, and on the consumer side, the customer side, to address the underlying risk? Because otherwise it's a boil the ocean problem, right? Trying to... lift the level of software quality across all of these different IoT devices. That's a big, that's a big ask.
THOMAS PACE
Massive. Yeah, so I think there's a significant number of compliance frameworks and standards that we can all align towards if we're interested in doing that.
But, my favorite way to change things is to let the market be responsible for making the change. But we're not giving the market the information it needs to determine if it wants to make that change or not. That's the problem. I've said this many times, and this is probably a crazy thing to say as a startup CEO, but, if we can, if I could magically have an SBOM for every single thing that we support on planet Earth right now, and nobody cared about that, then I got to do something else with the rest of my life, right?
But I don't think, I don't expect that to be the case, and that's why I'm doing what I'm doing. If I were to provide an SBOM for every device that JP Morgan had, I'm willing to bet they're gonna have some terse words for those device manufacturers. Yeah. And that's going to force those device manufacturers to probably pursue better approaches to developing products, secure by design, secure to market, et cetera, et cetera. But, we're not even giving people that ammunition right now. It's always, this is what you have in security, you have this perpetual chicken and egg problem, somewhat. It always takes a handful of organizations and people and whatever to like, breach that problem and then, a flood starts.
PAUL ROBERTS
One of the arguments you sometimes hear about why there is such resistance to SBOMs is that there are vendors out there who don't want to open the doors and let people know.
Oh yeah, we've been using this out of date library. This is really about self preservation.
THOMAS PACE
There's no such thing.
PAUL ROBERTS
There are bodies in the closet and they really don't want to open the closet and show where the bodies are.
THOMAS PACE
I'll try to come up with an analogy. So imagine everyone had the flu. Everyone on planet Earth has the flu. And then, someone was like, hey, would you want to take a flu test?
And they were like no. It's everyone has it. So my point here is, everyone is in a bad spot. We have looked at thousands and thousands of device manufacturers, and millions of firmware images. I cannot point to one that is like the beacon of light amongst all other device manufacturers. It does not exist.
So what are people ashamed of? There's nothing. It just is what it is.
PAUL ROBERTS
There's nobody at a comparative advantage or disadvantage.
THOMAS PACE
And by the way, that is going to start changing. So as an example, the companies who have been using our product for over a year and soon to be years, are getting a really good handle on all of the vulnerabilities and risks and making those changes.
And sooner rather than later, those companies are going to be able to say, we are quantitatively better and quantitatively more secure, than X, Y, or Z company who might be a much, much bigger company, frankly. Yeah, but they haven't adopted this mentality yet. So whenever people are like, oh, I'm nervous that we're gonna find problems.
It's like, why are you in this business if finding problems is what you are afraid of? That is, that's what we do.
PAUL ROBERTS
We all know that you can stick your head in the sand, but the one person who's definitely not going to stick their head in the sand is the cyber adversary, right? They are going to, they are on the lookout for these.
THOMAS PACE
Exactly. I say that all the time. Listen, we have an absolutely incredible team at NetRise. I am the, I am really low on the totem pole at NetRise in terms of...
PAUL ROBERTS
Except that you're a CEO.
THOMAS PACE
I'm the CEO, yeah, I'm good at talking to people. But to live in this world where we're the only ones that are capable of identifying these vulnerabilities and risks is just totally untrue, right?
And that's... The only people that are not benefiting from this kind of solution is the end user. They're the only ones not benefiting. The only, it's funny that the people who push back on it the most are the only two people that are being impacted. Which is the device manufacturer and the end user of the device.
PAUL ROBERTS
So let me talk about, so one of the topics that often comes up or one of the arguments is we need more regulation and... And recently we saw the passage of the PATCH Act, which is for medical devices. And this is, of any federal legislation that's ever been passed, gets the closest to some of the things that you're talking about. Which requires medical device makers to have SBOMs, to show that they're using secure development practices, that they are remediating vulnerabilities, etc. etc. It works because behind it is the Food and Drug Administration, which actually can say to a company, you cannot sell your product until you meet this standard.
I think that other agencies may actually in theory have that ability, legally, but they don't use it. The FDA is an outlier that way, but, the PATCH Act is a really good model for how, what this, what it might look like to extend that into other verticals, other types of product, home appliances, manufacturing equipment, you name it. What are your thoughts on that? Is that the way to do it, or?
THOMAS PACE
So philosophically, I am generally not a big fan of regulation.
PAUL ROBERTS
Yeah. You're an entrepreneur.
THOMAS PACE
Yeah, I mean it's just do we see the people running the government?
PAUL ROBERTS
The concern is that you're gonna, you're gonna mandate, you're gonna lock stuff in, right?
THOMAS PACE
I do think that regulation of certain things is obvious.
PAUL ROBERTS
Health safety.
THOMAS PACE
Health safety. So the fact that the FDA does it, I think is a good, it's a good model, even though that my company would probably greatly benefit from regulation. Once again, I'm generally, I'm not like wildly supportive of it.
What, like I said before, let the market do the talking. And now that being said, you have just an amazing amount of work coming out of organizations like CISA who are now operationalizing the SBOM use cases and all of that. And they're providing this, like the toothpaste is out of the tube, right?
Because we have customers come to us and say, Hey, our end users are demanding SBOMs now. There's no regulation. It's just happening. And so now, is that going to be enough to get the mass adoption that we all hope and dream for? I just, I can't know that. But, also as we begin to see the federal government adopt them more for their own, which is happening, they've got the biggest stick on planet Earth.
And I don't mean from a regulation perspective, I mean it from a buying perspective.
PAUL ROBERTS
Yeah, lead by example. This is definitely a model that the federal government is interested in using.
THOMAS PACE
And that stuff ends up translating to the commercial side in a hurry. And you look at other companies who had super early success in the federal government, like Carbon Black, and FireEye, and companies like that, and just, it went well for them.
PAUL ROBERTS
So when you look at the process, and we've seen so many examples, I talk a lot about the web hackers versus the auto industry, the research Sam Curry and his team came out with a few months back. Huge just raft of telematics vulnerabilities, manufacturers and suppliers, the auto industry.
Mudge, you know, a few years ago did the survey, 15-year survey of broadband routers and no net improvement in security across, 6,000 firmware images over 15 years. So there's a lot of kind of evidence that practices are not great. But when you look at it, what are the things that these companies are not doing or investing in that's resulting in these bad outcomes? Vulnerable, trivially vulnerable software pushed into production, pushed out to end users, and then compromised. What part of the build, development, release process are they getting wrong and what types of capabilities do they need to really improve the quality of what's coming out the other end?
Is it just awareness? Is it just...
THOMAS PACE
You always have those things, right? Those things always exist, those like more existential human components. But I think if we're talking about like from a... more tactical, technical product perspective. It's like, how do we know if I have malware on my computer today versus yesterday?
Because I have antivirus running on it. I'm continuously monitoring it. That is possible. Now, not via an agent, but if we have an SBOM as an example, we can continuously monitor those components. To determine if they get vulnerabilities or not. This is not... We're not trying to cure cancer here. Like this is basic. This is like really simple stuff.
PAUL ROBERTS
You're using this Python module library. We learned yesterday there's an RCE...
THOMAS PACE
And that's not to say, here's a vulnerability in this open source component, it needs to be fixed tomorrow. But at least now we have visibility. Now we're making decisions based on data and not which way the wind's blowing.
Now we're doing the same things we're doing on our laptops, desktops, and servers, just using a different approach because a different approach is required. But continuously monitoring, iteratively improving things, etc. It's just the normal things we do already. I don't think it, it doesn't require like a totally different paradigm and thought process in terms of how we address these things.
What's the first step always? Get visibility. Step one. You can't make decisions on things you can't see, right? And if you look at the critical security controls, everybody knows what critical security control number one is. Everyone. What's critical? It's asset inventory. What's critical security control number two? Software inventory. I think that's right. Maybe it's three, but I think it's software inventory, right? And then like critical, and these are in order. In priority order, and so critical security control number like 18 or something is malware defense.
PAUL ROBERTS
Right. Yeah. Ha ha!
THOMAS PACE
How many malware companies do you see around here and how many software inventory companies do you see around here? Now I know software inventory doesn't have, you know, cool threat group names...
PAUL ROBERTS
Not to name anybody of course...
THOMAS PACE
Yeah, I can't think of anyone. But I think it's really that simple, like in my opinion, I don't, it doesn't require this totally net new approach for all of this.
If we always have visibility into what's going on, I don't think the product security teams have enough talent, enough budget, I don't think they have scalable solutions as it stands today. Same thing as antivirus. Let's go look at antivirus 15 years ago. How did that scale? Not great.
You'd have all these management servers and you had to update all your signature databases on time. And then someday, one day someone was like, wouldn't it be neat if we like did all this in the cloud and it's scaled and we only had to make a decision in one place and instead of 20 places, it's the exact same thing.
So you go to product security teams right now and they're using like, a discrete source code tool here and they're using a software composition tool over here. And a certificate management tool over there. And a tool to determine what...
PAUL ROBERTS
That's how you fill the Mandalay Bay with booths.
THOMAS PACE
Here's how you find weak credentials. And these are all separate things. It can be in one thing. We built it in one thing. And we give you that continuous monitoring, we give you that constant analysis, we give you that real time visibility, we give you the threat intelligence enrichment, we do all of the things that you need to do to basically address this thing and continuously monitor these devices.
Like I said, it's a really exciting time. The winds are blowing in the right direction for those of us in the supply chain risk management field. And so all I'm doing is putting up my sail and hanging on.
PAUL ROBERTS
Hanging on. Tom Pace, NetRise. Thank you so much for coming on. That was great.
THOMAS PACE
Yeah. Thank you very much.