Podcast

Uncovering the Hidden Security Threat of IoT with Jay Leek

Unlock the secrets to secure your connected world with powerful IoT security solutions.

“If you don’t assume that there’s going to be some level of detect and respond kind of fail back mechanism, then you’re going to come up and be very disappointed one day because you didn’t build those layers of defense in, but you should 100% lead with prevention, if you ask me.” – Jay Leek

In this episode, John and Brian speak with Jay Leek. Jay is a venture capitalist investor with a unique background in cybersecurity, having served as a consultant, corporate executive, and the first CISO in private equity. He is the co-founder of Syn Ventures, a venture capital firm investing in the best early-stage cybersecurity startups in the world.

Jay Leek’s career path has been a winding one, from consulting to being the first CISO in private equity. He then started a fund that has done well and has partnered with a four-time CISO to start a second venture fund. Through this, Jay and his team have invested in the best, brightest, and most exciting cybersecurity startups. Meeting more than 500 companies a year, Jay and his team invest only where the team, technology and total addressable market are all in the right place. After four years of searching, they finally found a company that could actively defend against and remediate IoT security risks rather than just discover them. Jay and his team have made it their mission to help CISOs solve their security problems and provide the best possible solutions.

In this episode, John and Brian speak with Jay about the following:

1. How former Fortune 500 CISOs are leveraging their experience to help the world’s biggest companies through venture capital investments.
2. How companies are leveraging automation and preventive approaches to combat the shortage of security professionals.
3. How CISOs are tackling the problem of IoT security through prevention measures.

Announcer:

Welcome to the IoT Security Podcast, powered by Phosphorus Cybersecurity, your source for securing the extended internet of things. Join the conversation with your hosts, Brian Contos and John Vecchi.

John Vecchi:

Well, hello, everybody. You’re listening to the IoT Security podcast live on Phosphorus Radio, and I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we’ve got an amazing guest today, somebody that, as soon as we started this podcast, I was telling John I really, really want to have this guy on, and that’s none other than Jay Leek. Welcome to the show, Jay.

Jay Leek:

Thanks. Amazing. I don’t know if that’s the right word to describe it, but we’ll see what happens.

Brian Contos:

Jay, you have one of the coolest backgrounds, I think, of people that we bring on our podcast, and you have a great complement of this hands-on, technical operator, up into what you’re doing today as a venture capitalist investor. Could you give our listeners a little bit of background about how you came up and what it is that you do today?

Jay Leek:

Yeah, sure. I cut my teeth as a consultant back in the late ’90s, early 2000s, and then I went on to run corporate security globally at Nokia, internationally at Equifax, back when it was the only credit bureau that hadn’t been breached. And then I wanted to be the first CISO in private equity, where I was the CISO at Blackstone. And, there, I got the opportunity to work with all of our portfolio companies as well on our security strategy, and led our early stage cybersecurity investing off the balance sheet.

And then in 2017 I started my first fund called ClearSky Security. That fund’s done very well. And then last year, one of my partners, who is also a 20-year, four-time CISO, Patrick Heim, he and I started SYN Ventures. And so over the last 18 months or so, we’ve raised 500 million bucks across two funds and we invest in the best, the brightest, and the most exciting early stage cybersecurity startups in the world.

I’m excited to trade fighting the Russians, Chinese and the North Koreans for wondering what 35 CEOs are doing with my money every day. It’s not really my money. It’s money that really, really important people have trusted me to give to those CEOs.

John Vecchi:

Exactly.

Jay Leek:

So it’s a different set of problems, but it’s one that makes you sleep slightly better at night.

John Vecchi:

I can imagine, Jay. Like Brian said, it’s so interesting because you came up, as you said, as a consultant, then you were a CISO.

And what’s interesting is your time at Blackstone, you worked with other companies, portfolio companies. When you look at what you’re doing today with SYN Ventures and your other ventures, is it equal benefit of the CISO side and having that interaction with those other portfolio companies that gives you the insight you need to do what you do?

Jay Leek:

No, so I think it’s… also a little different. So the answer’s kind of yes to that question, but maybe from a slightly different angle. So what’s really different about us and SYN, and my background, is Patrick and I are the only two former Fortune 500 CISOs full-time in a venture partnership. The only guys that have started a fund.

Patrick and I summed it up one day: he and I collectively have procured somewhere around a half a billion dollars of security technologies throughout our careers. Directly, I’m not talking about what our broader teams even did, just within our hands-on direct procurement. And so with that, we have a lot of scar tissue. We have successes, fortunately, as well. We have a lot of knowledge of what the gotchas are, in compliance and privacy and HR, with your DevOps teams or infrastructure team or the developers, and where the rubs are, and all this kind of stuff.

And so we get to really bring this voice to the customer into the boardroom, into the investment strategy. If you look at our portfolio, we don’t expect anyone’s going to come and look at the SYN Venture portfolio and go and just procure that as their security program.

But as we’re putting this together, we very much think about it as we’re building a security program and what are the best of breed technologies in these different categories that we would want to deploy if we were sitting CISO. And then what we’ve done is we’ve set up a CISO board of advisors with the five percenters, if you will, the forward-thinking CISOs in the industry really.

We work with those companies closely in helping them think through their security strategies, what their needs are, whether we invest in companies or not, and we get to be an advisor. We don’t have any accountability day to day for the operations, which is fantastic, and we really help a lot of some of the biggest companies in the world, some of the brightest CISOs in the world. We get to learn from them and get to work with them and help them figure out the unique problems that need to be solved and how to connect them with emerging technology to do that.

In a way, I would say we feel like we’re the next evolution of our CISO careers, where we’re still very much engaged and involved in this CISO community. Whether you’re on our board of advisors or not, please reach out to me or Patrick anytime. We’re here to help people solve problems. We know how hard it was when we were sitting in that seat for years. The reason why we were successful is because we had great people to help us solve problems. I’m not putting myself into the great people category, let’s be clear about that. But we had people that could really, really, really help us think through things, and we get the opportunity to help people think through things as well.

I think that’s really what has made us successful. Because if you look, not just at Patrick and I, but the broader team, we’re all operators turned investors. Everyone on our team is either a current or former CISO, a former CEO of a mostly publicly traded or very large security company, or a former founder of a company that has had billion dollar exits and stuff. And so we very much are operators understanding really what the problem is because we dealt with it for many years. Then we try to bring that into our investment thesis and then try to connect the dots with people who have those needs as well, and do it very surgically so we’re not just creating more spam and noise in the industry.

Brian Contos:

Jay, when you and your team look at the vast landscape of cybersecurity companies, those that are just up and coming. They might be based in the US, or Israel, or somewhere in Europe, or Asia, wherever it is, you have a purview into pretty much everything. I can’t ever remember asking you about a company where you didn’t have some level of insight. I’m wondering, is there a specific formula you and Patrick apply when you’re looking at these organizations and you’re trying to determine, do they have the right package? Is it the right product, or leadership team, or market timing? How do you see through all the noise to get to the really relevant aspects to say, “Yes, this is a company I’d like to invest in,” or, “Nope, this isn’t right for us,” just because you do see so many?

Jay Leek:

Yeah, so for starters, I mean just to give you a glimpse into it, we invest in somewhere between 1.5 to 2% of the companies we meet per year. It’s pretty consistent. For years, we would track it. It’s actually a metric that we follow pretty carefully. If we go above the 2%, we almost wonder, are we doing something wrong, quite frankly. And so that means we’ll meet over 500 companies that we never met before this year alone, as an example, and so it’s a lot. One is just getting the reps in. It’s unfortunate for some people, but sometimes in the first five or 10 minutes, we know this isn’t going to go anywhere, or in the first two minutes it’s not going to go anywhere. Then if you get through a 30-minute meeting and you go on to the next one, it doesn’t mean it’s going to go somewhere. But that’s meaningful, though, because actually there’s not a lot that gets to that next level. That’s one, just putting in the reps.

Two, though, there are a number of ways to answer the question that you’re getting at. One is purely from an investment thesis perspective: we summarize our investments at the highest level into the three Ts. There’s team, TAM, and technology. Total addressable market, technology, and team. For the stage in which we invest, on the earlier stage side of the equation, team by far is number one, period. Without exception. The technology and the TAM, the total addressable market, have to be there. But those are interchangeable in numbers two or three, quite frankly. But if the team isn’t number one, then we can’t invest. I can tell you countless times where it’s awesome tech, the opportunity is huge, and there’s no way in hell we’re going to sit in a board meeting for the next three to five years with this guy. Can’t invest, which sucks. But it happens a lot, as an example.

And then if you were to look at it more from a practitioner point of view, we arguably raised over the last five years just under a billion dollars around one fundamental problem, and that’s the people issue. There’s not enough talent, not enough professionals to solve the growing demand, and then I would take it a step further and say, even if there were, our adversaries are using technology to attack us today, versus five years ago maybe. And so if you don’t have technology to combat technology at software speed, then you’re behind, even if you had enough people. You have to use next generation capabilities or technologies in order to be able to defend the enterprise with software as well. It’s not just purely a people issue.

And so if you think about that as the high level problem that we’re trying to solve, we fundamentally believe every aspect of a cybersecurity or information security or whatever you want to call it security program is ripe to be replaced if you can deploy a next generation piece of technology and you can manage the risk to the same level, but maybe even at a better level, with materially less resources.

That then has all kinds of interesting branches around… That means there’s a prevention oriented approach on how we do things. Because if you can stop it, you don’t need people. If you have to detect and respond to it, that by definition requires people. That means pure visibility and not actually leading into being able to do automated remediation, active defense, and all these kind of things like that just creates noise and busy work. And by definition, we don’t need more busy work because we don’t have enough people.

That means that automation is really, really key, and we’re not talking about SOAR or whatever. We’re talking about automation throughout the whole security program outside the SOC, everything that you do. That means driving efficiencies through platform plays, meaning where you often would have multiple technologies to solve a problem, consolidating that into one technology, even at a startup level, so you can drive efficiencies so you have one throat to choke. It also means that we fundamentally believe that unless you were born in the cloud in the last 10 years, you’re going to be hybrid in perpetuity. And so you don’t have a cloud oriented and an on-prem or whatever, you have a purpose-built hybrid cloud solution, basically.

There’s all kinds of different things like that that go into this efficiencies operation and prevention kind of play to really help with the people issue. Once we get past the team and say, “All right, the team’s great. Of course the technology looks pretty solid and the demand is there. The TAM is there.” All right, now let’s start understanding how you start addressing these other buckets.

John Vecchi:

Yeah. Wow. It’s incredible. There’s so many questions, Brian, we could talk about here even with that. But one of the things, Jay, you had mentioned, and we’ve heard you talk about this before, is we need more preventative technologies, and as you said, you build your portfolio thinking in terms of how a CISO might want to deploy a security program and the kinds of technologies that they may need. So when you combine that, is it harder today to find the kind of technologies that check all those boxes? The team, the tech, the TAM, and all that stuff? Is it harder today to find preventative technologies that you would consider next generation, or the ones CISOs might really want to deploy? Or is it easier today for you?

Jay Leek:

Let’s take a step back there. I don’t know if it’s harder or easier. I would say that there have been a lot of broken promises over the years, where people, companies, startups over the last 20 years, to me as a security officer too, promised they could prevent it. In reality, they couldn’t. And so therefore we’ve fallen back to this detect and respond in many aspects of our security programs because prevention doesn’t work. Well, I call BS on that. Technology’s catching up with a lot of the broken promises. I think that we’re finally growing in. Many companies are finally having a large enough dataset, curated datasets, training models. They really understand machine learning versus just playing with it before. Customers are willing to take on different risks and understand really what the trade-offs are better than they did previously.

I do think that prevention is actually very possible in many aspects of your security program. Now, is it going to be 100%? No. So you do have to fail back to a detect and response sometimes or to alternatives, but that should be the fail mechanism, not the primary mechanism. But I do think if you don’t assume that there’s going to be some level of detect and respond kind of fail back mechanism, then you’re going to come up and be very disappointed one day because you didn’t build those layers of defense in. But you should 100% lead with prevention if you ask me. And I think that it’s very possible. I mean, just look at our portfolio if you want. See a lot of companies that have the possibility of doing that. That wasn’t possible even five years ago, let’s say.

Brian Contos:

Yeah, well prevention’s always been the gold standard people try to achieve. Well, what you can’t prevent, you try to detect and respond. But the further you go down that line, the more expensive it becomes, to your point, because you need more and more people added to that equation. It just adds to complexity. You might not even have those people available.

I’ve been traveling a lot and meeting with executives and meeting with security operations folks. The Middle East and Asia, Europe, US, all throughout this year, and talking about xIoT or extended internet of things. The thing that comes up time and time again was we feel like we’ve been blindsided because we weren’t really thinking about these IoT devices, these printers, these voice-over-IP phones, these digital door locks or these network devices and wireless access points or these OT devices as a way to potentially get in and attack our IT assets or attack our cloud assets, these pivot attacks. We just weren’t thinking about that.

But now they wake up one morning and they find out I’ve got 50,000 of these things in my network. They’re woefully insecure. A lot of them have default passwords and these organizations are getting backdoored left and right. They’re like, what happened? Why do you think xIoT just snuck up on everybody, because it’s certainly getting a lot of buzz as of 2022 and it certainly will and beyond, but it just kind of came out of the shadows. And why is that, do you think?

Jay Leek:

So I mentioned that we have a CISO board of advisors we established back in 2017. We meet every single October, actually. We meet in October because it’s deep enough into the planning cycle for the next year that you can bring your plans and what you’re thinking about for the next year. But you’re not so far along that you can’t influence the roadmap for the next year as well. And so it’s very deliberate, and we do it across industry, and its diversity is diversity of industries, of people too, but largely of industries. So we can bring different types of thinking across industry together, collaborate, and have knowledge sharing of how to solve various problems in a different way, because you usually get groupthink, because retail meets with retail, financial services meets with financial services, healthcare meets with healthcare, et cetera, et cetera.

And then if I were to dust off a slide from October of 2017, we somehow or another, across 12 Fortune 500 CISOs across 12 different industries, agreed on what the top five initiatives for 2018 were, okay? And they all had different iterations and variations of what they were doing. But at a fundamental high level, these were the five areas. Four of the five had very clear paths on what they were going to do. The fifth one was IoT security, okay? It’s crazy because what we wrote in 2017 is we need a way, a nomenclature or some kind of language, to describe it in a unified way in order to be able to have any hope of protecting this, and we need to figure out how to secure it, not just be told it exists and speculate about the problems. But, big capital but, we have no freaking clue how to solve this problem.

And so we spent the next five years meeting with 50 some odd companies. Half in Israel probably, but all around the world, not just in Israel and the US and whatnot, trying to figure out who was thinking about this problem that way. Literally all 50 companies, until we met Phosphorus, were thinking about discovering some assets, telling you about something anomalous they thought about this asset that was interesting to you, for you to go manually run down to find out you didn’t give a shit about it. Multiply that times 50,000 devices, as you said, when I only have 5,000 people. It’s a lot of freaking work. And so what happened was that it became this insurmountable effort, basically. Unless some compliance regulation told me I had to do it, why do I want to do discovery and anomaly detection for something I don’t care about?

And so you got a lot of broken promises. There have probably been more venture dollars put into IoT security companies than there is revenue across the whole industry today, over the last five or 10 years. That’s changing significantly, don’t get me wrong. There are some players that have emerged, such as you guys especially. But the key here is that there’s no one else in the world that we know of that’s doing remediation and prevention, actually fixing the problem.

So now I just gave you your plug. I wasn’t trying to give your plug, but it’s true. It’s the reason why we’re talking here today. But it literally took us four years to find a solution to a problem that we identified a long time ago. Granted, these are the CISOs that are thinking far ahead here. When we think about our board of advisors, we want to think a year to 18 months ahead. Thinking four years ahead is usually really bad for a venture bet. But fortunately we didn’t make a wrong bet, and we were patient until we found the right bet to make.

John Vecchi:

Right, yeah.

Well, and it’s interesting, Jay, because sometimes I step back and look at the billions of dollars that have been invested in advertising for technologies that basically tell you what you have, but don’t really fix anything. Is it accurate to say that that can affect how CISOs think about this solution when they’re hearing for years, with all the dollars getting poured into companies that don’t quite fix it, but we’ll sure as hell find it for you and tell you how bad it is? Does that have an impact on CISOs in their reasoning? That all we can do is just discover, we can’t go fix it. Is that a mindset?

Jay Leek:

It does. So here’s the thing. A CISO’s got, let’s say, 100 things to do, and they can only probably get 10 of them done. Even if they have a budget to do 50, they probably only have the bandwidth to get 10 done. Let’s just be honest with ourselves, all right? So you’re constantly juggling risks. And so people are like, “How can they accept the risk?” It’s like, “They’re not accepting the risk. That’s a risk along with the hundreds of other risks, they’re only going to get to 10 of them this year.” So they’ve got 90 others along with it. And so I’m a big believer in these strategic initiatives that if I don’t do it, we’re going to go out of business.

And then there are these low-hanging fruit initiatives that this isn’t going to put me out of business, but it’s in my top 20 list, and if I can bang that thing out relatively easily, all of a sudden it becomes number one or number two for me, actually. But in reality it was number 20, because I figured out a way to take that risk and just eliminate it. I don’t have to worry about it anymore. That only happens whenever you’re able to remediate something and you’re able to actively defend against it, and being able to effect active defense remediation before I have a problem equals prevention to me, right? If I can put it in that bucket, then all of a sudden it bumps up from whatever it may be.

And also, what’s happening is we would always start the year with, here are the top 10 things we are going to do. I guarantee you there are things in the bottom five and things in the top 25 that shift throughout the year. I mean, every year for five years at my prior firm, I had a mobile security project in the top 10. And every year for five years, it dropped out of the top 10 before I ever got to it. Because in theory, it’s a big issue, everyone’s got it, it’s how they’re doing business. 70% of email is checked on a mobile. You’ve got to figure there’s probably something to do here. And then in reality, ransomware is a bigger problem. Okay, let’s go deal with that.

John Vecchi:

Yeah, so does it mean, just a quick follow up, that if CISOs understand they could address this problem pretty efficiently, effectively, in a preventative way so it’s proactive and it kind of works, that, like you said, it will bring it up into some projects they’re going to do?

Jay Leek:

I 100% believe so. I’ve spoken to many of your customers and that’s exactly what they told me. They’re like, “Look, I love…” I’m speaking on behalf of insert Fortune 500 CISO name: “I love what Phosphorus does because I deploy it and it eliminates the risk and I don’t have to worry about it anymore. And I can go focus on things that aren’t easy to solve,” right?

That’s really what’s important here, because it’s a big risk, it’s a huge exposure, but yet we’ve just accepted it for the past 10, 20, 30 years. Now, I’m going to argue it’s not only because we didn’t know it exists. It’s because we’ve been accepting it as a risk for so long we forgot it exists. It’s because it was unmanageable to manage.

What were you going to do? You’re going to send a bunch of help desk guys around to 50,000 printers to change the password? No. You know what I mean? And then the cameras, and then the this, and then the that, and then the whatever. And then something breaks and someone’s got to go change it. But I actually outsource, I don’t even own my printers. I outsource to Xerox, they [inaudible 00:24:14] this and all this kind of stuff, right? And it’s like, no. If you can’t solve that problem with software, you’re going to move on to something else you can solve with software.

John Vecchi:

Yeah, that’s true.

Brian Contos:

You’re going to do nothing, right? You’re going to do nothing as it addresses that problem because there’s no way for you to really address it in a meaningful way. I’ll use this analogy, and I’m stealing it from an oil and gas company that I was meeting with in the Middle East about a month ago. But they likened it to going to the dentist. If you go to a dentist and they go, “Oh wow, looks like you’ve got some bad cavities,” and you’re like, “Well, fix them.” “Well, we’re not here to actually fix your teeth. We’re just telling you you’ve got some cavities.” You’re like, “Well, what do I do?” And, you know, you’ve got to go figure it out yourself.

What they like about a preventative approach when it comes to xIoT is it’s like, hey, it can tell you you’ve got a cavity, but even before you get the cavity, it’s going to do the brushing and the flossing and everything else that you need to do to prevent you from actually getting it. And they said, when we’re talking about not even 50,000 devices, but hundreds and hundreds of thousands of devices, without prevention, we just can’t even look at it. It’s just not even doable. To your point, Jay, we’re not going to have a football team full of people armed with paperclips to go around resetting all these devices that we don’t even know what we have, what they do, what they’re running. It’s just a net zero. That’s great to hear that you’re seeing similar things.

What I’m wondering, actually, is, again, you’re seeing everything from the new vendors and new products and what’s hot and what’s coming out. What are you seeing from the threat landscape side? Again, you were a practitioner. You were a CISO. You’ve done all these things. You’ve seen the threat landscape morph and mature over the decades. What are some of the big threats now? Or are they just the same threats we have had?

Jay Leek:

In a way, they’re the same threats. Those don’t go away. What’s heightened it more and piled on top of the same is you’re starting to see this war in Ukraine has definitely caused Russia to think about how they are operating differently. Versus, it used to be Russia as a country you would think about from a geopolitical, more non-economic gains perspective.

Cyber crime is very different, obviously. Let’s just say, not going into specifics on the call, since this is going to be forever recorded in history, I have strong beliefs that that’s changed. That’s not going to change as long as sanctions are in place, and those sanctions are going to be in place for a long time after this war is over. And so that’s just going to forever change, I think, a superpower, basically. Arguably probably the third-biggest superpower. I think that’s something that people have to be very mindful of.

Number two, so much of what used to be a sophisticated attack is available for lease, for very unsophisticated people, for very low dollars, with lots of upside. And so everyone, for whatever reason, I always found it so fascinating. I can say for five years I had at least one to three incident responses going on across our portfolio at Blackstone. Most of it’s just stupid stuff. But it’s important things, you know what I mean? But it’s not like a Chinese nation state actor is highly targeting you, or is coming after you necessarily. But everybody, for whatever reason, wants to believe they’re so important that they’re highly targeted by the Chinese or the Russians or the North Koreans, or the Iranians or whatever. In reality, they’re probably not that special.

However, they are being targeted by somebody because they want to make some money off of you. You’re low-hanging fruit and it’s an easy target. I think the bar to get in to do things that used to require highly sophisticated threat actors has just lowered so much. I mean, the fact that you can go online and get ransomware as a service, and I can get 8-by-5 tech support or 24-hour tech support if I want to pay a premium for it, is just amazing. And so I could be really stupid and go launch a ransomware attack against people. Who knows.

So I think that that bar has just lowered, and so it opens up a lot of opportunities for a lot of other threat actors, who might not be sophisticated, to do just as much damage.

John Vecchi:

And when you think in terms, Jay, of CISOs and organizations trying to keep pace with that, and let’s say, you talked about maybe a CISO will have, and you had this too, your top 10 list. And yes, it’s fluid, some things are moving, but in general maybe five of them are fairly solid that you’re going to try to go do. When you look right now today, what is that top five list in terms of the CISOs you’re talking to? And secondly, does whatever’s on that list instruct how you view venture opportunities, or do you kind of separate those two in some ways?

Jay Leek:

No, no, no. They’re very much, again, we think about our investments very much as how we would build a program if we were running a Fortune 500 company security program today. Look, it’s all about shrinking your problem. You want to shrink your footprint, shrink your problem down to something that’s manageable. So you want to minimize that attack surface area. So again, we’re speaking to these preventative controls and different kinds of walls and different layers and whatever that you put in place so that you can limit your attack surface exposure, shrink your problem down to something that you can put your hands around. And so your top five are going to revolve around things like that, in addition to compliance or regulatory drivers, unfortunately, that you have to meet, that may or may not make you more secure.

And then the one exception, I mean it’s really unfortunate, but ransomware is probably in the top three of any company in the world today. It’s a big problem. It’s not going away. It’s getting worse. It’s more of a distraction than anything, but it’s a big problem. It has to be solved. And I think, I’ll tell you, it’s just a matter of time before you see a big ransomware from xIoT. Maybe you guys are aware of something I’m not aware of that’s actually happened. I’m not aware of it, but can you imagine? I mean, the only reason why it hasn’t happened yet is because Windows is just too easy. But as soon as Windows gets a little bit harder, and fortunately we’re also trying to make it harder through some of our companies. Think about what happens if all of a sudden, you know, you have 50,000 endpoints, but you’ve got 2 million xIoT devices and I don’t know any percentage that’s measured in whole numbers that isn’t available? It’s just a huge problem that’s waiting on the horizon. So getting ahead of that, I think if I were still a CISO, I would really be thinking about that. And I’m not trying to pitch you. It’s the whole reason why we’re here today and why we believe in what you’re doing.

Brian Contos:

Well Jay, we could go on for hours and hours, but I do want to ask you one last question before we wrap up here, and it’s kind of double clicking a little bit on the statement you just made there. So for a CISO that’s listening into this podcast or somebody that’s just hands-on keyboard security operator, and they’re just now starting to really get a sense of XIoT is something that I’ve got to start really paying attention to. Whether it’s because it could attack my IT assets, it could have a physical impact, shutting down power or spying on me through cameras and audio equipment, or on the OT side, and they’re just starting to think about it. Where should they start? What’s the best way for them to say, okay, I realize XIoT is an issue. What do I do now? What should be my next step as a security leadership in my company?

Jay Leek:

So for starters, don’t go try to figure out how many devices you have. I know some of the most sophisticated CISOs in the world think they have X and they have X times significant more. I don’t know anyone that’s gotten it right, including myself. But discovering the device doesn’t help you really, now you just know your problem’s bigger than what you thought it was.

To me, the first step to prevention is to take control of that device, and how do you take control of that device? You rotate the password, you get off the default password. And if you could just eliminate the default password risk and understand that you have control of that device and that password’s been rotated in some kind of complex way, you’re probably deterring the vast majority of the noise out there that’s going to come after you. That’s not going to deter that nation state, but that’s a totally different level of sophistication.

From there, there’s all kinds of other creative things you can do and you should do, run firmware upgrades and all this kind of stuff and blah, blah, blah. That’s a whole different process and you should totally think about that. But as far as starting somewhere, I want to control my device, I’m going to rotate my password, I want to onboard that into my PAM and I want to make that part of the standard IT operations that I run today for the rest of my organization, like just standardize. Do anything that we are doing for everything else. It’s mind-boggling to me that we haven’t gotten there sooner, but we haven’t as an industry. And I think that’ll just simplify your life. That’s about driving operational efficiencies. It’s a process you already use today, and that’s where I would start.

John Vecchi:

Yeah. Well, and Jay, we launched Phosphorus Labs just recently and issued our threat report. And one of the things we outline in there is that 50% of all these XIoT devices are deployed with default passwords. The other 50%, good news, bad news, they may have been changed, but they were changed at the point they were deployed and never touched again. And usually with a password that you can pretty much easily guess. So I think your advice is very sound. I think Brian would agree. We hear this, we’ve heard this multiple times, and although we can go and update the certificates, we can harden the devices to shut off Telnet and Bluetooth and wifi and other extraneous ports and protocols. We can go do firmware, all those things. But as you said, it comes down to very first, at the minimum, let’s rotate and update the credentials. And I think incredibly sound advice, right, Brian? I think something we’ve heard before, right?

Brian Contos:

Yeah.

Jay Leek:

And we didn’t rehearse that one. That’s just my opinion. I’m glad I didn’t know we’re aligned because you start talking, I was like, oh crap, did I say something wrong?

Brian Contos:

No, it is, and we’ve been saying this in security since people started talking about security, but it’s always get back to basics and this and that. But the analogy we always use for XIoT is XIoT security today is kind of like IT security was in the early 90s. It was, it’s pretty basic stuff. What do I got? What’s it running? Does that have a good password? Is it patched? So on and so forth. And the other side of the equation that you don’t really see so much on the IT and cloud side, which is kind of interesting, are these banned devices, these devices like Huawei and HKE and Hikvision and things like that, that the US government has just now said, look, you can’t sell these in the US. You can’t even import them anymore because they have a propensity to spy on people with audio and video and you can’t really shut it off and it streams that to some location that’s being mined. And one of the features that’s really interesting about our product, and again, I don’t want to pitch product here, but I think it’s a really cool thing for folks to know about, is if you have these devices in your environment, they’re insecure, you can’t patch it, you can’t rotate the passwords to fix it. You can’t do anything to fix it because the underlying code is built with malicious intent.

So what you need to do is you need to brick it. So one of the things that our solution does is intentionally we’ll go out and discover these devices and say, “Hey, you have 300 of these devices that are known to be malicious from the manufacturer. Do you want to brick them? Yes or no?” And hopefully the answer is yes, and then you can go out and replace them with new gear. But that’s not something people had ever had to really think about in any other category than this, that I know of.

Jay Leek:

Yeah, no, that totally makes sense. So well, that’s a new feature. I didn’t know you guys did that. So learn something new every day.

John Vecchi:

Yeah, it is a new feature and I think for government agencies and of course that FCC rule was not just for government, but it was actually for everybody. And they even stated for the persons of the United States. So I think something like that could really help.

But amazing, such a fascinating discussion. Jay, it was so awesome to have you with us today. And so thank you really so much for joining us today. Thank you, Brian. But Jay Leek, man, thanks for joining us today.

Jay Leek:

Thanks for having me.

John Vecchi:

And remember everybody, the IoT Security podcast is brought to you by Phosphorus, the leading provider of proactive full scope security for the extended internet of things. And until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

And we’ll see you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.