Satish Mohan, CTO of AirGap Networks, discussed "AirGap Networks" with Priyanka. In this show Satish discusses what an "air-gapped network" is, the difference between traditional physical air-gapped networks and virtual air-gapped networks for enterprise applications, the high-level architecture of AirGap Networks, steps to protect networks including identity, and the importance of network segmentation. They also discuss the ransomware kill switch and virtual ring fencing of IoT devices, and end the show taking a deep dive into policy enforcement and observability.
Show Notes
Related Links
- What is an Air Gap? – Definition from Techopedia
- Council Post: The Ransomware Epidemic: How Zero Trust Security Can Help
- The Rising Cost of Malware
- https://www.se-radio.net/2019/10/episode-385-evan-gilman-and-doug-barth-on-zero-trust-networks/
- https://www.se-radio.net/2020/04/episode-406-torin-sandall-on-distributed-policy-enforcement/
- https://www.se-radio.net/2020/12/episode-438-andy-powell-on-lessons-learned-from-a-major-cyber-attack/
- Satish Mohan’s Twitter
- https://www.linkedin.com/in/satish-mohan-520697
Transcript
Transcript brought to you by IEEE Software
This transcript was automatically generated. To suggest improvements in the text, please contact [email protected].
SE Radio 00:00:00 This is Software Engineering Radio, the podcast for professional developers, on the [email protected]. SE Radio is brought to you by the IEEE Computer Society and IEEE Software magazine, online at computer.org/software. SE Radio listeners, we want to hear from you. Please visit se-radio.net/survey to share a little information about your professional interests and listening habits. It takes less than two minutes to help us continue to make SE Radio even better. Your responses to the survey are completely confidential. That's se-radio.net/survey. Thanks for your support of the show. We look forward to hearing from you soon.
Priyanka Raghavan 00:00:46 Welcome to Software Engineering Radio. I'm your host, Priyanka Raghavan, in conversation with Satish Mohan from AirGap Networks, and we're going to be discussing the topic of air-gapped networks. Satish is the chief technology officer at AirGap Networks, where he's responsible for technology architecture and program innovation. Having known Satish for a while now, he's also well known in the area of building distributed large-scale systems, so his wealth of experience comes from that. Satish, we're really glad to have you on the show. Welcome.
Satish Mohan 00:01:20 Hi Priyanka. Thank you very much for having me on the show. Absolutely looking forward to this.
Priyanka Raghavan 00:01:26 Is there anything else that you would like to add about yourself for listeners to know before we jump into air gapping?
Satish Mohan 00:01:32 Well, I think you gave a great introduction, by the way. Thank you very much for that. So my background really spans a variety of systems, starting from building large-scale distributed systems all the way to cloud-based applications, security, and software-defined networking.
Priyanka Raghavan 00:01:49 Great. So let's just jump right into the show. And the first thing we'll do is maybe start with a round of introductions on the topic. So at SE Radio, we've done shows on network security. We recently did a show on BGP. We have had a show on zero trust networks, but we've actually never talked about air gap networks. What is the term? Can you explain that for our listeners?
Satish Mohan 00:02:14 Sure. So the term air gap networks: the term, historically, the way to look at it, it was popularized from defense and financial systems. So these were all absolutely mission-critical systems. You had to protect them at any cost from outside hackers, malware, ransomware, things like that. So what they did at that time was they physically disconnected the system from any kind of network, absolutely isolated it. So there was no network access to the system from other systems or from the internet itself. That is how the term came about. So it's literally, you're putting an air gap around the system. Obviously this provides great physical security, but in reality it makes such systems really, really hard and impractical to use.
Priyanka Raghavan 00:02:57 Where would you use this kind of air gap network? Is it only in military installations, or anywhere else?
Satish Mohan 00:03:04 What we're seeing nowadays is that many of the network-based attacks, such as ransomware, rely on lateral propagation within the network. The way ransomware spreads is it attacks your first victim, and then they scan the network to see what are the critical systems they can laterally infect and compromise. So to protect against these kinds of attacks, historically what's been done is people used to air gap these absolutely mission-critical systems away from the regular enterprise network, so that even if the enterprise network were compromised, the mission-critical systems don't get impacted. It's a great concept in theory, but up to now, until we introduced an air gap network solution based on this, it has been really hard to put it into practice, because the only way of moving data in and out of the systems is physical media. You literally have to take a USB stick into an air gap system, copy the data, and physically somebody has to walk out with it and transport it to a shared network. So it is very hard to operationalize in practice. So we haven't seen these kinds of systems really being deployed in enterprises and organizations; traditionally, the classical air gap systems have been used only in very secure defense installations.
Priyanka Raghavan 00:04:17 So the way you would actually move data between an air gap network and maybe somewhere like a shared network is through some physical means like an external USB drive, et cetera, is what you're saying.
Satish Mohan 00:04:28 Yeah, that is right. Since the systems are physically disconnected from the entire network, literally a human being has to go in there, copy that data out onto some kind of removable media, like a USB stick, for example, and actually copy it out and transport it to another system where they can analyze it, look at it, or share it with other people.
Priyanka Raghavan 00:04:50 So I have one more question with regards to this physical thing. So I've also heard about a thing in the news. I remember reading about an air gap network, like a nuclear facility, and that was actually infiltrated by one of these Stuxnet worms. I think it was an Iranian facility. So it looks like these kinds of networks are also susceptible to attacks like, you know, radio frequency. So have you read up anything about that? Can you elaborate more? How do you protect against that? Can you do something extra to protect against those kinds of attacks?
Satish Mohan 00:05:22 Yeah, that's a great question. So typically these kinds of attacks are carried out by nation-state actors. They're very highly sophisticated attacks, like doing a radio-frequency attack onto a target system. What they've seen in secure defense installations is they place these systems in metal cages, like the term Faraday cages commonly used. So you literally put the system inside of a Faraday cage, so it provides electromagnetic shielding even from radio-frequency attacks. Not very common, but again, nation-state attacks, these kinds of things are very prevalent. And also you bring up a good point regarding the attack on the Iranian nuclear facility, Stuxnet. Well, so again, this is a great example. So they had a lot of programmable logic controllers inside the nuclear facility. So what the infiltration did was, again, through a human vector, they delivered the infected USB drive. Somebody walked into the facility, unknowingly put in an infected USB drive, and then the worm was able to spread within the nuclear facility. So one thing to note here is that you might have air gapped a bunch of systems from the outside network, but still those systems within themselves are still vulnerable to being infected, unless you also make sure that you micro-segment each system individually. All this leads to the conclusion that we do need some kind of a network micro-segmentation architecture to be put into place on any kind of shared network.
Priyanka Raghavan 00:06:46 So in other words, if I were to paraphrase, don't fall into the trap that air gap networks do everything for you. You still have to do your defense in depth and have micro-segmentation, et cetera.
Satish Mohan 00:06:58 Right? Definitely. And as we all know, any good security strategy is built upon layered security. It's never the case that organizations adopt one particular type of security technology and claim they're immune to malware attacks. So you have to build up your security layers to provide a good defense strategy.
Priyanka Raghavan 00:07:17 Let's maybe switch gears to say what your company does, which is, I think, a virtual air gap network. Am I right? Could you talk about that? What does that involve?
Satish Mohan 00:07:27 What we have done is we have borrowed this popular historical term, air gap networks. And as you rightly said, we provide a virtual air gap network. So the problem we are really trying to address is the enterprise campus networks. So if you look at traditional enterprise networks today, like if you had to walk into an office, let us say, so your device, your company-issued laptop, or maybe you have a mobile phone, it automatically gets authenticated and placed onto the wireless network because you are a trusted employee, and immediately, based on the wireless network that you join, you're assigned certain roles and privileges. Like, for example, you might be able to access the engineering network or the IT network, things like that. What we have seen is today, in this post-COVID-19 pandemic, hybrid work has risen in prominence. So people are moving in and out of campuses.
Satish Mohan 00:08:18 So when you are within the campus, you're protected with layers of enterprise security software stacks. You have your next-generation firewall, you have your endpoint protection, multiple layers protecting you. But at the same time, an employee may decide to work from a coffee shop on a few days, and unsuspectingly he or she might click on a phishing link delivered by an email message. That's a very popular attack vector to compromise the first victim. So now your device gets infected, and the next day you walk into your office environment, again, the enterprise location, your laptop joins a shared network. And the way shared networks have been built is they're based on VLAN technology. So within VLAN technology, there is no protection across devices east-west within the network itself. It's a shared broadcast medium. Historically, it's been around since the late eighties. It's based on devices broadcasting on the VLAN network and communicating with each other.
Satish Mohan 00:09:16 So this provides an ideal opportunity for the malware or ransomware to literally, within a matter of a few minutes, largely infect other devices. Again, network-wide, it finds a particular device which has enough credentials to go after your data center assets, cloud assets, maybe a subnet, an IoT subnet, which can further lead to compromise of sensitive business data. So what we do as AirGap Networks is basically micro-segment your enterprise network. So the moment you walk into your enterprise, your device, a laptop, is placed into its own virtual isolated network. So no data can get in or out from your device unless it's an authorized flow permitted by the AirGap security appliance. So we've picked up on this notion to provide that solution, called zero trust isolation. Obviously we have extended this to different scenarios like hybrid workforce on campus, secure application access, and different areas built on this.
Priyanka Raghavan 00:10:14 So that's very interesting. So one more thing I want to ask you before jumping more into the architecture is: so you've got your air gap network that's protecting your key assets, as you say. But one of the things I have discovered in my podcasting journey is, one of the first episodes I did with the CISO of Maersk was about this NotPetya attack that they had, and the case study with that is what we did in that episode. And the key finding from that was the importance of an offline backup, because the company was able to bring up its resources, because they didn't have a good offline backup, and finally they were able to bring up the entire AD from one particular computer, which was not on the network because of some sort of a power failure in one country where this company operated from. So can you maybe talk a little bit about the importance of, say, an offline backup for all your key resources? That still holds good, right, even though you've air gapped, et cetera?
Satish Mohan 00:11:11 Sure. Definitely, offline backups are an important component of a good ransomware defense strategy. Again, building on the concept of layered defenses, recent attacks have shown that this is not sufficient. What attackers are now doing is they're resorting to something called double extortion, or there's a term called triple extortion. So what they do is, once they breach into an enterprise, they exfiltrate all the sensitive data out and put it up on the dark web. And in fact, last week there was a very recent attack where a prominent Fortune 500 company was compromised, and literally on the dark web there is a counter ticking off until the ransom is paid. If the ransom is not paid by that particular time, what happens is they release the data for sale on the dark web. So definitely a very scary scenario for an enterprise, having the sensitive data just being sold on the dark web. So this is what double extortion is. Triple extortion is they frequently come back and breach again and exfiltrate, or threaten to release it again in spite of the ransom being paid as well. So definitely really scary scenarios. And as you can see, you might use an offline backup to recover your data, but it doesn't prevent the attacker from releasing sensitive data into the public domain. The only way to solve this: you need to prevent the attack from happening in the first place.
Priyanka Raghavan 00:12:28 So maybe we can switch gears and get into the architecture. Can you talk a little bit about the network architecture? What I mean is the components, and how do they communicate?
Satish Mohan 00:12:39 So the AirGap network architecture is based on deploying an inline security appliance. So when I say security appliance, we do support both physical and virtual form factors. In fact, most of our customers prefer the virtual form factor. So this appliance is actually deployed onto your shared VLAN network within the enterprise. So what we have seen is typically one appliance is sufficient to cover a medium-size organization, which may have like tens of VLANs and several thousands of devices. We provide different capacities and form factors, but usually one appliance is sufficient for one enterprise location. So this security appliance gets its configuration, policy, and control from a SaaS-based solution. It's hosted on the public cloud. We onboard the customers onto a SaaS portal. Everything about the security appliance is managed through the cloud interface, kind of thing.
Satish Mohan 00:13:33 And once you've deployed the AirGap security appliance, look at how it operates on the network. The AirGap security appliance becomes the default gateway within the shared VLAN network. Commonly we take over the DHCP functionality within the network. So when systems on your network request IP addresses, we will hand out IP addresses. And there's a certain core part of our technology which enables us to handle IP addresses in such a way that any system, when it wants to talk to any other system, has to go through the default gateway. And since we are the default gateway, it puts us in the ideal position to inspect the traffic and only allow permitted flows to go through. So the nice thing about this technology is it works for both enterprise systems and for IoT systems. One of the challenges with other existing security solutions we have seen in the market is that with IoT devices, it's frequently impossible to install any kind of security agent on the devices, because they are running proprietary operating systems; the vendors who support them frequently cannot even install anything on them. So there is no other way of protecting these systems other than the AirGap approach, where we actually sit on the network, inspect the traffic flows, and only allow authorized flows. This kind of gives you an idea of how the architecture actually works. Everything is cloud managed. The appliances are on-prem. They can also be placed in the cloud as well. We have customers who use different form factors. We have a whole range of options around these.
Priyanka Raghavan 00:15:08 So if I understand, the SaaS-based solution that you have, does that only store the configurations required for having this gateway in your network? Is that what you're saying? Or...
Satish Mohan 00:15:19 That is true. In fact, this is a question we frequently get asked by potential customers. So we do not store any customer data in our cloud at all. It's only the configuration. Frequently, we do store some analytics information, but this is for our ML-based algorithms to come up with better predictive suggestions on how to protect your network. But again, it's only the metadata which is stored in the cloud, no customer data.
Priyanka Raghavan 00:15:45 So Satish, I also have another question, and you can stop me if it's a very basic or a dumb question. But one of the things is I currently work for an organization where we build products on the cloud. We don't have any on-prem solution at all now. And of course we also store customer data, but it's all on the cloud provider database, et cetera. In this kind of thing, can you also do air gapping on, say, the important DBs which are holding customer data, and, you know, some of the, you know, eventing, a stream can be put in some other network? Or, for example, in Azure you have this thing called a virtual network. Can you air gap that virtual network?
Satish Mohan 00:16:23 Definitely. So air gapping networks in the cloud can certainly be achieved. Probably the easiest way to achieve it, I would say, is to start with the cloud provider's own network security settings, both AWS, Azure, and Google Cloud. All the cloud providers provide you notions such as a VPC, security groups, and policies. That is a good start, I would say. Any good approach to protect a cloud workload also has to be combined with good DevOps hygiene, DevOps methodology. So the challenge is slightly different in cloud environments. It's not only that you need to protect against network-based attacks, which certainly is a very important component, but also you need to enforce good IAM controls, roles and authorizations, and who can access different things. So I would say, again, the same layered defense: build your security in layers.
Priyanka Raghavan 00:17:10 When you say ease of deployment, is there any tooling that you do in terms of the architecture, like for someone to get your solution running on their VLAN, for example? How easy is it to deploy it? Is it just a one-click?
Satish Mohan 00:17:25 It's literally one click, in the sense that all our customers need to do is just bring up the VM on their VLAN network. And the moment you boot up the VM, it shows you a six-digit activation code. So the customer just copies the code, punches it into our SaaS portal UI. We complete the handshake and download all the policies, all the configuration, everything, and your network is up and running. So it literally takes a few minutes to bring up an air gap network, compared to legacy approaches.
Priyanka Raghavan 00:17:54 Then once you're on there, so you have full observability on everything, all the devices in the...
Satish Mohan 00:18:01 Exactly. Once you have activated and onboarded the AirGap network, what happens is we immediately become the... we assume the role of the DHCP IP address assignment functionality within the network. We also become the default gateway. So by doing that, within a few minutes, all the traffic within your network starts flowing through our security appliance sitting in your VLAN. Not only is our appliance enforcing security policy, but it's also gathering analytics, which are immediately pushed to our cloud portal. They become visible in a few minutes, and we have very interesting options. Like, we learn from the traffic, and based on the learning we kind of recommend suggested policies and things like that, based on common ransomware attacks and threat intel feeds we are continuously monitoring. So we actually kind of come up with a recommendation saying that right from day one, here is something you need to install to make your network instantly secure from all these attacks.
Priyanka Raghavan 00:18:58 So going back to that coffee shop example. So I have got my air gap virtual net in my company VLAN, and my device has visited whatever coffee shop and it's infected. Now I come on to the office. I mean, obviously, not physically, but virtually through the office network. What happens then? So how will this gateway recognize that this is a faulty... that something's wrong with this device?
Satish Mohan 00:19:23 Going back to the coffee shop analogy: you are sitting in a coffee shop, you unsuspectingly click on a phishing link. Some popular ransomware strain gets launched on your particular laptop. And let us say the next day you either physically join your enterprise network, or virtually via maybe a remote access VPN solution. So the moment you do that, what happens is your system is now part of your enterprise network. Like any normal enterprise system, it will request an IP address, become part of the VLAN network which is being managed by the AirGap security appliance; it joins the AirGap security network. We place a virtual ring fence around your device. We do a couple of smart things around the networking to make sure that no traffic can go in and out of your device unless inspected and authorized by AirGap. So now let's say your ransomware, which might be sitting dormant on your device, now starts to go active.
Satish Mohan 00:20:18 It starts to scan the network to see what are the other systems it can compromise. So it immediately detects the scan. And based on, again, configurable user policies, we can actually quarantine the device immediately. And there may be smarter ransomware which might try to circumvent the AirGap virtual ring fencing mechanism itself. So we have strong controls in place around that. So we actually detect such attempts, and again either automatically quarantine this particular device or alert the operator through our alerting mechanism, saying that, hey, this device on the network definitely looks suspicious from our point of view, so we have basically quarantined it so that it cannot do any damage on the network, but it's left for the operator to do further forensic analysis on it.
Priyanka Raghavan 00:21:04 But do you also have people complaining about the speed, because now it takes a while to get onto the network?
Satish Mohan 00:21:08 No, actually. In fact, we are the inline security device, in that sense; all the traffic flows through us. We have extremely low latency packet forwarding built into our product, extremely high throughput and extremely low latency. So for a normal enterprise, we have actually tested it with large enterprises of thousands of users sending several gigabytes of traffic through it, and a normal user would not notice any difference. I'm not saying that there would be zero latency; there'd be a few milliseconds of latency on certain transactions, but a normal user would definitely not notice anything. They'd let you work normally, uninterrupted in any way. Of course, our solution also has full high availability. For example, you might ask me, what happens? Is the appliance not a single point of failure?
Priyanka Raghavan 00:21:54 Yeah, exactly. I was going to ask you that next.
Satish Mohan 00:21:58 So what happens is, we actually let you deploy a cluster of such appliances, so all of them kind of form a redundancy cluster, kind of thing. So even if one of them were to go down, a backup instance would take over its function. The traffic would automatically get routed to the backup instance. So other than a few milliseconds of delay, you will not notice anything, even if an appliance were to fail.
Priyanka Raghavan 00:22:21 The delay is not much. And you'll be immediately able to detect that something's faulty and have an alert go to either the organization or the user. Is it something like a command and control center that you're going to be alerting? Like, how does this observability go back to the organization? Does it go to the organization's command and control center?
Satish Mohan 00:22:43 We have two ways of alerting built into our product. So one is definitely our own SaaS portal, where we have all the alerts and notifications getting streamed in real time. But we do realize that most enterprises like to actually consolidate different security solutions into a single SIEM. SIEM is a common term for the security incident and event management system, kind of thing. A good example is Splunk, for example, is a good SIEM. We do stream out events, logs, and payloads to any industry standard. So most SecOps personnel would just use a single pane of glass across all these different security products and take proactive action based on that.
Priyanka Raghavan 00:23:24 Okay, that's great. And maybe we can, again, switch gears and talk about a few key steps in protecting the network. So apart from your threat intelligence that you talk about, you know, which is actively making sure that the latest ransomware threats are caught, the other thing that you talked about in the beginning was identity management. And I guess it would be that multi-factor authentication is also very important in the zero trust network. So I guess anyone joining the network, how does that work? Would they have like a two-factor authentication? How do you trust them,
Satish Mohan 00:23:56 Devices? This is very relevant now because of the hybrid work scenarios we've been seeing. The traditional ways of remote access into our enterprise assets have always historically been based on technologies like VPN, which is virtual private networks. So the way VPNs work is they create things like an IP tunnel from your device into your enterprise network. So once the tunnel has been set up, you have complete network-level access to all your applications. It's almost as if you're actually sitting inside your enterprise network. So recent breaches which happened: there was this Colonial Pipeline attack, the gas pipeline in the US. So here the attack was actually based on a VPN breach. So the VPN did not have two-factor authentication. The credentials were compromised. The attackers were actually able to get into the Colonial Pipeline network and compromise a large number of systems.
Satish Mohan 00:24:50 So the way the industry has moved forward from these kinds of VPN-based solutions is to provide an alternative method of access, or zero trust network access. To compare and contrast with the VPN network: once you're connected to the network, you have access to all the systems, and this access is... that means your critical applications are always exposed to the network, irrespective of whether they're being accessed or not. Let me give you a good example. Let's say you have a finance application or the HR portal within your enterprise. So you as an authorized employee have 24 by 7 access to that finance application the moment you're on the VPN. You can go to the portal for the finance application, log in using your username and password, and get into it. But if your credentials were compromised, an attacker would be able to do the same and get into the finance application. Contrast that with a zero trust network architecture, where access to the applications is not provided at a network level, but it is what we commonly call session-based access.
Satish Mohan 00:25:50 So the way you would access such a system using the architecture is you go to a browser and you type in a special URL, kind of thing, which will lead you to a ZTNA gateway, and AirGap provides a ZTNA gateway. Technically it's a reverse web proxy. So the request actually goes to the reverse web proxy. At that point, we look at your request and say that, oh, we need you to first authenticate with a single sign-on provider. So we integrate with popular SSO solutions like Ping Identity, Google, or Azure AD and other solutions like that. So what you notice as a user on your browser is, the moment you try to access your finance application, your browser gets redirected to Okta, let us say, using Okta, right? So you'd be forced to authenticate using Okta, and Okta has capabilities to do things like multi-factor authentication.
Satish Mohan 00:26:39 It would send a push alert to your phone, and you can even take it further. You can even enable biometric authentication, like a fingerprint or retina scan. You can get really fancy with it. Once multiple factors of authentication have passed, we get a confirmation back from the single sign-on provider saying that this person has been authenticated. And then what we do is we open a point-to-point connection to your finance application just for your authenticated session. So now, as a remote user sitting outside, maybe sitting in a coffee shop, just in that particular browser tab, whichever is open, you just have access to the finance application. If you had to switch to another tab and close your browser, you would have to re-authenticate again. Compare that to your VPN-based access. Once you create a VPN tunnel, you're logged into the enterprise network, and now any ransomware which has compromised your laptop is given free means to compromise the whole network. So this is an important part of AirGap's secure application access strategy.
Priyanka Raghavan 00:27:38 I guess your key resources are always like this, I guess, this network segmentation too. You'll have finance and all that stuff in one place, and I guess other critical resources that are in another place. That is also a given, right? Right.
Satish Mohan 00:27:53 Definitely. There've been these two historical concepts. There's something called a campus, we like to call it, the enterprise campus. The campus has been the place where people like employees actually go and work, sit and work, kind of thing. But if you look at the modern campuses of today, in the 2020s era, other than employee laptops and people who bring their own devices, like mobile phones, maybe IoT devices, you will not see any sensitive business assets being stored in the campuses. Your sensitive assets are usually stored in databases, file servers, Windows shares. And these are typically hosted within the data center. So AirGap provides two levels of protection. So one is within the campus: we prevent your ransomware from infecting other users by air gapping each system. And even from your compromised system, when the ransomware tries to access a data center resource (now, when I say data center, it could be the old-school physical data center, kind of thing, or it could be a modern cloud-based data center), we actually gate that access and force that access to go through AirGap's multi-factor authentication, single sign-on integration solution. So we provide double protection that way.
Priyanka Raghavan 00:29:03 Trust no one. So I have repeated this line a couple of times, but it wasn’t from a Google engineer who said, never trust your network, it’s probably already compromised. So that’s the philosophy as well.
Satish Mohan 00:29:16 Exactly. The term zero trust, actually, is popularly referred to as never trust, always verify. Take a step back and think what it really means: do not assume that a particular access to an application is authorized just because of the physical location of the client, like the client is within a secure perimeter. Don’t assume it’s a safe access; always verify the access with multifactor authentication.
Priyanka Raghavan 00:29:43 Traditional things like IP whitelisting?
Satish Mohan 00:29:45 Exactly. Don’t do traditional security defenses.
Priyanka Raghavan 00:29:49 In one of the articles on the blog in your company, which also talks about zero trust isolation, is this what you’re referencing?
Satish Mohan 00:29:57 Exactly. Isolation is a new term that we use to kind of say that, hey, we are virtually isolating or ring-fencing each of your devices. We don’t trust any device just because it shows up on the enterprise network, but we always force it to authenticate and allow only authorized traffic.
Priyanka Raghavan 00:30:14 Anyway, for anyone setting up my network, I think these are good lessons to learn. So I like the term ring fence. So that’s great. So, you know, whenever you have something that you’re not really aware of, you know, try to do this virtual kind of ring fence around it, and it goes through all the necessary checks before coming in. And of course, like you said, identity is truly important, and just one way is not enough. You need multiple factors to prove who you are. The other thing, which is interesting, I wanted to talk about since we are seeing quite a lot of ransomware attacks: there’s this thing called the ransomware kill switch. What is that? Can you explain that a bit?
Satish Mohan 00:30:55 I think of the ransomware kill switch as like the emergency shutoff switch at a gas station. Or another analogy we like to draw is watching the Hollywood movies, especially the ones around impending nuclear attacks. The US government typically has different DEFCON levels. They say let’s move to DEFCON level one or DEFCON level two. We made a clever play on that word and came up with the kill switch. All it does is it provides different color-coded buckets of security profiles and policies. So we have different color levels in green, yellow, orange, and red. As simple as that. If you log into a SaaS portal, you’ll actually see a switch which looks like a physical selector switch with four colors on it. So the idea is like this. Normally, when operations are in green, everybody has access to their authorized systems.
Satish Mohan 00:31:42 Things are going. Now, let us say you suspect that a particular system has been infected with ransomware. It’s just a suspicion, it’s not a confirmed fact. At this point, you might want to move the network to a slightly elevated protection level. You toggle the switch from green to yellow. So what happens when you move from green to yellow is we shift the network security profiles to a different pre-configured profile. So again, what the security profile is in yellow varies completely from customer to customer. We leave it to them to define what access is allowed within the yellow profile. But here’s an example. You might say that when I’m green, everybody has access to all the systems, fully operational. I move to ransomware threat level yellow: maybe I shut off access to my databases and ERP systems. Everything else continues working. As the threat level increases, you move from yellow to orange or to red.
Satish Mohan 00:32:34 And you could say, when I move to orange, now my financial systems are completely offline. You get the idea. And then when I move to red, complete network access is shut off except allowing certain forensic analysis to take place, because in this situation you cannot always a hundred percent shut off network access, because then it’s impossible for a forensic team to root-cause where the attack started and shut down the system. So you definitely want forensics to take place, but you want to contain damage or further compromise within the network. So the nice thing with these kinds of layered approaches is what it lets you do is, even if you go from green to threat level yellow or orange, certain important business functions can continue to go on. For example, a CEO of the company might be on a Zoom call.
Satish Mohan 00:33:17 You don’t want to shut that off just because you went to threat level yellow or orange kind of thing. So all of these can be pre-configured policies, and the ransomware kill switch essentially provides an easy way: just by flipping the switch, you change the state of the network, what is reachable and what is not reachable. Before we introduced this term, we actually spoke to hundreds and hundreds of CEOs. And we asked them, in fact, this question: what would you do if your SecOps guys come running to you and say that, hey, we suspect there’s been a ransomware breach? What would your first reaction be? The most common response we got was this: we go into the data center and start yanking out cables. People used to do that. That’s like a panic response to the notification that they had been breached by ransomware. People immediately start taking systems offline to prevent further damage, because you don’t know where the ransomware is spreading, how many systems are impacted. You immediately want to shut off access. People just power down everything. So what we are providing is a very sophisticated, controlled way of just flipping a switch in software and immediately shutting off network access on your networks, enterprise networks, your business applications.
Priyanka Raghavan 00:34:52 How do I find out, as an organization or enterprise, what level I should be at? Is there some kind of way, like, do you help scan the network? Like, can I do a vulnerability assessment and then decide?
Satish Mohan 00:35:05 There are a couple of ways to do it. We provide API integrations with other security tools, again going back to the concept of layered defense. So let us say you have some tracking software installed on your network, maybe a popular EDR-based solution on your network. Some of these other security vendors also do a great job, like identifying lots of attacks. So what you could do is set it up in combination with those security solutions: when an attack is detected, you could actually have an integration call an API into the AirGap system and have it flip the switch from yellow to orange automatically. So there is an automatic response possible in that. Also, one could actually run periodic vulnerability scans on a network on a time basis, and if the scan detects something suspicious, that could be a trigger to plug in an API integration or manual intervention to flip the ransomware kill switch.
Priyanka Raghavan 00:36:01 How long does it take for the vulnerability scanner to run? Like, does it depend on the network and how many devices?
Satish Mohan 00:36:07 So it definitely depends upon the size of the network. In fact, if you go to the AirGap website, we provide our own version of a lightweight ransomware vulnerability scanner. So what it does is, you just download the tool. That’s a simple Windows-based utility. You can just run it on any Windows laptop (a macOS solution is coming up soon too), but you run it on a Windows laptop within your enterprise. It scans a lot of assets within your enterprise, it scans your networks. If you have a Windows Active Directory set up, it will scan the Windows Active Directory and figure out what are all the systems on the network which are vulnerable to popular ransomware attacks. We have compiled a lot of data from previous ransomware attacks. It’s like a database which is constantly updated. So we can look for these common vulnerabilities. So we will provide you a comprehensive report saying that these are the systems which are vulnerable.
Satish Mohan 00:36:58 And also we identify which systems are more compromisable too. Like, for example, you mentioned NotPetya as a particular ransomware strain, right? We actually identify that these four systems on the network are compromisable by NotPetya. So we actually identify to that degree of detail. This can provide good visibility. It’s a simple tool. You can run it at any time. And there are other security vendors like Qualys and a couple of vendors who also provide excellent tools to scan your network on a regular basis. I think it’s part of good security hygiene to do periodic scans and let your SecOps team analyze the results.
Priyanka Raghavan 00:37:36 What about the whole case where some people ask, have you done a ransomware or, say, a malware assessment on your network? How does one go about that? Do you just draw out a network diagram and then see, okay? I mean, what is the level of detail? How do you, can you model for such things? I’m not only talking about ransomware attacks, but maybe, you know, other kinds of attacks, I don’t know, phishing attacks. So what’s the kind of modeling? Is that something that you recommend people do?
Satish Mohan 00:38:06 Yeah. There have been a couple of tools that have been put out by, I think it’s the US Department of Homeland Security, which you can actually download off their website. These actually help you build a model for the security posture for your enterprise. What these tools do is, think of it more like a guided questionnaire kind of thing. They leverage the best practices they’ve seen in good organizations which have protected themselves successfully. So they actually walk you through this questionnaire, force you to think through the scenarios. Think of it like an internal audit of your network by just answering this questionnaire. And you’re absolutely right that these kinds of tools actually make you draw the topology of the network, ask you to build out the inventory of what systems you have, what operating system versions they’re running, what patch levels they’re running at. It’s all part of good security hygiene to actually take you through this exercise, force the thought process to perform an audit of a network, and definitely a good practice to do at any point of time, because it’s all part of good security hygiene, like keeping systems up to date with all the latest.
Satish Mohan 00:39:11 If you have all of the operating systems patched with the latest security patches, that would reduce your compromise risk significantly, right?
Priyanka Raghavan 00:39:19 That’s interesting that you talk about patching, because I think a couple of attacks recently were also caused by updating to the latest patch, because I think there have been cases where a malware or something was introduced in a patch. So you know, that’s a delicate balance, right? Like you need to patch, but you also have to make sure that the patch is not one little.
Satish Mohan 00:39:40 I think you’re referring to the cost. Yeah, exactly. A little before that there was the SolarWinds attack. Both of these are what I term supply chain attacks. So supply chain attacks, it’s a whole category of attacks where there is trust in one here: you are trusting the software vendor. So you are trusting the SolarWinds company to actually follow good security hygiene, make sure that their software repositories are not compromised. You are implicitly trusting the vendor and installing their patches, installing the agents. And the cost actually went after the supply chain component. It compromised it at the source. So most unsuspecting users downloaded the latest update thinking they were protecting their systems, and, as you rightly said, got compromised. I think the industry is still in the beginning, still trying to come to terms with how to protect against these kinds of attacks. A lot more hygiene and policy has to go around that. But again, I would say combine that with a good network micro-segmentation strategy, like the AirGap solution, putting in a little bit of a plug here, which would ensure that even if individual systems were compromised, widespread network damage would not happen.
Priyanka Raghavan 00:40:49 One of the key takeaways from this is in the steps to protect your network: don’t trust anyone, including a management form that are learning to do security. Segmentation is a big key thing, like where you place your critical resources and having an account. We’ve covered also a little bit about the scanning capabilities. Can you talk a little bit more about IoT devices now? They are prevalent like everywhere, right? Like you had mentioned at the beginning, they are traditionally very difficult to secure. So the only way out is coming through your gateway, right? Is there anything special that you do? Like, how do you ring-fence an IoT device?
Satish Mohan 00:41:25 This is the use case where I believe AirGap’s agentless solution for ransomware protection really shines, because if we look at other traditional approaches to ransomware protection, they’re all based on some kind of endpoint defense. So we call them endpoint detection and response. As we previously covered, on the IoT device it’s almost impossible to install any kind of security vendor’s agent on it. A web camera in a conference room, you cannot install anything on these devices. Also, they are frequently most vulnerable to attacks because they are usually running custom operating systems or outdated operating systems, which may not have all the security controls a modern Linux or a modern Windows operating system would have. So they’re very easily breachable, and attackers frequently use these as a launching pad to further probe the network and infect other systems. So this is where the AirGap solution really shines, because we provide network-level micro-segmentation. We’ve got a security plane sitting on the network. Your IoT device, automatically, when it requests an IP address from an AirGap security device, we virtually ring-fence it automatically and allow only authorized traffic.
Satish Mohan 00:42:36 For example, we will shut down any access if your IoT device is talking to a CEO’s laptop, which it should not be in any case. We would flag that access and quarantine the device. Let us say we could set up security policies saying that, think about the Apple TV or Roku device used for streaming video, right? So in the conference room, people usually share their presentations to an Apple TV. We will ensure that communication always goes from a Windows laptop or a macOS laptop into the Apple TV, but no outbound connection from the Apple TV to any other device on the network. So that way, that is unauthorized as far as we are concerned.
Priyanka Raghavan 00:43:12 Interesting. So there’s no way someone can hack into the...
Satish Mohan 00:43:17 You can get very, very granular with this. So all this is happening because of the rich profiling and learning we’re doing within the network.
Priyanka Raghavan 00:43:24 Like you just mentioned. Yeah. We spent hours, companies spend hours coming up with policies, but actually no one really follows these policies unless there’s a very strong implementation. So how do you solve this problem? Like, once somebody defines it, the enforcement, how does that happen? What is the, I guess, advice for companies?
Satish Mohan 00:43:42 We have had years of experience building security products. We do recognize how creating and maintaining security policies is an out-patient challenge for organizations. So what we have come up with, we have tried to simplify the process of creating and managing policies. So the way we do that is we introduced something called an autonomous group, or a group- or tag-based model, where your SecOps person can create groups based on certain network attributes or device attributes, like operating system, manufacturer. We also partner with other security companies. For example, if you have other EDR vendors deployed on your network, they actually compute device security scores or a security posture. Like, another security vendor can tell us that this particular, for example, Priyanka’s laptop has a security score of 75. So in our portal, we can say that, hey, all laptops with a security score greater than 75 whose operating system is such and such, maybe Windows or macOS.
Satish Mohan 00:44:42 Maybe we can also say, does it have a valid device certificate issued by the enterprise? These devices should be allowed to communicate with our finance systems. So really, really fine-grained tag-based policies. Compare and contrast this to traditional firewalls, where policies have always been based on IP addresses. It’s very hard to manage in a dynamic environment like an enterprise because IP addresses are constantly changing, DHCP lease renewal, and people are walking in and out. So the same thing soon falls into disuse and people just blanket everybody to talk to everybody kind of thing. So it’s really hard to manage. So we have tried to solve this with something called autonomous group-based policies.
Priyanka Raghavan 00:45:23 Making things fine-grained also makes it very confusing, right? So it’s just that correct balance, because I was working in a company where they had these role-based accesses and they kept adding roles. And finally there were some 150. So nobody knew what role they needed to access a particular thing, so the way they solved the problem was give everybody system admin, because it was a mess. You bring home a very important point, that how you set up your policies is also a very important part in protecting your network. The question in terms of observability: you did say that you send your logs, et cetera, to any of these observability tools like Splunk for dashboarding, et cetera. One of the questions I had was also about the isolated network, right, the AirGap network. What about that? The question I want to ask is, do you have a score like every day saying, you know, it’s good today? Like you had your green, orange, red, do you have the same thing for each of these isolated networks, saying that it’s good, it’s been scanned, it’s good? Like, what’s the kind of observability that you can give at that segmentation level?
Satish Mohan 00:46:32 Talking about comprehensive security solutions, continuously observing and monitoring threats, trying to look for known attack vectors and patterns: all these need to be part of good security hygiene. Any SecOps organization needs to build this tooling and infrastructure in place. Having said that, we actually sit very close to the devices in the network, literally on the shared VLAN. We’re looking at all the chatter which goes on between the devices. A lot of the modern-day devices, especially IoT devices, they talk to each other quite a bit. You’d be surprised if you look at the traffic on the network, there’s a lot of chatter going on using protocols such as Apple’s Bonjour protocol. And then there is another protocol called multicast DNS, the mDNS protocol. So there’s a lot of this chatter going on. So AirGap is constantly listening, learning from all of these protocols.
Satish Mohan 00:47:23 We are monitoring the devices for threats and any unauthorized communication. We are also working on certain technologies based on the concept of NDR, network detection and response, which look for advanced threat patterns. For example, most of the ransomware attacks, they exhibit a common pattern in the sense that once they find, let’s say, a Windows file share or a network file share to encrypt, they would go about enumerating all the files and directories on that Windows file share, and then they start encrypting it. So these kinds of behaviors are easy to spot and identify and take action on. So we are continuously building new technologies to monitor and observe these kinds of systems. And again, we do send our current reports, alerts, events to SIEM solutions to provide a consolidated view for the SecOps organization.
Priyanka Raghavan 00:48:14 And I guess you also work with other tool providers to even get the data from the scanning that they do, right? Like, say, something...
Satish Mohan 00:48:24 We definitely do learn from other scans. We also subscribe to other intel feeds; there are companies which provide threat intel feeds on popular attacks which have taken place. We use all this information to fine-tune a recommendation system.
Priyanka Raghavan 00:48:39 Asking you a question just purely as a network node: if there was this one thing that you could provide in terms of observability that gives you this big picture of your favorite thing, how would that look? I know it’s tough to visualize on an audio podcast, but maybe you could just throw out some...
Satish Mohan 00:48:57 One of the challenges with observability is there is a lot of noise, false positives. It’s like looking for a needle in a haystack kind of problem. I think you raised a great point earlier. I would prefer any observability solution to have a hierarchical drill-down kind of thing. Like, when you go to a dashboard, as you rightly said, you can see overall security scores for different AirGap networks, what the health status is, and things like that, and then drill down to a particular network only if there is cause for concern, like if the security score has dropped, and then try to diagnose what’s happening. I do strongly believe hierarchical top-down information aggregation is quite fundamental to a good observability solution. Otherwise it’s a pretty unmanageable problem to make use of effectively.
Priyanka Raghavan 00:49:43 It’s probably true of maybe, you know, different things. We talk about networks, but that can also hold true of, let’s say, software bugs or...
Satish Mohan 00:49:50 Definitely, all your cloud-based workloads. It’s a common theme across all software architectures and deployments.
Priyanka Raghavan 00:49:57 Otherwise it becomes the story of the boy who cried wolf, right? Because when the real attack happens, it’s regarded as, okay, it’s just another thing, if it’s a false positive.
Satish Mohan 00:50:05 In fact, if you look at the SolarWinds attack, I believe that is what happened. There was an alert on some SIEM system’s console, but nobody caught it just because of so much noise happening. People mentally start tuning out these alerts after a certain period of time.
Priyanka Raghavan 00:50:21 It’s a very delicate balance. After having this conversation with you, Satish, I think I maybe have to take a course on, you know, how the military does things. It would be worthwhile to learn from there, because I think the key challenge, right, is pretty much the same thing: how do you find out which part of your borders can get infiltrated? Exactly. Yeah. Okay. So that’s great. So I’ll just, I guess, wind down. I think the main things, if I were to summarize: I think we’ve talked about air-gapping networks, the importance of having segmentation, identity, which I think you talked heavily about, saying that it’s so important to not trust anyone and have a zero trust principle in your networking architecture. And of course, observability is, again, something we talked about. Anything else that you would like to add before we end the show on what else we should do to protect your network?
Priyanka Raghavan 00:51:17 Again, I go back to the theme of zero trust security. One last thing I’d like to leave our listeners with is there’s this concept known as the least privilege principle. Basically, what that means is that every component on your system must be able to access only the resources it has been authorized to and nothing more than that. So I think SecOps teams have to take a proactive role in using this as more of a guideline to make sure that even if a system had to be compromised or breached, the damage can be contained. One of the pillars of a good security architecture.
Priyanka Raghavan 00:51:51 This is great. Thank you so much for this enlightening talk. And before I let you go, is there a place where listeners can reach you? Are you active on Twitter or LinkedIn? Available on both, on both Twitter and LinkedIn. I think I’m slightly more active on LinkedIn. Search is probably the preferred way to find me. It’s actually Satish underscore. I’ll add that to the show notes, and I guess we’d also have your LinkedIn profile. It’s been great having you on the show, and I hope you enjoyed it as well. Thank you so much, Priyanka. This was really enjoyable talking to you. This is Priyanka Raghavan for Software Engineering Radio. Thanks for listening.
SE Radio 00:52:32 Thanks for listening to SE Radio, an educational program brought to you by IEEE Software magazine. For more about the podcast, including other episodes, visit our [email protected]. To provide feedback, you can comment on each episode on the website or reach us on LinkedIn, Facebook, Twitter, or through our Slack [email protected]. You can also email [email protected]. This and all other episodes of SE Radio are licensed under Creative Commons license 2.5. Thanks for listening.
[End of Audio]
SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)