IoT For All
IoT For All
In this episode of the IoT For All Podcast, Ryan Chacon is joined by the CEO and Co-Founder of Sepio, Yossi Appleboum, to talk about physical layer 1. Yossi begins by introducing himself and his company before breaking down what is physical layer 1 and what makes it unique. Ryan and Yossi then move into higher-level conversations regarding identifying devices and misconceptions of abilities. They then wrap up the podcast by offering advice for companies and talking about the biggest risks in the industry.
About Yossi
Yossi's passion is delivering simple solutions to complex problems. During the last 30 years, he has been involved in multiple engineering and leadership roles. He started his career in the Israeli intelligence corps (Unit 8200), where he participated in and then led large-scale R&D projects. In the late '90s, together with his two partners, he co-founded and led a couple of startups and developed cutting-edge technologies and solutions that addressed the evolving security and networking markets. After successfully exiting these (in 2012 and 2016), he co-founded Sepio (in 2016), where he served as CEO, focusing on leading the team and the growth path.
Interested in connecting with Yossi? Reach out on Linkedin!
Sepio was founded in 2016 by cybersecurity industry veterans. Sepio's HAC-1 is the first hardware access control platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT, and IoT security programs. Sepio's hardware fingerprinting technology discovers all managed, unmanaged, and hidden devices that are otherwise invisible to all other security tools.
(01:36) Introduction to Yossi and Sepio
(04:51) What is the physical layer 1
(07:05) What is unique about layer 1
(11:23) Identifying devices
(13:31) Misconception of its abilities
(16:01) Advice for companies
(18:04) Biggest risks for companies
- You are listening to the IoT For All Media Network.
- [Ryan] Welcome to another episode of the IoT For All Podcast the number one resource and publication for the internet of things. I'm your host, Ryan Chacon. If you are watching this on YouTube, we would love it if you would give this video a like and subscribe to the channel. If you're listening to this somewhere else on a podcast directory, please feel free to subscribe to get the latest episodes as soon as they are out. On today's episode, we have Yossi Appleboum, the CEO and Co-Founder of Sepio. They are a company that has built the first hardware access control platform, providing visibility, control, and mitigation to zero trust, insider threats, BYOD, IT, IoT, IoT security programs. Very interesting conversation. We talk a lot about some things that are pretty new to the show. We talk about using the physical layer one information as new data source for achieving ultimate visibility. We talk about how to truly identify a device that is maybe, tends to try to hide, hide its identity. We talk about why that matters, a lot of other security related topics and challenges that we're seeing in the space and what are some of the biggest risk enterprises face in the IoT world. So very good conversation, and I think we'll get a lot of value out of it, but before we get into it any of you out there are looking to enter the fast growing and profitable IoT market but don't know where to start, check out our sponsor, Leverege. Leverege's IoT solutions development platform provides everything you need to create turnkey IoT products that you can white label and resell under your own brand. To learn more go iotchangeseverything.com. That's iotchangeseverything.com and without further ado please enjoy this episode of the IoT For All Podcast. Welcome Yossi to the IoT For All Show. Thanks for being here this week.
- [Yossi] Thank you so much. Looking forward to that discussion.
- [Ryan] Absolutely, so first thing I wanna do is have you do a quick introduction for, about yourself to our audience so they can get a better sense of who they're listening to?
- [Yossi] Yeah, so I started my career, you can hear my Israeli accent as a young soldier in the Israeli Intelligence in a famous unit today, 8,200. At that time, it was more secretive than today. That was literally on the beginning of '90. So 31 years ago. Since then I was involved in multiple operations and companies around the world between cyber and physical. IoT's part of that, of course. And I'm happy to be here today. I hope this covers a bit about my career path.
- [Ryan] Absolutely. So next thing, talk about the company. Talk about Sepio a little bit. What do you all do? What's the role you have in the IoT space? And then I'd also love it if you could tell us a little bit about the founding story, kind of how the company came to exist. What the opportunity you saw in the market to kind of warrant starting the company, that kind of thing.
- [Yossi] Yeah, so Sepio is providing a platform for managing the risk that is coming from outward devices. And of course, IoT devices are part of that but there's also OT and there's of course IT equipment. And to me, looking into that in a perspective as I mentioned of three decades we realize that the borderlines between IoT devices and IT and OT is not always clear and one definition does not fit all. So eventually every asset, software, all out or inside organization brings a level of risk and some of that is acceptable and some of that is not acceptable. And every organization has it's own policies of how to manage that risk and how to define what is risky and what is not. So Sepio's approach is to first provide full visibility of all outward assets. Mature organization has quite good tools today to understand the software aspect of that but not so many efficient tools to literally see in one glance, all the assets, all the outward assets and understand the risk that is coming from that. So this is eventually our space. Technology wise, we are literally sitting, as I like to say, on the bottom of the barrel. It's a layer one of physical layer technology. So totally taking a meaningless physical characteristics and being able to use them in order to provide that visibility part. On top of that, of course, there is the aspects of compliance and and management of what is allowed to be connected in terms of, you know, specific vendors, specific functions of devices into sections within the infrastructure. And then of course, the third part of the mitigation of the undesired, unwanted, too-risky devices within the organization
- [Ryan] You mentioned level one, the physical layer. Can you explain to our audience just kind of at a high level, what that exactly means?
- [Yossi] So eventually when we look into the security market especially in the cyber security market there is the OSI seven layers model that eventually each one of the tools in the industry from cloud security to email security to application security and many other firewalls and inclusion detection systems and network access controls eventually map into one or more layers into that model that become, and became actually, the let's call it the defacto Bible of mapping solutions into the stack. The bottom of that stack is the physical layer, layer one up to layer seven and the top layers of course are application security. But the bottom layer has to do with the connectivity layer. The fact that a device wirelessly or wiredly connected into the infrastructure has a physical impact on the connectivity layer. So, you know, ethernet ports, and USB ports, and Bluetooth, and WiFi, all of these are impacted by their physical parameters based on the device that is connected to the infrastructure to the Cisco switches, Juniper switches, WiFi access points to the USB port of your endpoint and so on and so on. So being able to look into that considered for many, many years undoable physical layer that has no protocol and no addresses and all of that. And using that new data source in order to provide that visibility would, is actually generating a new perspective, a new ability to map everything without the need to analyze the behavior of devices or the traffic inside the network as in a layer two, layer three, layer four. Security solutions.
- [Ryan] So, so then let me ask what is so unique about that layer one data and how does it help, like, you identify devices and kind of just work in general to kind of provide value.
- [Yossi] So just imagine your hand touching the desk. You have a unique fingerprint and that unique fingerprint as a identification, or allow to identify you regardless the name you'll choose to use on that day from Ryan, you can change your name on the screen to someone else, the fingerprint never change. So does any outward device, eventually the components inside your mouse or inside your computer has a unique behavior and the combination between these components and the layout of the printed circuit board that carries all of these components. And then eventually the, even the manufacturing process has a slight impact on these physical parameters, the voltage, the current, the impedance, the slope of signals, the noise, electrical noise that device is doing. And without being too academic, we can literally look on these parameters as literally the lines on your finger when we fingerprint you. So your Dell XPS 13 laptop will have a totally different fingerprint than your Raspberry Pi and all of that. Now you ask a very important question. What do you do with that? Or in, in a way why it brings or how it brings a value. And first understanding the tech surface for any security professional is crucial and being able to map all devices is a significant part of understanding that access. The challenge is how do you do that in outward devices without focusing and without building actually a hay stack of unbelievable amount of data that is based on the network traffic. And solutions in the industry that are quite good but eventually required to tap into the network traffic, tap into the activity, and eventually analyze activity. So I see a video packet that goes from east to west meaning there is an IT camera there. Yes, it is working and it is very precise but the challenge is first how you deal with that in a magnitude of, you know, hundreds of thousands of or millions of data streams running in parallel. And how do you do that in an highly secured or regulated or under compliance organizations? If the traffic is encrypted, you cannot do that. If the organization cannot share privilege data, private data with a third party tool. And we also, what happened when a third party tools get an unlimited access to a privilege information, the Solar Winds incident is still fresh to many, many people in the industry, that's a problem. And our approach is and our technology is totally different. Being able to map these devices based on the fact they are just there, regardless what they do, regardless if they are active or passive, on or off, sending information or don't send information, contributing anything to the network or not is kind of a game changer. I would add another important piece here which is existing network traffic or activity monitoring tools has there needs, of course but it creates kind of a glass ceiling into deployment into a distributed organizations or quite large organizations or any restrictions, as I mentioned couple of minutes ago. And the fact that you don't need to monitor the activities, see the privileged data and all of that, literally breaks that glass ceiling of technology, enable organizations to map everything without any nightmare to do with IT and compliance.
- [Ryan] One thing I was thinking about was you talked about earlier on kind of the ability to identify devices and is there, how often do devices try to hide their identity? And when that happens, how do you kind of solve that?
- [Yossi] So it's not, you know, I would say that finding a log device is the crown jewel for every security vendor in our market. And, and of course you are happy to mention these names and mention these incidents and talk about these James Bond, so called James Bond stories. And there are plenty of these but in a hundred percent of the cases, organizations don't know fully what they have there. So it's not the device trying to hide, it's the device is just not being mapped because of the limitations of technology, because of the inability to deploy tools that require huge projects into, you know deployment in order to bring that visibility. And eventually, you know, one of our board members, she's experienced, smart woman with history in the CIA, once said a sentence that I keep mentioning which is for a CSO or for a security expert not knowing what's there is literally signing on a empty, you know, like an open check you sign on that you are responsible for that but you don't know what you are responsible to. And, this is the case in a hundred percent of the cases, a hundred percent, we see devices inside organizations that the organization didn't know about. And it's not just BYOD. Shockingly, the infrastructure of the organization, people really don't know, and there's always the aha moment as we like to call it that, oh my gosh, I didn't know it's there, it's not patched, it's really old. It's really risky and that happens, always.
- [Ryan] Gotcha, that makes a lot of sense. Yeah, I appreciate you kind of breaking that down. I wanted to shift here for a second and ask you something a little bit higher level. What are, from the companies that you work with, customers of yours, what are some of the biggest misconceptions about what security solutions in the IoT space can actually do and detect? I'm sure there are a lot of them, but I'm just curious What do you come across the most that you have to kind of explain or maybe shift focus on because it's a common misconception about the capabilities.
- [Yossi] So, you know, I would list the three top ones. One is, especially from a customers that still struggle with their maturity of their security stack in general, they would say, well, I have so many problems with the software. Why should I and all my hardware, and I'm sure that if I know all my endpoints because my endpoint security is providing that list, I know everything about my assets and guess, guess next. It's not really the case and our organizations that keep saying we don't have any IoT device, we don't have any OT device, we're a bank, right? We're an insurance company. And shockingly, they have plenty of these, so that and of course it brings them to a new level of threat they didn't even consider existing. Another one is I'm using so many tools, why do I need another tool? I have a network access control system. I have some IoT security tool. I have OT security tool. I have a network monitoring tool that gives me the information into my CMDB. We keep hearing about CMDB but what we learned is that in mid-size organization and of course the tier one organizations we work with, both the number or in percentage the amount of information they don't know is shocking. I remember one really, really and I'll stop with that really, really shocking number. Really big organization was, there was an argument between the IT and the security. And one said they have 800,000 elements. One said they have 2.4, three times more and the number was four, 4 million. So how can you even feel secured when you have no idea in a magnitude on what's there?
- [Ryan] Right, and how do you, when you work with companies and that those kind of conversations come up or those kinds of discrepancies are being had and they're looking for solution, how do you, how do, what advice do you have for companies kind of looking to get started down this journey?
- [Yossi] You know, it starts, people always try to find a solution to solve all of the problems. That's the human nature, right? So we, I want a system that will allow me to see everything, manage everything, deal with not just the hardware but the firmware, not just the firmware but the vulnerability and so on and so on and so on. So they try to bite a huge bite and it's undoable in most cases. And I would always recommend to organization regardless if it's overall software, first thing, understanding your assets. And yes, we do provide the solution to allow you not just to understand, but literally to control and mitigate, but start by understanding what you have. And it takes, if you have the right tools in software and in hardware, it takes very little time to get a grip on what's going on if you chose the right tools, if you chose the right technologies. And after having that information digest it, don't try, don't run like crazy immediately, okay, we have so much risk here and so much risk there. Digest, prioritize and then you'll realize that your initial plan in most cases will be totally different than the one that you'll bring eventually. And I remember a. working with a hospital and mapping all of their devices and giving them risks call. And the immediate action was like we have so much information inside our endpoints and it's so risky and so on and so on. But then they started to look on their medical devices and the impact on the organization with unknown devices there was potentially huge comparing to the endpoints. So take your time, understand, digest, and then plan.
- [Ryan] Absolutely, you know it's great advice. It's an interesting topic for sure because security is not always the, at top of mind for people who are kind of venturing into an IoT solution but it needs to be, right? It needs to be super important and it kind of causes problems down the line if they're not bringing in these elements early on. I think we've seen that, you know, especially just there's been supply chain kind of things happening. I know we've heard of some supply chain attacks and kind of focusing on the devices that are connected. The last thing I wanna ask you is like what do you think the biggest risks are out there for companies right now that they should be focused on?
- [Yossi] You know, I see a, in one end, quite wide in industry threats, but also very narrow into our market. And, and I think that while most of organizations today have some idea of what they are going to do with their modern programs, there's zero trust. Work from anywhere, cloud, and all of that. We keep forgetting about the basic. And I think that CIS, Center of Internet Security mentioned a while ago, not too long ago, that the basic is the most concerning because we see today because of the movement to modern security programs is that all threats are coming back. And it's 20 years ago, 15 years ago, we talked, everyone talked about USB devices and everyone were under impression that, well, now it's not a concern anymore because we closed that door and we moved on. So, many organizations don't deal with that anymore. And then we see a increasing number of incidents around that. So I think that the simple thing that I see and the simple thing that I can suggest is while you think about the future, don't forget a while, every once of a while to look back and make sure that at least the basics are covered. And, of course, what we do here in Sepio is important to that. But there's many other stuff that, not just what Sepio is doing, that is extremely important to do whit that. And last thing is don't stick to common definitions of things and make them customized to you because some organization would call an IoT device only, you know, webcam, IP cams, and couple of sensors, but in many aspects, even your mouse connected to your endpoint falls into the definition in IoT device in many aspects. It has a connectivity to organization, access to the data, ability to manipulate data, and it is a device. So be careful from following the cloud without customizing the threat and the assets into your world and risk world, at least.
- [Ryan] Absolutely, no I totally agree with you. Super fantastic kind of information here on a topic we haven't talked too much about lately. We haven't really dove into kind of these elements. So I really appreciate you kind of taking the time.
- [Yossi] Thank you
- [Ryan] For our audience out there who may have questions, follow up, wants to learn more, get in touch with, with you all, what's the best way for them to do that.
- [Yossi] So, first we are generating a, like our marketing team, generating a lot of valuable information in our website.
- [Ryan] Right.
- [Yossi] Sepiocyber.com. There's also an ability to reach out through that and send messages. We try to provide help and and building better security to everyone not just selling solution, but literally solving problems.
- [Ryan] Fantastic, well, we'll make sure that we get all this information out kind of attached to this, this webinar, our podcast, sorry. And I think our audience definitely take the time to look into what you have going on. A lot of great resources and valuable information in an area that people need to be paying a lot of attention to, especially as they're looking at bigger deployments and really, you know making sure they have a good chance of success. So truly appreciate your time.
- [Yossi] Thank you again.
- [Ryan] Thank you so much for being here and hope to talk again soon.
- [Yossi] Thank you so much.
- [Ryan] Alright, everyone. Thanks again for watching that episode of the IT For All Podcast. If you enjoyed the episode please click the thumbs up button, subscribe to our channel, and be sure to hit the bell notifications so you get the latest episodes as soon as they become available. Other than that, thanks again for watching. And we'll see you next time.