Mister Beacon Episode #144

Cyber Security in the IoT

July 12, 2022

Companies are being hacked and ransomed all the time these days, and given the fact that billions of IoT devices have the potential to increase the number of vulnerabilities that companies have to deal with, it’s safe to say that this issue is more important than ever before.

So what exactly can be done to increase the security of everyday devices connected to the internet? Well, we brought on the Co-Founder & CEO of Sternum, Natali Tshuva, to tell us how her company is bringing security and observability to the IoT.


  • Steve Statler 00:00

    Security is super important in IoT. I think we all know that are big vulnerabilities. And as entrepreneurs, it's important to understand as much as we can about this particular area, even though it's not the core of Mr. Beacon podcast. So I'm pleased to haveNatali Tshuva is CEO and founder of Sternum, an Israeli security company. And we're going to interview her about what she's doing and what her company is doing in this area of embedded security systems. The Mr. Beacon podcast is sponsored by Wiliot, Intelligence for Everyday Things, powered by IoT Pixels. Natali, welcome to the Mr. Beacon podcast.

    Natali Tshuva 00:52

    Thank you, thanks for having me.

    Steve Statler 00:56

    Security is is a subject that we delve into only occasionally. But it's super important. And it's kind of this nightmare thing where I try and keep it out of my mind. But I think it's at the front of your mind all the time. So it's good to have you on the show. Can you start off by explaining a bit about what your company does?

    Natali Tshuva 01:16

    Yes, of course, Sternum is providing the first embedded protection and observability platform for IoT devices, which basically brings Endpoint Protection detection and observability into very low resources, embedded devices, which means medical devices PLCs, routers, gateways can enjoy real time observability deep analytics and protection on device. And, you know, the only way to really secure and observe billions of endpoints, which is the expected number of IoT devices connected, is by being able to create some kind of an infrastructure that is common among those devices, protecting them, monitoring them creating business insights for the companies providing those devices. And this is what the enemy is doing, creating that infrastructure delivering that platform to serve our customers in this industry.

    Steve Statler 02:21

    So you're about security on IoT devices. And this podcast is all about IoT devices. So it seems like we're both in the right place. What What kind of devices have you been working on? I was looking at one article that talked about pacemakers. I think we all want our pacemakers to be secure. What are the sorts of things

    Natali Tshuva 02:46

    so we are currently deployed on PLCs? You also want PLCs to be secure, right? We hope we all remember stocks that that was a PLC that was on the line.

    Steve Statler 02:59

    What What do you mean? POC? Mele?

    Natali Tshuva 03:04

    PLC? PLC? Yes, is an industrial control system basically, controlling nuclear facilities and manufacturing facilities. So that's a mission critical device that we are deployed on. Even routers and gateways, or an IoT device. Basically, they run their own framework, enforcing zero trust, safeguarding our networks. And this is devices that we help protect. pacemakers you mentioned, indeed, it's another, you know, mission critical, embedded device that enjoys our on device protection and observability. We also work on sensors, and water equipment. So those are recent deployments. But really, the commonality among the use cases using standard is actually, you know, if you're using a real time operating systems, if you're using an embedded Linux, if you have fleet of devices out there, and you want to solve issues quick where you want to reduce vulnerability management efforts, you want to be compliant and secure when you go into the field than you used to. And the use case is really variety. Because embedded systems, they exist across industries and across use cases. And they don't have any solution like CrowdStrike, or data dog to monitor them or protect them. And stannum delivers that in one holistic platform.

    Steve Statler 04:34

    So would it be too simplistic to compare you to like the antivirus software that we run on our PCs on the you're running on IoT devices? What are the differences?

    Natali Tshuva 04:47

    It will be a very simplistic way to say that yes, I will probably say it's more like running CrowdStrike on all your IoT devices, because we are doing prevention. We're doing detection. We are Collecting operational data that can be used for insights for quality resolving. So it's a really one platform that takes the synergy between data and security. One one step further. And what I mean by that is, I come from the security space. But when you do security, you have to be very intimate with the software with understanding the software. Because to find weaknesses, you actually need to understand a lot about a system. And when you think about that, the way to create insight and observability, is by going deep into the software and collecting data and analyzing data. So for Stan on the synergy between observability and security, is kind of trivial, and in the core of our product. And we think that with the ability to go into the code and protect it, you can also gain insights that no other tools can. So we actually use security techniques to observe, collect data and gain insight on products on devices on how users behave with devices on malfunction is a malfunction solely on cyber breaches altogether.

    Steve Statler 06:22

    So it sounds like you have to focus on specific platforms, your what are the IoT platforms that you've adapted your software to run on.

    Natali Tshuva 06:35

    So the main difference that stannum brings is being agnostic to the platform. And that's the key innovation. So we have three patents on how we do that. Because the IoT market is diversified. I think that's one of the biggest issues that we see in the market, diversified in operating systems and resources in hardware. If you try to embed even a communication library, you need to tailor it to your specific IoT device. That's difficult, though way we developed our product is by creating something that can integrate with any kind of existing platform, the way for us to do that is to integrate directly with the binary level beneath the operating system, which makes us country support. So three outdoors, Zephyr VX works, thread AX, and many other real time operating systems as well as embedded Linux with the same technology with the same platform. So we didn't tell it case by case.

    Steve Statler 07:45

    So let's kind of make it more more basic, what you're saying is through some mechanisms that I don't understand, you can run on any ARM processor with any operating system. And there's no porting or anything like that it just works with

    Natali Tshuva 08:03

    for example, Medtronic is a customer, they have already a device with software on it, what they do is they install a plugin, the sternal plugin, and then it's integrated with their project. So it's been ported automatically to the operating system that they're using, and then creates the protections that I was discussing, and observability. So basically, we work with device manufacturer, Steve, so it's not like we install remotely, and then it instantly running on existing devices. It is a software solution or tool that device manufacturers can use like any other third party library. But our library creates an integrate with the existing code to make it observable add to protected against software vulnerabilities. So we use techniques like hooking and instrumentation to be able to integrate with your existing communication stacks and with your existing operating system. I hope it makes sense.

    Steve Statler 09:14

    It's making more sense. So you know, if I'm a smoke alarm manufacturer, and I want to make sure that I'm I'm nest, there's a big sample. And I want to Yeah, I want to make sure that my smoke alarms are protected. What's the process that I go through to work with you?

    Natali Tshuva 09:34

    So we gave you the installer, you put that in your CI CD system, so your developer computer, and then when you create additional code or just create a new version of your nest device, it will be compiled together with our solution. And our solution will be protecting your existing code including all third parties. So we will make sure that all memory operations are protected, all execution flows are protected, it will inspect operations like executing code or, or files that are being uploaded to the system. And it will send real time alerts for your existing communication stacks into our cloud portal to alert you something that happened on even on downtime. So just like any other system, if you want to connect your IoT device, for example, to AWS device management system, so we need to include the libraries to make sure that you have the device connected to the platform. So we have a portable SDK that helps you collect data and connect everything needed to our platform. It's very easy to connect and the protections they are being integrated automatically to the existing binary code. That is your existing device. So now basically, you install the plug in, you created a new version, you can either deploy to existing devices by over the air update to basically created the last patch, you can say instead of constantly patching due to security vulnerabilities, it's a one time fee, we're update that makes your device protected against wide range of security threats. And if you're building a new device, then usability helps you to early detect security issues, to understand third parties that are consuming lots of resources, battery bandwidth, it helps you to do dynamic software analysis, because we are running everywhere the code runs, and we create visibility to the code. And we give you a way to do that data analytics and correlations on our cloud. So that when you go to market, you go to market safer, and probably faster. Because this observability helps with bad resolutions and quality issues. And then when your devices are in the field, you'll get full post production. So variance and analytics into usage, arrows and security issues. The way it works is that you can also create visibility for your customers. So if you are nest, and you're selling to a big enterprise, and that enterprise is now worried about your device being an entry point to his network, right, because your device is connected. This is Internet of Things. We're talking about connected devices. And that enterprise, he has endpoint protection, he has email protection, he has network security, he has all of those things. But then the IoT devices or your next device is part of his network, and you have no idea what's going on, on that device. So as a manufacturer, you can enable them to see the security layer to see the cybersecurity health of the device and create additional layer of services to the enterprise's using your devices.

    Steve Statler 13:16

    Well, I noticed that you did you seem like you did your degree at high school? How how's that possible? You had you did your bachelor's degree by the time you were 19. Yeah, right.

    Natali Tshuva 13:27

    I started with a special program for for talented kids. So you do the graduate degree together with high school. So I finish both at the same time. And then join the unit a 200 in the unit a 200. You know, it's lots of cybersecurity, obviously, then many years as a security researcher and leading research team leading development teams, and mainly designing exploits to extract intelligence. And when you ask about our technology, then what was clear to me during the career is that no matter which system we tried to penetrate, we always succeeded. No matter how many millions of dollars were spent on security, the Windows, Android Linux, iPhone, it was always possible to find a vulnerability and to exploit it. And when we started Stan on we were thinking how we can flip the power between hackers and defenders, because how can it be the defenders has to protect 100% of the flaws of the vulnerabilities. And hackers only needs to find one to find a way in that's a losing game. You will always have one vulnerability in your device no matter how you will implement all best practices. It's a losing game. So when we started the company, we were start thinking on how can we stop ourselves. So the exploitation fingerprint technology is actually exactly that, because what we are doing is, instead of fingerprinting the malware, or fingerprinting the vulnerability and try to find vulnerabilities, what we are doing is fingerprinting the exploitation technique. And let me explain, there is two common industry terms. One is CVE. And another is a CW IE, a CVE. SCBWI is a vulnerability, a specific instance of a vulnerability in a specific device or application. But a C W E is a common weakness enumerator, and it's basically the type the family of the vulnerability. So you can have 100 Different buffer overflows, for example, but they are all under the same CWA, which describes the weakness of buffer overflow. So Stan will instead of trying to identify all the 100, different vulnerabilities, or all the 100 different malware that can operate on your device, we are fingerprinting The CW ie the type, the family of the vulnerability and how it's been exploited. So in the sense of a buffer overflow, for example, to exploit the buffer overflow, no matter which one, you have to cover up the memory, this is something that you have to do, you have to overflow the memory, otherwise you cannot penetrate the device. So instead of finding the vulnerability, what we are doing is hooking into the memory of the operating system, and making sure that no overflows are happening in real time execution. So even if there is a vulnerability when someone tries to exploit it, what we are fingerprinting is the way to exploit it. And then we can alert in real time if something bad happens, we can protect against zero days, we can reduce Patchwork, and most importantly, we can actually safeguard against advanced threats for the long run and for the longevity of the devices. And this support is essential for the IoT space, because patching is hard updating is hard. They essentially doing a very deterministic operation. And IoT device does not include human interfaces, you cannot download applications. So we are not dependent on human mistakes. So we can actually use the fact that they have deterministic operation, and just making sure that the device behaves as intended. And since software is deterministic, and the device is deterministic, all we have to do as Defenders is making sure that there is no deviations from the intended use. And by doing that, we can actually prevent wide range of threats. So this is what we are fingerprinting, and this is not a new approach in the industry. So EDR is Epp and last runtime application self protection, our existing concept that helps secure cloud and help secure PCs. But they do not exist for the IoT space. Because they have low resources, they are diversified. They cannot accept agents, it's very hard to integrate things to IoT devices. But if you overcome those issues, then you can bring advanced industry standards to secure IoT devices as as a bonus feature, you get to deep observability and analytics into the device behavior. So you can create alerts on malfunctioning temperatures. downtime, to have root cause analysis of each one. And that's part of what we provide in the platform. You know,

    Steve Statler 19:04

    how realistic is it to say that you'll never have to patch your device. I mean, if I ship a security camera with, you know, a backdoor, you know, admin, password is admin and the login is admin. Presumably I'm still gonna have to patch that. Even if I have the sternum software on my security.

    Natali Tshuva 19:28

    I was asked to fix your devices, for sure. But there is a lot of vulnerabilities getting published. And if your software is protected, because it's turned on, you can delay the patch. You can combine few patches and release one update. You can paste the patch into your software release lifecycle. So I'll give you an example. We have a big customer. He had three vulnerabilities discovered and when tested in the lab It was protected by Stan. So, of course, if he has an admin password that is available, then it should patch it immediately. But if he has a command injection vulnerability or buffer overflow, that he has active mitigation against with Sternhell, then he is not vulnerable, there is no way to exploit it. So, he can fix it sometime in the future and he can also not fix it. If there is no plan release, but it will not get exploited in the field, which is the key element here. So, prevention of zero days exist and you can prevent one day is that are unpatched, in the same techniques as you prevent viewer days. And this is this is what we offer.

    Steve Statler 20:44

    Given that we're not a security podcast, can you explain what zero days is?

    Natali Tshuva 20:50

    Yes, of course. So a zero day basically, is a vulnerability that was found by an hacker by a government no matter what, and it was not been disclosed into the public. So basically, nobody knows about it. And people can exploit devices that contains this vulnerability, because you don't even know that you need to patch. Because the vulnerabilities unknown. Whenever an ability gets disclosed, this is where there is account that begins. And it's been called one day, because this is the first day that it's been disclosed. And then you need to go and patched the devices. And there is a nice metric saying like, as long as the vulnerabilities launder disclosed, then most of the devices will be patched against it. So if it's the first day, then probably you will have devices, not that she says the 10 day, then you will have more devices patched. The problem with the IoT space is that even five months old vulnerability, you can probably still exploited in the wild, because IoT devices are not getting updated that frequently. So we have to come up with new ideas on how to secure the IoT. Because the traditional ways would not walk in such a different use case.

    Steve Statler 22:21

    How big is the problem that we've got at the moment? Can you you've probably got a perspective on how vulnerable the software is that you know, if I buy a door lock for my door today? Am I basically opening my door to anyone that wants to download some software on the internet? Or what's your perspective on the state of the industry?

    Natali Tshuva 22:51

    So you know, it's not me saying that the acid IoT does not exist, right. So I think the security status of the devices is very problematic. And we can't really expect each and every device manufacturer to come up with a very secure device. So there needs to be a product that can do that, that's for sure. We also have a huge visibility and observability problem. So those devices collect massive amounts of data, many devices out there, not really benefiting from that data, or analyzing the data in real time or creating insights based on this data. So a lot of product. People, a lot of device manufacturers, a lot of users are blind into the operations of the devices. And it's part of the big gap that the embedded industry has, which is they don't have advanced tools for the viability, analytics and security. And it creates what you cannot see you cannot secure that for sure. And what is not secure and is not monitored, it's probably been hacked, and nobody knows about it. So I think we are now starting to see more and more attacks. Just last week, I heard about four companies got hit by an IoT vulnerabilities. And the need is, is on the rise to understand how to secure the devices.

    Steve Statler 24:34

    So very good. Well, I feel like we've not spent much time talking about the cloud component of what you do the kind of the analytics side. Is there anything more that you want to say about that?

    Natali Tshuva 24:50

    So going back to our software, so eight automatically collects operational data from this For me, you can add and customize the data that you collect is in our portable SDK. Now, our cloud was actually designed to handle massive amounts of data points coming in, in real time. And the key challenge is how you create insights, right? How you're not just presenting logs, but you're saying, Hey, you have a malfunction here. And this is the reason, or you have high CPU usage. And this library is taking most of your CPU at that moment. And to figure that out, we actually used data intelligence, skill sets, as well as AI and machine learning, as well as expertise in the IoT space, because you have to understand the data that you collect, to correlate between them. The outcome is a cloud platform that allows you to customize alerts, and to customize logs and traces. It delivers automatic insights in terms of potential breaches malfunctioning, would cause investigations of errors that is happening in the field, and is also capable of detecting during software development. Bugs, like memory leaks, information leaks, potentially boots that is caused by some third party, and so on. The reason it is enabled isn't because we are, you know, that good at AI. I mean, we're not we're no better than any other AI company. The reason what we are doing is special is the data that we are capable of harvesting for the device. So unlike other tools, we actually instrument third parties and the operating system itself to collect interesting data. And when you have this enrich data from hidden data points in your code, closed source code, third party code, that you're not monitoring that you're not seeing that all of your data analytics and AI algorithms are enriched with things that other tools cannot see. And when you have this data, then you can really make something out of it. So to the cloud part is actually just well designed for IoT. But the the UVP is about the data that we collect how we automatically know which data to collect, and how we translate it to operational security and business insight.

    Steve Statler 27:49

    Makes sense? So last question about the business is just where you're seeing the most traction, what we talked a bit about some of the use cases, or the industries, at least that you're working on, where where are you seeing the most traction.

    Natali Tshuva 28:06

    So the medical space is a special one, because you have regulation, you have compliance, you have post markets or variance that is very important. And since we are bringing tremendous value, basically out of the box, to those aspects, we see a lot of traction there. Also securing devices that are treating people, I think it's a very important mission. The other verticals is actually we're seeing a lot of corrections in everyone developing embedded systems. And that's really the common use case. So you're developing a device, you want to secure it, you want to observe it. There is no specific industry or vertical that I can say, Steve, this is where we are needed the most. Because it's really an entire community that develops real time operating system applications. So embedded Linux are mission critical devices. And it can be in the industrial space in the water and energy industries. It's really diversified.

    Steve Statler 29:17

    Makes sense again? Well, very good. Thank you very much, Natalie. Yeah, it's important work that you're doing. I can't let you go. Before asking that last question, which is, you know, we asked you to come up with three songs that are important to you, and what are they?

    Natali Tshuva 29:37

    Okay, three, okay. Just three, that's a lot. So I think the trivial choice will be our wedding song. So it's actually an Israeli song. I talks about a crazy woman. Painter and how they Love each other, but give everyone each one of them the freedom to be who they are in the relationship. So I think it's a very nice traditional Israeli song.

    Steve Statler 30:13

    So it's not a new song. It's not a, what's it called?

    Natali Tshuva 30:17

    It's called it's that's all the magic. Okay, that's the name of average, I think the second one will probably be Britney Spears. One more time. So just because, you know, I grew up learning computer science when I was 14, and then a 200. And then the cyberspace, there is no woman in that space. And I had to like cut Britney Spears and put that into the very man. Communities that I was in. So for me, Brittany was always like, something that was mine. And that places.

    Steve Statler 31:05

    I can't believe that. I think that, you know, Israel is seems to be a very progressive society. And when I studied computer science in 1980, there were I was in a class of 100. And they were probably five women. And it doesn't sound like things have changed much. That's,

    Natali Tshuva 31:26

    I hope things change. Now, it was 16 years ago, that I started school. And at least 10 years since a 200. So I hope things change. But the statistics shows that in the cyberspace, they're still like tendon less than 10% Women in leading positions. So there is there is still a road to go

    Steve Statler 31:54

    to get. Yeah. And then your last choice.

    Natali Tshuva 31:58

    Yeah. The last choice so how to save a life. I feel familiar with that song. I think it's okay, Google it later on. It's a great song about friendship, I think and and talking with people after you had some gaps in the past.

    Steve Statler 32:27

    Okay. Very good. And it's a traditional song or who sings it.

    Natali Tshuva 32:34

    It's pretty popular pop songs. Okay. Yeah. Let me see. I forgot the name of the band. The prey.

    Steve Statler 32:47

    Oh, okay. Very good. Sounds sounds sounds like a good thing. Well, Natalie, it's been between my my COVID and the link in the gap between auto ID and security. It's, it's been a little turbulent. But I've really enjoyed it. I've certainly learnt and I appreciate you spending time with us.

    Natali Tshuva 33:15

    Thank you. I appreciate so much the opportunity to be here and the time.

    Steve Statler 33:20

    So if you have been thanks very much for listening and watching the podcast, my interview with Natalie. Hopefully you learned as much as I did, and found the conversation interesting. So thanks very much for sticking with us. We really appreciate it. And until next time, be safe.