Overview
EP 158 - Embed security and data visibility throughout the product lifecycle - Natali Tshuva, Co-founder & CEO, Sternum |
|
Jan 09, 2023 | |
In this episode, we spoke with Natali Tshuva, co-founder and CEO of Sternum. Sternum provides cybersecurity and data visibility throughout the product life-cycle process using embedded self-protection and monitoring solutions for resource-constrained devices. We discussed the cybersecurity threat landscape for IoT devices and why hacking a device is significantly easier than securing a device. We also explored the potential to unlock hidden data points from device operations to provide operational visibility and insights to operators and manufacturers. Key Questions:
| |
Subscribe |
Transcript
Erik: Natali, thank you for joining us on the podcast today. Natali: Erik, thank you for having me. Happy to be here. Erik: Natali, it's always interesting when I host Israeli entrepreneurs, that somehow they have a background in the military. You don't see this in so many other countries. It's kind of intuitive that Israeli citizens go through the military. Obviously, your military is also very unique in terms of the education opportunity that it provides, as opposed I think in the US military, mostly, you're a grunt doing a bunch of pushups. Israel has very much a high-tech military. I would love to hear your backstory and why you devoted yourself to this company, Sternum. Maybe an interesting place, if it's okay with you, to start would be your — I guess this would be your first job, which was software development with I think this is Unit 8200 with the Israeli Intelligence Corps. Natali: Yes, you're absolutely right. There is a high correlation between cybersecurity founders and their background in the military. I started actually a bit earlier. When I started for my undergraduate degree in computer science, I started together with high school. That was how I really got an exposure to software development and even a little bit to cybersecurity. When the test for 8200 started, I had a background from the university. It, I guess, together with a few other skills got me into one of the corps in 8200, that leads you to really be in an elite cybersecurity unit. As you mentioned, this is really the first job. It's really different from any other job. It's very mission critical, operational, lots of motivation. It feels like you're protecting your country, which is always a motivating element. You learn a lot about what's going on in the real world, I think, unlike other jobs in the industry. When you're in the military, you really get to see the most advanced technologies and how exactly they are being used. Many times, in the industry, there is a disconnect between — okay, you are developing something or you are finding a vulnerability. You're researching something, but you don't really see the outcomes in the actual world. Who is being attacked? How are they being attacked? How is your software protecting them? How is your vulnerability actually being exploited in the world? There is some disconnect between the technological work and the actual outcome. In the military, I think it's really complete, which really helps with training by the way. Erik: Yeah, well, that's interesting. Again, if I'm reflecting on the US military, my assumption is always that they're going to outsource development to maybe Accenture or somebody else. So, there's going to be that gap between the team that's building the software and then the team that's using the software. But it sounds like in your case, it's almost the same team, or you're an integrated team that has end to end ownership. Natali: Yeah, I would say that every unit has its end-to-end ownership on things which really helps you, I think, even building companies. Because you see end to end, what's needed. Erik: Okay. Interesting. There's certainly a logic why so many great entrepreneurs come out of the Israeli military, especially in cybersecurity. Then out of that first role, you joined a company called Cellebrite where you were a research team lead. Then it looks like you were also doing some Linux kernel and Android research before you set up Sternum. What was the motivation for you at that point to say, "Okay, I'm going to move away from my day job, I'm going to jump into the deep end, and set up my own firm"? Natali: Actually, there were two key elements. One is that, during my period in Cellebrite and so on, I actually realized that no matter how much money is being spent on cybersecurity, on securing Android devices, on iPhones, and laptops, I was still able to hack into them. I was able to find vulnerabilities. I was able to exploit them. Cellebrite was able to extract intelligence from terrorists' mobile devices and so on. So, it was always possible. That was one key element of understanding that defenders are losing. We're spending a lot of money. We're spending a lot of time, a lot of resources on patching, on secure design, on best practices, on endpoint protection. Still, hackers are able to hack and able to find vulnerabilities. I thought that there should be another way of solving the problem. That was one element. The second element, to be honest, is maybe stupid. But really, I finished my Master's in Computer Science. This dream of becoming a doctor was always present in my life. I thought, well, this is a good time to do it. So, I started to go to hospitals and visit operating rooms. I really got into it. I realized that I probably was not going to be a doctor in this life, but perhaps I can do something that will contribute to the medical industry. This is how I started actually being exposed to the smart devices, I would say, or embedded devices. It was pretty apparent to me that many industries — industrial, medical, critical infrastructure — are really evolving based on these devices. We treat people better. We build infrastructure better. We predict malfunctioning better. But the devices themselves are based on a really old infrastructure, old operating systems, no resources diversified. Obviously, no security but also no observability. We are building this smart future, but it is based on a really old-fashioned methods and devices. I thought that there is a real opportunity to make an impact by bridging basically the old embedded world and the smart future that we all want to see and we all want to live in, in a secure manner, of course. Erik: Yeah, great. Well, that's a great mission. It's certainly an area of the tech stack that we need to improve on if we're really going to enjoy the benefits of these solutions. Before we jump into Sternum in detail, I'd love to dive a little bit more into this topic of where we are today in the cybersecurity landscape and why, as you said, we seem to be consistently losing despite the vast amounts of money being invested into cybersecurity. What is it? You've already alluded to a couple of these maybe legacy infrastructures and so forth that create challenges. But if you were to define the different characteristics that make it easier for the black hats to win as opposed to the white hats, what is it about cybersecurity that's challenging to solve? Natali: I think there is a general statement, not just for IoT devices. The statement is, basically, hackers only need one vulnerability to win one exploitation. Defenders has to protect everything. So, it's like being a goalkeeper. You can stop all threats. But if you miss on one shot, that could be the losing shot. I think cybersecurity is the same, where hackers only need to score one. Even if you do everything right, everyone misses something. That's the bottom line. You will always have vulnerabilities. The software has vulnerabilities. It's a true statement on all systems. It's actually related to the size of code. If you have 1000 lines of code, you will probably have 15 vulnerabilities. That's the number. Actually, the mindset of the black hats is that, "I can win this because there is vulnerabilities out there, and I can find them in just a matter of time or skills." Automatic tools are failing to find all of the vulnerabilities. Our defenses are always missing something. This is why, I think, generally speaking, it's hard to do cybersecurity properly. In the IoT space, the problem or the challenge is even bigger. I would say it's due to a few elements. One is diversity. If you think about securing IT systems, then usually you're securing a Windows device or a Linux server or a cloud. They're all based on the same host, on the same services, same infrastructure. So, you can build protections that actually apply to all of them and evolve with time. In the IoT space, every device is different on so many aspects. The hardware is different, the operating system, the services, the third parties. You have 10 different Bluetooth libraries you can use. Each one of them can have different vulnerabilities and different weak spots. So, it makes it hard to apply something that will universally secure IoT devices like endpoint protection is universally securing other assets. The second element is resources, actually. Resources is a solved problem in the IoT space. Security takes resources. In the IoT space, we're talking about very limited devices — in memory, in bandwidth, in CPU. So, applying protections that are heavy or even agents that are traditionally used to secure assets cannot be accepted by IoT devices. That's the second element. I think the third element is also — this is an interesting one, I think. It's a balance between the manufacturers of the devices and the customers using the devices, or the users, the consumers or the enterprise. There is some tension between the two. Because in the IoT space, enterprise can secure their assets, and they don't need any permission from Windows or from AWS to secure their cloud. But if you're using an IoT device, you're actually really limited on how you are able to secure them. You can't deploy endpoint protection. You can't change the software. You can't see into them, see how they operate, monitor them. That means that manufacturers are actually the ones that are able to secure the devices properly, to monitor them, to give enterprises or users a view into the cyber health of the device. That's an unusual situation compared to other industries. I think it means that we need to define liability and accountability for securing those devices. Once there will be an owner for the problem, a clear owner and clear requirements, it will help the industry to move forward. Until now, it's a ping pong between all of the entities involved. Erik: Interesting. We do a lot of innovation work with corporates as well. We see another tension here, which is on the one hand, I'd say the positive trends is that companies are moving away from proprietary technology towards more open technology. They're trying to integrate solutions more. They're trying to adopt some consumer best practices in terms of being responsive to customer needs and doing over their updates, or at least releasing more regular updates to add new functionality. These are all, I'd say, generally positive from a user experience perspective, but also introducing a lot more variability into the code than the old model of, "Let's deploy it, and we'll let it sit there for 10 years. Just put it behind a firewall and not touch it once we know it's secure." You also seem to have this tension between the desire to meet customer expectations, and then the need to properly vet technology before it's deployed. That seems, at least in my experience, to create a lot of complexity that maybe didn't exist with the more legacy systems. Natali: Not just before we deploy. I think this is a key sentence you said. Because once it's deployed, it still needs to be secure. You still want to see what's going on with your device, to see into performance, quality, potential attacks, get notified if something bad happens from a security or quality perspective. So, I think the mindset that should be changed is, how much value there is in continue monitoring those devices once shift, and also how we secure them once they are shipped. Because even though everything's right in your development, and still, as mentioned, you will have 15 vulnerabilities per 1000 lines of code. What do you do with those vulnerabilities? What do you do with zero-days? What do you do in real time when there is a new attack, and you haven't managed to patch, or you have zero-day? I think we're still missing on those. But I agree with you that there is lots of progress also from a regulation perspective to shape how we secure those devices. Erik: Okay. Great. You've given us a good overview of where we are today in terms of the landscape and the challenges. There's obviously a lot of cybersecurity solutions on the market, including some that are specifically focused on IoT. What did you specifically see that was missing in the market where you said we can do this better? We can add new capability that doesn't exist yet. What were the areas that you want to focus on as a company? Natali: The main solutions that we see out there are network security solutions. They secure the enterprise network. Basically, same as checkpoint secures your network, but CrowdStrike secure your endpoints. In the IoT space, there was only network security solutions. They are limited because, A, a lot of devices are not part of any enterprise. They are not connected to enterprise network. They are treating people at home or in isolated environments, and so on. B, network security solutions can only prevent or detect threats based on the packet inspection and behaviors on the network. Lots of things remain unseen if you're not on the endpoint itself. This is why a way to secure systems, generally speaking, are a combination of network-based and endpoint-based. In the IoT space, that was a key element that is missing. This is what Sternum brought to the picture from a security perspective — runtime protection, the equivalent of XDR or endpoint protection, only based on a different architecture that is not agent-based. We are bringing those capabilities in an agentless manner that makes us universal to all devices. I want to say one additional note not about security actually. Another thing that was missing in the industry is observability. What I mean by observability is the ability to collect traces, logs, metrics, events from your software, from your embedded device, and have means to analyze them in real-time, to apply anomaly detection on them, to generate insights for future development, to conduct remote debugging instead of sending people or try to reproduce bugs in the lab in a very inefficient manner. This element for device manufacturers has been missing. If you think about application development, you have lots of amazing tools for application monitoring like Coralogix, Datadog, and Directrix. You don't have the equivalent for embedded devices. We need technology that brings those advantages into the most embedded bare metal devices. This was something that was missing that I think Sternum solved pretty nicely with our observability and security platform. Erik: Got you. Okay. So, if we look at the decision that somebody is making around investing in cybersecurity, I guess they have a number of different options. They can focus on different approaches or maybe use multiple solutions for different layers. Then they have to make decisions around how they prioritize things like effectiveness for endpoints or for different layers of the architecture. Maybe some solutions might be better at — they might be more quick to evolve. Other solutions might be easier to deploy on a diverse set of devices or environment. Others might have, of course, different cost and other variables like this. So, if you're thinking from the perspective of an end user — I guess, here, we have to define the end user as the manufacturer or the operator. But let's say from your end user, what is the decision process that they're going to walk themselves through as they decide how many cybersecurity partners do I need, and then how do I prioritize where I wanted to vote my resources? Natali: It's a great question. I think my first recommendation would be to first understand the threats. Many potential customers or device manufacturers that we're talking with are lacking the understanding of what's the vast majority of the risk that they have on their devices. Let me give you an example. Some things, if they use encryption, they are not vulnerable to cyber attacks, which, of course, is a very, let's say, shallow statement. Because all assets today are encrypted. Mobile devices, laptops, they're still vulnerable to cyber attacks. So, we are missing some basic knowledge about cyber attacks, about what it means to have a software vulnerability, about the fact that it can bypass secure boot. It can bypass encryption. It can bypass static analysis or patching. So, there is some level of education of first understanding the risk. Then I would say you need to go to the decision, thinking about your risk and how you can maximize risk reduction in a timely manner. This sounds like a very abstract recommendation. But when it comes to reality, it means that if you're considering applying secure boot to prevent mainly physical attacks or attacks in the over the air update. Then you want to apply static analysis to basically find around 40% of vulnerabilities maybe during development. Then you apply — it goes more and more and more. Eventually, you're still vulnerable to 70% of the vulnerabilities out there. Many of them memory vulnerabilities, in memory attacks, logical vulnerabilities, like your developer is leaving passwords somewhere or design issues and so on. Then you did all this effort, spend all this money. It takes time to integrate those solutions. Still, you're vulnerable to the vast majority of threats. When you come to consider solutions, try to think what are the most relevant threats that I have, and which vendor can reduce them significantly. I think for good security, probably, two to three vendors will be enough. Encryption, of course, is a must. Secure boot is important. A layer of end-to-end protection, third-party protection, software vulnerability protection, real-time alerts, anomaly detection on the device behavior will probably complete the picture and will bring your device really to the next level of also being able to report if something bad happens or to learn from the behavior of the fleet of devices in the field. Erik: Let's say, a company says, "Okay. We think we're going to need two or three technology partners to support our cybersecurity efforts." Is it important that they coordinate that decision on who they are? Let's say, they talked to you first. They said, "Okay. We want you to support these layers." Are you then going to specifically recommend and say, "Okay, we'd recommend that you work with Company X in this area and Company Y in that area because we know that we're highly complementary, and we integrate well together?" Or, is it more agnostic, where you would assume that you can integrate and be used effectively with any other cybersecurity solution as long as they're applying some general standards? Natali: We are completely agnostic. You can apply us on legacy devices, as well as new devices. You can use any kind of operating system — Zephyr, free AltOS, Mac, Linux. We provide almost the same level of security for all architectures. We also help you during development. We usually find memory leaks and information leaks and bugs the moment you deploy us independently of any other profilers that you may be using or debuggers. We do have partnerships with NXP and Arm usually combining with trust zone elements or secure hardware completes the picture. When the customer is reaching out to Sternum, there is two paths. One is, I already have a device. I have a hardware. I have a software, and I want you to install your software on it, to secure it, and to bring visibility into the device. The other option is, I'm currently building the device. Do you have any other recommendations for me? In the first option, we just applied our solution. You can't modify anything that is already in there. But in the second option, we can definitely recommend the right hardware, features, understand the attack landscape of this specific device, what its connectivity looks like, what is the attack surface, and then recommend the rights modules or security best practices for that specific design. Erik: Okay. It makes sense. Let's take a step back and talk about who you're working with. There's always this issue where technology could hypothetically be applied to any situation. But the reality is, often you are defined for specific types of customers. So, if we look at it from an industry perspective, which industries are you focused on? If we look at it from a customer perspective, are you being used more commonly by device manufacturers or by operators who have a high diversity of devices that they're managing? Are there other specific types of devices? Do you focus on low power devices or devices that have specific security concerns? What would you define as the ideal scope of your customer? Natali: From an industry perspective, we are focused on industrial, medical, and enterprise IoT. We have customers in each. We work currently with leaders like Medtronic, Nordson in industrial space, Vibrance, NXP and other fortune 10 companies that I cannot disclose the name for. But we're deployed on dozen millions of devices, different devices. These are the top three industries. The second question you asked was about the type of device. This is really where we are truly universal and agnostic. So, we work on a router that goes to enterprises. It's not low power. It's actually a business class router. We operate on a pacemaker which is very low power, very embedded. We operate on a payment device. We operate on an industrial control system. So, it's really varied. I can't really say that we're focused at something. Because we build the platform in a universal way and very lightweight, so it can be applied to many use cases. Since the security and observability is so strong, you can use it on many different kinds of devices. I think it also answers your first question of what types of devices we protect, what use cases. We work currently, mainly, with device manufacturers. We have some enterprise customers as well that are end users and not manufacturers. One of them has been published, actually, a few weeks ago with TX Group — our customer and design partner, which we truly appreciate their partnership. But most starters are device manufacturers looking into reduced patching cost in their organization, accelerate resolving of issues in the field, and gaining insights from the rain field deployments. Those are the key elements why device manufacturers are choosing us? Of course, avoiding being attacked is always something that is interesting, but not necessarily enough. Erik: Okay. Thanks. That's great. That's very clear. Let's choose a case, and walk through it then. I think what would be interesting here is not just to understand from your perspective as a solution provider on what your sales cycle looks like, but to also understand from the customer's perspective as they walk through the decision of how do I evaluate my needs, which vendor do I choose, and then working with you maybe to make customizations or to plan out deployment, and make sure that they're also managing the human aspects of that deployment, the process aspects. If there are specific best practices or common mistakes that you've encountered, just so that we have a bit of a picture in terms of what might a typical deployment look like. Natali: Yeah, I think the question you're asking is pointing out the problem in the IoT space. Because it's so complex, right? You mentioned customization. You mentioned preparing for deployment. Everything is really complex. Think about cloud applications. They are very simple, right? You deploy something. A day after, it's on the cloud, and everything is working. Sternum is more like the second than the first. I will answer your question, but keep in mind that I think most innovative things that we brought is simplicity into the IoT space. From a customer's perspective, let's take a real example. We had a customer that continuously needed to patch its medical device. Patching medical device is really expensive, because you need to go through regulation for a software update. There is a lot of resources, engineering resources, to actually create the patch. It's not as simple as pressing update on your computer. It's a bit more complicated than that. It ended up being around $3 to $5 million per patch. In one year, there was a few vulnerabilities that was being disclosed to them, either privately or publicly — because it was a third-party vulnerability — that made them go through this painful process of patching. They realized that even though the device is five years old, they're still spending tons of money and resources on supporting it and patching it. So, that was the motivator in that case. Then they started looking into vendors. I have to say, the reason to reach out to Sternum was security. Then we did a POC. They also did it with other vendors. During the POC, we just deployed our protection into this legacy device. It took us two days. After two days, there was real-time alerts flowing into our dashboard, showing prevented attacks that was the exact vulnerabilities that were found on their devices. So, we were able to prevent 100% of the vulnerabilities that were found that year. Other vendors couldn't. We also provided them with an attack simulation kit, which is something that we like to provide. We'd give the manufacturers and engineering team a way to look at the source code of vulnerabilities, to look at the source code of exploiting vulnerabilities, and then to see how Sternum will operate, but also other vendors. So, they can just test different vendors on the attack simulation kit and understand the coverage of each and every solution. This helps reaching a decision. At the end, we were chosen. We basically provided a CI/CD integration to the customer. It just created a software with Sternum inside. Basically, then it released the last patch. So, it's another patch. It's another software update to those legacy devices. But from that point on, they are protected autonomously in run time, preventing zero-days in one day even if the manufacturer is not patching. That was the deployment, how it ended up. I think one of the most exciting things is that when the customer starts to see the values in just having the data. Now they are excited about seeing mobile applications and how they interact with their medical devices, seeing where they are in the world, when people are using them, malfunctions. The bugs are being debugged using our system, while previously it took months more to solve an issue in the field. So, it improved the entire support maintenance and insights for this fleet of devices. Obviously, it was a great success. So, we move to deploying on three additional product lines just in the previous year. Does that make sense? Does that help understand the customer journey a little bit? Erik: Yeah, that does. That's quite clear. That's very interesting, this last point that you you mentioned, that they also had lacked visibility into device behavior. You can see your solution now probably has five times as many users from different functions who are accessing that information for a set of different purposes. What does that look like then from the user experience? Because I guess you have your primary users who are concerned about cybersecurity. Now you have these other sets of users who are concerned about everything, from maybe sales and marketing and knowing where are the devices being deployed, so we can allocate our marketing resources more accurately to maybe product innovation and understanding device behavior, et cetera. What does that look like from a user perspective? Natali: There is countless possibilities to use our platform. We are a startup company. We can do everything. We have currently two main users, as we define them. One is security leaders or product leaders, and the second are engineers. The way it looks different is that, basically, per persona, we show different metrics and reorder the capabilities in a different way. If you're an engineer, you will get correlations and mapping of errors in the code. You will get anomaly detection on quality issues and performance issues. Those will be highlighted for you. If you start debugging, then you can write notes to yourself and investigate each event and see the memory profiling. So, we are given really information to help engineers debug and understand performance of third parties and these kinds of things. If you're a security leader or a product leader, then we will focus more on the security alerting in the field, post-market surveillance, really giving you some insights about your products. For example, what are the top flows in the product that are being executed? Which buttons are being pressed and when? All this kind of metrics. Of course, there is open query. So, you can search logs. You can create your own analytics and alerts. It's just a manner of what you put in front and center per persona. It could be interesting also for enterprises and for marketing and sales, but we're not there yet. Erik: Okay. Clear. You mentioned you're about four years old as a company now. Obviously, you already have good traction. But even as an industry, security for IoT devices is still a bit of a baby, right? It's a very young industry, so there's a lot of innovation ahead of us. What are the big priorities for you, if you look at your product roadmap over the next 24 months or so? What are the areas that you see the most potential to help your customers? Natali: Actually, we already started, and we plan to continue. We are big believers in creating trust and giving engineers the ability to deploy for themselves and try out our product easiest as possible. As I mentioned, think simplicity. Don't think about traditional complex IoT solutions. As part of it, we released a free license. You can deploy — honestly, three steps. One, click deployment into Linux devices, and you can use it for free for three devices just to test out some of the features that we provide. We plan to continue in this path, releasing more and more capabilities, either for free or as a self-service. Engineers could onboard their device to use our SDK and get visibility into the software. Security leaders could easily try out our security offerings. This is really the roadmap as we plan to make this industry, and security and observability much more accessible, much more easy to deploy. So, people could just first gain trust that those solutions actually work and improve their devices. Second, they want me to talk with sales, which I think is a great advantage. I am not a fan of talking with sales persons, and I think our customers are not as well. Erik: Yeah, I got you. Wonderful. Well, super interesting. This is a great business and a really important challenge that you've taken on. I think we have a good understanding of your business now, Natali. But is there anything that we haven't touched on that's important for folks to know? Natali: No, I don't think so. I think it was — thank you again for the opportunity and time. I just think that we're really passionate about helping device manufacturers not just secure their devices but also build better products, faster, smarter. That's a mission that I think everyone in general is really, really motivated about. Erik: Yeah, wonderful. We wish you all the success in the world. Natali: Thank you very much, Erik. Thanks for the time.
|