Security Unlocked

Share

Simulating the Enemy

Ep. 34

How does that old saying go? Keep your friends close and keep your understanding of a threat actor’s underlying behavior and functionality of tradecraft closer? As new tools are developed and implemented for individuals and businesses to protect themselves, wouldn’t it be great to see how they hold up against different attacks without actually having to wait for an attack to happen? Microsoft’s new open-source tool, Simuland, allows users to simulate attacks on their own infrastructure to see where their own weaknesses lie.  

In this episode of Security Unlocked, hosts Natalia Godyla and Nic Fillingham sit down with Roberto Rodriguez, Principle Threat Researcher for the Microsoft Threat Intelligence Center (MSTIC) and Simuland’s developer, to understand how the project came to life, and what users can expect as they use it.  


In This Episode You Will Learn:  

  • How community involvement will help Simuland grow 
  • How individuals can use Simuland to see examples of actions threat actors can take against their infrastructure 
  • What other projects and libraries went into Simuland’s development 

Some Questions We Ask:  

  • What exactly is being simulated in Simuland? 
  • What do does Roberto hope for users to take away from Simuland? 
  • What is next for the Simuland project? 

 

Resources:  

Roberto Rodriguez’s LinkedIn: 

https://www.linkedin.com/in/roberto-rodriguez-96b86a58/ 

Roberto’s blog post, SimuLand: Understand adversary tradecraft and improve detection strategies: 

https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/ 

Roberto’s Twitter: Cyb3rWard0g 

https://twitter.com/Cyb3rWard0g 

Nic Fillingham’s LinkedIn: 

https://www.linkedin.com/in/nicfill/  

Natalia Godyla’s LinkedIn:   

https://www.linkedin.com/in/nataliagodyla/  

Microsoft Security Blog:   

https://www.microsoft.com/security/blog/  

  

Related:  

Security Unlocked: CISO Series with Bret Arsenault  

https://SecurityUnlockedCISOSeries.com  

 

Transcript:

[Full transcript can be found at https://aka.ms/SecurityUnlockedEp34]

Nic Fillingham:

Hello and welcome to Security Unlocked. A new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft Security Engineering and Operations teams. I'm Nic Fillingham.


Natalia Godyla:

And I'm Natalia and Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.


Nic Fillingham:

And profile some of the fascinating people working on artificial intelligence in Microsoft Security.


Natalia Godyla:

And now let's unlock the pod.


Nic Fillingham:

Hello listeners. Hello, Natalia. Welcome to episode 34 of Security Unlocked. Natalia, how are you?


Natalia Godyla:

I'm doing well, thanks for asking. And hello everyone.


Nic Fillingham:

On today's episode, we have Principal Threat Researcher from the MSTIC Group, Roberto Rodriguez, who is here to talk to us about SimuLand, which is a new open source initiative, uh, that Roberto, uh, announced and discuss in a blog post from may the 20th, 2021. Natalia, you've got a, an overview here of SimuLand. Can you give us the TLDR?


Natalia Godyla:

Of course. So SimuLand is like you said, an, an open source initiative at Microsoft that helps security researchers test real attack scenarios, and determine the effectiveness of the detections in products such as Microsoft 365 Defender, Azure Defender and Azure Sentinel, with the intent of expanding it beyond those products in the future.


Nic Fillingham:

And Roberto, obviously we'll sort of expand upon that in the interview. Uh, one of the questions we asked Roberto is how did this all begin? And it began with an email from someone in Roberto's team saying, "Hey Roberto, could you write a blog post that sort of explains the steps needed to go and, uh, deploy a lab environment that reproduces some of these techniques?" And Roberta said, "Sure." And started writing. And he got to about page 80. Uh, you got 80 pages in and decided, "You know what, I think I can probably turn this into, uh, a set of scripts or into a tool." And that's sort of the kickoff of the SimuLand project. There's obviously more to it than that, which Roberto will go into, uh, in the interview. The other thing we learned, Natalia is Roberto might have taken the crown as the busiest person in, in security.


Natalia Godyla:

He certainly does. And, uh, lucky us, we get to ask him questions about all of the open source projects that he's been working on. So we'll do a little bit of a Harbor cruise through those projects in addition to SimuLand and this episode.


Nic Fillingham:

And with that, on with the pod.


Natalia Godyla:

On with the pod.


Nic Fillingham:

Welcome to the Security Unlocked podcast, Roberto Rodriguez. Thanks for your time.


Roberto Rodriguez:

Yeah. Thank you. Thank you. Thank you for having me here.


Nic Fillingham:

Yeah. We'd love to start with a quick intro. If you could tell the audience, uh, about yourself, about your role at Microsoft and, and what is your day-to-day look like?


Roberto Rodriguez:

Sure. Yeah. So my name is Roberta Rodriguez. Um, I'm a Principal Threat Researcher for the Microsoft Threat Intelligence Center, known as MSTIC, and I'm part of the R&D team. And my day-to-day, uh, is very interesting. There's a lot of things going on. So my role primarily is to empower all their security researchers in my organization to do, for example, some of their development of detections, performing research in general. So I tend to follow my day-to-day into... I kind of like breaking it down into a couple of pieces. Like the whole research methodology has several different steps.


Roberto Rodriguez:

So what I do is I try to innovate in some of those steps in order to expedite the process, trying to maybe come up with some new tools that they could use. And at the same time, I like to dissect adversary tradecraft, and then try and just to take that knowledge and then share it with others and trying to collaborate with other teams as well. Not only in MSTIC, but yeah, but across like other teams at Microsoft as well.


Natalia Godyla:

Thank you for that. And today we're here to talk about one of the blogs you authored on the Microsoft Security blog, SimuLand understand adversary tradecraft, and improve detection strategies. So, um, can we just start with defining SimuLand? What is SimuLand?


Roberto Rodriguez:

Yep. So SimuLand is an open source initiative. It's, it's a project that started just as a blog post to talk about, for example, an end-to-end scenario where we can start mapping detections to it. So we decided to take that idea and started sharing more scenarios with the community, showing them a little bit how, for example, like a threat actor could go about it and trying to compromise the specific, you know, resources either in Azure or on Prem. And then try to map all that with some of the detections that we have, trying to validate detections and alerts from different products from the 365 Defenders security, Azure Defender.


Roberto Rodriguez:

And of course, Azure Sentinel at the end, trying to, trying to bring all those data sources together and then allow also not only people at Microsoft, but outside, right? Customers or people even trying to use trial licenses to understand the, you know, the power of all this technology together. Because usually, you know, when you start thinking about all these security products, we always try to picture them like as isolated products. So the idea is how we can start providing documentation to deploy lap environments, walk them through a whole scenario, map the... For example, attack behavior to detections, and then just showcase what you can do with, you know, with all these products.


Roberto Rodriguez:

Um, that's kind of like the main idea. And of course I, some of the output could be understanding, you know, the adversary in general, trying to go deep beyond just alerts. Because our goal also is not just to say, "Oh, this attack action happens. And then this alert triggers." The idea is to say first, you know, let's validate those alerts, but then second, we want you to go through and analyze the additional data, additional context that gets created in every single step, because at the same, you know, it will be nice to see what people can come up with.


Roberto Rodriguez:

You know, there's a lot of different data sets being showcased through this, you know, type of lab environments that, you know, for example, we believe that there could be other use cases that you can create on the top of all that telemetrics. So that's what we want to expose all that documentation that has helped us, for example, to do internal research. When I joined Microsoft, there was not much so I would say from a lap environment that was fully documented to deploy and then just try to use it right away when there is an incident, for example, or just trying to do research in general. So my idea was why can't we share all this with a community and see if they could also benefit because we're using this also internally.


Nic Fillingham:

I, I'd love to actually just quickly look at the name. So SimuLand, I'm assuming that's a portmanteau or is it, is it an acronym? Tell me how you got to SimuLand. Because I think that may actually also help, you know, further clarify what this is.


Roberto Rodriguez:

Yeah. So, yeah, SimuLand, uh, it's I believe, you know, it comes from as... Well, it has also some contexts around Spanish. Uh, so in Spanish we say simulando. So simulando means simulating something.


Nic Fillingham:

Okay.


Roberto Rodriguez:

But at the same time, I feel that SimuLand, the idea was to say, deploy this environment, which could turn into a, let's say like a land out there that it's, it's primarily to simulate stuff and to start, you know, learning about adversary trade graph. So it's kind of like the SimuLand, like the simulating land or the land of the simulation. And then also in Spanish, they simulando. So it has a couple of different meanings, but the, the main one is this is the land where you can simulate something and then learn and learn about that simulation in general.


Roberto Rodriguez:

So that, that was kind of like the thought that, you know, when behind it, not probably too much, but, uh, (laughs) that was idea. And I think that people liked it. I think it just stayed with the project. So-


Nic Fillingham:

And, and given that you're s- you're simulating sort of the threat space is, is this land that's being simulated? Is this your sort of sovereign, uh, land to protect? Or is this the, is this the actual sort of the theater of cyber war? Like what are you simulating here? Are you're simulating the attacker's environment. Are you simulating your environment? Are you simulating both?


Roberto Rodriguez:

Yeah, it's a great question. So we're trying to, primarily of course you simulate, let's say an organization that has, for example, like on-prem resources that are trying to connect to an Azure cloud infrastructure, for example. So simulating that environment first, but then at the same time, trying to execute some of those, for example, actions that I threat actor could take in order to compromise the environment. And of course that could come with some of the tools that are used also by, you know, known threat actors who trying to stay with public tools. So things that are already out there, things that have been also identified, but a few threads reports out there as well.


Roberto Rodriguez:

So we're trying to use what others also could use right away. You know, we don't want to, you know, of course share code or applications that no one has seen ever out there. So the idea is to primarily simulate the full organization environment, like an example of, of what that environment will look like, but then at the same time use public tools to perform some actions in the environment.


Natalia Godyla:

So, as you said before, you're exposing a lab environment that you had been leveraging internally at Microsoft so the community can benefit from it. What was the community using before in order to either test these products or do further research?


Roberto Rodriguez:

Sure. So I would say that there is a lot of different communities that we're building, let's say, like, for example, some active directory environments, uh, trying to simulate the creation of different, you know, windows endpoints, um, on a specific domain. And then they were using a lot of open source tools, for example, like, you know, things such as Sysmon from a windows perspective, like, oh, it's squarely also in windows, but then on other platforms. But at the same time, what I wanted to do is why can't we use that, which people are used to trying to use open source tools or just open tools.


Roberto Rodriguez:

And then at the same time trying to use, uh, for example, enterprise, security controls or products in general. That type of, uh, simulation of a full end-to-end scenario, I have not seen it before. I have seen, for example, some basic examples of one, let's say, um, you know, scenario from Microsoft Defender, evaluation labs, for example, they have a service where you can simulate two to four computers with MDE, which is Microsoft Defender for endpoint, those scenarios existed, but there was nothing out there that could have everything in one place.


Roberto Rodriguez:

So we're talking about Microsoft Defender for Endpoint, identity, Microsoft Defender for cloud application security, Azure Defender. And then on the top of that, Azure Sentinel detections, all that together was not out there. Once again, there was just a couple of scenarios, lap environments that were touching a few things, but he was not covering the whole framework or the whole platform to test all these different detections. But at the same time, how you can work with everything at once, because that's also one of the goals of the project is we always hear, for example, once again, detections from one product only, but then there is a lot that you can do when you have one detection from MDE, one detection from Azure Sentinel, MDI, et cetera, all that additional context was not public yet before SimuLand.


Roberto Rodriguez:

So that's what I was trying to do. Is to bring all this in one place and, and, you know, bringing everything to the SimuLand. (laughs)


Nic Fillingham:

Is there a particular scenario Roberto, that you can sort of walk us through that's sort of gonna, gonna fully cover the gamut of what SimuLand can do?


Roberto Rodriguez:

Yes, yes. Definitely. So there is one scenario in there. We're trying to, to of course, you know, add more scenarios to this, uh, platform. So the only one that we have in there is what I call golden SAML two, you know, still for example, or 4J SAML token, and then use that in order to, for example, modify Azure ID applications in order to then use those applications to access mail data, for example. So that's one scenario. The, the main part is golden SAML. That's scenario for example, what we're trying to do with SimuLand is to first make sure that we prepare whoever is using SimuLand to understand what it is that you need before you even try to do anything.


Roberto Rodriguez:

Right? Because usually we try to jump directly to the simulation and trying to let's say, attack an environment, but there is a lot of pieces that you need to happen before, right? So SimuLand gives you what is called preparation. So in preparation, and you understand all the licensing that you might need, not every scenario needs, uh, we'll need, let's say an enterprise license, or there's going to be a couple of scenarios where are going to be simple. So not too much going on in there, but next step is how to deploy an environment. So once you take care of the licensing, once you take care of, for example, what are the additional resources that you might need to stand up before you deploy a full environment? So now we can deploy it.


Roberto Rodriguez:

We provide also Azure resource manager templates. So arm templates to let's say first document the environment as code, and then be able just to deploy it with a few commands, um, rather than trying to do everything manually, which is time consuming and is too complex to, to figure it out. The next step of once we have the environment, then we can start for example, running a few actions. So if we go to golden SAMLs, a golden SAMLs starts with let's for example, use a compromised account that was the one handling the Active Directory Federation Services, for example, in the organization on Prem, then we take that and then we start, for example, accessing the database where we can instill the certificate to sign tokens.


Roberto Rodriguez:

Once we get that, then we can go through that whole scenario step-by-step as we go executing every single action, we can start identifying detections, images of what it would look like on MDI, MD, MDE, MKAZ, Azure Sentinel, all the way to even show you some additional settings that you might need to potentially enable if you want to collect more telemetry. And then at the end, which is, you know, closest scenario with, you know, showing you what it is that you did. And then, uh, at the same time, all the alerts that trigger or the telemetry that was available.


Roberto Rodriguez:

And since we are sharing a full environment where everything is running, then you can just go back to the environment and go deeper. Maybe do some forensics, maybe do some additional incident response actions. So that, that will be, I would say the, the end-to-end thing with SimuLand, what you can do once you jump into the project.


Natalia Godyla:

And so for users who've jumped into SimuLand and gone through some of the scenarios, what is your intent for the users once they have these results, what's the use case for them and how do you want them to interact with your team as well? How do you want the community to get involved?


Roberto Rodriguez:

Yes, that's a great question. So initially what we want to people using SimuLand is once again, go beyond just the alerts. Because alerts, which is one thing that will trigger, we're taking care of all that. So wherever is using, for example, the Microsoft 365 Defender products in general, you know, they are protected with all these detections, right? But my goal is for a researcher or a security analyst to go deeper into that telemetry once again, around in a specific, uh, so I run a specific on alerts so that they can learn more about the adversary behavior in general.


Roberto Rodriguez:

Usually we just see the alert and then we stop and then we just started the incident and then we pass it to somebody else. I want people to dive into the, you know, all this telemetry that is being collected and they start putting together that whole adversary tradecraft, for example. Understanding the behavior to me is, is very important. There is a lot of different things that you can do with a telemetry already in SimuLand. So that's just one of the goals. The second goal is to see if you're even ready for those types of, you know, alerts. For example, what do you do if you get all these four or five alerts in your environment? How do you respond to that?


Roberto Rodriguez:

So these could also be part of our training exercise, for example. So there is a couple of things that you can do in there. Another scenario could be, you know, exporting all the data that is being collected and then probably use it for some demos. Once again, also for some training, focusing a lot on trying to understand and learn the adversary tradecraft. Like for me, that's very important once again, because we don't just want to learn about one specific indicator of compromise, we want to make sure that we're covering, uh, scenarios that would allow us to, you know, respond and understand techniques or at the tactical level.


Roberto Rodriguez:

Um, and then from a collaboration with us, I believe that, you know, one could be trying to give us some feedback and see what else we could do with these scenarios. There is a couple of people in the community, for example, that are sharing some cool detections on the top of the stuff that we already developed. There is a lot of detections being insured through Azure Sentinel GitHub, through enter 65, advanced square is GitHub. And there is people just building things on the top of that. So we would like to hear more of those scenarios and maybe include all those to SimuLand so that we can make SimuLand also a place where we can share those schools, those cool detections ideas that people might have.


Roberto Rodriguez:

And that could be shared also with others using the environment. Everything I would say from a communication perspective happens through GitHub through issues. Anything that anybody would like to add or probably request, any features. It will be nice. We had one person asking us about, can we add, for example, Microsoft Defender, so MDO, which is Microsoft Defender for Office 365, I think it is. And so those, you know, for example, products, something that I had not added yet. So that's something that is coming. So, uh, invest the type of collaboration that I expect from the community as well.


Natalia Godyla:

And what's on the roadmap for simulant? What's next for evolving the project?


Roberto Rodriguez:

Yeah. So SimuLand has a couple of things that are coming out. So one is going to be automation, automation from the execution of attacker actions. So right now the deployment is automated. I would say, I would say 90% of the deployment is automated. There is a few things that are kind of hard to automate right now. And it's just a simple, just like a few more clicks on the top of the deployment. But from the attacker's perspective, we wanted to make SimuLand a project where you can walk someone through the whole process. These are the actions that take place in the whole simulation, and then you can start exploring one-by-one.


Roberto Rodriguez:

So it's a very manual process to, to go through the SimuLand labs, for example. So one thing that we wanted to do is to automate those steps, those attacker actions, because, you know, we have, for example, a few people that are taking advantage of how modular SimuLand is that they do not want to deal with preparation and deployment. All they wanna do is take the execution of the actions and then just plug them into their own environment. Because they say, I already have the same deployment. Well, yeah. A similar deployment with all the tools that you ask to be deployed. Why not? Can I just take the attacker actions and then just to start a learning or maybe do it in a schedule base, right?


Roberto Rodriguez:

Like every Friday we execute a few scenarios. So that turned into, uh, a new project, which I'm going to be releasing in Black Hat, 2021 in August. That project is called Cloud Katana. And that's a project where I will be using Azure functions to execute actions automatically. And then the other thing that we have for SimuLand is data export. So what I wanna do also is share the data that gets generated after going through the whole SimuLand scenarios, and then just give it to the community. Because I believe that we also have a few conversations with people from the community that say, you know what, I don't have the environment to deploy this.


Roberto Rodriguez:

You know, for example, I don't have resources to, you know, learn about all, you know, all of this, my company doesn't want to somehow, I don't know, support these type of projects, right? So a lot of things, you know, people are having some obstacles as well, right? To try to use these things, even like having a subscription in Azure might be an obstacle or constraint for a lot of people. So why not just give them the data with all the actions that were taken, all the alerts that were collected by Azure Sentinel, and then allow them to use, for example, plain Python code or PowerShell or Jupiter notebooks on the top of that, like, you know, to analyze the data, build visualizations from the top.


Roberto Rodriguez:

So we want to empower those that also, you know, my want to use it, but do not have the resources to do it. So that's also, you know, second thing in the, uh, uh, in the list for SimuLand. The other thing is going to be, so we have, uh, have a lot of things going on, but, (laughs) the, the other thing is going to be, how can we provide a CICD pipeline for the deployment? That's critical because want to make sure that people can plug these into, for example, Azure DevOps, and then they can just have the environment running and they may be, you know, bring the deployment down, you know, bring it up every week and then run a few scenarios, bringing down again.


Roberto Rodriguez:

So we wanted to make sure that he's also flexible for those too, right, to work with. And what else. And I think that the last thing that we have would, would be trying to see if we can integrate more products from Microsoft, and just share, uh, more scenarios. We have two or three coming, uh, hopefully in the next couple of months and it's going to be fun. Yeah. We have a lot of stuff in there. (laughs)


Nic Fillingham:

Tell me how you built SimuLand and then worked a full-time job in the MSTIC team. Was this actually a special project that you're assigned to, or was this all extra curricular? A little column A, little column B?


Roberto Rodriguez:

(laughs) Yeah. So once again, when I started right, these conversations, so I, I mentioned that my role is to also empower others and help to, you know, develop, you know, environments for research, because I love to do research as well, like dissecting. Yeah. Adversary tradecraft is pretty cool. And then the question was just, "Hey, can you build this environment?" Just a simple email? And I was like, "Yeah, I can do that." And I just, to be honest, it took me maybe a week or two to figure it out the infrastructure, and then maybe took me, uh, probably close to a month to write down the whole scenario and make sure that I have the PowerShell scripts that were actually working.


Roberto Rodriguez:

So let's say probably two months it, it took me to do this. It was extra curriculum activities. (laughing?) Definitely besides what I was doing already. Um, and it was fun. I mean, it was fun because that's what I love to do. So some of my boss is super cool, you know, letting me do all this research and then allow me just to also spend some time and trying to get some feedback from also our internal team and other teams as well. So yeah. So it turned into just as a question, can you do this? And I love those questions and somebody says, can you do this? I was like, I would say yes, but then I don't know what I'm getting myself into. And that's the fun part of it.(laughs)


Nic Fillingham:

Before we, before we sort of wrap up here, we're a better, are there any projects that you're working on right now or you're contributing to that you can, you can talk about?


Roberto Rodriguez:

Yeah. So I would say from an open threat research perspective, there's a project called Modeler. So Modeler is a project where I decided to every time I execute or go through my research process, and, and then let's say learn about a specific attack technique, I can collect the data. And then I share those datasets through that project. So for other people that would like to learn about those techniques, they can just access the data directly. So you can learn about adversaries through the data instead of trying to go through a whole process to like to emulate or simulate an adversary.


Roberto Rodriguez:

Which for a lot of people, it's, it's not that easy. So, you know, so for me, I wanted to find ways to expedite that process. Uh, so that project is something that I'm, you know, revamping, uh, soon. So I'm, I'm collecting more data sets from the cloud. Most of my datasets were windows base. I have a couple of from Linux. I have some from AWS, but I wanted to get more from, you know, from Azure. So SimuLand datasets are going to live in Modeler project. So, you know, anything that, you know, gets out of SimuLand, contributed directly to an open source project as well.


Roberto Rodriguez:

So that's one of them. And the other one is Cloud Katana, which is the one that I talked about a couple of minutes ago. So Cloud Katana, the automation of SimuLand attack actions, that one I'm spending, uh, a lot of time to, uh, that one will be released under Azure, but this is still going to be open source. So that's also something that we want to provide to the community to use. And let's say there is a, all the projects too. Yes, I have another project. So it is a project called OSSCM, O-S-S-C-M. And OSSCM is a project that I started to document telemetry that I use during research.


Roberto Rodriguez:

So I believe that a lot of people that want to dive into the technicians and the starring the, you know, defender world, they need to understand the data before they want to make the decisions of like building detections. So my goal with that project was to first document events that I use from different platforms. At the same time, I wanted to create a standardization like common data model for data sets, which by the way, Azure Sentinel is building their common data models through this project OSSCM. So it's also one of our interesting collaboration and opportunities that we have. Uh, Azure Sentinel reaching out to the community and saying, "Hey, instead of Pfizer reinventing the wheel, can we explore your project?" Which is OSSCM.


Roberto Rodriguez:

And then the third part of OSSCM is also a way to document, for example, you know, relationships that we identify in data. So when you want to build, for example, detections, most of the time you want to understand what events can I use to build a chain of events that would actually give me context around an attack behavior. So what we do is we explore the data, we identify relationships and we just document them through that project. So that way somebody else could actually use it and understand what can they do with that telemetry.


Roberto Rodriguez:

So I would say, once again, you learn about that telemetry, you standardize your telemetry, and at the same time, we give you some ideas into what you can do with our telemetry to build detections. So that's another project. Last one would be, (laughs) yeah, last one would be another-


Nic Fillingham:

There's more?


Roberto Rodriguez:

Yes. There's one more. (laughing)


Nic Fillingham:

Do you sleep, man? When do you sleep?


Roberto Rodriguez:

It is being hard but I try to manage my time for sure and do that, but it is, uh, a another project, it's private right now, but it's going to be public, uh, soon. It's going to be through the open threat research community as well. This project is a way to collaborate with, for example, researchers in the community that build offensive security tools or just tools to do, for example, you know, red teaming, they want to use those tools to perform certain actions in, in, in, in a specific environment.


Roberto Rodriguez:

So we want to, you know, collaborate and partner with them and start documenting those tools in a way that we can share with others in the community. So for example, me as a researcher, dissecting adversary tray graph, like all, all the techniques and the behavior behind on a specific tool or a specific technique, it takes time. Like for me, like it would take probably a couple of weeks to dissect all the modules of one tool. So the goal is to why don't we partner with the authors of those tools, we document those, uh, tools and then we can start also sharing some potential ideas into how to detect those scenarios.


Roberto Rodriguez:

That way we, you know, we expedite the research, right? We do it, let's say in a private setting with a lot of researchers from the community, and then we just distribute that, that knowledge across the world. So that way we also help and expedite that whole process. So open through research, we have data. Now we have knowledge, we have infrastructure and then we have a way to share it with our community. So it's like a whole kind of like the main parts of your, you know, research process, but we want to give it a community touch to the, you know, you know, to all this. And that's, and that's it. So I have a couple more, but that's, (laughing) that's kinda like another project that it's, it's, it's coming soon. So-


Nic Fillingham:

I, I think we're going to have to let you go, Roberto. 'Cause if you're just going to get back in today's projects and start submitting some more contributions.(laughing) But before we do that, I want to, I want to circle back to SimuLand, and again, for folks listening to SimuLand, um, they're going to get rid of the blog post. We'll put the link in the, in the show notes. Tell me, what is your dream contribution? What is sort of the first scenario that you want sort of contributed back into this project?


Nic Fillingham:

Or sort of, where are you really hoping that the community will come and rally around either a particular scenario or some sort of other... Who is the person you, you want to be listening to this podcast right now and go like, "Oh yeah, I can do that." What's that one thing you need, or you're really looking for?


Roberto Rodriguez:

Well, actually two things. So one is the automation of, of the attacker actions. It will be, uh, uh, a dream, I would say because I'm, I'm building it on the top of Azure infrastructure. So it will be easier to plug in into your environments to kind of like, you know, periodically do some testing and then map it to SimuLand scenarios. So you have like the full end to end, uh, the environment. You have the labs preparation infrastructure as code all the way to even automating those, um, you know, validation of analytics, for example.


Roberto Rodriguez:

That, that, that's one that even though it's something that it's been done in other places, I think the way how it's going to be done through, through Azure functions is going to be very, very interesting because we're going to have potentially not only attack our actions being automated, but we could maybe have some detections being automated on the top of that. So instead of releasing a tool that will only be used, let's say to attack, right, and a specific environment, we can use a tool that can do both to attack and defend the, uh, the environment.


Roberto Rodriguez:

So usually you see one or the other. One tool to attack or one to defend. The automation that I'm planning to, to release, which would be one of the dreams is to be able to attack and defend automatically. And I think that that would link also very nicely with projects like CyberBattleSim. So that's also one of the dreams is how can we, uh, for example, document SimuLand in a way that could help us create synthetic scenarios that CyberBattleSim can use and then drop an agent and then learn about the most efficient path to take? Because that's, you know, CyberBattleSim, right?


Roberto Rodriguez:

They build environments, synthetic environments to then, you know, teach an agent to take the most efficient path through like, you know, rewards and, and, you know, all this stuff. So SimuLand, the dream would be to connect also those projects. How can, you know how you can have these nice process where you can SimuLand can provide the adversary, tradecraft knowledge, all the, for example, preconditions and all the, the context that is needed to create a CyberBattleSim scenario, and then improve a model to, for example, automate some of that execution of attacks.


Roberto Rodriguez:

And then that model can then be used through Cloud Katana to then execute those paths automatically. And then at the end, you can have some detections on the top where you can apply a similar context. Because SimuLand comes with the attack and detections. So we might find a way to create a data model where we could say, here's the attack here, all detection. So we can maybe build something also with CyberBattleSim the same way. And the other one, so the other dream bug is for me in SimuLand would be, since I was talking to a few coworkers today about this, um, that it would be nice to maybe provide SimuLand as a service for customers or also for, you know, people in the community.


Roberto Rodriguez:

It will be nice to have a platform that people can just access and start learning about these, these tools, these, these data, uh, necessarily not give somebody of course control to execute something. We take care of the execution, but then just expose all this telemetry in a way that is easier for those that, you know, might not have the resources. I love to do things, to build things that would help others to, you know, to do more. So I think that that will be also one of the dreams is how can we just take SimuLand and then just make it a service for, you know, for the community.


Roberto Rodriguez:

That would be pretty cool. So if anybody is listening, (laughs) and, and, you know, would like to make that happen, it would be amazing to have SimuLand as a service for those that don't have the resources like schools, uh, you know, like has anybody in general, the community that, you know, would like to, you know, learn more about this.


Natalia Godyla:

Wow. Roberto, you're going to be busy.


Roberto Rodriguez:

Yes. (laughs)


Natalia Godyla:

For anyone who hasn't watched episode 26, we did discuss CyberBattleSim there. So if that peaked your interest, definitely check out that episode and Roberto, as we wrap up here, are there any resources, Twitter handles that folks can follow to continue to watch your work or maybe join the threat research community?


Roberto Rodriguez:

Yes, yes. Yes. So my Twitter handle is Cyb3rWard0g with a three and the zero. So instead of the E and the O. So Cyb3rWard0g in Twitter. So there is what I share everything that I do is through there. Um, if you want to join the community, we would love to, you know, learn from you and collaborate, go to the Twitter handle OTR. So OT and then R_community. And then they're in the profile and description of the Twitter handle, you have a better link for the, uh, for the discourse invite. So the moment you join that discord, all you have to do is just accept the code of conduct. We want to make sure that we're inclusive, which is welcome everybody.


Roberto Rodriguez:

And if you agree with that, just click the 100% emoji, and then you have access to, to, (laughing) and then you have access to all these channels where you can, you know, ask questions about open source projects. So that's the best way to collaborate.


Natalia Godyla:

Awesome. Thank you. We'll definitely drop those links in the show notes. And thank you again for joining us on the show today, Roberto.


Roberto Rodriguez:

No, thank you for having me. This was amazing. Um, I had never had the opportunity to talk about a lot of projects. Uh, usually it's a one project and then we will see when we talk about. So this has been nice. So thank you very much. I really appreciate it. And I hope to see you guys in another episode.


Nic Fillingham:

We hope so too. Thanks for Roberto.


Roberto Rodriguez:

Thank you.


Natalia Godyla:

Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.


Nic Fillingham:

And don't forget to tweet us @msftsecurity, or email us at securityunlocked@microsoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.


Natalia Godyla:

Stay secure.

More Episodes

7/28/2021

Talking Security With Non-Security Professionals

Ep. 38
Everyoccupationhas itsunique jargon that allowsprofessionalsto speak their ownlanguageand understand each other’s shorthand.Those of us in the world of cybersecurity are no exceptionas we frequently toss around acronyms and abbreviations,buthow can wecybersecurityprofessionalscommunicateall ofthiscrucialingrained knowledge to people who haven’t the faintest idea about technology, security, orwhat ourconversational shorthandeven means?In this episode of Security Unlocked, hostsNic FillinghamandNataliaGodylaspeak with Microsoft’s Chief Security Advisor,Sarah Armstrong-Smith,aboutthe most effective ways to communicate high-level security topics with non-security professionals. In order to create a more secure world, it’s paramountthatthenon-tech savvyareequallyinformed andprotected, and Sarah has some excellent tips in achieving that goal.In This Episode You Will Learn: How important it is to define ‘risk’Why it's amistake to think ofcyber protections as a necessary evilin a corporationThe valueofintroducingtopics by asking questions rather thanlecturingSome Questions We Ask: Who should be driving security conversations in an organization?How should we introducecybersecurityconceptsnon-cybersecurity professionals?What are some tips for complex organizations introducing their teams to cybersecurity concepts?Resources: Sarah Armstrong-Smith's Blog post part 1:https://www.microsoft.com/security/blog/2020/10/13/becoming-resilient-by-understanding-cybersecurity-risks-part-1/Sarah Armstrong-Smith's Blog post part 2:https://www.microsoft.com/security/blog/2020/12/17/becoming-resilient-by-understanding-cybersecurity-risks-part-2/Sarah Armstrong-Smith's Blog post part 3:https://www.microsoft.com/security/blog/2021/02/24/becoming-resilient-by-understanding-cybersecurity-risks-part-3-a-security-pros-perspective/Sarah Armstrong-Smith's Blog post part 4:https://www.microsoft.com/security/blog/2021/05/26/becoming-resilient-by-understanding-cybersecurity-risks-part-4-navigating-current-threats/Sarah Armstrong-Smith's LinkedIn:https://www.linkedin.com/in/sarah-armstrong-smith/Nic Fillingham’s LinkedIn: https://www.linkedin.com/in/nicfill/Natalia Godyla’s LinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog: https://www.microsoft.com/security/blog/ Related: Security Unlocked: CISO Series with Bret Arsenault  https://SecurityUnlockedCISOSeries.com/Transcript:[Full transcript can be found athttps://aka.ms/SecurityUnlockedEp38]
7/21/2021

Discovering Router Vulnerabilities with Anomaly Detection

Ep. 37
Ready for a riddle? What do 40 hypothetical high school students and our guest on this episode have in common?Whythey can help you understand complex cyber-attack methodology, of course!In this episode of Security Unlocked, hostsNic FillinghamandNatalia Godylaare brought back to school byPrincipalSecurityResearcher,Jonathan Bar Or who discusses vulnerabilities in NETGEAR Firmware. During the conversation Jonathan walks through how his teamrecognized the vulnerabilities and worked with NETGEAR to secure the issue,andhelps usunderstand exactly how the attack workedusing an ingenious metaphor.In This Episode You Will Learn: How a side-channel attack worksWhy attackers are moving away fromoperating systemsand towards network equipmentWhy routers are an easy access point for attacksSome Questions We Ask: How do you distinguish an anomaly from an attack?What are the differences between a side-channel attack and an authentication bypass?What can regular users do to protect themselvesfrom similarattacks? Resources: Jonathan Bar Or’s Blog Post:https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/Jonathan Bar Or’s LinkedIn:https://www.linkedin.com/in/jonathan-bar-or-89876474/Nic Fillingham’s LinkedIn: https://www.linkedin.com/in/nicfill/Natalia Godyla’s LinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog: https://www.microsoft.com/security/blog/ Related: Security Unlocked: CISO Series with Bret Arsenault https://thecyberwire.com/podcasts/security-unlocked-ciso-series
7/14/2021

Securing the Internet of Things

Ep. 36
Thereused to bea time when our appliances didn’t talk back to us, but it seems like nowadays everything in our home is getting smarter.Smart watches, smart appliances,smart lights-smart everything! Thisconnectivity to the internetis what we call the Internet of Things(IoT).It’s becoming increasingly common for our everyday items to be “smart,” and while thatmay providea lot of benefits, like your fridge reminding you when you may need to get more milk, it alsomeans thatall ofthose devices becomesusceptible to cyberattacks.On this episode of Security Unlocked, hostsNic FillinghamandNatalia Godylatalk toArjmandSamuelabout protecting IoT devices, especially with a zero trust approach.Listenin to learnnot onlyaboutthe importance of IoT security,but also what Microsoft is doing to protect againstsuchattacks and how you canbettersecurethesedevices.In This Episode You Will Learn: Whatthe techniquesareto verify explicitly on IoT devicesHow to apply the zero trust model in IoTWhat Microsoft is doing to protect against attacks on IoTSome Questions We Ask:What isthedifference between IoT and IT?Why is IoT security so important?What are the best practices for protecting IoT?Resources:ArjmandSamuel’s LinkedIn:https://www.linkedin.com/in/arjmandsamuel/Nic Fillingham’s LinkedIn:https://www.linkedin.com/in/nicfill/Natalia Godyla’s LinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://thecyberwire.com/podcasts/security-unlocked-ciso-seriesTranscript:[Full transcript can be found athttps://aka.ms/SecurityUnlockedEp36]Nic Fillingham:(music) Hello and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in new and research from across Microsoft's security, engineering and operations teams. I'm Nic Fillingham.Natalia Godyla:And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.Nic Fillingham:And profile some of the fascinating people working on artificial intelligence in Microsoft Security.Natalia Godyla:And now, let's unlock the pod. (music)Natalia Godyla:Welcome everyone to another episode of Security Unlocked. Today we are joined by first time guest, Arjmand Samuel, who is joining us to discuss IoT Security, which is fitting as he is an Azure IoT Security leader a Microsoft. Now, everyone has heard the buzz around IoT. There's been constant talk of it over the past several years, and, but now we've all also already had some experience with IoT devices in our personal life. Would about you, Nic? What do you use in your everyday life? What types of IoT devices?Nic Fillingham:Yeah. I've, I've got a couple of smart speakers, which I think a lot of people have these days. They seem to be pretty ubiquitous. And you know what? I sort of just assumed that they automatically update and they've got good security in them. I don't need to worry about it. Uh, maybe that's a bit naïve, but, but I sort of don't think of them as IoT. I just sort of, like, tell them what I music I want to play and then I tell them again, because they get it wrong. And then I tell them a third time, and then I go, "Ugh," and then I do it on my phone.Nic Fillingham:I also have a few cameras that are pointed out around the outside of the house. Because I live on a small farm with, with animals, I've got some sheep and pigs, I have to be on the look out for predators. For bears and coyotes and bobcats. Most of my IoT, though, is very, sort of, consummary. Consumers have access to it and can, sort of, buy it or it comes from the utility company.Natalia Godyla:Right. Good point. Um, today, we'll be talking with Arjmand about enterprise grade IoT and OT, or Internet of Things and operational technology. Think the manufacturing floor of, uh, plants. And Arjmand will walk us through the basics of IoT and OT through to the best practices for securing these devices.Nic Fillingham:Yeah. And we spent a bit of time talking about zero trust and how to apply a zero trust approach to IoT. Zero trust, there's sort of three main pillars to zero trust. It's verify explicitly, which for many customers just means sort of MFA, multi factorial authentication. It's about utilizing least privilege access and ensuring that accounts, users, devices just have access to the data they need at the time they need it. And then the third is about always, sort of, assuming that you've been breached and, sort of, maintaining thing philosophy of, of let's just assume that we're breached right now and let's engage in practices that would, sort of, help root out a, uh, potential breach.Nic Fillingham:Anyway, so, Arjmand, sort of, walks us through what it IoT, how does it relate to IT, how does it relate to operational technology, and obviously, what that zero trust approach looks like. On with the pod.Natalia Godyla:On with the pod. (music) Today, we're joined by Arjmand Samuel, principle program manager for the Microsoft Azure Internet of Things Group. Welcome to the show, Arjmand.Arjmand Samuel:Thank you very much, Natalia, and it's a pleasure to be on the show.Natalia Godyla:We're really excited to have you. Why don't we kick it off with talking a little bit about what you do at Microsoft. So, what does your day to day look like as a principle program manager?Arjmand Samuel:So, I am part of the Azure IoT Engineering Team. I'm a program manager on the team. I work on security for IoT and, uh, me and my team, uh, we are responsible for making sure that, uh, IoT services and clients like the software and run times and so on are, are built securely. And when they're deployed, they have the security properties that we need them and our customers demand that. So, so, that's what I do all a long.Nic Fillingham:And, uh, we're going to talk about, uh, zero trust and the relationship between a zero trust approach and IoT. Um, but before we jump into that, Arjmand, uh, we, we had a bit of a look of your, your bio here. I've got a couple of questions I'd love to ask, if that's okay. I want to know about your, sort of, tenure here at Microsoft. Y- y- you've been here for 13 years. Sounds like you started in, in 2008 and you started in the w- what was called the Windows Live Team at the time, as the security lead. I wonder if you could talk a little bit about your, your entry in to Microsoft and being in security in Microsoft for, for that amount of time. You must have seen some, sort of, pretty amazing changes, both from an industry perspective and then also inside Microsoft.Arjmand Samuel:Yeah, yeah, definitely. So, uh, as you said, uh, 2008 was the time, was the year when I came in. I came in with a, a, a degree in, uh, security, in- information security. And then, of course, my thinking and my whole work there when I was hired at Microsoft was to be, hey, how do we actually make sure that our product, which was Windows Live at that time, is secure? It has all the right security properties that, that we need that product to have. So, I- I came in, started working on a bunch of different things, including identity and, and there was, these are early times, right? I mean, we were all putting together this infrastructure, reconciling all the identity on times that we had. And all of those were things that we were trying to bring to Windows Live as well.Arjmand Samuel:So, I was responsible for that as well as I was, uh, working on making sure that, uh, our product had all the right diligence and, and security diligence that is required for a product to be at scale. And so, a bunch of, you know, things like STL and tech modeling and those kind of things. I was leading those efforts as well at, uh, Windows Live.Natalia Godyla:So, if 2008 Arjmand was talking to 2021 Arjmand, what would he be most surprised about, about the evolution over the past 13 years, either within Microsoft or just in the security industry.Arjmand Samuel:Yeah. Yeah. (laughs) That's a great, great question, and I think in the industry itself, e- evolution has been about how all around us. We are now engulfed in technology, connected technology. We call it IoT, and it's all around us. That was not the landscape 10, 15 years back. And, uh, what really is amazing is how our customers and partners are taking on this and applying this in their businesses, right? This meaning the whole industry of IoT and, uh, Internet of Things, and taking that to a level where every data, every piece of data in the physical world can be captured or can be acted upon. That is a big change from the last, uh, 10, 15 to where we are today.Nic Fillingham:I thought you were going to say TikTok dance challenges.Arjmand Samuel:(laughs)Natalia Godyla:(laughs)Nic Fillingham:... because that's, that's where I would have gone.Arjmand Samuel:(laughs) that, too. That, too, right? (laughs)Nic Fillingham:That's a (laughs) digression there. So, I'm pretty sure everyone knows what IoT is. I think we've already said it, but let's just, sort of, start there. So, IoT, Internet of Things. Is, I mean, that's correct, right? Is there, is there multiple definitions of IoT, or is it just Internet of Things? And then, what does the definition of an Internet of Things mean?Arjmand Samuel:Yeah, yeah. It;s a... You know, while Internet of Things is a very recognized acronym these days, but I think talking to different people, different people would have a different idea about how Internet of Thing could be defined. And the way I would define it, and again, not, not, uh, necessarily the authority or the, the only definition. There are many definitions, but it's about having these devices around us. Us is not just people but also our, our manufacturing processes, our cars, our, uh, healthcare systems, having all these devices around, uh, these environments. They are, these devices, uh, could be big, could be small. Could be as small as a very small temperature sensor collecting data from an environment or it could be a Roboticom trying to move a full car up and down an assembly line.Arjmand Samuel:And first of all, collecting data from these devices, then bringing them, uh, uh, using the data to do something interesting and insightful, but also beyond that, being able to control these devices based on those insights. So, now there's a feedback loop where you're collecting data and you are acting on that, that data as well. And that is where, how IoT is manifesting itself today in, in, in the world. And especially for our customers who are, who tend to be more industrial enterprises and so on, it's a big change that is happening. It's, it's a huge change that, uh, they see and we call it the transformation, the business transformation happening today. And part of that business transformation is being led or is being driven through the technology which we call IoT, but it's really a business transformation.Arjmand Samuel:It's really with our customers are finding that in order to remain competitive and in order to remain in business really, at the end of the day, they need to invest. They need to bring in all these technologies to bear, and Internet of Things happens that technology.Nic Fillingham:So, Arjmand, a couple other acronyms. You know, I think, I think most of our audience are pretty familiar with IoT, but we'll just sort of cover it very quickly. So, IoT versus IT. IT is, obviously, you know, information technology, or I think that's the, that's the (laughs) globally accepted-Arjmand Samuel:Yeah, yeah.Nic Fillingham:... definition. You know, do you we think of IoT as subset of IT? What is the relationship of, of those two? I mean, clearly, there are three letters versus two letters, (laughs) but there is relationship there. Wh- wh- what are your thoughts?Arjmand Samuel:Yeah. There's a relationship as well as there's a difference, and, and it's important to bring those two out. Information technology is IT, as we know it now for many years, is all about enterprises running their applications, uh, business applications mostly. For that, they need the network support. They need databases. They need applications to be secured and so on. So, all these have to work together. The function of IT, information technology, is to make sure that the, there is availability of all these resources, applications, networks and databases as well as you have them secured and private and so on.Arjmand Samuel:So, all of that is good, but IoT takes it to the next level where now it's not only the enterprise applications, but it's also these devices, which are now deployed by the enterprise. I mentioned Roboticoms. Measured in a conference room you have all these equipment in there, projection and temperature sensors and occupancy sensors and so on. So, all of those beco- are now the, the add on to what we used to call IT and we are calling it the IoT.Arjmand Samuel:Now, the interesting part here is in the industrial IoT space. Th- this is also called OT, operation technology. So, you know, within an organization there'll be IT and OT. OT's operation technology and these are the people or the, uh, function within an organization who deal with the, with the physical machines, the physical plant. You know, the manufacturing line, the conveyor belts, the Roboticoms, and these are called OT functions.Arjmand Samuel:The interesting part here is the goal of IT is different from the goal of OT. OT is all about availability. OT's all about safety, safety so that it doesn't hurt anybody working on the manufacturing line. OT's all about environmental concerns. So, it should not leak bad chemicals and so on. A while, if you talk about security, and this is, like, a few years back when we would talk about security with an OT person, the, the person who's actually... You know, these are people who actually wear those, uh, hard hats, you know, on, uh, a manufacturing plant. And if you talk about security to an OT person, they will typically refer to that guard standing outside and, and, uh, the-Nic Fillingham:Physical security.Arjmand Samuel:The physical security and the, the walls and the cameras, which would make sure that, you know, and then a key card, and that's about all. This was OT security, but now when we started going in and saying that, okay, all these machines can be connected to, to each other and you can collect all this data and then you can actually start doing something interesting with this data. That is where the definition of security and the functions of OT evolved. And not evolving, I mean different companies are at different stages, but they're now evolving where they're thinking, okay, it's not only about the guard standing outside. It's also the fact that the Roboticom could be taken over remotely and somebody outside, around the world, around the globe could actually be controlling that Roboticom to do something bad. And that realization and the fact that now you actually have to control it in the cyber sense and not only in the physical sense is the evolution that happened between OT.Arjmand Samuel:Now, IT and OT work together as well because the same networks are shared typically. Some of the applications that use the data from these devices are common. So, IT and OT, this is the other, uh, thing that has changed and, and we are seeing that change, is starting to work and come closer. Work together more. IoT's really different, but at the same time requires a lot of stuff that IT has traditionally done.Natalia Godyla:Hmm. So, what we considered to be simple just isn't simple anymore.Arjmand Samuel:That's life, right? (laughs) Yeah.Natalia Godyla:(laughs)Arjmand Samuel:(laughs)Natalia Godyla:So, today we wanted to talk about IoT security. So, let's just start with, with framing the conversation a little bit. Why is IoT security important and what makes it more challenging, different than traditional security?Arjmand Samuel:As I just described, right, I mean, we are now infusing compute and in every environment around us. I mean, we talked a little bit about the conveyor belt. Imagine the conference rooms, the smart buildings and, and all the different technologies that are coming in. These are technologies, while they're good, they're serve a scenario. They, they make things more efficient and so on, but they're also now a point of, uh, of failure for that whole system as well as a way for malicious sectors to bring in code if possible. And to either, uh, imagine a scenario where or an attack where a malicious sector goes into the conveyor belt and knows exactly the product that is passing through. And imagine that's something either takes the data and sells it to somebody or, worse case, stops the conveyor belt. That is millions of dollars of loss very, uh, that data that the company might be incurring.Arjmand Samuel:So, now that there's infused computer all around us, we are now living in a target which in a environment which can be attacked, and which can be used for bad things much more than what it was when we were only applications, networks and databases. Easy to put a wall around. Easy to understand what's going on. They're easy to lock down. But with all these devices around us, it's becoming much and much harder to do the same.Nic Fillingham:And then what sort of, if, if we think about IoT and IoT security, one of the things that, sort of, makes it different, I- I th- think, and here I'd love you to explain this, sort of... I- I'm thinking of it as a, as a, as a spectrum of IoT devices that, I mean, they have a CPU. They have some memory. They have some storage. They're, they're running and operating system in some capacity all the way through to, I guess, m- much more, sort of, rudimentary devices but do have some connection, some network connection in order for instruction or data to, sort of, move backwards and forwards. What is it that makes this collection of stuff difficult to protect or, you know, is it difficult to protect? And if so, why? And then, how do we think about the, the, the potential vectors for attack that are different in this scenario versus, you know, protecting lap tops and servers?Arjmand Samuel:Yeah, yeah. That's a good one. So, uh, what happens is you're right. Uh, IoT devices can be big and small, all right. They could be a small MCU class device with a real-time operating system on it. Very small, very, uh, single purpose device, which is imagine collecting temperature or humidity only. Then we have these very big, what we call the edge or heavy edge devices, which are like server class devices running a Roboticom or, or even a gateway class device, which is aggregating data from many devices, right, as a, a, and then take, taking the data and acting on it.Arjmand Samuel:So, now with all this infrastructure, one of the key things that we have seen is diversity and heterogeneity of these devices. Not just in terms of size, but also in terms of who manufactured them, when they were manufactured. So, many of the temperature sensors in environments could be very old. Like, 20 years old and people are trying to use the same equipment and not have to change anything there. And which they can. Technically they could, but then those devices were never designed in for a connected environment for these, this data to actually, uh, be aggregated and sent on the network, meaning they per- perhaps did not have encryption built into it. So, we have to do something, uh, additional there.Arjmand Samuel:And so now with the diversity of devices, when they came in, the, the feature set is so diverse. Some of them were, are more recent, built with the right security principles and the right security properties, but then some of them might not be. So, this could raise a, a challenge where how do you actually secure an infrastructure where you have this whole disparity and many different types of devices, many different manufacturers, many of ages different for these devices. Security properties are different and as we all know talking about security, the attack would always come from the weakest link. So, the attacker would always find, within that infrastructure, the device which has the least security as a entry point into that infrastructure. So, we can't just say, "Oh, I'll just protect my gateway and I'm fine." We have to have some mitigation for everything on that network. Everything. Even the older ones, older devices. We call them brownfield devices because they tend to be old devices, but they're also part of the infrastructure.Arjmand Samuel:So, how do we actually think about brownfield and the, the newer ones we call greenfield devices? Brownfield and greenfield, how do we think about those given they will come from different vendors, different designs, different security properties? So, that's a key challenge today that we have. So, they want to keep those devices as well as make sure that they are secure because the current threat vectors and threat, uh, the, and attacks are, are much more sophisticated.Natalia Godyla:So, you have a complex set of devices that the security team has to manage and understand. And then you have to determine at another level which of those devices have vulnerabilities or which one is the most vulnerable, and then, uh, assume that your most vulnerable, uh, will be the ones that are exploited. It, so, is that, that typically the attack factor? It's going to be the, the weakest link, like you said? And h- how does an attacker try to breach the IoT device?Arjmand Samuel:Yeah, yeah. And, and this is where we, we started using the term zero trust IoT.Natalia Godyla:Mm-hmm (affirmative).Arjmand Samuel:So, IoT devices are deployed in an environment which can not be trusted, should not be trusted. You should assume that there is zero trust in that environment, and then all these devices, when they are in there, you will do the right things. You'll put in the right mitigations so that the devices themselves are robust. Now, another example I always give here is, and, uh, I, your question around the attack vectors and, and how attacks are happening, typically in the IT world, now that we, we have the term defined, in the IT world, you will always have, you know, physical security. You will always put servers in a room and lock it, and, and so on, right, but in an IoT environment, you have compute devices. Imagine these are powerful edge nodes doing video analytics, but they're mounted on a pole next to a camera outside on the road, right? So, which means the physical access to that device can not be controlled. It could be that edge node, again, a powerful computer device with lots of, you know, CPU and, and so on, is deployed in a mall looking at video streams and analyzing those video streams, again, deployed out there where any attacker physically can get a hold of the device and do bad things.Arjmand Samuel:So, again, the attack vectors are also different between IT and OT or IoT in the sense that the devices might not be physically contained in a, in an environment. So, that puts another layer of what do we do to protect such, uh, environments?Nic Fillingham:And then I want to just talk about the role of, sort of, if we think about traditional computing or traditional, sort of, PC based computing and PC devices, a lot of the attack vectors and a lot of the, sort of, weakest link is the user and the user account. And that's why, you know, phishing is such a massive issue that if we can socially engineer a way for the person to give us their user name and password or whatever, we, we, we can get access to a device through the user account. IoT devices and OT devices probably don't use that construct, right? They probably, their userless. Is that accurate?Arjmand Samuel:Yeah. That's very accurate. So, again, all of the attack vectors which we know from IT are still relevant because, you know, if you, there's a phishing attack and the administrator password is taken over you can still go in and destroy the infrastructure, both IT and IoT. But at the same time, these devices, these IoT devices typically do not have a user interacting with them, typically in the compute sense. You do not log into an IoT device, right? Except in sensor with an MCU, it doesn't even have a user experience, uh, a screen on it. And so, there is typically no user associated with it, and that's another challenge. So you need to still have an identity off the device, not on the device, but off the device, but that identity has to be intrinsic off the device. It has to be part of the device and it has to be stable. It has to be protected, secure, and o- on the device, but it does not typically a user identity.Arjmand Samuel:And, and that's not only true for temperature sensors. You know, the smaller MCU class devices. That's true for edge nodes as well. Typically, an edge node, and by the way, when I say the edge node, edge node is a full blown, rich operating system. CPU, tons of memory, even perhaps a GPU, but does not typically have a user screen, a keyboard and a mouse. All it has is a video stream coming in through some protocol and it's analyzing that and then making some AI decisions, decisions based on AI. And, and, but that's a powerful machine. Again, there might never ever be a user interactively signing into it, but the device has an identity of its own. It has to authenticate itself and it workload through other devices or to the Cloud. And all of that has to be done in a way where there is no user attached to it.Natalia Godyla:So, with all of this complexity, how can we think about protecting against IoT attacks. You discussed briefly that we still apply the zero trust model here. So, you know, at a high level, what are best practices for protecting IoT?Arjmand Samuel:Yeah, yeah. Exactly. Now that we, we just described the environment, we described the devices and, and the attacks, right? The bad things that can happen, how do we do that? So, the first thing we want to do, talk about is zero trust. So, do not trust the environment. Even if it is within a factory and you have a guard standing outside and you have all the, you know, the physical security, uh, do not trust it because there are still vectors which can allow malicious sectors to come into those devices. So, that's the first one, zero trust.Arjmand Samuel:Uh, do not trust anything that is on the device unless you explicitly trust it, you explicitly make sure that you can go in and you can, attest the workload, as an example. You can attest the identity of the device, as an example. And you can associate some access control polices and you have to do it explicitly and never assume that this is, because it's a, uh, environment in a factory you're good. So, you never assume that. So, again, that's a property or a principle within zero trust that we always exercise.Arjmand Samuel:Uh, the other one is you always assume breach. You always assume that bad things will happen. I- it's not if they'll happen or not. It's about when they're s- uh, going to happen. So, for the, that thinking, then you're putting in place mitigations. You are thinking, okay, if bad things are going to happen, how do I contain the bad things? How do I contain? How do I make sure that first of all, I can detect bad things happening. And we have, and we can talk about some of the offerings that we have, like Defender for IoT as an example, which you can deploy on to the environment. Even if it's brownfield, you can detect bad things happening based on the network characteristics. So, that's Defender for IoT.Arjmand Samuel:And, and once you can detect bad things happening then you can do something about it. You get an alert. You can, you can isolate that device or take that device off the network and refresh it and do those kind of things. So, the first thing that needs to happen is you assume that it's going breach. You always assume that whatever you are going to trust is explicitly trusted. You always make sure that there is a way to explicitly trust, uh, uh, uh, either the workload or the device or the network that is connected onto the device.Nic Fillingham:So, if we start with verify explicitly, in the traditional compute model where it's a user on a device, we can verify explicitly with, usually, multi factor authentication. So, I have my user name and password. I add an additional layer of authentication, whether it's an, you know, app on my phone, a key or something, some physical device, there's my second factor and I'm, I'm verified explicitly in that model. But again, no users or the user's not, sort of, interacting with the device in, sort of, that traditional sense, so what are those techniques to verify explicitly on an IoT device?Arjmand Samuel:Yeah. I, exactly. So, we, in that white paper, which we are talking about, we actually put down a few things that you can actually do to, to, en- ensure that you have all the zero trust requirements together. Now, the first one, of course, is you need, uh, all devices to have strong identity, right? So, because identity is a code. If you can not identi- identify something you can not, uh, give it an access control policy. You can not trust the data that is coming out from that, uh, device. So, the first thing you do is you have a strong identity. By a strong identity we mean identity, which is rooted in hardware, and so, what we call the hardware based root of trust. It's technologies like TPM, which ensure that you have the private key, which is secured in our hardware, in the hardware and you can not get to it, so and so on. So, you, you ensure that you have a, a strong identity.Arjmand Samuel:You always have these privilege access so you do not... And these principles have been known to our IT operations forever, right? So, many years they have been refined and, uh, people know about those, but we're applying them to the IoT world. So, these privilege access, if our device is required to access another device or data or to push out data, it should only do that for the function it is designed for, nothing more than that. You should always have some level of, uh, device health check. Perhaps you should be able to do some kind of test station of the device. Again, there is no user to access the device health, but you should be able to do, and there are ways, there are services which allow you to measure something on the device and then say yes it's good or not.Arjmand Samuel:You should be able to do a continuous update. So, in case there is a device which, uh, has been compromised, you should be able to reclaim that device and update it with a fresh image so that now you can start trusting it. And then finally you should be able to securely monitor it. And not just the device itself, but now we have to technologies which can monitor the data which is passing through the network, and based on those characteristics can see if a device is attacked or being attacked or not. So, those are the kind of things that we would recommend for a zero trust environment to take into account and, and make those requirements a must for, for IoT deployments.Natalia Godyla:And what's Microsoft's role in protecting against these attacks?Arjmand Samuel:Yeah, yeah. So, uh, a few products that we always recommend. If somebody is putting together a new IoT device right from the silicone and putting that device together, we have a great secure be design device, which is called Azure Sphere. Azure Sphere has a bunch of different things that it does, including identity, updates, cert management. All these are important functions that are required for that device to function. And so, a new device could use the design that we have for Azure Sphere.Arjmand Samuel:Then we have, a gateway software that you put on a gateway which allows you to secure the devices behind that gateway for on time deployments. We have Defender for IoT, again as I mentioned, but Defender for IoT is on-prem, so you can actually monitor all the tracks on the network and on the devices. You could also put a agent, a Micro Agent on these devices, but then it also connects to Azure Sentinel. Azure Sentinel is a enterprise class user experience for security administrators to know what bad things are happening on, on-prem. So, it, the whole end to end thing could works all the way from the network, brownfield devices to the Cloud.Arjmand Samuel:We also have things like, uh, IoT Hub Device Provisioning service. Device provisioning service is an interesting concept. I'll try to briefly describe that. So, what happens is when you have an identity on a device and you want to actually put that device, deploy that device in your environment, it has to be linked up with a service in the Cloud so that it can, it knows the device, there's an identity which is shared and so on. Now, you could do it manually. You could actually bring that device in, read a code, put it in the Cloud and your good to go because now the Cloud knows about that device, but then what do you do when you have to deploy a million devices? And we're talking about IoT scale, millions. A fleet of millions of devices. If you take that same approach of reading a key and putting it in the Cloud, one, you'd make mistakes. Second, you will probably need a lifetime to take all those keys and put them in the cloud.Arjmand Samuel:So, in order to solve that problem, we have the device provisioning service, which it's a service in the Cloud. It is, uh, linked up to the OEMs or manufacturing devices. And when you deploy our device in your field, you do not have to do any of that. Your credentials are passed between the service and the, and the device. So, so, that's another service. IoT Hub Device Provisioning Service.Arjmand Samuel:And then we have, uh, a work, the, uh, a piece of work that we have done, which is the Certification of IoT Devices. So, again, you need the devices to have certain security properties. And how do you do that? How do you ensure that they have the right security properties, like identity and cert management and update ability and so on, we have what we call the Edge Secured-core Certification as well as Azure Certified Device Program. So, any device which is in there has been tested by us and we certify that that device has the right security properties. So, we encourage our customers to actually pick from those devices so that they, they actually get the best security properties.Natalia Godyla:Wow. That's a lot, which is incredible. What's next for Microsoft's, uh, approach to IoT security?Arjmand Samuel:Yeah, yeah. So, uh, one of the key things that we have heard our customers, anybody who's going into IoT ask the question, what is the risk I'm taking? Right? So, I'm deploying all these devices in my factories and Roboticom's connecting them, and so on, but there's a risk here. And how do I quantify that risk? How do I understand th- that risk and how do I do something about that risk?Arjmand Samuel:So, we, we got those questions many years back, like four, five years back. We started working with the industry and together with the Industrial Internet Consortium, IIC, which a consortium out there and there are many companies part of that consortium, we led something called The Security Maturity Model for IoT. So, so, we put down a set of principles and a set of processes you follow to evaluate the maturity of your security in IoT, right? So, it's a actionable thing. You take the document, you evaluate, and then once you have evaluated, it actually give you a score.It says you're level one, or two, or three, or four. Four, that's the authentication. All else is controlled management. And then based on th- that level, you know where you care, first of all. So, you know what your weaknesses are and what you need to do. So, that's a very actionable thing. But beyond that, if you're at level two and you want to be at level four, and by want to means your scenario dictates that you should be at level four, it is actionable. It gives you a list of things to do to go from level two to level four. And then you can reevaluate yourself and then you know that you're at level four. So, that's a maturityArjmand Samuel:Now, In order to operationalize that program with in partnership with IAC, we also have been, and IAC's help, uh, has been instrumental here, we have been working on a training program where we have been training auditors. These are IoT security auditors, third party, independent auditors who are not trained on SMMs Security Maturity Model. And we tell our customers, if you have a concern, get yourself audited using SMM, using the auditors and that will tell you where you are and where you need to go. So, it's evolving. Security for IoT's evolving, but I think we are at the forefront of that evolution.Nic Fillingham:Just to, sort of, finish up here, I'm thinking of some of the recent IoT security stories that were in the news. We won't mention any specifically, but there, there have been some recently. My take aways hearing those stories reading those stories in the news is that, oh, wow, there's probably a lot of organizations out here and maybe individuals at companies that are using IoT and OT devices that maybe don't see themselves as being security people or having to think about IoT security, you know T security. I just wonder if do you think there is a, a population of folks out here that don't think of themselves as IoT security people, but they really are? And then therefore, how do we sort of go find those people and help them go, get educated about securing IoT devices?Arjmand Samuel:Yeah, that's, uh, that's exactly what we are trying to do here. So, uh, people who know security can obviously know the bad things that can happen and can do something about it, but the worst part is that in OT, people are not thinking about all the bad things that can happen in the cyber world. You mentioned that example with that treatment plant. It should never have been connected to the network, unless required. And if it was connected to the, uh, to the network, to the internet, you should have had a ton a mitigations in place in case somebody was trying to come in and should have been stopped. And in that particular case, y- there was a phishing attack and the administrative password was, was taken over. But even with that, with the, some of our products, like Defender for IoT, can actually detect the administrative behavior and can, can detect if an administrator is trying to do bath things. It can still tell other administrators there's bad things happening.Arjmand Samuel:So, there's a ton of things that one could do, and it all comes down, what we have realized is it all comes down to making sure that this word gets out, that people know that there is bad things that can happen with IoT and it's not only your data being stolen. It's very bad things as in that example. And so, the word out, uh, so that we can, uh, we can actually make IoT more secure.Nic Fillingham:Got it. Arjmand, again, thanks so much for your time. It sounds like we really need to get the word out. IoT security is a thing. You know, if you work in an organization that employs IoT or OT devices, or think you might, go and download this white paper. Um, we'll put the link in the, uh, in the show notes. You can just search for it also probably on the Microsoft Security Blog and learn more about cyber security for IoT, how to apply zero trust model. Share it with your, with your peers and, uh, let's get as much education as we can out there.Arjmand Samuel:Thank you very much for this, uh, opportunity.Nic Fillingham:Thanks, Arjmand, for joining us. I think we'll definitely touch on cyber security for IoT, uh, in future episodes. So, I'd love to talk to you again. (music)Arjmand Samuel:Looking forward to it. (music)Natalia Godyla:Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.Nic Fillingham:And don't forget to Tweet us @MSFTSecurity or email us at securityunlocked@Microsoft.com with topics you'd like to hear on a future episode. (music) Until then, stay safe.Natalia Godyla:Stay secure. (music)