It may be just a few short months since we founded VDOO, but it has been over a decade since we started innovating in cyber security, back in the days when it was simply ‘information security’. We started with compliance automation and network-node security certification, through computer forensics and incident response, and in the last few years we have been dealing with endpoint security against targeted attacks and integration of gateway solutions. Our goal has always been to stay one step ahead of the attackers, and ahead of the market. Sometimes we managed, sometimes we didn’t.
With our eyes firmly on this ever-changing world, we set our minds once again to identifying emerging security challenges in the cyber security domain that have not yet been properly solved, and this time, ones that have significant impact on everyone’s lives. Clearly, these challenges would be very challenging to solve and require sterling efforts both from a technology and business perspective.
We love technology, we love gadgets, we love innovation – not just because we are founders of technology companies, but because we believe that being an early adopter is both a duty and a privilege. We adopt whatever technologies we can, not only for business purposes, but also when it comes to our personal lives. We play with things and we play with their security, because that is what interests us by nature. It became clear to us that these gadgets that we enjoy so much, were no longer just for early adopters. We could feel it coming: very soon these gadgets would become an integral part of all of our lives. And we also knew, and still know, that these gadgets might well create the biggest security threat that has ever existed. So, when thinking what challenge to take on next, the immediate candidate was IoT security. It’s huge, and it’s hugely different.
When we started to take apart the challenge, we knew that we did not want to build a solution that would only address one sub-section of the problem, such as security for a specific protocol, specific device or specific segment. We wanted to do something which is scalable and holds value for the entire IoT market.
With that as our mission, we spent a good few months examining the opportunity: we talked to enterprises, manufacturers, OEMs, ODMs, software designers, security providers, VCs and emerging start-ups, as well as connected-device giants, silicon vendors and embedded operating-system providers, to first identify the pain points and understand the severity of the IoT security phenomenon. We also put a great deal of effort into understanding the organized attackers’ state of mind when they look at IoT devices as a new revenue stream. A promising one.
The first thing that we have learned about IoT is that strangely enough, while the cyber attack landscape is growing dramatically, the level of effort required to carry out a successful attack is actually decreasing, since security is simply not an area of focus for the industry and is clearly not being baked into these connected devices. It seems counter-intuitive, but that is the reality: the financial motivation to attack these connected devices is constantly growing, since both the cost of an attack is decreasing and the potential gain from a successful attack is increasing rapidly, as more and more devices are being deployed. There is no doubt in our minds that it is only a matter of time before attackers initiate widespread and large-scale campaigns using IoT ransomware, which will have a much greater impact than what we see today, where the focus is mostly on ransomware on servers and PCs. This is the most common way of making money, and now they can make much more of it. They look at their 2020 plans, and they know that blackmailing via IoT will be their biggest ever source of revenue.
We also learned that many IoT makers release their devices to market in a very vulnerable state, with minimal security, or with the wrong security. It is hard to blame them – in a world where everything is becoming smart overnight, not to mention with fierce competition, their current key priorities are:
- Time to market
- Cost of manufacturing
- Device efficiency and functionality
Talking to makers about security intimidates them immediately, and understandably so; they see all three key priorities being heavily impacted. They assume security means latency in time to market, significant additional costs, and impact on device performance and functionality. There are several additional justifications for them not wanting to deal with security and bake it into their devices:
- IoT is a big, complex ecosystem – OEMs, ODMs, software designers, silicon providers, open-source, etc. Makers tend to outsource some components, sometimes even all components, and in most cases they do not really know what exactly their assembled device contains in terms of software, let alone security. If they don’t even know what they have, how can they know what security they need?
- In most cases they do not have in-house security practices. This is costly and very demanding, and not part of their core business. Security is neither in their culture nor their DNA. This challenge is even deeper, as we are now seeing traditional manufacturers becoming ‘smart’ product manufacturers overnight, and having to adopt practices that until now were only relevant to high-tech companies. On the one hand, they do understand that they need help with the security of their devices, and that it has to be baked in from inception (not added as an afterthought), but on the other – it is clear that there is no economic sense for these companies to build their own security practice.
- It is not clear what exactly they have to do, and they also do not fully understand the implications of not doing it. Until they get hit. But again, it’s hard to blame them. Today there is no single standard or regulation that is applicable to all devices and which clearly and granularly explains what is required.
After sizing up this HUGE challenge, we went on to examine different potential approaches to solve it. We rather quickly figured out that the very nature of IoT does not enable any one technological solution to secure all or even most devices. It cannot all be solved through gateways, even if we had access to all of gateways out there, whether in homes, businesses or critical infrastructure sites. And it cannot be solved on the device itself. The main reason is diversity: there are so many devices are out there, serving different purposes, implemented in different environments, containing different hardware, in some cases PC-like, in other LE devices with no operating system at all, different third-party software libraries, SDKs and open-source parts. Due to this inherent diversity, we believe that there is no feasible way, even within the same segment of devices, to solve the security challenges in a generic and scalable manner with one security solution – an approach we have grown to be accustomed to when dealing with the traditional IT security industry. This is a grave challenge fueling a LOT of this conversation. We do believe though, that every device should have its own, reliable security, and that automation of device-focused security customization would be one of the keys to success.
It became clear to us that the IoT makers are in the best (maybe even the only) position to successfully address this problem. IoT makers are at the very core of developing devices and (should) have the right level of visibility and control over it. They are also in the position of helping users to use their devices in a more secure manner – in many cases they actually might be obliged to do so. With the right level of awareness, they can solve a major part of this problem. The maker is also the most appropriate candidate for regulation – although currently, efficient regulation is almost impossible, as mentioned above, since this challenge and optimal solutions are in their early days.
Given the challenge and the current tools out there, and taking into account makers’ skill sets and levels of awareness, device makers can choose one of the following courses of action (all of which, we believe, are not relevant to solving real security challenges):
- Do nothing and hope for the best – this is going to end badly, probably with loss of trust from customers, leading to low adoption rates and loss of shareholder equity.
- Try to combine security into their internal practice – this might be plausible, but it will be costly in both money and time. This really requires a fundamental change of focus for a company, and rarely succeeds.
- Reach out to third parties to get help with security – but if the maker does not know what questions to ask, the answers will not be of much use. Additionally, how will they know when they have done ‘enough’, or whether they have done more than is needed for their specific device? More importantly, utilizing traditional risk models and manual processes, the big security labs will charge hundreds of thousands of dollars per product for certification, and in most cases the process will take much more time than they can absorb. Most makers cannot afford this, and would probably not go with it in terms of impact on time to market.
- Go to regulation authorities – this route will always be challenging, not to mention limited, since there cannot be any single standard or regulation for IoT devices, due to the great diversity and distribution in device types, sizes, low-power/high-power, etc. Regulation by its very nature is either high-level and vague with no real actionable direction, or very niche with limited scope of influence. In the IoT space this holds especially true.
Among the dozens of standards, alliances, regulations and bills, the maker cannot be expected to know what’s what. As discussed, the instructions they find will either be so high-level as to be unuseful, or so specific that they are relevant only to certain verticals (e.g. automotive or SCADA) but not to that maker’s IP camera or wearable.
As such, we strongly believe that the right (and maybe only) way to go, is to define the security requirements based on the device’s unique attributes.
Every connected device has its own unique attributes and therefore a unique ‘standard’ (or better yet: device-specific security requirements). We believe that only by looking at each and every device and taking in account all of its components and its environment, can we understand the specific threats to this device, and derive specific requirements. Only by understanding these device-specific threats can the right security be baked into the device, and post-deployment protection be enjoyed.
This is actually one of main things that we at VDOO set out to do.
We realized that the only way to make a real change to this challenge was by building a security authority for the IoT space, one that sets the tone for the industry and provides the tools to take ownership of device security. That can only be achieved by offering an actionable, device-specific solution. This sounds like a rather bold statement, and it is indeed ambitious.
So which devices do we start with?
Looking at the different players in the ecosystem, VDOO’s immediate target audience is IoT makers, specifically makers of commercial IoT. Commercial IoT, in our minds, means connected devices that are heavily bought by big businesses (for example hotels chains, big office buildings, retail giants, etc.) The makers who make devices for these businesses are those most in need of help at this point, however the businesses themselves will also benefit from VDOO’s service, knowing they have bought a device which is not only smart, but is also secured and will not expose their business to additional cyber threats.
We are setting ourselves up as the singular source of authority to which IoT makers can look when they need to understand what to do with the security of the devices they make, how to do it right, and if they do it – how to signal to their customers (as well as to other systems) that they own their security and can be trusted. We are building VDOO to help makers looking for data and insights on IoT attacks and trends. This is an ongoing task, covering everything pertaining to the security of connected devices. But what is more important is that by helping the makers, we are helping the entire IoT business ecosystem. We are doing this by building trust, genuine trust, which as far as the technology is concerned, must be very accurate and transparent.
We set out to achieve this objective by building a modular platform that provides the maker with everything they need to know about security. Later on, this platform will also serve other players in the ecosystem. Our platform will take the IoT makers from limited or no control over the security of their devices, to fully implementing security on their device, and getting visual and digital certificates to certify this achievement. This may sound like it requires a great deal of effort, time and cost, but that is exactly where VDOO disrupts this market. VDOO provides an automated solution which can analyze any device, with almost no effort on the part of the maker, and provides efficient ways to secure any gaps in a convenient and actionable manner.
The certification process starts with an automated device analysis – profiling and classifying the device, extracting the specific attributes to conclude what threats there are. This enables us to generate the specific security requirements for that specific device. The result is a security analysis report that shows the device’s attributes, its security requirements and the gaps (and the ‘no gaps’, where sufficient security is already in place) between the device and its requirements. The key here is that we have found a way to perform the analytical phase with barely any input required from the maker, not even access to source code. The maker will see value quickly and without investing time or having to share anything with VDOO.
The analysis leads to a list of actionable items, which can be easily implemented to bridge security gaps, including things such as reconfiguration, OS and third-party SW hardening and mitigations, but also, when needed, it points to open-source and other solutions or third-party options. Once implemented, the analysis runs again, and if all requirements have been fulfilled, the device will be eligible for VDOO security certification.
VDOO provides both a visual certification that proves investment in security and serves as a major market differentiator. The maker also receives ‘smart certification’ to implement on their device, which communicates the device’s security certification status with a variety of network security solutions (NAC/IoT Gateway/FW/provisioning/cloud), and enables protection. VDOO also makes implementation easy by offering firmware-enveloping services to implement the VDOO certification engine on an existing firmware binary.
Without going into all the details of how VDOO does what it does, we do want to share that our offerings are based on several data and technology assets that are at VDOO’s core. One such data asset is what we call the ‘IoT security taxonomy engine’, which is a result of extended research performed by our team, and it allows us to look at any attribute of any given device, or combination of attributes, and immediately determine what the related security risks are, what the security requirements are, and the most efficient way to mitigate these. This is a unique asset that works in conjunction with other assets that we are building, such as a device-internals DBs, IoT third-party libraries, IoT open-source DB, IoT vulnerabilities, IoT operating systems binaries DB and IoT standards requirements.
The main technology assets that we focus on are all based on proprietary mechanisms to deal with the huge challenge of IoT diversification and impossibility of offering one generic solution. Our stand-alone device analysis, contextual device analysis, device-focus security guidance and device-focus security agent generator will all always generate assets for specific devices, depending on the device attributes. That is the core of VDOO, and that is where we are so different.
So what is the status of our technology? We are at a relatively early stage, but we have built up an excellent team of professionals and have already run the analysis on thousands of devices by accessing publicly available data assets, devices and operating system files. We are currently engaging with key players from the entire IoT ecosystem, including design partners, leading businesses, governmental agencies, alliances, security working groups, security evaluators and solution providers, standardization bodies and industry leaders, to make sure we are factoring in all the different considerations for an optimal offering. We are growing fast and we are here to build a mission-driven company that needs mission-driven partners to succeed.
We are committed to shaping the way security is baked into connected devices, as well as to sharing our unique approach to secure devices in the connected world, to enable trust and safety in the biggest technological revolution yet. We urge you to join us on this critical mission.