Sternum is using patented technology to protect IoT devices against even unknown vulnerabilities in real-time.
The company was co-founded by Natali Tshuva, who was recognised for her talents from an early age and was handpicked at 19 to serve in the Israeli Defense Forces’ 8200 unit (the equivalent of MI6 in the UK or the NSA in the US). She then went on to hold numerous high-level cybersecurity roles before founding Sternum.
IoT News caught up with Natali to discuss the IoT security landscape and learn more about how Sternum is delivering “future-proof” security.
IoT News: What made you decide to launch an IoT-focused cybersecurity company?
Natali Tshuva: I considered becoming a doctor and I got exposed through this experience to medical devices and how connectivity and smart medical devices could enhance treatment, save people’s lives, and change basically the way we practice medicine.
That is how I started looking into the IoT space and I found out that it’s not just about security cameras or baby monitors, it’s about critical infrastructure and medical devices and smart cities. That got me really excited because I think it’s a very interesting and important revolution that is missing key components.
I happen to be pretty familiar with embedded security endpoint protection and data analytics for these kinds of devices – so the combination of the industry’s revolution and the core competencies that we bring got us to found Sternum together.
IN: How do you protect IoT devices from new threats without requiring firmware updates?
NT: Up until now, the main security solutions for this industry were passive and reactive: patching, static analysis, and so on. If you take a look at the IT industry, or the standard industry, we are using a lot of real-time protection, zero-day protection, EDR, runtime application self-protection, and advanced techniques to stop exploitation and to stop attacks in real-time.
That missing piece is what Sternum brings into the IoT space and, by using these techniques to prevent exploitations in real-time, we are capable of stopping attacks even if you have vulnerabilities in your device.
Effectively, it means that even if you don’t patch – or even if your devices are unable to patch – you are still protected.
IN: Cloudflare stopped a record-breaking DDoS in June which, unlike many previous botnets – which have typically used compromised low-power IoT devices – used more powerful devices like hijacked virtual machines and servers. Do you think the apparent recent shift in botnets towards more powerful devices suggests that IoT security is improving?
NT: I think the landscape of attacks is really wide so we are still seeing different kinds of attacks on low-resource devices as well as more high-end devices. I think the most interesting data is that there were 1.5 billion cyber attacks in 2021 targeting IoT devices. They are being used as entry points to networks, they are being used for botnet attacks… I think it just emphasizes the need for a universal platform that can provide observability, that can provide security, and that can really be a one-stop shop for how you build your products, design them, launch them without issues into the field.
Then, post-deployment, you have surveillance, you have data analytics, and you have real-time protection against all of those vulnerabilities, issues, and gaps that you didn’t find during development.
Statistics show that 50 percent of vulnerabilities are getting missed by static analysis tools and by developers; it’s the same for quality issues and it’s the same for other things that can influence your devices while they are already deployed.
This is where a combination of real-time analytics, real-time security and real-time anomaly detection could really prevent the kind of attacks that you mentioned, but also many different kinds of attacks and issues that can happen.
IN: You mentioned a couple of statistics from recent reports there but is Sternum itself continuing to see an increase in the prevalence of attacks on IoT devices?
NT: Yes, of course. So, first, we are seeing more and more vulnerabilities that are being disclosed. They were always there – vulnerabilities are there whether they are disclosed or not – but more researchers, more white hats, more exploitations in the field suggest more vulnerabilities are being exploited in the wild. We happen not just to see those but also stop those.
I can tell you that, just in the past few months, we were able to prevent three zero-day vulnerabilities from hurting our customers.
We recently launched a new capability into our platform which is anomaly detection, and that capability, Ryan, is very unique in the IoT space because it applies to the unique data that the customer’s device is generating. It’s not general anomaly detection, [it uses a] customized automated learning algorithm that learns the specific device with these data metrics events and provides anomalous behavior detection on that customized data.
Since we developed this and used that with a few customers, we were able to find many malicious activities including interception of the update procedures of the devices, attempts to steal IP from a device; people are trying to investigate the firmware to basically analyze the IP within the machine. We were able to find brute force attempts to try to basically hack into the admin of the device. And that’s just from a few weeks of being in the field.
IN: You mentioned a couple of the attack types there but are the attackers predominantly seeking to add devices to botnets for DDoS attacks, steal data, cryptomining, or something else?
NT: I will answer it from a professional standpoint for a second. To understand what malware wants to do, you have to first be able to deploy the malware. Sternum’s solution is actually preventing this stage from even happening because we are not just identifying a potential breach, we are preventing it from happening in real-time. So, in many cases, we don’t really know what is the next step – like what the malware is trying to do – because we are stopping the malicious activities from even happening.
In some cases, where we detected an activity after it already happened, it was usually penetrating into a bigger network using the IoT device. Entry point is a very strong activity that we’re seeing. We’ve discovered a few pieces of malware running on routers that were trying to identify other assets on the network and to listen to the activity that goes through the router.
Ransomware continues to be a strong motivator for malicious activity. In the IoT space, it could sometimes be used in hospitals where you can take control of the medical devices and use that as a ransomware attack. Or we’ve seen some attempts to attack device manufacturers by basically penetrating their devices in the field.
There were some publications that you can look for on companies whose devices were declared as not to be used by enterprises because they are weak in terms of security. So we are seeing security being used for a kind of competitive edge. People want to make sure that they are buying secure devices and companies are basically enhancing their security efforts to make sure that they can be in line with the enterprise standards.
IN: There was a major ransomware attack on our healthcare system here in the UK which made headlines around the world, so we’ve unfortunately had first-hand experience of that one.
Have you ever let an attack slip through and what lessons were kind of learned from that to make your solution more robust going forward?
NT: Part of the reason why we worked very hard on the anomaly detection component in the past year is because we learned that our solution provides deterministic protection against software vulnerabilities – which are a top threat to the IoT space – but there are a lot of vulnerabilities that are more logical vulnerabilities, like people making human mistakes. Basically, that could cause malicious activity or open the door for an attacker.
You can’t really catch that using deterministic protection because it’s not the software that has a bug, it’s more of a logical mistake. Our anomaly detection component is tailored exactly for that because it learns the logical behavior of the device and its patterns – the pattern of updating, the pattern of connecting, the pattern of operation – then when there is something that is out of pattern, our anomaly detection is capable of alerting about it in real-time.
That actually completes the picture of what we were missing before. I think it makes our platform the most holistic platform out there for securing the device from edge-to-cloud, including all of its components and including the third parties and supply chain which is a major challenge in the industry.
IN: Sternum launched the first IoT attack simulation platform earlier this year, which was something I was glad to cover, but what benefits in your words does it provide enterprises?
NT: This is a nice story because it came from many discussions that we had with customers that were saying to us: “Your solution sounds like magic, how can it be true?” But the most interesting question was: “How can I check it? How can I test it? Because, when I buy a network solution for securing my network, I can go to MITRE ATT&CK and compare SentinelOne to CrowdStrike to Cybereason and so on. But, if I want to purchase an IoT security solution, I don’t have any benchmark and I don’t know how to test you.”
We took that in and thought: “How can we make it easier for enterprises and device manufacturers to actually test what they are protected from, where they have vulnerabilities, and how other solutions – not just Sternum – handle different threats?”
For that purpose, we built the attack simulation platform – which is very similar to what MITRE is doing, only it simulates attacks targeting IoT devices. Then the enterprise and device manufacturer can actually deploy different security solutions and test them against real-life exploitations and see how effective they are and where the weak spots of your device or the security defenses that you have are.
I think this is another step in bringing trust into the industry, Ryan. Two months ago we released the first freemium in the industry that provides free runtime protection to OpenWRT devices. One thing we heard is: “How can runtime protection work on OpenWRT? It has no resources, that doesn’t sound true.”
What I’m trying to say is that trust is missing in the industry. People don’t believe that a solution works the way it says it works and people find out how to also evaluate because of the missing standards and missing platforms. Sternum, at the first stage, is just trying to bring trust by releasing free tools, free simulations, to freely experiment with our products so you can see how easy it is to install and how effective it is.
We are very transparent in terms of what tests we are providing, what simulations we are running, and what kind of threats we are able to prevent—all for the purpose of bringing trust into the industry and emphasizing the fact that you can have strong security while still maintaining time-to-market schedules and resources and bandwidths that you have on your limited IoT devices.
IN: What is your focus over the course of the next year?
NT: Same focus as previous years, which is basically being the infrastructure for every smart device out there. We keep talking with manufacturers and they have two main challenges.
One [challenge] is, “I have a lot of data that my devices are exposed to, how can I gain insights from that? Data insights that will affect my next product release, insights that will help me resolve issues faster and provide remote debugging or remote support, and how can I build a monitoring system and analytics system that can support my needs?”
That’s one thing, and my message to these manufacturers is don’t build it yourself because it will take you years and it will not be as good as taking a product that was purpose-built exactly for that.
The second challenge, that we keep hearing, is security.
Security has been a challenge for the past few years but, in 2021, something significant happened and devices started to be exploited exponentially more than in previous years. So the challenge has become even more urgent.
Sternum is aiming, in the next year, to provide that platform that solves these two main challenges so manufacturers could continue to innovate and really treat people better, build infrastructure smarter, and build our new cities in a secure and observable way.
IN: You’ll be sponsoring, exhibiting, and speaking at this year’s IoT Expo Europe, what will you be sharing with the audience?
NT: First, we have a very interesting keynote that actually steps outside of what Sternum is doing and just talks about my experience as a vulnerability researcher and exploiter – just to give the audience the sense of how attackers think before they do something malicious and why and how they approach the problem or the challenge.
I think it’s very interesting because we can’t really develop security solutions in a vacuum, we have to understand the other side to be able to overcome the other side.
The other thing is that – if you come and visit our booth – you’ll get to see the attack evaluation platform that we developed and you’ll get to see the anomaly detection in real-life, in real-time, on actual devices.
There will be some cool hardware in our booth and you can see different IoT devices, some of them commercial off-the-shelf, and how they can be protected and observed.
And developers could take a first-hand view of how to use their SDK to collect logs, events, and metrics from their software to be analyzed on our platform.
Natali Tshuva and the wider Sternum team will be sharing their invaluable insights at this year’s IoT Tech Expo Europe. You can find out more about Natali’s keynote here. Swing by Sternum’s booth at stand #228.