Attack is the Best Form of Defense
In a world where billions of smart devices continuously communicate, sometimes without control, someone needs to ensure that your coffee machine isn't exposing secrets. With the support of the Innovation Authority, the Israeli startup Cy-oT (Cyber of Things) has developed a unique cyber defense technology.
The initials 'IoT' could also stand for 'Internet of Threats', warn the people at Cy-oT, a young and promising Israeli cybersecurity company. This catchy sentence is a good illustration of the company's philosophy, and its objective to protect organizations from the security problems that may be caused by the smart devices operating around them.
"The super-category of IoT and the latest technological innovations is the connected world", says Natan Bandler CEO and co-founder of Cy-oT. "The connected world is a fantastic step for mankind – from medical devices and groundbreaking inventions to mundane items that help us sleep properly and live more comfortably. But like anything new, it comes with risks that need to be addressed."
"Once completely innocent devices such as the office coffee machine or the ventilation system are connected to the Internet of Things, they inadvertently become an incredibly weak link in the defense formation protecting organizational information. In practice, attackers can easily use the smart devices around us to attack or hack into an organization: they simply take control of the device and use it to insert an attack tool. The attackers' common objectives are to disrupt business activity, hack into computers and servers, and leak sensitive information."
"The coffee machine doesn't really need to tell the attackers anything. The access it provides to other devices connected to the organizational network is enough. It can also create a channel of communication by connecting to the internet network of the café under the building. Other devices can assume the role of the coffee machine – a smart camera, a watch of one of the employees, or a smart television."
There are three partners at Cy-oT: Prof. Assaf Schuster – an expert on machine learning and data science who has a strong background in the world of cyber security; Daniel Moscovici – who is leading the product and its marketing; and Natan Bandler – who has accumulated more than 20 years of experience in the worlds of communications analysis and information security.
Bandler says that he likes the link between technology and business, and the transformation of technology into value, which equates with business. The company's team is mostly made up of graduates of elite IDF intelligence units – "because you need to know how to attack in order to defend", he explains.
"At Cy-oT we live among the hacking communities, gaining substantial intelligence from them, and we can clearly see that they have identified hacking companies via smart devices as their objective. This device category includes all standard wireless devices, even if nobody has connected them to the network."
"The IoT opens for the hackers a new door into an organization, one they are not always aware of. At Cy-oT, we know how to keep this door open while only admitting the good guys. The organizations to whom we provide our services receive full 24/7 protection that is tailored precisely to them and to their needs."
When Crime Enters the Digital Era
"The Internet of Things is changing everything we do. It is essentially creating a common language of communication between devices, integration platforms and analysis software. This constitutes a quantum leap – the Internet of People dramatically changed the world and now, the Internet of Things is generating yet another major change. We don't always notice it, but everything is becoming smart and connected. Around the world there are between 9-15 billion smart devices communicating with each other and until recently, they were all regarded as completely innocent."
"A smart lighting system for example, is something that can easily be controlled. It can be used to gain access to an enterprise because it will always be connected to it. In other words, it knows the user name and password to the network. Why? because the installer of a smart lightbulb wanted control over it from a distance to be able to turn it off when the last person leaves the office. Therefore, with not much thought, something which can pass on information is connected. A smart hacker sees such light as a way in or out – and the same opportunity can be found in a guest's telephone or in a boardroom video-conference system, all of which are commonly connected to the network, thereby are basically a point of vulnerability."
"Organizations are saturated with wireless networks. After all, the network's presence enables organizations to be more efficient, more modern and smarter – as they need to be – but these worlds are also highly vulnerable because they need to enable connectivity. Sometimes, this naturally comes at the expense of security, however the resulting threats must be guarded against. After all, someone located near the organization and who has access to these systems can easily and cheaply get to the organization's most sensitive assets."
"In the era of IoT, a new, penetrable and vulnerable layer has been added to organizations which includes all the smart devices both within and surrounding the enterprise", Bandler explains. "Our system aims to close these gaps via 24/7 monitoring of the wireless frequency, identification of malicious behavior and the real-time mitigation of any threats."
"The world of crime has gone digital, and yet everyone is expected to assume personal responsibility and protect themselves. Enforcement entities are also part of the protection effort. The attitude should be that, as customers, we have deposited our trust and our information with large enterprises – and if they don't do everything they can to protect it, they should pay a penalty. The European Union, for example, has imposed clear responsibility: if a customer incurs damage within a certain enterprise, that enterprise will compensate him."
"Cy-oT believes that there is room here for regulation and that government systems should be part of it. Information security in homes raises another question: is the police sufficiently prepared, as far as personnel and technology are concerned, to provide a response and investigate this issue? It's not at all certain."
"Criminal elements have already understood the potential in this field and sell the means for hacking as a service for hire. This means that the entry threshold to hacking world has dropped. Anyone accessing the relevant networks can instantly hire this service. People from all over the world make widespread use of these tools every day, even some governments. Some of the central focal points of attack are banks and financial institutions. You don't have to walk in with a loaded weapon anymore – you just organize a strong group of programmers and start operating as a cyberattack group."
"Cyberwarfare has always been at the forefront of the Israeli high-tech industry", says Aharon Aharon, CEO of the Innovation Authority. "Israel is considered a world leader in this field. The winning combination of graduates from IDF technology units and an innovation environment supported by the Innovation Authority enables cutting-edge Israeli technology to shape the future starting today."
"What We are Offering is Science Fiction"
"Our solution is analytic", says Bandler. "We have one of the largest databases in the world of IoT communications. We conduct profiling, i.e., create behavioral profiles of these smart devices, so that we can identify them and use the data they are transmitting to know when they are behaving in a manner that is harmful or dangerous to the organization. No less important, we are able to stop them in real-time."
"We listen to wireless communications which are terribly noisy and are capable of listening wisely and analyze who they are and what they are doing, according to the behavioral profile of the devices' communications. For example, we can identify from within the noise whether a coffee machine is just making coffee or if it is connected to a network and gathering information. Our technology continuously analyzes this data in hundreds of millions of devices around the world, enabling us to tell an organization which of its devices is endangering it. When that happens – we can also prevent it."
"Our system creates an enveloping bubble around the customer's physical domain and protects him from all the surrounding devices: from watches worn by the employees, to their telephones and up to the control systems installed in the servers' room."
"Our team has a good grasp on this connected world, in which the major question is how to effectively analyze so much data and identify specific threats. We use every possible tool in the world of data science including machine learning. Our unique advantage derives from our knowledge, our ability to listen to this data and in the worlds of learning and analysis."
"Our technology causes many people some doubts because what we offer can initially seems to customers like science fiction. The existence of an entity like the Innovation Authority who was there to help us prove that it's possible, is of great significance and importance."
"We began operations two years ago. The Innovation Authority identified both the commercial potential and the unique technology that we bring to the market. The collaboration with them is superb and enables us to take steps that would be otherwise difficult. Aside from the funding, the Authority's assistance is manifested in the contacts, assistance, knowledge and direction they provide. This is the first time that I have benefitted from their help and I was very pleasantly surprised."
"Our investors, among the leading investors in the world of cybersecurity, are also highly appreciative of the Innovation Authority. Amichai Shulman, the company’s first investor, is a phenomenal cyber expert and is rated as one of the super-investors in Israeli cyber. The Founders Group, that invests in the company, has strong background and connections in the business world, so is Pico Venture Partners Fund, led by Elie Wurtman, one of the industry's senior figures, that also proved to be of amazing assistance."
"We commenced sales operations several months ago and since then business has taken off. We sell service to any enterprise, large or small, that is concerned about its cyber world, starting with financial and manufacturing entities up to critical infrastructures."
"It's amazing to see how a small seed has grown into the operation of a global company generating income for Israel. We see the welcome Israeli cyber receives. The State of Israel's entire cyber ecosystem is simply unprecedented. We salute the state and greatly appreciate its assistance."
"We operate basically everywhere in the world via very robust business partners. We don't plan on remaining a small startup but rather want to change this field through the customer value that we create. Our vision is to become a large, essential company providing all organizations with complete protection from the world of smart devices and wireless networks."
"This is a huge market and one that is growing because the world is becoming increasingly wireless. In a few more years, no one will say IoT – everything will just be connected as a matter of course. In a world like that, every organization will want simple, non-expensive, good-looking and updated devices – and it is unreasonable to expect that the cybersecurity will be so good that an organization will be able to safely say 'I'm covered'. We consequently see a great future for the company."
Smart Home – But Open to Attack
In the IoT era, cybersecurity problems are no longer a risk that only governments and large organizations need to consider. With all the recent innovations, it's now apparent that our private home has also become a battlefield.
"Cyber world risks exist also within the private home. Today, via the internet, one can order a smart lock that communicates with a digital personal assistant – this is charming and can make our lives more comfortable and energetic, but it also has its risks."
"The problem is not only in a designated 'smart home' system, but also in things we wouldn't normally think of. Did you buy a water bar or a digitally activated device for steaming cauliflower? Beware of someone taking control of them via the cloud. Did a handyman you called want to use your home network to browse an online store for spare parts? Take into consideration that he can now change your bank password. Once a hacker has access to the network, it's game over. It is only a matter of time until he gains control of all the information, and it won't take long."
"A routine home in which life is conducted with smart devices, becomes 'unprotected' from a cyber-perspective. The configuration of threats naturally differs from that in commercial companies, because the most important thing at home is privacy: we don't want anyone looking through a camera placed above the baby's bed and we don't want the smart home to open the garage door to a stranger."
"In comparison to an enterprise in which the danger is mainly to the digital assets, the objective of hacking a smart home is usually physical theft. Another objective may be gaining access to the residents' bank account. This is a very real threat."
"Unlike a bank or enterprises that have enough financial means and tools to mitigate these threats, a private person is completely exposed. The basic security that every person should employ in his home to avoid exposure to such attacks is to backup important information and not to expose things that shouldn't be visible to the wrong person. Avoid putting a camera in the bedroom, for example, and consider whether it's a good idea for the telephone to open the door to the private parking spot. Each person must understand his home systems' settings and its' associated risks."
"There is no doubt that in the IoT era, the home needs protection. We believe this will happen gradually. The internet supplier will also be the entity responsible for providing the protection and in the future, the solutions will come as an inherent part of the service. The solutions are not yet perfect: most homes are still completely exposed and not all the suppliers can provide satisfactory solutions. For business reasons, we have chosen in the meantime not to be active in the private home sector but it is a fascinating world."