As OT engineers, we know that we cannot patch or update our devices at the cadence expected of IT systems. There are many reasons for this, but I will focus on just one of them: every update creates a ‘baseline change’ to a validated system.
Question: why is it acceptable for antivirus signatures to change frequently when every such change is a deviation from the baseline within our process?
The simple answer is that it is necessary to identify and mitigate endpoint threats to a proficient level; however, signature updates, which often arrive hourly, also bring changes to the core security application along with the new signatures. When a signature identifies something ‘fishy’ the product acts on it, and on an OT host a false positive can mean an outage of our systems.
Mind the Gap
OT vendors are aware that signatures from advanced endpoint protection can interfere with their software and often mandate that sections of the file system are excluded from security scanning.
What a great idea: let’s tell our adversaries exactly where they can drop and launch their malware without being challenged! An attacker who lands on the host only has to read the same vendor hardening guide to find those paths.
To obtain signature updates there must be a connection to an update server, which in turn usually needs internet access, whether direct, via a slaved internal mirror, or through a filtered and proxied connection. Not all OT systems have this in place, so signatures are updated manually, or often not at all.
Next Generation Antivirus (NGAV), which includes some level of artificial intelligence, usually needs a ‘cloud lookup.’ Why do vendors do that? Because they have acknowledged, albeit indirectly, that signatures are no longer an effective way of identifying threats, then wrapped the cloud lookup in shiny packaging and marketed the virtues of artificial intelligence to mask the shortcoming of signatures.
When was the last time you signed for a payment with your debit or bank card? I cannot remember doing this for 5 years or more. Why? Because there are better ways to validate you: chip and PIN, digital authentication, proximity and so on.
AV signatures generally check three elements: hash matching, byte matching and heuristic characteristics. An attacker only has to change whichever of these a given signature keys on (a single appended byte changes the hash, a reordered instruction breaks a byte pattern, simple string obfuscation hides a heuristic trigger) and traditional antivirus will no longer identify the threat. A bad file that is recompiled or dressed differently is still a bad file, but to the AV it is simply something that is not on the blacklist, so it can go about its business.
That is why the product needs to send the file’s details to the cloud ‘brain’, a huge compute cluster, to work it out and hand down an almighty decision.
If there is no ‘always on’ connection, or the signatures are out of date, your level of assurance quickly diminishes, often by the hour. And for zero-day threats, well, if it’s not on the deny list then it’s all ok, right?
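To make the point concrete, here is a small Python example, added here and not code from this page, from Blackberry or from any AV vendor. It builds the three signature types described above around a constructed, harmless byte string that stands in for a known-bad file, then applies three trivial ‘redressings’ and shows which checks each one defeats. The fake header, marker bytes and command string are all made up for illustration.

```python
import hashlib
import re

# Constructed sample standing in for a known-bad file (NOT real malware):
# a fake executable header, a distinctive byte sequence, and a suspicious
# command string. Signatures key on exactly these kinds of features.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
MARKER = b"\xde\xad\xbe\xef\x13\x37"
COMMAND = b"CMD=powershell -enc SQBFAFgA"
ORIGINAL = HEADER + MARKER + COMMAND + b"\x00" * 8

# The three signature types, all derived from the original sample.
HASH_BLOCKLIST = {hashlib.sha256(ORIGINAL).hexdigest()}       # hash matching
BYTE_PATTERN = MARKER                                          # byte matching
HEURISTIC = re.compile(rb"powershell\s+-enc", re.IGNORECASE)   # heuristic string


def scan(data: bytes) -> dict:
    """Run all three signature checks and report which ones fire."""
    return {
        "hash": hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST,
        "bytes": BYTE_PATTERN in data,
        "heuristic": HEURISTIC.search(data) is not None,
    }


def is_detected(data: bytes) -> bool:
    """Traditional AV verdict: any signature hit means 'bad'."""
    return any(scan(data).values())


# Three trivial redressings. Each keeps the malicious content intact but
# defeats exactly one signature type.

def recompile(data: bytes) -> bytes:
    """Same code, different build: extra padding/alignment -> new hash."""
    return data + b"\x00" * 16


def reorder(data: bytes) -> bytes:
    """Insert a NOP (0x90) inside the fingerprinted sequence -> byte pattern breaks."""
    return data.replace(MARKER, MARKER[:3] + b"\x90" + MARKER[3:])


def obfuscate_strings(data: bytes, key: int = 0x5A) -> bytes:
    """XOR-encode the command string (a real sample decodes it at runtime)
    -> the heuristic string is no longer visible to a static scan."""
    encoded = bytes(b ^ key for b in COMMAND)
    return data.replace(COMMAND, encoded)


def evasion_report() -> list:
    """Apply the redressings cumulatively; return (name, scan result, verdict)."""
    variants = [("original", ORIGINAL)]
    v = recompile(ORIGINAL)
    variants.append(("recompiled", v))
    v = reorder(v)
    variants.append(("recompiled+reordered", v))
    v = obfuscate_strings(v)
    variants.append(("recompiled+reordered+obfuscated", v))
    return [(name, scan(blob), is_detected(blob)) for name, blob in variants]


if __name__ == "__main__":
    for name, hits, verdict in evasion_report():
        print(f"{name:34s} {hits}  detected={verdict}")
```

The last variant still carries the same header, the same marker bytes (plus one NOP) and the same command, i.e. it is the same bad file, yet none of the three signature checks fire on it. That is the gap a cloud lookup, or an engine that scores many characteristics of the file rather than matching one, is meant to close.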
Cutting the Cord
Not all next generation antivirus and advanced endpoint protection is made equal. The proportion of the detection that is actually artificial intelligence (AI) varies greatly, is often less than 2%, and is frequently limited or non-existent the minute there is no external connection. So how can this be addressed?
Our partner Blackberry built its endpoint security suite to be 100% artificial intelligence; it has matured since its launch in 2015 and is now better than ever. Blackberry Protect is self-contained, does not require an always-on cloud connection, and evaluates 2.7 million characteristics of a file in under 200 ms without ever executing it. If a bad file is redressed it doesn’t matter: the same characteristics are checked.
Blackberry has a long-standing history of protecting critical assets in sensitive sectors: its solutions are used by 18 of the G20 governments and by NATO, its artificial intelligence protects assets such as cars and satellites, and it is the protection of choice for many blue light and government agencies here in the UK.
In independent testing in 2018, Blackberry Protect was found to have an average 33-month advantage in picking up zero-day threats. When this was compared against the Colonial Pipeline attack of May 2021, which used a zero-day threat, the AI engine from 2015 identified the threat, a 68-month predictive advantage, while the signature-based solutions on site missed it, causing widespread fuel outages in the US through that month.
Blackberry also protects mobile devices and tablets, so a single security suite covers all of your assets. And the artificial intelligence doesn’t stop at checking files: it also integrates with an authentication module to ensure that only authorised personnel can interact with the device, using frictionless, context-aware technology that supports zero trust architectures.
Looking After the Elderly
Blackberry Protect addresses the threats of today on the technology of yesterday, the devices that are all too common in OT systems. While most traditional antivirus vendors have turned their backs on Windows XP, Server 2003, Windows 7 and the like to focus on current operating systems, that is not the case here.
Legacy devices get the same level of protection without a separate application suite. For even more assurance, USB port control and application whitelisting are included within the solution, so these devices can be locked down as fixed-function until a change is authorised.
Endpoint Detection and Response (EDR)
Blackberry Optics provides monitoring and visibility across your entire organisation, enabling detection and threat hunting for both online and offline devices. While Blackberry products are cloud-enabled, they are not cloud-dependent, so partially connected and non-connected devices are fully protected.
How Can I Find Out More?
Your Industrial Control System is the lifeblood of your organisation and deserves the correct protection. To find out whether Blackberry Protect and Optics are the right fit for your business, contact firstname.lastname@example.org; we would be happy to carry out an assessment to determine whether they can help protect your critical systems.