News
More from RSA Conference 2023

Anand Oswal

EVP and GM, AI and Network Security

Palo Alto Networks

Palo Alto Networks embraces AI and ML to automate OT security

Operational technology is a critical use of hardware or software to monitor and detect any changes in industrial machinery and production services.Cyberattacks on OT software and hardware is on the rise, a particularly concerning threat as these targets can affect thousands or even millions of other people if compromised, according to Anand Oswal (pictured), senior vice president and general manager at Palo Alto Networks Inc. In fact, a recent ransomware attack on the Colonial Pipeline stopped 2.5 million barrels of oil, causing fuel shortages and price hikes until the ransom was paid, a harrowing reminder of how severe these attacks can be

Info

Anand Oswal | Palo Alto Networks

Anand Oswal

EVP and GM, AI and Network Security Palo Alto Networks

(gentle music)

>> So, RSA Conference 2023, you know, 2020, this was the last conference actually before COVID. And it's back, it's back in full swing. I'd say 50,000 plus people there. The exhibit hall is packed. I mean, it is wall to wall even when you're walking between north and south. It's just aligned with smaller boots and a lot of the startups. It's just amazing. Anand Oswal is here, Senior Vice President for network security at Palo Alto Networks. Anand, good to see you again.

>> Good to see you again. We had a great year end last year. We finished with Palo Alto Ignite. It was a great event. We had you guys on, and you know, just before, just right after AWS. So we just really strong ending through the year, and now we're starting out strong again this year. And security is even a hotter topic. You know, we've talked about the whole OT and IT, and that's what we're going to get into. But what is the state of the state? I mean, we've got plants and reservoirs and dams and pipelines, it's just a different world out there. What's the state of the state?

>> Yeah, if you think about operational technology, OT networks, right? If you rewind the clock, they were air-gapped long, long ago. There's no connectivity. It's within its own self.

>> Dave: Just that's the way it was,

right? >> Right.

>> And now it's getting more and more connected. And we've seen this with the Colonial Pipeline attack. Right? That happened, few, like a while back, 2.5 million barrels of oil that were flowing every day was stopped. Eventually, they paid a ransom. The White House issued a directive that any pipeline that has security breaches should notify CISA within 12 hours. That's really what's happening. Critical infrastructure is embedded in everything that we do. Think of manufacturing, think of chemical plants, think of energy, utility, oil, and gas. Securing those assets is extremely important, but you got to go about it thoughtfully, right? I think we talked about it in the past that when you think of connected things or digitization, it's affected almost every single industry for the positive I would say, right? It's made things easier, lowering the operational cost for all of the firms using them. But if you don't go about the right way, it leads to security breaches. Because you got to think about it day one and how you want to secure your infrastructure.

>> So, how is the way in which you secure the OT infrastructure? How is it different than the traditional IT infrastructure?

>> So, if you think about security, it can only secure something when you know what it is. Right? So it starts with visibility. The most important aspect of OT is that you want to have true visibility in all your connected devices. And this cannot be done, Dave, through just the traditional approach of a database, a signature, et cetera. There are more and more devices coming online every single day. So you have to use the power of AI and machine learning to identify these connected devices. And that's important. It should be automated and it should scale. You want to understand the device, the make, the model, etc. So that requires a lot of work. Now, you may say that's good. A lot of people in the industry say that we have an OT solution with visibility. So let me give you an analogy. I tell you that you have a leak in your house and I walk away. I don't tell you where the leak is. I don't tell you who's the plumber.

>> You'll find out eventually. (laughs)

>> You'll find out eventually. I don't tell you anything about home warranty, home insurance information. And if the plumber does come to your house, he can't access things he wants to access securely. So, that's a state of only having visibility. It's good, but it's not good enough. The next step we do is around what I call segmentation or policy control. Who should be talking to whom? Should this device be talking to this device? We need to talk to the device? What's your policy? You start with the whole principle of least privileged access. So you set those automatically. Third, as these devices talk outside, you want to watch continuously for threats, for malware, for command control connections, for software exploits on an ongoing basis. And the fourth step, which is not really security really, I would say, but it's more an operational simplicity. You know, when I talk to customer, they say, "I don't want yet another point product solution, give me a solution that integrates in my infrastructure, reduces my operational cost. Tell me about the asset utilization of my devices, how long it has this machine being used," right? I'm getting asked to add more machines in my manufacturing floor. What's my utilization, right? How is the efficiency of this machine compared to the efficiency of the other machine? How is this plant operating compared to my plant in Beijing or India or some other place? So you want to incorporate all of those things into your solution.

>> If I talk to, let's say a, a server manufacturer, like a Dell or an HPE, or a storage manufacturer, like a Pure Storage, they'll talk about security. They'll talk about their supply chains, their Software Bill of Materials. They'll talk about Silicon Root of Trust. They're very in tune with security. And they, you know, they take their responsibility very seriously. When I think about things like, you know, devices, factory devices, machines, cameras, are those manufacturers as astute, have they gotten better in terms of just being more aware of the security issues?

>> Yes and no. Look, we have over a billion new devices coming online in the next couple of years, right? They're made from a plethora of different manufacturers, and they have all a variety of different cost points and capabilities, right? In many cases, you have the plant owner, or in case of a medical factory, the biomed engineer responsible for the equipment. It's very hard for them to understand how do you patch this equipment with software. I need to update for all of these things, right? They want to do what they are best at their job. We want to make sure that it's simplified for them to understand the capability of all these devices, automate all things that they want from a compliance perspective. All of these industries have heavy compliance. So how do you make sure that you can get audit ready? What is all get connected devices? Which of them have unpatched vulnerabilities? What do you need to do to patch these vulnerabilities? Who's talking to which device? Are you monitoring all the transactions? Are you doing this on a continuous basis? We want to do this the entire life cycle.

>> Who does that in the OT world? Is it the SecOps team? Are they now sort of bleeding into the OT world? Is there an analog to the IT SecOps team?

>> Look, they have security engineers, right? But if you look at IT and OT networks, they're still run separately with common DMZ networks. But more and more you see organizations bring IT and OT networks together. Now as these networks have connected, you can imagine the threat landscape will increase. I'll take another example. You've seen many of these OT networks during the pandemic. Started opening up connectivity using 5G because you can't have somebody physically always go for servicing, updating things. Now, as you open up connectivity to your equipment, how do you ensure it secure? How do you ensure that you don't move laterally and spread these threats and malware? So think about this very, very holistically and end-to-end.

>> It reminds me of, and I'm just listening to you talking, reminds me of the FBI and the CIA before 9/11, right? I mean, they had different, you know, agendas, right? And they were different DNA, and it just, that can't be an easy thing to bring together. So, are firms like Palo Alto Networks sort of a glue to bring them together? And what specifically can you do to help?

>> So if you see, many of the customers in these industries of critical infrastructure, manufacturing, utilities, oil and gas, use Palo Alto on their IT side and also on the DMZ side, right? They also use our firewalls in the OT network. Now we're helping bridge that gap between IT-OT networks as they're connecting more and more devices on the OT networks to the outside world, we're ensuring that they're connected with the principles of zero trust lease privilege access and secure connectivity on a continuous basis.

>> It's the same principles, but is it different solutions, different products, purpose built for OT?

>> Yeah, it's a purpose-built product for OT networks because you want to provide, like I said, the four things, visibility. Then you want to do segmentation and automate your policy control. You want to monitor all the transactions and ensure that you are completely secure. And then provide all of the operational simplicity and the visibility that they need from an asset utilization perspective.

>> What's the number one question, or maybe one and two that you get from the OT pros?

>> How do I understand all the devices that I have on my network with all the details I want, type of device, model, make, manufacturer, how do I ensure which of these devices are in unpatched vulnerabilities? I want that whole inventory map. That is their first problem. Because like I said, you can only secure something once you know what it is.

>> Okay, so that's a problem. So is that metadata all available? How do you find that data?

>> We do all that through a combination of our machine learning. So if you put our sensor, which are our firewalls, within 24 to 48 hours, I will be able to identify more than 95% of all devices. This is work that we've done for last many years in terms of how do we understand the protocols, the makes, the model, et cetera. Now there's a small percentage that we understand these devices but don't know exactly what they are. And that's something that we work with the owners, plant owners, manufacturers, et cetera, to understand and over time we keep getting better.

>> As these devices in the factory or the plant, et cetera, as they become more programmable, you've essentially now got an analog to developers, right? Infrastructure as a code, infrastructure in the plant as code. In IT, the developer has a critical role in, you know, the whole shift left thing.

>> Anand: Yes.

>> Even though, you know, it may not be their wheelhouse, they're being forced essentially and asked to help secure the network. Is the same thing happening in the OT world?

>> In the OT world, it's around ensuring that when these devices get connected or when we are connecting to these devices from the outside world, we are doing it securely, as these devices talk to each other or these devices talk to other interfaces as we bring IT-OT networks together, they're done securely. That is the number one thing that the OT owners are worrying about.

>> Is there, you think about ransomware, you think about, you know, people talk about air gaps. I guess, like you say, it used to be that the whole OT infrastructure was air-gapped. Right, so that goes away. What are some of the best practices that you see with some of your, you know, top customers?

>> If you see our top customers, the best practices that they do is really, say, how do you get a zero trust approach to operational technology? Right? And zero trust is a very abused word. Dave, you and I talked about this in the past.

>> Yeah, you have the mindset. >> Right.

>> you're bringing that mindset >> Exactly.

>> into OT, but yes, it is abused word.

>> It is, but it's all around, how do you ensure that you give the least privilege access? So, is the user or the machine authorized and authenticated. Is that device having malware itself? What is that I'm trying to access? What application, what data, what other equipment, what server? Do you have the right permission sets for that? What is my transaction? Which means that as I'm having data flow, I want to watch for threats, the ransomware, the malware, et cetera, and do that on a continuous basis. That's the principles of zero trust that our customers are employing.

>> I was reading the Unit 42 Threat Intelligence Report that came out last week or the week before, you know, prior to RSA. It was just astounding to me, you know, the one graph that really caught me was that 80% of the alerts come from 5% of the rules, and it has for a long, long time. And then the other one was that the propensity of secrets to be hardcoded. You know, it's the code base. And so, and that's in IT where there's, you know, very high awareness of security. OT, I would think there's security, you know, maturity, on the maturity model. They're less mature than their IT brethren, right?

>> And also on the OT side, and just like the IT side, majority of the breaches happen because you have misconfigurations or you haven't configured your security equipment properly, your security service properly. That's majority of the breaches that happen even in the OT world because OT networks are by nature flat, which means that you really want to ensure that you get full visibility and then really control, have granular control on policy. We start with, when you talk about zero trust, we say that no one can talk to nobody. And then you allow each connection to go through versus the reverse motion of everybody can talk and I'm going to block whatever I am going to block. It's a mindset change.

>> So, a flat network means, in theory, it's easier to traverse horizontally, right?

>> Yes, and so you want to really put all those granular policy controls thoughtfully and automate them because you can't do it manually again. You do manually at one scale and you'll make errors.

>> What's the right regime? We talked earlier about the OT and the IT worlds coming together. Who's involved in that? It's the engineers, the plant manager, the CIO, the CISO. But, again, who's really going to take responsibility? Are organizations thinking about it as a holistic system or is it sort of a still stove pipe?

>> So I would say it's a journey. We talk to different customers, and they're in a different phase of that journey. First step they're doing is how do you bring IT and OT networks together? And they're only connected to a DMZ but you want to ensure that you can now connect to these OT assets from the outside. So how do you make sure that you have zero trust network access to these devices? As these things come more together, I think it comes down to how organizations will also change their structures. How you have single entities managing their IT and OT networks versus what's done today. But that's a journey as you know.

>> How big is this market? I mean it's got to be enormous and a huge opportunity. And it's very immature in terms of the security adoption,

right? >> Absolutely. If you read reports of just say manufacturing, OT, security, completely end-to-end, it's a multi-billion dollar market. And then you think of energy and utility and oil and gas and food industry and beverage and chemical plants. And this is a massive opportunity. It's also important because critical infrastructure, the reports I read which said that threats to critical infrastructure could lead to possible deaths. And I was first alarmed when I read the report, and it talked about an example of a chemical plant. If an attacker gets access to the chemical plant and changes the composition of how much you're mixing the chemicals, it can lead to catastrophic effects. And that's why thinking about this holistically from day zero, day one, is very important as we build these networks.

>> Very interesting conversation, Anand. Thanks so much for coming back in theCUBE. It's good to see you again.

>> Good to see you Dave.

>> All right, and keep it right there. This is Dave Vellante for John Furrier, the entire theCUBE team, from RSA 2023. We're live at Moscone West. Right back. (gentle music)