Video: APAC ATI demo | Duration: 2108s | Summary: APAC ATI demo | Chapters: Introduction and Housekeeping (26.27s), Asset Management Overview (91.415s), Early Warning Platform (179.215s), Proactive Threat Hunting (269.615s), Vulnerability Intelligence Analysis (400.615s), Early Warning Systems (634.85004s), Vulnerability Prioritization Demo (921.7s), Vypr Pro Integration (1435.3049s)
Transcript for "APAC ATI demo":
Today's Armis demo. I am Antonio Corales, one of the campaign marketing managers at Armis, and I will be your host today. In this session, we will discuss Armis Centrix for early warning. But before we begin our demo, I would like to cover some housekeeping items. This is a thirty minute demo session. This session is being recorded, and it will be available for you on demand. Please submit your questions in the chat, and we will address them at the end of the presentation. We have provided some additional resources for you on the topic. Please check them now or after the webinar. And with that, I would like to introduce our speaker, Teal Rist, sales engineer at Armis. Now, Teal, I'm handing this off to you. Thank you. Hey, everybody. My name is Teal Rist. I'm a senior security engineer here with Armis, and what I'm gonna do is talk to you about Centrix early warning. But before we do that, I do wanna talk about our portfolio. We have a full portfolio in asset management, and it goes all the way across the board. So what we do is we go into IT environments. We'll identify all systems within your environment. Not only will we identify all those systems, but we'll identify the applications, we'll identify the communications, the risk, and everything else associated with that asset. We will also do this in a passive way where we're not actively scanning. We're going out and we're basically using mirroring technology through a SPAN port or using APIs to do integrations. The other thing that we do is we also do OT and IoT. So if you're in a manufacturing environment, same thing. We'll get all asset information. We'll provide you that detailed applications, communications, security risks, all of that in the OT, IoT environment. And, again, we'll do that passively. We also do that in the medical world. So in the hospitals, we look and see all those medical devices, and, again, it's passive. 
We're taking all that data, and we are the only company currently in the world right now that does asset management across OT, IoT, IT, medical. Nobody else can actually cover that. Now Vypr Pro, that is something else that we recently purchased. What that does is give us end to end vulnerability remediation and prioritization. And what we do is we basically take those vulnerabilities, we reduce them down, and we group them, and then we push them out and follow them and make sure that they're actually being remediated. What I'm gonna do is actually I will show you that platform because it's gonna be something that we integrate early warning with. It's a very, very good integration. So what we're gonna talk about now, of course, is really our early warning platform. What if I could call you up and tell you that there was a vulnerability in your environment that was gonna be exploited in two months, and that vulnerability had not been identified by CISA KEV. But if you patch it now, you'll be safe from an attack that not might happen, but actually will happen. Armis has that power. We have the ability to go out on average and see vulnerabilities three hundred days ahead of CISA KEV. Essentially, what we're telling you is how to protect yourself from attacks in the future. Now what we're talking about, frankly, is hacking the hacker. We go out and we do this proactively. We use evidence based technology. We're using AI crawlers. We're going out on the dark net. We're hitting the chat rooms, the dark nets, and we're taking the information that they're actually using to talk and actually looking at things such as POCs that they're doing against specific vulnerabilities. We identify that communication. We use honeypots. We use human intelligence, and we go on and listen to those specific conversations. And because we're using that AI, it gives us the ability to focus on key aspects of those conversations. 
We identify the vulnerabilities that are being talked about and used, and then we basically take that data and use it against them. This information is extracted, correlated. We identify the attacks before they happen or impact your organization, and we provide you the ability to understand this. Now this specific version right here, what we're doing is we're gonna talk about how Armis actually was able to find a vulnerability ahead of CISA KEV and provide protection to our customers, way ahead of the threat that was actually coming out. So, basically, this timeline explains a vulnerability that was announced in January. By utilizing true proactive threat hunting tactics, our intelligence determined that there were threat actors that were basically focusing on pseudo exploit. And this was being done in April. We set up a dynamic honeypot. It's an AI created honeypot to lure the attackers in there. That was successful in June. Actually, June. Sorry. Within two months, enough information was gathered, and then we used human intelligence to reverse engineer that exploit. Basically, use a Sysmon rule that was created in the, excuse me, it's created with the intent of capturing an exploit of this vulnerability in the wild, and we've succeeded in doing that. Ultimately, the National Vulnerability Database issued a CVE in April, ten months after our early warning landed. So our customers were actually protected, and you can see basically what happened. We identified this information. Within a month and a half, we had our people protected. And then, of course, if you look at what was going on with CISA KEV, people were vulnerable for basically a year. So we were able to provide that protection. So with that, I am going to share out my desktop here, and I'm going to get you into the demo. And I'm gonna show you how we do this. So give me a second. It should be popping up there. I see it, so hopefully you see it. 
And what we're gonna do is we're gonna talk about ATI and literally how all of this comes together. Now, what I have here is basically our early warning, and what we're seeing here is probably about 3,000 early warnings that we have. Now this is out of all the vulnerabilities in the world. There are hundreds of thousands, millions of vulnerabilities that have occurred. What we have is we got 3,000 vulnerabilities that we know will be used in an attack. Out of these 3,000 vulnerabilities that I am showing you, I can tell you that about 60% of them, CISA KEV has not identified them as being used to be exploited. But, yeah, we know that these are gonna be exploited because we've identified this information, and we've taken it and we've pulled it from, as I said, honeypots and some of the crawlers that we have out there. So what I'm gonna do is I'm gonna show you what this actually looks like when we drill into one of these. I'm gonna pick up the one that I know is good instead of searching through it for you. And what we're gonna do is we're gonna take a look at this specific vulnerability. This vulnerability came out from a vendor, which was Artifex. The product was Ghostscript. And as you can see, when we look at this vulnerability down at the bottom, it has this NVD score of 6.3. Now what does that mean from a patching aspect? What this is is gonna be listed as a medium, a medium vulnerability. And in most cases, what we're looking at is organizations, it's most likely gonna be months before they get to this. So this is something that they're not gonna be too worried about based off the NVD score. However, when we come in here and we look at this and we look at our intelligence, we have multiple sources attesting to our criticality. We even have a public proof of concept that has actually been done on this specific vulnerability. 
So we know that they're seriously talking about using this out here, and you can see that we've got these multiple sources and the public POC. Now we look at their rating as a 6.3. What we do is we provide Admiralty scores based off of the danger associated with the vulnerabilities, based off of what we're seeing and when they're gonna be used. And the top score that you get is an A1 rating, and this specific vulnerability is an A1 rating. So in our aspect or in our eyes, this specific vulnerability is a high critical. This is one of the most dangerous vulnerabilities within the environment, yet CISA KEV is calling this a medium. So these are the kinds of things that we like to do to come out and show our people that there are vulnerabilities within the environment that you need to take care of that really CISA KEV may say are not critical, that you shouldn't worry about. So when we look at that vulnerability and we see the data, it was first identified by us July 3, and we put it into our database on the ninth, and then we started notifying all of our people of that. It was basically three months later. You can see down there on July that they basically added it to CISA KEV, so we were able to provide that early warning to our customers. Now, the other thing that we have to be able to do and, really, when you start looking at this, what are the critical vulnerabilities and types of things and how do I look at this scale? And what I do is I ask people this question. How is it that you identify your vulnerabilities and the ones that are most important to you within your environment? And what I typically get is I get two responses. One is business impact. Business impact on my systems. And I will tell you 100%, absolutely, that is one of the most important things that we need to look at. You know the criticality of your systems. 
You know which systems are very, very important to you, and those systems need to be ranked higher than the other systems. The next thing and the thing that most people say is I do it based off of criticality. And I'm here to tell you what I'm showing you is that's not really the way to do it. And so if we come in here and we look into our library, I'm gonna give you an example. These right here are low severity threats. 35 low severity threats. Now when we go out and we ask people, what is your SLA on low severity? 90% of them go, I don't have one. In other words, if we get to them, we get to them, but most likely, we're not going to. These 35 right here that I'm showing you, let me actually expand that so you can see all of them. These are actively going to be exploited. They're being talked about. They're out on the environment, and they're going to be used. So we can drill into these, and we can see the same types of data that we were seeing from the other ones. We can see the Admiralty scores, the NVD scores low, but we're seeing multiple sites that are showing that these are very, very dangerous vulnerabilities. So what we're doing is we're bringing to the forefront the ability to see that not only critical vulnerabilities are the ones that are the most dangerous. There are low vulnerabilities out there that are actively being exploited that CISA KEV does not realize. Not just low, you have to consider mediums. When we start talking about medium vulnerabilities, typically, what we're looking for that is we're looking at several months to get those done, you know, weeks to a couple of months to actually get into the mediums. So let's take a look at another one. When we look at this from the aspect of what people are doing and who really works with vulnerabilities, typically, when we look at it, vulnerabilities are run by the IT group, and they focus in specific areas. 
And what they focus in on is the PCs and the servers and those other types of systems out there. But what I've done here is I basically went out and did a search using ATI, and I'm removing all IT systems and all mobile devices. So really what we're gonna be looking at is firewalls, IP cameras, workstations, other types of devices, printers, point of sale systems. And the idea here is when we look at it, there's 4,478 targets out there, systems that could be targeted, based off of this information. These are early warnings and systems that are out there that, frankly, the IT group may be ignoring, but we can bring them to the forefront because they're not typically things that they would look at. So give me a second here and we'll move on. Let's go back to the early warning. So the next thing is how do we pull this data? And what we do is we have the ability to come out and do several things. First, we have it integrated into our platforms. I can basically come in and look at it from our Vypr Pro and our Centrix platform, which I'm gonna show you both of those when we look at it. Or we can do it as a standalone through this platform that you're looking at here. But one of the cool things is we give you the ability, using this platform, to actually load up your vulnerabilities yourself. So what happens is if, let's say, you wanted to do something like that, and I actually will talk a little bit about a report that I do using this specific area, at the end of this. But what we do is we come out and we pull out our CVEs. And, truthfully, the only information that I really need is a list of the IDs, the CVE IDs, and then I basically match them. So in this case, this specific customer has 7,453 CVEs. Out of those, we identified 326 of them that are early warning, and those are the ones that you really wanna look at. Now we see that we've got a bunch of critical ones. We can go to the back, and we can see we've got some that are NA. 
The ones that are listed as NA, those are the ones that CISA KEV hasn't picked up yet. We have low ones. So what we're telling these specific individuals that have this specific environment is that, yes, you have critical systems out there, and you've got high, medium, and low vulnerabilities as well that you need to fix. And these are the ones that we look at. So the real question comes down to is where do we start with vulnerabilities? And the real answer, truthfully, is with early warning. We wanna look at the early warnings. And when we look at the early warnings and we see an early warning and a CVSS score of 10, there's a critical AVM rating, that's probably one of the most dangerous ones that's within our environment. Because not only has CISA KEV identified the specific vulnerability as being bad, but our early warning has also identified it. And as you can see, this specific vulnerability is really bad. Two groups in China discussing weaponizing this vulnerability. They identified it, and they can tell you what the vulnerability is. So you have the ability to be able to pull this data yourself through your other platforms and bring it up to fruition. So what I wanna do now, give me a second. I'm gonna move over, and I'm going to show you what this looks like from an output. So once I've done this, if I wanna kick this information out, this is really what it is. This is all the data that I put within the environment. As I said, the thing that I need out of all this data that you would provide me is only this column. So if you pulled your data from your Qualys or your vulnerability management tool out there, it would probably pull a lot of this data. But you could filter it down to where we only need this specific information. Now what I wanna do is come back out and I wanna show you how this looks within our other platforms and how you can actually use this system to do some really, really cool things. Give me a second here and move over to Armis. 
So this is the Armis Centrix platform. And when we look at Armis, of course, what Armis is is it's the asset intelligence platform, and we come out and we are looking for all the assets within your environment. If you remember, I said everything, medical, IT, IoT, OT. All of that information we'll bring into the environment. And when we look at it from the standpoint of the vulnerabilities and we look at the dashboard, you can see that we've actually got the early warnings already built in. Okay. So what I'm gonna do is I'm gonna jump into the Armis platform and basically show you how we integrate with ATI early warning. And as you can see, we actually show the early warnings here within the platform, and you can see all the information around this. These already know device context, criticality, business system boundaries, and they already have prioritizations that put your Vypr ratings in. And it becomes another input to narrow the funnels down and reduce the vulnerabilities within your environment because what we're looking at realistically is 7,528 vulnerabilities. And here, we've got 104 early warnings. So what we're gonna do is we're gonna take a look at that information. And how I'm gonna do that is I'm gonna come in here, and we're gonna drill down, and we're gonna come in and say early warning. And I'm gonna say yes. And we'll show all the early warnings that we have here. So we've got 233 early warnings that we've been able to bring up in the environment. So these are the ones that we consider to be extremely important within the environment, the ones that we need to work with because we know, as I said before, that these vulnerabilities are gonna be used in exploits. They're gonna be used in attacks, based off of information that we've taken from the attackers themselves. So let's take a look at a specific one. I'm gonna go in and actually just make life easier. We'll copy and paste this one in here. We'll see. Retext. 
Boy, put that in there, and we'll hit search. Alright. So when we get into this specific vulnerability, as you can see, we've got a lot of detail around it. We're gonna provide you the criticality, when it was first published, when it was last seen, when it was first seen, first detected. We'll tell you about the scores, where it's rated. We'll tell you references. I'll provide you matching information. If there are other systems out there that have this vulnerability, I'll let you know about that. In certain cases, I'll provide you remediation steps, how to fix the vulnerability, and provide that detail. In those, we'll tell you how many affected devices are in there as well. But, really, we're gonna focus in this area because this is the information that's coming from the ATI environment. And what we're seeing here is that we've got a lot of critical information. We've got 71 exploits that have actually happened here. That's a lot of exploits that have actually been used. We've got a last exploited date of 01/09/2025. That's today. First published, 12/31/2000. First weaponized publish date was 2021. So we were about a year ahead on this specific one when we looked at it from an early warning standpoint. You can see the different tags. We can see that this is Fancy Bear, a Russian APT group that is one of the big ransomware cartel groups. This is something that happened, the vulnerability was first announced several years ago, as I showed, CISA KEV in November 2021. And then four months before CISA KEV announced it, we identified it. As for the tags, what they do is they come from our research, both internal and external, as well as third party feeds that we're using within our environment. So, you know, in this specific case, you might actually want to know how many exploits are being used here. 
And imagine chaining all this together and being able to take the exploits themselves and the threat actors themselves and take that information and be able to actually bring up information around that. So what I'm gonna do is we're gonna come back out in here, and we're gonna actually do a little bit of filtering within the environment. So what I'm gonna do is come back out to the assets. Let's just go backwards, backwards, and backwards, and backwards. There we go. One more time. Alright. Come in here and change this a little bit. And what I'm gonna do is we're gonna come in and look at confidence level, which we have, status. We probably wanna make sure we're only looking at ones that are open. There's no point looking at closed ones. AVM rating. So when it comes down to this is our Vypr rating, and we're gonna make this, of course, critical because that's important to us. Early warning, of course, we want to do yes because those are the things that are important to us. So click on yes, and we'll hit that for right now, and that's basically going to provide us those 233. So the next thing that comes in is let's start adding to this. Because remember when we looked at that vulnerability, there were some things in there that were really, really important. So we want to match. And what I wanna do is I'm gonna do this one based off of the threat actors. So in this case, threat actors, we're gonna say greater than or equal to five. So we have three actors. We got that greater than or equal to, alright. So it's equal to productors, and this one is number of exploits. If I could spell number of exploits. And we're gonna make this greater than 50, I guess. Greater than 50. And this should be, and I should change that to, the number of threat actors. Sorry about that. Greater than or equal to five. So we'll go ahead and run this specific search. 
And, basically, what this is doing is it's telling us that there are six vulnerabilities out there that are just as bad as that specific early warning vulnerability that we found, that affect 173 devices. And then boom, you've got that information right there in front of you. You know the critical ones that you need to go out and fix. So remember what we're looking at. We started off with some five, six, 7,000 vulnerabilities. And now, frankly, we're down to six critical vulnerabilities in our environment based off the criteria that we used. The five alarm fires that we have going on here, these would be the ones that need to get fixed first and foremost within your environment. So with that, this means that you have the ability to go and leverage the knowledge that we already have inside your environment. So you can say, hey. What about the device types? What is the impact here? Know if I'm critical in these different areas. What are the infrastructure sites that I may have issues in? What are the servers and the engineering workstations that I have that I'm worried about? Gives you the ability to go and be specific about what you're finding and looking for within your early warnings. So not only are we gonna tell you you've got early warnings, but we're gonna give you the ability to find specific early warnings that would be critical specifically to you and your environment based off of things like the number of threat actors and the criticality of the vulnerability. So before we jump totally out, what I wanna do is I need to jump into another area here, and this is our Vypr Pro tool. Vypr Pro was purchased a little bit after ATI. We've had both of these for about eight to ten months. And this specific product is geared towards end to end vulnerability remediation and prioritization. 
So when I typically go out and I start talking about ATI and we start bringing this to the attention of all these early warnings they have, it tends to have people open up and look. And then they start talking about how we can handle these within our platform. So we've actually integrated it into all of our platforms, and we have all the platforms integrated together. So if you're in the Vypr Pro model of Centrix, what you're gonna do is you're gonna basically come in and do the same type of thing. You're gonna say, show me ATI early warnings that we have within our environment. And then it'll go out and it'll show you the 776 deduped findings of early warnings. Now this is gonna be different from the other demo because this is a different demo system, so the numbers are gonna be slightly different. I do apologize. But you can see that you have all these early warning signs here. And, again, we have the ability again to, you know, if I could type, go out and look at these things based off of severity or risk scores. And in this case, we can say, hey. I know there's no lows. I'm not even gonna do it, but I do know that there are mediums. And we can see that there are 209 mediums that are vulnerabilities in here. Or we could go out and say we wanna look at the critical ones because these are the most critical early warnings as well as CISA KEV identifications of early warnings. So we do have the ability to provide this within all of the platform and all of the different areas within the platform, giving you really, really great ways to search. With this, though, what we're doing is we're going and saying, hey. This is where you start. You start with these early warnings. And then once you've started with all those early warnings, you basically come into here and you basically look at this and you do the prioritization and remediation. You have campaigns that you start to actually follow the track of them actually patching those vulnerabilities. 
So the last thing that I do wanna talk about, and this is something that we offer to our customers as a free service. It's around ATI. And what it is is it's the ability to actually go out, take your list of vulnerabilities, and, again, all we need are the CVE IDs and no other identifying information. And we will run these through our system. And what I will do is I'll go out and I'll build a report. And what I'll do is I'll show you basically two or three critical, highs, lows, mediums, as well as unknowns within your environment. And I'll basically provide you this information to give you an idea of how this looks within your environment, so it's sort of a taste. I believe that we'll have this waiting for you as one of the downloads, so you can take a look at this and see what it is. But it gives you good information on early warnings that could be within your environment. So with that, I'm gonna see if there are any questions in the chat. One of the questions is around how are we actually grabbing this data. So what we do is we actually are using AI. We have two guys that are actually absolutely amazing, Andrew and Mike. Andrew basically started programming, building things at the age of 13. He actually worked for IBM at the age of 16. He builds AIs for a living. And then Mike basically builds all these crawlers and things that go into the darknet and chat rooms and grab information. So what we do is we build these honeypots and these crawlers. And what happens is the crawlers go out and they basically are programmed to look for specific information within a dark net chat room or community. They find that information. They listen to the chats that are going on. Based off of the information they're pulling or finding, they identify that they need to go to another community or another chat room, and they pull information from there. And it keeps slinking around the dark net pulling this data and bringing it back to us. 
So what happens from there is we analyze all this data, and we see the conversations, the conversations where the guy is talking about on the boat that they want to use. And, basically, people are going out saying, hey. Can you provide detail? Anybody use this vulnerability? Do you have any advice? And they get advice from all these other hackers. And then in a lot of cases, they actually do a proof of concept. They do a dark net proof of concept to make sure that the vulnerability actually works the way they want it to. And they chat about all these things, and they talk about all these things. The one thing that hackers do is they talk. They like to brag about what they can do. So we're just doing what they do. We're taking their information. It's out there. It's free to get. We're going out, and we're taking that information. We're analyzing it and bringing it to the forefront. So that's literally how we do it. We also use very, very smart honeypots. We lure the dark net guys into there and have them drop their attacks in there, and we suck up that information. We use those as well. Next question. Is this platform integrated altogether? Yes. Absolutely. That is one thing that I do want you to know. Just because I switched around different screens, that's just the way I do it. But these platforms are all integrated together. You just have to click on the different links within them to get to those specific areas. And that looks like all the questions that we have there, Antonio. So I'm gonna turn it back over to you. Okay. Thank you, Teal. I want to thank everyone for joining us today. Thank you, Teal, for your amazing presentation. For more information about Armis, please visit armis.com. Have a great day. Thank you.
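The two workflows the speaker walks through, pulling only the CVE ID column out of a scanner export and matching it against the early-warning feed, then filtering the matches down to "five alarm fires" (open, critical rating, early warning, at least five threat actors, more than 50 exploits), as an added Python example that is not Armis code. The feed records, the CVE IDs and the scanner export below are constructed placeholders, not real vulnerabilities, and the field names are assumptions.

```python
"""Added example: match a customer CVE list against a constructed early-warning
feed and apply the demo's prioritization filter. Not Armis code; the feed
schema, thresholds and all IDs below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EarlyWarning:
    cve_id: str
    nvd_score: Optional[float]  # None when NVD has not scored it yet ("NA")
    admiralty: str              # source-reliability grade, e.g. "A1" is the top
    rating: str                 # vendor criticality rating (the demo's "AVM rating")
    cisa_kev: bool              # whether CISA KEV already lists it
    threat_actors: int          # distinct actors seen discussing/weaponizing it
    exploits: int               # exploit events seen
    status: str                 # "open" or "closed" in the customer's tracker


# Constructed feed: placeholder IDs (CVE-1900-*), not real CVEs.
FEED = {
    "CVE-1900-0001": EarlyWarning("CVE-1900-0001", 6.3, "A1", "high", False, 2, 3, "open"),
    "CVE-1900-0002": EarlyWarning("CVE-1900-0002", 10.0, "A1", "critical", True, 6, 71, "open"),
    "CVE-1900-0003": EarlyWarning("CVE-1900-0003", 3.1, "B2", "medium", False, 1, 1, "open"),
    "CVE-1900-0004": EarlyWarning("CVE-1900-0004", None, "A2", "critical", False, 5, 60, "open"),
    "CVE-1900-0005": EarlyWarning("CVE-1900-0005", 9.8, "A1", "critical", True, 7, 55, "closed"),
}

# Constructed scanner export: only the first column matters for matching.
SAMPLE_EXPORT = """cve_id,asset,detection_date
CVE-1900-0001,host-a,2025-01-02
CVE-1900-0002,host-b,2025-01-03
CVE-1900-0004,cam-01,2025-01-03
CVE-1900-0005,host-c,2025-01-05
CVE-1900-0099,host-d,2025-01-06
cve-1900-0002,host-e,2025-01-07
"""


def nvd_severity(score: Optional[float]) -> str:
    """CVSS v3 qualitative buckets; 'NA' when no NVD score exists yet."""
    if score is None:
        return "NA"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_cve_column(csv_text: str) -> List[str]:
    """Pull only the CVE ID column out of an export; other columns are ignored."""
    ids = []
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        cve = line.split(",")[0].strip().upper()
        if cve.startswith("CVE-"):
            ids.append(cve)
    return ids


def match_early_warnings(cve_ids: List[str]) -> List[EarlyWarning]:
    """Feed records for the customer's IDs, deduplicated, input order kept."""
    return [FEED[c] for c in dict.fromkeys(cve_ids) if c in FEED]


def severity_breakdown(matches: List[EarlyWarning]) -> Counter:
    """Counts per NVD severity bucket, including NA for unscored CVEs."""
    return Counter(nvd_severity(m.nvd_score) for m in matches)


def five_alarm(matches: List[EarlyWarning], min_actors: int = 5,
               min_exploits: int = 50) -> List[EarlyWarning]:
    """The demo's filter: open, critical-rated, >= 5 actors, > 50 exploits."""
    return [m for m in matches
            if m.status == "open" and m.rating == "critical"
            and m.threat_actors >= min_actors and m.exploits > min_exploits]


if __name__ == "__main__":
    found = match_early_warnings(parse_cve_column(SAMPLE_EXPORT))
    print("early warnings matched:", len(found), dict(severity_breakdown(found)))
    print("five alarm fires:", [m.cve_id for m in five_alarm(found)])
```

Note that CVE-1900-0001 is scored Medium by NVD but carries an A1 grade, which is the medium-rated Ghostscript case from the demo; it survives the match but not the five-alarm filter because the actor and exploit counts fall below the thresholds.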