TL; DR: Sepio Systems, founded in 2016, is pioneering the hardware access control (HAC) space with a platform that provides ultimate visibility, policy enforcement, and rogue device mitigation (RDM). The solution uses physical-layer fingerprinting, machine learning modules, and a threat intelligence database to fully protect customers against hardware-based attacks. Through these innovative technologies, Sepio aims to help businesses, manufacturers, and government agencies worldwide operate in lower-risk server and network environments.
Although sensational headlines suggest otherwise, cybersecurity defense has continually grown stronger over the past decade, making it harder for cybercriminals to achieve their goals. Solutions now exist to protect against various software-based techniques, including denial-of-service attacks, malware, phishing, and ransomware.
Frustrated with such defense systems, many malicious actors are finding alternative paths to digital assets via hardware-based attack tools. In 2018, for instance, a telecommunications company in the U.S. fell victim to a nation-state supply chain attack executed through hacked motherboards in servers.
Fortunately, one Israel-based security company is stepping up to the plate with a hardware access control (HAC) platform designed to protect customers from these emerging threats.
“The mission of the company is to protect enterprises and organizations against rogue devices by providing visibility, control, and mitigation,” said Yossi Appleboum, CEO at Sepio Systems. “While everyone else is focusing on device activity, we’re focused on the existence of the device.”
Sepio’s HAC-1 platform safeguards customers from hardware-based attacks using machine learning modules, a threat intelligence database, and physical-layer fingerprinting. The hardware fingerprinting technology identifies managed, unmanaged, and hidden network devices undetectable to other security tools.
HAC-1 has numerous use cases across industries, including healthcare, manufacturing, the Internet of Things (IoT), financial services, retail, and government agencies. As the first rogue device mitigation (RDM) provider of its kind, Sepio’s goal is to lead the charge in fully protecting a wide range of customers against hardware-based attacks.
Providing Thought Leadership in Hardware Access Control
Sepio was founded by Yossi, Iftah Bratspiess, Greg Poch, and Bentsi Benatar in 2016, but the founding team worked together for more than 30 years.
“My executive team and I started our cybersecurity careers in the Israeli intelligence community,” Yossi said. “We built a couple of cybersecurity companies before exiting them quite successfully. Then we launched Sepio, which is now five years old.”
By the end of the year, the company will have onboarded roughly 100 employees. Yossi said the company’s growth reflects increasing market demand for HAC solutions.
“The ability to get into your outward infrastructure is easier than ever today because the know-how is out there for bad actors,” Yossi said. “You can see that with the U.S. government’s awareness of the issue with China compromising hardware supply chains.”
The emerging trend is also evidenced by the Center for Internet Security (CIS) controls — a prioritized list of its best practice guidelines for computer security. The very first guideline, CIS Control 1, focuses on actively managing all hardware devices on a network while preventing unauthorized and unmanaged devices from gaining network access.
“If this were not a big issue, it wouldn’t be listed under the first item in the CIS critical controls,” Yossi said. “They want to raise awareness because there are not enough solutions for this problem. This is where we believe that we provide the most value because our approach is unique.”
Accolades from Gartner, Frost & Sullivan, and TAG Cyber
Hardware-based attacks will only become more common as technologies like 5G wireless and the Internet of Things (IoT) gain prominence and provide additional attack paths. Gartner estimates that by 2021, more than 25 billion IoT endpoints will be installed, with an IoT market valuation reaching $3.9 trillion.
Yossi told us that the existing IoT security companies on the market can be divided into two main groups.
“There are companies that try to secure the IoT device itself, and there are other ones that try to protect the organization against rogue devices,” he said. “The problem is that the ones that try to protect the organization are attempting to apply the traditional network security methodologies to hardware-based attacks.”
These traditional approaches don’t pick up on devices that aren’t contributing to the network — including passive units used to exfiltrate data. Sepio’s HAC-1, on the other hand, provides total visibility over all network hardware, whether connected as a peripheral or a network element. The software can pick up on hardware used to impersonate human interface devices (HIDs).
“We don’t need to see traffic or analyze what’s going on inside the network to know what’s there,” Yossi explained. “It’s a holistic solution that provides full control and visibility of outer infrastructure.”
Sepio’s distinctive value proposition has recently attracted attention from analysts such as Gartner, Frost & Sullivan, and TAG Cyber. Gartner, for example, recognized Sepio in its April 2020 Cool Vendors in Cyber-Physical Systems Security report.
“Gartner and other analysts realize that what’s being provided in industry today is not sufficient to protect organizations from the growing number of rogue devices,” Yossi said.
Tools for Networking, Security, and Procurement
Sepio’s HAC-1 solution empowers IT teams to gain almost immediate hardware visibility in all server and network environments.
“We save them time and money on the networking side,” Yossi said. “Deploying the tool in huge organizations takes mere hours, and after doing so, visibility is achieved within the next day. In addition to that, the reporting capabilities within the system can change the way an organization operates — you’re not calling 10,000 people and asking, ‘Did you connect something to the network?’”
That visibility also makes it easier to patch switches and routers used to connect servers within the network. Of course, on the security side, the ability to see, report on, and assess the risk of outer infrastructure is priceless.
“The problem with security is not just the risk itself, but the uncontrolled risk,” Yossi said. “If you can see all the risks, there may be some you choose to live with. But at least you can assess them.”
HAC-1 also provides benefits in terms of procurement. Yossi told us that every large organization is now subjected to vulnerabilities in their supply chains. Malicious actors are increasingly creating spoof devices designed to penetrate organizations or swindle customers financially.
“Everyone saw what happened with SolarWinds on the software side,” he said. “The hardware side can quickly become a nightmare. You need something inside your organization that can identify knockoffs.”
Future Plans to Expand Alliances with Outside Vendors
Sepio has exciting plans in the works for the remainder of 2021 and beyond. This year, the company will introduce partnerships with outer infrastructure vendors.
“We’re going from supporting end users only to supporting vendor partners so end users can control their supply chain and security posture in a way that closes the loop — from the design phase of the project until the item comes to your door. We will introduce the first alliance later this year.”
The company is also planning to focus on looking inside individual computing environments. Yossi said many vendors that we assume manufacture parts in America are merely assembling them within the country.
“We have almost no ability to control that as a society — not to mention the ability to verify not just one unit, but all of them,” he said. “Our technology will go from just looking at interfaces to looking inside the computing environment, using big data and machine learning to detect anomalies within a large organization.”
Finally, the company is working on WiFi security for remote working environments. “It’s one thing to have wifi security for your office building. It’s a totally different challenge when we’re talking about working from home,” Yossi told us.
Keep an eye out for a hardware security solution coming soon.