How does FACT deal with intellectual property relating to software/binaries/firmware supplied to the FACT platform for scoring?
It is important to understand that we do not analyze or collect source code: we work entirely with binary images of software.
Of course, some of our partners consider their software images to be protected IP, so we offer two options for protecting binaries. The first option allows our vendor partners to send us the binaries over an encrypted link; we then store and analyze them in a private portal that only the partner can access. For the second option, we provide an agent that runs within the partner's release pipeline and creates a Software Bill of Materials for each file. This SBOM is then transferred to our platform for further analysis, but the original software remains with the partner. In both cases, analysis results are not released to the public until the partner has had a chance to review the results and respond as needed.
How different is FACT from next-generation sandbox technologies that use multiple antivirus (AV) engines to scan binaries and provide a verdict as to whether the binaries have been compromised or are malicious?
FACT is an aggregation and correlation service rather than a classic antivirus (AV) cloud service.
In other words, we don't provide the sandbox technology that utilizes multiple AV engines, but rather aggregate the data from multiple platforms that specialize in AV analysis. Our goal is to make all the information about both OT and IT software — malware, vulnerabilities, code signing, SBOMs, etc. — available in one simple software intelligence report. It's like a universal credit report for software that gives companies the assurance that the software they are using in their IT/OT convergence strategy is safe and secure.
What assurance can FACT offer that the platform itself can’t be compromised?
FACT has undergone extensive security reviews and red team testing by Assured Information Security, Inc. on behalf of the US Department of Homeland Security.
Why do I need FACT? Won't code signing ensure we are using authentic software?
Code signing is a very useful technology for determining if software is authentic.
However, without the proper checks, attackers can misuse it to create a false sense of security in their victims. According to an analysis by TrendMicro: "more malicious software appears to be signed than legitimate or benign apps (66% versus 30.7%).... This shows that cybercriminals commonly provide software that is signed correctly, therefore running and bypassing code signing validations." Many companies (and security tool developers) take code signing certificates at face value, not realizing that what matters is who signed them, not if they were signed. That is like airport security accepting your passport without opening it to confirm your photo and details.
Industrial cybersecurity includes a broad range of products and services. What is aDolus’ focus and how is your solution different?
Most of the OT security market is focused on network traffic analysis.
In other words, they are looking for bad behavior inside a company's network. aDolus is looking at the reputation of software or firmware before it is installed into a company's operations.