Implementing Proactive Product Security With PSIRT Automation

Product security is experiencing growing pains.

As products started to become connected to various communication sources, most prominently the internet, product cybersecurity teams would protect their assets using proven solutions from the IT world. Professionals quickly recognized that IT-driven cybersecurity tactics did not take into account various product needs and domain expertise, such as integration with legacy systems and components provided by their supply chain, and the complex need to contextualize the data coming from cyber-physical devices.

What’s more, many companies that were used to developing physical products have become integrators of digital systems from various third-party vendors. An example of this is in the automotive or aerospace industries, where systems such as engines, brakes, and other traditionally physical components have become software-driven and are delivered by vendors with the relevant software already pre-installed. This saves companies significant time during development, allowing them to get the most out of their supply chain. On the other hand, each software component must be cataloged in an SBOM so that PSIRT teams can rapidly react to both known and not-yet-discovered vulnerabilities.

While these vendors may be trusted on their own, no single apparatus existed that could impartially review each physical component and understand whether its layered software posed any hidden threats. For these manufacturers and critical industry players, it doesn’t matter if an exploited vulnerability is the result of a vendor oversight: it’s their names and long-developed reputations on the line.

The good news is that a product-security platform stands ready to help reduce operational costs by automating critical reports that PSIRT relies on.

Product monitoring and investigating from the ground up

Fast-forward to modern-day devices and there are multiple software programs running on each individual device, each with its own commands, complexities, and network of vendors. So, how do we even begin to zoom out, understand what is going on, and determine which of the continuously disclosed vulnerabilities are relevant to which devices?

To begin, there must be a way to monitor and remediate component vulnerabilities without physically connecting to the device or taking it temporarily out of operation. Any mitigation steps that would be run on the device directly must first be rehearsed in a simulated environment to ensure that addressing one issue doesn’t open new ones while the device is in a client’s possession.

To address this challenge, the Cybellum Product Security Platform pioneered the Cyber Digital Twin, a firmware-based representation of each electronic control unit that is critical in operating a device. When a newly discovered threat appears in a threat intelligence feed, cybersecurity practitioners can compare it against each twin to understand what the threat means for their device and a breach’s potential greater impact on the full system.

For example, let’s say you are using the Cybellum Product Security platform and are notified of a recent vulnerability that has the potential to impact multiple digital twins (DTs) from various products across product lines.

Upon further investigation, you discover that this threat is not relevant to your product lines. You can select ‘Mark as ignored’ and have the peace of mind that it has been addressed and won’t return to bug the team again. This is especially helpful if a customer hears about the same threat and calls the customer success team. They can come in and see that security teams determined it is not relevant to their product.

But, what if it is relevant? You can select ‘investigate’ to open a ticket, discover solutions, and create reports that help to mitigate risk and enable remediation of the threat before a hacker strikes.

At this point, cybersecurity teams can see the potential damage impact to calculate the urgency and priority of this vulnerability. Investigations can be automatically elevated and shared with relevant stakeholders to reduce red tape and ensure relevant parties are directly notified.

Now, one person’s finding regarding a vulnerability can become a communal resource that may be called upon in the future, should a similar issue persist in future versions of the product.

Responding to product security incidents

One of the most challenging aspects of product security is contextualizing vulnerabilities in order to keep a product secure without introducing friction into the user experience. Rolling out sudden patches or closing ports without understanding how a device is used in the field may make a product obsolete from a client’s perspective.

It is critical to gain as much information on this threat, as quickly as possible. The best way to achieve this is with a central repository for all internal activities that remain visible to all stakeholders. Time, resources, and costs are better managed when you can identify all impacted devices in minutes, not months.

This means maintaining a location where team members can:

  • Gain an overview on the status of each digital twin and incident that has been investigated
  • Draft their findings thus far and recommended remediation steps
  • Understand relevant preconditions, which might be triggering an alert, and implement countermeasures to solve the outstanding problem
  • Understand the total potential damage impact to act in a way that protects relevant sectors

PSIRT from all angles

Ultimately, Product Security Incident Response Teams (PSIRT) are as effective and efficient as the information they hold. While updated SBOMs, VEX, and other tools are critical in the fight against cyber crime, they are part of a greater PSIRT strategy.

Without a centralized platform to automate and manage documentation, teams often need to manually collect known vulnerabilities, then scan and identify which products contain an impacted software component. From there, they must confirm the configuration of each candidate product to see whether the threat actually applies to it.
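The three-step process described above (collect the advisory, scan every product’s SBOM for the impacted component, then confirm configuration to decide whether the threat really applies) as an added worked example. This is not Cybellum’s code and makes no use of its platform; the product names, product lines, component names, versions, configuration flags and advisory identifiers below are all constructed for illustration. The VEX-style “affected” / “not_affected” statuses and the “investigate” / “ignored” outcomes mirror the triage choices the article describes.

```python
"""Match a newly published advisory against per-product SBOMs and record a
PSIRT triage decision.  Added example; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str          # plain "major.minor.patch" strings for this example


@dataclass
class Product:
    name: str
    product_line: str
    sbom: List[Component]
    config: Dict[str, bool] = field(default_factory=dict)  # constructed build flags


@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str                           # first version that contains the fix
    requires_feature: Optional[str] = None  # precondition flag that must be enabled


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def is_affected_version(version: str, fixed_in: str) -> bool:
    """A component is affected if it predates the fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def match_advisory(products: List[Product], adv: Advisory) -> List[Tuple[Product, Component]]:
    """Step 2: scan every SBOM for the impacted component at a vulnerable version."""
    hits = []
    for product in products:
        for comp in product.sbom:
            if comp.name == adv.component and is_affected_version(comp.version, adv.fixed_in):
                hits.append((product, comp))
    return hits


def confirm_configuration(product: Product, adv: Advisory) -> str:
    """Step 3: vulnerable code being present is not enough; check the precondition.
    Returns a VEX-style status string."""
    if adv.requires_feature is None or product.config.get(adv.requires_feature, False):
        return "affected"
    return "not_affected"   # code is shipped, but the triggering feature is off


@dataclass
class Investigation:
    advisory_id: str
    decisions: Dict[str, str] = field(default_factory=dict)   # product name -> status


def triage(products: List[Product], adv: Advisory) -> Investigation:
    """Run the full process and keep the per-product outcome as a shared record."""
    inv = Investigation(adv.advisory_id)
    for product, _comp in match_advisory(products, adv):
        inv.decisions[product.name] = confirm_configuration(product, adv)
    return inv


def overall_status(inv: Investigation) -> str:
    """'investigate' if any product is really affected, otherwise 'ignored'."""
    return "investigate" if "affected" in inv.decisions.values() else "ignored"


def affected_lines(products: List[Product], inv: Investigation) -> Dict[str, int]:
    """Count affected products per product line to help set urgency."""
    by_name = {p.name: p for p in products}
    counts: Dict[str, int] = {}
    for name, status in inv.decisions.items():
        if status == "affected":
            line = by_name[name].product_line
            counts[line] = counts.get(line, 0) + 1
    return counts


# Constructed inventory: four ECUs across two product lines.
PRODUCTS = [
    Product("ECU-A", "sedan", [Component("libtls", "2.3.1"), Component("rtos-kernel", "5.0.0")],
            {"tls_server_enabled": True}),
    Product("ECU-B", "sedan", [Component("libtls", "2.4.0")], {"tls_server_enabled": True}),
    Product("ECU-C", "truck", [Component("libtls", "2.2.0")], {"tls_server_enabled": False}),
    Product("ECU-D", "truck", [Component("can-stack", "1.1.0")]),
]

# Constructed advisories; identifiers are placeholders, not real CVEs.
ADVISORY_TLS = Advisory("EXAMPLE-ADV-0001", "libtls", "2.4.0", requires_feature="tls_server_enabled")
ADVISORY_CAN = Advisory("EXAMPLE-ADV-0002", "can-stack", "1.0.0")

if __name__ == "__main__":
    for adv in (ADVISORY_TLS, ADVISORY_CAN):
        inv = triage(PRODUCTS, adv)
        print(adv.advisory_id, overall_status(inv), inv.decisions, affected_lines(PRODUCTS, inv))
```

Running the block shows the first advisory matching two SBOMs but only one product being truly affected after the configuration check, while the second advisory matches nothing and can be marked as ignored with the reasoning preserved in the investigation record.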

Using a centralized product security platform replaces what can be a potentially months-long process with an instant company-wide scan the moment new vulnerabilities are reported. This is achieved with a living history of investigations, mitigation / remediation techniques, and contextualized insights that reduce costs, save resources, and shield you from hacks that may result in irreversible reputational damages.

As the number of products, components, and software variations continues to grow exponentially, tracking the location of emerging vulnerabilities during a true emergency is already nearly impossible. Committing to safety and reliable operation means automating processes, streamlining report approvals, and always being ready for whatever comes next.