Rockville, Maryland-based startup Sepio Systems, a rogue device mitigation firm, has raised a further $4 million that supplements the Series A round of $6.5 million announced in November 2019.
The new investment comes from Munich Re Ventures and Hanaco Ventures, bringing the total raised to $15 million. It is, however, more than just a financial investment since Sepio is simultaneously partnering with the Munich Re insurance arm to provide customers with no-cost guarantees for the service it provides.
Sepio has three primary offices: headquarters in Rockville; R&D in Tel Aviv, Israel; and a machine learning center in Lisbon, Portugal. The firm was founded in 2016 by Bentsi Ben-Atar (CMO), Iftah Bratspiess (co-CEO), and Yossi Appleboum (co-CEO). This is the third company the group has founded together since the late 1990s. Before then, all three had all worked within the Israeli intelligence services. The current chairman of the board, Tamir Pardo, was formerly the director of Mossad, while another advisor is a former CISO with the CIA.
The service provided by Sepio is to detect and mitigate any rogue device that has been attached to the corporate infrastructure. This is a growing threat that only a few years ago was limited to adversarial nation-state activity, but is now increasingly being adopted by major criminal gangs.
While logical security — that is, protecting the flow of data around a system — is well-served by the cybersecurity industry, there is very little that concentrates on the hardware devices. Sepio Systems detects devices connected to the network that should not be there, whether they be keyboards, USB sticks, webcams or even scanners.
“Generally speaking,” Appleboum, told SecurityWeek, “people don’t consider devices like mice or keyboards as potential rogue devices posing a security threat — but it does happen. Sepio recently discovered a rogue mouse that was used to communicate with a C&C in order to deliver a ransomware attack; and another one that was used to exfiltrate proprietary information from a highly secure facility.”
He continued, “We’ve also found rogue keyboards — one was found within the close supply chain of a stock exchange in Europe, where an implant within the keyboard was able to collect sensitive data. These attacks are mostly delivered by swapping an existing device with a false one that looks identical.”
The advantage to the attacker in this scenario is that there is no injection of detectable malware into the network (although it could be done if that is the purpose of the attack). If the attack is intended for espionage only, the rogue device simply exfiltrates what it receives. In the example of the supply chain rogue keyboard, it could potentially obtain credentials for access directly into the stock exchange. The same principle would apply for attacks against military or critical infrastructure facilities. “A rogue device is similar to having a malicious insider inside the target organization,” said Appleboum.
The system works by collecting meta data, which becomes a fingerprint, from all the customer’s devices and storing the fingerprint in the Sepio cloud. If a criminal group were to swap the official device for a compromised one, then the fingerprint changes to something unrecognized, and the device is flagged. So, for example, if a customer uses Dell equipment, all the official keyboards will have an identical fingerprint. If one is swapped for a malicious keyboard with a hidden implant, it may look identical to the official keyboards, but will generate a different fingerprint.
The advantage of this approach is that it does not generate false positives. If one employee doesn’t like the Dell keyboard and brings in and connects a personal Microsoft keyboard, provided that the keyboard has not been tampered with, it will still generate the correct fingerprint for what it is, and be accepted. The Sepio cloud currently holds around 5 million different fingerprints for genuine devices. Proprietary machine learning developed in the Lisbon office is used to determine good from bad fingerprints.
Remediation against detected rogue devices will depend on the customer’s policy. In some cases, especially in production environments, continuity of operation may be essential. Here, the problem will simply be reported, and the customer can take whatever action it deems possible or advisable. If continuity of operation is not essential, Sepio can immediately and automatically shut down the rogue.
The process can also be used in home working situations. The devices will still be monitored by the Sepio cloud. Even if different members of the family use different mice or keyboards on a home computer, only if the device generates a fingerprint unknown to the machine learning in the cloud will an alert be triggered.
Working from home is a growing practice. During the COVID-19 pandemic it has become standard practice. There is ample advice on coping with the new expanded threat from home working — but there is another side that is not so obvious. While staff are being sent home, buildings and infrastructures are largely left unattended. “The whole infrastructure becomes vulnerable to rogue devices while the building is left empty,” commented Appleboum. “Both adversarial states and criminal gangs will use this opportunity to install rogue elements inside those organizations. We are almost certain that such campaigns are in process right now.”
Sepio Systems closed its primary Series A round of $6.5 million in November 2019. That funding had been led by Hanaco Ventures and Merlin Ventures, with the participation of existing investors Energias de Portugal (EDP), Mindset Ventures and Pico Partners.