Expert profile: David Atch
David Atch’s security career and road to Microsoft are atypical of most. “I started in the Israel Defense Forces (IDF) in a cybersecurity role defending attacks and hunting for threats. I did a lot of incident response, forensics, and interacting with industrial control systems.”
While serving in the IDF, Atch met two colleagues who would go on to found the industrial IoT and OT security firm CyberX. He was later recruited into CyberX when his IDF service ended. “I joke that I’ve never had a job interview. The Army doesn’t interview, they just recruit you. CyberX recruited me and then Microsoft acquired the company, so I’ve never had a formal job interview. I don’t even have a CV.”
“Almost every attack we’ve seen in the last year started from initial access to an IT network that was leveraged into the OT environment. Critical infrastructure security is a worldwide challenge and difficult to tackle. We must be innovative in creating tools and conducting research to learn more about these types of attacks.”
Atch’s work at Microsoft focuses on matters related to IoT and OT security. It includes studying protocols, malware analysis, vulnerability research, nation-state threat hunting, profiling devices to understand how they behave in a network and developing systems that enrich Microsoft’s products with knowledge about IoT.
“We’re in a connected age; there’s an expectation that everything should be connected to provide a real-time experience where IT software connects to a network, enabling OT data to flow to the cloud. I think that’s where Microsoft sees the future, where everything is cloud connected. This provides more valuable data analytics, automation and efficiency that enterprises previously were unable to achieve. The overwhelming speed of these devices’ connected evolution, and organizations’ incomplete inventory and visibility of them, often tilt the playing field to the attackers,” Atch explains.
“That said, the best approach to combat attackers targeting IT and OT is Zero Trust and device visibility: understanding what you have in a network and what it’s connected to is critical. Is the device exposed to the Internet? Does it communicate to the cloud, or can someone externally gain access? If so, do you have the means to spot an attacker’s access? How do you manage employees’ or contractors’ access to spot anomalies?
Because patch management may be impossible in some organizations—or incredibly time consuming—and some software in the operator community is unsupported, you must mitigate vulnerabilities with other measures. For example, a manufacturer cannot easily shut down a factory to test and patch something.
I have to add that I don’t do this work alone. The talented team of researchers, threat hunters, and defenders enable me to continue learning every day.”
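The visibility questions above (is the device Internet-exposed, does it talk to the cloud, can it be patched) and the IT-to-OT pivot described earlier can be turned into a small triage pass over an asset inventory and connection records. The following is an added example written for this page, not code from Atch, CyberX or Microsoft; every device name, address, zone, flow record and allowlist entry is constructed sample data, and the field names on `Device` are assumptions for the illustration.

```python
"""Triage a constructed OT/IT inventory: report exposed and unpatchable OT
devices, and flag IT->OT connections that are not on an approved list."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str              # "IT" or "OT" (assumed two-zone model)
    internet_exposed: bool
    cloud_connected: bool
    patchable: bool        # False when the operator cannot take it down to patch


# Constructed inventory (sample data, not a real site)
INVENTORY = [
    Device("hmi-01",   "10.20.0.10", "OT", internet_exposed=False, cloud_connected=True,  patchable=False),
    Device("plc-07",   "10.20.0.57", "OT", internet_exposed=True,  cloud_connected=False, patchable=False),
    Device("hist-01",  "10.20.0.90", "OT", internet_exposed=False, cloud_connected=True,  patchable=True),
    Device("ws-eng-3", "10.10.5.33", "IT", internet_exposed=False, cloud_connected=True,  patchable=True),
    Device("mail-01",  "10.10.1.5",  "IT", internet_exposed=True,  cloud_connected=True,  patchable=True),
]

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.10.5.33", "10.20.0.10", 3389),  # engineering workstation -> HMI (approved)
    ("10.10.1.5",  "10.20.0.57", 502),   # mail server -> PLC over Modbus (not expected)
    ("10.20.0.90", "10.10.5.33", 443),   # historian -> workstation, OT->IT, not in scope here
    ("10.10.5.33", "10.20.0.90", 1433),  # workstation -> historian SQL (approved)
]

# Constructed allowlist of IT->OT paths the operator has reviewed and approved
ALLOWED_IT_TO_OT = {("ws-eng-3", "hmi-01", 3389), ("ws-eng-3", "hist-01", 1433)}


def by_ip(inventory):
    """Index devices by parsed IP address so flows can be resolved to assets."""
    return {ipaddress.ip_address(d.ip): d for d in inventory}


def exposure_report(inventory):
    """Answer the visibility questions per OT device: exposed? cloud-connected?
    patchable, or does it need compensating controls instead?"""
    report = {}
    for d in inventory:
        if d.zone != "OT":
            continue
        findings = []
        if d.internet_exposed:
            findings.append("internet-exposed")
        if d.cloud_connected:
            findings.append("cloud-connected")
        if not d.patchable:
            findings.append("needs-compensating-controls")
        report[d.name] = findings
    return report


def find_it_to_ot_crossings(flows, inventory, allowed):
    """Flag IT->OT connections absent from the allowlist. A flow touching an
    address missing from the inventory is flagged too: an unknown device is
    itself a visibility gap."""
    index = by_ip(inventory)
    flagged = []
    for src, dst, port in flows:
        s = index.get(ipaddress.ip_address(src))
        d = index.get(ipaddress.ip_address(dst))
        if s is None or d is None:
            flagged.append((src, dst, port, "unknown-device"))
            continue
        if s.zone == "IT" and d.zone == "OT" and (s.name, d.name, port) not in allowed:
            flagged.append((src, dst, port, f"unapproved IT->OT path {s.name}->{d.name}"))
    return flagged


if __name__ == "__main__":
    for name, findings in exposure_report(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
    for entry in find_it_to_ot_crossings(FLOWS, INVENTORY, ALLOWED_IT_TO_OT):
        print("FLAG", entry)
```

On the sample data the report marks `plc-07` as both Internet-exposed and unpatchable, which is exactly the case the profile describes where a vulnerability has to be mitigated by other measures, and the only flagged flow is the mail server reaching a PLC on the Modbus port, an IT-to-OT path nobody approved. Real deployments would populate the inventory from a discovery tool and the flows from switch or sensor telemetry rather than literals.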