Cyber Things 11.17.25
Ep 1 | 11.17.25

The Unseen World

Transcript

Rebecca Cradick: Welcome to Cyber Things. This is a short series from our normal Bad Actors podcast. We're paying homage to "Stranger Things." We're exploring the hidden world beneath our connected reality. And just like "Stranger Things," the digital world has its own Upside Down, a place of unseen devices, silent intruders, and invisible threats. I'm Rebecca Cradick. I'm the Vice President of Global Communications here at Armis. And for this short series, we're going to be talking to some of our Armis cybersecurity professionals and massive "Stranger Things" fans who want to talk about the digital demons that lurk in the shadows. For my first episode, I am joined by Kam Chumley-Soltani, our Director of OT Solutions Engineering at Armis. Kam, welcome to Cyber Things.

Kam Chumley-Soltani: Thank you so much. I'm excited about this, Rebecca. When you reached out, I was giddy on my chair. This is a no-brainer. So I love it. It's fun. And when you mentioned "Stranger Things," I was like, "Sign me up." No hesitation.

Rebecca Cradick: Perfect. That's what we love. We want something a little bit different than our normal programming discussion. So before we dive into sort of more of the Cyber Things, "Stranger Things" is a few weeks away. Are you excited? I am.

Kam Chumley-Soltani: Chaos. It's chaos everywhere. I'm literally on the edge of my seat. So it's funny, like, as you brought this up and we agreed to do this, there are so many parallels. So it's going to be a good conversation for sure.

Rebecca Cradick: I know. It 100% is. And look, even if you're not a "Stranger Things" fan, I think people will -- and definitely in cybersecurity and in the market that we work in every day, I think people will really resonate with this concept, and I'm hoping it will provoke a lot of debate within our specific cybersecurity community as well. So look, let's get into this. We are in November, and 2025 has been absolutely crazy. And we say this every year. We get to the end of the year and think, oh, that was an extraordinary year of threats, of hacks, of, you know, uncovering of, you know, things that are going on around the world. But this year, particularly, it seems to have been a lot worse than previous years. And I want to talk specifically to you about critical infrastructure because this is your specialism. This is what you look after from a customer perspective at Armis. Do you think this has been the worst year for targeting critical infrastructure? And, like, what do you think that has looked like in terms of how customers have had to start really thinking about connecting their devices in that world?

Kam Chumley-Soltani: Yeah, 100%. I think not only from a strategic level, but even from a technical level, we see digital convergence coming up more and more and more and more. And maybe where 10 years ago, you had a lot of what we called operational technology, and to set the stage for everybody, these are not just business computers, what we call the carpeted space, but even things like devices that are programmed to make something go up or down, faster, slower, hotter, colder. So when we say critical infrastructure, we're talking about things like water utilities, electric utilities, pharmaceutical companies, rail, aviation. You name it. Anything that has real kinetic effects in the world, when we say operational technology or critical infrastructure, that's what we're referring to. And to your point, Rebecca, I feel like every year we finish and it's like, "Whoo! That was a year. Surely it can't get any crazier next year." And then it happens. So, to answer your question, I mean, there's been a couple of massive attacks already in critical infrastructure specifically. And what we're really seeing is, because of the convergence of IT and OT and more devices now having internet access or being IP-related and not necessarily serial, what that means as we're becoming more digital is that with it comes additional attack vectors. And we're seeing that time and time again, and there's actually a couple of big attacks that we could touch on today.

Rebecca Cradick: Yeah. And I want to talk to you specifically about that, and, like, try and give some guidance to our audience of, like, how we need to think about it as we go into 2026. But it's interesting because, you know, you mentioned a few things. We hear a lot of noise about, you know, digital transformation, IT, OT convergence, where threats actually come from, the unseen devices that sit on your network. But like "Stranger Things," there's a lot lurking in the shadows.

Kam Chumley-Soltani: Yeah, 100%.

Rebecca Cradick: And a lot of stuff we talk about at Armis and, you know, within the community is this fundamental parallel of understanding everything, seeing the unseen, making sure that you understand where every single device has been connected and the impact it has. Why is that so important? Why is that rogue device that's sitting on a network that is just a harmless IoT camera or a harmless little mobile, if that's in the corporate network, why is that so important to be aware of if you are looking in a critical infrastructure operational technology environment?

Kam Chumley-Soltani: Yeah, the real reason is because all these devices, they aren't just standalone. So, yes, if those devices are impacted, they could have catastrophic effects. But it's not just the primary attack. You have to then start considering secondary and third effects and where it's going to go. And to your point specifically with digital convergence, what before was just a router sitting on an enterprise or an IT network is now a gateway or rift or a portal into the OT environment. So looking at things like, for example, those devices that now have internet connectivity, and I'm going to relate everything back to "Stranger Things" here. A few little nuggets along the way, is you can almost think about it as the internet is the main gate or the Mothergate. So although it's great and it's helping us be efficient and more operational, with the Mothergate now available, it's now a portal to reach into and look at those vulnerable devices. And then I'm happy to keep expanding on this, but attack vectors essentially that once you access one device that's vulnerable, it could be a catalyst to then spread more devices, i.e., create the hive of the army, right?

Rebecca Cradick: For sure, so one of the things that's really interesting, I think, and you talk a lot about this parallel with the devices and sort of the portals in IT, potentially, IoT, there's this cross-section of threat that comes from those environments. Even if you air gap a security environment like a manufacturing plant or a hospital, we know that there have been influences from the supply chain, from other devices, in what they thought was an air-gapped, protected environment, but it genuinely hasn't been. Can you talk, in your experience of how you work with customers, about how you've had to sort of set up certain environments to try and put some controls in place so that we can manage these sorts of barriers and try and keep the sort of lurking hidden concerns of the underworld away?

Kam Chumley-Soltani: Yeah, 100%. And I have to give a huge shout-out to the OT team at Armis, and we do this every single day. It is not only "ooh, ooh, let's go!" It's not only applying ourselves as technical advisors and subject matter experts, SMEs, but sitting in a room and really being connectors. So to give you an idea, when we think of the internet or we think of the vulnerabilities or threats and all these different tactics, techniques, and procedures that exist out there, right, that really is the Upside Down world, right? That's where all the big scary things live, and they're reaching out. And specifically, what we like to do as a step one is we will go sit in the same room as the IT team and the OT team. And a lot of times, those folks, they never interact. So that's, again, going back to having a power team of Will and El and everybody else all together to chart out what it looks like, right? And then from there, you need to do an initial assessment to understand what devices you even have. So you have initial visibility and monitoring. What's talking to what? What's insecure? What's using insecure protocols? What's vulnerable? And you build it out. So that's where having something like Armis means having that continuous monitoring to understand all the communications between devices, all the vulnerabilities with devices. So that way, in the event that something does reach out from the Upside Down world or from the Mothergate, and the vulnerabilities and the attackers are coming in, now you get some sort of immediate alert or immediate response. So we always tell people it is a crawl, walk, run, and it's not lost on anybody that this doesn't happen overnight. It's definitely a phased approach. But that's how you get there. And so even talking about an analogy of what that would look like for all the "Stranger Things" fans out there, I'll break it down for everybody. 
So you can think about something like the Mothergate being the internet, and inside of the Mothergate, you essentially have a Mind Flayer who is -- think about the brains behind everything. And this Mind Flayer has a telepathic link to all these different kinds of monsters and armies that can go out there. So you can think about the Mind Flayer as the brains or an advanced persistent threat or a nation state actor that's going out performing some of these large exploitable attacks that we see wreaking havoc across critical infrastructure. And so there's different various types of soldiers, we'll say, that are under the command of the Mind Flayer, right? We'll say Demogorgons and Demodogs and everything else. All you need to know is these are basic attackers that are predatory. And so they essentially will smell blood or some presence of something, and they will attack it. So in this use case, those are hackers or hacker activists that are then going through something like the Mothergate. And earlier, Rebecca, you spoke on environments that are air gapped, and that's why sitting down with the team is so important, because they may say that they're air gapped, but as you do a bit of objection handling and you're sitting down with the teams and you're mapping out network architectures, lo and behold, there may actually be an open pivot point to that IT device that they can use as a segue. So maybe those vulnerable devices, those are the blood that the Demogorgons smell and they're going out to attack, right? And maybe in the event that they actually are exploited, those vulnerabilities -- and we can relate this to an attack that's happened over the last couple of years that's still ongoing. 
Once a device is actually exploited, it then becomes a pivot point for all those other devices that will shut down the power grid, that will turn off the baggage handling system in an aviation system, or a pharmaceutical company, where it changes the chemical composition of what that medication looks like. And we can refer to those, right, the actual devices that are being compromised, as something like the flayed, right, where they're essentially being taken over to then gather other people and bring them into the army all through that one telepathic link. So it is pretty scary out there, but we advise everybody to first get monitoring and see what's out there. Then you have to have vulnerability management to know which devices can be exploited. Then you have to have threat detection, and then ultimately, it's an ongoing iterative process to keep growing that environment and understanding things. And that also goes back to teamwork, right? Looking at all your other security tools, i.e., the rest of your team that are fighting everything in the Upside Down world, and then joining together.

Rebecca Cradick: Yeah, and it's interesting because what you're talking about, what you're describing here is a massive escalation over the last three years, as you've said. And you know, I hate using this buzzword. We talk a lot about it on our other podcast, but AI has expanded and sped up the Mind Flayer ability of the team of bad actors to really put a lot of the emphasis and the speed and the time to hack or time to threat is very quick now. And so it's interesting, as we look forward to 2026, how I think what you've laid out, the strategy of what you need to think about from a base level perspective, and then sort of add the layers on. We know that AI is massively creating a new dynamic for people to think about, and it is sort of sentient, sort of scariness in that they're starting to evolve and learn from hacks that they've tested in other environments, particularly, and then adapt that to another, you know, whether it's an airport or a water treatment plant. We know that learned behavior has allowed people to expand their attack surface. So, how do organizations then sort of -- you know, we don't want to scare them and suggest that Vecna is sitting watching them. But there is a sort of a more serious point in that we know that this evolving threat landscape is creating massive amounts of change for organizations. So what do you think the first step is in trying to solve that next year? What do you think they should be doing as they look at that expanding attack surface with AI particularly in mind?

Kam Chumley-Soltani: Yeah, spot on. And I mean, you said it best, right? We're seeing a lot of these exploits and attackers and red hatters and penetration testers and everybody else, right, unfortunately, more so on the adversarial side of the house for malicious intent. But you're right. And you can think about this, again, going back to "Stranger Things" of having the Upside Down world being the big and scary and the attackers, and the Rightside Up being just the normal water utility or electric utility out there. So the real world, where all they care about right now is they want to make sure that the plant or the treatment facility is up and running, and it's doing the job it performs. It's like living in the real world, right? But on the other side of things, in the Upside Down world, they have one intent and they have one mission, and that's all they're focusing their time on. So two different worlds. So now we look at the Rightside Up, not just making sure that everything is operationally up and running in a safe and secure manner, but now you have to incorporate cybersecurity, and you have to get ahead of things like AI and automated offensive abilities, right? So the way that you mitigate that is you have to be very tailored. And it's not lost on us that there's only a finite amount of resources per team. And, for example, the last thing that you want to do is you don't want to get a tool that's giving you four million alerts every single day, and then your team doesn't even know how to tailor it down because there's alert fatigue. So it's understanding of those devices that are vulnerable out there. It doesn't necessarily mean that every single device needs to be patched or needs that sort of upgrade for whatever it might be. If you have the proper segmentation in place with physical or logical segmentation and micro segmentation, the risk inherently will lower, right? 
So with that being said, it would almost be like instead of those four million alerts, you then would understand that of those four million alerts, maybe there's, you know, a million devices, and of the million devices, because you have proper segmentation, maybe only 10% or 5% of those can actually be exploited. And in Armis terms, we refer to it as attack path mapping. So not just getting alerts, but understanding of those devices, how an attacker from the Upside Down world would come in, and they would actually get to that end, attack the end device, and hop from A to B to C, and then exploit it, and then continue to build out their army and continue to build power, right? So there's a couple mechanisms for that. So integrating all of your tools, understanding what your attack landscape looks like, and then having something like an attack path map so that you know you're getting all of these alerts, but the real things to focus on, so we can prevent any other rifts from opening.

Rebecca Cradick: Yeah. And it's funny because one of the big premises of "Stranger Things" is, of course, awareness and power and having that control and how you manage control. And I'm, you know, excited to see Eleven and Dustin and the rest of the crew and how they tackle -- the coming together of the two worlds. But it's funny because, in cybersecurity, we talk a lot about awareness being the key power. But of course, it's the one thing that slips through a lot of organizations' fingers, because it's ever-changing. One minute, you think, you know, you've got everything sorted. You know where everything is. You can see everything. You know what your attack surface looks like. But of course, guest access, the supply chain, anything that's coming in and out on a daily basis changes the game. So awareness and control is a complete illusion. So, how do you then get into that proactive defense mode when actually, a lot of organizations are still having to react to everything on a daily basis?

Kam Chumley-Soltani: Yeah. Yeah. And I think a lot of it comes down to information sharing, collaboration, teamwork, private-public partnerships. And the reason for that is because, to your point, we don't want to be reactionary. A lot of times, when you look at recent attacks over the last couple of years, typically an adversary will sit in an environment for months before they actually exploit those end devices or they execute a kill chain. And at that point, it's probably too late, right? They know everything about living off the land. So it's coordinating with people and finding a trusted advisor to help you. And you look at the team in "Stranger Things," right? Without each other, they would crumble. It really is a powerhouse team. And the way I like to look at it is they all bring something to the table, whether it's a scientist or it's the loyalty of a team, or maybe it's even something like, we'll consider Armis the El, right? We're closing the rift. And the team uses us as the tool to go forward. So we will be the aggregation of all the other security tools, everybody else on the team. And then, acting as El, we will use that power to go close the rift. And that's where we come from. So now, instead of having somebody living off the land for six months or seven months, we will identify anomalies or rogue devices or dual-homed assets, or somebody coming in when they shouldn't, or a PLC switching modes. And that's because we're using the team as the one point of truth. And then, as El, we can then talk to the rest of the team and close it together.

Rebecca Cradick: Yeah. And I love this analogy of, like, teamwork because I think that, for us that have been working in cybersecurity for so long, it does feel like the community tries to band together. You know, we do not point fingers when other people have been, you know, hit. We are in the trenches together trying to defend the nation and defend the countries that, you know, our customers are based in. It's interesting as I look back at last year, this year, and look forward, I do genuinely feel -- and why I'm so sort of passionate about this subject is how mainstream cybersecurity issues are now. We talk a lot in, you know, our little bubble of cybersecurity professionals of, like, what the problems are, but this year feels like it is in every conversation, my grandmother, my parents, my friends, my family, people that are not remotely in the cybersecurity world, but they know the impact now. This is not a hidden technology, IT society, IT department sort of element of discussion. It is mainstream life. Everybody has probably been affected by something in the last couple of years, whether that's, you know, the democracy at threat that happened last year. I'm a Brit. The UK this year has been inundated with threats across retail, you know, big manufacturers, car manufacturers, financial institutions. It really does feel like we have been inundated this year in problematic attacks. And it's had a huge detrimental effect on the economy. It's had a detrimental effect on the people working at those organizations, not just in cyber, but the actual staff. And I worry, next year, that this could potentially get even more critical. You mentioned right at the beginning of our discussion a water treatment plant, we know some horror stories that have happened there, we talk about medical issues, you know, cutting-edge life-threatening issues that have been created or have been affected by cybersecurity threats or disruption. 
If we look into next year, what are the things that you would put out there about, you know, positive intent that the community and the wider society need to be aware of as we think about cybersecurity issues for 2026?

Kam Chumley-Soltani: Yeah, and I'll start off by saying I'm scared, too, Rebecca. Never in my life did I think that I'd be sitting around a Thanksgiving dinner and my grandma bringing up cyber attacks. So it's crazy. I mean, and not even in critical infrastructure, right? I mean, that's what I'm very passionate about. I think you are, too. But even looking at things like deep fakes and using AI to replicate audio and visuals, and now impersonating people, where not just from a technological standpoint, but even things like social engineering being expedited through AI. So it is terrifying, and I think, next year, the way that we get ahead of this really is going out and interacting with the ecosystem and our partners and getting involved. To give you an idea, here at Armis, we're heavily involved with things like building out an OT Zero Trust framework and providing comments. There's something called the OT Cyber Coalition that does amazing work on the Hill that we're very involved with. And shout out to them. They're doing a great job, too. And information sharing with things like ISACs, Information Sharing and Analysis Centers, where we're now using the information that we have, not only just as an OEM and as Armis, but sharing it across the entire ecosystem so that we can succeed together. So that way, in the event that there is a zero day, you don't have to wait weeks or months to understand if you've been attacked, and you can get immediate results. And then pulling something in, there's a bunch of great partners out there, too, that have things like incident response retainers. So in the event that there is some sort of attack or incident that occurs, even if you don't have the manpower to support that sort of incident response, you have a team that's backing you. 
So you have something from a technological standpoint that's backing you, and what's been identified in those attacks and fingerprints and any sort of hash that's matching or indicators of compromise. But you also have a team that can go out there and visit you. They can help you walk through that response. They have maybe something like a flyaway kit to do assessments to understand what's been attacked and triage it and everything else. So really, to answer your question in short, it goes back to those partnerships and building a powerhouse team that, regardless of where that rift opens up or how the story changes, or maybe things that you didn't expect to happen in the first place, you can stay agile and be proactive and use AI to your advantage, right? Use it to augment your team. And not from a noise standpoint of being even more alerted and having the noise fatigue in front of you, but use it to do things like educate your teams on critical infrastructure, educate them on how to use specific tools, right? I mean, even us at Armis, we have a data lake of, you know, 6.5 billion devices that we're constantly fingerprinting. You can use AI to essentially look through that database to see which devices are end of life and if they can still be exploited. And you can use it for a variety of other things, right? Like enrich your SOC, educate your team members. Come to workshops that we're at, everybody else. Go to conferences that are talking about cutting-edge technologies and problems, and really just get involved. Every person in this community, and you and I both, Rebecca, we're very passionate about this because, at the end of the day, it's about protecting society, right? We're all in it together.

Rebecca Cradick: It is. And I love that. I mean, we should end there really because that is the end game, at the end of the day, and what a lot of us get up in the morning and work as hard as we do for. We are actually at the very, very cutting edge of technology and the impact it has on day-to-day lives. And I don't want everyone to be scared, but we do see a lot of change, and I think going into next year, we need to be acutely aware of what could potentially happen. Awareness, knowledge is power, and just being aware of those things and being proactive and not sitting back and sort of waiting for things to happen is going to be crucial. I look forward to the rest of this series because we're going to be talking to Michael Freeman, who's head of our Armis Threat Intelligence team, Nadir Izrael, our Co-Founder and CTO, and then, of course, Curtis Simpson, our CISO. So we're going to have lots and lots of discussions about what else could be happening, but I'm going to end on our favorite subject. Of course, "Stranger Things" is three weeks away. A little bit of prediction. You don't know how it's going to set itself up for the final series. What do you hope to see?

Kam Chumley-Soltani: Yeah, to be honest, I feel like the ending was already pretty emotional for me. So before this -- I mean, I literally sat there for about four minutes afterwards just digesting everything. So I don't know if it's going to have to be a grand finale of the two worlds finally colliding and the Upside Down world now essentially projecting itself into the Rightside Up, but I don't know, especially with things like the particles and matter in the air. Does that mean that more people are going to join the army? What does that mean for El not being blind? There's just so many things that are coming up that I couldn't tell you. I think the show does a great job of keeping us on our toes. And trust me, I'm on my toes right now, Rebecca.

Rebecca Cradick: I'm just playing all the music, like, I'm an '80s kid, I think. I'm just playing the music and getting ready for it. But you know, I'm a sucker for a happy ending. I really hope that, you know, a bit like the cyber world, we will defeat the baddies, and that's how it will play out in the show as well as in real life. Kam, thank you so much for joining me for the first episode. I'm really excited. We're going to get your views later on in the series as to how it's all mapped out in the actual program, but also how we go into 2026. So, for now, thank you so much. And for the rest of our audience and listeners, please tune in for the next episode, where we talk even more about some of the threats exposed by the Upside Down. Till then, bye. [ Music ]