Threat Vector Podcast Summary
Episode: Don't Leave Them to Their Own Devices
Date: October 30, 2025
Host: David Moulton (Senior Director of Thought Leadership, Unit 42, Palo Alto Networks)
Guest: Asher Devla (Principal Security Researcher, Palo Alto Networks)
Episode Overview
This episode explores the findings of the 2025 Device Security Enterprise Threat Report by Palo Alto Networks, with a particular focus on the security of managed and unmanaged devices, network segmentation, the persistent risks of flat networks, and how organizations can regain control of their expanding attack surfaces. Host David Moulton and guest Asher Devla discuss the realities and persistent challenges facing security teams in the age of IoT, OT, and heterogeneous device environments, highlighting practical advice for visibility, risk management, and proactive defense.
Key Discussion Points and Insights
1. Asher Devla's Path to IoT/OT Security
- [02:32] Asher describes his unconventional journey into IoT/OT security, beginning with offensive security roles, transitioning to incident response in Mexico (2017), becoming interested in malware analysis and reverse engineering, and then joining a startup (later acquired by Palo Alto Networks) through a hands-on IoT firmware reverse engineering challenge.
- Quote: “I was in my PJs because I was not sure what I was doing right.” —Asher Devla, on unknowingly interviewing for his future job (04:49)
2. Challenges with End-of-Life Devices
- [05:11] At RSA and other conferences, Asher has highlighted the dangers of IoT devices that are not properly decommissioned and the risks of outdated protocols.
- Quote: “...sometimes you don't have any other option than just accepting the risk. But the most important thing is that you know that you have that risk in your network.” —Asher Devla (05:56)
- When operational realities mean you can't remove vulnerable devices, visibility and layered defenses become crucial.
- [07:22] Layering security (firewalls, monitoring, strong policies) around unremovable legacy tech is critical.
3. Gaps in Device Visibility and Inventory
- [07:42] Despite advancements, most organizations are still challenged by device inventory and visibility—averaging 80 device types per network, complicated further by bring-your-own-device (BYOD) trends.
- Common gaps include:
- Personal smartphones/tablets lacking corporate protection (no EDR/XDR)
- Ubiquitous but exposed IoT devices (IP cameras, DVRs)
- Virtual machines that bypass host security controls
- Quote: “Administrators don’t consider the complexity of the ecosystem.” —Asher Devla (08:25)
4. Vulnerabilities Due to Lack of Endpoint Protection
- [12:21] ~39% of devices in Active Directory are not protected by EDR/XDR.
- Reasons:
- OS compatibility issues (older/specialized hardware can’t run modern security)
- Budget constraints lead to selective license purchasing
- Forgotten/unused but connected servers
- Quote: “There's no way for you to install an endpoint security for many of them.” —Asher Devla (12:35)
5. Flat Networks and New Attack Paths
- [14:23] Flat networks enable attackers to pivot easily between low- and high-value assets.
- Microsegmentation is useful but not a panacea—segmentation supports granular controls and monitoring but doesn’t guarantee security.
- [16:32] “Segmentation doesn’t mean that you have a secure network... but definitely it helps a lot.” —Asher Devla
6. Credential Abuse and Brute Force Attacks
- [18:21] SSH brute force remains a top attack method, targeting both IoT and IT infrastructure.
- Quote: “It is one of the top attacks we have observed... also IT servers.” —Asher Devla (18:21)
- Hardening and policy measures are especially important where endpoint security is not feasible (e.g., cameras, DVRs).
- Disable unused services, enforce strong passwords, limit connections
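The brute-force activity described in this segment is usually visible in the SSH daemon's own authentication log, which matters because cameras and DVRs that cannot run an EDR agent can still forward syslog. The following is an added example, not code from the episode or from Palo Alto Networks: a small sliding-window detector over constructed OpenSSH log lines that flags a source address once it accumulates a threshold of failed logins inside a time window, and marks the higher-priority case where a successful login follows such a burst. The threshold, window and sample lines are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format (not real log data):
# one fast burst with a later success, one benign typo, one low-and-slow attempt.
SAMPLE_AUTH_LOG = """\
Oct 30 10:00:01 cam-gw sshd[1201]: Failed password for root from 203.0.113.5 port 51001 ssh2
Oct 30 10:00:02 cam-gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Oct 30 10:00:03 cam-gw sshd[1203]: Failed password for root from 203.0.113.5 port 51003 ssh2
Oct 30 10:00:04 cam-gw sshd[1204]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Oct 30 10:00:05 cam-gw sshd[1205]: Failed password for root from 203.0.113.5 port 51005 ssh2
Oct 30 10:00:06 cam-gw sshd[1206]: Failed password for invalid user ubnt from 203.0.113.5 port 51006 ssh2
Oct 30 10:00:20 cam-gw sshd[1210]: Accepted password for root from 203.0.113.5 port 51010 ssh2
Oct 30 10:05:00 cam-gw sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct 30 10:07:00 cam-gw sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Oct 30 10:30:00 cam-gw sshd[1400]: Failed password for root from 192.0.2.9 port 22222 ssh2
Oct 30 10:45:00 cam-gw sshd[1401]: Failed password for root from 192.0.2.9 port 22223 ssh2
Oct 30 11:00:00 cam-gw sshd[1402]: Failed password for root from 192.0.2.9 port 22224 ssh2
Oct 30 11:15:00 cam-gw sshd[1403]: Failed password for root from 192.0.2.9 port 22225 ssh2
Oct 30 11:30:00 cam-gw sshd[1404]: Failed password for root from 192.0.2.9 port 22226 ssh2
"""

# Matches the common OpenSSH auth-log shapes for failed and accepted logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line, year=2025):
    """Return timestamp, outcome, user and source IP for one line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a single assumed year keeps ordering intact.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    A successful login from an already-flagged IP is recorded as
    success_after_burst, which is the case to triage first.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    total_failures = Counter()
    flagged = {}
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            total_failures[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            # Drop failures that fell out of the window relative to the newest one.
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_flagged": ev["ts"], "success_after_burst": False}
        elif ip in flagged:  # an Accepted login from a flagged source
            flagged[ip]["success_after_burst"] = True
    for ip in flagged:
        flagged[ip]["failures"] = total_failures[ip]
    return flagged


if __name__ == "__main__":
    for window in (60, 3600):
        hits = detect_brute_force(SAMPLE_AUTH_LOG.splitlines(), window_seconds=window)
        print(f"window={window}s: {hits}")
```

With the default 60-second window only the fast burst from 203.0.113.5 is flagged (six failures, then a success); widening the window to an hour also catches the low-and-slow attempts from 192.0.2.9, while the single mistyped password from 198.51.100.7 never trips either setting. The window length is therefore the tuning knob that trades alert noise against the patient attacker the segment warns about.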
7. Principles and Pitfalls of Zero Trust in Device Security
- [20:27] Zero trust assumes that device trust can be validated, but lack of management undermines this principle.
- Quote: “If you can't see a device on your network, you cannot protect it…but that's not the only thing.” —Asher Devla (20:50)
- Context and intelligence matter—not just asset presence
8. Persistent Outdated and Unsupported Systems
- [21:45] “If it works, don't fix it” mentality traps many organizations with outdated OS/devices.
- Barriers: budget, operational necessity, legacy applications
9. Importance of Asset Lifecycle Governance
- [23:32] Lifecycle management must be proactive: plan for acquisition, maintenance, and decommissioning, including erasure of sensitive data.
- Quote: “You need to think about this lifecycle...how you’re going to make sure that it is properly removed from your network.” —Asher Devla (24:03)
10. Context-Aware Risk Scoring vs. Traditional Ratings
- [26:19] Not all critical vulnerabilities are equally risky—a less-severe issue on a critical device is more important than a critical CVE in a less-important corner.
- Quote: “Not always the most critical vulnerability is the one that is going to pose the most risk…context is more important.” —Asher Devla (27:23)
- Prioritize based on device function, placement in critical processes, and connectedness
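To make the prioritization idea concrete, here is an added example (not code from the episode, the report or Palo Alto Networks) that scales a finding's base severity by the context the segment names: the device's function, its place in a critical process, its Internet exposure, how many other segments it can reach, and whether it has endpoint protection at all. The multipliers, device inventory and CVE labels are assumed placeholders chosen to illustrate the ranking, not values from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    function_weight: float         # 0.5 (lab/test box) .. 2.0 (safety or revenue critical)
    in_critical_process: bool      # sits in a production or safety process
    internet_exposed: bool         # has a service reachable from the Internet
    reachable_segments: int        # how many other network segments it can talk to
    has_endpoint_protection: bool  # EDR/XDR agent present


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifiers below; none come from the report
    cvss_base: float  # vendor/NVD severity, 0.0 - 10.0
    device: Device


# Illustrative multipliers (assumed for this example, not from the report).
CRITICAL_PROCESS_FACTOR = 1.5
INTERNET_EXPOSED_FACTOR = 1.5
CONNECTEDNESS_STEP = 0.1  # +10% per reachable segment, capped at five segments
UNPROTECTED_FACTOR = 1.3  # no EDR/XDR means no second line of defense


def contextual_risk(f: Finding) -> float:
    """Scale the base severity by where the device sits and what it does."""
    d = f.device
    score = f.cvss_base * d.function_weight
    if d.in_critical_process:
        score *= CRITICAL_PROCESS_FACTOR
    if d.internet_exposed:
        score *= INTERNET_EXPOSED_FACTOR
    score *= 1 + CONNECTEDNESS_STEP * min(d.reachable_segments, 5)
    if not d.has_endpoint_protection:
        score *= UNPROTECTED_FACTOR
    return score


def prioritize(findings):
    """Return (cve, device name, risk) tuples, highest contextual risk first."""
    ranked = [(f.cve, f.device.name, round(contextual_risk(f), 2)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed inventory: by base severity alone A and C (9.8) would outrank B (5.3).
LAB_VM = Device("lab-test-vm", 0.5, False, False, 0, True)
AD_SERVER = Device("ad-file-server", 1.2, True, False, 1, True)
PLANT_DVR = Device("plant-dvr", 1.5, True, True, 4, False)

FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", 9.8, LAB_VM),
    Finding("CVE-PLACEHOLDER-B", 5.3, PLANT_DVR),
    Finding("CVE-PLACEHOLDER-C", 9.8, AD_SERVER),
]

if __name__ == "__main__":
    for cve, name, risk in prioritize(FINDINGS):
        print(f"{risk:6.2f}  {cve:18}  {name}")
```

Run as-is, the medium-severity finding on the unprotected, Internet-exposed DVR in a plant process lands at the top, the critical finding on the protected directory server comes second, and the same critical CVE on an isolated lab VM drops to the bottom. The base score is unchanged in every case; only the context differs, which is the point Asher makes at 27:23.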
11. Breaking the Attacker Chain: Recommendations
- [30:11] Move from reactive to proactive security:
- Identify “crown jewels” and attack paths
- Use microsegmentation and strict access controls
- Eliminate blind spots via proper sensor/firewall placement and modern network equipment
- Ensure endpoint security reaches beyond just high-value systems
- Limit Internet-exposed devices as much as possible
- Quote: “First, you need to eliminate this kind of freedom of the attacker to move laterally...” —Asher Devla (31:03)
12. Fundamental Security Tenets
- [32:32] Rock solid fundamentals: visibility, segmentation, and reducing the attack surface underpin all other strategies
Notable Quotes and Memorable Moments
- On accepting risk for outdated devices: “You need to accept the risk sometimes. But the most important thing is that you know that you have that risk in your network.” —Asher Devla (05:56)
- On network segmentation: “Segmentation doesn't mean that you have a secure network… but definitely it helps a lot…” —Asher Devla (16:32)
- On context-aware risk: “Not always the most critical vulnerability is the one that is going to pose the most risk…” —Asher Devla (27:23)
- On proactive defense: “You need to eliminate this kind of freedom of the attacker to move laterally...” —Asher Devla (31:03)
Key Timestamps and Topics
| Timestamp | Segment |
|-----------|---------|
| 02:32 | Asher’s entry into IoT/OT and malware research |
| 05:11 | End-of-life devices & risk acceptance strategies |
| 07:42 | Visibility/inventory challenges and blind spots |
| 09:36 | Devices most likely to fall through the cracks |
| 12:21 | Reasons for low EDR/XDR coverage |
| 14:23 | Flat networks and lateral movement risks |
| 16:32 | Realistic view on segmentation as a security strategy |
| 18:21 | Prevalence of SSH brute force and credential abuse |
| 20:27 | Zero trust limitations when visibility is incomplete |
| 21:58 | Why outdated/unsupported systems persist |
| 23:32 | Evolving toward proactive IT asset lifecycle governance |
| 26:19 | Context-aware risk scoring vs. traditional severity ratings |
| 28:53 | Prioritization strategies for CISOs faced with sprawling asset inventories |
| 30:11 | Breaking attacker chains; practical recommendations |
| 32:32 | “Rocking the fundamentals”—encapsulation of the episode’s actionable advice |
Final Thoughts
This episode delivers a candid, practical look at the state of device and network security in 2025:
- Acknowledging legacy and unmanaged device realities
- Stressing the criticality of context, not just visibility
- Advocating proactive, layered, and strategic approaches to device lifecycle, network management, and risk scoring
For security professionals, the discussion offers validation, guidance, and motivation to push for smarter, more nuanced strategies in defending increasingly complex environments.
