In this webinar, Dr. Brett Walkenhorst, CTO at Bastille, and Carol Koenigsberg, a retired intelligence officer, discuss the evolution of wireless security practices, from periodic sweeps to continuous passive spectrum awareness. They also explore how stringent wireless-exclusion strategies, once primarily a federal concern, are rapidly expanding to protect commercial AI data centers.
Key Topics
Resilience for AI Data Centers
Understand why advanced wireless security measures are now being adopted by commercial enterprises, such as Oracle, to protect the highly valuable IP—training data, model weights, and proprietary algorithms—housed inside modern AI data centers.
Threats from Nation State Actors
Learn the importance of establishing a baseline of wireless activity to effectively track anomalies, detect potential data exfiltration attempts, and identify the patient, persistent threats from nation-state actors who probe and gradually extract data over time rather than in a single high-risk event.
The Hidden Dangers in the Supply Chain
Discover how everyday procured items—printers, televisions, chillers, and wearables—are inadvertently introducing unauthorized wireless capabilities into highly secure facilities. Even when “no wireless” is specified, equipment regularly arrives with radios enabled because wireless has become the manufacturing default.
The Shift to Continuous Monitoring
Learn why traditional, once-a-month Technical Surveillance Countermeasures (TSCM) sweeps are no longer enough to catch miniaturized, advanced RF devices. With over 30x more wireless device types in environments today than a decade ago, continuous monitoring is the new standard for threat detection.
Identifying Operational Vulnerabilities
Uncover the hidden risks in everyday building infrastructure, such as HVAC technicians enabling Bluetooth or Zigbee on chiller systems for remote maintenance, hotspot-based data exfiltration from rack-mounted devices, and undiscovered wireless protocols on RFID door locks and OT/ICS controllers.
Wireless Security at Scale: The Oracle Partnership
See how Oracle AI Infrastructure selected Bastille to provide 24/7 continuous passive RF spectrum monitoring across its AI data center portfolio—a landmark deployment validating that wireless security is now table stakes for hyperscalers protecting critical AI infrastructure.
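The topics above describe three detection ideas in prose: build a baseline of what emits where, approve (whitelist) the devices that must be present, and alert on anything new, anything in a restricted zone, or a dual-homed device that bridges a local link to a cellular uplink (the hotspot-to-rack-dongle and hearing-aid-to-phone cases). The following Python is an added example written for this page, not Bastille's software or any vendor API. The observation schema, track ids, zone names, device identifiers and policy sets are all constructed assumptions standing in for what a passive sensor array with localization and header decoding would report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Obs:
    """One decoded emission, as a passive sensor array might report it (constructed schema)."""
    ts: int                     # seconds since epoch (constructed)
    track: str                  # hypothetical localization track: one physical emitter, all its radios
    dev: str                    # hypothetical per-radio identifier decoded from packet headers
    proto: str                  # "wifi" | "bluetooth" | "zigbee" | "cellular"
    zone: str                   # floor-plan zone the sensors localized the emitter to
    peer: Optional[str] = None  # radio identifier of the other end of the link, when decoded


# Hypothetical site policy: no wireless in the data hall unless explicitly approved.
RESTRICTED_ZONES = {"data_hall_A"}
ALLOWLIST = {"bt:hearing-aid-17"}  # approved medical device

# Constructed learning window: what the sensors saw while the site was known-good.
BASELINE_WINDOW = [
    Obs(100, "t1", "wifi:ap-corp-01", "wifi", "lobby"),
    Obs(101, "t2", "cell:visitor-a", "cellular", "lobby"),
    Obs(102, "t3", "bt:hearing-aid-17", "bluetooth", "data_hall_A"),
]

# Constructed live window containing the three scenarios the page describes.
LIVE_WINDOW = [
    Obs(200, "t1", "wifi:ap-corp-01", "wifi", "lobby"),
    Obs(201, "t9", "zb:chiller-coord", "zigbee", "data_hall_A"),       # chiller left in Zigbee mode
    Obs(202, "t7", "cell:phone-42", "cellular", "data_hall_A"),       # phone with a cellular uplink
    Obs(203, "t7", "wifi:phone-42-hotspot", "wifi", "data_hall_A", peer="wifi:rack-dongle-7"),
    Obs(204, "t8", "wifi:rack-dongle-7", "wifi", "data_hall_A", peer="wifi:phone-42-hotspot"),
    Obs(205, "t3", "bt:hearing-aid-17", "bluetooth", "data_hall_A"),  # approved, on baseline
    Obs(206, "t4", "cell:phone-17", "cellular", "data_hall_A"),
    Obs(207, "t4", "bt:phone-17", "bluetooth", "data_hall_A", peer="bt:hearing-aid-17"),
]


def build_baseline(window):
    """Baseline = the set of (radio id, protocol, zone) triples seen during the learning window."""
    return {(o.dev, o.proto, o.zone) for o in window}


def evaluate(window, baseline):
    """Return ordered, de-duplicated alerts for a live window against the baseline and policy."""
    protos_by_track = defaultdict(set)  # which radios each physical emitter is using
    for o in window:
        protos_by_track[o.track].add(o.proto)

    alerts, seen = [], set()

    def emit(*alert):
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    for o in window:
        approved = o.dev in ALLOWLIST
        if not approved and (o.dev, o.proto, o.zone) not in baseline:
            emit("new_emitter", o.dev, o.proto, o.zone)
        if not approved and o.zone in RESTRICTED_ZONES:
            emit("restricted_zone", o.dev, o.proto, o.zone)
        # Dual-homed bridge: a local link (Wi-Fi/Bluetooth/Zigbee) from an emitter that is also
        # on cellular, inside the restricted zone. Fires even when the peer is approved, because
        # an approved hearing aid paired to a cellular phone in the hall is still an exfil path.
        if (o.peer and o.proto != "cellular"
                and "cellular" in protos_by_track[o.track]
                and o.zone in RESTRICTED_ZONES):
            emit("exfil_path", o.dev, o.proto, o.peer)
    return alerts


def summarize(alerts):
    """Group alerting device ids by kind, for hand-off to a SIEM/SOAR playbook."""
    out = defaultdict(set)
    for kind, dev, *_ in alerts:
        out[kind].add(dev)
    return dict(out)


if __name__ == "__main__":
    for a in evaluate(LIVE_WINDOW, build_baseline(BASELINE_WINDOW)):
        print(a)
```

The baseline is keyed on radio id, protocol and zone together, so a device that was approved in the lobby still alerts when it turns up in the data hall, and a device that was only ever seen on Wi-Fi alerts when it starts using Bluetooth. Re-running the learning window through the evaluator produces no alerts, which is the sanity check to run whenever the baseline is refreshed.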
Featured Speakers
Dr. Brett Walkenhorst
Chief Technology Officer at Bastille Networks. He leads the company’s RF security research and product innovation, with deep expertise in wireless signal intelligence, spectrum monitoring, and the detection of wireless threats in sensitive environments.
Carol Koenigsberg
Retired senior intelligence officer who held executive roles driving digital innovation and cybersecurity strategy at a major U.S. intelligence agency. She led wireless intrusion detection programs protecting classified environments, and now advises on advanced security solutions for high-value facilities.
Transcript
Thank you so much for joining our webinar today: Wireless Threats in Sensitive Environments — What Traditional Security Doesn’t See. This is a webinar designed for security professionals in AI data centers, data centers, and secure facilities. My name is Justin Fry, and I’m the CMO here at Bastille.
We have fantastic speakers for you today. First, I’d like to introduce Carol. Carol is a retired senior intelligence officer who previously held executive roles in digital innovation and cybersecurity at a major U.S. intelligence agency. Second, we have Dr. Brett Walkenhorst, our Chief Technology Officer at Bastille. Dr. Walkenhorst leads the company’s RF security research and product innovation. His deep expertise is in wireless signal intelligence, spectrum monitoring, and the detection of wireless threats in sensitive environments.
Together today, they will guide us through the evolution of wireless security from traditional periodic sweeps to continuous monitoring. We will, of course, host a Q&A session at the end. Some people have already sent in questions, so thank you for that. Over to you, Brett, for a walkthrough of the agenda.
Thank you, Justin. And thanks, Carol, for joining us as well.
I’m looking forward to the discussion — I think it’s a pertinent topic. We’re going to start today by laying the foundation to give you a feel for why wireless matters and what the threat landscape looks like at a high level. We’ll go into more detail as we go along.
Then we want to focus on the risks, particularly in AI data centers — but data centers generally — and we’ll also touch on critical infrastructure. One important topic that deserves attention is the types of actors we’re dealing with. Carol and I will both talk a little about nation-state actors and the threats they present to our sensitive networks and infrastructure. We’ll wrap up with some key takeaways, give a brief overview of the Bastille system and a demo, and then launch into Q&A.
Wireless threats have been getting increasing attention over the last 10–15 years. What we did recently at Bastille was look back at the CVEs that had wireless vectors associated with them, and we noticed a striking pattern in the growth of those CVEs relative to total CVEs.
From 15 years back to today, disclosures related to wireless devices and protocols have grown by a factor of 230. That’s a huge growth pattern. To put it in context, wireless disclosures by themselves have increased at a rate 20 times faster than the total number of CVEs.
The chart on the right illustrates this. If you look at it as an index growth chart — indexing to a starting point in 2010 and watching how it evolves over the next 15 years — total CVEs are shown in red, and wireless CVEs in blue. By the time we get to 2025, those wireless CVEs are 20 times higher than total overall CVEs. The chart on the left shows wireless CVEs by themselves, cumulatively per year — that typical exponential growth pattern. The most striking thing is what you see on the right: wireless is getting a huge amount of attention from the offensive research community.
What’s concerning about this pattern is that we don’t see a similar growth trend of defenders paying as much attention to the wireless attack surface. That’s part of what we want to address today: to bring awareness, encourage people to think about wireless differently, and look at it as an important attack surface that deserves the same kind of attention the wired network requires.
What Traditional Security Doesn’t See
Before we look at monitoring solutions and mitigation strategies, let’s talk about what fails — what is typically done in terms of traditional security, and how that relates to the wireless environment. For that, I’ll hand it to Carol.
Carol: Thank you, Brett. We spend millions in government on physical blockades, RF shielding, trained guards, identity scanners, and comprehensive camera systems. But why does physical security fundamentally fail to protect sensitive areas from modern, invisible wireless threats?
Traditional security is built to stop physical threats — people and devices crossing a boundary. With the modern threats we have now, we need to understand and monitor our environments and have a baseline.
Wireless signals go beyond the boundaries of walls. RF energy travels beyond the physical perimeter you think you’re protecting. So we have a gap. You can fully secure a facility, yet still be vulnerable to invisible remote access or data exfiltration from outside or even from compromised devices inside.
Procuring equipment is a good example. It’s difficult to procure equipment for secure facilities that require us to keep wireless devices out. It’s hard to buy a TV, a printer, even chillers — they all arrive with wireless enabled, even when specifications said otherwise.
Brett: Thanks, Carol. These waves propagate at the speed of light — they don’t read the signs that say “no wireless devices.” Physical security is an important step, but it’s an imperfect sieve. Things will get through, and without some kind of additional layer of visibility and adjudication, that policy is just wishful thinking.
Carol: It really is. We’re putting together an ecosystem — looking at what we have in terms of traditional security, but also putting in systems that allow us to understand our baselines and continuously monitor the wireless environment.
The Wireless Airspace Problem
Wireless signals are invisible to us. Without monitoring solutions in place, they represent an invisible attack surface to bad actors. These signals propagate through physical objects, so you don’t have to be inside a building to present a threat to the systems inside it. All these wireless protocols — Bluetooth, Wi-Fi, Zigbee, cellular — represent potential penetration mechanisms as well as exfiltration vectors.
Carol, you’ve worked in environments along these lines. There are a lot of places in government facilities that — rightly so — exclude wireless almost en masse, with some accommodation for necessary medical devices and other aids. But in general, the policy is just nothing comes in, right?
Carol: That’s right. The government has understood the risks associated with RF for quite some time — they operate in that domain as well. But commercial is starting to understand those threats too. Some domains are beginning to shift their policies to be more in line with that strict exclusion policy.
Brett: AI data centers are one vertical that seems to be moving in that direction. We’ll say more about that in a few minutes. The point I want to footstomp is that the wireless airspace is part of your overall ecosystem. It doesn’t get a lot of attention — perhaps because it’s invisible — but it’s critical. It ties into your networks and, in some cases, to operational systems that can have very real-world effects, potentially impacting safety and even life. It requires monitoring just as much as the wired parts of your systems do.
Carol: I agree. I worked in government for over 20 years. Bringing in wireless is not acceptable in our buildings, but it’s hard to keep it out in our day-to-day lives. Wireless is part of the keys for our cars; it’s part of our medical devices. Of course, we make exceptions for what we need because some things have to be accepted. They’re whitelisted and we know what they are. But we have found that monitoring the wireless airspace is critical to protect national security, our data holdings, and all aspects of what we do to keep our nation safe.
The Proliferation of Wireless Devices
That’s an excellent segue. Wireless is really everywhere — let’s understand the scope of the problem.
There are tens of billions of wireless-enabled devices worldwide. If you live in the U.S., as we do, you have more than your fair share in your vicinity at any time, both personally and professionally. Smartphones, watches, fitness bands, rings, Bluetooth peripherals, medical devices — even clothing can have wireless modems embedded in them. They’re cheap, easy to do, and easy to configure. Sometimes they get put into a device where the use case isn’t really obvious, but manufacturers want the option to add functionality later.
Sometimes it’s not even clear on the packaging or advertising material that wireless exists. We’ve found that sometimes equipment gets shipped to customers who specified no wireless — and it turned out to have it anyway. This affects devices on a personal level, and these things tend to come in and out of facilities. Unfortunately, even in very secure environments, that sometimes happens unintentionally.
There’s also infrastructure: printers, televisions, HVAC systems — all kinds of things that become part of the fabric of the environment and tend to stay in one place. They often have an interface, sometimes without anyone’s knowledge, until someone happens to bring a sniffer close enough to notice wireless packets coming from the device.
One of the most interesting aspects is operational technology systems supporting critical infrastructure. Chillers (we’ll have an example later), SCADA systems, building management tools — anything that helps automate operations. That equipment will tend to have Bluetooth and Zigbee almost by default, and sometimes Wi-Fi or cellular. There can be multiple types of modems embedded to enable the flexible connectivity required for automation.
This stuff is all around us, and that elevates the risk.
Carol: Absolutely. As we have all of these aspects in our facilities globally, we need to take into account that we have this wireless risk.
Supply Chain Wireless Risk
That brings us to supply chain. Carol, I may have stolen a little of your thunder, but maybe you can add some color. How does supply chain affect us from a wireless risk perspective?
Carol: When we talk about no wireless, we still run a business. The intelligence community still orders equipment for our secure facilities. In many cases, we write specifications for products, and it’s becoming more difficult and more expensive to bring products in with the wireless disabled. If there’s something specific we need to use, we have to actually take it apart and spend more time removing the wireless.
If you step back to where it’s coming from — even with modems and other devices, IT or basic items — things can be implanted. When you think about the supply chain, where did that implant come from? Was it manufactured in another country? In China? Is the implant being put in at that location, or brought in another way?
That’s why continuous wireless monitoring of the airspace is critical. These things may not be intentional — or maybe they are. They can certainly be accidents, but we need to know what we’re dealing with. That’s why it’s important to establish a baseline and re-baseline on a continuous basis. Supply chain risk is not hypothetical — we have seen it repeat in facilities of all types across government, and in our experience, in commercial sectors as well.
The Case for Continuous RF Monitoring
Given the scope of the threats, the vulnerabilities, the ability for bad actors to act in this space, the ubiquity of devices, and the scope of different device types and form factors — all of this points to the need for continuous monitoring.
It isn’t sufficient to identify one time what is in your facility. That’s a good first step — better than a lot of places do — but just identifying it once with a sweep isn’t enough. We see this in both government and commercial sectors, where people concerned about audio/video bugs order what’s called a TSCM sweep: specialists come in with specialized equipment and identify items that shouldn’t belong. That’s great, but given the proliferation of wireless throughout our ecosystem and the increasing diversity of device types — a 30x increase in device types in just the last 10 years — this whole space has been blowing up.
My whole career feels like it was built around the explosion of wireless technologies. The rate of increase continues to increase — that’s the exponential growth we see. The landscape is constantly evolving, and people can bring devices in often without even thinking it’s against policy, simply by carrying them into and out of a sensitive space. This elevates the risk and increases the attack surface enormously.
The solution must not be just a point-in-time sweep given the dynamics of the environment. We have to have continuous visibility — we have to be able to see what is emitting in our environment all the time, not just occasionally.
Wearables and Medical Devices
Another type of device worth mentioning is wearables and medical devices. These are often devices we have to allow even in sensitive spaces, and that can be okay. But without visibility into their behavior, it’s difficult to mitigate risk.
As an example: hearing aids. It’s important for someone with a hearing disability to be able to conduct business — they need that aid. Almost every hearing aid today has Bluetooth connectivity capability. There are other protocols, but they tend to center around Bluetooth.
There’s nothing wrong with having the hearing aid. But if you’re in a secure space listening to sensitive conversations and your hearing aid connects via Bluetooth to your phone — and your phone has cellular connectivity — there’s a clear exfiltration path that no one will ever see unless you’re looking for the wireless emissions themselves. Being able to allow devices in and whitelist them is critical, but having continuous visibility is key to ensuring those devices behave in ways that don’t violate policy once they’re inside.
Carol: I can speak to that as well. It’s really important for our workforce to bring in the medical devices they need. We have a comfort level in our buildings because we allow those — we whitelist them, so we know what we trust in the building. But if other devices come up that weren’t whitelisted, we’re able to be alerted and take action to understand what else is in our airspace.
Covert Recording Devices: Phones and Smart Glasses
One more aspect of the threat landscape before we dive into data centers specifically. We have seen documented cases — in the news and in court cases — where people have used cell phones to compromise classified information or proprietary information of a highly sensitive nature, or to enable unauthorized access by sharing a screenshot of a token or something similar.
Phones are so easy to use, and almost everybody has one. They represent a risk we often don’t consider. The ability to take a photo of a screen and transmit that information — or have it sit accessible in the cloud — is a huge risk. The method is so simple and accessible that I think it represents something we should be concerned about.
Some of these cases came down to someone happening to see, on a video camera stream, that someone was taking a photo of something they shouldn’t have. That’s good — we caught some of it. But it’s hard to know how much is still happening that isn’t being caught.
An interesting side note: there’s a very simple, less obtrusive mechanism to do the exact same thing. Smart glasses are becoming more common in our society. When they first came out, they were clunkier, and we had a harder time as a society accepting that someone might be surreptitiously recording us. We’re becoming more inured to it, more implicitly accepting as it becomes mainstream. They’re also less obtrusive — they look more and more like normal glasses.
There’s no visible indication. If someone wears a pair of glasses, looks at a screen, and taps the frame as if thinking, they can take a photo of whatever they’re seeing. I’m not sure any physical security professional would notice that just looking at a camera feed. But they can do the exact same thing as someone using a phone.
Both of these point to the need to monitor for the presence of these wireless devices. With the right technology, you can see them. A system that scans the RF environment makes it clear there’s a device somewhere. If you have policy restricting certain devices in certain locations — which I think you should, depending on who you are and what information you’re protecting — you can create the right conditions to adjudicate that policy properly. You just have to be looking in the right places.
AI Data Centers as High-Value Targets
Let’s talk about AI data centers specifically, and data centers more generically.
To lay the foundation, I want to point back to an announcement from a few months ago: Oracle announced they were partnering with Bastille to roll out wireless monitoring capability across their global footprint of AI data centers. This is a huge shift for the industry and may become a de facto standard. We’re seeing similar movements from other organizations that are peers in the same ecosystem.
It highlights that there are enough people recognizing the threats we’ve been talking about to move the needle on this and shore up security. It’s partly motivated by the value of the IP being protected. AI data centers today are housing hugely valuable intellectual property — they are the crown jewels of the digital economy.
There are multiple reasons for the shift. Let me touch on three:
AI Technology is the most obvious. An AI data center houses the core of what offers services — the models themselves, including training data, parameters, tuning parameters, and other peripheral elements. It costs billions of dollars to train them. That represents very real value in IP, so it must be secured.
Customer Data has always been valuable — that’s why data centers have always been concerned with security. But today’s environment is shifting the focus. The kinds of data customers were once unwilling to push to the cloud is now being pushed there to take advantage of AI analytics, business insights, and projections. The sensitivity of that data is growing.
Operations — many devices that enable automation and maximize uptime rely on wireless connectivity. As all of this comes together — value of IP, need to automate, need to ensure uptime — operators have become hyper-aware of security risks and are working extra hard to secure facilities. That’s why we see the most sensitive government policies beginning to shift to the commercial world.
Carol: The intelligence community has long understood this need. Now that commercial and AI data centers are also seeing the value, there are lessons learned that the intelligence community can provide from earlier experiences.
Brett: That’s an excellent point. It’s why I’m so glad to have you on this webinar. We need to share the lessons you and your colleagues have learned over many years to help the commercial world step up their security posture similarly.
Threat Actors
Carol: Nation-state actors are highly sophisticated, government-backed hacking groups that conduct cyber operations to advance a country’s strategic, military, or economic interests. They’re in it for the long game and have the resources. They are characterized by strategic patience, massive funding, and advanced military-grade tools.
We also have cybercriminals, motivated by financial gain — like ransomware. That’s important because it can affect a wide variety of organizations or individuals.
The next threat actor is the insider threat. Government has seen this publicly over the years. The motivation could be a spy, or someone who didn’t feel they wanted to be part of what the organization was advocating for, so they use their influence and access to harm the organization.
We can also look at this in the context of the airspace and what can be taken with glasses — copying or stealing classified information. It’s important to have the data now available to us with baseline and continuous monitoring, because counterintelligence organizations assess through the alerting data: is this a one-off, or does it look like an insider threat?
Opportunists are another category — a variety of people looking to make money. And multi-tenant contamination — shared locations where government shares space with other organizations, in the U.S. or globally. The wireless ecosystem signals transcend walls and barriers, so it’s easy to have an attack surface in a multi-tenant situation.
It’s important to know what the risks are, understand the baseline you’re collecting, and understand what’s acceptable. The threshold will be different for government, AI data centers, and other commercial companies. But putting together an entire ecosystem to mitigate risk is critical.
Brett: All of these actors are potentially interested in the data being protected in our data centers. What shocked me recently was learning just how much activity there is from nation-state actors working to gain access to data housed in AI data centers. There’s a lot of activity going on, and it further justifies the connection between sensitive government organizations and folks in highly sensitive ecosystems in the commercial world.
When nation-states start coming after you, you really have to think about your risk — the risk of compromise of the information you’re housing, what mechanisms they might employ, and how you can mitigate that risk. We focus largely on wireless because it’s an underappreciated realm that nation-states know how to exploit. There are stories of folks working with highly sophisticated tools, but most importantly with patience and creativity, to penetrate the networks they’re interested in.
Real-World Scenario: The Zigbee Chiller
Let me give you a couple of examples to put a finer point on the wireless risk in data centers and similar facilities.
One is an interesting story. Nothing bad happened, but it was a configuration you didn’t think about until you realized it had happened. We had a data center that we were monitoring. We put in a system and immediately saw concerning activity — Zigbee packets being sent. We ultimately found they were coming from an industrial chiller in the data hall.
A little investigation turned up interesting details. The contractor who had implemented the chiller had left the Zigbee mode on in a very insecure way. This chiller, hardwired into the network, became a dual-homed device that could have been used to gain access. Thankfully, as far as we know, it wasn’t.
The interesting part: the contractor did this for their own convenience. That’s the value of wireless — convenience. They wanted it because it would allow them to perform contract-required maintenance on the chiller without going through the physical security headache of getting access. They could monitor and interact with it through the Zigbee interface from the parking lot — which points to the problem that these waves penetrate physical objects. You don’t have to be inside the facility to present a risk to what’s inside. They did this for their own convenience but left a glaring hole in the security architecture that no one realized was there until someone identified the wireless packets.
Hotspot Data Exfiltration
More concerning is the story of a hotspot coming into a data hall. Through monitoring, we found a phone that would come in periodically and connect with a client device in a server rack. Someone had plugged in a dongle that allowed them to make that connection and access data on the server wirelessly.
The problem: that connection is over Wi-Fi, and the phone has a cellular connection to a tower that allows you to push data to the cloud or anywhere you want. This is extremely easy to do and concerning that it could happen in a data center simply because no one was looking. No one is looking and flagging the idea of hotspots coming in.
If physical security doesn’t prevent a small dongle from slipping through the security sieve, that kind of thing can easily be introduced and plugged in without anyone noticing. The fact that we don’t have good tools for monitoring this kind of use case makes me even more passionate about ensuring people understand the risks.
OT, ICS & Critical Infrastructure
Operational technology and critical infrastructure — let me close the loop on this. Not only are data centers often considered critical infrastructure, but more traditional facilities like power, oil, gas, and water that we rely on as a society are too.
These systems tend to be interconnected with many devices that have Bluetooth and/or Zigbee almost by default. Very often they get set up without much concern paid to security implications — they often end up with default credentials and may not even have encryption enabled. This is great for convenience and automation, but it presents another risk layer for facilities where very real-world physical effects can be enacted by bad actors.
A bad actor might exploit something nearby — say spyware on a phone that’s been introduced into the facility — and use that as a jumping-off point into other OT-related systems to create havoc. This is another industrial vertical where we really need to pay attention to wireless risk and bring additional layers of visibility and protection.
Key Takeaways
Wireless is part of a broader attack surface. You can’t protect what you can’t see. If Zero Trust is an important paradigm for network security, we need to apply it to wireless as well — and that starts by bringing visibility to it.
We should move from reactive visibility to proactive visibility with continuous monitoring that shows patterns of life and helps you understand on an ongoing basis when something begins to behave inappropriately. You clean up your infrastructure, but also identify malicious behavior when it happens.
As wireless visibility propagates through various verticals, it’s becoming table stakes. It’s a must-have, accepted in more environments. Carol is a great representative of one of those environments. We’re seeing it in various areas in the commercial space as well. It’s not a matter of if you need it — it’s a matter of when, after assessing your risk to determine what you might be vulnerable to without that visibility.
Carol: It’s interesting to see how the commercial business is growing.
Brett: It’s starting to become so well understood broadly that I think it’s important we continue to tell that story.
Bastille Solution Overview
Let’s talk briefly about a solution to this problem. The solution is to bring awareness — visibility is the first step. We do that by monitoring the airwaves directly.
The Bastille solution is a set of sensor arrays that allow us to scan the spectrum quickly and capture information about wireless packets on the air. The sensor scans everything — Wi-Fi, cellular, Bluetooth, Zigbee — everything in terrestrial wireless communications.
We capture timestamped information and know the frequency. The sensors work together to localize the devices sending packets, giving us spatial information. They also demodulate and decode packet headers, capturing a much richer dataset that informs not only what a device is and where it is, but what its behavior is, who it’s talking to, its connectivity state, capabilities, and sometimes even its form factor.
We put all this data on a floor plan so people can easily view it, but there’s also a multidimensional dataset available that’s pushed into an analytics engine to make sense of all the information we capture. We can analyze behavior and identify events that warrant attention, allowing investigation and adjudication aligned with current SOC workflows. Everything integrates with security infrastructure — SIEM tools, MDM, SOAR, playbooks — to enable identifying events quickly.
The sensors are very capable RF systems with high bandwidth and beefy FPGA processors on board. Using those FPGAs, they can capture a broad range of frequencies, processing them and extracting metadata.
Importantly, these devices are RF passive — they don’t transmit. All data flows back to a server over a PoE+ cable, which also provides power. Single cable, up and running, not cluttering the RF environment. This is important for customers with total exclusion policies like Carol described, but it’s also important for operational security — it’s good not to let people know you have certain capabilities, because they may change behavior to mitigate the risk of being caught. No moving parts. Health monitoring for fail-safe operation.
One-Minute Demo
In this video, you see someone walking into a facility being monitored by the Bastille system. You see her on the camera as she walks through. At the same time, a cyan-colored icon represents the cell phone in her pocket beaconing out to a tower. We watch that move through the facility as she moves through.
When the icon penetrates a geofence around a sensitive area, the system sends a signal to the cameras, which swivel and zoom in on the area of interest. Now we’re capturing physical information about what she’s doing — she looks like she’s not supposed to be there, and we have physical evidence to back up our investigation. That highlights the power of integrating with different types of systems.
That does it. We’ve outlined the threat landscape, given a deeper dive into a couple of verticals, and talked about the solution space. Let’s open it up to questions.
Q&A: Detecting Audio/Video Recording
Justin: Thank you both — excellent presentation. Brett, this may be a question for you: is there a capability that can detect or prevent someone from recording audio or video from a phone or connected device such as glasses?
Brett: Great question — it’s an area of concern based on what I talked about earlier with phones and smart glasses. Any kind of device capturing audio and video by itself may not create a signature that could be identified. But in general, they’re capturing and streaming it somewhere else, and that wireless signal is identifiable.
There are a couple of layers. One: you can simply identify that there is a device there that maybe shouldn’t be. If your policy is exclusionary enough, that’s enough to act. Another layer: certain devices exhibit certain behaviors when transmitting audio and video data. That isn’t foolproof, and I wouldn’t rely on it completely — hence the need to consider your policy. But in general, there are multiple ways. The most robust is simply identifying that there’s a device, with detections that can identify the type of device based on the wireless signature. That’s something Bastille can provide.
Q&A: Barriers to Continuous Monitoring
Justin: This is probably for Carol. In your professional opinion, what is the most influential or pervasive barrier institutions face when tackling the transition to continuous monitoring, and who do you see as best poised to tackle such barriers?
Carol: Good question. As you shift from physical security — guards, gates, fencing, and shielding — to protecting the wireless airspace, it’s culturally a shift. Organizationally, it requires an executive-level champion. It requires policy in government, and understanding what will be done — what are the consequences of identifying wireless devices or other things that might come up.
We’ve talked throughout this presentation about understanding baselines in buildings. From my experience in government, we did not understand the baseline until we were able to be alerted or understand what we were facing. With that, we could put in place what was important from a risk-mitigation perspective.
It’s very important to communicate with your workforce as you’re doing this. Education — annual training to identify what items are acceptable and not acceptable — and the ability to communicate openly and share what the threats are and why you’re putting monitoring systems in place.
Q&A: General Data Centers vs AI Data Centers
Justin: Would this be as important for general data centers as for AI data centers, and why?
Brett: Short answer: yes, it is as important. Each organization and facility needs to consider its risk profile independently. AI data centers — the value of the IP and various other considerations — have really pushed those actors to shore up security. Other facilities, including data centers generally, are extremely important and warrant this level of visibility and protection.
Carol: I concur. It’s important to know what’s happening in our data centers because we talked about the crown jewels. In government secure facilities with classified information, it is critical that we protect our national security and our information.
Q&A: Effective Baselines and Distinguishing Threats
Justin: Brett, a two-part question from someone at a government department. What does an effective baseline of wireless activity look like within a secure facility, and how frequently should it be reassessed? And how can organizations distinguish between benign wireless noise and indicators of potential nation-state activity or data exfiltration?
Brett: A baseline depends on understanding over time, which requires continuous monitoring. We recommend the baseline be continuously updated. If you’re always looking, over some period you establish a baseline of typical activity — what devices are communicating with what other devices, at what times, in what places. You use all that data to establish typical patterns of behavior. This should be ongoing, in my opinion. Otherwise you’re back to trading off continuous visibility for point-in-time scans, and I think it’s a trade not worth making.
On distinguishing benign noise from potential nation-state activity: it may not be straightforward to identify that a nation-state actor is acting, but to determine whether something is benign, malicious, or somewhere in between — including misconfigurations that cause concern (a yellow flag instead of red) — you can push metadata to an analytics engine that runs heuristics and AI-based models to identify when something malicious may be occurring. Flag those events and recommend users investigate further. Investigation may indicate a persistent, patient actor, and you may eventually determine it’s a nation-state actor. That’s not an automated function, but tools can get you much closer and at least raise the flag.
Q&A: Full-Spectrum Facility Security
Justin: Two related questions, clarified by the sender: how can we create a comprehensive plan that mandates, designs, implements, operates, and continuously assesses and improves full-spectrum facility security? The clarification: the question concerns countering the many ways facility security and continuity of operations can be adversely affected by adversarial actions. Bastille mitigates many risks, but with new interfaces it can perhaps be even more effective.
Brett: One thing that facilitates a comprehensive approach including wireless security is the ability to integrate different systems together. At Bastille, we try to make that as simple as possible. Bastille data can feed other systems by issuing webhooks to a target node — you set up the right credentials and the data is pumped to that target. On the receiving end, you configure that to accept and interpret it properly. It’s a straightforward process. That’s the technical glue that enables the broader security paradigm.
Carol: On the operational side, it depends on the particular organization and what they’re looking to gain. Being able to put this data into other systems allows you to do things with the data. Different use cases for the data, and how you want to understand what’s happening in your buildings and protect them — you’ll be able to utilize this data with other holdings you have. It depends on your use cases and your perspective on protecting your buildings.
Q&A: Determining a Baseline of Allowable Devices
Justin: Final question: how do Bastille systems determine a baseline of allowable devices within data centers — specifically things like existing Zigbee systems? How do I know what is a new signal and consequently a potential threat?
Brett: This is another aspect of the analytic piece. All the data gets fed into the analysis engine that can look across boundaries of time, space, and behavior. We have alerts that can be configured to identify when new devices appear based on certain parameters — that’s baked into the overall tool.
If your metric is “a new signal is potentially a threat,” you probably have policy that locks things down sufficiently to not be a fire hose. You can configure the system simply to provide that information, and every time the event occurs, you dig in to find out what’s going on. Chances are it’s a little more nuanced, but maybe you’re in a space where that makes sense. It depends on the use case — we work with customers to tailor the analytics to their needs.
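The baseline-and-alert logic described in the last two answers, as an added editorial example that is not Bastille's code and not part of the webinar: it learns each emitter's protocol, zones and active hours from a constructed set of decoded sightings, then grades later sightings red (new device, or a known device in a zone it never used), yellow (known device outside its usual hours, the "misconfiguration" case) or green, and folds adjudicated-benign sightings back in so the baseline keeps evolving. Record fields, device identifiers and zone names are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sighting:
    hour: int       # hour of day (0-23) the packet header was decoded
    device: str     # identifier recovered from packet headers (constructed)
    protocol: str   # zigbee, ble, cellular, wifi ...
    zone: str       # floor-plan zone the sensors localized the emitter to

# Constructed baseline window: sanctioned Zigbee lighting, a BLE printer, a staff phone.
BASELINE = [
    Sighting(9, "zb-lighting-01", "zigbee", "hall-a"),
    Sighting(14, "zb-lighting-01", "zigbee", "hall-a"),
    Sighting(10, "ble-printer-07", "ble", "ops-room"),
    Sighting(8, "cell-staff-23", "cellular", "lobby"),
    Sighting(17, "cell-staff-23", "cellular", "lobby"),
]

def build_baseline(sightings):
    """Per device: its protocol, the zones it used and the hours it was active."""
    profile = defaultdict(lambda: {"protocol": None, "zones": set(), "hours": set()})
    for s in sightings:
        profile[s.device]["protocol"] = s.protocol
        profile[s.device]["zones"].add(s.zone)
        profile[s.device]["hours"].add(s.hour)
    return dict(profile)

def classify(s, baseline):
    """RED: new emitter, or known emitter in a zone it never used. YELLOW: known
    emitter outside its usual hours (often misconfiguration). GREEN: consistent."""
    p = baseline.get(s.device)
    if p is None:
        return "RED", f"new {s.protocol} device in {s.zone}"
    if s.zone not in p["zones"]:
        return "RED", f"known device seen in new zone {s.zone}"
    if not min(p["hours"]) <= s.hour <= max(p["hours"]):
        return "YELLOW", f"active at hour {s.hour}, outside baseline hours"
    return "GREEN", "matches baseline"

def triage(sightings, baseline):
    """Only the sightings that warrant investigation, most severe (RED) first."""
    hits = [(s, *classify(s, baseline)) for s in sightings]
    return sorted((h for h in hits if h[1] != "GREEN"), key=lambda h: h[1] != "RED")

def accept(baseline, s):
    """Fold an adjudicated-benign sighting back in so the baseline keeps evolving."""
    p = baseline.setdefault(s.device, {"protocol": s.protocol, "zones": set(), "hours": set()})
    p["zones"].add(s.zone)
    p["hours"].add(s.hour)
```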
Closing
Justin: Thank you both so much. To learn more about Bastille, please reach out to us at bastille.net. We look forward to seeing you at our next event.
Brett: Thanks, Justin. Thanks, Carol.
Carol: Thank you so much.