Securing Internet Connected Devices (IoT)

Our society is blazing towards automating what seems like every aspect of our lives –self-driving cars, home automation, wearable devices, entertainment, medicine, manufacturing, finance/payments, energy – no industry has managed to remain untouched by internet-connected sensors and actuators. However, this explosive adoption of online devices has far-reaching implications for the cyber security of these devices, the data they collect/store, and the actions they automate.

Cyber Security Concerns for IoT

The cyber security concerns for internet of things (IoT) devices can be categorized in many ways, however, we see some key themes.

1. Hostile takeover / Remote Access Tools

2. Denial of Service Networks/SMURF Amplification

3. Misuse/Tampering (modification of rates)

4. Personal Data Theft (intellectual property, personal photos, and information)

5. Sensitive Data Theft (Credit cards, identity data, financial records, IP theft)

Considerations For IoT Security

The sheer volume of internet devices and the associated volume of log data poses a unique challenge in securing IoT. With any large network the diversity of devices and logs, and the massive event stream they generate is the main issue. In order to secure IoT, you must be able to ingest this tremendous volume of log data, parse and process the fields within the logs to determine normal for each device. Then you must watch for the changes of behavior that indicated misuse or compromise.

This volume and complexity of data cannot be handled manually or through the use of pre-defined rules (as many legacy security management tools do). The only way to analyze this data is through machine learning algorithms. These machine learning algorithms should be configurable on any field in any log, enabling automated learning and applied intelligence to millions and often even billions of events.

This analysis methodology is able to detect deviations in real time. Instances of misuse are determined dynamically based on a change in behavior, not based on signatures that fall easily out of date.  The aggregated changes allow risk scoring and ranking of suspect IoT devices which can be prioritized for investigation and response.

What are the key factors of consideration or points of collections of data?

IoT devices frequently have limited logging and agents often cannot be installed due to the proprietary nature of many devices and the limited capacity to run any agents, so logs often must be collected from network tools like firewalls, NetFlow, and proxies.When the IoT device is a mobile device not owned by the company, application logs become key (in addition or in lieu of network logs), and access and use need to be logged and reviewed at the application layer.

When the IoT device is a mobile device not owned by the company, application logs become key (in addition or in lieu of network logs), and access and use need to be logged and reviewed at the application layer.

Apply The Following Best Practices:

Where possible, operating system logs, endpoint anti-virus, Network Access Control (NAC) devices, and tools for endpoint access validation like BOX, or Mobile Device Management solutions like VMWare, Mobile Iron, Citrix, etc…are both good log sources and best practices.

As a rule, devices should not be allowed to access protected corporate data without an encryption control method that prevents local storage into unencrypted areas, prevents copy and paste, and provides revocable access with two-factor authentication.

All applications should log Authentication, Moves, Adds, and Changes for both success and failure events. Where possible applications should also log the unique entities or accounts acted upon and what actions were taken.

The good news is that even though the task of securing IoT devices seems impossible, with the right approach we can reap the benefits of a connected life without the cyber security risks. This approach must be grounded in data ingestion at scale, and the the application of automated learning and detection, rather than trying to fit old, signature and rule-based techniques to this problem.

The Ghost in the Machine: Tracking Stealthy Fileless Malware in the Windows...
5 Cyber Threats Facing the Financial Service Sector in 2024
What are Insider Threats?
What is the MITRE ATT&CK Framework?