By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions
“What we know is a drop, what we don’t know is an ocean.” – Isaac Newton
When it comes to IT security, this statement is definitely applicable. When applied to current information security, it means:
- We are pretty good at identifying “known good.”
- We are pretty good at identifying “known bad.”
- We know that there are things about our networks and attackers that we don’t know.
- We should also realize that we may be completely unaware of some attackers, insider threats and ongoing exfiltrations.
The Internet of Things is a new and exciting concept. From connected cars, to medical devices, automated building systems, “smart dust,” and seamless connectivity, it’s a bit of the wild wild west out there. Developers are working to create new and exciting devices to do cool and unexpected things. We’re collecting data faster than ever before, and creating more data than ever before.
Consider the following 2014 data projection from IBM’s Big Data and Analytics team on the growth of data:
According to their analysis, from 2010 to 2015 – just five short years – we have gone from storing approximately 1,000 EXABYTES globally to almost 10,000 exabytes. With the majority of that data coming from devices and sensors that monitor our bodies (ECG, blood sugar, sleep, activity and more).
Think about our current networks. Laptops, desktops, IP phones, wireless access points, routers, switches, firewalls, IDS sensors, antimalware sensors, web proxies, databases, directory servers, mail servers, etc., etc., etc. All of these things generate logs, flows, and traffic that most organizations monitor (and all them should…) and try and organize into a reasonable fashion, to gain some sense of the health, state and general status of their network and business. Some of these networks can generate tens of thousands – or hundreds of thousands – of these events PER SECOND.
Now consider adding tens of thousands of tiny, single-purpose devices, designed to be “in the wild,” constantly and ceaselessly sending traffic to a collector of some kind. Yup. That’s a ton of events. That’s a ton of data. How do we sort it? How to we catalog it? How do we know what’s good, what’s bad, and what we need to worry about?
Further complicating matters is encryption. While many security professionals (yours truly included) advocate strong encryption and the controls around this data, the “bad guys” have figured out that SSL and other encrypted traffic is a gaping hole in visibility. Many enterprises are NOT doing SSL decryption and inspection. In fact, according to John Pirc of NSS Labs, only 35 percent of network traffic traversing private networks is encrypted.
If you can’t see it, you can’t stop it.
Again, while strong encryption is an important piece of a security strategy, decryption and inspection is equally important. Hiding malware and other evolving threads in SSL is becoming a tried-and-true strategy. With the upcoming addition of hundreds or thousands of devices to your networks, making sure you can see these threat vectors, identify “good” or “bad” traffic, and knowing what normal behavior looks like becomes ever more important.
Microsegmentation, tighter security controls, clear policies and automated responses, combined with data analytics, will assist administrators and analysts to understand the traffic and devices on their networks.
What are we looking for? What’s normal? What’s bad? What do you mean by threat vectors?
- By 2016, 23.6 million cars with have Internet access.
- By 2020, each person will have an average of 7 connected devices.
- Smart homes and connected homes are becoming the norm, with hundreds of new devices added daily. Smart home market is expected to grow to $58.68 billion by 2020.
- Machine-to-machine (M2M) communication is projected to grow 30% yearly over the next five years. There will be 26 billion M2M connected devices by 2020.
- Industrial IoT is projected to be a $14 trillion market segment.
You’re probably saying, “OK, and…?”
Each one of the above is a potential threat vector. Until recently, a breach in IT security meant the loss of financial or intellectual property resources. Now, with IoT, we’re talking about real threats to human life. Hyperbole? Overstated? Paranoid? Perhaps not…
- The recent very public Jeep hack highlighted a very serious flaw.
- A telepresence surgery robot was hacked in a proof-of-concept.
Many IoT devices are designed without security in mind, enabling communications, but not thinking through the security lifecycle. And more and more of these devices rely on “the cloud” or a back-end analytics engine for command and control, and they aren’t designed with security in mind.
So, for these new IoT networks, and for the additional load and traffic that will be added, we need to carefully consider what is “good” and what is “bad.”
In a design/development/test phase, devices and their controller gateways need to be monitored and profiled to understand what normal (aka “good”) traffic looks like. Things like average speed, times the traffic sent, and where the traffic is sent should be measured. Then, standard security controls should be defined around the device. For example: Should my smart coffee cup or wearable fitness device be trying to send traffic outside my country? Should my smart tractor talk to anything but my smart barn? Should my manufacturing robot talk to anybody but it’s local network? If so, write and monitor the rule. If not, set alerts as you would any other device.
Mind the gap.
We need to know who owns a device? What is the device doing? Is it supposed to do that? And, if it does something “weird,” how long has it been doing that?
“Doesn’t this make for a massive amount of work?” Yes. Absolutely. This is why device manufacturers should consider security from a device standpoint – secure communications to the controllers, secure lifecycles on gateway-to-device controls, and a way to monitor, provision, isolate and the remove or de-provision the devices.
Whew! Tired yet? It can be daunting. But don’t get too overwhelmed. While the IoT is new, our methods are not. Once the data is on our networks, we need to sanitize, segment, control and protect it like any other critical data.
We need to ensure that we need to do it right – so the Internet of Things becomes a usable, functional, critical and seamless part of our world. Otherwise, it will be the Internet of Playthings.
Editor’s Note: This article originally appeared on LinkedIn.
This post was originally published in March 2016 and has been updated for accuracy and comprehensiveness.