With the increase of Internet of Things (IoT) devices comes an increased risk of cyberattacks. Last year’s massive distributed denial of service (DDoS) attacks that infected IoT devices and affected services for many notable companies around the world served as a wakeup call for users, corporations, and governments alike. Today, anything connected to the internet is at risk of an attack, not to mention compromised IoT devices can also be used as a launch point to carry out attacks against other systems.
This year, more than 10 billion devices will connect to networks around the world, and that number is expected to grow ten-fold over the following years. Applying conventional human-centric practices to IoT security management is not practical, as the rate of IoT adoption outpaces many organizations’ ability to keep pace. There are simply too many devices to monitor, especially with the growing number of low-cost sensors and the temptation to connect everything to the internet.
Organizations already find themselves overwhelmed with the volume, variety, and velocity of security data alerts. It is not uncommon for a large organization to receive over 10,000 security alerts per day. Resulting from a combination of duplicate information, false alerts from faulty intelligence data, and the limited capacity of security analysts, only a small portion of alerts are even investigated. As IoT adoption accelerates, this security “alert fatigue” could become full paralysis. Being aware of attack patterns by leveraging threat intelligence data and taking proactive measures to mitigate threats will be key to prevent theft of sensitive data or DDoS attacks. As a result, new approaches to security management, incorporating security analytics, machine learning, and automation, are required.
To address the growing challenges created from IoT, security management solutions must aggregate, correlate, analyze, and enrich security data from a variety of sources within a business-specific context. The business value behind IoT lies in the data collected by devices; therefore, protection of that data is paramount. However, this is not easy, given the diversity of IoT devices and services is significant. For instance, some devices may be simple sensors providing important, but not necessarily mission-critical, information. Meanwhile, others may be highly sophisticated, connecting not just to the network, but to each other, and exchanging crucial information. Another consideration is that many devices use simple processors and operating systems that may be vulnerable to attacks. Some with hardcoded passwords allow malicious software, such as malware, to be implanted, which can launch DDoS attacks against other systems when detonated.
A contextual understanding of devices and the associated services they enable is a crucial aspect to assessing both security threats and the appropriate mitigation. Thus, knowing which IoT assets are part of a network is a critical prerequisite for securing those assets and the associated data that is either stored, processed, or transmitted, as is the ability to discover devices that are connected to your network, both sanctioned and unauthorized (or rogue).
Multi-dimensional security analytics is required
Security management requires end-to-end visibility spanning device, network, and cloud layers. Without an ability to collect, correlate, and analyze data from multiple operational silos, it is probable that security threats will be missed. For instance, an IoT device may be performing its intended function and still be exfiltrating data. If the device is only monitoring the IoT gateway for anomalies, this breach will likely be undetected, unless the connectivity network itself is also monitored for indicators of data leakage.
Multi-dimensional security analytics that correlate data from multiple domains help identify anomalies that might be suspicious, malicious, or inadvertent, and provide context intelligence regarding the nature of the threat, threat vectors used, associated business risk, and recommended mitigation. For example, security analytics can detect whether there has there been a spike in CPU on the sensor or irregular amounts of keep alive packets on the device. They can also tell if the device has exceeded its baseline of data, is performing its intended function (or additional tasks it is not supposed to, such as exfiltrating data), or is having an unacceptable impact to network performance, potentially affecting other services.
When combined with threat intelligence data, security analytics help more effectively detect threats and prescribe the appropriate response – strategic threats require strategic mitigation.
Analytics work hand-in-hand with automation and orchestration
In the same way that human-centric approaches are impractical to detect sophisticated IoT-based security threats, today’s manually-intensive incident response strategies are equally insufficient. By now, the global cyber security skillset shortage is well-documented – predictions are the global cybersecurity workforce will have 1 to 2 million jobs unfilled by 2019. At the same time, incident response processes today are time consuming – up to 33 percent of incident response time is spent on manual processes, leading to inefficiencies and delays. Combined with alert fatigue and the considerable time wasted on false positives, breaches and threats often go undetected. IoT further magnifies this problem, and as a result, security teams are turning to automation and orchestration.
Security operations workflow automation and orchestration are at the heart of the transition from static defense to agile and adaptive response. Automation is the process of executing repeatable actions without human intervention, while orchestration is the concept of chaining these automated tasks into executed playbooks to perform workflows to accelerate both investigation and mitigation.
As it pertains to IoT, security automation must involve more than just operations. It must be aware of and encode business processes, regulations, and IoT service-specific policies, since incident response will vary depending on the nature of the IoT device and service.
Bringing it all together
Multi-dimensional IoT security analytics is key to the rapid detection of threats. Machine learning helps identify anomalous behaviors that indicate compromise by using threat intelligence information across network, device, and cloud layers. When infused with contextual knowledge about the IoT service and business value, appropriate automated rapid response can be initiated.
By leveraging security orchestration, analytics, and response technologies, organizations can scale to the meet the increasing challenges IoT creates while creating new value-added monetization opportunities.
Gerald Reddig is head of Marketing Security at Nokia.