Authored by: David Sajoto, Vice President of Sales for Asia Pacific and Japan, ExtraHop
The Asia Pacific region is at the forefront of the growing Internet of Things (IoT) industry, accounting for about 35.7 percent of global spend, with the United States and Western Europe accounting for the next largest shares at 27.3 percent and 21.2 percent respectively. As IDC also notes, the region benefits from considerable government support, for example in Singapore, to promote the development of IoT across all major industries including energy, transportation, manufacturing, government, healthcare, and retail. As enterprise IoT devices, particularly printers, VoIP phones, smart boards, and TVs inside enterprise networks, continue their rapid growth, companies need visibility into the uncontrolled risk that these connected devices represent.
Challenges of IoT devices for the Enterprise
The next generation of IoT is becoming more than a group of devices, morphing instead into mission-critical, enterprise-wide services that leverage edge-computing and modern hybrid architectures. This new paradigm requires high levels of uptime and, most importantly, improved security measures.
Enterprise IoT devices pose several security challenges on networks: IT departments must deal with the service layer a device is part of, rather than just the device itself; there is a lack of visibility into known and unknown IoT devices connecting to the network; and not all devices were designed with security in mind. Further exacerbating the risk, IT and Security operations teams seldom collaborate on IoT device strategy and deployment. To provide effective IoT security, both teams need to work together to ensure continuous operational visibility and awareness of the IoT infrastructure, with the following three considerations in mind.
1. Enterprise IoT (eIoT) Visibility with Zero Disruptions
Unmanaged devices on the network are a vulnerability, which makes eIoT visibility one of the top challenges organisations face. IT Ops needs visibility into every single device connected to the network, and what each device is talking to. Additionally, if SecOps teams can see each device's make and model, its intended function and which services it is a part of, they can better understand the risk.
As eIoT devices proliferate, attackers are exploiting these devices as an easy avenue to gain entry to, and further penetrate, enterprise security defences. Traditional network and endpoint security solutions, such as next-generation firewalls (NGFW), intrusion detection systems (IDS), network access control (NAC), and endpoint detection and response (EDR), are insufficient to address current IoT security challenges because they lack the visibility, situational awareness and data analytics capabilities needed to detect and correlate events. Most eIoT security applications address the problem by adding another point solution to the security stack. However, doing this creates more alerts and noise for SOC teams, making the stack more difficult to manage on a day-to-day basis.
Security and IT Operations teams need a continuous and comprehensive view of eIoT devices and services across their environment: one that quickly establishes visibility, then continually discovers and classifies IoT devices and services so the view of the IoT infrastructure stays up to date. In most instances agents cannot be installed on eIoT devices, so agent-based tracking is not a viable option. Protecting the network therefore depends on a team's ability to profile the behaviours of IoT devices and services, giving a complete picture of how devices act, and interact, across the environment.
2. Advanced Behavioural and ML Driven Detections
Cybersecurity is an asymmetric battle. SecOps needs to defend ever-expanding and complex environments, and data science can be a powerful tool in conquering evolving cybersecurity challenges. Data science holds the promise of helping stretched SOC teams keep up, complementing traditional detection methods based on signatures and complex rule logic.
Building on a strong foundation of discovery and profiling activities, network detection and response (NDR) solutions deliver the same real-time detection capabilities for IoT security as they do for the hybrid network. An NDR solution uses advanced, cloud-scale machine learning (ML) to detect behavioural anomalies and threats, complements those ML detections with a broad spectrum of other detection capabilities, and incorporates threat intelligence to match known malicious domains and IP addresses.
The question is not whether a security event will happen, but when it is going to happen, and IoT devices exacerbate the problem. Traditional security methods are not only blind to IoT threats, but provide very few investigative workflows to understand the scope of an event and respond to it effectively.
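The passive profiling described under consideration 1 and the baseline-plus-threat-intelligence detection described above, as an added illustration that is not ExtraHop's code or the product's logic: it learns each device's peers from a window of constructed flow records (no agent on the device), then flags later flows that hit a constructed threat-intelligence list or that reach a peer absent from the device's baseline, attaching the device's classification for triage context.

```python
from collections import defaultdict

# Constructed device inventory (IP -> classification), standing in for the
# make/model/function an NDR tool derives passively from traffic.
INVENTORY = {"10.0.5.21": "network printer", "10.0.5.40": "VoIP desk phone"}

# Constructed threat intelligence: one known-bad address (TEST-NET-3 range).
THREAT_INTEL = {"203.0.113.9"}

# Constructed flow records (src, dst, dst_port, proto) from a learning window.
BASELINE_FLOWS = [
    ("10.0.5.21", "10.0.1.10", 631, "tcp"),   # printer -> print server (IPP)
    ("10.0.5.21", "10.0.1.5", 53, "udp"),     # printer -> internal DNS
    ("10.0.5.40", "10.0.2.20", 5060, "udp"),  # phone -> SIP PBX
    ("10.0.5.40", "10.0.1.5", 53, "udp"),     # phone -> internal DNS
]

# Constructed flows observed after the learning window.
LIVE_FLOWS = [
    ("10.0.5.21", "10.0.1.10", 631, "tcp"),    # ordinary print job
    ("10.0.5.21", "10.0.3.15", 445, "tcp"),    # printer opening SMB to a file server
    ("10.0.5.40", "203.0.113.9", 443, "tcp"),  # phone talking to the listed address
]


def build_profiles(flows):
    """Return {device_ip: set of (dst, port, proto)} learned from observed flows."""
    profiles = defaultdict(set)
    for src, dst, port, proto in flows:
        profiles[src].add((dst, port, proto))
    return profiles


def detect(profiles, flows, threat_intel, inventory):
    """Flag threat-intel matches first, then peers absent from the device baseline."""
    alerts = []
    for src, dst, port, proto in flows:
        device = inventory.get(src, "unclassified device")
        if dst in threat_intel:
            alerts.append((src, device, "threat-intel", f"{dst}:{port}/{proto}"))
        elif (dst, port, proto) not in profiles.get(src, set()):
            alerts.append((src, device, "new-peer", f"{dst}:{port}/{proto}"))
    return alerts


def peers_of(device_ip, *flow_sets):
    """Triage context: every peer the device has talked to across all windows."""
    return sorted({d for flows in flow_sets for s, d, _, _ in flows if s == device_ip})


if __name__ == "__main__":
    baseline = build_profiles(BASELINE_FLOWS)
    for alert in detect(baseline, LIVE_FLOWS, THREAT_INTEL, INVENTORY):
        print(*alert)
    print("printer peers:", peers_of("10.0.5.21", BASELINE_FLOWS, LIVE_FLOWS))
```

A real deployment would learn baselines from days of traffic and add ML scoring on top; the ordering here (threat-intelligence match before baseline deviation) is what keeps a known-bad destination from being downgraded to a mere "new peer" alert.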
3. Intelligent Response that Rises Above the Noise
Simply detecting IoT threats is not enough, especially with many enterprise SOCs managing hundreds or thousands of alerts each day. Analysts need greater context to understand in seconds whether or not a detection is valid, which other peers the device communicated with, and what exactly was communicated. As insecure IoT devices can provide an initial entry point into the network, SOCs must also be able to tell whether attackers used that entry path to pivot and access sensitive data, and whether that data was exfiltrated.
The best NDR solutions automatically gather contextual information, related detections and packet-level details into a single workflow to streamline and accelerate response actions, including initiating automated responses such as blocking and quarantining via existing security tools. SecOps teams must quickly determine the impact and scope of an IoT event and be able to drill into forensic-level details as fast as possible. NDR solutions provide the intelligence and the speed needed to catch a threat before the damage is done.
As IoT devices are increasingly installed within enterprise networks, Network and Security operations teams need to consider how to monitor the activity of these devices in the context of the entire network to quickly identify potential threats.