The ever-growing IoT attack surface
The theme of a recent Infosecurity Europe 2017 Strategy Talk, facilitated by Quocirca, was how to limit the ability of hackers to exploit the expanding IT attack surface created by the deployment of increasing numbers of IoT (Internet of Things) devices. The two panellists, representing the security vendors FireEye and ForeScout (the session sponsor), contended that a better integrated approach to network security was required.
Some estimates regarding future numbers of IoT devices run into the tens of billions (for example, Gartner, Juniper and McKinsey). Quocirca’s own 2016 business-focused research, European Perceptions, Preparedness and Strategies for IoT Security, based on the short-term estimates of German and UK IT managers, were more conservative. However, many may be in denial about the scale of the IoT opportunity they will be expected to enable. The need for IoT device discovery and security is prescient.
The roll-out of IoT devices may be a carefully planned and application-specific or ad hoc, as the rising tides of shadow IT and consumerisation lead lines-of-business and end users to deploy their own devices. Pragmatic IoT security must be generic and able to deal with all types of devices; whether they have been endorsed by IT management or not. Both security products and network design have a part to play.
IoT security is a pressing issue for four reasons. First, there are data protection issues; devices may transmit sensitive information (even IP addresses may be considered personal data under the EU GDPR). Second, IoT devices can be used as ingress points to broader IT infrastructure. Third, IoT devices are being recruited to botnets for the ongoing launch of denial of service attacks. Fourth, attempts to disrupt business processes may be targeted at poorly defended IoT deployments.
This last point is perhaps the most worrying, many IoT deployments are all about the better monitoring and management of critical infrastructure. Such attacks have the potential for kinetic impact beyond cyber-space, for example causing power outages, disrupting transport systems and industrial espionage.
Quocirca’s research shows that most organisations recognise the need to be able to discover and classify IoT devices. Furthermore, there is growing recognition that this must be achieved without on-device agents; the variety of devices and operating system is too great, the device processing power often limited and, of course, ad hoc devices will be unknown when they first connect to a network.
Gateway to the IoT
IoT gateways are turning out to be fundamental from design perspective (see Quocirca Computer Weekly buyer’s guide, No silver bullet for business IoT security). For planned IoT roll-outs, all devices associated with a given application can be deployed behind single gateway where security functions can be aggregated. Gateways can also help with ad hoc device attachments, for example, through isolating network segments for supply chain interactions and guest access.
IoT security needs to recognise new threats and ensure all relevant devices are protected from them. FireEye and ForeScout advocate that their integrated approaches can achieve this at the scale required for current and future IoT deployments.
ForeScout’s CounterACT technology acts as a gateway, discovering, classifying and continuously monitoring network attached devices and ensuring a given level of security. It does not require pre-installed agents to do this (although agents are available for advanced management of known devices). CounterACT can recognise hundreds of different IoT device types, ranging from sensors and probes to printers and security cameras as well as more traditional user end-points.
FireEye’s Network Threat Prevention Platform (NX Series) identifies potential threats on devices via its virtual execution engine (sandbox). It can also identify anomalous behaviours, for example, recognising and blocking the outbound call-backs made by malware to command and control (C&C) systems.
FireEye can inform CounterACT about the threats it discovers via ForeScout’s ControlFabric, a means for sharing security information. CounterACT can then scan other endpoints for presence of the newly identified threats and enact policy-based controls depending on the severity of the threat and priority of the device. End-points can be quarantined, network access limited, remedial actions taken and notifications issued.
ForeScout CounterACT and FireEye NX are complementary, for the former is not equipped to recognise previously unknown threats, whilst the latter does not monitor new devices attaching to networks. The partnership is a good example of how integrated security can achieve a greater level of protection than the sum of that achieved each product alone. Other network security and advanced threat protection products are available.