With many IT projects, security is often an afterthought, but that approach puts the business at significant risk. The rise of IoT adds orders of magnitude more devices to a network, which creates many more entry points for threat actors to breach. A bigger problem is that many IoT devices are easier to hack than traditional IT devices, making them the endpoint of choice for the bad guys.
IoT is widely deployed in a few industries, but it is in the early innings still for most businesses. For those just starting out, IT and security leaders should be laying out their security plans for their implementations now. However, the landscape of security is wide and confusing so how to secure an IoT deployment may not be obvious. Below are three things you must consider when creating an IoT security plan.
What to include in an IoT security plan
Visibility is the foundation of IoT security
I’ve said this before, but it’s worth repeating. You can’t secure what you can’t see, so the very first step in securing IoT is knowing what’s connected. The problem is that most companies have no clue. Earlier this year, I ran a survey and asked how confident respondents were that they knew what devices were connected to the network. A whopping 61 percent said low or no confidence. What’s worse is that this is up sharply from three years ago when the number was 51 percent, showing that network and security teams are falling behind.
Visibility is the starting point, but there are several steps in getting to full visibility. This includes:
- Device identification and discovery. It’s important to have a tool that automatically detects, profiles, and classifies what’s on the network and develops a complete inventory of devices. Once profiled, security professionals can answer key questions, such as, “What OS is on the device?” “How is it configured?” and “Is it trusted or rogue?” It’s important that the tool continuously monitors the network so a device can be discovered and profiled as soon as it is connected.
- Predictive analysis. After discovery, the behavior of the devices should be learned and baselined so systems can react to an attack before it does any harm. Once the “norm” is established, the environment can be monitored for anomalies and then action taken. This is particularly useful for advanced persistent threats (APTs) that are “low and slow” where they remain dormant and quietly map out the environment. Any change in behavior, no matter how small, will trigger an alert.
Segmentation increases security agility, stops threats from moving laterally
This is the biggest no brainer in security today. Fortinet’s John Maddison recently talked with me about how segmentation adds flexibility and agility to the network and can protect against insider threats and spillover from malware that has infected other parts of the network. He was talking about it in the context of SD-WAN, but it’s the same problem, only magnified with IoT.
Segmentation works by assigning policies, separating assets, and managing risk. When a device is breached, segmentation stops the threat from moving laterally, as assets are classified and grouped together. For example, a policy can be established in a hospital to put all heart pumps in a secure segment. If one is breached, there is no access to medical records.
When putting together a segmentation plane, there are three key things to consider.
- Risk identification. The first step is to classify devices by whatever criteria the company deems important. This can be users, data, devices, locations, or almost anything else. Risk should then be assigned to groups with similar risk profiles. For example, in a hospital, all MRI-related endpoints can be isolated into their own segment. If one is breached, there’s no access to medical records or other patient information.
- Policy management. As the environment expands, new devices need to be discovered and have a policy applied to them. If a device moves, the policy needs to move with it. It’s important that policy management be fully automated because people can’t make changes fast enough to keep up with dynamic organizations. Policies are the mechanism to manage risk across the entire company.
- Control. Once a threat actor gains access, an attacker can roam the network for weeks before acting. Isolating IoT endpoints and the other devices, servers, and ports they communicate with allows the company to separate resources on a risk basis. Choosing to treat parts of the network that interact with IoT devices differently from a policy standpoint allows the organization to control risk.
Device protection is the final step in IoT security
The priority for IoT security is to protect the device first and then the network. Once an IoT device is secured and joins the network, it must be secured in a coordinated manner with other network elements. Protecting IoT endpoints is a matter of enforcing policies correctly. This is done through the following mechanisms:
- Policy flexibility and enforcement. The solution needs to be flexible and have the ability to define and enforce policies at the device and access level. To meet the demands of IoT, rules need to be enforced that govern device behavior, traffic types and where it can reside on the network. IoT endpoints, consumer devices, and cloud apps are examples where different policies must be established and enforced.
- Threat intelligence. Once controls are established, it’s important to consistently enforce policies and translate compliance requirements across the network. This creates an intelligent fabric of sorts that’s self-learning and can respond to threats immediately. When intelligence is distributed across the network, action can be taken at the point of attack instead of waiting for the threat to come to a central point. The threat intelligence should be a combination of local information and global information to identify threats before they happen.
Unfortunately for network and security professionals, there is no “easy button” when it comes to securing IoT devices. However, with the right planning and preparation even the largest IoT environments can be secured so businesses can move forward with their implementations without putting the company at risk.
Thanks to Zeus Kerravala (see source)