In the fall of 2016, a DDOS attack aimed at Dyn, an internet infrastructure company, took down much of Americas’ internet affecting sites like Twitter, CNN, Netflix, Reddit etcetera. Using a  collection of hacked Internet-connected webcams and digital video recorders,  continued streams of automated TCP/IP traffic were sent to the targeted server which overwhelmed and shut it down. This could have been prevented if some kind of a monitoring tool had been deployed which was able to filter out this malicious traffic to ensure timely prevention.


Why can’t we build security in to the devices themselves?

In any discussion about security and the Internet of Things the challenge of securing end devices soon emerges. However, even with the best intentions device requirements are, to a degree, incompatible with security requirements. To be effective many IoT devices need to be low cost so they can be deployed in large numbers. They need to operate for years on a small battery. Both of these requirements constrain the ability to include sufficient processing resources for compute intensive tasks such as encryption. Many are mass-produced at minimal cost with no thought given to protecting them from attack.

This means that many of the approaches to securing an IoT network rely on technology outside the devices themselves. For example , networks can be segmented so a device can communicate only with its assigned destination and/or device and network behavior can be analyzed to determine what is normal and detect abnormalities that could be the result of compromise.

Forrester Research in its TechRadar report Internet of Things Security, 2017 said: “the value of the ability to baseline normal behavior and thus detect abnormal behavior and prevent broad IoT outages means that security analytics has the potential to deliver significant business value for any IoT deployment.”

Forrester goes so far as to say that analytics-based security mechanisms will be essential for detecting IoT attacks and intrusions that are not identified by traditional network security solutions such as firewalls.


Challenges for IoT behavior analytics

The range of different devices that can be deployed in an IoT network is huge and can make the baseline determination of what constitutes ‘normal’ behavior challenging. This baseline of normality must be established for each device type in order for any variation that might indicate compromise to be detected.

VMware subsidiary Airwatch, for example, works with vendors of IoT devices to understand how these operate and to establish device posture – what the device looks like when it is operating normally.

Leon Letto, senior technical marketing architect at Airwatch, says there are many aspects of devices that Airwatch can examine to determine whether a device is in a fit state to do its job, but this must be done for an enormous range of devices.

“Our job is to provide a central platform able to support two or three hundred vendors that produce IoT systems with an API that we can interrogate.

“Airwatch works with the vendor to find out what that posture looks like and how to query it. Then we install an agent on that device to query all those things the vendor has told us will determine whether the device is still in a secure state and we will check in maybe once per hour.”


RSA Security-Project Iris

Another effort in this direction is RSA’s Project IrisProject Iris brings visibility and threat detection to the IoT edge by using statistical techniques and machine learning to flag anomalous behavior occurring on edge gateways or edge devices. Project Iris supports the EdgeX Foundry project, an open source framework for IoT gateways and edge computing with over 60 industry members.

To summarize, monitoring IoT behavior analytics in real time can help make sense of the billions of bits of data being generated to provide threat visibility right at the edge.


Previous blogposts in this series:-

Securing the Internet of Things: Identity in an IoT world

Securing IoT: Segmentation At Scale