IoT Security

Every “Thing” Everywhere All at Once

Every asset in an organization’s inventory that is not accounted for and protected is a potential attack vector that an attacker can use to gain access or move undetected.

IoT Risks

In the movie Everything Everywhere All at Once, protagonist Evelyn Wang must travel between dimensions to confront and defeat an evil that threatens her family’s existence in their home universe. For Wang it is a confusing and taxing fight: to overcome each challenge she meets, she has to draw on the information, experience, and power she gains while navigating the multiverse. It’s a convoluted story arc, and not unlike the day-to-day of a CISO working to protect the modern enterprise and the ever-growing universe of “things” being deployed in it.

The Modern Enterprise is a Multiverse

Like Evelyn Wang’s world, today’s technology estates are convoluted, multi-dimensional environments where decisions made anywhere have implications everywhere. Multi-campus, multi-cloud, on-premises, cloud-based, mobile, and software-defined are all common terms describing a single enterprise. Then you have to account for the physical and virtual assets that make up a typical environment, many of which come and go, connect and disconnect, independent of IT management. It’s hard to keep up, but keep up you must, because threat actors are constantly on the prowl for vulnerabilities that will let them carry out whatever attack they have in mind.

A recent conversation I had with the CISO of a large enterprise illustrates the dilemma.

“I am responsible for every device, whether I know about it or not,” he said. “Because we don’t know all of the devices that are connected to the network, we have blind spots that are unprotected.”

What You See Isn’t All You Get

To protect a technology estate, you need to be able to see across the network, in real time, and have information in context for making good decisions. That is a tall order for any organization, but especially for those that run a sprawling IT estate. In a 2022 study commissioned by IBM, technology analyst firm IDC found that the 29 organizations it studied managed an average of 2.7 million IT assets each. That’s a lot of systems and devices, and it counts only the ones in the known inventory. Another report found that as many as 20% of an organization’s IT assets may be invisible to IT management and security operations, meaning more than a half-million unmanaged, and therefore potentially unsecured, things are operating in the average enterprise.

Of that 20%, not all of it is traditional IT that has simply gotten lost in a fast-growing technology environment. Because connectivity is so essential, a lot of things that constitute the Internet of Things (IoT) end up attaching themselves to the enterprise network. In our experience here at Ordr, we’ve seen exercise equipment, gaming consoles, Kegerators, Tesla automobiles, and a lot more operating alongside mission-critical IT systems, Internet of Medical Things (IoMT) devices, operational technology (OT), and plenty more.

Real-time Asset Inventory Is the Foundation for Security

Every asset in an organization’s inventory that is not accounted for and protected is a potential attack vector: either an entry point or a step along a lateral-movement path that an attacker can use to gain access or move undetected. Threat actors know this and are increasingly targeting IoT to take advantage of it. One cybersecurity firm says attacks targeting IoT devices have increased 700% since 2020, and Microsoft security researchers recently discovered “a sophisticated attack campaign” targeting IoT devices.

That puts a lot of pressure on the CISO, and it also feeds a vicious asset management and security cycle: if you can’t keep track of all assets, IoT included, you can’t properly identify your attack surface. That attack surface includes assets with known vulnerabilities, assets running outdated operating systems, and devices missing a security agent or patches. It also means IT and security operations aren’t running at maximal efficiency, because the context on which decisions are made (and automated) is less precise. Threats thrive in chaos, so risk increases when assets are not fully inventoried, monitored, and managed in real time.


Three Security Considerations To Navigate The Modern Asset Universe

When security blind spots are a problem, the best first step toward a remedy is to employ tools that give IT and security teams visibility into the enterprise’s cracks and crevices. But there are considerations for this:

  • Granular context matters – Asset visibility must include deep threat and asset context. This requires a combination of methods to continuously discover and classify an asset: deep packet inspection of network traffic, integration APIs, and flow data such as NetFlow. For example, to determine whether you are affected by a zero-day like the MOVEit Transfer vulnerability, you must know which applications are actually running on each device. Similarly, to identify vulnerabilities that affect your assets, you may need to know the specific minor version of the operating system in use.
  • Behavioral analysis via AI can be a differentiator – Devices are deterministic: a video surveillance camera, an HVAC system, or a medical device each has specific network behaviors based on its function. The ability to baseline these communication patterns not only surfaces anomalies (early indicators of a potential compromise) but also informs the foundational Zero Trust policies used to secure those devices.
  • Automated policies are important to scale – When there are hundreds of thousands of connected devices on the network, the only way to secure them is via automated policies. This means dynamically generating proactive Zero Trust policies that permit only “baseline” communications for mission-critical devices, or generating reactive policies to block ports, move devices to a different segment, or terminate sessions. When a device fits a specific profile, a pre-defined policy can be applied automatically; for example, a vulnerability scan can be triggered when a new device is discovered on the network.
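The three considerations above describe one pipeline: learn each device’s normal communications, flag deviations, and turn the result into policy. The following is an added example, not Ordr’s product code or anything from the original column, that carries the pipeline through on constructed flow records. It assumes a collector that has already reduced traffic to (device, destination IP, destination port, protocol) tuples; the device names, addresses and ports are invented for illustration.

```python
"""Baseline per-device network behavior from flow records and derive
Zero Trust policies from it.  Added example with constructed data; the
device names, IPs and ports below are assumptions, not real captures."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarised connection, as a NetFlow or DPI collector would report it."""
    device: str     # asset identifier from the inventory (e.g. a MAC address)
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"


Endpoint = Tuple[str, int, str]

# Constructed learning-period traffic for two known devices.
LEARNING_FLOWS = [
    Flow("cam-01", "10.0.5.10", 554, "tcp"),      # RTSP to the video recorder
    Flow("cam-01", "10.0.5.10", 554, "tcp"),
    Flow("cam-01", "10.0.0.53", 123, "udp"),      # NTP
    Flow("hvac-01", "10.0.7.20", 47808, "udp"),   # BACnet to the building controller
    Flow("hvac-01", "10.0.0.53", 123, "udp"),
]

# Constructed traffic observed after the baseline was learned.
OBSERVED_FLOWS = [
    Flow("cam-01", "10.0.5.10", 554, "tcp"),
    Flow("cam-01", "10.0.9.77", 445, "tcp"),      # SMB to a workstation: never seen before
    Flow("hvac-01", "10.0.7.20", 47808, "udp"),
    Flow("printer-07", "10.0.0.53", 123, "udp"),  # device absent from the baseline entirely
]


def build_baseline(flows: Iterable[Flow]) -> Dict[str, Set[Endpoint]]:
    """Per-device set of (dst_ip, dst_port, proto) seen during the learning window."""
    baseline: Dict[str, Set[Endpoint]] = defaultdict(set)
    for f in flows:
        baseline[f.device].add((f.dst_ip, f.dst_port, f.proto))
    return dict(baseline)


def find_anomalies(baseline: Dict[str, Set[Endpoint]], flows: Iterable[Flow]) -> List[Flow]:
    """Flows from a known device to an endpoint outside its learned baseline."""
    return [f for f in flows
            if f.device in baseline
            and (f.dst_ip, f.dst_port, f.proto) not in baseline[f.device]]


def proactive_policy(device: str, baseline: Dict[str, Set[Endpoint]]) -> List[dict]:
    """Allow-list rules for the device's baseline endpoints, then a default deny."""
    rules = [{"action": "allow", "src": device, "dst": ip, "port": port, "proto": proto}
             for ip, port, proto in sorted(baseline[device])]
    rules.append({"action": "deny", "src": device, "dst": "any", "port": "any", "proto": "any"})
    return rules


def reactive_policy(anomaly: Flow) -> dict:
    """Block the unexpected session and move the source device to a quarantine segment."""
    return {"action": "block", "src": anomaly.device, "dst": anomaly.dst_ip,
            "port": anomaly.dst_port, "proto": anomaly.proto, "then": "quarantine"}


def respond(baseline: Dict[str, Set[Endpoint]], flows: Iterable[Flow]) -> dict:
    """Automated playbook: scan never-seen devices, block anomalous flows from known ones."""
    actions = {"scan": [], "block": []}
    for f in flows:
        if f.device not in baseline:
            if f.device not in actions["scan"]:
                actions["scan"].append(f.device)   # new device -> trigger a vulnerability scan
        elif (f.dst_ip, f.dst_port, f.proto) not in baseline[f.device]:
            actions["block"].append(reactive_policy(f))
    return actions


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    for rule in proactive_policy("cam-01", base):
        print("proactive:", rule)
    for action, items in respond(base, OBSERVED_FLOWS).items():
        print(action, items)
```

One caveat a practitioner should keep in mind: the baseline is only as trustworthy as the learning window. A device that is already compromised while its behavior is being learned will have the attacker’s traffic encoded into its allow-list, so compare the generated rules against the vendor’s documented ports and peers before switching them from monitor to enforce.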

Evelyn Wang learned how to navigate between dimensions of the multiverse to tackle challenges that were not visible from her home dimension. CISOs must gain the means to see every asset across a multidimensional enterprise with fidelity and granular context. Only then will they be able to identify their attack surface and close the security gaps that put their enterprise at risk.

Related: White House Unveils Cybersecurity Labeling Program for Smart Devices

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
