SecurityWeek

Security in an IoT World: Your Big Data Problem is Getting Bigger

It’s that time of year for prediction articles and the number has become almost overwhelming. This year, one of the trending topics I’ve noticed is the growth in Internet of Things (IoT) and connected devices and an expected surge in cyber risks. Technology vendors, industry analysts and government experts are all pointing to the need for IoT security. But is this really a prediction, or simply a case of history repeating itself? The attack surface is growing yet again – granted at a drastically higher volume with many more devices – and new threats are emerging to take advantage of these additional vectors. Sounds like a pretty familiar scenario to me.

Gartner projects that to address these risks, we’ll spend $1.93 billion on IoT security in 2019. Ruggero Contu, research director at Gartner, commented that “coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.” The report goes on to say that the absence of “security by design,” along with a lack of prioritization and implementation of security best practices and tools, is hampering IoT security uptake.

Once again, history is repeating itself: until protection catches up, threat actors will remain ahead of defenders, which puts organizations in detection and response mode. To take the right actions quickly to mitigate damage, security operators need a deep understanding of what is happening in their environment and where to focus attention. But as I discussed in my previous article, we have significant room for improvement when it comes to our containment efforts.

Most security operators are already bombarded by massive volumes of logs, data and alerts, which generate a significant amount of noise. With an uptake in IoT devices, the amount of data will increase exponentially in two different ways: 1) more events and alerts related to IoT devices and 2) more external data and intelligence on the adversaries, associated tactics, techniques and procedures (TTPs) and indicators. Our big data problem will become an even BIGGER big data problem. Moreover, much of this data is just noise, as it is not relevant to your organization. And if you apply noise from external sources to your internal systems like the SIEM, your layers of defense (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) or your incident response playbooks, these systems can generate even more noise.

Security operators need a way to prioritize data before uploading it into their tool of choice. Whether working in the SIEM and evaluating alerts, or in an incident response platform looking at a case, this will allow you to focus on what is relevant to your specific environment. Because you have multiple sources of context (external threat intelligence, internal data and intelligence, etc.), a central repository will help aggregate data and alerts and manage and automate the prioritization process. By correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. 

With context, security operators can now prioritize based on relevance. But what is relevant to one company may not be to another. The capability to assess and change risk scores based on parameters you set allows you to filter out what’s noise for you and focus decision making and action.
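As an added illustration (not code from the article or from any vendor), the sketch below aggregates external intelligence from two feeds, correlates it with internal IoT events, and scores each indicator using parameters the organization sets. Every indicator, asset name, weight and threshold is constructed for the example.

```python
# Added illustration: all data, field names and weights below are constructed.
EXTERNAL_INTEL = [  # (indicator, feed, feed confidence 0..1, tags)
    ("198.51.100.7", "feed-a", 0.6, {"iot-botnet"}),
    ("198.51.100.7", "feed-b", 0.8, {"iot-botnet", "telnet-bruteforce"}),
    ("203.0.113.9", "feed-a", 0.9, {"banking-trojan"}),
    ("cam-update.example.net", "feed-b", 0.7, {"iot-botnet"}),
]
INTERNAL_EVENTS = [  # (asset, asset type, indicator observed in local logs)
    ("cam-lobby-01", "ip-camera", "198.51.100.7"),
    ("cam-dock-02", "ip-camera", "198.51.100.7"),
    ("hvac-ctl-01", "building-controller", "cam-update.example.net"),
]
PARAMS = {  # parameters an organization would tune for its own environment
    "tag_weight": {"iot-botnet": 2.0, "telnet-bruteforce": 1.5},
    "asset_weight": {"building-controller": 3.0},
    "points_per_sighting": 10,
    "noise_threshold": 20,
}

def aggregate(intel):
    """Merge the same indicator across feeds: highest confidence, union of tags."""
    merged = {}
    for indicator, _feed, confidence, tags in intel:
        entry = merged.setdefault(indicator, {"confidence": 0.0, "tags": set()})
        entry["confidence"] = max(entry["confidence"], confidence)
        entry["tags"] |= tags
    return merged

def score(entry, sightings, params):
    """External confidence scaled by tag relevance, plus local sightings,
    all scaled by the criticality of the assets involved."""
    tag_mult = max((params["tag_weight"].get(t, 1.0) for t in entry["tags"]), default=1.0)
    asset_mult = max((params["asset_weight"].get(t, 1.0) for _, t in sightings), default=1.0)
    external = entry["confidence"] * 10 * tag_mult
    internal = params["points_per_sighting"] * len(sightings)
    return round((external + internal) * asset_mult, 1)

def prioritize(intel=EXTERNAL_INTEL, events=INTERNAL_EVENTS, params=PARAMS):
    """Return (ranked indicators above the threshold, indicators filtered as noise)."""
    sightings = {}
    for asset, asset_type, indicator in events:
        sightings.setdefault(indicator, []).append((asset, asset_type))
    scored = {i: score(e, sightings.get(i, []), params) for i, e in aggregate(intel).items()}
    ranked = sorted(((i, s) for i, s in scored.items() if s >= params["noise_threshold"]),
                    key=lambda pair: pair[1], reverse=True)
    noise = sorted(i for i, s in scored.items() if s < params["noise_threshold"])
    return ranked, noise

if __name__ == "__main__":
    for indicator, value in prioritize()[0]:
        print(f"{value:6.1f}  {indicator}")
```

In this constructed data set, the indicator with the highest feed confidence is filtered out as noise because it has no local sightings and no relevant tags, while a lower-confidence indicator seen on a critical asset ranks first.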

IoT devices will proliferate not just this year but also going forward, and so will attacks targeting these devices. The good news is that the ability to aggregate, score and prioritize data and alerts within the context of your environment will allow you to take the right actions faster to mitigate IoT risk, just as it did in the past when the attack surface grew and threats evolved to exploit it. Since history repeats itself, it simply makes sense to focus your efforts on these fundamental capabilities and processes. Prioritization and noise reduction will serve you now and well into the future. You’ll be able to deal with your growing big data problem, filter out the noise and detect and respond faster, regardless of the latest threat or vulnerability prognosticators see on the horizon.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
