These days, everything’s “smart.” Everything’s “connected.” Cars, watches, thermostats, power meters, home security systems, glucose meters, toilets, you name it. On the one hand, this Internet of Things is amazing. These devices are cool. They’re convenient. They’re capable of remote control. Some of them can even save you money. It’s an explosion of ingenuity.
Unfortunately, it’s also an explosion of new attack vectors being exploited by some of the less scrupulous inhabitants of cyberspace. The problem with this Internet of Things is that the manufacturers of these devices are not always as concerned about security as we end-users might want them to be. I mean, let’s face it, security isn’t easy. Threat detection isn’t cheap. End-users want to focus on acquiring gadgets and living in the uber-connected world, and would prefer that someone else worry about security and privacy. But because the device-producing companies want to get their smart cars, watches, whatever out and onto the market as quickly as possible, they often end up selling vulnerable systems—including those where there isn’t necessarily an obvious consumer (e.g., smart meters or kiosks).
To date, the answer to security for Internet-connected devices has been to a) ignore the issue, b) depend on the peripheral security on each device and hope it’s enough, or c) push the onus onto the device owners and let them figure it out—for better or for worse.
There Must Be a Better Answer
Luckily, there are better answers. It’s a matter of thinking things through logically and being as consistent and thorough as possible.
Step number one toward smarter security is to determine a device’s “normal.” How does the device operate in a pristine normal state? What’s the device usually sending and receiving? What’s the typical bandwidth usage?
Once you have that baseline data, that’s when you can start to identify deviations and understand when a device has been compromised (e.g., a bandwidth spike on a phone or a medical device connecting to a different monitoring station). With abnormalities identified, you can then start to prepare for and take remedial action, which can include taking a device offline in order to restore it to its normal state.
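The baseline-then-deviation approach described above, as an added example that is not part of the original post: it learns a device’s “normal” (who it talks to and how much it sends per window) from constructed telemetry, flags the two deviations the text names (a bandwidth spike and a medical device reporting to a different monitoring station), and maps findings to a remedial action. Device and host names are made up.

```python
import statistics
from dataclasses import dataclass, field

# Constructed sample telemetry: (device_id, destination, bytes_sent) per 5-minute window.
# The values and names are invented for illustration only.
BASELINE_WINDOWS = [
    ("glucose-meter-01", "monitor-a.example", 1200),
    ("glucose-meter-01", "monitor-a.example", 1350),
    ("glucose-meter-01", "monitor-a.example", 1100),
    ("glucose-meter-01", "monitor-a.example", 1280),
    ("glucose-meter-01", "monitor-a.example", 1220),
]

@dataclass
class Baseline:
    destinations: set = field(default_factory=set)   # hosts seen in the pristine state
    samples: list = field(default_factory=list)      # bytes sent per window

    def mean(self):
        return statistics.mean(self.samples)

    def stdev(self):
        return statistics.pstdev(self.samples)

def learn_baseline(windows):
    """Build each device's 'normal': its usual peers and its typical bandwidth."""
    baselines = {}
    for device, dest, nbytes in windows:
        b = baselines.setdefault(device, Baseline())
        b.destinations.add(dest)
        b.samples.append(nbytes)
    return baselines

def check_window(baselines, device, dest, nbytes, k=3.0):
    """Return deviation labels for one observed window (empty list means normal)."""
    b = baselines.get(device)
    if b is None:
        return ["unknown-device"]
    findings = []
    if dest not in b.destinations:
        findings.append("new-destination")
    # Bandwidth spike: more than k standard deviations above the learned mean.
    # The stdev floor (5% of the mean) keeps near-constant devices from alerting on jitter.
    threshold = b.mean() + k * max(b.stdev(), 0.05 * b.mean())
    if nbytes > threshold:
        findings.append("bandwidth-spike")
    return findings

def recommend_action(findings, safe_to_isolate=True):
    """Map deviations to remediation: take the device offline to restore it, unless
    cutting it off is itself unsafe, in which case escalate for closer inspection."""
    if not findings:
        return "allow"
    return "isolate" if safe_to_isolate else "escalate-for-inspection"
```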
But then what? Isn’t there more that can be done once you’ve learned normal and abnormal and even how to enforce remediation? How do you learn from a threat episode? How do you prevent further attacks? You know the device, the characteristics, but is there a way to get a jump start on preventing further attacks? Is there a way to share—and gather—threat intelligence with other organizations?
The Security Advantages of the Cloud
We know there are billions of devices out there. But if you marry that increase in volume with an increase in bandwidth consumption/production (which is going to be unique to certain types of end devices), then you really only have one place to go in terms of acquiring indispensable scalability, elasticity, and security. That’s the cloud.
While endpoint protection is good, it’s usually single-purpose and doesn’t give you much choice in how to respond. On some devices, when an anomaly is detected, you have the processing power and footprint to do some enforcement and remediation on the device itself. In other cases, you may not want to be doing something to an entity, say, like a connected car that’s carrying human passengers. You’d likely want more choices than simply shutting down or disconnecting.
So what’s better is endpoint enforcement complemented with the broader “oversight” enforcement offered in the cloud. Think about it. If you think a device has been compromised, what can you do to verify that? In the cloud, you can try a lot more things. You can get better telemetry. You can insert an IPS service chain in the middle. With Web application firewalls, you can start looking at other patterns to confirm that the device really has been compromised. You can exercise the flexibility of a cloud orchestration system to nail down detection. You can even choose to use intrusion deception and device fingerprinting technologies to start to engage with hackers and understand their behavior.
In fact, these types of solutions (which are able to truly identify different types of devices) can detect and stop hackers before they have the opportunity to cause damage. And this is so very critical in the connected world.
The oh-so-extensible-and-elastic cloud (made possible thanks to virtualization security, security intelligence, and service chaining) is the perfect place to identify the baseline operation for each device, recognize any deviations from the baseline, and initiate remedial action once a breach is detected. It’s also the best place to support high bandwidth, and it’s where intelligence can be gathered and then shared—because, ultimately, you want to be able to learn from attacks so that you can apply more effective mitigation techniques in the future.