A three-step approach to face up to the challenges of IoT security monitoring
New IoT business applications are appearing each day, using connected devices and sensors to more efficiently or intelligently monitor and manage all types of processes and environments. Many companies now rely on IoT solutions to smoothly manage their spaces, using sensors to detect everything from temperature and humidity to the quantity and flow of people and assets like cars.
But as convenient as IoT solutions can be, they also present new security risks. Not only is the number of devices growing by orders of magnitude, the devices may also be exposed to physical access. This means that the border between virtual and physical security vanishes. To best manage these risks, we need to foster and extend traditional security management and monitoring towards innovative approaches: prevention, anomaly detection and automated response.
A renewed emphasis on prevention
In many IoT applications, devices such as sensors are installed in large numbers around a site and can be a point of entry for hackers. Take the case of real-time office occupancy monitoring, where sensors measure the number and flow of people in each space, relaying this data over the local Wifi network back to a centralized platform for processing. By exploiting a vulnerability in a single sensor, an attacker could potentially gain access to the Wifi network to find sensitive company data or to misuse the sensor for their own purposes.
On top of this, since identical IoT devices may use the same firmware, if a hacker finds an entry point into one, they could potentially access data from hundreds to thousands or even millions of devices by taking advantage of their shared vulnerability. Even if not much damage can be done through one device, by harnessing millions of devices, hackers can, for example, build extremely powerful botnets to perform large DDoS attacks. The good news is that the risk of these types of attacks can be minimized through standard preventative procedures, including carefully checking new devices before deployment, keeping the firmware up-to-date, and performing regular security checks. Ideally, these tasks are part of an automated assessment and management process, so that the vast number of devices can be handled efficiently.
Moving from device monitoring to anomaly detection
The security risks of IoT infrastructure aren’t limited to compromised hardware but can also involve the communication path of data from the device to the backend, i.e., the database itself, where all of the IoT data is stored, as well as the representation layer, i.e., the user interface. It’s clear that close security monitoring is required, but with the limited capabilities of IoT devices, the standard method of monitoring CPU, memory use and specific processes is no longer feasible. When it comes to IoT, it is important to have an overall and contextualised view of the whole network, and this is where anomaly detection solutions can help to keep a close eye on security threats at all points.
What does this entail? Rather than monitoring individual devices, anomaly detection technologies can identify issues by leveraging machine learning or deep learning with advanced data classification to detect changes in the behaviour of the elements within the IoT environment. The idea is to identify rare or suspicious events that differ from the majority or expected events. For example, if a sensor typically sends data every 10 seconds to the backend, but suddenly changes its pattern, or if a smart heating valve suddenly connects to an email server, this could indicate malicious activity. The same goes for backend monitoring. If the amount of incoming data suddenly changes, this could mean either that an extraordinary event has occurred or that malicious activity is being carried out. By just observing logs without understanding the baseline behaviour, it would be impossible to detect such malicious activities.
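The baseline-then-deviation logic described above, as an added example that is not part of the original article: it learns each device's typical send interval and known peers from past connection records, then flags the two patterns the text names (a sensor changing its cadence, a valve contacting a mail server). Device names, hosts and the records themselves are constructed sample data.

```python
# Added example (not from the original article): learn a per-device baseline from
# past connection records and flag deviations of the two kinds the text describes:
# a changed send cadence and a connection to a destination never seen before.
# Device names, hosts and the events below are constructed sample data.
from collections import defaultdict
from statistics import median

BACKEND = ("iot-backend.corp.example", 8883)          # MQTT over TLS, constructed
# Records are (timestamp_s, device, destination_host, destination_port).
BASELINE_EVENTS = (
    [(t, "occupancy-sensor-17", *BACKEND) for t in range(0, 600, 10)]   # every 10 s
    + [(t, "heating-valve-03", *BACKEND) for t in range(0, 600, 60)])   # every 60 s
RECENT_EVENTS = (
    [(600 + t, "occupancy-sensor-17", *BACKEND) for t in range(30)]     # now every 1 s
    + [(600, "heating-valve-03", *BACKEND), (601, "heating-valve-03", "smtp.mail.example", 25),
       (660, "heating-valve-03", *BACKEND), (720, "heating-valve-03", *BACKEND)])

def _gaps(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def learn_baseline(events):
    """Per device: typical interval between records (median) and known (host, port) peers."""
    times, peers = defaultdict(list), defaultdict(set)
    for ts, dev, host, port in sorted(events):
        times[dev].append(ts)
        peers[dev].add((host, port))
    return {dev: {"interval": median(_gaps(ts)) if len(ts) > 1 else None,
                  "peers": peers[dev]} for dev, ts in times.items()}

def detect(events, baseline, tolerance=0.5):
    """Return sorted (device, reason) findings; each reason is reported once per device."""
    findings, times = set(), defaultdict(list)
    for ts, dev, host, port in sorted(events):
        base = baseline.get(dev)
        if base is None:                       # no baseline at all: unknown device
            findings.add((dev, "unknown device"))
            continue
        if (host, port) not in base["peers"]:  # e.g. a valve reaching a mail server
            findings.add((dev, f"new destination {host}:{port}"))
        times[dev].append(ts)
    for dev, ts in times.items():
        gaps, expected = _gaps(ts), baseline[dev]["interval"]
        if gaps and expected and abs(median(gaps) - expected) > tolerance * expected:
            findings.add((dev, f"send interval {median(gaps):.0f}s vs baseline {expected:.0f}s"))
    return sorted(findings)

FINDINGS = detect(RECENT_EVENTS, learn_baseline(BASELINE_EVENTS))
```

In a real deployment the baseline would be learned from a longer history and refreshed as devices are added or reconfigured, otherwise legitimate changes turn into noise.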
Rapid response and containment through automation
Once an anomaly has been detected and marked as suspicious, a rapid analysis and response is necessary to ensure that the breach is contained efficiently. This is where automation becomes essential, as it isn’t possible for security teams to manually assess the thousands or millions of devices and indicators of compromise at the same time. The challenge is to instantly collect and identify which information is relevant in the given context in order to apply the best response and keep the impact of an attack to a minimum. Security Orchestration, Automation and Response (SOAR) solutions can offer the technical support for such tasks.
In the given context, a SOAR solution needs to fulfil two functions. First, it needs to collect all relevant information to allow the security analyst to gain an understanding of the situation, or even to initiate a response automatically. Second, it needs to interact seamlessly with the main corporate security technologies, such as the Security Incident and Event Management (SIEM) system, firewalls, and infrastructure elements like switches or routers. The aim is to, for example, swiftly quarantine an individual device, automatically reconfigure the network to avoid an attacker moving laterally through the organisation, and to inform all stakeholders about the issue.
Taking advantage of new IoT solutions through a solid approach to security
Although IoT solutions add another level of complexity for the Security Operations Center and Computer Security Incident Response Team, by ensuring that both teams have aligned their toolbox and operations with this three-step approach, you can more confidently face up to the challenges that IoT brings and focus on the powerful new benefits and conveniences that this new technology offers.
Starting my professional career at the public research center Henri Tudor in Luxembourg, I was mainly working on security and network related topics in health care. During my time there, I was involved in the secure setup and operation of the Luxembourgish intranet for Healthcare professionals: HealthNet. Heading back to academia in 2008, I received my Ph.D. from the University of Luxembourg in 2012. Since joining POST Luxembourg, I continued working on security-related topics, now being Head of the CyberDefense team, which is part of POST CyberForce. The responsibilities within CyberDefense cover the traditional “Blue team” tasks of the Security Operations Center (SOC) and the Computer Security Incident Response Team (CSIRT). In the course of my activities at POST, my aim is to protect our customers through a constant evolution of services through high quality and innovative solutions and services.