What keeps cybersecurity professionals up at night? That question has always been a scare tactic in a sales pitch, but lately I've thought there is something that really can keep sleep at bay: the Internet of Things. IoT can present some scary challenges for information security pros.
As we retrieve real-time data from IoT devices and count on it to be accurate, it is important to know that those devices are secure and transmitting data that has not been altered. Yet we are not ready to truly protect the billions of devices that are presently online and transmitting data.
In addition, more and more of these devices are being connected to the cloud. That's the stuff of nightmares right there. More direct use of cloud-based storage will expose new targets to threat actors.
To make matters worse, in the coming years more IoT devices will be 5G-enabled, connecting to a 5G network instead of a Wi-Fi router. That will make them more difficult for organizations to monitor and more vulnerable to attack.
These things keep me up at night. To sleep a bit better, I need to change the way I think about how to protect these devices.
Behavioral approach needed
I have a drive—you might even say a mission—to change the way we think about cybersecurity. It is a real shift from a traditional strategy, which normally involves reaction to events and incidents that are displayed on a single console. These incidents are built upon applications, identity and access managers, and databases. I believe we need to move to a more agile strategy.
Conventional approaches for dealing with information security threats are inadequate when it comes to IoT. Organizations have created distributed environments where much of what we need to protect isn't inside the defensive perimeter anymore. But we haven't moved beyond the idea that if we can build the best possible defense for that perimeter, nothing bad can happen.
What we need instead is to deal with threats through behavioral analysis. With behavioral analysis, we can identify rogue devices, privilege-escalation attempts, lateral movement, malware command-and-control events, and other kinds of threat-actor behavior.
In the case of an attacker engaged in lateral movement on a system, for example, suspicious behaviors can be identified such as accessing a shared drive that few of the user's peers access, accessing resources that nobody has accessed recently, or accessing a shared drive more often than that user has in the past.
In the case of data exfiltration, behaviors can be flagged such as a machine sending an above-average amount of data to a certain destination, or making an above-average number of attempts to exfiltrate data.
And in the case of privilege escalation, alerts can be triggered when a user tries to use a service or privileged process that has not recently been used by that user, by that machine, or by anyone else.
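The three behavioral signals above (lateral movement, exfiltration, privilege escalation) all reduce to the same mechanism: build a baseline of who uses what, how often and how much, then flag deviations from that baseline and from the user's peer group. The following Python is an added example written for this article, not code from the author or from any product; the users, teams, file shares, event history and thresholds (peer rarity of 25%, 14-day staleness, 3x multiplier) are constructed assumptions.

```python
"""User-behavior baselines for the lateral-movement, exfiltration and privilege-escalation
signals described above. Added illustration, not code from the original article; all events,
team memberships and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean

HORIZON_DAYS = 30  # length of the constructed history window

def build_history():
    """Constructed 30-day history of (user, team, day, kind, target, size); kind is "share"
    (file-share access), "send" (outbound transfer of size bytes) or "priv" (privileged process)."""
    hist = []
    for d in range(HORIZON_DAYS):
        hist.append(("alice", "sales", d, "share", "fs01/sales", 0))
        hist.append(("alice", "sales", d, "send", "crm.example", 5_000_000))
        hist.append(("dave", "eng", d, "share", "fs02/src", 0))
        hist.append(("dave", "eng", d, "priv", "sudo", 0))
        hist.append(("erin", "hr", d, "share", "fs04/hr", 0))
    for d in range(0, HORIZON_DAYS, 2):
        hist.append(("bob", "sales", d, "share", "fs01/sales", 0))
    for d in range(0, HORIZON_DAYS, 3):
        hist.append(("carol", "sales", d, "share", "fs01/sales", 0))
    hist.append(("dave", "eng", 10, "share", "fs03/archive", 0))  # touched once, 20 days ago
    return hist

class Baseline:
    """Who uses what, how often and how much, derived from historical events."""

    def __init__(self, history, horizon_days):
        self.horizon = horizon_days
        self.team_members = defaultdict(set)  # team -> users
        self.target_users = defaultdict(set)  # (kind, target) -> users seen using it
        self.last_seen = {}                   # (kind, target) -> most recent day
        self.count = defaultdict(int)         # (user, kind, target) -> accesses; "*" = any target
        self.sizes = defaultdict(list)        # (user, target) -> bytes per transfer; "*" = any
        for user, team, day, kind, target, size in history:
            self.team_members[team].add(user)
            self.target_users[(kind, target)].add(user)
            self.last_seen[(kind, target)] = max(self.last_seen.get((kind, target), -1), day)
            self.count[(user, kind, target)] += 1
            self.count[(user, kind, "*")] += 1
            if kind == "send":
                self.sizes[(user, target)].append(size)
                self.sizes[(user, "*")].append(size)

    def daily_rate(self, user, kind, target):
        """Accesses per day of this target, falling back to the user's rate for any target."""
        n = self.count.get((user, kind, target)) or self.count.get((user, kind, "*"), 0)
        return n / self.horizon

    def typical_size(self, user, target):
        past = self.sizes.get((user, target)) or self.sizes.get((user, "*"))
        return mean(past) if past else None

def score_day(baseline, events, today, peer_rarity=0.25, stale_days=14, multiplier=3.0):
    """Return (user, category, detail) findings for one day's events."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0})
    for user, team, _day, kind, target, size in events:
        agg[(user, team, kind, target)]["count"] += 1
        agg[(user, team, kind, target)]["bytes"] += size
    findings = []
    for (user, team, kind, target), a in agg.items():
        users_of_target = baseline.target_users.get((kind, target), set())
        expected = baseline.daily_rate(user, kind, target)
        if kind == "share":  # lateral-movement indicators
            peers = baseline.team_members.get(team, set()) - {user}
            if peers and len(users_of_target & peers) / len(peers) <= peer_rarity:
                findings.append((user, "lateral", f"{target}: few or no peers use this share"))
            last = baseline.last_seen.get((kind, target))
            if last is None or today - last > stale_days:
                findings.append((user, "lateral", f"{target}: untouched by anyone for >{stale_days} days"))
            if expected > 0 and a["count"] > multiplier * expected:
                findings.append((user, "lateral", f"{target}: {a['count']} accesses vs {expected:.1f}/day"))
        elif kind == "send":  # exfiltration indicators
            typical = baseline.typical_size(user, target)
            if typical and a["bytes"] > multiplier * typical:
                findings.append((user, "exfil", f"{target}: {a['bytes']} bytes vs {typical:.0f} typical"))
            if expected > 0 and a["count"] > multiplier * expected:
                findings.append((user, "exfil", f"{target}: {a['count']} transfers vs {expected:.1f}/day"))
        elif kind == "priv" and user not in users_of_target:  # privilege-escalation indicator
            who = "this user" if users_of_target else "anyone"
            findings.append((user, "privesc", f"{target}: not recently used by {who}"))
    return findings

TODAY = HORIZON_DAYS
TODAY_EVENTS = [  # constructed events for the day being scored
    ("alice", "sales", TODAY, "share", "fs01/sales", 0),           # routine
    ("alice", "sales", TODAY, "share", "fs04/hr", 0),              # share no sales peer uses
    ("alice", "sales", TODAY, "share", "fs03/archive", 0),         # nobody has touched it for 20 days
    ("alice", "sales", TODAY, "send", "crm.example", 20_000_000),  # 4x her usual daily volume
    ("bob", "sales", TODAY, "priv", "svc-remote-admin", 0),        # privileged service nobody has used
    ("dave", "eng", TODAY, "priv", "sudo", 0),                     # routine for dave
] + [("bob", "sales", TODAY, "share", "fs01/sales", 0)] * 4        # 4 accesses vs 0.5/day baseline

def run_example():
    return score_day(Baseline(build_history(), HORIZON_DAYS), TODAY_EVENTS, TODAY)

if __name__ == "__main__":
    for user, category, detail in run_example():
        print(f"{user:6} {category:8} {detail}")
```

Running it produces six findings: three lateral-movement flags for alice (an HR share none of her sales peers use, an archive share nobody has opened in 20 days), an exfiltration flag for her 20 MB transfer against a 5 MB daily norm, a privilege-escalation flag for bob's first use of a privileged service no one has touched, and a frequency flag for bob hitting the sales share four times against his 0.5-per-day baseline. Dave's routine sudo use and alice's routine share access produce nothing, which is the point: the rules fire on deviation from the entity's own history and its peer group, not on the action itself.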
Lack of agility
Traditional information security approaches also lack the agility to cope with the expanded attack surface created by a plethora of IoT devices. With the conventional approach to information security, defenders try to build the best fortification they can around their data crown jewels. That approach lacks flexibility, because once the castle walls are breached—and in today's world, they're always breached—an attacker is free to move laterally through the system.
In addition, while information can flow freely within the walls, accessing and moving it outside the walls is difficult. That's especially problematic in a world where information needs to be shared in many locations by many different people and devices.
With a more agile approach, data jewels are kept in plain sight—much as valuable objects are exposed in a museum—but access to the jewels is tightly controlled and activity around the jewels closely monitored. Access controls allow an organization to change who or what has access to the jewels as conditions change. A new hire is going to need to be granted some access, for example, and an exiting employee's access will need to be revoked. By closely monitoring activity around valuable intellectual property, anomalous behavior can be detected.
For example, a North American service account might be detected being used from Asia. The account tries to access sensitive information it's not authorized to access, such as sales figures, costing, and future design plans. In addition, it starts running a scanner in an attempt to find connected IoT/SCADA sensors. All that activity would be flagged as anomalous behavior that needs immediate scrutiny.
Monitoring devices
Today's tools allow defenders to monitor the behavior not only of people, but also of things. We're finding that the models developed to control users' access to resources can also be used to control what resources devices may access, and to expose devices that have been compromised.
Is the device issuing unusual commands? That could be a sign of device compromise. So, too, could an unusual spike in events emanating from the device or an unusual number of failed authentication attempts. Other anomalous behaviors include device activity at unusual times, connection to an unusual destination, or an unusual number of network connections.
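Each indicator in the paragraph above can be checked against a per-device baseline: a vocabulary of commands the device has issued, the hours it is normally active, the destinations it normally contacts, and per-day counts of events, connections and failed authentications. The Python below is an added example written for this article, not code from the author or from any product; the device names, the telemetry, the 3-standard-deviation and 1.5x-mean thresholds, and the address 198.51.100.7 (an RFC 5737 documentation address) are constructed assumptions. It also covers the rogue-device case mentioned earlier: a device with no baseline at all is reported rather than silently scored.

```python
"""Device-behavior baselines for the compromise indicators listed above: unusual commands,
event spikes, failed authentications, unusual hours, destinations and connection counts.
Added illustration, not code from the original article; devices, telemetry and thresholds
are constructed assumptions (198.51.100.7 is an RFC 5737 documentation address)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

def build_history():
    """Constructed 14-day telemetry of (device, day, hour, kind, detail); kind is "cmd"
    (command issued by the device), "conn" (outbound connection) or "auth_fail" (failed login)."""
    hist = []
    for dev in ("hvac-07", "cam-12"):
        for day in range(14):
            last_hour = 21 + day % 3  # 21, 22 or 23: a little day-to-day variance
            for hour in range(6, last_hour + 1):
                hist.append((dev, day, hour, "cmd", "report_status"))
                hist.append((dev, day, hour, "conn", "cloud.example"))
    return hist

class DeviceBaseline:
    """What each device normally does: command vocabulary, active hours, destinations,
    and per-day counts of events, connections and failed authentications."""

    def __init__(self, history):
        self.commands = defaultdict(set)
        self.dests = defaultdict(set)
        self.hours = defaultdict(set)
        self.daily = defaultdict(lambda: defaultdict(Counter))  # device -> day -> Counter
        for dev, day, hour, kind, detail in history:
            self.hours[dev].add(hour)
            if kind == "cmd":
                self.commands[dev].add(detail)
            elif kind == "conn":
                self.dests[dev].add(detail)
            self.daily[dev][day][kind] += 1
            self.daily[dev][day]["events"] += 1

    def samples(self, dev, kind):
        """Historical per-day counts of kind for a device (0 on days without any)."""
        return [day_counts[kind] for day_counts in self.daily[dev].values()]

def exceeds(value, samples, k=3.0, floor=1.5):
    """True when value is beyond mean + k standard deviations AND beyond floor * mean, so a
    near-constant history with tiny variance does not flag every small change."""
    if not samples:
        return value > 0
    mu, sd = mean(samples), pstdev(samples)
    return value > mu + k * sd and value > floor * mu

def score_devices(baseline, events, k=3.0, floor=1.5):
    """Return (device, category, detail) findings for one day's telemetry."""
    by_dev = defaultdict(list)
    for ev in events:
        by_dev[ev[0]].append(ev)
    findings = []
    for dev, evs in by_dev.items():
        if dev not in baseline.daily:  # rogue device: never seen before, nothing to compare against
            findings.append((dev, "rogue", "no baseline: device never seen before"))
            continue
        today, new_cmds, new_dests, odd_hours = Counter(), set(), set(), set()
        for _dev, _day, hour, kind, detail in evs:
            today[kind] += 1
            today["events"] += 1
            if hour not in baseline.hours[dev]:
                odd_hours.add(hour)
            if kind == "cmd" and detail not in baseline.commands[dev]:
                new_cmds.add(detail)
            if kind == "conn" and detail not in baseline.dests[dev]:
                new_dests.add(detail)
        findings += [(dev, "command", f"{c}: never issued before") for c in sorted(new_cmds)]
        findings += [(dev, "destination", f"{d}: never contacted before") for d in sorted(new_dests)]
        findings += [(dev, "time", f"active at {h:02d}:00, outside baseline hours") for h in sorted(odd_hours)]
        for kind, category in (("events", "event_rate"), ("conn", "connections"), ("auth_fail", "auth_fail")):
            hist = baseline.samples(dev, kind)
            if exceeds(today[kind], hist, k, floor):
                findings.append((dev, category, f"{today[kind]} today vs {mean(hist):.1f}/day baseline"))
    return findings

def todays_telemetry():
    """Constructed telemetry for day 14."""
    evs = []
    for hour in range(6, 22):  # hvac-07's routine day
        evs.append(("hvac-07", 14, hour, "cmd", "report_status"))
        evs.append(("hvac-07", 14, hour, "conn", "cloud.example"))
    evs.append(("hvac-07", 14, 3, "cmd", "open_shell"))       # command never seen, at 03:00
    evs += [("hvac-07", 14, 3, "auth_fail", "ssh")] * 12      # failed logins; baseline is zero
    evs += [("hvac-07", 14, 3, "conn", "198.51.100.7")] * 40  # new destination, many connections
    for hour in range(6, 23):  # cam-12 behaves as usual
        evs.append(("cam-12", 14, hour, "cmd", "report_status"))
        evs.append(("cam-12", 14, hour, "conn", "cloud.example"))
    evs.append(("plc-99", 14, 9, "conn", "cloud.example"))    # device with no baseline at all
    return evs

def run_example():
    return score_devices(DeviceBaseline(build_history()), todays_telemetry())

if __name__ == "__main__":
    for dev, category, detail in run_example():
        print(f"{dev:8} {category:12} {detail}")
```

The combined threshold in exceeds matters in practice: IoT devices often behave almost identically day to day, so a pure standard-deviation test would alert on a single extra heartbeat. Requiring the count to also exceed 1.5x the mean keeps cam-12's ordinary day quiet while hvac-07's 85 events (against a baseline near 34), 56 connections and 12 failed logins are each reported separately, alongside its unknown command, unknown destination and 03:00 activity.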
As IoT behavior intelligence is embraced by more organizations, they will be better equipped to foil advanced attacks and detect insider threats. I believe we finally have solutions to the cybersecurity problems facing us. Now it's a matter of shifting the industry's mindset. When we do that, I'll be able to sleep more comfortably at night.