The Need for IoT Visibility

Newgen Systems
Thursday, 24 November, 2022



Background

Securing your Internet of Things (IoT) assets has never been more important. The proliferation of IoT devices and connectivity has significantly increased the attack surface for organisations across a variety of industry verticals. To drive down the cost of producing these devices, manufacturers often cut corners, among them the inherent security of the devices and the resources available to secure them. This manifests in a variety of ways, including the use of insecure/clear-text protocols (e.g., HTTP), insecure passwords and default administrative access, and unnecessary services being exposed, often to the public Internet. As a consequence, governments and organisations are defining minimum security standards and policies in an attempt to mitigate some of the risks [1].

Why should organisations care?

IoT devices broadly pose two types of risks to organisations:

  • IoT devices are often used [2] as a vector for initial access into as well as persistence within an organisation. Especially when these devices are exposed to the Internet, they can present attackers with a backdoor that bypasses perimeter security controls.
  • Insecure IoT devices are included in attacker botnets [3] that can then target other organisations and even critical infrastructure. This presents both reputational risk as well as opening the organisation to financial liabilities and fines as the “perpetrator or facilitator” of the crime.

These devices also exist in such volumes that they can no longer all be certified, and chipset manufacturers’ application use cases vary in depth and breadth, making visibility and network security a fundamental challenge.

How should organisations address IoT challenges?

  • The first step is identifying all of the IoT devices on the network, including manufacturer information, services exposed, communication patterns etc. This is unfortunately not a once-off effort, as these devices are constantly popping up and evolving.
  • Harden the devices at initial deployment, including ensuring that only secure protocols are used and changing installation defaults such as passwords and/or administrative access. Secure access to the “control plane” for these devices, including internal controllers and cloud consoles. It is also vital to understand whether these devices have remote access that might bypass organisational security controls and policies, e.g., through the use of remote access tools. Lock down all access as necessary.
  • Monitor these unmanaged devices for unexpected behaviours e.g., connecting to Internet services such as Google Drive or Twitter, enumerating file shares within the organisation, attempting to connect to internal resources or guess passwords.
  • Ensure these devices and the services they use are part of the patch management process. Many of these devices use open-source software components, for example, and thus a vulnerability disclosed in one of those components is also a vulnerability in the IoT device.
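
The identification and monitoring steps above can be sketched over network flow records. This is an added example, not code from Newgen Systems or Arista; the flow records, MAC addresses, hostnames, field layout, expected-destination baseline and both thresholds are constructed assumptions.

```python
from collections import defaultdict

MANAGED = {"aa:bb:cc:00:00:01"}                      # constructed asset inventory
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}    # clear-text protocols by port
# Assumed per-device baseline of expected external destinations
EXPECTED = {"aa:bb:cc:00:00:02": {"updates.camera-vendor.example"}}
SMB_FANOUT_LIMIT = 3   # assumed threshold: distinct internal SMB peers
AUTH_FAIL_LIMIT = 5    # assumed threshold: failed logins per device

# Constructed records: (src_mac, destination, dst_port, dst_is_internal, auth_failed)
FLOWS = (
    [("aa:bb:cc:00:00:01", "intranet.corp.example", 443, True, False)]
    + [("aa:bb:cc:00:00:02", "updates.camera-vendor.example", 443, False, False)]
    + [("aa:bb:cc:00:00:02", "drive.google.com", 443, False, False)]
    + [("aa:bb:cc:00:00:03", f"10.0.5.{i}", 445, True, False) for i in range(1, 5)]
    + [("aa:bb:cc:00:00:03", "10.0.5.9", 23, True, True)] * 6
)

def review(flows, managed=MANAGED):
    """Return {mac: sorted findings} for every device not in the inventory."""
    findings = defaultdict(set)
    smb_peers = defaultdict(set)
    auth_fails = defaultdict(int)
    for mac, dst, port, internal, auth_failed in flows:
        if mac in managed:
            continue                      # behavioural checks target unmanaged devices
        findings[mac].add("unmanaged-device")
        if port in CLEARTEXT:
            findings[mac].add(f"cleartext:{CLEARTEXT[port]}")
        if not internal and dst not in EXPECTED.get(mac, set()):
            findings[mac].add(f"unexpected-destination:{dst}")
        if internal and port == 445:
            smb_peers[mac].add(dst)       # track file-share enumeration fan-out
        auth_fails[mac] += auth_failed    # bool counts as 0 or 1
    for mac, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_LIMIT:
            findings[mac].add("smb-fanout")
    for mac, count in auth_fails.items():
        if count >= AUTH_FAIL_LIMIT:
            findings[mac].add("repeated-auth-failures")
    return {mac: sorted(items) for mac, items in findings.items()}

if __name__ == "__main__":
    for mac, items in review(FLOWS).items():
        print(mac, items)
```

Because devices keep appearing and changing, a check like this is run continuously against fresh flow data rather than once.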

Physical security of these devices is also a major concern since access to the device itself can open up a number of attack vectors. However, this topic is beyond the scope of this paper.

How can Arista help?

Network visibility is a bigger challenge today, especially as we are seeing an explosion of devices, applications and connectivity on the network. Across the typical Arista customer base, we often find more than 50% of devices that initially show up on a network are unmanaged. Arista is uniquely situated to address IoT security challenges given its position at the foundation of the network. By combining decades of experience in network infrastructure with cutting-edge threat research, incident response, and threat hunting expertise, Arista can deliver an AI-driven approach to identify IoT and other unmanaged devices on the network. Arista can then continuously monitor the behaviour to identify threats to and from those devices. Just as importantly, these capabilities can be delivered through the existing campus switching infrastructure and without the need for bolt-on IoT security technologies, thereby reducing operational costs and complexity.

Imagine a platform that can baseline your inventory and provide visibility against your device behaviour to protect your network. Arista NDR is the ideal network detection and response (NDR) platform for the ever-evolving IoT landscape. Using techniques like supervised and unsupervised machine learning, this solution identifies IoT devices, clusters similar devices, spots outliers and detects the usage of these devices as botnets, for command and control and persistence. AVA, Arista’s automated virtual assist, automates much of the detection-investigation-response cycle for IoT and other threats, eliminating tedious manual efforts and allowing the organisation’s analysts to make effective risk management decisions. Why sift through mountains of data when you can reduce your operational expenditure, improve efficiency and accuracy, and finally close the visibility gap that has plagued the IoT domain since its inception? Arista and Newgen Systems have collectively solved it.

If you would like to know more, please visit: http://www.newgensystems.com/arista-networks/.

For some examples of how Arista has helped other customers with their IoT security challenges please read the following case studies:

[1] https://www.nabto.com/us-and-california-iot-security-laws-guide/

[2] https://www.zdnet.com/article/microsoft-russian-state-hackers-are-using-iot-devices-to-breach-enterprise-networks/

[3] https://www.justice.gov/usao-sdca/pr/russian-botnet-disrupted-international-cyber-operation
