Even as the
technology industry continues to scramble to protect personal computers,
datacenters and other traditional IT systems from increasingly sophisticated
cyberattacks, a new attack target has emerged – the Internet of Things (IoT).
To protect their IoT applications from attack, organizations are working to
adopt for the IoT the same cybersecurity strategy which has proven to be highly
effective for traditional IT infrastructure – Defense in Depth. A Defense in Depth
strategy leverages edge device, network and cloud security capabilities, along
with end-to-end encryption, to create layers of protection that make it harder
for an attacker to affect an IoT application, and easier to detect, isolate and
remediate successful attacks. Implementing an IoT security Defense in Depth
strategy is complicated, and often requires the creation of a large, dedicated
IoT security team to effectively execute. However, a security orchestration
approach to IoT security can simplify the implementation of a Defense in Depth
strategy, and addresses the cost, complexity and other problems that have made
it difficult and expensive for companies to build robust end-to-end security
into their IoT applications.

The Unique Challenges Involved in IoT Security

IoT applications can be attractive targets for cyberattacks for a wide variety of reasons. An
attacker may want to penetrate the application to steal data or disrupt
operations in ways that are either subtle (to make minor adjustments to sensor data
to mislead business intelligence systems relying on that data) or overt (to disable
the entire application with ransomware). They may want to penetrate the
application in order to leverage the aggregate processing horsepower or
internet bandwidth of a large number of IoT devices to mine cryptocurrencies or
to operate mercenary “DDoS for hire” botnets. Or they may want to leverage an
insecure edge device to launch a “pivot attack” on the network to which that
device is attached. For example, in 2018 Darktrace reported an incident they
investigated where a casino network was compromised and its high-roller
database was extracted through an internet-connected thermostat used in the
casino’s lobby aquarium. There are almost as many reasons to hack into IoT
applications as there are IoT applications themselves.
Securing IoT
applications against these myriad forms of attack is also more complicated than
for traditional IT systems. First, the edge devices used for IoT applications
are often low cost and easily obtainable, making it relatively easy to perform
“tear downs” to identify exploitable vulnerabilities. Second, these edge devices
are often deployed in accessible, unsupervised locations, which makes it easier
to tamper with them without being detected. And third, IoT application edge devices
are often deployed in large numbers with tight constraints on their bandwidth
and battery power, making it more difficult to deploy security updates in a
timely fashion.

Benefits of Defense in Depth

A Defense in Depth cybersecurity strategy can address many of the unique challenges related
to IoT application security. Such a strategy strives to slow down and dramatically
increase the cost of an attack by forcing the attacker to circumvent multiple
security mechanisms in order to gain access to the target. This discourages
most attackers who don’t have a specific interest in the IoT application. For
example, crypto-miners and DDoS botnet operators will in general move along to
easier targets if they are frustrated by an attack. At the same time, Defense
in Depth also slows down more persistent attackers, while also providing the
IoT application owner with more opportunities to detect their efforts and
deploy countermeasures before the attackers can achieve their goals.

Defense in Depth takes many forms, and IoT application designers should strive to deploy
as many of them as possible. For example, designers should ensure their Defense
in Depth strategy forces an attacker attempting to intercept communications
from an edge device to the cloud to compromise a cellular carrier firewall to
access a private APN, then a VPN tunnel between the device and the cloud, and
then penetrate application-layer encryption to get at the actual data.

No system can be made perfectly secure, but, like medieval castles, IoT Defense in Depth mechanisms
like those described above complement each security mechanism (moat, castle
wall, keep) with another, making it much more difficult for an attacker to
fully penetrate the application. When properly executed, such a strategy will
frustrate attackers and cause them to give up, and also increase the
probability that an attack is detected before it can succeed or cause
significant damage.

Large, Dedicated IoT Security Teams – Effective, But Resource-Intensive

However, implementing an IoT Defense in Depth security strategy is complicated, as
companies need to manage security on different types of devices, multiple
connectivity service providers and various cloud service providers. They need
to ensure all these security mechanisms are kept in sync and work smoothly
together. The entire process is both difficult and time-consuming – much more
so than for web or other types of applications.

Some larger companies have succeeded in implementing IoT Defense in Depth strategies by
creating dedicated teams of experts versed in the security of the key elements
of an IoT application (edge device, network connectivity and cloud management).
These experts implement a Defense in Depth strategy by ensuring each element of
the application has the most up-to-date security possible, while also
coordinating to protect the points where each element integrates with the others.
This approach can be effective, especially as the resulting Defense in Depth
strategy is specifically designed to address the vulnerabilities of the
company’s particular IoT applications. However, this approach is complicated,
and requires the investment of extensive time and resources.

For example, an IoT security team still has to manually configure their VPN for different
devices, different network connectivity service providers and different cloud
service providers. All the edge device and network firewalls must be kept in
sync, with trusted hosts added to white lists, along with new ports and
protocols. This approach, using different interfaces to adjust the security of
each element of an IoT application, also increases the chance of human error,
leaving open a vulnerability that an attacker could exploit. In addition, the
costs and difficulties involved in recruiting, hiring, retaining and
coordinating large teams of dedicated IoT security experts make this approach
difficult, if not impossible, for small and medium-sized firms, preventing them
from implementing strong IoT security Defense in Depth strategies.

Security Orchestration: A Different Way to Easily and Cost-Effectively Implement IoT Defense in Depth

Increasingly, companies are considering an alternative approach for implementing an IoT
application Defense in Depth strategy – security orchestration. For most
companies, a security orchestration approach allows them to implement a robust
Defense in Depth strategy with a much smaller dedicated security team, and thus
lower initial and ongoing costs.

A security orchestration approach simplifies the implementation of an IoT Defense in Depth
strategy by providing companies with a solution to orchestrate the deployment
and management of layers of protection around all elements of the IoT
application – edge device, network connectivity and cloud. Security
orchestration solutions not only provide multiple layers of protection for the
IoT application, but also simplify security management by allowing the IoT
application’s owner to define a high-level security plan, and then apply and
manage this plan from a single “pane of glass.” Using this single interface,
users can configure and update security provisioning on all their devices,
connectivity providers and clouds, and easily designate who their edge devices
can and cannot communicate with (using whitelists and blacklists) and how they
communicate (ports and protocols).

Key Considerations When Adopting a Security Orchestration Approach for Your IoT Application

For a security orchestration approach to be effective, the security
orchestration solution needs to be built and maintained by a company with its
own experts in all elements of IoT security – edge device, network connectivity
and cloud. In addition, security orchestration does require IoT application
owners to use a single solution (comprising devices, network connectivity and
cloud management software) for their applications, limiting their flexibility
when it comes to “mixing-and-matching” elements from different providers in
their applications.

However, such an adjustment is well worth the benefits of a more cost-effective and
robust Defense in Depth IoT security strategy, especially for small and
medium-sized firms where investment in a large, dedicated IoT security team is
cost-prohibitive. In a world where IoT applications are playing an increasingly
important role in companies’ digital transformation strategies and the number
of cyberattacks continues to grow, security orchestration offers companies an
opportunity to implement a simple, affordable end-to-end IoT Defense in Depth
strategy that allows them to better protect their IoT data from being stolen,
altered or lost.
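As an added illustration of the single-plan approach described in the security orchestration section above (a constructed example, not code from the original article or from any vendor's product; all hosts, ports and function names are hypothetical), the following Python renders one allowlist plan to both the edge-device and network layers and flags drift when a deployed layer no longer matches the plan.

```python
"""Constructed example: one high-level plan rendered to every layer, plus drift detection."""

# Constructed sample plan (hypothetical names; 203.0.113.0/24 is a documentation range).
# Each device class lists the only hosts it may talk to and over which port/protocol.
POLICY = {
    "sensor-gateway": {
        "allow": [
            {"host": "203.0.113.10", "port": 8883, "proto": "tcp"},  # MQTT over TLS
            {"host": "203.0.113.20", "port": 443, "proto": "tcp"},   # firmware updates
        ]
    }
}


def policy_tuples(policy, device_class):
    """Canonical (host, port, proto) allow entries for one device class."""
    return sorted((r["host"], r["port"], r["proto"])
                  for r in policy[device_class]["allow"])


def render_edge_rules(policy, device_class):
    """Edge-device firewall layer: explicit egress allows, then default deny
    (iptables-style lines, shown for illustration only)."""
    rules = [f"-A OUTPUT -p {proto} -d {host} --dport {port} -j ACCEPT"
             for host, port, proto in policy_tuples(policy, device_class)]
    return rules + ["-P OUTPUT DROP"]


def render_network_rules(policy, device_class):
    """Network layer (private APN / carrier firewall): the same entries as a
    hypothetical provider-API payload, so both layers derive from one plan."""
    return [{"dst": host, "dport": port, "protocol": proto, "action": "allow"}
            for host, port, proto in policy_tuples(policy, device_class)]


def find_drift(policy, device_class, deployed):
    """Compare a layer's live allowlist (iterable of (host, port, proto)) with
    the plan.  Returns (extra, missing): 'extra' entries were added outside the
    plan and are the human-error openings the article warns about; 'missing'
    entries mean the layer no longer enforces something the plan requires."""
    expected = set(policy_tuples(policy, device_class))
    actual = set(deployed)
    return sorted(actual - expected), sorted(expected - actual)


if __name__ == "__main__":
    # Constructed live state: a hand-added telnet allow, and the update host dropped.
    live = [("203.0.113.10", 8883, "tcp"), ("198.51.100.5", 23, "tcp")]
    print(find_drift(POLICY, "sensor-gateway", live))
```

Running the same drift check against every layer from the one plan is what turns the "single pane of glass" into something auditable rather than just convenient.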