802.11ax means more IoT. Now, how do I secure it?

Just as network automation improves IT efficiency, deep network insights and machine learning models can facilitate automated attack response.


Like the teenager with no driving experience who takes the family SUV onto the open highway, even the simplest devices connecting to corporate networks have the power to participate in an attack and cause serious damage.

Courtesy of Moore’s Law, anything with an IP address must now be considered a potential threat. Ironically, 802.11ax arrives alongside terrific new security features such as WPA3 and OWE (Wi-Fi CERTIFIED 6 devices are required to support WPA3). But it also makes the WLAN even more IoT-friendly, given its support for dense concentrations of clients in environments such as smart buildings, where devices like lighting controls are as likely to be connected wirelessly as wired.

Despite their computing power, “things” like sensors, controls and equipment rarely carry even minimum protection beyond a factory-installed (and easily guessed) user ID and password that is rarely if ever changed. In addition, most of these devices do not log, so there is no signal or alert to indicate that they have been compromised. To make matters worse, “things” often show up on networks without the knowledge of the IT or security team. Hence we have the perfect security nightmare: hundreds or thousands of capable components connected to the IT network, outside the purview of standard security visibility and controls.

In a recent Ponemon Institute survey of 3,800 security professionals co-sponsored by Aruba, IoT was a specific point of focus. The results matched intuition: 77% believe that IoT devices that merely monitor or perform minor tasks pose a threat, and only 24% say their organization’s IoT devices are appropriately secured. Even responsibility for IoT security is not settled.

Given all this, what can the network and security team do?

The good news is that these devices lead to remarkable employee, customer, and partner experiences; in many ways, digital transformation is driven by IoT. And, however harrowing the thought of a vending machine attacking databases holding critical information, it is precisely because IoT devices are connected to the network that security teams can sleep at night. Given the lax security of the devices themselves, the most practical way to tell whether one has been compromised is to look for small changes in its network activity, which are often indicative of a gestating attack.

Security teams operate the same way fighter pilots do: when deciding whether an attack is underway, they follow a loop of sensing, sense-making, decision-making, and action. For IoT security, this means turning the network into the sensor. Raw traffic is processed through a deep packet inspection engine designed to harvest hundreds of relevant behavior elements such as traffic volume, duty cycle, destinations, ports, and protocols.

These traffic insights are then passed to machine learning models that build a reference baseline of normal behavior for each device, so that deviations can be spotted. When the models see enough evidence that an attack is underway, an alert is generated for the analyst to review. Think of a camera that is sending out twice as many packets as it normally does, or a building control that is attempting to connect to systems it has never talked to before.

These first two steps are crucial for detecting IoT-related incidents, and they require both strong network domain expertise and proven data science across wired, wireless, WAN and remote connections. The right decisions and appropriate actions depend on eliminating false positives and giving the analyst not only the correct attack signal but also the supporting evidence behind it. And, just as network automation is improving the user experience and IT efficiency, deep network insights and precise machine learning models can facilitate automated attack response.
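As an added example (not code from this post, from Aruba, or from IntroSpect), the Python below sketches the baseline-and-deviation logic the preceding paragraphs describe: per-device flow summaries of the kind a DPI engine would export are aggregated into a baseline of normal volume and usual peers, and an observation window is then checked for the two deviations mentioned above, a volume spike (the camera) and a never-seen destination (the building control). The flow records, device names, field names and thresholds are all constructed for the example; the floor on the standard deviation and the minimum-history rule are there for the false-positive concern the text raises.

```python
"""Per-device behavioral baselining for IoT traffic (illustrative, not a product's code).

Learn each device's normal per-interval packet volume and its usual peers
(dst, port, proto), then flag a volume spike or a connection to a new peer,
returning the supporting evidence along with the verdict.
All flow records below are constructed; the field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


def _flow(device, interval, dst, dport, proto, packets):
    # One DPI flow summary: packets sent by `device` to dst:dport in an interval.
    return {"device": device, "interval": interval, "dst": dst,
            "dport": dport, "proto": proto, "packets": packets}


# Constructed learning-period telemetry: 24 five-minute intervals per device.
BASELINE_FLOWS = []
for i in range(24):
    BASELINE_FLOWS.append(_flow("cam-lobby-01", i, "10.0.5.10", 554, "tcp", 1000 + (i % 3) * 20))
    BASELINE_FLOWS.append(_flow("bms-floor2", i, "10.0.9.2", 47808, "udp", 40 + (i % 2) * 5))
    BASELINE_FLOWS.append(_flow("vend-cafe", i, "203.0.113.8", 443, "tcp", 12))
    if i < 2:  # a device that only just appeared on the network
        BASELINE_FLOWS.append(_flow("badge-reader-7", i, "10.0.7.4", 8443, "tcp", 30))

# Constructed observation window (interval 24).
WINDOW_FLOWS = [
    _flow("cam-lobby-01", 24, "10.0.5.10", 554, "tcp", 2050),   # double its usual volume
    _flow("bms-floor2", 24, "10.0.9.2", 47808, "udp", 42),      # normal BACnet chatter
    _flow("bms-floor2", 24, "10.0.20.15", 445, "tcp", 6),       # never talked to this host
    _flow("vend-cafe", 24, "203.0.113.8", 443, "tcp", 13),      # one extra packet: noise
    _flow("badge-reader-7", 24, "10.0.7.9", 8443, "tcp", 31),   # new peer, but too little history
]


@dataclass
class Baseline:
    totals: list = field(default_factory=list)   # packets per interval while learning
    peers: set = field(default_factory=set)      # (dst, dport, proto) seen while learning

    def mean_packets(self):
        return mean(self.totals)

    def stdev_packets(self):
        # Floor the deviation so a device with perfectly steady traffic does not
        # yield a huge z-score for a one-packet wobble (false-positive control).
        return max(pstdev(self.totals), 0.05 * self.mean_packets(), 1.0)


def build_baseline(flows):
    """Sensing and sense-making, part 1: aggregate flow summaries per device."""
    per_interval = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for f in flows:
        per_interval[f["device"]][f["interval"]] += f["packets"]
        peers[f["device"]].add((f["dst"], f["dport"], f["proto"]))
    return {dev: Baseline(list(per_interval[dev].values()), peers[dev]) for dev in per_interval}


def detect(baselines, window, min_samples=12, z_threshold=3.0, ratio_threshold=1.5):
    """Compare one observation window against the learned baselines.

    Each alert carries the evidence an analyst needs to decide (observed value,
    baseline statistics, the unknown peer), not just a verdict.
    """
    observed = defaultdict(int)
    new_peers = defaultdict(list)
    for f in window:
        observed[f["device"]] += f["packets"]
        peer = (f["dst"], f["dport"], f["proto"])
        b = baselines.get(f["device"])
        if b is not None and peer not in b.peers:
            new_peers[f["device"]].append(peer)

    alerts = []
    for dev, total in observed.items():
        b = baselines.get(dev)
        if b is None or len(b.totals) < min_samples:
            continue  # not enough history: any verdict would be a guess
        z = (total - b.mean_packets()) / b.stdev_packets()
        ratio = total / b.mean_packets()
        # Require a change that is both statistically and practically large.
        if z > z_threshold and ratio > ratio_threshold:
            alerts.append({"device": dev, "rule": "volume_spike", "observed": total,
                           "baseline_mean": round(b.mean_packets(), 1),
                           "z": round(z, 1), "ratio": round(ratio, 2)})
        for peer in new_peers[dev]:
            alerts.append({"device": dev, "rule": "new_peer", "peer": peer,
                           "known_peers": sorted(b.peers)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS):
        print(alert)
```

Run as a script it prints two alerts: the camera's volume spike (about 2x its baseline mean) and the building controller's connection to a host it has never contacted. The vending machine's one-packet change and the badge reader's new peer produce nothing, because the deviation floor and the minimum-history rule suppress them; those two guards are where most of the false-positive work in a real deployment lives.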

Aruba IntroSpect User and Network Behavior Analytics delivers the deep packet inspection and machine learning required to protect IoT environments. While the solution works on any network, it has been tuned to leverage Aruba products and technology. For example, Aruba wireless controllers produce AMON logs that characterize wireless traffic, and IntroSpect uses them as activity data. Aruba switches now produce security-relevant alerts based on the traffic they see, without a separate packet processing function.

Yes, the IoT wave continues unabated, but it doesn’t have to result in compromised security.

About the Author

Larry Lunetta Blog Contributor

Larry Lunetta is vice president of security product marketing at Aruba, a Hewlett Packard Enterprise company. Larry is also a guest lecturer for entrepreneur studies at Arizona State University.
