INTERNET OF THINGS ARTICLE - Can AI provide the wide angle lens needed to stop cyberattacks in IoT and cloud?



IoT has become a normal part of daily life for many people: we interact with these devices every day, from doorbells to lights, cameras to building locks. IoT devices have become so prolific that most of the time we take them for granted. However, as commonplace as they’ve become, we’ve also seen the challenges in securing IoT devices, from massive botnet armies used for DDoS activity, to devices used for command and control in sophisticated attacks as a means to evade modern endpoint security controls. We have even seen some financial-sector organisations suffer large data breaches where IoT offered a means to infiltrate the environment and exfiltrate data.


What makes IoT such a challenge to secure? There are several factors at play, ranging from hardware to network and, more importantly, to cloud. Almost all IoT devices connect back to cloud services in some way; from consumer through to enterprise IoT devices, connecting to the cloud has become a vital means to operate. And similar to the security challenges present in OT networks, it is almost impossible to embed security agents within every IoT device. Additionally, these devices typically run operating systems and software that are cheap to build, and tight margins can lead to products that ship vulnerable code that is difficult to patch. Without the ability to place tight controls on the endpoint, we now look to network monitoring and cloud security to help close the gap.


Network monitoring within enterprise-grade IoT is an effective way to identify attacker behaviour; however, with all of these services connecting to cloud-based infrastructure, it is vital that we also secure the cloud as an attack surface. Cloud security is something that a lot of organisations have been grappling with, as it is large, complex, and constantly changing. Adding to the complexity, each provider does things a little differently. And keep in mind that the cloud is made up of multiple core components: IaaS, PaaS and SaaS. IaaS lends itself to some of our traditional security controls, SaaS is the newest category of security products, while PaaS is a key challenge because it presents a large attack surface. Adding to this challenge, we tend to look at all three in isolation from a security perspective, which can leave blind spots that allow attackers to move laterally without detection. Effectively allowing attackers to move from IoT devices to the control plane of the cloud provider with almost no way to track lateral movement is a recipe for disaster.


To overcome the challenges presented by IoT and cloud, we need to shift our thinking away from prevention alone and turn to detection. While we should still make entry as difficult as possible for attackers, prevention shouldn’t come at the expense of detection. However, threat detection at this scale will require a modern approach. If we simply focus on vulnerabilities and malware, we will be forever playing catch-up with the attackers. Instead, we need to focus higher up the value chain and look at attacker behaviour. To identify behaviour, we need to look at solutions that provide high-fidelity detections, leveraging AI and machine learning so that signal clarity is achieved without the false positives of signature-based detections. In addition, we need solutions that bring together all events from the network and the IaaS, PaaS and SaaS environments so we can identify lateral movement without blind spots, and that also correlate and prioritise these events to the highest-risk entities, be they user accounts, roles or hosts. Once this view is achieved, then and only then will we be able to focus on how to detect, respond and, most importantly, stop any attacks that enter or move across the environment.
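The paragraph above describes two concrete ideas: tie behaviour-level detections from every plane (network, IaaS, PaaS, SaaS) back to a common entity (user account, role or host), and use that shared view to find lateral movement across planes and rank what to respond to first. The following is an added example of that entity-centric correlation, not code from this article or from Vectra AI. Every event, entity name, behaviour label and weight is constructed for illustration; the cross-plane bonus and the scoring scheme are assumptions chosen to make the ranking visible, not a description of any product's algorithm.

```python
"""Entity-centric correlation of behaviour detections across telemetry planes.

Constructed example: events, entity names and weights are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed analyst-assigned weights for behaviour-level detections (not a product's values).
BEHAVIOUR_WEIGHTS = {
    "iot_c2_beacon": 40,
    "iot_lateral_scan": 30,
    "iaas_role_assumed": 25,
    "iaas_privilege_escalation": 45,
    "saas_mass_download": 35,
}
DEFAULT_WEIGHT = 10       # unknown / low-severity behaviour
CROSS_PLANE_BONUS = 25    # assumed: an entity seen in 2+ planes is exactly the blind spot to close


@dataclass
class Event:
    plane: str                      # "network", "iaas", "paas" or "saas"
    entity: str                     # host, role or user account the detection is about
    behaviour: str                  # behaviour label, not a signature or CVE
    related: Optional[str] = None   # another entity this event links to (e.g. role assumed by a host)


# Constructed sample feed: an IoT camera beacons and scans on the network, then the
# same host assumes a cloud role, the role escalates privilege, and a user tied to that
# role mass-downloads from a SaaS application. A second user has one benign event.
CONSTRUCTED_EVENTS = [
    Event("network", "camera-17", "iot_c2_beacon"),
    Event("network", "camera-17", "iot_lateral_scan"),
    Event("iaas", "camera-17", "iaas_role_assumed", related="role/build-agent"),
    Event("iaas", "role/build-agent", "iaas_privilege_escalation"),
    Event("saas", "alice@example.test", "saas_mass_download", related="role/build-agent"),
    Event("saas", "bob@example.test", "saas_new_device"),
]


def correlate(events):
    """Aggregate events per entity: total score, planes observed in, linked entities."""
    entities = defaultdict(lambda: {"score": 0, "planes": set(), "links": set()})
    for e in events:
        rec = entities[e.entity]
        rec["score"] += BEHAVIOUR_WEIGHTS.get(e.behaviour, DEFAULT_WEIGHT)
        rec["planes"].add(e.plane)
        if e.related:
            # Links are undirected: either end can be the pivot during investigation.
            rec["links"].add(e.related)
            entities[e.related]["links"].add(e.entity)
    # An entity active in more than one plane is where siloed tooling loses track of it.
    for rec in entities.values():
        if len(rec["planes"]) >= 2:
            rec["score"] += CROSS_PLANE_BONUS
    return dict(entities)


def prioritise(entities):
    """Entities ordered highest-risk first, so analysts start at the top."""
    return sorted(entities, key=lambda name: entities[name]["score"], reverse=True)


def attack_paths(entities):
    """Group linked entities into connected components (candidate lateral-movement paths).

    Returns (combined score, sorted entity names) tuples, highest score first."""
    seen, paths = set(), []
    for start in entities:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(entities[node]["links"])
        seen |= component
        paths.append((sum(entities[n]["score"] for n in component), sorted(component)))
    return sorted(paths, reverse=True)


if __name__ == "__main__":
    ents = correlate(CONSTRUCTED_EVENTS)
    for name in prioritise(ents):
        print(f"{ents[name]['score']:4d}  {name:22s}  planes={sorted(ents[name]['planes'])}")
    for score, members in attack_paths(ents):
        print(f"path score {score}: {' -> '.join(members)}")
```

On the constructed feed, camera-17 ranks first because it is the only entity seen in two planes, and the linked chain camera-17 / role/build-agent / alice@example.test surfaces as one path with a combined score of 200, while the lone benign SaaS event stays at the bottom. Looking at any single plane in isolation would have shown three unrelated, individually modest findings.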



Chris Fisher
Director, Security Engineering, Asia Pacific & Japan
Vectra AI Inc.


For any further enquiries, please contact Ms Katherine Toh at [email protected]