A Good Endpoint

Visibility is a good way to start to achieve success in the age of IoT

Most of the malicious or criminal activity targeting today’s enterprises involves the endpoint. Insecure endpoints are an expensive risk and difficult to address. As the number of devices with IP connectivity continues to rapidly grow, it gives organizations a new class of dim and dark endpoints to worry about. Research predicts that the B2B IoT segments will generate more than $300 billion annually by 2020.

As enterprise markets invest in IoT, privacy and security concerns loom as they relate to IoT deployments and vulnerability exploitation. Regulatory standards are also lacking. Leading industry voices like cryptographer and author Bruce Schneier are calling for government regulation, as it could be the only solution that could impose required security standards on IoT devices.

No Time to Wait

Effective asset and vulnerability management is critical to maintaining visibility. The effort cannot stop at desktops and laptops. The simple reality today is that organizations need to monitor anything with an IP address that connects to their network resources: smartphones, tablets, IoT devices, and other employee-owned devices (like personal “smart” devices) should all be monitored. The end goal should be to collect and process telemetry from everything. Of course, there are privacy concerns that organizations should be cognizant of when collecting and analyzing this data, and depending on where you are, that can be a whole other challenge to consider.

Still, organizations report facing significant struggles with blind spots in their network activity, with non-corporate devices and user behavior being their top challenges according to this ESG report. If visibility into your infrastructure is narrow and shallow, any risk calculations you make will almost always be a shot in the dark and ultimately inaccurate, leading to some tough questions by the powers- that-be after a significant incident happens. You must be able to identify each device, its current status and state, and the state of all the applications residing on the device, if any.

Here are five best practices that organizations should consider in order to get a better picture of the current state of their infrastructure and improve their endpoint security posture in the age of IoT.

Make sure the most critical assets are covered. If you’re not currently using a modern solution to collect, scrub, analyze, and respond to anomalous log events, then start small—focus on building solutions that target your most critical assets: devices belonging to Csuite executives and their assistants, your privileged accounts and devices belonging to your administrators, and your various system accounts that often have credentials that seldom (or never) change. Start there and expand as time, resources and budgets allow.

Monitor application health. Direct threats to IoT aside, you should also consider having a method to actively monitor the health of applications. If there is an incident or vulnerability, you need to be alerted so that you can respond to it. Think of the process like a checklist: is my endpoint security software still functioning? Can I access specific URLs that malware may try to prevent me from accessing? Have I verified my CPU usage for any odd behaviors that may indicate cryptomining or other resource-based attacks? Can my device connect to the network? If you can’t check off all of these items, that might be a sign of a malware infection or cyberattack, or of a potential vulnerability in the device’s software.

Monitor device traffic. Keeping an eye on device traffic is imperative in the age of IoT. Devices and applications interact with each other in a sort of pattern—maybe you take your fitness tracker with you on a run most mornings, use your smart coffee machine at work every day, or make weekly conference calls from your smartphone. The reality today is some traffic increases should be expected with so much more emphasis on smart devices. But it’s important to watch for things like a massive spike in traffic volume from one of these devices, that device could be malfunctioning at best, or it’s being used to exfiltrate data or participate in a botnet or DDoS at worst. In the context of an organization’s network, this could also point to an employee who is maliciously exfiltrating the data themselves. Awareness of all the devices in an employee’s network, including personal devices, is essential—without full visibility, malicious traffic could go unnoticed.

Combine passive and active scanning in your asset management strategy. Your asset management strategy should include a focus on both actively and passively scanning devices—passive scanning is designed to watch your traffic flows to identify active devices, and active scanning is centered around overtly probing your network looking for previously unseen, dormant or idle devices. When you put the two together, you’ll have a much better picture as to the current state of your infrastructure. This can really help in identifying rogue devices that someone has connected to your network somewhere or IoT devices that aren’t constantly sending data through your network.

Patch early and often. With a plethora of IoT devices in circulation, encountering vulnerability somewhere in your network is almost inevitable. If vulnerability is discovered, the best course of action is to patch your devices early and often. It’s possible that some of the IoT devices you deploy won’t get patches though, or won’t receive timely patches. Unlike companies and organizations who issue patches frequently, some device manufacturers either lack the technical skill or have the resources to provide long-term support of IoT devices. For manufacturers that do provide regular updates, patches fill the holes in your network and protect your endpoint, which is important for maintaining good security posture. However, you have to make sure you have the ability to push patches to all devices.

If you have blind spots in your network (like devices that have been turned off or not connected for long periods of time), then some devices will be left unpatched and serve as easy targets for attackers. It only takes one weak entry point for a hacker to gain access to private data. And for those devices that don’t—or can’t—be patched, you must use other methods to protect your infrastructure. Microsegmentation of those device clouds, locked-down static routing, and dedicated subnetworks with their own industrial-focused firewall devices should all be considered as other security options when patching just simply isn’t possible.

Best practices like these help to counter the existence—and fear of—IoT risk, which is partially due to a lack of visibility. One of the keys to combating that fear, and lighting up this new class of dim and dark endpoints, better understands all of the sources of risk that live in your environment.

Once organizations are able to identify all the pieces that form their network, they are one step closer to designing a well-thought out strategy to address that risk, and creating an environment that better manages risk overall.

This article originally appeared in the May 2018 issue of Security Today.

Featured

  • Report: Cyber Attackers Continue to Turn to AI-Based Tools to Avoid Detection

    Comcast Business recently released its 2025 Cybersecurity Threat Report, a comprehensive analysis of 34.6 billion cybersecurity events detected between June 1,2024 and May 31, 2025. Now in its third year, the report offers business leaders a unique perspective into the evolving threat landscape and provides actionable insights to help organizations strengthen their defenses and align cybersecurity with business risk. Read Now

  • Axis Communications Creates AI-powered Video Surveillance Orchestra

    What if cameras could not only see the world, but interpret it—and respond like orchestra musicians reading sheet music: instantly, precisely, and in perfect harmony? That’s what global network technology leader Axis Communications set to find out. Read Now

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX
  • Nothing Artificial About this Intelligence

    I have been looking forward to this year’s GSX show in New Orleans, the Cresent City, or if you prefer The Big Easy. It seems like quite a while since we’ve been here. Twenty years ago, ASIS, as it was known then was literally washed out of the city by someone known as Katrina. It is a good thing to come back to NOLA. Read Now

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.