A Good Endpoint
Visibility is a good way to start to achieve success in the age of IoT
- By Richard Henderson
- May 01, 2018
Most of the malicious or criminal activity targeting today's enterprises
involves the endpoint. Insecure endpoints are an expensive risk and a
difficult one to address. As the number of devices with IP connectivity
continues to grow rapidly, organizations inherit a new class of dim and
dark endpoints to worry about. Research predicts that the B2B IoT
segments will generate more than $300 billion annually by 2020.
As enterprises invest in IoT, privacy and security concerns loom over
deployments and the exploitation of device vulnerabilities. Regulatory
standards are also lacking. Leading industry voices such as cryptographer
and author Bruce Schneier are calling for government regulation, arguing
that it may be the only way to impose required security standards on IoT
devices.
No Time to Wait
Effective asset and vulnerability management is critical to maintaining
visibility, and the effort cannot stop at desktops and laptops. The simple
reality today is that organizations need to monitor anything with an IP
address that touches their network resources: smartphones, tablets, IoT
devices, and employee-owned devices (including personal "smart" devices).
The end goal should be to collect and process telemetry from everything.
Of course, organizations should be cognizant of the privacy concerns that
come with collecting and analyzing this data; depending on the
jurisdiction, that can be a whole other challenge.
Still, organizations report significant struggles with blind spots in
their network activity, with non-corporate devices and user behavior
being their top challenges according to an ESG report. If visibility into
your infrastructure is narrow and shallow, any risk calculation you make
will almost always be a shot in the dark and ultimately inaccurate,
leading to some tough questions from the powers-that-be after a
significant incident. You must be able to identify each device, its
current status and state, and the state of every application residing on
it, if any.
Here are five best practices that organizations should consider in
order to get a better picture of the current state of their infrastructure
and improve their endpoint security posture in the age of IoT.
Make sure the most critical assets are covered. If you are not currently
using a modern solution to collect, scrub, analyze, and respond to
anomalous log events, then start small: focus on building coverage for
your most critical assets. That means the devices belonging to C-suite
executives and their assistants, your privileged accounts and the devices
belonging to your administrators, and the service and system accounts
whose credentials seldom (or never) change. Start there and expand as
time, resources and budget allow.
Monitor application health. Direct threats to IoT aside, you should also
have a method to actively monitor the health of applications. If there is
an incident or vulnerability, you need to be alerted so that you can
respond. Think of the process as a checklist: Is my endpoint security
software still functioning? Can I reach specific URLs that malware may
try to block? Does CPU usage show anything odd that might indicate
cryptomining or other resource-based attacks? Can my device connect to
the network? If you cannot check off all of these items, that may be a
sign of a malware infection or cyberattack, or of a vulnerability in the
device's software.
Monitor device traffic. Keeping an eye on device traffic is imperative in
the age of IoT. Devices and applications interact in patterns: maybe you
take your fitness tracker on a run most mornings, use the smart coffee
machine at work every day, or make weekly conference calls from your
smartphone. Some growth in traffic should be expected with so much more
emphasis on smart devices. But it is important to watch for a massive
spike in traffic volume from one of these devices: at best the device is
malfunctioning; at worst it is being used to exfiltrate data or to
participate in a botnet or DDoS attack. On an organization's network, such
a spike could also point to an employee who is exfiltrating data
themselves. Awareness of every device on the network, including personal
devices, is essential; without full visibility, malicious traffic can go
unnoticed.
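The spike detection described above, as an added example that is not part of the original article: it rolls constructed per-device daily byte counts up by device, builds a robust baseline (median and median absolute deviation) from the prior days, and flags any device whose latest day is far outside that baseline. The device names, byte counts, thresholds and the decision to baseline on all-but-the-latest day are assumptions made for illustration.

```python
"""Per-device traffic baseline and spike detection (added example).

Assumes flow records have already been rolled up to one outbound byte
count per device per day, e.g. by a NetFlow/IPFIX collector. The rows
below are constructed sample data, not a real capture.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (device, day, bytes_out)
SAMPLE_DAILY_BYTES = [
    # Lobby camera: steady ~42 MB/day, then a ~60x jump on the last day.
    ("cam-lobby", "2018-04-01", 41_200_000),
    ("cam-lobby", "2018-04-02", 43_900_000),
    ("cam-lobby", "2018-04-03", 40_700_000),
    ("cam-lobby", "2018-04-04", 42_300_000),
    ("cam-lobby", "2018-04-05", 44_100_000),
    ("cam-lobby", "2018-04-06", 41_800_000),
    ("cam-lobby", "2018-04-07", 42_600_000),
    ("cam-lobby", "2018-04-08", 2_600_000_000),
    # Coffee machine: small daily check-ins that drift a little.
    ("coffee-3f", "2018-04-01", 1_400_000),
    ("coffee-3f", "2018-04-02", 1_520_000),
    ("coffee-3f", "2018-04-03", 1_480_000),
    ("coffee-3f", "2018-04-04", 1_450_000),
    ("coffee-3f", "2018-04-05", 1_510_000),
    ("coffee-3f", "2018-04-06", 1_470_000),
    ("coffee-3f", "2018-04-07", 1_490_000),
    ("coffee-3f", "2018-04-08", 1_700_000),
    # Sensor installed this week: too little history to judge yet.
    ("sensor-new", "2018-04-07", 900_000),
    ("sensor-new", "2018-04-08", 950_000),
]


def robust_baseline(history):
    """Median and median absolute deviation (MAD) of past daily byte counts.

    Median/MAD are used instead of mean/stddev so one earlier bad day does
    not inflate the baseline and hide the next spike.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def detect_spikes(rows, ratio=10.0, z=6.0, min_days=5):
    """Baseline each device on all but its latest day and score the latest.

    Flags a device when the latest day exceeds `ratio` times the median OR
    sits more than `z` robust standard deviations (1.4826 * MAD) above it.
    The MAD is floored at 5% of the median so a perfectly steady device is
    not flagged for a trivial change. Devices with fewer than `min_days`
    of data are reported separately rather than scored.
    """
    per_device = defaultdict(list)
    for device, day, nbytes in rows:
        per_device[device].append((day, nbytes))

    findings = {}
    for device, series in per_device.items():
        series.sort()  # ISO dates sort chronologically as strings
        if len(series) < min_days:
            findings[device] = {"status": "insufficient_history",
                                "days": len(series)}
            continue
        history = [nbytes for _, nbytes in series[:-1]]
        latest_day, latest = series[-1]
        med, mad = robust_baseline(history)
        sigma = 1.4826 * max(mad, 0.05 * med)
        robust_z = (latest - med) / sigma if sigma else 0.0
        # A silent device (median 0) that suddenly talks is also a spike.
        spike = latest > ratio * med or robust_z > z
        findings[device] = {
            "status": "spike" if spike else "normal",
            "day": latest_day,
            "baseline_median": med,
            "latest": latest,
            "ratio": round(latest / med, 1) if med else None,
            "robust_z": round(robust_z, 1),
        }
    return findings


if __name__ == "__main__":
    for device, result in detect_spikes(SAMPLE_DAILY_BYTES).items():
        print(device, result)
```

The two thresholds are deliberately independent: the ratio catches the gross exfiltration or DDoS case even for a device whose history is noisy, while the robust z-score catches a smaller but statistically unusual jump on a device that is normally very regular. Tune `ratio`, `z` and `min_days` to the device class rather than applying one setting to the whole fleet.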
Combine passive and active scanning in your asset management strategy.
Your strategy should include both: passive scanning watches your traffic
flows to identify the devices that are talking, while active scanning
overtly probes your network for previously unseen, dormant or idle
devices. Put the two together and you will have a much better picture of
the current state of your infrastructure. This really helps in
identifying rogue devices that someone has connected to your network
somewhere, as well as IoT devices that do not constantly send data across
your network.
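One way to put passive and active results together, as an added example and not code from the article: constructed passive observations (from flow or ARP telemetry), a constructed active sweep result, and a constructed inventory are joined on MAC address, and each device is then classified as accounted for, rogue (on the network but not in inventory), dormant (inventoried and answering probes but sending no traffic) or missing (inventoried but seen by neither method). The addresses, names, owners and the classification labels are all assumptions.

```python
"""Reconcile passive observations, an active sweep and the inventory
(added example).

The join key is the MAC address, because IoT devices on DHCP change IP
addresses. All three data sets below are constructed for illustration.
"""

# Passive: devices seen talking in flow/ARP telemetry -> (mac, ip, last_seen)
PASSIVE_OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.20.0.11", "2018-04-08"),
    ("aa:bb:cc:00:00:02", "10.20.0.12", "2018-04-08"),
    ("aa:bb:cc:00:00:09", "10.20.0.77", "2018-04-08"),  # nobody registered this one
]

# Active: hosts that answered a subnet sweep -> (mac, ip, open_ports)
ACTIVE_SCAN = [
    ("aa:bb:cc:00:00:01", "10.20.0.11", [80, 554]),
    ("aa:bb:cc:00:00:03", "10.20.0.13", [23]),       # answers probes, never seen in flows
    ("aa:bb:cc:00:00:09", "10.20.0.77", [22, 8080]),
]

# Inventory / CMDB: mac -> (name, owner)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("cam-lobby", "Facilities"),
    "aa:bb:cc:00:00:02": ("coffee-3f", "Facilities"),
    "aa:bb:cc:00:00:03": ("hvac-ctl", "Facilities"),
    "aa:bb:cc:00:00:04": ("badge-reader-2", "Security"),  # seen by neither method
}


def reconcile(passive, active, inventory):
    """Merge the three views into one record per MAC and classify each device.

    accounted : inventoried and observed on the network
    rogue     : observed on the network but absent from inventory
    dormant   : inventoried, answers active probes, but sends no traffic
    missing   : inventoried but seen by neither method (an offline blind spot)
    """
    devices = {}

    def record(mac):
        return devices.setdefault(mac, {
            "ips": set(), "sources": set(), "open_ports": set(), "last_seen": None,
        })

    for mac, ip, last_seen in passive:
        rec = record(mac)
        rec["ips"].add(ip)
        rec["sources"].add("passive")
        rec["last_seen"] = max(rec["last_seen"] or "", last_seen)
    for mac, ip, ports in active:
        rec = record(mac)
        rec["ips"].add(ip)
        rec["sources"].add("active")
        rec["open_ports"].update(ports)
    for mac, (name, owner) in inventory.items():
        rec = record(mac)
        rec["sources"].add("inventory")
        rec["name"], rec["owner"] = name, owner

    for rec in devices.values():
        src = rec["sources"]
        on_network = "passive" in src or "active" in src
        if on_network and "inventory" not in src:
            rec["classification"] = "rogue"
        elif not on_network:
            rec["classification"] = "missing"
        elif "passive" not in src:
            rec["classification"] = "dormant"
        else:
            rec["classification"] = "accounted"
        rec.setdefault("name", "unknown")
        rec.setdefault("owner", None)
    return devices


def summarize(devices):
    """Count devices per classification."""
    counts = {}
    for rec in devices.values():
        counts[rec["classification"]] = counts.get(rec["classification"], 0) + 1
    return counts


if __name__ == "__main__":
    result = reconcile(PASSIVE_OBSERVED, ACTIVE_SCAN, INVENTORY)
    for mac, rec in sorted(result.items()):
        print(mac, rec["name"], rec["classification"],
              sorted(rec["ips"]), sorted(rec["open_ports"]))
    print(summarize(result))
```

Each classification maps to a different follow-up: a rogue device needs an owner or a quarantine VLAN, a dormant device is exactly the kind of idle IoT endpoint the passive feed alone would never show you, and a missing device is an inventory entry to chase down before it silently reappears unpatched.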
Patch early and often. With a plethora of IoT devices in circulation,
encountering a vulnerability somewhere in your network is almost
inevitable. When a vulnerability is discovered, the best course of action
is to patch your devices early and often. It is possible, though, that
some of the IoT devices you deploy will not get patches, or will not
receive them in a timely manner. Unlike software companies that issue
patches frequently, some device manufacturers lack either the technical
skill or the resources to provide long-term support for IoT devices. For
manufacturers that do provide regular updates, patches fill the holes in
your network and protect your endpoints, which is important for
maintaining a good security posture. However, you have to make sure you
have the ability to push patches to all devices.
If you have blind spots in your network (such as devices that have been
turned off or disconnected for long periods), then some devices will be
left unpatched and serve as easy targets for attackers. It only takes one
weak entry point for an attacker to gain access to private data. And for
the devices that are not, or cannot be, patched, you must use other
methods to protect your infrastructure. Microsegmentation of those device
populations, locked-down static routing, and dedicated subnetworks behind
their own industrial-focused firewall devices should all be considered
when patching simply is not possible.
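A patch triage pass over a constructed device inventory, added here as an example rather than taken from the article: it compares firmware versions numerically (so 2.10.1 is correctly newer than 2.9.0, which a plain string comparison gets wrong), treats any device not seen within a threshold as a blind spot that a patch push would miss, and routes devices whose vendor ships no updates to the compensating controls named above. The fleet, the pinned date, the 30-day threshold and the status labels are assumptions.

```python
"""Patch-status triage over a constructed device inventory (added example).

Versions are assumed to be dotted integers ("2.10.1"); `latest` is None
when the vendor ships no updates at all. TODAY is pinned so the output
is reproducible.
"""
from datetime import date

TODAY = date(2018, 5, 1)

# Constructed inventory: recorded firmware, newest vendor release, last check-in.
FLEET = [
    {"name": "cam-lobby", "firmware": "2.9.0", "latest": "2.10.1",
     "last_seen": date(2018, 4, 30)},
    {"name": "cam-dock", "firmware": "2.10.1", "latest": "2.10.1",
     "last_seen": date(2018, 4, 30)},
    {"name": "badge-reader-2", "firmware": "1.4.2", "latest": "1.5.0",
     "last_seen": date(2018, 2, 2)},
    {"name": "plc-boiler", "firmware": "3.1", "latest": None,
     "last_seen": date(2018, 4, 30)},
]


def parse_version(text):
    """'2.10.1' -> (2, 10, 1).

    Comparing tuples avoids the string-comparison mistake where "2.9.0"
    sorts after "2.10.1" and a device behind by a minor release looks current.
    """
    return tuple(int(part) for part in text.split("."))


def triage(fleet, today=TODAY, stale_days=30):
    """Classify every device and attach the follow-up action.

    unpatchable : vendor provides no updates -> compensating controls
    blind_spot  : not seen within `stale_days`; a patch push would miss it,
                  and its recorded firmware may already be out of date
    current     : recorded firmware is at or above the vendor's latest
    patch_now   : online and behind the vendor's latest release
    """
    results = []
    for dev in fleet:
        days_unseen = (today - dev["last_seen"]).days
        if dev["latest"] is None:
            status = "unpatchable"
            action = ("isolate: dedicated subnet, static routes only, "
                      "industrial firewall in front of it")
        elif days_unseen > stale_days:
            status = "blind_spot"
            action = (f"not seen for {days_unseen} days; locate it before "
                      "the next patch cycle")
        elif parse_version(dev["firmware"]) >= parse_version(dev["latest"]):
            status = "current"
            action = "none"
        else:
            status = "patch_now"
            action = f"upgrade {dev['firmware']} -> {dev['latest']}"
        results.append({"name": dev["name"], "status": status,
                        "days_unseen": days_unseen, "action": action})
    return results


def status_by_name(fleet, **kwargs):
    """Convenience view: {device name: status}."""
    return {row["name"]: row["status"] for row in triage(fleet, **kwargs)}


if __name__ == "__main__":
    for row in triage(FLEET):
        print(f"{row['name']:<16} {row['status']:<12} {row['action']}")
```

The staleness check runs before the version check on purpose: an inventory record for a device that has not checked in for months tells you what it ran the last time you saw it, not what it runs now, so it belongs in the blind-spot bucket even if the recorded version happens to match the vendor's latest.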
Best practices like these help to counter both the existence of IoT risk
and the fear of it, which stems partly from a lack of visibility. One of
the keys to combating that fear, and to lighting up this new class of dim
and dark endpoints, is a better understanding of all the sources of risk
that live in your environment.
Once organizations are able to identify all the pieces that form their
network, they are one step closer to designing a well-thought-out
strategy to address that risk, and to creating an environment that
manages risk better overall.
This article originally appeared in the May 2018 issue of Security Today.