Dancing with Data: Harmonizing Device States and Relationships in IoT Security Strategies

As organizations expand their Internet of Things (IoT) device deployment, they expand their attack surface. These devices bring productivity benefits, but as attackers increasingly target them, they create vulnerable access points. Further, they often contain or transmit sensitive information. 

Security professionals know they can’t defend what they don’t know they have. To gain the necessary visibility, organizations adopt detection and monitoring tools. However, most of these are optimized for general IT. After deployment, they often find that while the tools provide transparency into network communications, they struggle to classify IoT that aren’t as amenable as IT to classification. Or they rely on active scanning, which is not always possible for IoT in certain environments such as hospitals or utilities.

When investing in an IoT security solution, organizations should consider how rich that platform’s understanding of an IoT device fleet will be. A useful lens to use when evaluating needs is whether the platform will model states, relationships, or both. 

What is the Difference Between States and Relationships for IoT?

Generally speaking, software to manage IoT (or anything else) seeks to create a digital model of the real world. Two major approaches are to record and understand states vs. relationships between assets. For example, a data backup is a static record of the state of assets at a point in time. A model that accounts for network connections, neighbors, and traffic is focused on relationships.

In IT, these concepts relate to the different goals that an organization has with its security monitoring. Collecting states is useful for gathering inventory, backups, vulnerability detection, compliance, and anomaly detection. It’s less useful for vulnerability prioritization and remediation.

Challenges Achieving Accurate States and Relationship Models

Many organizations struggle to implement appropriate IoT security because the devices come with unique challenges that traditional tools fail to identify or manage. Further, even when organizations seek an IoT-specific solution, the tools look like they are giving a complete analysis of all the relevant information, but really aren’t. 

Ability to Scan for Information

Traditional technologies, like enterprise IT vulnerability scanners, use active scanning techniques that send test traffic across the network to examine the responses. Unfortunately, this process can take IoT devices offline for various reasons. To maintain availability and identify IoT device vulnerabilities, organizations need passive scanning devices that collect data from the network’s traffic flows. 

Generating a Device Inventory from Network Traffic

Not every scanning technology is equally accurate. Most rely on a Switch Port Analyzer (SPAN), a port mirroring session that copies packets from one switch to a port on a destination switch. Often, the IoT tools then import information from their databases. While these tools may provide insight into devices, they do not directly access information from devices.  Without thoughtfully considering the limitations of a SPAN-first approach, this can create issues due to: 

• Failure to configure monitoring for both received and transmitted packets
• Overrunning the port which can lead to packet loss
• Connectivity issues when deploying the analyzer
• Limited information from the provider’s database limits device categorization capabilities
• Lack of accurate, detailed information about device types and their connectivity across the network ecosystem

Vulnerability Prioritization

Related to these other issues, many tools provide limited insight into IoT device vulnerabilities. They often rely solely on data like:

• Common vulnerabilities and exploits (CVE) data which details what the vulnerability is
• Exploit Prediction Scoring System (EPSS) data which details the probability attackers will exploit the vulnerability but no insight into whether they could successfully exploit within the context of the organization’s current mitigations
• MITRE ATT&CK tactics to identify and alert on an anomaly without additional insight into the context 

While this data provides transparency, it often needs more context into the current IoT device environment, like segmentation and targeted segmentation strategies, which leaves remediation prioritization manual and time-consuming.

5 Questions to Ask IoT Device Security Vendors

As organizations expand their security monitoring to include IoT devices, they need technologies that understand the unique risks arising from these devices while taking into account the current mitigation strategies in place. When vetting potential vendors, should consider the following questions.

1. How do you collect asset data and what data do you collect?

At their core, IoT security solutions provide data that security, IT, and vulnerability management teams need to protect networks and systems. While nearly all solutions use SPAN ports, the information that augments those findings should include robust network traffic insights, like the kind generated by deep packet inspection. Deep packet inspection provides detailed data about how devices communicate with one another and across the network environment. 

Key capabilities to look for include:

• Passive data collection from SPAN ports to ingest network data with fault-tolerance, such as for dropped packets
• Comprehensive device lists that include device types and detailed categories
• Ability to integrate with other asset inventory tools, like traditional vulnerability scanners
• Deep packet inspection to identify unique device communication patterns for more accurate anomaly detection
• Metadata collection to understand device use, location, and modification

2. How do you generate a risk score?

Many IoT security tools provide risk scores based on data analytics. Transparency means knowing what data feeds these analytics. To gain insights from these analytics, organizations need accurate data. Vendor databases may be based on generic device definitions or overly broad categories that fail to consider device use cases or differing models within a fleet. 

Key capabilities to look for include:

• Use of known vulnerabilities and real-world exploits
• Incorporation of AI-based classification
• Ability to provide context based on environment, including risk mitigations like hardening and segmentation
• Going beyond using MITRE ATT&CK framework to label vulnerabilities – using the framework to determine exploitability in context

3. How do you assess vulnerability risk to help prioritize remediation?

Identifying vulnerabilities tells security, IT, and remediation teams the issues that exist. To prioritize response activities, they need to understand potential threats based on their environment’s context. Providing generic remediation steps that fail to consider the organization’s network architecture and mitigation strategies can leave teams struggling to identify the most secure, lowest-effort remediation activities. 

Key capabilities to look for include:

• Ability to analyze high-risk vulnerabilities within the context of current device configurations and segmentation strategies
• Remediation guidance incorporating time and effort required to reduce risk – not just suggesting patching and segmentation
• Use of industry-specific sources, such as digesting MDS2 information for medical devices
• Insight into mitigation impact on security, like reducing personally identifiable information (PII) on device

4. Can you simulate the risk that new devices might create?

To create a proactive IoT security strategy, organizations need to include risk management during the procurement process rather than after purchasing the devices. Accurate data fed into advanced analytics enable this proactive process by enabling organizations to simulate the impact new devices could have on overarching security posture.

Key capabilities to look for include:

• Visibility into device impact on security posture prior to implementing mitigations
• Suggestions for efficient, cost-effective, high-value mitigation activities 
• Database containing secure device configurations
• Insight into the impact that suggested mitigations would have on security risk
• Ability to analyze device protocols to onboard new to-market devices in days for consistent monitoring across the environment

5. How do you help manage device and network segmentation?

As both a critical compliance and security requirement, network segmentation offers organizations a way to prevent lateral movement. With IoT security tools that enable both micro-segmentation and the simpler-to-implement targeted segmentation, organizations can more effectively and efficiently manage their fleets by segregating devices with similar risk factors.

Key capabilities to look for include:

• Detailed device lists for associating discovered devices to device categories
• Segmentation across device subsets to implement targeted segmentation based on device connectivity and risk level
• Ability to create logical device groups based on organizational context 

Accurately Gather both States and Relationships for Efficient Device Fleet Security Management

Purpose-built to manage IoT devices, Asimily provides organizations with the necessary visibility into and control over their fleets. Our platform provides context, taking into account vulnerabilities and the IT environment, so organizations can mitigate risk more effectively. 

Asimily’s platform leverages passive data collection with deep packet inspection that incorporates metadata to generate high-quality, authentic asset inventories. It overcomes the limitations of the SPAN-first approaches listed above, such as by handling dropped packets and evaluating traffic patterns over time. Using our fast protocol parser, customers can confidently connect new devices from existing or new manufacturers without delay, improving security and reducing the overall total cost of ownership.

Using Asimily, you can create logical groups of devices in any way that makes sense for your organization to implement targeted segmentation strategies. These capabilities improve incident response and vulnerability remediation programs by focusing on unique device risks and current configurations rather than just device model data. 

Since the Asimily platform takes your environment and context into account, you can dramatically reduce the number of high-risk vulnerabilities that your team needs to address. Remediation teams can also leverage our efficient mitigation suggestions that focus on reducing the time and effort spent securing device fleets. 

As your organization expands its IoT device fleet, Asimily’s IoT security platform enables you to make data-driven, risk-based purchasing decisions by providing the risk associated with a specific device. Our Risk Simulator offers specific changes to configurations or processes that immediately reduce the risk associated with a verified exploit linked to a known vulnerability on a configured device. By simulating the impact these mitigations have on your overall risk score, you can make informed decisions about the impact before purchasing or before committing resources to handle anomalies or vulnerabilities.