IoT Device Inventory Needs Real-time Accuracy and Smart Categorization

Getting Visibility Right from the Start

Step one in any IT security problem is knowing what to secure. First, you have to see it, know all about it, and then you need to act on that information. The information you gather is everything you can about a device, then it has to be classified as your organization sees fit.

For IoMT and IoT security, how does a usable IoT device inventory get crafted? One or more data sources are used to intelligently get a complete single record of each device in the aggregate, with all of its associated metadata. Data sources can be spreadsheets, active (scanning) or passive (listening) network traffic analysis, or even software inventory repositories such as CMMS and CMDB. It’s very important to get visibility right because it is the source of truth, and helps baseline behavior for threat detection and vulnerability mitigation.

Seeing Connected IoT Device Inventory

Seeing every device and its MAC address on the network is important. This should be visible as soon as possible, which means not relying on high data volumes from devices that don’t create too much network traffic. A hidden danger is that your IoT device inventory solution hides a device because it does not have enough information. Asimily’s approach is to show every MAC on the network from the first data packet seen since it provides the customer with proof that the device exists. As more data comes in, the device continues to be classified more precisely. The alternate approach, waiting until there is more data and higher confidence to “reveal” a device to customers creates blind spots, also because there are always going to be devices where sufficient data might never be transmitted. So some “known” devices might never be exposed to customers – exactly what an attacker would want. In such cases, the lack of visibility brings increased risks to the environment.

Network traffic analysis is particularly helpful because it does not require risky scanning or queries to devices that might not perform well under those circumstances. The two most effective ways of deriving usable data from network traffic are AI-based and DPI (deep packet inspection). DPI cracks packets to understand proprietary protocols not just in the header but also in the payloads of those packets. The benefit of this approach is granularity – every packet may have some useful information. However, enough data for every device is not always going to be available.

This is where Artificial Intelligence and pattern recognition come in. Pattern recognition uses the data from device profiles which then uses some of the metadata seen in the environment (e.g. sources, destinations, ports) to accelerate confident device classification. Together DPI and AI form a complete picture of the environment which in turn helps better identify devices even when all the traffic from the device is not being transmitted.

Asimily uses both techniques, plus any other external data sources available. DPI-only approaches ignore all the rich data that comes from heuristics and rules about devices. Such an approach might struggle as the scale increases. That’s because there will be devices where getting detailed information could be challenging due to network architecture. DPI can be augmented with manual human intervention but Asimily seeks to avoid the pitfalls that come with just using humans to analyze traffic and make assumptions.

IoT Device Inventory Smart Classification

One key challenge for accurate classification is tracking devices that are mobile and whose IPs are continuously changing. This is more challenging in Layer 3 networks where only the IP of the device is transmitted on the network and not the MAC. Asimily has developed state machines to solve the problem of accurately tracking changing IP-MAC associations. But to do this, broadcast traffic like ARP and others will need to be sent. In addition or as an alternative, SNMP (Simple Network Management Protocol) walks used to query network infrastructure can be used. An integration with DHCP servers can also be used. Failing to use any of those techniques could cause well-classified devices to “drift” over time and become incorrectly classified. But when done, the net result of all of these techniques is an accurate, classified inventory of devices, even when they move around the network.

External data sources are additive and not required for an accurate IoT device inventory, but they help. For example, pulling in Vulnerability Scanner data enriches the data Asimily has to work with to determine which devices are on a network. Asimily has over 50 integrations to assist customers, not just vulnerability scanners but also others that have inventory data. Through these integrations, Asimily also becomes a complete device repository providing insight into every device on the network.

Finally, there can always be differences in naming conventions. A device and the family a device is in are not always named similarly, based on how an organization thinks about the device. For example, supply stations could be IoMT for some organizations but non-medical IoT devices for others. These differences can be easily reconciled in the final IoT device inventory.

Understanding IoT Device Inventory-Gathering Methods Helps Buyers

Of all the technical problems involved in strong IoT security, inventory is not the hardest. As attacks have increased, Asimily finds challenges in incident response and vulnerability mitigation to be more pressing across the industry. But getting an accurate, classified inventory is an important first step to solving every other security problem. The complex, multi-faceted approach that Asimily took years to develop solves the shortcomings of earlier approaches and scales for all environments. By combining multiple techniques and data sources, Asimily uses numerous innovative cutting-edge techniques, some patented, to provide the best inventory possible. A small example is Asimily’s parser for understanding new protocols, which does in days or hours what used to take weeks. Customers benefit from all of this by just having confidence that they have a good inventory, freeing up mental space, financial resources, and team time to tackle pressing device security issues to protect their users.

To learn more about the Asimily risk remediation, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.