The Role of AI in Risk Prioritization

For most organizations, identifying the critical threats that target IoT devices can feel like trying to plug a gushing fire hydrant with bubblegum. The sheer volume of vulnerabilities is overwhelming. As organizations scale their IoT device fleets, the information flooding security, vulnerability, and patch management teams becomes a data stream that artificial intelligence (AI) can turn into insights.
By understanding AI’s role in IoT risk prioritization, organizations can turn overwhelming data into actionable security insights.
How Is AI Transforming IoT Vulnerability Prioritization?
Vulnerabilities arise so frequently across IT and IoT systems that it is nearly impossible for security teams to manage and analyze every potential risk in their IoT infrastructure. At the same time, the wealth of contextual data organizations gain from IoT deployments (network context, device usage, and so on) is rarely joined to that vulnerability data, so the picture of risk stays fragmented. Multiply this across hundreds (if not thousands) of IoT devices, and the scale of the challenge becomes clear. Because AI systems can analyze large datasets to uncover patterns, security teams equipped with the appropriate solutions can gain a deeper understanding of their environments and risk posture.
Data Analytics for Visibility
AI solutions can ingest data from across the organization’s IoT fleet and environment, then apply analytics models that identify the devices connected to the network. The more data sources the AI has, the better insight it provides. For example, an AI-driven IoT device security solution should collect data about:
- Device configurations.
- Network traffic patterns.
- Vulnerability information stored in public databases (for example, CVE records).
- Threat intelligence to understand real-life attack risks.
By correlating this data, organizations go beyond device identification to gain risk-based insights.
Risk Prioritization from Real-Time Data
Because AI models can correlate these different datasets, they can distinguish theoretical vulnerabilities from those that malicious actors actively exploit. Further, AI models can incorporate environment-specific data, like:
- Devices that are critical to operations.
- Network segmentation that reduces lateral movement.
- Configurations that limit communication across risky ports.
- Ease of exploitation, since attackers are more likely to target vulnerabilities that are easy to exploit.
By analyzing this data, AI models can create dynamic risk scores that better reflect the vulnerability’s actual risk.
Correlate Threat Data from Various Resources
Predictive AI models provide insight into how attackers can exploit a vulnerability. By analyzing threat intelligence and historical attack patterns, data analytics can estimate the likelihood that malicious actors will attempt to exploit a given vulnerability. With this insight, organizations can patch or otherwise remediate high-risk vulnerabilities proactively, improving their security posture and reducing data breach risk.
Why Do Organizations Struggle to Implement AI-Driven IoT Security?
AI reduces the burden of managing IoT security risks, but organizations face technical and operational challenges when they seek to implement these solutions.
Network Connectivity Disruptions
Traditional vulnerability management tools may incorporate AI, but the active scanning they rely on often disrupts IoT device connectivity. When traditional vulnerability scanners emulate attacks, they can cause IoT devices to shut down or disconnect from the network. Further, bulk scanning increases network traffic in ways that can overwhelm IoT devices with minimal compute resources, leading them to freeze, crash, or temporarily disconnect.
Static Scoring Data
Typical vulnerability scoring data, like the Common Vulnerability Scoring System (CVSS), describes a vulnerability’s technical severity, not whether anyone is exploiting it, and a CVSS base score rarely changes after publication. The Exploit Prediction Scoring System (EPSS) adds an estimate of the probability that a vulnerability will be exploited within the next 30 days, which improves risk prioritization. Both are useful inputs to an AI model, but neither knows anything about the organization’s own environment, so organizations need more data to create risk-informed prioritization processes.
Lack of Context
For AI models to predict risk, they need insight into the device and its context, like its network neighbors and configuration. For many organizations, the network connectivity and static scoring data issues compound one another to create this larger problem. Without comprehensive, continuous monitoring around identified vulnerabilities, the organization cannot feed its AI models the data they need to understand the kill chain. This leaves it struggling to perform a complete exploitability analysis and unable to adequately prioritize remediation steps.
Considerations When Adopting AI for IoT Vulnerability Prioritization
As attackers increasingly target IoT device vulnerabilities, organizations need solutions that understand these devices’ unique security and availability needs. When evaluating options, organizations should consider these capabilities.
Passive Device Discovery
Organizations need a comprehensive IoT device inventory for visibility into potential security issues. A passive scanning technology that analyzes network traffic can build a complete and accurate inventory without causing downtime or performance issues. A passive scanning solution should be able to build a device profile that includes:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
- Version number
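The profile above can be assembled from nothing more than observed traffic. The script below is an added example (not Asimily’s code or the page’s own) showing how a passive sensor’s parsed observations are merged into one profile per device. It assumes a sensor has already turned packets into small records (DHCP leases, mDNS names, SYN-ACKs that reveal listening ports, HTTP Server headers, TCP/IP stack fingerprints); the records, field names, addresses and banners are constructed for illustration. Keying on MAC rather than IP keeps a device as one record when its DHCP lease changes.

```python
"""Passive IoT inventory from observed traffic.

Added example, not Asimily's code. Assumes a passive sensor has already
parsed packets into observation records; the records and field names below
are constructed for illustration.
"""

# Constructed observations, as a passive sensor might emit them after parsing
# DHCP leases, mDNS announcements, TCP handshakes (a SYN-ACK from the device
# reveals a listening port), HTTP responses and TCP/IP stack fingerprints.
OBSERVATIONS = [
    {"kind": "dhcp", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.15",
     "hostname": "infusion-pump-07"},
    {"kind": "tcp_fingerprint", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.15",
     "os": "Linux 3.x-4.x"},
    {"kind": "tcp_server", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.15", "port": 80},
    {"kind": "tcp_server", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.15", "port": 23},
    {"kind": "http", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.15",
     "server_header": "lighttpd/1.4.35"},
    {"kind": "mdns", "mac": "C4:5D:83:AA:BB:CC", "ip": "10.20.1.40",
     "hostname": "lobby-camera.local"},
    {"kind": "tcp_server", "mac": "C4:5D:83:AA:BB:CC", "ip": "10.20.1.40", "port": 554},
    {"kind": "tcp_server", "mac": "C4:5D:83:AA:BB:CC", "ip": "10.20.1.40", "port": 80},
    {"kind": "http", "mac": "C4:5D:83:AA:BB:CC", "ip": "10.20.1.40",
     "server_header": "CamHTTPd/2.1.7"},
    # The pump renews its lease with a new address; keying on MAC keeps one record.
    {"kind": "dhcp", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.1.16", "hostname": None},
]

# Cleartext or legacy services common on IoT devices; these are the listening
# ports a mitigation plan would disable or block first when patching is not an option.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def build_inventory(observations):
    """Merge observations into one profile per device, keyed on MAC address."""
    inventory = {}
    for obs in observations:
        mac = obs["mac"].lower()
        profile = inventory.setdefault(mac, {
            "mac": mac, "ip": None, "hostname": None, "os": None,
            "version": None, "ports": set(),
        })
        # IP addresses change with DHCP leases, so the latest observation wins.
        profile["ip"] = obs.get("ip") or profile["ip"]
        kind = obs["kind"]
        if kind == "dhcp":
            # DHCP option 12 carries the device's own idea of its hostname.
            profile["hostname"] = obs.get("hostname") or profile["hostname"]
        elif kind == "mdns":
            # mDNS names fill in only when DHCP gave nothing.
            profile["hostname"] = profile["hostname"] or obs.get("hostname")
        elif kind == "tcp_fingerprint":
            profile["os"] = obs.get("os") or profile["os"]
        elif kind == "tcp_server":
            profile["ports"].add(obs["port"])
        elif kind == "http":
            # The Server header is often the only passive hint at software version.
            profile["version"] = obs.get("server_header") or profile["version"]
    for profile in inventory.values():
        profile["ports"] = sorted(profile["ports"])
    return inventory


def exposed_cleartext_services(inventory):
    """Return {mac: [port, ...]} for devices listening on cleartext/legacy ports."""
    return {
        mac: [p for p in profile["ports"] if p in CLEARTEXT_PORTS]
        for mac, profile in inventory.items()
        if any(p in CLEARTEXT_PORTS for p in profile["ports"])
    }


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for profile in inv.values():
        print(profile)
    print("cleartext services:", exposed_cleartext_services(inv))
```

Nothing here sends a packet to the device, which is the point of passive discovery: the pump’s Telnet and HTTP listeners are learned from the SYN-ACKs it already sends, not from probing it.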
Insights About Device Exposures
IoT solutions that leverage AI should incorporate the risk context that enables security teams to focus on the most important devices. Understanding IoT vulnerability risk requires insight into how attackers can use the vulnerability within the context of the organization’s current network architecture and controls. When the AI analyzes risk, it should incorporate information about:
- System architecture: Whether attackers can reach a vulnerable device.
- Network communication flows: Whether sensitive data travels across the network where the device resides.
- Current security controls: Whether the current mitigation prevents attackers from using the vulnerability to compromise the network or system.
- Threat intelligence: Whether attackers currently use the vulnerability in real-world attacks.
Impact-Based Prioritization
As organizations adopt more IoT devices, their risk prioritization solution should incorporate the potential impact that an attack can have. An AI solution should consider critical issues like:
- Physical safety: Compromise or service disruption could harm people, like patients connected to medical devices or workers on a manufacturing floor.
- Data impact: Attackers can gain unauthorized access to sensitive data, leading to a potential data breach.
- Lateral movement: Attackers compromising the device can use it as an entry point to move between networks to accomplish their objectives.
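The sections on real-time risk prioritization, device exposures and impact above all feed one calculation: how likely the vulnerability is to be exploited where the device actually sits, and how much that would hurt. The script below is an added example (not Asimily’s patented algorithm or the page’s own code) that combines the public inputs the article names (a CVSS base score, an EPSS probability, known-exploited status) with environment context (reachability, an existing mitigation, device criticality, safety, data and lateral-movement flags). The weights and the four findings are constructed for illustration and no CVE identifiers are used; the point is that the contextual order comes out the reverse of the CVSS-only order.

```python
"""Context-aware IoT risk scoring.

Added example, not Asimily's algorithm. Weights and findings are constructed;
no CVE identifiers are used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    device: str
    cvss_base: float        # 0-10, technical severity (static)
    epss: float             # 0-1, probability of exploitation in the next 30 days
    known_exploited: bool   # listed as exploited in the wild (e.g. CISA KEV)
    reachable: bool         # an attacker on an untrusted segment can reach the port
    mitigated: bool         # an existing control (ACL, NAC policy) blocks the path
    criticality: int        # 1 = low, 2 = medium, 3 = operations-critical
    safety_impact: bool     # compromise could harm people
    sensitive_data: bool    # device handles or relays sensitive data
    pivot_point: bool       # device bridges networks and enables lateral movement


def likelihood(f: Finding) -> float:
    """Probability-like estimate that this finding is exploited where it sits."""
    p = 1.0 if f.known_exploited else f.epss   # observed exploitation beats any prediction
    if not f.reachable:
        p *= 0.2   # segmentation: attacker must first gain a foothold on that segment
    if f.mitigated:
        p *= 0.1   # a compensating control is in place, but controls fail sometimes
    return p


def impact(f: Finding) -> float:
    """0-1 impact: CVSS severity scaled by device criticality, plus impact flags."""
    severity = (f.cvss_base / 10.0) * (0.5 + f.criticality / 6.0)   # criticality 3 -> x1.0
    flags = 0.2 * f.safety_impact + 0.1 * f.sensitive_data + 0.1 * f.pivot_point
    return min(1.0, severity + flags)


def risk_score(f: Finding) -> float:
    """0-100 contextual risk score (constructed weighting, not a standard)."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def prioritize(findings):
    """Findings ordered by contextual score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_order(findings):
    """The same findings ordered by CVSS base score alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed findings. F1 is "critical" on paper but isolated and mitigated;
# F3 is only "medium" but actively exploited on a reachable, data-handling pivot device.
FINDINGS = [
    Finding("F1", "badge-reader-02", 9.8, 0.05, False, False, True, 1, False, False, False),
    Finding("F2", "infusion-pump-07", 7.5, 0.62, False, True, False, 3, True, False, False),
    Finding("F3", "hvac-gateway-01", 6.5, 0.02, True, True, False, 2, False, True, True),
    Finding("F4", "lobby-camera-04", 8.8, 0.10, False, True, False, 2, False, False, False),
]

if __name__ == "__main__":
    print("CVSS-only order: ", [f.finding_id for f in cvss_order(FINDINGS)])
    print("Contextual order:", [(f.finding_id, risk_score(f)) for f in prioritize(FINDINGS)])
```

Two design choices matter more than the exact weights. Known exploitation overrides the EPSS prediction, because an observed fact beats a forecast. And a mitigation only discounts likelihood rather than zeroing it, so that a finding whose only defence is an ACL stays visible in the queue; the section on mitigation suggestions below depends on exactly that residual risk being tracked.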
Mitigation Suggestions
Sometimes, applying a security update is not an option, especially with IoT devices. Many manufacturers fail to provide patches for firmware. Further, some devices may be difficult to patch immediately. An AI IoT risk prioritization solution should provide suggested remediation activities that provide the most security for the least amount of effort, like:
- Deactivating unnecessary services to limit connectivity.
- Blocking risky ports, or isolating the device, with network access control (NAC) or firewall policies.
- Altering configurations to harden the device.
Continuous Monitoring
Risk is not static. Organizations need AI solutions that understand changing risk profiles. The AI solution should be able to detect malicious behaviors and then correlate the data with other security information, including:
- MITRE ATT&CK framework to map anomalies to attacker tactics, techniques, and procedures (TTPs).
- Component inventories from a Software Bill of Materials (SBOM), matched against vulnerability data.
- Indicators from network monitoring tools, like firewalls.
- Alerts from endpoint detection and response (EDR) tools.
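Mapping anomalies to ATT&CK starts with knowing what each device normally does. The script below is an added example (not Asimily’s detection logic or the page’s own code) that learns a per-device baseline of destination/port pairs from flow records, then classifies new pairs seen later into three techniques: a burst of new ports against one host (T1046 Network Service Discovery), a previously unseen external destination (T1071 Application Layer Protocol, a possible command-and-control channel), and a new connection to a remote-administration port on an internal host (T1021 Remote Services). The flows are constructed, with RFC 5737 documentation addresses standing in for the Internet, and the technique mapping is an analyst’s judgement call rather than a standard.

```python
"""Baseline-and-deviation detection for IoT network flows, mapped to ATT&CK.

Added example, not Asimily's detection logic. Assumes flow records (source,
destination, destination port) from a network sensor or firewall; the flows
below are constructed. The technique mapping is a tunable judgement call.
"""
import ipaddress
from collections import defaultdict

# Internal ranges are declared explicitly rather than via ip_address.is_private,
# because Python also classes the RFC 5737 documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_SERVICE_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def learn_baseline(flows):
    """(destination, port) pairs each device used during the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["dport"]))
    return baseline


def detect(flows, baseline, scan_threshold=10):
    """Classify deviations from the baseline into ATT&CK techniques."""
    new_pairs = defaultdict(set)          # (src, dst) -> ports never seen before
    for f in flows:
        if (f["dst"], f["dport"]) not in baseline.get(f["src"], set()):
            new_pairs[(f["src"], f["dst"])].add(f["dport"])
    alerts = []
    for (src, dst), ports in new_pairs.items():
        if len(ports) >= scan_threshold:
            # Many new ports against one host from a device that never did this: a port scan.
            alerts.append({"device": src, "technique": "T1046",
                           "name": "Network Service Discovery",
                           "evidence": f"{len(ports)} new ports probed on {dst}"})
            continue
        for port in sorted(ports):
            if not is_internal(dst):
                # IoT devices talk to a fixed set of vendor endpoints; a new one is suspect.
                alerts.append({"device": src, "technique": "T1071",
                               "name": "Application Layer Protocol",
                               "evidence": f"new external destination {dst}:{port}"})
            elif port in REMOTE_SERVICE_PORTS:
                # A camera opening Telnet to a pump is a lateral-movement indicator.
                alerts.append({"device": src, "technique": "T1021",
                               "name": "Remote Services",
                               "evidence": f"{REMOTE_SERVICE_PORTS[port]} to {dst}"})
    return alerts


# Constructed learning-window flows: the camera syncs NTP and pulls config over
# HTTPS; the pump syncs NTP and sends HL7 messages to an integration engine.
BASELINE_FLOWS = [
    {"src": "10.20.1.40", "dst": "10.20.1.5", "dport": 123},
    {"src": "10.20.1.40", "dst": "10.20.1.10", "dport": 443},
    {"src": "10.20.1.15", "dst": "10.20.1.5", "dport": 123},
    {"src": "10.20.1.15", "dst": "10.20.1.20", "dport": 2575},
]

# Constructed monitoring-window flows: normal traffic plus three deviations.
LIVE_FLOWS = (
    [{"src": "10.20.1.40", "dst": "10.20.1.50", "dport": p}
     for p in (21, 22, 23, 80, 443, 445, 554, 8080, 8443, 9000)]   # camera scans a host
    + [{"src": "10.20.1.15", "dst": "10.20.1.20", "dport": 2575},   # pump: normal
       {"src": "10.20.1.15", "dst": "203.0.113.7", "dport": 443},   # pump: new external peer
       {"src": "10.20.1.40", "dst": "10.20.1.15", "dport": 23}]     # camera telnets to pump
)

if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

The output of `detect` is what gets correlated with the other sources in the list above: the device field joins to the inventory and SBOM, the technique ID joins to ATT&CK, and the external destination is what you check against firewall logs and threat intelligence. Group-then-classify (rather than alerting per flow) is deliberate, so a scan that happens to include port 22 produces one T1046 alert instead of a T1021 alert buried in nine others.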
Asimily: IoT Risk Prioritization with AI
Asimily is purpose-built to manage IoT devices so that organizations have visibility into and control over their fleets. Our platform’s AI capabilities incorporate context about vulnerabilities and the IT environment, so organizations can mitigate risk more effectively.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm, which cross-references vast amounts of data from resources like the Exploit Prediction Scoring System (EPSS), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK framework, and NIST guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.