At the Cisco IoT World Forum held last week in London, CEO Chuck Robbins discussed in his keynote how we are on...
the precipice of connecting literally everything, including many things we haven't thought of. I've seen estimates of 10 billion to 30 billion new devices being connected by 2020. While this may seem like a wide range, in my opinion, the actual number doesn't matter. The fact is that over the next decade, businesses need to prepare themselves for a massive wave of new endpoints that will be connected to the company network.
For network operations, having this many devices attached to the network poses some significant challenges, the biggest of which is security. In 2016, ZK Research surveyed network managers on what their biggest challenge was with respect to IoT. And, to no surprise, security was by far the top response.
Securing IoT devices creates a number of interesting challenges for businesses, the most significant of which is the majority of IoT devices aren't deployed by the IT organization itself. In the same survey as above, a whopping 50% of network managers said they were either "not confident at all" or have "low confidence" that they know what IoT devices are attached to the network. There's an axiom in the security world that states, "You can't secure what you can't see." And for many businesses, not being able to see their IoT endpoints creates significant security vulnerabilities.
Also, even if IT is aware of IoT devices, they can be difficult to secure. Most traditional connected endpoints are designed to have at least basic security. Many IoT endpoints have no ability to secure themselves or have security software loaded onto them. Additionally, some older IoT devices are still running operating systems, such as Windows 95, that are filled with known vulnerabilities and have embedded passwords like "password," so they can be easy to breach.
The consequence of an IoT breach can be far more significant than the device itself. For example, one of the more highly publicized retail breaches happened because the HVAC system was breached, which created a backdoor to the point-of-sale system. Most IoT devices are not sitting behind next-generation firewalls, so hackers will target these as a way to backdoor their way onto the company network.
This is why it's crucially important to not only secure IoT devices, but also ensure there is no ability for the endpoint to communicate with other unnecessary networks. For example, in a hospital, the guest network should be completely isolated from the network that patient devices are on, which should be separate from the network where electronic records are stored. This is often not the case, because setting up multiple secure zones using traditional network methods like virtual LANs and access control lists can be a complicated and time-consuming process.
Introducing Cisco IoT Threat Defense
At IoT World Forum, the company announced Cisco IoT Threat Defense to help organizations with the challenge of securing IoT devices. In actuality, the service is more of an architecture that brings together a number of Cisco security technologies and provides a prescriptive way for customers to deploy them. The products that are included in Cisco IoT Threat Defense include:
- TrustSec for network segmentation;
- Stealthwatch for network behavioral analytics;
- Identity Services Engine for defense visibility;
- AnyConnect for remote access;
- Umbrella for cloud security;
- Advanced Malware Protection for antimalware; and
- Firepower for next-generation firewall.
Devices that comply with the Internet Engineering Task Force manufacturer usage description (MUD) specification provide a wealth of information, and Cisco can use this to automate the onboarding of the device and then place it in a secure TrustSec zone to keep it on a completely isolated network, which should keep it out of the reach of cybercriminals.
Older endpoints, or ones that don't comply with MUD, pose a challenge, as Cisco won't know what the device is or what its purpose is. Here is where the breadth of Cisco's products really shines, as the company can use network anomaly detection to infer what the device is and if there is a breach. For example, take the case of a connected soda machine. Normal operations would be the machine sends inventory updates to the manufacturer once a day. If at some point it tries to access a point-of-sale system or an accounting server, one could interpret this as a breach, and the device can be quarantined for further investigation.
This many not prevent the breach, but it would minimize the blast radius to that one particular device instead of having the threat spread throughout the company. Cisco's advantage is its equipment is typically deployed all over most businesses, so the more a customer has deployed, the more Cisco sees -- and the higher the likelihood a breach is spotted quickly and the IoT endpoint is put in a place that is out of harm's way.
Also, because Cisco IoT Threat Defense is made up of existing products, they are mature, seasoned and reliable, so customers do not have to worry about their effectiveness. Similar to what Cisco did with voice over IP, the architectural approach takes much of the guesswork out of having to deploy multiple technologies to solve a single problem.
The IoT era has arrived, and network and security teams need to be prepared to handle the billions of devices about to be dropped onto networks -- and top of mind must be security. IoT Threat Defense won't solve all of the security issues and stop all breaches, but it gives organization a much better chance of protecting their IoT deployments than trying to cobble together a service from scratch.