Internet Of Things (IoT) Security: Understanding The Challenges While Mitigating the Risks
Demetris Booth, APJC Lead – Product Management & Product Marketing
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Agenda
• Overview & Benefits
• Security Challenges
• Mitigating Challenges
  – High Level View
  – Technical View
• Bringing It All Together
IoT Is Here Now – and Growing!
Chart (billions of devices vs. timeline, 2010 to 2020): world population 6.8 billion (2010), 7.2 billion (2015), 7.6 billion (2020); connected devices 12.5 billion (2010), 25 billion (2015), 50 billion “Smart Objects” (2020), with the inflection point marked on the timeline.
Adoption rate of digital infrastructure: 5X faster than electricity and telephony
Relation to Internet of Everything (IoE)
IoE: Networked Connection of People, Process, Data, Things
• People: Connecting people in more relevant, valuable ways
• Data: Leveraging data into more useful information for decision making
• Process: Delivering the right information to the right person (or machine) at the right time
• Things: Physical devices and objects connected to the Internet and each other for intelligent decision making
IoE: Connecting the Unconnected to Generate Business Value
What Comprises IoT Networks?
• Information Technology (IT)
• Operational Technology (OT)
• Smart Objects
Smart City
Safety, financial, and environmental benefits
Reduced congestion
Improved emergency services response times
Lower fuel usage
Increased efficiency
Power and cost savings
New revenue opportunities
Efficient service delivery
Increased revenues
Enhanced environmental monitoring capabilities
The Connected Car
Actionable intelligence, enhanced comfort, unprecedented convenience
Online entertainment
Mapping, dynamic re-routing, safety and security
Transform “data” to “actionable intelligence”
Enable proactive maintenance
Collision avoidance
Fuel efficiency
Reduced congestion
Increased efficiency
Safety (hazard avoidance)
IoT Transforms Data into Wisdom
Big Data Becomes Open Data for Customers, Consumers to Use
Hierarchy, from less important to more important: Data → Information → Knowledge → Wisdom (Scenario Planning)
… but it also adds complexity.
Layers of the IoT platform, bottom to top:
• Device and Sensor Innovation
• Infrastructure: Application Centric Infrastructure
• Infrastructure Interfaces
• Unified Platform: Application Enablement Platform (Data Integration, Big Data Analytics, Control Systems, Application Integration)
• Application Interfaces
• Applications: Application and Business Innovation (New Business Models, Partner Ecosystem)
We’ve Created the Perfect Storm…
Device Explosion + Connectivity Explosion + State Cyber Programs + Industrialization of Hacking + “Hacktivism” = the perfect storm
Security Challenges
Traditional Security Challenges: Increased Attack Surface, Information Breach, Data Privacy
Smart Objects: 6 devices per person, 130 sensors per person
IoT Security Challenges
• Superior Visibility: Advanced video analytics, remote management, and multi-site event correlation
• Granular Control: Differentiated policy enforcement across the extended network
• Advanced Threat Protection: Comprehensive cyber security threat detection and mitigation
• Actionable Intelligence: Internetworked security solutions for superior intelligence and rapid response
• Automated Decisions: Machine-to-machine enabled security control with no human intervention required
IoT Expands Security Needs
IoT connectivity: Converged, Managed Network; Resilience at Scale; Security; Application Enablement; Distributed Intelligence; New Applications
Expanded security needs: Threat Diversity; Impact and Risk; Remediation; Protocols; Compliance and Regulation
IT and OT are Inherently Different
IT
• Connectivity: “Any-to-Any”
• Network Posture: Confidentiality, Integrity, Availability (CIA)
• Security Solutions: Cybersecurity; Data Protection
• Response to Attacks: Quarantine/Shutdown to Mitigate
OT
• Connectivity: Hierarchical
• Network Posture: Availability, Integrity, Confidentiality (AIC)
• Security Solutions: Physical Access Control; Safety
• Response to Attacks: Non-stop Operations/Mission Critical – Never Stop, Even if Breached
IT/OT Converged Security Model
Zones: IT (Enterprise Network) | DMZ (Demilitarised Zone) | OT (Supervisory; Automation & Control)
Services spanning all three zones: Identity Services, Cloud, Network Security, Secure Access, Application Control, Config Mgmt
The Secure IoT Architecture – IT Plus OT!
The same layered platform (Device and Sensor Innovation; Application Centric Infrastructure; Infrastructure Interfaces; Application Enablement Platform with Data Integration, Big Data Analytics, Control Systems and Application Integration; Application Interfaces; Application and Business Innovation with New Business Models and Partner Ecosystem), with Security and Services as layers that span the whole stack:
• Network and Perimeter Security
• Physical Security
• Device-level Security / Anti-tampering
• Cloud-based Threat Analysis / Protection
• End-to-End Data Encryption
Cisco Security Model
Attack Continuum (applied across Network, Endpoint, Mobile, Virtual and Cloud; point-in-time and continuous):
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Security/Attack Continuum - IT
BEFORE (Control, Enforce, Harden): Cloud-based threat detection and prevention; policy enforcement via firewall, VPN and identity services
DURING (Detect, Block, Defend): Quarantine based on real-time analysis and actionable security intelligence from IPS and WSA
AFTER (Scope, Contain, Remediate): Remediate using advanced protection and network behavioral analysis
Security/Attack Continuum - OT
BEFORE (Control, Enforce, Harden): Networked cyber and physical security solutions with OT-specific policies
DURING (Detect, Analyze, Respond): Response based on real-time analysis and actionable security intelligence
AFTER (Disable, Contain, Remove): Lockdown physical spaces or disable access to critical infrastructure
Exposure In IoT Networks
Diagram: threats at each tier of the path from IoT device through aggregation, core and data center, across the WAN / Internet [VPN], and into management:
• IoT device – Hack Device: unauthorized device, device tampering, malware infection
• Device-to-aggregation link – MITM: sniff traffic, modify data, impersonation
• Aggregation – Compromise: unauthorized access, device tampering, service disruption, sniff traffic
• WAN / Internet [VPN] – MITM: sniff traffic, modify data, impersonation, service disruption
• Core – Compromise: unauthorized access, device tampering, service disruption, sniff traffic
• Data center – Compromise: unauthorized access, device tampering, service disruption, sniff traffic
• Management – Compromise: unauthorized use, malware infection
Required Security Model for IoT
Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
The network takes three roles across the continuum: Network as a Sensor, Network as an Enforcer, Network as a Mitigation Accelerator
Reference topology used on the following slides: IoT device → aggregation → core → data center, with WAN / Internet [VPN] transit and a management block. Security elements placed in it: firewall, IPS, advanced malware protection, NetFlow (NF) analyzer, policy server (ISE), web security and email security (www). Each element is mapped to the continuum as BEFORE, DURING or AFTER an attack.
BEFORE an attack: MAB (MAC Authentication Bypass) / Profiling
• ISE builds device database by MAC address
• Profile with SNMP (LLDP), DHCP, NMAP, NetFlow drives MAC-based access policy
• ISE manages policy
Benefit
• Visibility and access control
• MAC linked with device ID and location
• Custom access by device profile
BEFORE an attack: 802.1X (on every access port)
• Authenticates device before activating access
• ISE manages policy
Benefit
• Operational simplicity and control
• Dynamic device authentication
• Single policy management
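A toy model of the port-access decision the MAB/profiling and 802.1X slides describe (802.1X first, MAB fallback decided by the profile the policy server has built for the MAC), added here as an example; it is not Cisco's code and not a description of ISE internals. The profiling rules, OUIs, identity names, VLAN policy names and sample endpoints are all constructed, and the choice not to fall back to MAB after a failed EAP exchange is an assumption of the example.

```python
"""Added example (not Cisco's code or ISE's implementation): a toy model of the
port-access decision described on the MAB/profiling and 802.1X slides.

Decision order on an access port, as the slides describe it:
  1. 802.1X: if the endpoint has a supplicant and authenticates, the policy
     bound to its identity applies.
  2. MAB fallback: otherwise the switch submits the MAC address, and the
     policy server decides from the profile it built for that MAC out of
     DHCP, SNMP/LLDP, NMAP and NetFlow observations.
  3. Anything that fails both steps gets no access.
Profile rules, OUIs, identities, bindings and sample endpoints are constructed.
"""
from dataclasses import dataclass

# Constructed profiling rules: (attribute, expected value, points).  A profile
# applies when its summed points reach MIN_CONFIDENCE, so one spoofable
# signal (an OUI alone) is not enough to earn a device-specific policy.
PROFILE_RULES = {
    "ip-camera": [("oui", "00:1A:07", 30), ("dhcp_class", "IPCAM", 30),
                  ("open_port", 554, 20), ("lldp_sysdesc", "Camera", 20)],
    "plc":       [("oui", "00:0E:8C", 30), ("open_port", 502, 40),
                  ("lldp_sysdesc", "PLC", 30)],
}
MIN_CONFIDENCE = 50

# Constructed policy bindings: identities are what 802.1X proves,
# profiles are what MAB falls back to.
IDENTITY_POLICY = {"ops-laptop-01": "vlan-corp"}
PROFILE_POLICY = {"ip-camera": "vlan-cameras", "plc": "vlan-ot-control"}


@dataclass
class Endpoint:
    """What the network has observed about one MAC (all fields constructed)."""
    mac: str
    dhcp_class: str = ""
    lldp_sysdesc: str = ""
    open_ports: frozenset = frozenset()
    dot1x_identity: str = ""      # empty when the device has no supplicant
    dot1x_valid: bool = False     # outcome of the EAP exchange, if one happened

    def matches(self, attribute, value):
        if attribute == "oui":
            return self.mac.upper()[:8] == value.upper()
        if attribute == "open_port":
            return value in self.open_ports
        return getattr(self, attribute) == value


def profile_endpoint(ep):
    """Return (profile, points) for the best-scoring profile, or ('unknown', 0)."""
    best = ("unknown", 0)
    for profile, rules in PROFILE_RULES.items():
        points = sum(p for attr, val, p in rules if ep.matches(attr, val))
        if points >= MIN_CONFIDENCE and points > best[1]:
            best = (profile, points)
    return best


def authorize_port(ep):
    """Decide access for an endpoint: 802.1X first, then MAB, otherwise deny."""
    if ep.dot1x_identity:                       # a supplicant answered EAPOL
        if ep.dot1x_valid and ep.dot1x_identity in IDENTITY_POLICY:
            return {"method": "dot1x", "policy": IDENTITY_POLICY[ep.dot1x_identity]}
        # This example does not fall back to MAB after a failed EAP exchange
        # (an assumption of the example, not a statement about any product).
        return {"method": "dot1x", "policy": "deny"}
    profile, points = profile_endpoint(ep)      # MAB: the MAC's profile decides
    policy = PROFILE_POLICY.get(profile, "deny")
    return {"method": "mab", "policy": policy, "profile": profile, "points": points}


if __name__ == "__main__":
    for ep in (Endpoint("00:1a:07:aa:bb:cc", dhcp_class="IPCAM", open_ports=frozenset({80, 554})),
               Endpoint("00:0e:8c:01:02:03"),                       # OUI alone: too weak
               Endpoint("00:0e:8c:01:02:03", open_ports=frozenset({502})),
               Endpoint("3c:5a:b4:00:00:01", dot1x_identity="ops-laptop-01", dot1x_valid=True)):
        print(ep.mac, authorize_port(ep))
```

The point to take from it is the confidence threshold: a single spoofable attribute such as the OUI earns nothing on its own, so a device that merely clones a camera's MAC does not inherit the camera's policy unless its DHCP, LLDP and port behaviour agree with that profile.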
BEFORE an attack: SGT / SGACL (Security Group Tags / Security Group ACLs)
• Tags traffic based on device policy
• Enforces access control based on tag
• ISE manages policy
Benefit
• Operational simplicity and speed
• Dynamic, topology-independent enforcement
• Single access control policy
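An added example (not Cisco's code) of the matrix-style enforcement this slide describes: endpoints are classified into security groups, the tag travels with the traffic, and one SGACL matrix keyed by (source group, destination group) decides every flow wherever it is seen, so re-addressing a device changes nothing. Group names, tag values, address bindings, the matrix and the sample flows are all constructed.

```python
"""Added example (not Cisco's code): a toy model of the SGT / SGACL enforcement
the slide describes.  The policy server classifies each endpoint into a
security group, the group tag travels with its traffic, and a single SGACL
matrix keyed by (source group, destination group) decides every flow at
whatever switch or firewall sees it.  Group names, tag values, address
bindings, the matrix and the sample flows are all constructed.
"""

# Constructed security group tags: the numeric tag carried with the traffic.
SGT = {"unknown": 0, "cameras": 10, "plc": 20, "video-server": 30,
       "scada-hmi": 40, "corp-users": 50}

# Constructed IP -> group bindings, as the policy server would push them.
# Enforcement keys on the tag, never on the address or subnet.
BINDINGS = {"10.10.1.5": "cameras", "10.10.1.6": "cameras",
            "10.20.5.9": "video-server", "10.30.0.2": "plc",
            "10.30.0.50": "scada-hmi", "10.40.7.21": "corp-users"}

# Constructed SGACL matrix: (src group, dst group) -> [(proto, dst port, action)].
# A missing cell, or no matching rule inside a cell, is an implicit deny, so
# the camera segment cannot reach the PLC even though nothing names that pair.
SGACL = {
    ("cameras", "video-server"):    [("tcp", 554, "permit"), ("udp", None, "permit")],
    ("scada-hmi", "plc"):           [("tcp", 502, "permit")],
    ("corp-users", "video-server"): [("tcp", 443, "permit")],
    ("corp-users", "plc"):          [("tcp", 502, "deny")],   # explicit, so it is logged
}


def classify(ip, bindings=BINDINGS):
    """Group (and tag value) for an address; unbound addresses are 'unknown'."""
    group = bindings.get(ip, "unknown")
    return group, SGT[group]


def evaluate(flow, bindings=BINDINGS):
    """Decide one flow against the matrix; returns (action, reason)."""
    src_group, src_tag = classify(flow["src"], bindings)
    dst_group, dst_tag = classify(flow["dst"], bindings)
    cell = SGACL.get((src_group, dst_group))
    where = f"SGT {src_tag} -> SGT {dst_tag}"
    if cell is None:
        return "deny", f"{where}: no cell, implicit deny"
    for proto, port, action in cell:
        if proto == flow["proto"] and (port is None or port == flow["dport"]):
            shown = port if port is not None else "any"
            return action, f"{where}: {proto}/{shown} {action}"
    return "deny", f"{where}: no rule matched, implicit deny"


def enforce(flows, bindings=BINDINGS):
    """Apply the matrix to a batch of flows; returns [(flow, action)]."""
    return [(flow, evaluate(flow, bindings)[0]) for flow in flows]


if __name__ == "__main__":
    SAMPLE_FLOWS = [  # constructed
        {"src": "10.10.1.5", "dst": "10.20.5.9", "proto": "tcp", "dport": 554},
        {"src": "10.10.1.5", "dst": "10.30.0.2", "proto": "tcp", "dport": 502},
        {"src": "10.30.0.50", "dst": "10.30.0.2", "proto": "tcp", "dport": 502},
        {"src": "10.40.7.21", "dst": "10.30.0.2", "proto": "tcp", "dport": 502},
        {"src": "192.0.2.77", "dst": "10.20.5.9", "proto": "tcp", "dport": 554},
    ]
    for flow, action in enforce(SAMPLE_FLOWS):
        print(action.upper(), flow, evaluate(flow)[1])
```

Two things worth noticing: an address with no binding lands in the "unknown" group, which has no cells and is therefore denied everywhere, and adding a binding for a camera that moved to a new subnet is the only change needed for its traffic to keep working.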
DURING an attack: NetFlow Analyzer (NetFlow exported from every tier)
• Collect full NetFlow across network
• Detect behavioral anomalies
• ISE provides context
Benefit
• Full threat visibility
• Detect threats in any part of network
• Detect access abuse
• Detect attacks missed by security systems
DURING an attack: IPS / AMP
• Monitor traffic and file threats
Benefit
• Integrated advanced threat detection
• Detects advanced attacks and malware
DURING an attack: WSA / ESA (Web Security Appliance / Email Security Appliance)
• Reputation-based web threat blocking
• Reputation-based email threat blocking
Benefit
• Block advanced web / email threats
• Intelligence-driven threat detection
AFTER an attack: NetFlow Analyzer
• Record 90 days of communications activity
• Scope extent of breach
• Report policy and compliance
Benefit
• Full Accountability
• Map threat trajectory
• Evidence-based auditing
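One added example (not Cisco's code) serving both the DURING NetFlow slide and this AFTER slide, since both work from the same flow records: a behavioural baseline is learned per device profile from a clean window, live flows outside the baseline are flagged, and once a host is declared compromised the retained history is replayed forward in time to map the trajectory and scope the breach. The flow records, the address-to-profile context (standing in for what ISE would supply) and the timestamps are constructed.

```python
"""Added example (not Cisco's code): NetFlow-style behavioural detection (the
DURING slide) and retrospective breach scoping from the retained flow history
(the AFTER slide) in one block, since both work from the same records.

Records are constructed summaries of the kind a NetFlow exporter sends; the
address -> profile map stands in for the context ISE would supply.  A baseline
of which profile talks to which profile on which port is learned from a clean
window, live flows that leave that baseline are flagged, and once a host is
declared compromised its trajectory is replayed forward through the history.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport bytes")

# Constructed ISE-style context: the profile behind each address.
CONTEXT = {"10.10.1.5": "camera", "10.10.1.6": "camera", "10.20.5.9": "video-server",
           "10.30.0.2": "plc", "10.30.0.50": "hmi", "10.40.7.21": "workstation",
           "203.0.113.9": "internet"}


def profile_of(ip):
    return CONTEXT.get(ip, "unknown")


def behaviour(flow):
    """The per-profile behaviour key: who talks to whom, on what."""
    return (profile_of(flow.src), profile_of(flow.dst), flow.proto, flow.dport)


def learn_baseline(clean_flows):
    """Set of behaviours observed during a window believed to be clean."""
    return {behaviour(f) for f in clean_flows}


def detect(live_flows, baseline):
    """Flows whose behaviour is outside the baseline for their profile pair."""
    return [f for f in live_flows if behaviour(f) not in baseline]


def retain(history, now, days=90):
    """Drop records older than the retention window the slide describes."""
    return [f for f in history if now - f.ts <= days * 86400]


def scope_breach(history, patient_zero, compromise_ts):
    """Threat trajectory: every host reached, directly or via a hop, by flows
    that start at or after the moment their source host was itself reached.
    Returns {host: time first reached}, patient zero included."""
    reached = {patient_zero: compromise_ts}
    for f in sorted(history, key=lambda f: f.ts):        # time-ordered replay
        if f.src in reached and f.ts >= reached[f.src] and f.dst not in reached:
            reached[f.dst] = f.ts
    return reached


# Constructed records.  T is an arbitrary epoch base; D is one day later.
T = 1_700_000_000
D = T + 86_400
CLEAN_WINDOW = [
    Flow(T + 10, "10.10.1.5", "10.20.5.9", "tcp", 554, 900_000),
    Flow(T + 15, "10.10.1.6", "10.20.5.9", "tcp", 554, 880_000),
    Flow(T + 20, "10.30.0.50", "10.30.0.2", "tcp", 502, 4_000),
    Flow(T + 30, "10.40.7.21", "203.0.113.9", "tcp", 443, 120_000),
    Flow(T + 40, "10.40.7.21", "10.20.5.9", "tcp", 443, 50_000),
]
LIVE_WINDOW = [
    Flow(D + 5, "10.10.1.5", "10.20.5.9", "tcp", 554, 910_000),      # normal
    Flow(D + 60, "10.10.1.5", "203.0.113.9", "tcp", 6667, 2_000),    # camera to Internet
    Flow(D + 120, "10.10.1.5", "10.10.1.6", "tcp", 23, 800),         # camera probing a peer
    Flow(D + 180, "10.10.1.6", "10.30.0.2", "tcp", 502, 600),        # camera to PLC
    Flow(D + 200, "10.30.0.50", "10.30.0.2", "tcp", 502, 4_100),     # normal
    Flow(D + 240, "10.30.0.2", "10.30.0.50", "tcp", 502, 300),       # PLC initiating to HMI
    Flow(D + 300, "10.40.7.21", "203.0.113.9", "tcp", 443, 99_000),  # normal
]


def investigate(clean=CLEAN_WINDOW, live=LIVE_WINDOW):
    """Detect, then scope from the first anomalous source; returns (anomalies, reached)."""
    anomalies = detect(live, learn_baseline(clean))
    if not anomalies:
        return [], {}
    first = min(anomalies, key=lambda f: f.ts)
    return anomalies, scope_breach(clean + live, first.src, first.ts)


if __name__ == "__main__":
    anomalies, reached = investigate()
    for f in anomalies:
        print("ANOMALY", f.ts, f.src, "->", f.dst, f.proto, f.dport, behaviour(f))
    print("in scope:", reached)
```

The scoping replay is deliberately time-aware: the camera's legitimate flow to the video server just before the first anomalous flow is not pulled into scope, while the PLC's later connection to the HMI is, because by then the PLC had itself been reached through the second camera.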
AFTER an attack: IPS / AMP
• Retrospective analysis of threats
• Contain infected devices and files
• ISE provides quarantine
Benefit
• Fast threat scoping and remediation
• Trace and eliminate infections with the click of a button
• Map threat trajectory
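An added example (not Cisco's code and not AMP's implementation) of the retrospective idea on this slide, reduced to a file-sighting ledger: every control point records the SHA-256 of a file it saw, a file's disposition may start as unknown, and when analysis later convicts it the ledger is replayed to find the entry point, every host that holds the file, and which hosts need quarantine. The file bytes, hosts, control points, actions and times are constructed.

```python
"""Added example (not Cisco's code or AMP's implementation): the retrospective
security idea on the AFTER slide, reduced to a file-sighting ledger.

Each control point (network, endpoint, email) records the SHA-256 of a file it
saw, with where, when and what it did about it.  A file's disposition may start
as 'unknown' and be changed later by analysis; when it flips to 'malicious' the
ledger is replayed to give the entry point, every host that saw the file and
the hosts that actually hold it and need quarantine.  The file content, hosts,
control points and times are constructed.
"""
import hashlib
from collections import defaultdict

NOT_EXPOSED = {"blocked"}      # actions that mean the host never got the file


class FileLedger:
    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(ts, host, control point, action)]
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malicious"

    @staticmethod
    def fingerprint(data):
        return hashlib.sha256(data).hexdigest()

    def check(self, data):
        """Point-in-time lookup a control point makes before letting a file through."""
        return self.disposition.get(self.fingerprint(data), "unknown")

    def record(self, ts, host, control_point, data, action):
        """Record a sighting; the first sighting of a hash starts it as 'unknown'."""
        digest = self.fingerprint(data)
        self.disposition.setdefault(digest, "unknown")
        self.sightings[digest].append((ts, host, control_point, action))
        return digest

    def set_disposition(self, digest, verdict):
        """Update a verdict; a flip to 'malicious' returns the retrospective scope."""
        previous = self.disposition.get(digest, "unknown")
        self.disposition[digest] = verdict
        if verdict == "malicious" and previous != "malicious":
            return self.trajectory(digest)
        return None

    def trajectory(self, digest):
        """Replay the ledger for one hash: entry point, hosts seen, hosts to quarantine."""
        events = sorted(self.sightings.get(digest, []))
        return {
            "entry_point": events[0] if events else None,
            "hosts_seen": sorted({host for _, host, _, _ in events}),
            "quarantine": sorted({host for _, host, _, action in events
                                  if action not in NOT_EXPOSED}),
            "events": events,
        }


def demo():
    """Constructed timeline: a file arrives unknown, spreads, then is convicted."""
    ledger = FileLedger()
    payload = b"MZ\x90\x00constructed-sample-not-real-malware"
    T = 1_700_000_000
    # The web gateway and the endpoint let it through: nothing is known yet.
    digest = ledger.record(T + 0, "hostA", "network", payload, "allowed")
    ledger.record(T + 5, "hostA", "endpoint", payload, "written")
    ledger.record(T + 60, "hostA", "endpoint", payload, "executed")
    # hostA mails it on; the gateway delivers because check() still says unknown.
    ledger.record(T + 600, "hostB", "email", payload, "delivered")
    ledger.record(T + 605, "hostB", "endpoint", payload, "written")
    # Analysis returns a verdict: the ledger is replayed into a scope.
    scope = ledger.set_disposition(digest, "malicious")
    # A later copy to hostC is stopped because check() now returns malicious.
    action = "blocked" if ledger.check(payload) == "malicious" else "delivered"
    ledger.record(T + 900, "hostC", "email", payload, action)
    return ledger, digest, scope


if __name__ == "__main__":
    ledger, digest, scope = demo()
    print("entry point:", scope["entry_point"])
    print("quarantine:", scope["quarantine"])
    print("seen after conviction:", ledger.trajectory(digest)["hosts_seen"])
```

The distinction between "hosts_seen" and "quarantine" is the practical one: a host where the file was blocked at the gateway appears in the trajectory but needs no containment, whereas every host where it was written or executed does.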
Advanced Malware Protection For IoT
Components: SaaS Manager; FireSIGHT/ASA Sensor; FireSIGHT Management Center; AMP Malware license; Detection Services & Big Data analytics; AMP for Networks; AMP for Endpoints
Connections to the detection services: SSL:443 | 32137; Heartbeat: 80
The catch? Detection is “in the cloud”.
“On-prem” addresses cloud objections (On-Prem proxy).
Sophisticated and Continuous Protection
Point-in-Time Protection: File Reputation & Sandboxing
• One-to-One Signature
• Fuzzy Finger-printing
• Machine Learning
• Advanced Analytics
• Dynamic Analysis
Retrospective Security: Continuous Analysis of a continuous telemetry feed
Breadth and Control points: Web (WWW), Endpoints, Network, Email, Devices, IPS
Telemetry stream: File Fingerprint and Metadata; File and Network I/O; Process Information
Analyse The IoT Threat!
1. Submission: Analyst (portal) or system (API) submits suspicious sample to Threat Grid.
2. Proprietary Analysis: An automated engine observes, deconstructs, and analyzes using multiple techniques.
3. Correlation at Unprecedented Scale: System correlates sample result with millions of other samples / billions of artifacts.
4. Enriched Content Integration: Actionable intel generated that can be packaged and integrated into a variety of existing systems.
Threat Intelligence: Research and Response
Telemetry sources (Email, Endpoints, Web, Networks, IPS, Devices):
• 100 TB of intelligence
• 1.6M sensors
• 150 million+ endpoints
• 35% of email worldwide
• FireAMP™, 3+ million
• 13B web requests
• 180,000+ files per day
• 1B SBRS queries per day
• 3.6PB monthly through CWS
Research and response output:
• Advanced Industry Disclosures
• Outreach Activities
• Dynamic Analysis
• Threat Centric Detection Content
• SEU/SRU
• Sandbox
• VDB
• Security Intelligence
• Email & Web Reputation
Network-Wide Security with Differential Applications
Before
• Secure Access
  IT: role-based access for individuals and groups; VPN/remote access for most systems throughout the network; complex passwords with lockout policies
  OT: role-based access to few individuals; VPN to few systems and users; badge readers/integrated sensors; simplified passwords (except for the most critical systems)
• Security Group Tagging
  IT: tags traffic based on device policy; enforces access control based on tag
  OT: enhanced segmentation for required groups only; dynamic, topology-independent enforcement
During
• Intrusion Prevention/Detection
  IT: IPS – enforces policies
  OT: IDS – sends security alert only
• Threat Mitigation
  IT: quarantine affected system
  OT: analysis of the threat to determine appropriate action
• Data Integrity and Confidentiality
  IT: Data Loss Prevention (DLP)
  OT: combined physical and cybersecurity access controls
• Network-wide Policy Enforcement (IT and OT): differentiated actions based on value, function, and location of the device
After
• Retrospective Security Policies (IT and OT): centralised remediation and adaptation
IoT Can Actually Increase Security Posture
Network of Security Devices
– Cyber Security Firewall, IDS
– Physical Security IP cameras, badge readers, analytics
Actionable Security Intelligence
– Automated / M2M
– Human Response
Remote Capabilities
– Configuration and Management
– Collaboration Between Groups
Diagram: IDS, Secure Access, Video+Analytics, NG Firewall and Security Intelligence interconnected as one network of security devices.
Conclusion: Securely Embrace IoT!
New challenges require new thinking!
– avoid operational siloes
– networking and convergence are key
– a sound security solution is integrated throughout
– build for the future
Security must be pervasive
– inside and outside the network
– device- and data-agnostic
– proactive and intelligent
Intelligence, not data
– convergence, plus analytics
– speed is essential for real-time decisions