DEALING WITH THE TSUNAMI OF UNMANAGED DEVICES

Jamil (Jamie) Mneimneh, CISSP-ISSAP
Director, Solutions Architecture

©2018 Armis Inc. All Rights Reserved.

Page 2

Enterprise of “Things”

Page 3

Businesses can’t see 40% of the devices around them.

Page 4

Office Environment

Page 5

Health Care

Page 6

Manufacturing

Page 7

Explosive Growth in Enterprise “Things”

[Chart: connected devices by year, 2010 to 2020; vertical axis in billions (5, 10, 15, 20 Billion), labelled "20+ Billion Connected Devices". Category labels: Traditional, Enterprise Managed, Unmanaged, BYOD (PC & Mobile), Unmanaged and IoT. Devices shown: Web, PCs and Servers, Laptops, Tablets, Smartphones, Switches, Printers, VOIP, Point of Sale, Medical Devices, Manufacturing, Access Points, Bluetooth, Security Cameras, Smart TVs, Smart HVAC, Smart Lighting. Legend: Protected / Unprotected.]

Source: Gartner, BI Intelligence 2016

Page 8

Meet The New (Insecure) Endpoint

• Designed To Connect
• Hard to Update
• No Security
• Hard to Discover
• Billions of Devices
• Many Manufacturers

Page 9

The Growing IoT Exposure

• More than 25% of identified attacks in Enterprises will involve IoT in 2020.
• 10% of new devices connected to your network will be manageable by traditional methods by 2020.
• 600% increase in IoT attacks from 2016 to 2017

Sources: Symantec ISTR, 2018; Gartner, World Wide Security Report, 2017; Gartner, BI Intelligence, 2017


Page 13

6 EXPLOITS
Real Stories, Never Published

Page 14

Compromised Tablet

WHAT: UNAUTHORIZED VIDEO STREAMING

• 200 conference rooms, each with a tablet to control the video system
• The tablet in one conference room was streaming video and audio to an unknown destination
• This represented a leakage of sensitive conversations.

Page 15

Compromised Smart TV

WHAT: ATTEMPTING TO INFECT OTHER DEVICES

• Boardroom was equipped with a Smart TV
• Malware on the Smart TV was trying to infect nearby devices via Wi-Fi and Bluetooth.

Page 16

Compromised Security Camera

WHAT: BOTNET ATTACK

• Security cameras on the network were compromised and had become part of a botnet
• The botnet was connecting to routers on the network, trying to compromise them.

Page 17

Infected Healthcare Device

WHAT: ENTRY POINT FOR WANNACRY

• MRI machine had an external internet connection for vendor remote support
• Running Windows XP, unpatched because patching would void the warranty
• Infected with WannaCry and trying to infect other Windows systems via SMB

Page 18

Unauthorized Network Bridge

WHAT: PRINTER ALLOWED ANYONE TO CONNECT

• A printer connected to the wired network had an open hotspot, allowing unauthenticated access by anyone.

Page 19

Rogue Network Stealing Credentials

WHAT: THEFT OF NETWORK CREDENTIALS

• A corporate device was connecting to a WiFi Pineapple that was collecting Active Directory credentials or hashes

Page 20

Can Spread From Device To Device

Page 21

What is Your Security Strategy?

[Chart: Types of Endpoints against Security Strategy, 2010 to 2020. Endpoints shown: PCs and Servers, Laptops, Tablets, Smartphones, Switches, Printers, VOIP, Point of Sale, Medical Devices, Manufacturing, Access Points, Bluetooth, Security Cameras, Smart TVs, Smart HVAC, Smart Lighting. Security strategies shown: "Security agents, patch management, firewalls, NAC"; "Mobile device management, guest networks, VDI"; "????????".]

Page 22

Traditional Approaches Are Insufficient

• Network Security
• NAC
• Endpoint Agent

Page 23

THE ARMIS SOLUTION
Agentless Security Platform

Page 24

Agentless Security Platform

Discover
• Managed & unmanaged devices
• Wired and wireless
• On and off the network

Analyze
• Risk & threat quantification
• Behavioral analysis
• Anomaly detection

Protect
• Remove suspicious devices
• Manually or per policy
• Inform firewall, SIEM, etc.

NO AGENT / HARDWARE
No agent is required on devices for tracking and control. No hardware required.

FRICTIONLESS
Deploys in minutes. Integrates with existing infrastructure, firewall, and SIEM.

Page 25

How Armis Works

[Diagram labels: ENDPOINTS, INFRASTRUCTURE, SERVICES; Managed Devices, BYOD Devices, IoT Devices, Off-Network Devices; FIREWALL, NAC, SIEM; WLC, Switch, Virtual App; Armis threat analysis engine; Armis device knowledge base.]

1. Discover and classify all devices: on network, off network, corporate, BYOD, IoT, rogue, Bluetooth, etc.
2. Analyze device behavior and compare to baseline for similar device types. Assess risk.
3. Protect by triggering WLC, NAC, switch, or firewall to block risky or attacking devices.

Page 26

Sample – Fortune 1K Company (1K Employees)

Devices found:
• 1,212 Windows Machines
• 578 Servers
• 1,117 Employee Phones
• 370 Tablets
• 213 Guest Phones
• 60 Smart TVs
• 10 Telepresence Systems
• 100 Printers
• 500 VoIP Phones
• 80 Switches
• 110 APs
• 150 Security Cameras
• 10 Gaming Consoles
• 140 Smart Watches
• 5 Digital Assistants
• 25 Smart Thermostats
• 20 HVAC Controllers
• 2 WiFi Pineapples

Findings called out on the slide:
• 205 Unmanaged
• 587 Unmanaged
• 295 Unmanaged
• 5 Previously Unknown
• 78 Open Hot Spots
• 2 Sending Data To Unauthorized IP
• 4 on Guest Network
• 10 Possible Botnet Infections
• 17 Trying to Connect to other Devices
• 21 Unpatched Vulnerabilities
• Connecting to Multiple Corp Devices

Page 27

Device Knowledgebase

6M Unique Device Profiles

• Device Tracking
• Device Type
• Behavior
• Connections
• Reputation
• Version
• Data-at-Rest
• History
