Internet Of Things (IoT) Security: Understanding The Challenges While Mitigating the Risks
Leslie Sin
Systems Engineer
Cisco Systems
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
IoT Is Here Now – and Growing!
[Chart: "Billions of Devices" on the vertical axis (0 to 50) against a 2010–2015–2020 timeline, with world population overlaid]
• World population: 6.8 billion (2010), 7.2 billion (2015), 7.6 billion (2020)
• "Smart objects": 12.5 billion (2010), 25 billion (2015), 50 billion (2020)
• Inflection point marked on the timeline
• Adoption rate of digital infrastructure: 5X faster than electricity and telephony
Relation to Internet of Everything (IoE)
IoE: the networked connection of People, Process, Data and Things
• People: connecting people in more relevant, valuable ways
• Process: delivering the right information to the right person (or machine) at the right time
• Data: leveraging data into more useful information for decision making
• Things: physical devices and objects connected to the Internet and each other for intelligent decision making
IoE: Connecting the Unconnected to Generate Business Value
IoT Delivers Extraordinary Benefits
Smart City: safety, financial, and environmental benefits
• Reduced congestion
• Improved emergency services response times
• Lower fuel usage
• Increased efficiency
• Power and cost savings
• New revenue opportunities
• Efficient service delivery
• Increased revenues
• Enhanced environmental monitoring capabilities
The Connected Car: actionable intelligence, enhanced comfort, unprecedented convenience
• Online entertainment
• Mapping, dynamic re-routing, safety and security
• Transform "data" to "actionable intelligence"
• Enable proactive maintenance
• Collision avoidance
• Fuel efficiency
• Reduced congestion
• Increased efficiency
• Safety (hazard avoidance)
The Flip Side: Major Security Challenges
We've Created the Perfect Storm…
Device Explosion + Connectivity Explosion + State Cyber Programs + Industrialization of Hacking + "Hacktivism" = the perfect storm
IoT Expands Security Needs
IoT connectivity brings: a converged, managed network; resilience at scale; security; application enablement; distributed intelligence
Security needs that grow with it:
• Increased Attack Surface
• Threat Diversity
• Impact and Risk
• Remediation
• Protocols
• Compliance and Regulation
Mitigating The Security Risk Across the Extended Network – The 20,000 FT View
The Secure IoT Architecture – IT Plus OT!
[Diagram: layered architecture with security as a cross-cutting layer]
Application and business innovation: New Business Models, Partner Ecosystem, Applications, Services
Application Interfaces: Application Enablement Platform, Data Integration, Application Integration, Big Data Analytics, Control Systems
Infrastructure Interfaces: Application Centric Infrastructure, Device and Sensor Innovation
Security, spanning every layer:
• Network and Perimeter Security
• Physical Security
• Device-level Security / Anti-tampering
• Cloud-based Threat Analysis / Protection
• End-to-End Data Encryption
Cisco Security Model: The Attack Continuum
Applies across Network, Endpoint, Mobile, Virtual and Cloud, combining point-in-time and continuous protection
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Exposure In IoT Networks
[Diagram: IoT device – aggregation – core – data center, plus WAN/Internet [VPN] and management segments, with a threat callout at each point]
• Hack device (at the IoT device): unauthorized device, device tampering, malware infection
• MITM (on the links between segments, including the WAN/Internet path): sniff traffic, modify data, impersonation, service disruption
• Compromise (infrastructure: aggregation, core, data center): unauthorized access, device tampering, service disruption, sniff traffic
• Compromise (management): unauthorized use, malware infection
BEFORE an attack
[Diagram used on the BEFORE / DURING / AFTER slides: IoT device – aggregation – core – data center, plus WAN/Internet [VPN] and management segments; controls shown: firewall, IPS, advanced malware protection, NetFlow analyzer, policy server (ISE), web security (WSA) and email security (ESA)]
MAB – Authentication and Authorization
• Profiling
• MAC Address (MAB) / 802.1x
• Who, What, When, Where, How
• ACL / Cisco SGACL
SGT / SGACL
• Tags traffic based on device policy
• Enforces access control based on tag
• ISE manages policy
Benefit
• Operational simplicity and speed
• Dynamic, topology-independent enforcement
• Single access control policy

Example SGACL policy matrix (rows = source tag, columns = destination tag; a cross on the slide is a deny):
SRC \ DST   | Camera     | Sensor     | Contractor | Admin      | Data Center  | Internet
Camera      | deny       | deny       | permit tcp | permit all | permit video | deny
Sensor      | deny       | deny       | permit tcp | permit all | permit udp   | deny
Contractor  | permit tcp | permit tcp | deny       | deny       | deny         | permit all
Admin       | permit all | permit all | permit all | permit all | permit all   | permit all
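The two BEFORE slides above (MAB/802.1X profiling, then SGT/SGACL enforcement) as one worked example. This is added illustration code, not Cisco's code or an ISE/switch configuration: it profiles an endpoint to a Security Group Tag (802.1X identity group first, otherwise MAB with an OUI lookup) and then evaluates the slide's SGACL matrix by tag alone. The OUI-to-role entries, the identity group names, and the choice to model "permit video" as RTSP/RTP on ports 554 and 5004 are assumptions made for the example.

```python
"""Added example (not Cisco code): profile a device to a Security Group Tag,
then enforce the SGACL matrix from the slide purely by tag.

Assumptions made for the example: OUI-to-role mappings and 802.1X group names
are constructed, "permit video" is modelled as RTSP/RTP (ports 554 and 5004),
and "permit tcp" / "permit udp" allow any port of that protocol."""
from dataclasses import dataclass
from typing import Optional

# Profiling inputs an identity service would hold. 802.1X identity wins over
# MAB (MAC Authentication Bypass), because a MAC address is trivially spoofed.
OUI_TO_TAG = {"00:1A:2B": "Camera", "00:3C:4D": "Sensor"}          # constructed OUIs
DOT1X_GROUP_TO_TAG = {"Contractors": "Contractor", "NetAdmins": "Admin"}

def assign_tag(mac: str, dot1x_group: Optional[str] = None) -> str:
    """Return the SGT for an endpoint; anything unprofiled is 'Unknown'."""
    if dot1x_group in DOT1X_GROUP_TO_TAG:
        return DOT1X_GROUP_TO_TAG[dot1x_group]
    return OUI_TO_TAG.get(mac.upper()[:8], "Unknown")

TAGS = ("Camera", "Sensor", "Contractor", "Admin", "Data Center", "Internet")

# The slide's matrix: SGACL[src][dst] -> rule. Crosses on the slide are "deny".
SGACL = {
    "Camera":     dict(zip(TAGS, ("deny", "deny", "permit tcp", "permit all", "permit video", "deny"))),
    "Sensor":     dict(zip(TAGS, ("deny", "deny", "permit tcp", "permit all", "permit udp", "deny"))),
    "Contractor": dict(zip(TAGS, ("permit tcp", "permit tcp", "deny", "deny", "deny", "permit all"))),
    "Admin":      dict(zip(TAGS, ("permit all",) * 6)),
}
VIDEO_PORTS = {554, 5004}  # assumption: RTSP control + RTP media

@dataclass
class Flow:
    src_tag: str
    dst_tag: str
    proto: str       # "tcp" or "udp"
    dst_port: int

def sgacl_decision(flow: Flow) -> str:
    """Evaluate one matrix cell. Missing rows/cells fall through to deny, so an
    unprofiled device on the access layer can reach nothing."""
    rule = SGACL.get(flow.src_tag, {}).get(flow.dst_tag, "deny")
    if rule == "permit all":
        return "permit"
    if rule in ("permit tcp", "permit udp"):
        return "permit" if flow.proto == rule.split()[1] else "deny"
    if rule == "permit video":
        return "permit" if flow.dst_port in VIDEO_PORTS else "deny"
    return "deny"

def decide(src_mac: str, dst_tag: str, proto: str, dst_port: int,
           dot1x_group: Optional[str] = None) -> str:
    """Profile the source, then enforce by tag. No IP address or VLAN is
    consulted, which is what makes the policy topology-independent."""
    return sgacl_decision(Flow(assign_tag(src_mac, dot1x_group), dst_tag, proto, dst_port))

if __name__ == "__main__":
    print(decide("00:1a:2b:10:20:30", "Data Center", "tcp", 554))   # camera RTSP to DC: permit
    print(decide("00:1a:2b:10:20:30", "Internet", "tcp", 22))        # camera SSH out: deny
    print(decide("aa:bb:cc:00:00:01", "Admin", "tcp", 443))          # unprofiled device: deny
```

The point to take from the example is the default: a device that fails profiling lands on "Unknown", which has no row in the matrix and is therefore denied everywhere. Moving a camera to a different subnet or switch changes nothing, because the lookup never touches an address.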
WSA / ESA
• Prohibit unauthorized web use
• Prohibit unauthorized email use
• Data loss prevention
Benefit
• Outbound-Inbound Content Control
• Centralized acceptable web/email usage policy
DURING an attack
NetFlow Analyzer
• Collect full NetFlow across network
• Detect behavioral anomalies
• ISE provides context
Benefit
• Full threat visibility
• Detect threats in any part of network
• Detect access abuse
• Detect attacks missed by security systems
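What "detect behavioral anomalies, ISE provides context" looks like in practice, as an added example (not Cisco's code and not the NetFlow analyzer product): flow records are checked against a per-role baseline, where the role of each source address is the context an identity service would supply. The addresses, roles, baseline thresholds and the flow records themselves are constructed for the example.

```python
"""Added example (not Cisco code): behavioural anomaly detection over NetFlow
records, using per-endpoint role context in place of what ISE would supply.
Addresses, roles, baselines and the flow records are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Identity context (constructed): which role each source address carries.
ROLE_OF = {"10.10.1.20": "Camera", "10.10.1.21": "Camera", "10.10.2.30": "Sensor"}
INTERNAL = ip_network("10.0.0.0/8")            # anything outside is "internet"
DATA_CENTER = ip_network("10.50.0.0/16")

# Expected behaviour per role. In practice these come from a learning window;
# here they are fixed so the example is deterministic.
BASELINE = {
    "Camera": {"dst_nets": [DATA_CENTER], "protos": {"tcp", "udp"}, "max_bytes": 50_000_000},
    "Sensor": {"dst_nets": [DATA_CENTER], "protos": {"udp"}, "max_bytes": 20_000},
}

# Constructed flow records: src,dst,proto,dst_port,bytes,packets
NETFLOW = """\
10.10.1.20,10.50.3.10,tcp,554,1200000,900
10.10.1.21,10.50.3.10,tcp,554,1100000,870
10.10.2.30,10.50.4.5,udp,5683,900,12
10.10.2.30,10.50.4.5,udp,5683,850,11
10.10.2.30,203.0.113.9,tcp,443,48000,60
10.10.1.20,10.10.1.21,tcp,22,3000,15
10.10.1.21,10.50.3.10,tcp,554,900000000,4000000
10.10.1.99,10.50.3.10,tcp,554,5000,10
"""

def parse_netflow(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port, nbytes, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dst_port": int(port), "bytes": int(nbytes), "packets": int(pkts)})
    return flows

def detect_anomalies(flows):
    """Return (src, reason) pairs for flows that break the source's role baseline.
    A source with no identity context is itself reported: an unprofiled talker on
    an IoT segment is the 'unauthorized device' case from the exposure slide."""
    findings = []
    for f in flows:
        role = ROLE_OF.get(f["src"])
        if role is None:
            findings.append((f["src"], "no identity context for source"))
            continue
        b = BASELINE[role]
        dst = ip_address(f["dst"])
        if not any(dst in net for net in b["dst_nets"]):
            where = "lateral" if dst in INTERNAL else "internet"
            findings.append((f["src"], f"{role} reached unexpected {where} destination {f['dst']}"))
        if f["proto"] not in b["protos"]:
            findings.append((f["src"], f"{role} used unexpected protocol {f['proto']}"))
        if f["bytes"] > b["max_bytes"]:
            findings.append((f["src"], f"{role} sent {f['bytes']} bytes, above baseline"))
    return findings

def summarize(findings):
    """Group findings per source so one noisy device does not hide the others."""
    by_src = defaultdict(list)
    for src, reason in findings:
        by_src[src].append(reason)
    return dict(by_src)

if __name__ == "__main__":
    for src, reasons in summarize(detect_anomalies(parse_netflow(NETFLOW))).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

On the constructed records the sensor is flagged three times for one flow (an outbound TCP/443 connection that is out of place on every axis), one camera is flagged for SSH to a neighbouring camera (lateral movement), the other for an implausible byte count on an otherwise normal stream, and the unprofiled 10.10.1.99 is reported because no context exists for it. Without the role context the first two cameras' RTSP streams and the sensor's CoAP traffic would look alike to a volume-only detector.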
IPS / AMP
• Monitor traffic and file threats
Benefit
• Integrated advanced threat detection
• Detects advanced attacks and malware
WSA / ESA
• Reputation-based web threat blocking
• Reputation-based email threat blocking
Benefit
• Block advanced web / email threats
• Intelligence-driven threat detection
AFTER an attack
ACL / Cisco SGACL
• Tag and block suspicious / malicious traffic
• Redirect traffic to packet capture
Benefit
• Operational simplicity and speed
• Surgically manage threats
• Selectively record communications
NF Analyzer
• Record 90 days of communications activity
• Scope extent of breach
• Report policy and compliance
Benefit
• Full Accountability
• Map threat trajectory
• Evidence-based auditing
IPS / AMP
• Retrospective analysis of threats
• Contain infected devices and files
• ISE provides quarantine
Benefit
• Fast threat scoping and remediation
• Trace and eliminate infections with the click of a button
Continuous IoT Threat Protection
Sophisticated and Continuous Protection
Point-in-Time Protection (File Reputation & Sandboxing):
• One-to-One Signature
• Fuzzy Finger-printing
• Machine Learning
• Advanced Analytics
• Dynamic Analysis
Continuous Analysis / Retrospective Security: a continuous telemetry stream from every control point
Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, IPS
Telemetry collected: File Fingerprint and Metadata, File and Network I/O, Process Information
Analyse The IoT Threat!
1. Submission: an analyst (portal) or system (API) submits a suspicious sample to Threat Grid.
2. Proprietary Analysis: an automated engine observes, deconstructs, and analyzes the sample using multiple techniques.
3. Correlation at Unprecedented Scale: the system correlates the sample result with millions of other samples / billions of artifacts.
4. Enriched Content Integration: actionable intel is generated that can be packaged and integrated into a variety of existing systems.
Threat Intelligence: Research and Response
Intelligence sources (figures as stated on the slide):
• 100 TB of intelligence
• 1.6M sensors
• 150 million+ endpoints
• 35% of email worldwide
• FireAMP™: 3+ million
• 13B web requests
• 180,000+ files per day
• 1B SBRS queries per day
• 3.6PB monthly through CWS
Research and response outputs:
• Advanced Industry Disclosures
• Outreach Activities
• Dynamic Analysis
• Threat Centric Detection Content
• SEU/SRU
• Sandbox
• VDB
• Security Intelligence
• Email & Web Reputation
Control points fed: Email, Endpoints, Web (WWW), Networks, IPS, Devices
Bringing It All Together
Network-Wide Security with Differential Applications
(Security activity, with the IT and OT treatment side by side)

BEFORE
Secure Access
  IT: • Role-based access for individuals and groups • VPN/remote access for most systems throughout the network • Complex passwords with lockout policies
  OT: • Role-based access to few individuals • VPN to few systems and users • Badge readers/integrated sensors • Simplified passwords (except for the most critical systems)
Security Group Tagging
  IT: • Tags traffic based on device policy • Enforces access control based on tag
  OT: • Enhanced segmentation for required groups only • Dynamic, topology-independent enforcement

DURING
Intrusion Prevention/Detection
  IT: IPS – enforces policies
  OT: IDS – sends security alert only
Threat Mitigation
  IT: Quarantine affected system
  OT: Analysis of the threat to determine appropriate action
Data Integrity and Confidentiality
  IT: Data Loss Prevention (DLP)
  OT: Combined physical and cybersecurity access controls
Network-wide Policy Enforcement
  IT and OT: Differentiated actions based on value, function, and location of the device

AFTER
Retrospective Security Policies
  IT and OT: Centralised remediation and adaptation
Conclusion: Securely Embrace IoT!
New challenges require new thinking!
– avoid operational silos
– networking and convergence are key
– a sound security solution is integrated throughout
– build for the future
Security must be pervasive
– inside and outside the network
– device- and data-agnostic
– proactive and intelligent
Intelligence, not data
– convergence, plus analytics
– speed is essential for real-time decisions