Internet Of Things (IoT) Security · World Population Adoption rate of digital infrastructure: ... Threat Centric Detection Content SEU/SRU Sandbox VDB Security Intelligence ... Network-Wide

Page 2

Internet Of Things (IoT) Security: Understanding The Challenges While Mitigating the Risks

Leslie Sin

Systems Engineer

Cisco Systems

Page 3

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

IoT Is Here Now – and Growing!

[Chart: billions of connected devices versus world population along a 2010 / 2015 / 2020 timeline. World population 6.8 / 7.2 / 7.6 billion; connected devices 12.5 / 25 / 50 billion; the inflection point is marked.]

Adoption rate of digital infrastructure: 5X faster than electricity and telephony

50 Billion “Smart Objects”

Page 4

Relation to Internet of Everything (IoE)

IoE: Networked Connection of People, Process, Data, Things

  • People – Connecting people in more relevant, valuable ways
  • Data – Leveraging data into more useful information for decision making
  • Process – Delivering the right information to the right person (or machine) at the right time
  • Things – Physical devices and objects connected to the Internet and each other for intelligent decision making

IoE: Connecting the Unconnected to Generate Business Value

Page 5

IoT Delivers Extraordinary Benefits

Page 6

Smart City: safety, financial, and environmental benefits

  • Reduced congestion
  • Improved emergency services response times
  • Lower fuel usage
  • Increased efficiency
  • Power and cost savings
  • New revenue opportunities
  • Efficient service delivery
  • Increased revenues
  • Enhanced environmental monitoring capabilities

Page 7

The Connected Car: actionable intelligence, enhanced comfort, unprecedented convenience

  • Online entertainment
  • Mapping, dynamic re-routing, safety and security
  • Transform “data” to “actionable intelligence”
  • Enable proactive maintenance
  • Collision avoidance
  • Fuel efficiency
  • Reduced congestion
  • Increased efficiency
  • Safety (hazard avoidance)

Page 8

The Flip Side: Major Security Challenges

Page 9

We’ve Created the Perfect Storm…

  Device Explosion
+ Connectivity Explosion
+ State Cyber Programs
+ Industrialization of Hacking
+ “Hacktivism”
= The Perfect Storm

Page 10

IoT Expands Security Needs

IoT connectivity (diagram labels): Converged, Managed Network; Resilience at Scale; Security; Application Enablement; Distributed Intelligence

Expanded security needs:
  • Increased Attack Surface
  • Threat Diversity
  • Impact and Risk
  • Remediation
  • Protocols
  • Compliance and Regulation

Page 11

Mitigating The Security Risk Across the Extended Network – The 20,000 FT View

Page 12

The Secure IoT Architecture – IT Plus OT!

[Layered architecture diagram; labels as shown on the slide.]

Application and business innovation: Services; Applications; Application Interfaces; Infrastructure Interfaces; New Business Models; Partner Ecosystem; Device and Sensor Innovation; Application Enablement Platform; Application Centric Infrastructure; Data Integration; Big Data Analytics; Control Systems; Application Integration

Security:
  • Network and Perimeter Security
  • Physical Security
  • Device-level Security / Anti-tampering
  • Cloud-based Threat Analysis / Protection
  • End-to-End Data Encryption

Page 13

Cisco Security Model: the Attack Continuum

Covers Network, Endpoint, Mobile, Virtual and Cloud, with both point-in-time and continuous capabilities.

  • BEFORE – Control, Enforce, Harden
  • DURING – Detect, Block, Defend
  • AFTER – Scope, Contain, Remediate

Page 14

Exposure In IoT Networks

[Diagram: IoT device – aggregation – core – data center, with WAN / Internet [VPN] links and a management network; the threat groups below are placed against the segments.]

  • Hack Device (the IoT device): unauthorized device, device tampering, malware infection
  • MITM (on the links): sniff traffic, modify data, impersonation, service disruption
  • Compromise (aggregation, core, data center): unauthorized access, device tampering, service disruption, sniff traffic
  • Compromise (management): unauthorized use, malware infection

Page 15

BEFORE an attack

Page 16

BEFORE an attack – MAB (MAC Authentication Bypass) and 802.1x

[Reference architecture diagram: IoT device – aggregation – core – WAN / Internet [VPN] – data center, with firewall, IPS, advanced malware protection, NetFlow analyzer, policy server (ISE), web security, email security and management.]

Authentication and Authorization
  • Profiling
  • MAC Address/802.1x
  • Who, What, When, Where, How
  • ACL/Cisco SGACL

Page 17

BEFORE an attack – SGT / SGACL

[Same reference architecture diagram as Page 16, with SGT markers on the network devices.]

SGT / SGACL
  • Tags traffic based on device policy
  • Enforces access control based on tag
  • ISE manages policy

Benefit
  • Operational simplicity and speed
  • Dynamic, topology-independent enforcement
  • Single access control policy

SGACL policy matrix (source group in rows, destination group in columns; "deny" is shown as ❌ on the slide):

  SRC \ DST    Camera      Sensor      Contractor  Admin       Data Center   Internet
  Camera       deny        deny        permit tcp  permit all  permit video  deny
  Sensor       deny        deny        permit tcp  permit all  permit udp    deny
  Contractor   permit tcp  permit tcp  deny        deny        deny          permit all
  Admin        permit all  permit all  permit all  permit all  permit all    permit all
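The matrix above is easiest to understand as a small policy engine. What follows is an added example, not Cisco's code and not how ISE or a switch implements SGACLs internally: it models the slide's rule that a verdict depends only on the source and destination security group tags, so the same decision is produced wherever in the topology the two endpoints sit. The endpoint-to-tag assignments, the reading of "permit video" as RTSP/RTP ports, and the sample flows are all constructed assumptions.

```python
"""Added example (not Cisco's or ISE's code): a minimal model of SGT/SGACL
enforcement.  A flow is classified by the security group tag (SGT) of each
endpoint, then looked up in the source-tag x destination-tag matrix from the
slide.  Anything without a matching cell is dropped (default deny)."""

from dataclasses import dataclass

# Constructed tag assignments, standing in for the result of ISE profiling /
# 802.1x.  Note that no IP address or VLAN appears in the policy itself.
ENDPOINT_TAGS = {
    "cam-lobby-01": "Camera",
    "cam-dock-07": "Camera",
    "temp-sensor-3f": "Sensor",
    "contractor-laptop": "Contractor",
    "netops-ws": "Admin",
    "nvr-01": "Data Center",
    "historian": "Data Center",
    "public-web": "Internet",        # constructed: off-net destinations
}

# The SGACL matrix from the slide (rows = source SGT, columns = destination
# SGT).  Cells that are deny on the slide are simply absent here.
SGACL_MATRIX = {
    "Camera": {"Contractor": "permit tcp", "Admin": "permit all",
               "Data Center": "permit video"},
    "Sensor": {"Contractor": "permit tcp", "Admin": "permit all",
               "Data Center": "permit udp"},
    "Contractor": {"Camera": "permit tcp", "Sensor": "permit tcp",
                   "Internet": "permit all"},
    "Admin": {tag: "permit all" for tag in
              ("Camera", "Sensor", "Contractor", "Admin", "Data Center", "Internet")},
}

# Assumption (not from the slide): "permit video" means RTSP control on
# TCP/554 plus RTP media on the UDP range 16384-32767.
VIDEO_PORTS = {("tcp", 554)} | {("udp", p) for p in range(16384, 32768)}


@dataclass(frozen=True)
class Flow:
    src: str      # endpoint identity, as ISE would know it
    dst: str
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int


def rule_allows(rule: str, flow: Flow) -> bool:
    """Evaluate one SGACL cell against a flow's protocol and destination port."""
    if rule == "permit all":
        return True
    if rule == "permit tcp":
        return flow.proto == "tcp"
    if rule == "permit udp":
        return flow.proto == "udp"
    if rule == "permit video":
        return (flow.proto, flow.dport) in VIDEO_PORTS
    return False


def decide(flow: Flow) -> tuple:
    """Return ("permit" | "deny", reason).  Only the two tags are consulted,
    which is what makes the enforcement topology-independent."""
    src_tag = ENDPOINT_TAGS.get(flow.src)
    dst_tag = ENDPOINT_TAGS.get(flow.dst)
    if src_tag is None or dst_tag is None:
        return "deny", "untagged endpoint"          # unknown devices get nothing
    rule = SGACL_MATRIX.get(src_tag, {}).get(dst_tag)
    if rule is None:
        return "deny", f"{src_tag}->{dst_tag}: no SGACL (default deny)"
    if rule_allows(rule, flow):
        return "permit", f"{src_tag}->{dst_tag}: {rule}"
    return "deny", f"{src_tag}->{dst_tag}: {rule} does not cover {flow.proto}/{flow.dport}"


def audit(flows):
    """Apply the matrix to a batch of flows; returns [(flow, verdict, reason)]."""
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    # Constructed flows: a camera streaming to the recorder, the same camera
    # trying SSH to the recorder, camera-to-camera traffic, a sensor reaching
    # for the Internet, and a device ISE has never profiled.
    sample = [
        Flow("cam-lobby-01", "nvr-01", "tcp", 554),
        Flow("cam-lobby-01", "nvr-01", "tcp", 22),
        Flow("cam-lobby-01", "cam-dock-07", "tcp", 80),
        Flow("temp-sensor-3f", "public-web", "tcp", 443),
        Flow("rogue-box", "historian", "tcp", 445),
    ]
    for flow, verdict, reason in audit(sample):
        print(f"{verdict:6} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}  ({reason})")
```

The point to notice is that `decide` never sees an address or a switch port: moving a camera to another building, or re-addressing it, changes nothing in the policy, and a device ISE has not profiled falls through to deny rather than inheriting whatever the subnet allows.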

Page 18

BEFORE an attack – WSA / ESA

[Same reference architecture diagram as Page 16.]

WSA / ESA (web security / email security)
  • Prohibit unauthorized web use
  • Prohibit unauthorized email use
  • Data loss prevention

Benefit
  • Outbound-Inbound Content Control
  • Centralized acceptable web/email usage policy

Page 19

DURING an attack

Page 20

DURING an attack – NetFlow Analyzer

[Same reference architecture diagram as Page 16, with NetFlow (NF) export markers on the network devices.]

NetFlow Analyzer
  • Collect full NetFlow across network
  • Detect behavioral anomalies
  • ISE provides context

Benefit
  • Full threat visibility
  • Detect threats in any part of network
  • Detect access abuse
  • Detect attacks missed by security systems

Page 21

DURING an attack – IPS / AMP

[Same reference architecture diagram as Page 16.]

IPS / AMP
  • Monitor traffic and file threats

Benefit
  • Integrated advanced threat detection
  • Detects advanced attacks and malware

Page 22

DURING an attack – WSA / ESA

[Same reference architecture diagram as Page 16.]

WSA / ESA
  • Reputation-based web threat blocking
  • Reputation-based email threat blocking

Benefit
  • Block advanced web / email threats
  • Intelligence-driven threat detection

Page 23

AFTER an attack

Page 24

AFTER an attack – ACL / Cisco SGACL

[Same reference architecture diagram as Page 16, with SGT markers on the network devices.]

ACL / Cisco SGACL
  • Tag and block suspicious / malicious traffic
  • Redirect traffic to packet capture

Benefit
  • Operational simplicity and speed
  • Surgically manage threats
  • Selectively record communications

Page 25

AFTER an attack – NetFlow Analyzer

[Same reference architecture diagram as Page 16, with NetFlow (NF) export markers on the network devices.]

NF Analyzer
  • Record 90 days of communications activity
  • Scope extent of breach
  • Report policy and compliance

Benefit
  • Full Accountability
  • Map threat trajectory
  • Evidence-based auditing
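The two NetFlow slides (Page 20, during an attack; this one, after) describe the same data used at two moments: first to spot behaviour that departs from a device's norm, later to trace how far a confirmed compromise travelled. The following is an added example, not Cisco's code and not the logic of any particular NetFlow collector: it parses a constructed flow export, enriches alerts with an ISE-style device type, and walks the records forward in time from a patient-zero host to produce the threat trajectory. The addresses, device names, records and the volume threshold are constructed assumptions.

```python
"""Added example (not Cisco's or any NetFlow collector's code): NetFlow
records exported from the core, enriched with ISE-style device context, used
(1) during an attack to flag behavioural anomalies and (2) afterwards to
scope a breach by following the traffic trajectory from a known-compromised
host.  All records, addresses and device names are constructed."""

from collections import defaultdict, deque

# Constructed ISE context: endpoint address -> profiled device type.
ISE_CONTEXT = {
    "10.1.1.11": "Camera", "10.1.1.12": "Camera", "10.1.2.5": "Sensor",
    "10.9.0.10": "Video Recorder", "10.9.0.20": "Historian",
    "10.5.0.77": "Contractor Laptop",
}

# Constructed flow export, one record per line:
# start_ts,src,dst,proto,dst_port,bytes
NETFLOW_EXPORT = """\
100,10.1.1.11,10.9.0.10,tcp,554,900000
200,10.1.1.12,10.9.0.10,tcp,554,880000
300,10.1.2.5,10.9.0.20,udp,5683,1200
400,10.1.1.11,10.9.0.10,tcp,554,910000
500,10.1.2.5,10.9.0.20,udp,5683,1100
600,10.1.1.11,10.9.0.10,tcp,554,905000
700,10.5.0.77,10.1.1.11,tcp,23,3000
800,10.1.1.11,198.51.100.9,tcp,6667,2500
900,10.1.1.11,10.1.1.12,tcp,23,4000
1000,10.1.1.12,198.51.100.9,tcp,6667,2600
1100,10.1.2.5,10.9.0.20,udp,5683,1150
1200,10.1.1.12,10.9.0.10,tcp,554,9500000
"""


def parse_netflow(text):
    """Parse the CSV-style export into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, nbytes = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def build_baseline(flows, until_ts):
    """Learn, per source host, the peers it talks to and its mean bytes per
    flow, using only records that start before until_ts."""
    peers, totals = defaultdict(set), defaultdict(lambda: [0, 0])
    for f in flows:
        if f["ts"] < until_ts:
            peers[f["src"]].add((f["dst"], f["proto"], f["dport"]))
            totals[f["src"]][0] += f["bytes"]
            totals[f["src"]][1] += 1
    return {src: {"peers": peers[src], "mean_bytes": totals[src][0] / totals[src][1]}
            for src in peers}


def detect_anomalies(flows, baseline, from_ts, volume_factor=5):
    """DURING: flag a flow when its source has no baseline, talks to a peer
    never seen in the baseline, or moves far more data than usual.  Each
    alert carries the ISE device type so an analyst sees *what* misbehaved."""
    alerts = []
    for f in flows:
        if f["ts"] < from_ts:
            continue
        dev = ISE_CONTEXT.get(f["src"], "unprofiled")
        base = baseline.get(f["src"])
        key = (f["dst"], f["proto"], f["dport"])
        if base is None:
            alerts.append((f["ts"], f["src"], dev, "no baseline for source"))
        elif key not in base["peers"]:
            alerts.append((f["ts"], f["src"], dev,
                           f"new peer {f['dst']} {f['proto']}/{f['dport']}"))
        elif f["bytes"] > volume_factor * base["mean_bytes"]:
            alerts.append((f["ts"], f["src"], dev,
                           f"volume {f['bytes']} vs mean {base['mean_bytes']:.0f}"))
    return alerts


def scope_breach(flows, patient_zero, t0):
    """AFTER: map the threat trajectory.  Starting from patient_zero at t0,
    any host that received traffic from a compromised host after that host's
    compromise time is treated as potentially reached.  Returns
    host -> earliest contact time; traffic before the compromise is ignored."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)
    reached = {patient_zero: t0}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for f in by_src[host]:
            if f["ts"] < reached[host]:
                continue
            if f["dst"] not in reached or f["ts"] < reached[f["dst"]]:
                reached[f["dst"]] = f["ts"]
                queue.append(f["dst"])
    return reached


if __name__ == "__main__":
    flows = parse_netflow(NETFLOW_EXPORT)
    baseline = build_baseline(flows, until_ts=700)
    for alert in detect_anomalies(flows, baseline, from_ts=700):
        print("ALERT", alert)
    print("reached:", scope_breach(flows, "10.5.0.77", 700))
```

Two things the records show that a signature engine would not: a camera contacting an outside host on an IRC port and then another camera on telnet is a new-peer anomaly regardless of payload, and the breach scope excludes the recorder's normal traffic before the compromise time while still including it once a compromised camera reaches it afterwards. Ninety days of retention, as the slide states, is what makes the second walk possible.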

Page 26

AFTER an attack – IPS / AMP

[Same reference architecture diagram as Page 16.]

IPS / AMP
  • Retrospective analysis of threats
  • Contain infected devices and files
  • ISE provides quarantine

Benefit
  • Fast threat scoping and remediation
  • Trace and eliminate infections with the click of a button

Page 27

Continuous IoT Threat Protection

Page 28

Sophisticated and Continuous Protection

[Diagram: a continuous telemetry stream feeds both point-in-time protection and retrospective security.]

Breadth and control points:
  • File Fingerprint and Metadata
  • File and Network I/O
  • Process Information

Telemetry stream (continuous feed): Web (WWW), Endpoints, Network, Email, Devices, IPS

Point-in-Time Protection – File Reputation & Sandboxing:
  • Dynamic Analysis
  • Machine Learning
  • Fuzzy Finger-printing
  • Advanced Analytics
  • One-to-One Signature

Retrospective Security – Continuous Analysis
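Two items on this slide are worth seeing side by side: a one-to-one signature, which a single changed byte defeats, and a fuzzy fingerprint, which still matches a lightly modified variant; and retrospective security, where a file that looked clean when it was first seen is convicted later and every earlier sighting is surfaced. The following is an added example, not Cisco's or AMP's code. The fuzzy fingerprint is a MinHash sketch over byte 4-grams, an assumption standing in for whatever production engines use; the samples, endpoints and sighting times are constructed.

```python
"""Added example (not Cisco's or AMP's code): point-in-time file verdicts by
one-to-one signature (exact SHA-256) and by fuzzy fingerprint (a MinHash
sketch over byte 4-grams, our stand-in for production fuzzy hashing), plus
retrospective security: when a verdict later flips to malicious, every
earlier sighting of that file is surfaced.  Samples and telemetry are
constructed."""

import hashlib
import random

N_GRAM = 4
SKETCH_SIZE = 64


def sha256_hex(data: bytes) -> str:
    """One-to-one signature: changes completely if a single byte changes."""
    return hashlib.sha256(data).hexdigest()


def _gram_hashes(data: bytes) -> set:
    return {int.from_bytes(hashlib.blake2b(data[i:i + N_GRAM], digest_size=8).digest(), "big")
            for i in range(len(data) - N_GRAM + 1)}


def fuzzy_fingerprint(data: bytes) -> list:
    """MinHash sketch: for each of SKETCH_SIZE salted hash functions keep the
    minimum over the file's 4-gram hashes.  Similar files share most entries."""
    grams = _gram_hashes(data)
    sketch = []
    for salt in range(SKETCH_SIZE):
        salt_bytes = salt.to_bytes(2, "big")
        sketch.append(min(
            int.from_bytes(hashlib.blake2b(g.to_bytes(8, "big"), digest_size=8,
                                           salt=salt_bytes).digest(), "big")
            for g in grams))
    return sketch


def similarity(fp_a: list, fp_b: list) -> float:
    """Estimated Jaccard similarity of the two files' 4-gram sets (0.0 .. 1.0)."""
    return sum(a == b for a, b in zip(fp_a, fp_b)) / len(fp_a)


class FileIntel:
    """Tracks known-bad signatures/fingerprints and every file sighting."""

    def __init__(self, fuzzy_threshold: float = 0.8):
        self.bad_sha = set()
        self.bad_fuzzy = {}          # sha256 -> fingerprint of a known-bad sample
        self.sightings = []          # (ts, endpoint, sha256)
        self.fuzzy_threshold = fuzzy_threshold

    def add_known_bad(self, data: bytes):
        sha = sha256_hex(data)
        self.bad_sha.add(sha)
        self.bad_fuzzy[sha] = fuzzy_fingerprint(data)

    def observe(self, ts: int, endpoint: str, data: bytes) -> str:
        """Point-in-time verdict: exact hit, fuzzy hit, or unknown (recorded)."""
        sha = sha256_hex(data)
        self.sightings.append((ts, endpoint, sha))
        if sha in self.bad_sha:
            return "malicious"
        fp = fuzzy_fingerprint(data)
        if any(similarity(fp, bad) >= self.fuzzy_threshold for bad in self.bad_fuzzy.values()):
            return "suspicious"
        return "unknown"

    def convict(self, sha: str) -> list:
        """Retrospective security: a file first seen as unknown is now known
        bad; return every endpoint that already saw it, with the time."""
        self.bad_sha.add(sha)
        return [(ts, ep) for ts, ep, seen in self.sightings if seen == sha]


def _constructed_blob(seed: int, size: int = 1500) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed samples: a known-bad binary, a variant with two bytes patched
# (defeats the exact signature, not the fuzzy fingerprint), and a clean file.
KNOWN_BAD = _constructed_blob(1)
_variant = bytearray(KNOWN_BAD)
_variant[500] ^= 0xFF
_variant[1200] ^= 0xFF
BAD_VARIANT = bytes(_variant)
CLEAN_FILE = _constructed_blob(2)


def run_scenario():
    """Returns the verdict at each sighting and the retrospective alert list."""
    intel = FileIntel()
    intel.add_known_bad(KNOWN_BAD)
    verdicts = [
        intel.observe(1, "cam-01", CLEAN_FILE),
        intel.observe(2, "cam-02", BAD_VARIANT),
        intel.observe(3, "nvr-01", KNOWN_BAD),
        intel.observe(4, "historian", CLEAN_FILE),
    ]
    # Later the sandbox convicts what looked clean: who already has it?
    retro = intel.convict(sha256_hex(CLEAN_FILE))
    return verdicts, retro


if __name__ == "__main__":
    print(run_scenario())
```

The variant's SHA-256 bears no relation to the original's, so a one-to-one signature misses it, while the sketch still estimates the two files as over 99% similar. The retrospective list is what the "continuous analysis" arrow on the slide means in practice: the sightings are kept so that a later verdict can be applied backwards rather than only to files seen from now on.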

Page 29

Analyse The IoT Threat!

1. Submission – Analyst (portal) or system (API) submits a suspicious sample to Threat Grid.
2. Proprietary Analysis – An automated engine observes, deconstructs, and analyzes it using multiple techniques.
3. Correlation at Unprecedented Scale – The system correlates the sample result with millions of other samples / billions of artifacts.
4. Enriched Content Integration – Actionable intel is generated that can be packaged and integrated into a variety of existing systems.

Page 30

Research – Response – Threat Intelligence

[Diagram: telemetry from Email, Endpoints, Web (WWW), Networks, IPS and Devices feeds the intelligence figures and activities below.]

Intelligence scale:
  • 100 TB of intelligence
  • 1.6M sensors
  • 150 million+ endpoints
  • 35% of email worldwide
  • FireAMP™: 3+ million
  • 13B web requests
  • 180,000+ files per day
  • 1B SBRS queries per day
  • 3.6 PB monthly through CWS

Activities and outputs:
  • Advanced Industry Disclosures
  • Outreach Activities
  • Dynamic Analysis
  • Threat Centric Detection Content (SEU/SRU, Sandbox, VDB)
  • Security Intelligence
  • Email & Web Reputation

Page 31

Bringing It All Together

Page 32

Network-Wide Security with Differential Applications

Security Activity, compared for IT and OT:

Before

  Secure Access
    IT: • Role-based access for individuals and groups • VPN/remote access for most systems throughout the network • Complex passwords with lockout policies
    OT: • Role-based access to few individuals • VPN to few systems and users • Badge readers/integrated sensors • Simplified passwords (except for the most critical systems)

  Security Group Tagging
    IT: • Tags traffic based on device policy • Enforces access control based on tag
    OT: • Enhanced segmentation for required groups only • Dynamic, topology-independent enforcement

During

  Intrusion Prevention/Detection
    IT: IPS – enforces policies
    OT: IDS – sends security alert only

  Threat Mitigation
    IT: Quarantine affected system
    OT: Analysis of the threat to determine appropriate action

  Data Integrity and Confidentiality
    IT: Data Loss Prevention (DLP)
    OT: Combined physical and cybersecurity access controls

  Network-wide Policy Enforcement: Differentiated actions based on value, function, and location of the device

After

  Retrospective Security Policies: Centralised remediation and adaptation

Page 33

Conclusion: Securely Embrace IoT!

New challenges require new thinking!

– avoid operational siloes

– networking and convergence are key

– a sound security solution is integrated throughout

– build for the future

Security must be pervasive

– inside and outside the network

– device- and data-agnostic

– proactive and intelligent

Intelligence, not data

– convergence, plus analytics

– speed is essential for real-time decisions
