Why anomaly detection matters

Security measures are vital to defend and protect IoT devices and solutions, writes Pritam Shiravadekar, the product manager for value added services at Wireless Logic. It is natural to focus resource on prioritising breach prevention – everyone wants to avoid breaches – but companies mustn’t neglect detection. If they do, significant damage could be done before a breach has even been discovered. Anomaly detection must form part of a 360-degree approach to IoT security, one that empowers companies to defend, detect and react in the face of cyberthreats.

According to an IBM Security/Ponemon Institute report, it takes an astonishing 212 days on average to detect a data breach. All the time security compromises go undetected, damage could be done. If companies want to protect their revenue, relationships, and reputations, they cannot afford to be on the back foot when it comes to breach detection.

What is anomaly detection?

IoT devices generally sit outside enterprises’ perimeters, in unmanned environments where they can be significantly more vulnerable. Hackers could target them to take control of devices, or use them as entry points into enterprises’ systems to steal data or launch ransomware attacks. They could even use compromised devices as launchpads for attacks on other connected targets. Constant vigilance is required – once a weakness has been exposed, it could be exploited further.

To mitigate the risk, IoT devices must be secured, but they must also be monitored. Anomaly detection identifies activity that wouldn’t be considered normal. That could be more frequent, or higher levels of, data transmission. A temperature sensor, for example, might have something wrong if it suddenly starts sending data every hour instead of the expected twice a day. A device suddenly appearing to communicate from another country could be another indication of possible trouble.

Not all anomalies mean devices have been hacked, necessarily. A SIM may increase or cease communication for very genuine reasons and devices can simply malfunction. Either way, whether the reason is sinister or benign, companies still need to know about anomalies, and quickly. If there has been a breach, they will need to identify and isolate it to minimise any impact.

How does anomaly detection work?

IoT security begins with defence, but it is incomplete without the ability to detect potential problems and take action should they occur.

If companies don’t have visibility into their IoT devices and traffic, they won’t know if they’ve been compromised. The solution is to know what ‘normal’ looks like and then monitor connected devices so anomalies can be identified.

Anomaly detection provides visibility into IoT devices and solutions and flags any activity that needs investigation. The engines are device-agnostic and work with artificial intelligence (AI) programmes to analyse data feeds and score any potential threats.

It begins with profiling IoT network baseline behaviour, setting business rules containing thresholds to instruct the AI programme so it can learn. The programme then monitors device, network traffic and application-level behaviour.

It can flag anything it detects in real-time, so that action can then be taken. That action could be automated or not, again according to the rules. It could include throttling bandwidth to stop a device communicating into the network or isolating the device within a restricted zone. Alternatively, the anomaly could be sent for review to determine probable cause and therefore what action to take.
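The baseline, threshold and action flow described above can be sketched with plain rules. This is an added example, not Wireless Logic's engine, and it uses fixed thresholds rather than an AI model; the device names, baseline values, weights and events are constructed, reusing the article's cases of a twice-a-day sensor reporting hourly and a device appearing in another country.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical per-device baseline: expected reports per day and usual country.
BASELINE = {
    "temp-01": {"reports_per_day": 2, "country": "GB"},
    "meter-07": {"reports_per_day": 24, "country": "GB"},
}
# Hypothetical business rules: rule weights and the action for each score band.
RATE_FACTOR = 3                      # flag daily volume >= 3x the baseline
W_UNKNOWN, W_RATE, W_COUNTRY = 1, 2, 3
ACTIONS = [(3, "isolate"), (2, "throttle"), (1, "review")]  # (min score, action)

# Constructed sample events: (device_id, ISO timestamp, country code).
EVENTS = (
    [("temp-01", f"2024-04-01T{h:02d}:00:00", "GB") for h in (6, 18)]       # as expected
    + [("temp-01", f"2024-04-02T{h:02d}:00:00", "GB") for h in range(24)]   # now hourly
    + [("meter-07", f"2024-04-02T{h:02d}:30:00", "GB") for h in range(24)]  # as expected
    + [("meter-07", "2024-04-03T00:30:00", "FR")]                           # new country
    + [("cam-99", "2024-04-03T01:00:00", "GB")]                             # never profiled
)

def detect(events, baseline=BASELINE):
    """Return {(device, date): (score, reasons, action)} for anomalous device-days."""
    counts, countries = defaultdict(int), defaultdict(set)
    for device, ts, country in events:
        key = (device, datetime.fromisoformat(ts).date().isoformat())
        counts[key] += 1
        countries[key].add(country)
    findings = {}
    for key in sorted(counts):
        profile, hits = baseline.get(key[0]), []   # hits: (weight, reason)
        if profile is None:
            hits.append((W_UNKNOWN, "no baseline for device"))
        else:
            expected = profile["reports_per_day"]
            if counts[key] >= RATE_FACTOR * expected:
                hits.append((W_RATE, f"{counts[key]} reports, {expected} expected"))
            for c in sorted(countries[key] - {profile["country"]}):
                hits.append((W_COUNTRY, f"traffic from {c}"))
        score = sum(w for w, _ in hits)
        action = next((a for floor, a in ACTIONS if score >= floor), None)
        if action:
            findings[key] = (score, [r for _, r in hits], action)
    return findings

if __name__ == "__main__":
    for key, finding in detect(EVENTS).items():
        print(key, finding)
```

A device that stops reporting produces no events at all, so silence needs a separate check of each baselined device against the days it was expected to report.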

The AI engine can also analyse anomalies to identify types of attack. These could be distributed denial-of-service (DDoS), man-in-the-middle (MiTM) attacks, or device takeovers.

How to incorporate anomaly detection into IoT security

Too often, IoT security is thought about after solutions have been deployed. It is imperative to think about security, and anomaly detection, at the product or solution design phase. The best outcomes result from preparation, to prevent attacks ideally of course, but also to detect and react to them should they occur.

Fortunately, anomaly detection is service based, so it is fully scalable according to the size and scope of an IoT project’s initial deployment and growth over time. It can work for a single device or fleet, system wide. By working with automation, anomaly detection helps companies cost-manage and react in a timely way because they are not constrained by over-dependence on labour-hungry manual tasks.

It is important to stress again that anomaly detection is only one part of the security puzzle. It must form part of a 360-degree security model, made up of technology capabilities, standards and best practice that work together to defend, detect and react to cyber threats.

The IoT security threat landscape evolves constantly so all companies, even those who have already adopted best practices, must maintain both defensive and active measures to mitigate risks across their IoT device fleets, communications networks, data and application layers.

There are many threats to counteract including ransomware, malware, device spoofing and MiTM attacks. Companies must protect themselves against the safety, operational, financial and reputational damage that can arise from security breaches.

For these reasons, IoT security must leave nothing to chance. Companies must manage their IoT solutions’ attack surfaces to prevent unauthorised access to data, systems or devices and protect them from compromise. In this, defence is only part of the complete security picture. Detection is a second layer, whereby devices and network behaviour are monitored to spot anything out of the ordinary.

After detection comes the capability to react, which includes quarantining and cleaning affected devices, reporting breaches and anomalies and applying corrective actions across systems. All aspects of defence, detection and reaction must be planned, understood, practised and maintained for companies to be fully equipped to face the risks that threaten their IoT solutions.
