IoT Makes Entity-Centric Behavioral Analytics a Must-Have for Cybersecurity

28 Jun


in Blog, Perspectives

by Nikfar Khaleeli

The Internet of Things (IoT) is a hot topic, with Cisco spending $1.4B on an IoT acquisition earlier this year. The buzz around IoT is understandable because it will be game changing. Consider the collapse of the I-35 W Mississippi River Bridge in Minnesota where 13 people died and 145 were injured. When rebuilding the bridge, IoT could have made things dramatically different by equipping smart cement with sensors to monitor any weaknesses that develop. Those sensors could also wirelessly communicate the presence of ice to sensors in your car, alerting you to slow down, or if you were driving a “smart” car, have the car slow itself down. And that’s just a very limited view into what becomes possible with IoT.

However, great caution must be exercised as we tap into the tremendous potential of these connected devices. I've read a number of IoT-related articles discussing the pitfalls of this interconnectedness when cybersecurity requirements are not adequately taken into consideration:

  • For example, a tiny consumer webcam that did not have security measures in place was easily hacked to become a persistent backdoor into the enterprise. This provided criminals with the ability to control remote attacks and siphon out corporate data without having to first infect a server or a laptop, which is typically more protected.
  • Then there is Shodan, a search engine for internet-connected devices, which has a section that shows what’s being displayed by vulnerable webcams – i.e., those that use RTSP to share video over port 554 but have no password protection in place. Shodan crawls the Internet, looking for IP addresses with open ports. This allows random people to watch a cat snoozing in front of a TV, which is probably not alarming; but what about a webcam that publicly shows your child sleeping? And what if thieves used a webcam to gauge activity within a house as they decide whether or not to rob it?
  • And let’s not forget about the November 2015 discovery of police body cams that came pre-installed with the Conficker worm. Conficker, which made headlines in 2008, exploited a Windows vulnerability to replicate itself from machine to machine and enslaved 15 million Windows machines. So when the infected police body cams were connected to PCs to download the stored pictures, Conficker tried to infect those machines and spread to others.

Most consumers don’t understand the severity of cyber privacy and security threats – hence passwords like 123456, password, etc., and webcams without authentication enforced. Many vendors don’t want to invest in security for these devices because it costs them money and reduces margins. Unfortunately, that’s not good for enterprise security departments. The pervasiveness of IoT means that these insecure devices will find a foothold within the enterprise and can become a vulnerability that sophisticated cybercriminals will exploit.

Unlike consumers, enterprises have many layers of cybersecurity to help. But if the security teams aren’t actively looking for something, there is a very good chance they won’t discover it. I bring this up because signatures and rules, the foundation on which perimeter defenses and traditional security monitoring solutions have built their success, are very effective when threats are known. However, when threats are unknown, what’s an organization to do? There are no signatures or rules to unearth advanced attacks, which are being regularly employed by sophisticated attackers. These are slow-and-grow attacks, occurring in multiple phases over long periods of time, that either don’t trigger alarms in the traditional defenses, or if they do, activate warnings that by themselves appear innocuous.

User and entity behavior analytics (UEBA) for security emerged to find these unknown attacks. UEBA creates baselines for normal user behavior, connects the dots between these separately harmless events, and by comparing to the “normal” baseline, reveals the attack. For example, a UEBA solution would raise an alert because user Bob logged into the finance server from Santa Clara (his home base) at 9 a.m., but then also logged in from China at 10 a.m. the same day. Given the focus on the “user,” this initial approach wouldn’t catch attacks happening via exploits of IoT vulnerabilities because IoT devices are not usually tied to a user.

What’s really needed are behavioral analytics that can keep up with IoT devices, performing host-based analysis on them to spot deviations from their normal behavior. The next logical evolution is for behavioral analytics to also perform IP-based analysis and then application-based analysis. Consider that Gartner went from publishing a Market Guide on User Behavior Analytics in 2014 to publishing a Market Guide on User and Entity Behavior Analytics in 2015. Avivah Litan, who authored the report, outlines the reason for this change:

“The letter “e” in the term UEBA recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior.”

Said differently, profiling user behavior is necessary, but alone it is not sufficient to satisfy enterprise security needs. To ensure that your organization has the comprehensive visibility needed to combat attacks through the vulnerabilities that IoT devices inevitably introduce, it’s critical that any behavior analytics solution can establish a baseline not only for users, but also for entities (i.e., hosts, IP addresses, applications).
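Both the user-centric check from the Bob example above and the entity-centric baselining this post argues for can be sketched in working code. The following is an added example, not code from the article or from any UEBA product; the log format, the entity names, the IP addresses (documentation ranges), the thresholds and the coordinates used for Bob's logins are all constructed for illustration. The entity side builds a per-host baseline of destinations, ports and flow volume from a baseline window, then lists every way a new event deviates from it, so that a camera with no user behind it still produces an alert when several weak signals coincide.

```python
"""Entity-centric behavioral baselining over constructed connection logs.
Added example, not the article's or any vendor's code; log format, names,
addresses, thresholds and Bob's coordinates are assumed for illustration."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed baseline window. Fields: timestamp entity dst_ip dst_port bytes_out
BASELINE_LOG = """\
2016-06-01T09:00:00 cam-lobby 10.0.5.10 554 20480
2016-06-01T09:05:00 cam-lobby 10.0.5.10 554 20992
2016-06-01T09:10:00 cam-lobby 10.0.5.10 554 21504
2016-06-01T09:00:00 ws-bob 10.0.8.20 445 4096
2016-06-01T09:30:00 ws-bob 10.0.8.21 443 8192
2016-06-01T10:00:00 ws-bob 10.0.8.20 445 5120
"""

# Constructed observation window: the lobby camera (an entity with no user
# behind it) suddenly talks to an outside host on a new port at 02:13 and
# sends far more data than it ever did while streaming video on port 554.
NEW_LOG = """\
2016-06-02T09:00:00 cam-lobby 10.0.5.10 554 20480
2016-06-02T02:13:00 cam-lobby 203.0.113.7 8888 1048576
2016-06-02T09:15:00 ws-bob 10.0.8.21 443 7680
"""

# Constructed logins for the article's Bob example: (time, place, (lat, lon)).
BOB_LOGINS = [
    (datetime(2016, 6, 2, 9, 0), "Santa Clara", (37.35, -121.95)),
    (datetime(2016, 6, 2, 10, 0), "Shanghai", (31.23, 121.47)),
]

def parse(log):
    """Turn the whitespace-separated log into dicts with typed fields."""
    rows = []
    for line in log.splitlines():
        ts, entity, dst_ip, port, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "entity": entity,
                     "dst_ip": dst_ip, "port": int(port), "bytes": int(nbytes)})
    return rows

def build_baseline(rows):
    """Per entity: the destinations and ports it used and its mean bytes per flow."""
    base = defaultdict(lambda: {"dst_ips": set(), "ports": set(), "bytes": []})
    for r in rows:
        b = base[r["entity"]]
        b["dst_ips"].add(r["dst_ip"])
        b["ports"].add(r["port"])
        b["bytes"].append(r["bytes"])
    for b in base.values():
        b["mean_bytes"] = sum(b["bytes"]) / len(b["bytes"])
    return base

def score_event(baseline, r, volume_factor=5.0):
    """List every way one event deviates from its entity's baseline."""
    b = baseline.get(r["entity"])
    if b is None:
        return ["entity never seen in baseline"]
    reasons = []
    if r["dst_ip"] not in b["dst_ips"]:
        reasons.append(f"new destination {r['dst_ip']}")
    if r["port"] not in b["ports"]:
        reasons.append(f"new port {r['port']}")
    if r["bytes"] > volume_factor * b["mean_bytes"]:
        reasons.append(f"volume {r['bytes']} > {volume_factor}x mean")
    return reasons

def detect(baseline_log, new_log):
    """Map each anomalous (entity, timestamp) pair to the reasons it was flagged.
    Several individually weak signals on one entity are what make the alert."""
    baseline = build_baseline(parse(baseline_log))
    alerts = {}
    for r in parse(new_log):
        reasons = score_event(baseline, r)
        if reasons:
            alerts[(r["entity"], r["ts"].isoformat())] = reasons
    return alerts

def impossible_travel(logins, max_speed_kmh=1000.0):
    """User-centric check: consecutive logins whose great-circle distance over
    the time gap exceeds a plausible travel speed are flagged as a pair."""
    def km(a, b):  # haversine distance between two (lat, lon) points
        la1, lo1, la2, lo2 = map(radians, (*a, *b))
        h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
        return 2 * 6371 * asin(sqrt(h))
    flagged = []
    for (t1, n1, p1), (t2, n2, p2) in zip(logins, logins[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        if hours > 0 and km(p1, p2) / hours > max_speed_kmh:
            flagged.append((n1, n2))
    return flagged

if __name__ == "__main__":
    for key, why in detect(BASELINE_LOG, NEW_LOG).items():
        print(key, "->", "; ".join(why))
    print(impossible_travel(BOB_LOGINS))
```

Run as-is, the entity detector flags only the camera's 02:13 flow, and for three reasons at once (new destination, new port, volume far above its mean), while Bob's workstation stays quiet because everything it does is inside its own baseline; the user check flags the Santa Clara to Shanghai pair from the article. The point of scoring per entity is that a camera, a printer or a body cam gets the same treatment as a user account, with no user identity required.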
