According to Matt Walmsley, Head of EMEA Marketing at Vectra AI, “The exponential growth we are seeing in terms of the IoT - whether in the consumer or industrial space - simply means that the available attack surface is growing.
“Design engineers have to ensure that devices are accessible from a network or are capable of connecting to the Internet, and that brings with it a host of security risks,” he warns.
For many manufacturers the IoT, while certainly beneficial, has been a source of disruption and the head-spinning pace of change has proved a challenge. Companies, however, have no choice but to embrace the IoT and as such can’t ignore security.
According to Rusty Carter VP at Arxan, a specialist in application security, “The security challenge is growing. Gaming and digital media, for example, have frequently been targeted by criminals and now those attackers are moving against ‘connected’ things in both the consumer and industrial space.”
Despite the associated risks design engineers, in terms of both hardware and software, tend to be focused on delivering business functionality.
“Their expertise and sense of urgency is about delivering business value. Software and hardware are, by their very nature, going to be imperfect and even the best coded applications can fall victim to reverse engineering, which can lead to additional weaknesses being identified,” says Carter.
The ability to steal or even replace code, means that an application can end up doing something that it was never intended to do.
Walmsley makes the point that the speed of innovation is certainly increasing levels of risk.
“Some companies are putting the onus on the user and while consumers should be made aware of security issues, companies shouldn’t expect the consumer to have to actively engage in security hygiene.
“While consumers should be encouraged to change their passwords, designs should have the ability to automatically update software when problems are found, as well as the ability to roll out patches quickly.”
Carter makes the points that the nature of attacks are changing and becoming far more subtle.
“A number of routes are open to the attacker. The advanced persistent threat will see the hacker make their way into a network, where they will establish a presence on a server and then use it to issue commands and take control. They have already passed through the network’s defences and it’s now just a matter of time as to how much data they are able to take.
“For that to work they will have reconnoitred the network extensively, and it’s tough to identify that type of activity.
“However, while it’s a challenge, security is moving that way. It’s no longer about mitigating a breach and restricting the loss of data. It’s about taking better counter measures.”
The IoT is also benefitting from the growing use of standardised hardware platforms which has helped to cut down the attack surfaces available to hackers.
“The key challenge for providers is to start to see security as a fundamental aspect of their business,” says Carter.
Using AI and ML
Cost remains a challenge and is certainly one of the biggest issues when it comes to the consumer space, where margins can be razor thin.
However, the rate of device testing is going up, as there are more people in the profession, and security testing tools are becoming more refined.
“We’re seeing a diverse response to security with pockets of best practice and codes of conduct being established. That, however, benefits those companies who have bought into security and who are minded to focus on it as an issue,” says Walmsley, who warns against relying on regulation or codes of conduct as an answer for what is a fast moving space.
“It has a limited appeal. In truth, manufacturers need to educate their users and, via the design process, force better levels of security hygiene in order to limit security risks.”
In effect, security professionals need to explain why these things are important but also how to fix them.
Vectra AI applies artificial intelligence (AI) and machine learning (ML) to detect and respond to cyber-attacks, whether in the cloud, data centre or within the enterprise, and is able to do so in real time.
“We are proactively addressing the threat of cyber-attacks and can reduce the level of risk,” suggests Walmsley. ”Security can be resource heavy and we wanted to automate the process and to monitor potential attacker behaviour and respond to threats quickly. The most skilled and motivated attacks are carried out slowly and are conducted over a long period of time.”
The company’s Cognito platform is being used to replace legacy technology and uses sophisticated AI to collect and store network metadata to detect, hunt and investigate both known and unknown threats in real time.
“Our approach is network based and our source of data is the network packets that communicate between devices. These are big data sources that see everything that’s going on.
“Enterprises are operating a vast number of interconnected devices and software that is being used to aggregate and then transmit data and access the Internet. Each is a potential haven for an attacker who can use a breach to move around in and orchestrate ‘command and control’ to steal of change data.
“If you are a security professional the network you have to manage has in many cases quadrupled in size, and while there is limited security enforcement in a corporate environment – end point security to monitor and secure your devices - you rarely have that when it comes to the IoT.”
What Vectra AI does is to look at the network communications between devices and uses algorithms to detect security breaches by spotting anomalies and then preventing them from becoming a security breach.
“Our focus is on identifying attacker behaviours; in terms of response, we integrate with the existing tools that customers have. We monitor and record what we see and provide evidence of anomalous behaviours.
“Our approach involves monitoring a lot of data and the only way that can be managed is through automation.
“An IP camera can be used to extract data from a network but it can also act as a staging post to do other things,” says Walmsley. “What we do is spot indicators pointing to unusual or unexpected forms of activity – it’s not about what it is, but rather what it does.”
That approach represents a big shift in how security is viewed, according to Walmersly who argues that it is now becoming increasingly proactive.
“The Cloud is an extension of the enterprise and we think that by monitoring network traffic we will be able to prevent cyber-attacks, before they even happen. Attackers might be able to delete logs, but they can’t erase their footprints in the network.
“We can use automation to reduce the time it takes to identify attacks from over a 100 days, in some cases, to just a matter of hours. But it still needs human oversight - we are nowhere near the point of a truly autonomous response.”
Education is seen as an important tool when it comes to security.
“We need to understand the fears and concerns of our customers and then educate them as to the threats they are faced with – they simply don’t know. That’s not surprising when we are seeing such rapid innovation,” explains Carter.
“A large scale breach can cost you the trust of your customers, while if an IoT device is hacked it can be used for ‘bad’ i.e. it can become a physical botnet, with all the financial implications that brings with it.”
The IoT industry is evolving rapidly and there are signs of a general push towards better levels of security.
But what is important is that a spotlight is shone on flaws in devices and applications.
The more that is done, the fewer flaws there will be. If designers are made aware of the problem, or if users demand a change, then improvements will come.