I spent last week at the Gartner Security and Risk Management Summit in National Harbor, MD. This is my favorite conference of the year because I get a chance to hear about a wide variety of security topics and talk with plenty of CISOs and security practitioners.
I was especially interested to hear all the discussion of unmanaged / IoT devices. Here are some highlights.
1. Top Ten Security Projects for 2019
Gartner lists Detection and Response as one of the top ten projects enterprises should be working on in 2019. We all know that EDR products have exploded in popularity during the last few years, with companies like CrowdStrike gaining massive valuation. But—these EDR systems all require agents. How do you implement Detection and Response for unmanaged and IoT devices which can’t accept agents? (Hint: I work for a company that does this.)
2. IoT Devices Have No Built-in Security
Michael Chertoff was one of the guest speakers. For those of you who may not know, he is the former Secretary of the U.S. Department of Homeland Security, serving under President George W. Bush. Now he is co-founder and executive chairman of The Chertoff Group, a security and risk management firm that provides high-level strategic counsel to corporate and government leaders on a broad range of security issues. In short—he knows a ton of stuff, has seen a ton of stuff, and has heard a ton of stuff.
Chertoff blasted the insecurity of IoT devices, pointing out that they have “almost zero security built into them by design” and no provision for updating or patching. Chertoff said that it might be time for the U.S. Federal Government to follow the lead that California has taken by laying down standards for what constitutes a minimum level of security for any network-connected device.
3. Operational Technology (OT) and Healthcare Environments Are Especially at Risk
Multiple Gartner analysts—Ramon Krikken, John Girard, Nader Henein and Ruggero Contu—spoke about attacks on unmanaged and IoT devices that impact operational technology and healthcare environments. Girard gave a dramatic description of how risky an unprotected IoT device can be. His example involved an HVAC system which, Girard said, has been used as a starting point for several cyber attacks in the United States. In Girard’s example, an attacker started with the HVAC system (which is not typically monitored by any security agents), moved to a system controller for an oil pipeline, then adjusted the pressure in the pipeline to cause it to explode—similar to what happened to the Kirkuk-Ceyhan oil pipeline in 2017.
Armis has seen these kinds of attacks, coming in through unmanaged industrial or medical devices. Here are a few examples, none of which were caught by our customers’ traditional security products:
- MRI machine in a hospital, communicating with C&C in Russia
- Human machine interface (HMI) devices infected with WannaCry
- Vulnerable industrial control devices exposed to the Internet
- BlueBorne vulnerabilities at oil and gas facilities
4. Time to Re-think the Endpoint
John Girard is a VP and Distinguished Analyst in Gartner’s Endpoint and Mobile Security Practice. In his presentation, he urged people to broaden their definition of “endpoint” to encompass anything that can be identified, addressed or attacked. Examples of endpoints that Girard mentioned include network switches, routers, load balancers, firewalls, and VoIP apps. Girard went on to predict that by 2025, every powered device in business settings will be network addressable.
That’s an amazing thought. Up to 90% of these devices will be un-agentable.
5. What Enterprises Can Do to Protect Themselves
There was no shortage of advice from Gartner analysts on how enterprises should respond to the “IoT-ification” of nearly everything in their environment.
Ramon Krikken recommended that security managers start with visibility—see what you have, see what it is doing. The old adage “you can’t secure what you can’t see” has never been more applicable.
Multiple Gartner analysts—Jeremy D’Hoinne, Lawrence Orans, John Girard—mentioned the need for behavioral inspection of endpoint devices that can’t accept agents (which is the vast majority of IoT devices). The security approach which Gartner advocates is CARTA (Continuous Adaptive Risk and Trust Assessment). This calls for a balance of protection, detection, and response. Here is how the three functions apply to devices that you can’t install an agent on:
- Protection. This section of Gartner’s CARTA approach is all about proactively trying to stop the attacker from compromising your assets. For devices that you can’t put an agent on, that means:
  - Visibility—knowing what devices you have and how risky each one is
  - Network segmentation—keeping the various kinds of devices as separate from each other as possible
- Detection. This section of Gartner’s CARTA approach means detecting when a device has been compromised. This can be done by monitoring the behavior of every device to make sure that it remains consistent with known-good behavior. Gartner analyst Lawrence Orans pointed out that the IDS and IPS products of yesteryear were based on signatures, whereas modern network traffic analysis products (like Armis) are based on detection of behavior anomalies.
- Response. The entire category of products known as Endpoint Detection and Response (EDR) was born a few years ago to help security analysts understand the extent of each cyber attack and to respond appropriately. But traditional EDR systems all rely on agents. What do you do for unmanaged and IoT endpoints that can’t accept an agent? You need something with similar functionality that works strictly from network-based information, i.e. passively monitoring network traffic and storing all connection attempts for later retrieval. And you need a system that helps you automate responses, e.g. by quarantining malicious endpoints and/or blocking transmissions at the firewall.
Of course, Armis includes all three classes of the functionality listed above.
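To make the detection and response pieces above concrete for an agentless device, here is an added example (not Armis or Gartner code) of behavioral baselining over passively captured flow records: learn what a device normally talks to, flag deviations such as a first connection outside the enterprise, and keep every observed connection for later retrieval. The flow tuples, device names, addresses and the assumption that the enterprise's internal space is the RFC 1918 ranges are all constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the enterprise's own address space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed known-good window: an MRI scanner that only talks DICOM to the
# local PACS server and HTTPS to an on-site vendor update host.
BASELINE_FLOWS = [
    ("2019-06-17T08:00:00", "mri-scanner-01", "10.20.5.10", 104),
    ("2019-06-17T09:00:00", "mri-scanner-01", "10.20.7.2", 443),
]
# Constructed live window with one flow outside the profile (203.0.113.0/24 is
# the documentation range, standing in for an external C&C host).
LIVE_FLOWS = [
    ("2019-06-18T08:01:00", "mri-scanner-01", "10.20.5.10", 104),
    ("2019-06-18T08:02:00", "mri-scanner-01", "203.0.113.45", 443),
    ("2019-06-18T08:03:00", "mri-scanner-01", "10.20.5.10", 104),
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Learn each device's (dst_ip, dst_port) peers and whether it ever goes external."""
    profile = defaultdict(lambda: {"peers": set(), "external": False})
    for _, device, dst_ip, dst_port in flows:
        profile[device]["peers"].add((dst_ip, dst_port))
        if not is_internal(dst_ip):
            profile[device]["external"] = True
    return profile

def detect(profile, flows):
    """Flag flows that deviate from the baseline; keep every flow in `store` for later."""
    store, alerts = [], []
    for ts, device, dst_ip, dst_port in flows:
        store.append((ts, device, dst_ip, dst_port))
        entry = profile.get(device)
        if entry is None:
            alerts.append((ts, device, "unknown device", dst_ip, dst_port))
        elif not is_internal(dst_ip) and not entry["external"]:
            alerts.append((ts, device, "first external connection", dst_ip, dst_port))
        elif (dst_ip, dst_port) not in entry["peers"]:
            alerts.append((ts, device, "new peer/port", dst_ip, dst_port))
    return alerts, store

def connections_for(store, device):
    """Answer the EDR-style 'what did this device talk to?' question from network records."""
    return [rec for rec in store if rec[1] == device]
```

The alert tuple is what a response step would act on (for example, a segmentation or firewall rule keyed on the device and destination), and `connections_for` is the retrieval step an analyst runs during scoping.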