Forget the perimeters; for security, examine device behavior – Stacey on IoT
Not a week goes by without some sort of IoT vulnerability or breach occurring. A growing number and variety of devices, along with the rise of much more sophisticated attackers, have led large IT companies to invest in their own security capabilities as our government issues executive orders trying to force companies to invest in better security.
The current version of better security requires layers. And after a conversation with Kate Scarcella, chief cybersecurity architect at Micro Focus, I’m confident that device behavior monitoring will be one of those layers. Just as law enforcement officials trying to assess threats look for suspicious behavior in people, Scarcella believes devices can deliver a set of “tells” after they’ve been compromised.
All we need is software that can detect the one strange device out of thousands.
This is not a new idea, even for the IoT. I remember having a similar discussion with the engineers at Google when discussing the Weave protocol for the smart home. Weave really hasn’t gone anywhere (now we’re focusing on Matter), but Scarcella’s version is designed for enterprise and industrial deployments.
Put simply, if a security camera turns off in the middle of the night when it normally stays on, or if a multimode sensor starts trying to check light levels when historically it has only collected temperature data, it could indicate an intruder or malware on the network or device. Currently, several companies are evaluating the behavior of devices on a network, checking whether, for example, a camera is trying to contact an industrial controller or a TV in a conference room is trying to call a server in China. But evaluating a device’s behavior is not usually limited to its behavior on the network.
Other behaviors can include whether a device is on or off, the time of day or week it is running, the processes it is trying to run – even command-line behavior on Linux machines. And yes, good software will also measure connections within the network.
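The per-device baselining described above can be sketched as follows. This is an added example, not code from Micro Focus, Interset or Karamba; the device names, behavior labels and severity levels are assumptions chosen for illustration, and the history is constructed.

```python
from collections import Counter, defaultdict

def build_baseline(history):
    """Count how often each device showed a behavior, overall and per hour."""
    seen = defaultdict(Counter)
    for device, hour, behavior in history:
        seen[device][("any", behavior)] += 1
        seen[device][(hour, behavior)] += 1
    return seen

def score(baseline, device, hour, behavior):
    """Compare one new observation with that device's own history."""
    counts = baseline.get(device)
    if counts is None:
        return "high", "device has no baseline"
    if counts[("any", behavior)] == 0:
        return "high", "behavior never seen on this device"
    if counts[(hour, behavior)] == 0:
        return "medium", "known behavior at an unusual hour"
    return "none", "matches baseline"

def review_queue(baseline, observations):
    """Return only the deviations, most severe first, for a human to review."""
    rank = {"high": 0, "medium": 1}
    flagged = []
    for device, hour, behavior in observations:
        severity, reason = score(baseline, device, hour, behavior)
        if severity != "none":
            flagged.append((severity, device, hour, behavior, reason))
    return sorted(flagged, key=lambda item: rank[item[0]])

# Constructed history (not real telemetry): a camera that is always on and
# only powers off for midday maintenance, and a temperature-only sensor.
HISTORY = (
    [("camera-01", h, "power:on") for h in range(24)]
    + [("camera-01", h, "connect:recorder") for h in range(24)]
    + [("camera-01", 12, "power:off")]
    + [("sensor-07", h, "read:temperature") for h in range(24)]
)
# Constructed new observations to score against that baseline.
NEW = [
    ("sensor-07", 3, "read:temperature"),
    ("camera-01", 2, "power:off"),
    ("sensor-07", 14, "read:light"),
    ("camera-01", 9, "connect:controller"),
]

if __name__ == "__main__":
    for row in review_queue(build_baseline(HISTORY), NEW):
        print(row)
```

The normal temperature reading produces no alert, while the night-time power-off, the first-ever light reading and the camera's connection to a controller all land in the review queue.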
Of course, analyzing all of these variables on thousands of devices is difficult, which is why Micro Focus turned to the machine learning experts at Interset, which it bought in 2019. (You knew that machine learning would be involved, didn’t you?) Honestly, most of the calculations the Interset folks use are common to statistics, but they crunch a lot of numbers for their anomaly detection algorithms.
When oddities are detected, Interset pushes these “weird behaviors” to a dashboard for a human to review. Interset doesn’t just detect anomalies on IoT devices for security purposes; Micro Focus simply gathers the safety statistics, then signs agreements with other companies to disseminate these analytics in the embedded world.
Micro Focus sells data analytics to Karamba Security, an Israeli IoT security startup that I profiled last year. Karamba actually puts its own software on the embedded devices and then uses the analytics to track the behavior of that device for customers.
As someone who tries to keep up with all the potential weak spots and new technologies aimed at securing IoT, I think examining this element of device behavior could help businesses with tons of embedded devices. Especially if those devices are already in the field, where it may not be possible to update them with software agents from security providers, but also if the devices are just too constrained to handle security software.