The Internet of Things is changing the world. Everything is connected, and the amount of data available for consumption is growing exponentially. From a technologist’s view, this is an exciting opportunity. From a network administrator’s perspective, it’s terrifying.
While most people view IoT as an exciting buzzword, the network administrator understands that the connectivity required by true IoT deployments will inevitably expose safety-critical industrial systems, which previously sat behind firewalls, to potentially insecure networks. Not only that, but a huge workload will arise in ensuring that countless machines are secured in the first place. As the cherry on top, the network administrator likely understands that the defense paradigm already in place for network protection will no longer work.
Something needs to change. Network protection systems need to evolve. To understand how this needs to happen, it’s important to look back in time at the history of security – starting long ago before cyber ever existed.
Begin by asking a simple question: how have people historically defended themselves? Prior to 7000 BC, before mass agriculture had fully developed, it was the patriarch who took on the role of defender and was responsible for the well-being of his family. He was tasked with learning how to fight and fend off invaders, regardless of circumstance (think of the movie The Croods) (Sanders & DeMicco, 2013). While it worked to some degree, it was also inefficient because everybody had to devote some of their time to doing it.
As agrarian civilization emerged, people began to live closer together, ending the patriarchal defense system. With that transition, something fantastic occurred (Kagan, Ozment, & Turner, 2010): they built walls. Not just around houses, but around towns and villages. This let specialized “soldiers” defend a perimeter and fight for a village, letting the common people on the inside go about their daily lives without fear. This had a variety of other benefits, but most notably it changed how people would live and defend themselves for the rest of history.
Now, think about how this applies to software, notably software deployed onto the Internet of Things. Think about how you might defend any of those endpoints today. There might be a firewall, but that is a static and slightly outdated technology. To supplement it and provide personalized security, most would probably use an endpoint detection system such as antivirus software, which runs an application on the device 24/7 checking for malware. While it works to some degree at defending a system against threats, history has shown that such a solution is rarely scalable when dealing with a shifting threat landscape.
Notably, there are a few reasons why endpoint protection will not be sufficient for protecting the Internet of Things:
1. Accuracy – Endpoint protection solutions are traditionally built on signature-based detection methods, which 78 percent of security professionals agree (Keane, 2015) are not effective against general attacks. Even in some of the best antivirus accuracy reports, only a very small sample of a few hundred stale malware samples is used to benchmark the products. There are millions of malicious files created every day, and the fact that 27 percent of all malware variants in history were created last year (Korolov, 2016) indicates that the landscape is changing and non-learning solutions won’t be able to keep up with the onslaught of zero-day attacks.
2. CPU Usage – According to a report published by Hobson and Company (Casten, 2009), antivirus software can account for over 15 minutes of downtime per week on endpoint desktops and laptops. This amounts to over $300 of downtime per year per endpoint covered, and that’s on robust systems designed for intense computations. An average IoT node is barely a step up from a Raspberry Pi in compute capability. That 15 minutes of downtime for a laptop could translate into hours of downtime for an IoT controller. To get around that, the antivirus solution would need to be so lightweight that it is no longer capable of adequately detecting threats. Such a solution would be unacceptable in the IoT world, as worms are often designed to propagate between nodes (e.g. Stuxnet). If the affected node were the controller for heavy machinery like a combustion turbine, any resulting downtime would be highly significant for the lives of many.
3. IT Burden – While it has been established that endpoint security is not going to be 100 percent accurate, this lack of accuracy also accounts for lost economic value beyond missed threats. False positives from endpoint solutions cause companies to spend nearly $1.3M and 21,000 hours of wasted time on IT support every year (New Ponemon Report Reveals High Cost of Dealing with 'False Positive' Cyber Security Alerts, 2015). These numbers cannot scale with the Internet of Things: there are not enough IT jobs to support it, and there will be too many operating systems to work across. According to a survey by the SANS Institute, the lack of people and dedicated resources maintaining threat detection systems is the leading contributor to attacks going undiscovered (Shackleford, 2015). As the number of endpoints available for attack increases, the potential for more undiscovered attacks rises, and the IT burden grows.
As history shows, the future of IoT will need a better security solution than just a firewall paired with an endpoint detection system. It will require something that is more accurate, more scalable, and less intrusive.
The solution lies in building a true perimeter detection system capable of evolving as threats change. Endpoint protection, for the time being, may be a necessary evil in some places, but new Artificial Intelligence technologies will make it possible to significantly improve perimeter security with no adverse effects to end users or nodes. These tools can patrol the perimeter of an organization and provide enhanced threat visibility, automated evidence reporting, and rapid incident response, all in a dynamic environment at machine speed.
Building firewalls was a great start, but cognitive perimeter detection tools are capable of taking security to the next level. Not only can they view externally-facing log data (e.g. from firewalls and web servers) and identify threats before they take root and multiply, they can also sit on the outside and look in to find insider threats, malware propagation, and malicious intranet traffic patterns.
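To make the perimeter-side view concrete, here is an added example (not code from the original article or from any product it alludes to) of the simplest form of what such a tool does: it learns from a quiet window of firewall log lines which destinations and ports each internal node normally talks to, then flags any node that suddenly fans out to several destinations it has never contacted before, which is the traffic pattern of the worm-style propagation mentioned earlier. The log format, the cutoff timestamp, the 10.0.1.0/24 addresses and the fan-out threshold of 3 are all constructed assumptions for the example; port 502 (Modbus) and 445 (SMB) are simply well-known ports used to make the sample realistic.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the page). Lines before the
# cutoff form a quiet baseline hour; lines after it are the window to check.
# 10.0.1.6 plays a hypothetical compromised gateway that starts probing four
# hosts it has never talked to, on a port it has never used. A garbage line
# is included to show that malformed input is skipped rather than crashing.
SAMPLE_LOG = """\
2016-03-01T10:00:01 ACCEPT src=10.0.1.5 dst=10.0.1.20 dport=502 proto=tcp
2016-03-01T10:00:02 ACCEPT src=10.0.1.5 dst=10.0.1.21 dport=502 proto=tcp
2016-03-01T10:00:03 ACCEPT src=10.0.1.6 dst=10.0.1.20 dport=502 proto=tcp
2016-03-01T10:00:04 ACCEPT src=10.0.1.7 dst=10.0.1.20 dport=502 proto=tcp
2016-03-01T10:00:05 ACCEPT src=10.0.1.7 dst=10.0.1.21 dport=502 proto=tcp
2016-03-01T11:00:01 ACCEPT src=10.0.1.5 dst=10.0.1.20 dport=502 proto=tcp
2016-03-01T11:00:02 ACCEPT src=10.0.1.7 dst=10.0.1.22 dport=502 proto=tcp
2016-03-01T11:00:03 ACCEPT src=10.0.1.6 dst=10.0.1.30 dport=445 proto=tcp
2016-03-01T11:00:04 DROP src=10.0.1.6 dst=10.0.1.31 dport=445 proto=tcp
2016-03-01T11:00:05 DROP src=10.0.1.6 dst=10.0.1.32 dport=445 proto=tcp
2016-03-01T11:00:06 ACCEPT src=10.0.1.6 dst=10.0.1.33 dport=445 proto=tcp
this line is garbage and should be skipped
"""
BASELINE_CUTOFF = "2016-03-01T11:00:00"  # assumed boundary between windows

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def build_baseline(records):
    """Learn which destination hosts and ports each source normally uses."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for r in records:
        hosts[r["src"]].add(r["dst"])
        ports[r["src"]].add(r["dport"])
    return {"hosts": hosts, "ports": ports}


def detect(records, baseline, fanout_threshold=3):
    """Flag sources that contact more than fanout_threshold destinations absent
    from the baseline. DROP lines count too: a blocked probe is still evidence
    that the source is scanning. Each alert lists the new hosts and any ports
    the source had never used before, to speed up triage."""
    new_hosts = defaultdict(set)
    new_ports = defaultdict(set)
    for r in records:
        src = r["src"]
        if r["dst"] not in baseline["hosts"].get(src, set()):
            new_hosts[src].add(r["dst"])
        if r["dport"] not in baseline["ports"].get(src, set()):
            new_ports[src].add(r["dport"])
    alerts = []
    for src, hosts in new_hosts.items():
        if len(hosts) > fanout_threshold:
            alerts.append({"src": src,
                           "new_hosts": sorted(hosts),
                           "new_ports": sorted(new_ports[src])})
    return sorted(alerts, key=lambda a: a["src"])


def split_windows(log_text, cutoff=BASELINE_CUTOFF):
    """Split parsed records into baseline (before cutoff) and check windows."""
    base, check = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, never crash the detector
        (base if rec["ts"] < cutoff else check).append(rec)
    return base, check


def run_example():
    base, check = split_windows(SAMPLE_LOG)
    return detect(check, build_baseline(base))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note what the detector does not flag: 10.0.1.7 reaches one new host on its usual port, which stays below the fan-out threshold, so a single new conversation does not generate a ticket. That is the trade-off the article's accuracy and IT-burden points are about: the threshold and the learned baseline are what keep the alert volume proportional to the number of nodes rather than to the number of log lines.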
When paired with good data sources, cognitive perimeter detection methods will provide scalable, accurate solutions behind the scenes, effectively securing the borders so that end users and IoT nodes never need to worry.