The IoT era and the expectation that everything will be connected accelerate the need to move away from point products and toward the concept of a security fabric.

One of the key takeaways I had coming out of RSA 2020 is that security must shift away from the traditional point product approach to a fabric architecture. At the event, I interviewed a CISO who had a strong opinion that “the current approach with security is not working, has not worked and will not ever work,” and I wholeheartedly agree with that.

Despite spending billions on cybersecurity, security teams are falling behind because protecting the organization is an asymmetric challenge. Security professionals need to protect an increasingly large number of entry points while the bad guys just have to find one way in. Every mobile phone, cloud application, branch office and remote employee is an entry point.

The growth of the internet of things (IoT) makes this problem exponentially more difficult. When I talk to organizations about their digital transformation plans, much of it is based on IoT without the term “IoT” being used. I recently got a tour of a new soccer stadium in Tottenham, UK, where everything is connected — fan kiosks, point of sale devices, digital signs and more. Not once did the IT director giving the tour call it IoT; there’s an expectation now that everything will be connected. IoT may sound futuristic, and, indeed, many people see it that way, but it has already arrived. And the influx of IoT devices takes the growth of asymmetry from linear to exponential, placing an urgency on trying to reverse this curve.

Towards best-in-class protection

Traditional security architectures are based on perceived best-of-breed point products located at specific points in the IT environment: network edge, branch office, cloud edge, endpoint, campus edge, wireless, and so on. There are a couple of problems with this approach.
The first is that one might buy a “best of breed” product at a certain moment in time, but no vendor can be best of breed continually. Technology cycles ebb and flow and so does product leadership. The second, and bigger, problem is that this model isolates data and makes analysis of the information, problem resolution and remediation a challenge. Consider endpoint detection and response (EDR). Almost all of these tools are effective at detection, meaning they can see when there is something funky going on with the endpoint. However, most EDR tools are poor at response. Typically, an endpoint is breached because of something further back in the transmission path, such as a network or cloud breach; EDR solutions don’t see this, so they can’t fix it.

A security fabric is different in that it encompasses the end-to-end environment. Think of it as a single security entity composed of disparate components. The data from the entire fabric can be aggregated together and, with the use of artificial intelligence (AI), insights can be gained as to when a breach occurred, where it emanated from, and how to fix it. In the scenario above, endpoint software could find the breach, and the analysis of the data could locate the source, providing immediate response information.

From nice-to-have to must-have

Many breaches today result in threats that are “low and slow,” meaning they hide beneath much of the security infrastructure and slowly make their way around the business gathering information before data exfiltration is executed. Most point products can’t see these threats because they hide in the gaps between them. Analysis of security fabric information can reveal even the smallest of anomalies that could indicate a breach. For example, if an IoT endpoint is breached, malware on it might be used to map out the network.
Most IoT devices access the same services every day, but if one day a device pings the accounting servers, even just for a short time, the fabric will see that, and those servers can be quarantined. This can significantly shorten the time to find a breach.

With IoT, the concept of a fabric moves from a nice-to-have to a must-have, as most IoT devices have no inherent security capabilities or even a robust operating system, so there’s no ability to run endpoint software. Instead, the fabric must monitor traffic, understand the baseline, and then report anything outside of that. The anomaly might not be a sign of trouble, but it’s certainly worth the time to investigate.

What to look for in a security fabric

As companies move forward with IoT, they should plan to adopt a security fabric along with it. Here are some things to look for:

- Broad protection and visibility. The fabric needs to see every network segment, device and appliance, whether virtual, cloud or on-premises. A single vendor likely won’t have all the components, but they should have the three pillars of endpoint, network and cloud and then leverage third-party relationships to add to the fabric.
- Automatically synchronize security resources to enforce policies. I understand the thought of automation scares the pants off many security pros, but the reality is that people can’t work fast enough to keep up with hackers today. Automation minimizes risk and should be considered the security pro’s best friend.
- Coordination of automated responses to threats detected anywhere in the network. Responding to a threat will likely require multiple actions to be taken, and the fabric can orchestrate these to occur simultaneously to avoid leaving gaps.
- A single console to manage all of the security solutions. One of the challenges of best of breed is too many consoles, leading to manual correlation of data. The security fabric vendors need to provide an interface to manage the end-to-end environment at once.

The world is changing quickly.
The cloud, mobility, COVID-19-related work from home, and the IoT are putting new pressures on an old, outdated security model. A CISO from a large bank told me she had this epiphany: One doesn’t need best of breed everywhere to have best-in-class security. In fact, trying to deploy point products often leads to subpar security, as keeping policies and rules up to date across vendors can be a challenge.

It’s time to rethink security and embrace the concept of a fabric and let AI do the things that people can no longer do because of the speed of response and volume of data.
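
The monitor, baseline and report loop described earlier for IoT devices, sketched as an added example that is not part of the original article or any vendor's product: it learns which destinations each device normally reaches and flags the one-day contact with an accounting server. The flow records, device names, addresses and the `min_days` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (day, source device, destination, dest port).
# Device names, addresses and ports are made up for this example.
FLOWS = [
    (1, "kiosk-07", "10.0.5.10", 443), (1, "kiosk-07", "10.0.5.11", 123),
    (2, "kiosk-07", "10.0.5.10", 443), (2, "kiosk-07", "10.0.5.11", 123),
    (3, "kiosk-07", "10.0.5.10", 443), (3, "kiosk-07", "10.0.5.11", 123),
    (2, "kiosk-07", "10.0.9.99", 8080),   # one-off during learning: not baseline
    (1, "sign-12", "10.0.5.20", 443), (2, "sign-12", "10.0.5.20", 443),
    (3, "sign-12", "10.0.5.20", 443),
    (4, "kiosk-07", "10.0.5.10", 443),    # normal
    (4, "kiosk-07", "10.0.8.5", 445),     # accounting server: never seen before
    (4, "sign-12", "10.0.5.20", 443),     # normal
    (4, "cam-03", "10.0.5.10", 443),      # device with no baseline at all
]

def build_baseline(flows, learn_days, min_days=2):
    """Map device -> set of (dst, port) seen on at least min_days learning days."""
    seen = defaultdict(set)               # (device, dst, port) -> days observed
    for day, dev, dst, port in flows:
        if day in learn_days:
            seen[(dev, dst, port)].add(day)
    baseline = defaultdict(set)
    for (dev, dst, port), days in seen.items():
        if len(days) >= min_days:         # ignore one-off contacts while learning
            baseline[dev].add((dst, port))
    return dict(baseline)

def find_anomalies(flows, baseline, learn_days):
    """Return alerts for flows outside the learning window that leave the baseline."""
    alerts = []
    for day, dev, dst, port in flows:
        if day in learn_days:
            continue
        if dev not in baseline:           # device the fabric has never profiled
            alerts.append((day, dev, dst, port, "unknown-device"))
        elif (dst, port) not in baseline[dev]:
            alerts.append((day, dev, dst, port, "new-destination"))
    return alerts

LEARN = {1, 2, 3}
BASELINE = build_baseline(FLOWS, LEARN)
if __name__ == "__main__":
    for alert in find_anomalies(FLOWS, BASELINE, LEARN):
        print(alert)
```

Each alert is a lead to investigate rather than a verdict, which matches the article's point that an anomaly might not be a sign of trouble.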