Cloud computing has caused headaches for businesses across the globe. But just as we begin to understand the complex nature of this paradigm, it has become the mothership to billions of Internet of Things (IoT) devices.
IoT has exploded into our working and home lives to the tune of 27 billion active connected devices, and consumers and businesses are closing in on $1 trillion in spend.
Within the enterprise, where use cases abound, from cameras to sensors to medical devices, the impact of IoT is as massive as the internet itself. Most IoT devices – often with little built-in security – are connected, either by co-workers or contractors, to the same network as traditional business-critical systems, creating new attack vectors for cybercriminals.
How the IoT connects to the SOC
IoT has added a layer of complexity to the work of the security operations center (SOC) team. Already challenged by the ever-changing cybersecurity landscape, SOC staff now has to understand the subtleties of cyberattacks that play on the hyperconnectivity afforded by the use of enterprise IoT.
Some data will give you an idea of the expansive nature of IoT:
- Use of IoT devices means that global IP traffic will increase three-fold from 2017 to 2022.
- By 2022, machine-to-machine (M2M) connections that support IoT applications will comprise more than half of the world’s connected devices.
- IoT will drive growth in connected devices through 2022.
If the internet and cloud computing broke the enterprise perimeter, IoT creates a universe of micro perimeters, each opening up a gap that cybercriminals can take advantage of. Where does this leave the SOC? Here are some things security operations professionals should ensure they are doing given the rapid rise of IoT.
Obtain Clear Visibility into Your IT Infrastructure
Visibility of all endpoints connecting to your network is important, as they serve as a common starting point for malicious hackers. But it’s even more critical when those endpoints are IoT devices that may not be approved for connection, unpatched or improperly configured. This becomes an even bigger problem when you consider that roughly half of enterprises cannot tell if their IoT devices have been breached.
If don’t have a good handle on your inventory of assets, you cannot ensure the right protection is applied in the right part of this extended network. A study by the Ponemon Institute showed 65% of respondents lack visibility into the wider IT infrastructure. The same study found that the main reason for the SOC being ineffective is a lack of visibility into network traffic.
Understand Your Biggest Threat Use Cases
When cyberattack data and alert output is presented to your SOC analysts, they can be difficult to decipher. A recent study, which examined the challenges of the modern SOC, found that 27% and 24% of respondents, respectively, said that alert fatigue and false positives served as their largest sources of pain. One of the ways this can be resolved is by reviewing case histories and studying issues that arise most frequently. For example, does a particular type of IoT vulnerability or IoT threat arise over and over again? Allocate resources to addressing it quickly and look for ways to automate management, such as grouping by threat instead of working individual alerts, said problems going forward.
Automation Can Be Your Best Friend
You already know that the security industry is operating with a massive talent gap – limiting, among other things, the ability to not only manage your fleet of connected devices but for security operations centers to operate with enough analysts who are trained at detecting the types of anomalous traffic that IoT may bring. But even if your SOC was filled to the rafters with qualified analysts, the sheer number of connected devices invading most companies alone calls for the need for automation.
Security orchestration, automation and response (SOAR) technology can help compensate for some of the workload that IoT necessitates because it brings together disparate detection technologies – including endpoint detection and response (EDR), which has become central tool for IoT threat management – and automates workflows to create the order needed for analysts to make quick work of triage, investigation and response.
Other Things to Consider
Keep an Eye on Compliance
Responsibility to audit systems to meet compliance requirements, including the recently enacted General Data Protection Regulation (GDPR), often falls on the SOC. Regulations such as GDPR has added new provisions for enterprise data protection, and IoT brings fresh things to consider.
In Zero We Trust
The Zero Trust security model was first proposed by the analyst firm Forester. It is based on the premise of “always verify, never trust.” In the updated version, released in 2018, the Zero Trust eXtended Ecosystem places data as a central point from which security decisions are made. There is much work involved in using the model, but the expansion of the enterprise network and complications of moving data across IoT and the cloud means that this is a useful way to approach security.
Authentication is a key principle of Zero Trust. OWASP provides a Top 10 list of IoT weaknesses, and authentication tops the list. Using a zero-trust detect-and-response approach is increasingly being used within the SOC to plug the gaps IoT creates.
With the right structure and technology in place, your SOC team can help empower the organization to embrace the connected device revolution, while keeping its systems, applications, data and users protected.