IT security has utilized the concept of Defense in Depth for decades, but IoT security seems to be ignoring it. Why?

The concept of Defense in Depth

Defense in depth is an established concept in cybersecurity. The idea is to manage risk with diverse defensive strategies so that if one layer of Defense turns out to be inadequate, another layer will hopefully prevent a full breach (as per the US- CERT definition). The underlying assumption of layered Security is that relying on a single defensive measure is too risky, because it may be too easy for hackers to bypass.

Actual application of this methodology may vary, but it generally utilizes at least three layers of security: perimeter, network, and endpoint. Perimeter security includes things like the firewall, gateway and intrusion prevention system(IPS). Internal networking security includes intrusion detection systems (IDS) and network traffic analysis.  Finally, endpoint measures generally include antivirus solutions and endpoint detection and response (EDR).

Defense in depth has inherent complications, including the need to integrate, maintain, and operate multiple solutions. However, since there is no single solution that will provide sufficient security for an entire organization (and never will be), it will remain the leading methodology for ensuring security. Moreover, it seems that as organizations are exposed to new and additional threats, new layers of defense will be added to the basic security model.

Meanwhile In IoT town…

It seems that somehow, in Iot Security, the concept of defense in depth has not yet taken hold. To date, it seems that most IoT deployments are content with very basic security measures, mainly encryption and authentication.

Authentication means that prior to communicating with the network, IoT devices must be verified to prevent unauthorized devices from gaining access.

Encryption ensures that only trusted parties can view the data, whether it is stored on the device or database level or travelling outside the device into a commercial cloud environment.

However, neither encryption nor authentication can secure IoT devices from getting hacked or hijacked. Even though these basic security measures are required, relying solely on them will leave IoT service providers without visibility into what’s happening at the device level. Devices could be infected, recruited to botnets or abused by insiders without any alert being triggered. Furthermore, once the device is authenticated, the device becomes trusted by the IoT service provider and can spread the infection with greater ease.

Applying defense in depth to IoT security solutions

Securing IoT deployments using defense in depth is not a simple “cut and paste” of the way it’s implemented in IT security. The concept of perimeter does not apply for most IoT deployments, where devices are installed in the field and communicate directly to the cloud. Even when they are placed behind a gateway, installing a standard firewall is simply not economical (as there could be a need for thousands of them)

Similarly, network traffic analysis will not reveal much that is happening on the device level, and endpoint security solutions are simply non-existent for IoT devices. It’s also not likely that traditional IT security systems such as AV could be reconfigured for IoT devices, because there is not enough computing power to support these sophisticated software applications.

What could be done? we believe that defense in depth could be applied to IoT security by deploying some monitoring agent on the IoT devices themselves, and achieving visibility into the network traffic by analyzing the metadata stored in the cloud level.

An additional level of big-data analytics should be applied to identify network-wide trends and abnormal behavior, as to identify more sophisticated attacks (like insiders or credential abuse, both of which occur with actually “hacking” the devices or the network.

The fusion between the agents collecting data on the device level and the big data analytics, in conjunction with IoT-devices risk models, can provide similar levels of security that multi-layered defense solution offers for conventional IT environments.

Conclusion

Defense in depth is a proven concept, that should be adopted for IoT security, with the proper technological and methodological adjustments. Doing so will ensure greater level of security than simply relying on basic security means, that can be easily bypassed, endangering the entire IoT deployment.

Contact us to learn more about our managed IoT security services– [email protected].