UEBA: The Answer to IoT’s Vulnerability



Cisco and Microsoft have recently invested in the Internet of Things (IoT) – indicating not only that IoT has reached massive scale, but that tech giants are clearly putting their bets behind it. Why? Because IoT is changing the game. Consider the collapse of the I-35 W Mississippi River Bridge in Minnesota that caused multiple fatalities and hundreds of injuries. When rebuilding the bridge, architects could equip smart cement with sensors to monitor for weaknesses that develop in the infrastructure over time. Those sensors could also communicate the presence of ice to sensors in one’s car, alerting drivers when they need to slow down, or, in a smart car, having the car slow down itself. And that’s just a glimpse of what’s possible with IoT. While we’re consistently discussing the potential of IoT and connected “things,” what’s often missing from the story is how to develop security practices that evolve alongside it.

Historically, organizations have relied on perimeter defenses and monitoring solutions at a time when the threats were known. Unfortunately, these tools have fallen short as attackers become more sophisticated and threats are increasingly unknown. This may seem a bit obvious, but it is important to bring up because perimeter defenses and traditional security monitoring solutions have built their success… These are slow-and-grow attacks, occurring in multiple phases over long periods of time that either don’t trigger alarms from traditional defenses or, if they do, activate warnings that by themselves appear harmless.

According to Dataconomy.com, user behavior analytics (UBA) has emerged to help find unknown attacks that are being exploited in the wild. UBA creates baselines for normal user behavior, connects the dots between separate, seemingly harmless events, and compares the normal baseline to the current activity, thereby revealing an attack. However, as IoT continues to grow and the attack landscape evolves, UBA will fail to keep up with the growing number of IoT devices – primarily because exploits of IoT vulnerabilities are generally not linked to a user, but rather to a “thing.” For example, there are many types of network devices (e.g., servers, dropcams, etc.) within an organization that are not associated with any user.

While profiling user behavior is necessary, it alone is not sufficient to satisfy enterprise security needs. To ensure an organization has the comprehensive visibility needed to combat attacks that will inevitably come from vulnerabilities introduced by IoT devices, it’s critical that any behavior analytics solution can establish a baseline not only for users but also for entities (i.e., hosts, IP addresses, applications). Even Gartner’s thinking has evolved: according to Dataconomy.com, the firm went from publishing a Market Guide on User Behavior Analytics in 2014 to publishing a Market Guide on User and Entity Behavior Analytics (UEBA) in 2015.
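To make the difference between a user-keyed and an entity-keyed baseline concrete, here is a small added example (not code from the original post or from any vendor product). It builds a per-entity baseline of daily outbound bytes over a learning window, then scores a new day by how many standard deviations it sits from that baseline. The hosts, user name and traffic volumes are constructed sample data; the headless camera “dropcam-lobby” has no user account behind it, so a user-only baseline never profiles it, while a host-keyed baseline does.

```python
"""Minimal behaviour-analytics baseline keyed on users (UBA) versus entities (UEBA).
All telemetry below is constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: one record per (day, device) with outbound bytes.
# Days 1-7 form the learning window; day 8 is the day under evaluation.
# "dropcam-lobby" is a headless IoT device: it has no user (user=None).
SAMPLE_EVENTS = []
for _day in range(1, 8):
    SAMPLE_EVENTS.append({"day": _day, "user": "alice", "host": "wks-alice",
                          "bytes_out": 20_000 + 500 * _day})
    SAMPLE_EVENTS.append({"day": _day, "user": None, "host": "dropcam-lobby",
                          "bytes_out": 5_000 + 100 * (_day % 3)})
# Day 8: alice looks normal; the camera suddenly ships ~100x its usual traffic.
SAMPLE_EVENTS.append({"day": 8, "user": "alice", "host": "wks-alice", "bytes_out": 24_000})
SAMPLE_EVENTS.append({"day": 8, "user": None, "host": "dropcam-lobby", "bytes_out": 500_000})

LEARNING_DAYS = range(1, 8)


def build_baselines(events, key_field, learning_days):
    """Per-entity (mean, population stdev) of daily bytes_out over the learning window.
    Records whose key_field is None (no user behind the device) cannot be profiled
    under that key and are skipped."""
    series = defaultdict(list)
    for e in events:
        if e["day"] in learning_days and e[key_field] is not None:
            series[e[key_field]].append(e["bytes_out"])
    return {k: (mean(v), pstdev(v)) for k, v in series.items()}


def score_day(events, key_field, baselines, day, z_threshold=3.0):
    """Return (flagged, unbaselined): flagged maps each entity whose activity on
    `day` exceeds its own baseline by more than z_threshold standard deviations
    to its z-score; unbaselined lists hosts that could not be scored at all
    because no baseline exists under this key (the visibility gap)."""
    flagged, unbaselined = {}, set()
    for e in events:
        if e["day"] != day:
            continue
        key = e[key_field]
        if key is None or key not in baselines:
            unbaselined.add(e["host"])
            continue
        mu, sigma = baselines[key]
        sigma = max(sigma, 1.0)  # guard against a perfectly flat baseline
        z = (e["bytes_out"] - mu) / sigma
        if z > z_threshold:
            flagged[key] = round(z, 1)
    return flagged, unbaselined


def user_only_view():
    """UBA: baseline keyed on user. The camera has no user, so its day-8 burst
    is never scored; it shows up only in the unbaselined set."""
    baselines = build_baselines(SAMPLE_EVENTS, "user", LEARNING_DAYS)
    return score_day(SAMPLE_EVENTS, "user", baselines, day=8)


def entity_view():
    """UEBA: baseline keyed on host, so headless devices are profiled too."""
    baselines = build_baselines(SAMPLE_EVENTS, "host", LEARNING_DAYS)
    return score_day(SAMPLE_EVENTS, "host", baselines, day=8)


if __name__ == "__main__":
    print("user-keyed  :", user_only_view())
    print("entity-keyed:", entity_view())
```

With the constructed data, the user-keyed view flags nothing and reports the camera as unbaselined, whereas the host-keyed view flags “dropcam-lobby” with a very large z-score while leaving “wks-alice” (z ≈ 2) below threshold. A production system would key on several entity types at once (user, host, IP, application) and would correlate many such weak signals rather than a single volume metric, which is the “connecting the dots” the post describes.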

As the threat landscape evolves and as organizations adopt more IoT “things” not covered by traditional monitoring and detection solutions, attackers have new methods to penetrate the network. With UEBA, organizations can protect against external threats that make their way inside the perimeter as well as the insider threats that already exist.