Visibility and Anomaly Detection in the Age of IoT
November 2019 by Craig Sanderson, Senior Director of Security Products at Infoblox
Historically, organizations have struggled to gain visibility of which users, devices and applications are accessing their network infrastructure. If the maxim “you can’t protect what you can’t see” holds true, then the Internet of Things (IoT) business transition, which will result in billions of devices connecting to IP networks, is a nightmare in waiting. Identification and classification of IoT devices is particularly problematic because the range of new device types using the IP network is going to explode, making it harder for IT security teams to manage and control the policies that protect these new devices, and the existing IP-connected services, from each other.
Beyond controlling access and setting policy, IoT also presents a sizable headache when it comes to detecting breaches and enabling effective response. The plethora of protocols that IoT devices will use, spanning a broad range of vertical industries from healthcare to retail, will make it hard for traditional security platforms to detect breaches. Malware sandboxes whose expertise is identifying abuse of well-known operating systems such as Windows servers will face a steep learning curve in applying the same detection to bespoke applications running on proprietary software platforms. Instead, organizations will have to rely heavily on secure IoT endpoint platforms to try to reduce the potential attack surface. Surely there must be a simpler way to approach these problems: a common denominator that can cope with the breadth of platforms and devices that IoT will present.
That common denominator could well be an infrastructure that is already prevalent across all IP networks, whether corporate networks, public clouds, next-generation data centers or even the Internet: the DHCP, DNS and IP address management (DDI) infrastructure, which for the past 30 years has provided Internet scale to all IP-connected devices. How could this ubiquitous infrastructure be applied to address the challenges of IoT?
Device Identification and Classification
Start with device identification and classification. IP-connected IoT devices are going to require an IP address. If the addresses are statically provisioned, organizations will need an IP address management platform to manage the address space, even more so given the dramatic increase in address consumption. Even if the devices use IPv6, where address space is not constrained, managing and tracking those addresses is an important operational need. Similarly, if the devices obtain their addresses dynamically, they will still need a DHCP (Dynamic Host Configuration Protocol) server to provide those addresses. In either case the centralized platforms that manage the IP address space will have a comprehensive view of which devices are on the network. Moreover, through the static address management process there is the opportunity to classify the device at the moment of provisioning. In the case of DHCP, the request from the IoT device provides a fingerprint that enables the DHCP server to classify which device is requesting an address. There does not seem to be any better common way to identify and classify the broad range of IoT devices than with an IP address management and DHCP platform.
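The DHCP fingerprinting the paragraph refers to works because a client's request carries options it fills in itself: option 55 (the parameter request list, whose contents and ordering differ between network stacks), option 60 (vendor class identifier) and option 12 (hostname). The following is an added example, not Infoblox's or any DHCP server's code: it parses the option area of a request, derives a fingerprint from options 55 and 60, and looks it up in a small fingerprint table. The table entries, the `acme-thermo` vendor string and the sample request are all constructed for illustration; a real deployment would use a maintained fingerprint database.

```python
"""DHCP fingerprinting for device classification (added example, not Infoblox code)."""
from typing import Dict, Tuple

# DHCP option codes (RFC 2132)
OPT_PAD = 0
OPT_HOSTNAME = 12
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_END = 255

# Constructed sample table: (option-55 fingerprint, vendor-class prefix) -> class.
# An empty prefix matches any vendor class. Entries are illustrative only.
FINGERPRINTS: Dict[Tuple[str, str], str] = {
    ("1,3,6,15,119,252", ""): "general-purpose workstation (constructed)",
    ("1,3,6,42", "acme-thermo"): "IoT thermostat (constructed)",
}


def build_options(*items: Tuple[int, bytes]) -> bytes:
    """Encode (code, value) pairs as DHCP TLV options and terminate with END."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the DHCP magic cookie."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes]) -> str:
    """Option 55 lists the options the client wants, in the client's own order;
    that ordering is what makes it a useful per-stack fingerprint."""
    return ",".join(str(b) for b in opts.get(OPT_PARAM_REQUEST_LIST, b""))


def classify(blob: bytes) -> Dict[str, str]:
    """Return the fingerprint, the client-supplied identifiers and the matched class."""
    opts = parse_options(blob)
    fp = fingerprint(opts)
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    hostname = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace")
    device_class = "unknown"
    for (fp_key, vendor_prefix), label in FINGERPRINTS.items():
        if fp == fp_key and vendor.startswith(vendor_prefix):
            device_class = label
            break
    return {"fingerprint": fp, "vendor_class": vendor,
            "hostname": hostname, "device_class": device_class}


# Constructed sample request: a DISCOVER from a hypothetical thermostat.
SAMPLE_THERMOSTAT = build_options(
    (OPT_MSG_TYPE, b"\x01"),                          # DHCPDISCOVER
    (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, 42])),   # mask, router, DNS, NTP
    (OPT_VENDOR_CLASS, b"acme-thermo-v2"),
    (OPT_HOSTNAME, b"thermo-lobby"),
)

if __name__ == "__main__":
    print(classify(SAMPLE_THERMOSTAT))
```

Note that every field used here is supplied by the client, so the result is an inventory hint for policy and monitoring, not an authentication of the device; the parser also rejects truncated options rather than silently classifying a malformed request.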
In the case of threat detection there is an advantage to protecting devices over users. Anomaly detection for users is difficult because it’s hard to predict what a user’s normal behaviour is. Machines, on the other hand, tend to be far more predictable, which means anomaly detection could be a fruitful way of identifying compromised machines. One common means of applying anomaly detection across the breadth of IoT devices would be to use their DNS activity. Since statically configuring applications and services is impractical and does not scale, most IoT devices will use DNS to dynamically locate the services and platforms they need to interact with. DNS provides that flexibility, enabling services to be relocated between networks whilst maintaining a common point of reference: the fully qualified domain name.
On this premise, it’s possible to monitor and model the services the IoT device seeks to communicate with. If, for example, there is an IoT thermostat made by a manufacturer in Germany, it may communicate back to the manufacturer for software updates, using DNS to resolve the address of the update server in Germany. DNS servers could model that behaviour, and if the device began to deviate from its typical pattern, perhaps by attempting to resolve services in a previously unknown location, that would provide an indication of compromise. The common need for IoT devices to use DNS to locate services provides a simple, scalable and consistent model for detecting potential breaches.
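The per-device DNS model described in the two paragraphs above, as an added example that is not Infoblox code: it learns, for each client address, which registrable domains a device resolves and in which country the answers land during a baseline window, then flags later queries that fall outside that model. The thermostat address, the log format, the domain names and the `GEO` table standing in for a GeoIP lookup are all constructed for illustration, and `registrable_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Per-device DNS baseline and deviation alerts (added example, not Infoblox code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed answer-IP -> country table standing in for a GeoIP lookup.
GEO: Dict[str, str] = {
    "203.0.113.10": "DE",
    "203.0.113.11": "DE",
    "198.51.100.7": "DE",
    "192.0.2.55": "ZZ",   # ZZ: user-assigned code used here for "unknown region"
}


@dataclass
class Baseline:
    domains: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)


@dataclass
class Query:
    ts: str
    client: str
    qname: str
    answer: str


def registrable_domain(qname: str) -> str:
    """Collapse a hostname to its last two labels. Constructed simplification:
    production code should use the Public Suffix List (think co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Query:
    """Constructed log format: '<ts> <client-ip> <qname> <qtype> <answer-ip>'."""
    ts, client, qname, _qtype, answer = line.split()
    return Query(ts, client, qname, answer)


def learn(lines: List[str]) -> Dict[str, Baseline]:
    """Build the per-device model from a baseline window believed to be clean."""
    model: Dict[str, Baseline] = {}
    for line in lines:
        q = parse_line(line)
        b = model.setdefault(q.client, Baseline())
        b.domains.add(registrable_domain(q.qname))
        b.countries.add(GEO.get(q.answer, "ZZ"))
    return model


def detect(model: Dict[str, Baseline], lines: List[str]) -> List[dict]:
    """Return one alert per query that deviates from the device's baseline."""
    alerts = []
    for line in lines:
        q = parse_line(line)
        reasons = []
        b = model.get(q.client)
        if b is None:
            reasons.append("client-not-in-baseline")
        else:
            dom = registrable_domain(q.qname)
            country = GEO.get(q.answer, "ZZ")
            if dom not in b.domains:
                reasons.append(f"new-domain:{dom}")
            if country not in b.countries:
                reasons.append(f"new-country:{country}")
        if reasons:
            alerts.append({"ts": q.ts, "client": q.client,
                           "qname": q.qname, "reasons": reasons})
    return alerts


# Constructed baseline: a thermostat at 10.1.2.30 only talks to its vendor in DE.
BASELINE_LOG = [
    "2019-11-04T08:00:01Z 10.1.2.30 updates.acme-thermo.example A 203.0.113.10",
    "2019-11-04T08:00:05Z 10.1.2.30 telemetry.acme-thermo.example A 203.0.113.11",
    "2019-11-05T08:00:02Z 10.1.2.30 updates.acme-thermo.example A 203.0.113.10",
    "2019-11-05T08:00:06Z 10.1.2.30 ntp.acme-thermo.example A 198.51.100.7",
]

# Constructed later traffic: one normal query, one to an unfamiliar domain and
# region, and one from a client that was never seen during the baseline.
LIVE_LOG = [
    "2019-11-06T08:00:01Z 10.1.2.30 updates.acme-thermo.example A 203.0.113.10",
    "2019-11-06T03:12:44Z 10.1.2.30 cdn.unknown-host.example A 192.0.2.55",
    "2019-11-06T03:13:01Z 10.1.2.99 updates.acme-thermo.example A 203.0.113.10",
]

if __name__ == "__main__":
    for alert in detect(learn(BASELINE_LOG), LIVE_LOG):
        print(alert)
```

The model is keyed per device because, as the text argues, a machine's set of counterparts is small and stable; the two caveats a practitioner would add are that the baseline window must itself be clean (a device already compromised during learning teaches the model its beacon domain) and that devices resolving names over a channel the resolver does not see leave no DNS record to model.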
Given the looming challenges of IoT, it’s worth considering how the DNS and DHCP platforms that serve IT infrastructure today could be repurposed as a scalable tool for device classification and breach detection.