Two startups and two approaches to IoT security
Security is an ongoing challenge when it comes to connected devices. They have to be physically secure from a hardware perspective; their apps have be secure; and the cloud-based storehouse where they put data has to be secure. Finally, data traveling to or from any of those locations must be encrypted. There are dozens of potential weak links.
All of which assumes that the device maker cared about security in the first place and subsequently built secure features into its product. It also assumes the device makers’ suppliers felt the same. The end user has a role here, too, in that she has to choose a good password and at least try to implement decent network security.
Really, it’s no wonder that we’re in the middle of a growing crisis in cybersecurity wrought by the internet of things. But in the last two weeks I’ve encountered two companies that could change the way we think about IoT security.
The first company is VDOO, which has a silly name, but a bold idea. The founders are trying to solve two problems associated with connected device security. The first thing they want to do is make it accessible to every device maker, no matter how small. The second thing they want to do is make security easy to implement.
Accessibility and ease of use are two distinctly different problems. Today, someone wanting to ensure a secure device has to hire consultants to dig into her code and perform penetration testing. That’s a big hurdle and still leaves vulnerabilities as time passes on the devices in the field. Not everyone has the budget or will to do it. And even if they did, there are not enough security consultants to do it for them.
The second problem rears its head after the consultants are done. That’s when a company has to implement a solution to vulnerabilities, which may be cumbersome and requires engineering effort. Thus security has to become scalable from a cost and an implementation perspective.
VDOO tries to solve this by creating a database of device types, known vulnerabilities, and security best practices associated with each type of device. It has used available firmware from existing IoT products and a natural language processing engine to parse companies’ websites to figure out what a device is and what it does. From there it automatically assigns it a device type and figures out the rules.
The idea is that any device maker can submit their website and firmware to get what is essentially a quick, automatically generated security profile and risk assessment. The challenge for VDOO at this stage is building up trust in the best practices that it will recommend to device makers.
The second stage of VDOO’s business plan is to take what it knows about each device and install a piece of software on one or two of those devices running in a quality assurance lab environment. From there, VDOO plans to monitor that agent for changes in the device that would require a security alert or update, information that it would share with the manufacturer.
The challenge here is ensuring that once a vulnerability is found, the device gets updated and all devices in the field get patched. This can be a tall order in both consumer and industrial settings. Consumers are unfamiliar with the importance of patching, and in many corporate settings IT has to approve patches in order to make sure they don’t muck up some other process.
Still, I like VDOO’s idea of trying to protect devices before they head out in the field in a scalable way.
If VDOO is trying to solve security on the manufacturing side, Armis, another startup, is tackling IoT security from the end-user perspective. Armis offers a subscription-based software that keeps an eye on the devices floating around a corporate campus or factory network to determine what they are and watch how they behave. If those devices get unruly, Armis can send information to other security programs already in use by the enterprise, or it can take action to quarantine or shut down the offending equipment.
Armis CTO Nadir Izrael points out that even if a connected device is secure and hardened it doesn’t obviate the need for a CISO to secure her network. In this context, IoT security is really network security made more challenging by the incalculable number of different devices, which can range from a connected car in the parking lot to the CEO’s Apple Watch.
While the Ford in the parking lot might not try to connect to the network, it’s good to know it’s there. Armis’ software runs on top of existing network software that is used to manage wireless access points. The Armis software can take the signals from all of the devices roaming the halls and shouting out to the wireless access points and figure out what device type they are even if they never connect.
That information is sent to the cloud, where Armis analyzes the data against its own database of more than 3 million device types to determine what it is, how it should behave, and what its capabilities are. Izrael says that not only does the security team use the tool, but IT staff also avail themselves of it to track how many iPhones are in the organization or even how many devices in the building have open microphones.
The thinking here is that in a world of trillions of connected devices an organization needs visibility into the chaos those devices might bring into the network. The advantage Armis has over other companies also tracking network behavior to determine bad actors is that it can also detect devices that never try to get on the corporate network and still tell you what they are doing.
From these two startups, it’s easy to see that securing the IoT isn’t just a one-step process. Many different solutions will have to be cobbled together to build up a sense of security. On the manufacturing side, we’re going to need better implementations from the get-go, and constant watchfulness to address vulnerabilities. For the buyers and users of that equipment, the burden is still high. They’ll have to keep an eye on what these connected devices are doing, no matter how secure they claim to be.