There was a time when we knew what our devices were doing. We programmed them, so we had an idea of all the information they would send and where they would send it. We knew what was running from a software perspective. The combination of closed ecosystems and specialized hardware requirements meant we knew that a router or a switch would only be forwarding packets. And continual audits of our server infrastructure meant we knew when something was running that shouldn’t be.
Today’s world isn’t so easy to figure out. The explosion of Internet of Things (IoT) devices has made our lives significantly more complicated from a detection perspective. Aside from knowing that our devices are talking to something, we’re not really sure what they’re doing or even what normal looks like. A burst of traffic from a sensor to a remote destination might not be a good thing, unless that destination is the AWS dashboard the sensor is controlled from. But how am I supposed to know whether the traffic being sent is even the right traffic to send?
As we’ve seen in recent years, IoT devices can be compromised to do things they aren’t supposed to be doing. From the Target point-of-sale breach in 2013 to the casino hacked through a remotely monitored fish tank thermometer that made headlines in 2018, we can see the potential for IoT devices to be misused. And these devices often don’t show up on regular scans, because they can’t be scanned the way a server can and they can’t run an agent that relays data back to us. What we really need is a way to detect when IoT devices deviate from their norm.
Armis Investigates
I had a chance to sit down with Armis during RSA Conference back in March. I met with Nadir Izrael, the CTO and Co-founder. He told me a little bit about what Armis is working on with regard to securing IoT devices in the enterprise. And it all starts by figuring out what those devices should be doing.
Armis is a crowdsourced IoT behavior engine. They take inputs from a variety of different devices, such as smart speakers, thermostats, medical devices, and more, and put them into a giant knowledgebase. Armis profiles those devices to find out what traffic patterns they should be producing. Do they communicate with specific servers? Do they query the same DNS names every time? When do they update, and how often? Do they ever talk to other devices on the network?
Once Armis builds this baseline, it starts watching for abnormal behavior. What happens when a glucose pump suddenly starts trying to access the Electronic Medical Records (EMR) system? Why did our smart lights suddenly stop querying their update servers? Why are the security cameras suddenly sending a ton of traffic to the internet in what looks like a DDoS attack? All of these are situations Armis can address, and it does so without relying on agents on the devices to gather those characteristics. Instead, it builds a profile of each device and its communication patterns and constantly matches what it observes against that baseline.
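The three scenarios above all reduce to the same mechanic: learn a per-device profile from a clean window of traffic, then compare a later window against it. The following is an added example of that mechanic in plain Python, written for this article; it is not Armis code and says nothing about how Armis actually implements its engine. The device names, addresses, DNS names and flow records are all constructed, and the detection rules (new internal peer, new external destination with no known name, an expected name that stops being queried, and a volume spike over ten times the per-day baseline) are illustrative thresholds chosen here, not anything the vendor described.

```python
"""Baseline-and-deviation detection for IoT traffic.

Added illustration, not Armis code. Device names, addresses and
flow records are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. peers on our own network."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Flow:
    device: str    # source device (constructed name)
    dst: str       # destination IP
    dns_name: str  # name the device resolved for dst, "" if it used a bare IP
    nbytes: int    # bytes sent by the device
    day: int       # day index, used to compute a per-day volume


@dataclass
class Profile:
    destinations: set = field(default_factory=set)    # every dst IP seen
    dns_names: set = field(default_factory=set)       # names queried in the baseline
    internal_peers: set = field(default_factory=set)  # internal dst IPs only
    bytes_per_day: float = 0.0


def build_profiles(baseline):
    """Learn what 'normal' looks like per device from a clean window."""
    profiles = defaultdict(Profile)
    totals, days = defaultdict(int), defaultdict(set)
    for f in baseline:
        p = profiles[f.device]
        p.destinations.add(f.dst)
        if f.dns_name:
            p.dns_names.add(f.dns_name)
        if is_internal(f.dst):
            p.internal_peers.add(f.dst)
        totals[f.device] += f.nbytes
        days[f.device].add(f.day)
    for dev, p in profiles.items():
        p.bytes_per_day = totals[dev] / len(days[dev])
    return dict(profiles)


def detect(profiles, window, window_days, volume_factor=10.0):
    """Compare a new window of flows against the baseline; return (device, reason) alerts."""
    alerts = []
    seen = defaultdict(lambda: {"dns": set(), "bytes": 0})

    def alert(dev, msg):
        if (dev, msg) not in alerts:  # one alert per device/condition
            alerts.append((dev, msg))

    for f in window:
        p = profiles.get(f.device)
        if p is None:
            alert(f.device, "unknown device with no baseline")
            continue
        s = seen[f.device]
        s["dns"].add(f.dns_name)
        s["bytes"] += f.nbytes
        if is_internal(f.dst):
            if f.dst not in p.internal_peers:  # e.g. a pump reaching the EMR server
                alert(f.device, f"new internal destination {f.dst}")
        elif f.dst not in p.destinations and f.dns_name not in p.dns_names:
            # A new IP behind a known name (CDN rotation) is tolerated;
            # a new IP with no known name behind it is not.
            alert(f.device, f"new external destination {f.dst}")

    for dev, p in profiles.items():
        s = seen[dev]
        missing = p.dns_names - s["dns"]
        if missing:  # e.g. lights that stopped checking for updates
            alert(dev, f"expected names not queried: {sorted(missing)}")
        if s["bytes"] > volume_factor * p.bytes_per_day * window_days:
            alert(dev, f"sent {s['bytes']} bytes, over {volume_factor:g}x baseline")
    return alerts


# Constructed baseline: three quiet days of normal behaviour per device.
BASELINE = [
    *[Flow("smart-lights", "203.0.113.10", "update.lights.example", 2_000, d) for d in range(3)],
    *[Flow("glucose-pump", "10.0.5.20", "", 500, d) for d in range(3)],       # monitoring server
    *[Flow("lobby-camera", "10.0.9.5", "", 5_000_000, d) for d in range(3)],  # NVR
]

# Constructed detection window: day 3, carrying the three scenarios from the text.
WINDOW = [
    Flow("glucose-pump", "10.0.5.20", "", 500, 3),
    Flow("glucose-pump", "10.0.7.40", "", 300, 3),             # EMR server, never seen before
    Flow("lobby-camera", "10.0.9.5", "", 5_000_000, 3),
    Flow("lobby-camera", "198.51.100.77", "", 80_000_000, 3),  # flood to an unknown external host
    # smart-lights sends nothing today: its daily update query is missing
]


def run_example():
    return detect(build_profiles(BASELINE), WINDOW, window_days=1)


if __name__ == "__main__":
    for dev, msg in run_example():
        print(f"{dev}: {msg}")
```

Two design points are worth noticing. The external-destination rule keys on the DNS name as well as the IP, so a device whose update server moves between CDN addresses does not page anyone, while a connection to a bare IP the device has never resolved a name for does. And the "expected names not queried" check is the inverse of the usual anomaly rule: silence from a device that should be phoning home on a schedule is itself a signal, because disabling updates is one of the first things an attacker does to keep a foothold.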
But that’s not all Armis does. They also crowdsource potential vulnerabilities from the Internet. They are always looking at newly released CVEs, reading security researcher blogs, and trying to find out when the next zero-day exploit is about to drop. Once all that data has been ingested into the Armis Knowledgebase, it is shared with the rest of the community to ensure that all Armis customers are up to date on the latest exploits and ready to combat them if they see them.
Armis is also acutely aware that data theft, as we’ve seen in past compromises, is only the tip of the iceberg. The real value of using IoT devices to do the hacking is the chance to be persistent. Shutting off update services or doing recon on the network from an “invisible” device like a speaker or a camera isn’t designed to steal just a few credit card numbers. Instead, it’s designed to gain a foothold, start gathering more and more information, and perhaps go further, such as manipulating data. Could you imagine the possibilities if someone were to compromise something critical, like election infrastructure or even the power grid? Now you can see why profiling those IoT devices isn’t just a fleeting idea for jumping into a new market.
Bringing It All Together
Armis understands that the future of cloud and serverless data centers means the only devices left on-site will likely be IoT. And, unlike the purpose-built networking equipment of the past, IoT devices can be much more easily compromised to exfiltrate data or to gain a foothold for other nefarious activities. The key is being able to figure out what those devices should be doing and alerting you when they do something out of the norm. That’s the value of Armis.
If you’d like to learn a bit more about Armis and their platform, make sure you head over to http://Armis.com.