It’s safe to say that the internet of things (IoT) is mature enough that it’s on everyone’s radar by now. The IoT as we know it has been around for more than a decade, but it wasn’t until about five years ago that organizations started integrating the IoT as a core component of their enterprise security programs. Still, many IT professionals and executives alike are not addressing IoT security at the same level at which it’s creating tangible business risks.

I’ve worked with many businesses to help create their security programs from scratch — everything from policies to technologies to ongoing security assessments. One thing I’ve found is that addressing these elements of security from the very beginning is much easier than trying to integrate controls into an environment that’s already established.

It’s no different with the IoT. These devices are bringing an onslaught of random systems into practically every business network, yet many people still aren’t paying attention. That must change if businesses are to maintain some semblance of reasonable security.

Exploits Come in All Shapes and Sizes

In terms of threats and vulnerabilities, the IoT is pretty much a continuation of traditional enterprise network systems. There are myriad scenarios encompassing IoT-related attacks on enterprise networks, such as:

  • Device to device;
  • Device to traditional endpoint — i.e., workstations and servers;
  • Device captures of network traffic;
  • Device to network perimeter; and
  • Device to cloud.

There could be IoT-centric network activity taking place right under your nose that you might not even be aware of. One thing to remember is that IoT network communication goes in two directions — outbound and inbound — across both wired and wireless networks. Your environment must be equipped to not only handle the bandwidth requirements of the IoT, but also the visibility and control that’s needed to keep things in check.

To effectively integrate your IoT environment within your larger vulnerability management program, you must first identify your IoT systems. You simply cannot control or secure the things you don’t know about. But there’s more to it: You also need to understand which specific vulnerabilities IoT devices pose and how those vulnerabilities can be mitigated.

Perhaps the right solution for your organization is a dedicated IoT security appliance. Specific integration with your internal vulnerability scanning and patch management might be in order. Or it could be that you must address things on a case-by-case basis, finding, analyzing and resolving security concerns across all your IoT platforms.

The important part is that you’re properly acknowledging the vulnerabilities. Be it a smaller environment hosting a handful of medical devices or a larger industrial control network made up of countless devices, IoT systems need to be identified, enumerated and evaluated for vulnerabilities. Many security professionals aren’t sure where to start in terms of identifying these flaws. Some vulnerabilities are the predictable basics: weak passwords, unencrypted communications sessions and outdated software that facilitates remote exploits. In other cases, devices have odd services running in unexpected ways, or they’re connected to parts of the network and/or doing certain things that you thought were not allowed or even possible.
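As a starting point for the identification step and the communication paths listed earlier, the following added example (not from the original article) reconciles flow records against an asset inventory, labels each flow by who is talking to whom, and flags uninventoried hosts and cleartext sessions. The inventory, addresses, flow records and port list are constructed assumptions, and the port check is a heuristic rather than protocol inspection.

```python
import ipaddress

# Constructed asset inventory (IP -> role); none of these values come from the article.
INVENTORY = {
    "10.20.0.11": "iot",       # badge reader
    "10.20.0.12": "iot",       # IP camera
    "10.10.0.5": "endpoint",   # file server
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Port-based heuristic for protocols that are normally unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.12", "10.20.0.11", 23),
    ("10.20.0.11", "10.10.0.5", 445),
    ("10.20.0.12", "203.0.113.40", 443),
    ("10.20.0.77", "198.51.100.9", 1883),
    ("10.10.0.5", "10.20.0.12", 80),
]

def role(ip):
    """Inventory role, 'unknown' for unlisted internal hosts, else 'external'."""
    if ip in INVENTORY:
        return INVENTORY[ip]
    return "unknown" if ipaddress.ip_address(ip) in INTERNAL else "external"

def review(flows):
    """Label each flow with its source-to-destination roles and any findings."""
    report = []
    for src, dst, port in flows:
        src_role, dst_role = role(src), role(dst)
        findings = []
        # A host inside our address space that nobody inventoried.
        for ip, r in ((src, src_role), (dst, dst_role)):
            if r == "unknown":
                findings.append(f"uninventoried host {ip}")
        # Only flag cleartext when a device or unknown host is involved.
        if port in CLEARTEXT_PORTS and {"iot", "unknown"} & {src_role, dst_role}:
            findings.append(f"cleartext {CLEARTEXT_PORTS[port]}")
        report.append((f"{src_role} to {dst_role}", findings))
    return report

if __name__ == "__main__":
    for (src, dst, port), (path, findings) in zip(FLOWS, review(FLOWS)):
        print(f"{src} -> {dst}:{port}  [{path}]  {'; '.join(findings) or 'ok'}")
```

In practice the inventory would come from your asset database and the flows from NetFlow, firewall or DHCP logs; the value is in the mismatches between the two.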

Simply lumping these systems into existing vulnerability management practices may work, but not always. It’s important to not just tackle IoT vulnerabilities in a binary fashion, but also truly figure out how the IoT can be integrated into your existing security initiatives.

Find the Right IoT Security Solution

I’m a strong believer that buying tools alone does not solve security problems. In fact, procuring and deploying additional tools just for the sake of it can create additional challenges and increase risk. This applies as much to IoT security as it does to any other aspect of enterprise security. That said, there are tools and services dedicated to solving the challenges associated with the IoT. However, before opening the budget to simply check another security or compliance checkbox, you should consider the following questions:

  • What IoT systems are on the network?
  • What specific business risks does the IoT introduce into the enterprise? How are those risks best addressed?
  • What business requirements need to be met?
  • What current work will have to be delayed or given up entirely when taking on a new IoT management/security system? Will a new resource have to be hired to fill the gaps?
  • How will a new IoT management/security system be integrated with existing network security controls? Does there seem to be a reasonable cultural fit?
  • Alternatively, can existing security technologies, such as security information and event management (SIEM), cloud access security broker (CASB) or endpoint detection and response (EDR), be leveraged to discover and lock down the IoT environment?

Determining the proper set of IoT controls for your environment is one of the more important long-term security decisions you will make. This is why all the right people — including management outside of the IT organization — need to be on board so the best decisions can be made. You’ll have to leverage technology for the IoT more than anything else, and I can assure you that your paperwork won’t be enough.

Acknowledge IoT Concerns and Take Action

The IoT is not some new fad that will fade away; it’s a new facet of your network that must be managed whether you think something should be done about it or not. And it’s not going to get any easier as time goes on. Now’s the time to plan and develop approaches to the IoT systems that are already on your network and quite likely posing business risks.

Identify the IoT systems and devices that are — or will soon be — on your network, understand how these endpoints are creating risk, and then do something about it. Any gaps or weaknesses in IoT security will most likely facilitate the next big network event, so prepare your enterprise before it’s too late.
