IoT Security Challenges and Solutions

Internet Of Things (IoT) Security:

Understanding The Challenges While Mitigating the Risks


Demetris Booth, APJC Lead – Product Management & Product Marketing
Agenda
• Overview & Benefits
• Security Challenges
• Mitigating Challenges
– High Level View
– Technical View
• Bringing It All Together

Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public
IoT Is Here Now – and Growing!
[Chart: "Billions of Devices" against a timeline. "Smart Objects": 12.5 billion (2010), 25 billion (2015), 50 billion (2020). World Population: 6.8, 7.2 and 7.6 billion at the same points. Annotations: "Inflection point"; "Adoption rate of digital infrastructure: 5X faster than electricity and telephony".]
Relation to Internet of Everything (IoE)

Networked Connection of People, Process, Data, Things

• People: connecting people in more relevant, valuable ways
• Process: delivering the right information to the right person (or machine) at the right time
• Data: leveraging data into more useful information for decision making
• Things: physical devices and objects connected to the Internet and each other for intelligent decision making

IoE: Connecting the Unconnected to Generate Business Value


IoT Delivers Extraordinary Benefits
What Comprises IoT Networks?

• Information Technology (IT)
• Operational Technology (OT)
• Smart Objects

Smart City

• Reduced congestion
• Improved emergency services response times
• Lower fuel usage
• Increased efficiency
• Power and cost savings
• New revenue opportunities
• Efficient service delivery
• Increased revenues
• Enhanced environmental monitoring capabilities

Safety, financial, and environmental benefits


The Connected Car

• Online entertainment
• Mapping, dynamic re-routing, safety and security
• Transform "data" to "actionable intelligence"
• Enable proactive maintenance
• Collision avoidance
• Fuel efficiency
• Reduced congestion
• Increased efficiency
• Safety (hazard avoidance)

Actionable intelligence, enhanced comfort, unprecedented convenience


IoT Transforms Data into Wisdom
[Pyramid, from most important (top) to least important (bottom)]
• Wisdom (Scenario Planning)
• Knowledge
• Information
• Data (raw bits)

Big Data Becomes Open Data for Customers, Consumers to Use


… but it also adds complexity.
[Stack, top to bottom]
• New Business Models / Partner Ecosystem
• Applications
• Application Interfaces
• Unified Platform
• Infrastructure Interfaces
• Infrastructure

… but it also adds complexity.
[Stack, top to bottom]
• Application and Business Innovation: New Business Models, Partner Ecosystem
• Application: Data Integration, Big Data Analytics, Applications, Control Systems Integration
• Application Interfaces
• Application Enablement Platform (Unified Platform)
• Infrastructure Interfaces
• Application Centric Infrastructure (Infrastructure)
• Device and Sensor Innovation


The Flip Side: Major Security Challenges
We’ve Created the Perfect Storm…

Device Explosion + Connectivity Explosion + Industrialization of Hacking + State Cyber Programs + "Hacktivism" = the perfect storm

Security Challenges

Traditional Security Challenges
• Increased Attack Surface
• Information Breach
• Data Privacy

Smart Objects
• Devices: 6 per person
• Sensors: 130 per person

IoT Security Challenges

• Superior Visibility: advanced video analytics, remote management, and multi-site event correlation
• Granular Control: differentiated policy enforcement across the extended network
• Advanced Threat Protection: comprehensive cyber security threat detection and mitigation
• Actionable Intelligence: internetworked security solutions for superior intelligence and rapid response
• Automated Decisions: machine-to-machine enabled security control with no human intervention required

IoT Expands Security Needs
New security needs:
• New Applications
• Threat Diversity
• Impact and Risk
• Remediation
• Protocols
• Compliance and Regulation

Built on IoT connectivity:
• Converged, Distributed Resilience at Scale
• Application Security Enablement
• Managed Network Intelligence

Mitigating The Security Risk Across the Extended
Network – The 20,000 FT View
IT and OT are Inherently Different

IT
• Connectivity: "Any-to-Any"
• Network Posture: Confidentiality, Integrity, Availability (CIA)
• Security Solutions: Cybersecurity; Data Protection
• Response to Attacks: Quarantine/Shutdown to Mitigate

OT
• Connectivity: Hierarchical
• Network Posture: Availability, Integrity, Confidentiality (AIC)
• Security Solutions: Physical Access Control; Safety
• Response to Attacks: Non-stop Operations/Mission Critical – Never Stop, Even if Breached

IT/OT Converged Security Model

IT
• Cloud
• Enterprise Network: Network Security, Application Control, Identity Services

DMZ (Demilitarised Zone)
• Secure Access

OT
• Supervisory: Config Mgmt
• Automation & Control
The Secure IoT Architecture – IT Plus OT!
[Architecture stack, top to bottom]
• Application and Business Innovation: New Business Models, Partner Ecosystem
• Application: Data Integration, Big Data Analytics, Applications, Control Systems Integration
• Application Interfaces
• Application Enablement Platform
• Infrastructure Interfaces
• Application Centric Infrastructure
• Device and Sensor Innovation

Security layers alongside the stack: Cloud-based Threat Analysis / Protection; Network and Perimeter Security; Platform Security Services; Physical Security; Device-level Security / Anti-tampering; End-to-End Data Encryption.

Cisco Security Model
Attack Continuum

• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Applied across Network, Endpoint, Mobile, Virtual and Cloud; from point-in-time to continuous.

Security/Attack Continuum - IT

• BEFORE (Control, Enforce, Harden): cloud-based threat detection and prevention; policy enforcement via firewall, VPN and identity services
• DURING (Detect, Block, Defend): quarantine based on real-time analysis and actionable security intelligence from IPS and WSA
• AFTER (Scope, Contain, Remediate): remediate using advanced protection and network behavioral analysis

Security/Attack Continuum - OT

• BEFORE (Control, Enforce, Harden): networked cyber and physical security solutions with OT-specific policies
• DURING (Detect, Analyze, Respond): response based on real-time analysis and actionable security intelligence
• AFTER (Disable, Contain, Remove): lockdown physical spaces or disable access to critical infrastructure

Mitigating The Security Risk Across The Extended
Network – Technical View
Exposure In IoT Networks

[Diagram: exposure along the path IoT device – aggregation – core – WAN / Internet – data center [vpn], plus the management block; each segment carries one or more of the exposure boxes below]
• MITM: sniff traffic, modify data, impersonation
• Compromise: unauthorized access, device tampering, service disruption, malware infection, sniff traffic
• Hack Device: unauthorized device access, device tampering, malware infection
Required Security Model for IoT
Attack Continuum

• BEFORE: Discover (Control), Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

• Network as an Enforcer
• Network as a Sensor
• Network as a Mitigation Accelerator
BEFORE an attack / DURING an attack / AFTER an attack

[Diagram, repeated on the following slides: IoT device – aggregation – core – WAN / Internet ("www") – data center [vpn]; the management block holds the NF analyzer, policy server (ISE), web security, email security, firewall, IPS and advanced malware protection.]
BEFORE an attack

Profiling
• ISE builds device database by MAC address
• Profile with SNMP (LLDP), DHCP, NMAP, NetFlow; the profile drives MAC-based access policy
• ISE manages policy

Benefit
• Visibility and access control
• MAC linked with device ID and location
• Custom access by device profile

[Diagram: MAB (MAC Authentication Bypass) applied at the IoT device access layer]
BEFORE an attack

802.1x
• Authenticates device before activating access
• ISE manages policy

Benefit
• Operational simplicity and control
• Dynamic device authentication
• Single policy management

[Diagram: 802.1x on the access ports at the IoT device layer]
BEFORE an attack

SGT / SGACL
• Tags traffic based on device policy
• Enforces access control based on tag
• ISE manages policy

Benefit
• Operational simplicity and speed
• Dynamic, topology-independent enforcement
• Single access control policy

[Diagram: SGTs carried on traffic from the IoT device layer through aggregation, core and data center]
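The three "before an attack" slides (profiling, 802.1x/MAB, SGT/SGACL) describe one pipeline: observed attributes and an authenticated identity yield a device profile, the profile yields a tag, and the tag, not the IP address or VLAN, decides what the flow may do. The script below is an added illustration of that pipeline in Python; it is not ISE or TrustSec code. The OUI prefixes, profile names, SGT numbers, scoring weights and the SGACL matrix are all constructed for the example, and it goes slightly beyond the slides by showing how a device that matches no profile lands in a quarantine tag that can only reach a remediation service.

```python
"""Profile-driven access policy: classify a device from observed attributes,
assign a Security Group Tag (SGT) and enforce an SGACL matrix on flows.
Added example, not Cisco/ISE code; every table below is constructed."""
from dataclasses import dataclass

# Constructed OUI-to-vendor table (hypothetical prefixes, not real assignments)
OUI_VENDOR = {
    "00:1a:aa": "CamCo",       # IP cameras
    "00:2b:bb": "MeterCorp",   # smart meters
    "00:3c:cc": "LaptopInc",   # corporate laptops
}

# Profile name -> Security Group Tag (constructed numbering)
PROFILE_SGT = {"ip-camera": 10, "smart-meter": 20, "corp-laptop": 30, "unknown": 99}
# Destination resources get their own tags (constructed)
RESOURCE_SGT = {"video-server": 40, "scada-historian": 41, "internet": 50, "remediation": 60}

# SGACL matrix: (src_sgt, dst_sgt) -> permitted "proto/port" services.
# A missing cell is denied, so the policy is default-deny and topology-independent.
SGACL = {
    (10, 40): {"tcp/554", "tcp/443"},   # cameras stream to the video server only
    (20, 41): {"tcp/502"},              # meters speak Modbus/TCP to the historian only
    (30, 50): {"tcp/80", "tcp/443"},    # laptops may browse the Internet
    (30, 40): {"tcp/443"},              # laptops may reach the video portal
    (99, 60): {"tcp/443"},              # unknown devices may reach remediation only
}

@dataclass
class Observation:
    mac: str
    dhcp_class: str = ""          # DHCP option 60 vendor class identifier, if seen
    lldp_sysdesc: str = ""        # LLDP system description, if seen
    open_ports: tuple = ()        # NMAP probe result
    dot1x_identity: str = ""      # non-empty when 802.1X succeeded; empty means MAB fallback

def profile_device(obs: Observation) -> tuple:
    """Score each profile against every attribute; return (profile, score)."""
    scores = {"ip-camera": 0, "smart-meter": 0, "corp-laptop": 0}
    vendor = OUI_VENDOR.get(obs.mac[:8].lower())
    if vendor == "CamCo":
        scores["ip-camera"] += 30
    elif vendor == "MeterCorp":
        scores["smart-meter"] += 30
    elif vendor == "LaptopInc":
        scores["corp-laptop"] += 30
    text = (obs.dhcp_class + " " + obs.lldp_sysdesc).lower()
    if "camera" in text:
        scores["ip-camera"] += 30
    if "meter" in text:
        scores["smart-meter"] += 30
    if 554 in obs.open_ports:          # RTSP
        scores["ip-camera"] += 20
    if 502 in obs.open_ports:          # Modbus/TCP
        scores["smart-meter"] += 20
    if obs.dot1x_identity.endswith("@corp.example"):
        scores["corp-laptop"] += 50    # an authenticated identity outweighs fingerprints
    best = max(scores, key=scores.get)
    # Below a minimum certainty the device is "unknown" and gets the quarantine tag
    return (best, scores[best]) if scores[best] >= 50 else ("unknown", scores[best])

def assign_sgt(obs: Observation) -> int:
    """Map the profiling result to the SGT that will be carried on its traffic."""
    return PROFILE_SGT[profile_device(obs)[0]]

def enforce(src_sgt: int, dst_sgt: int, service: str) -> str:
    """SGACL lookup: permit only if the (src, dst) cell lists the service."""
    return "permit" if service in SGACL.get((src_sgt, dst_sgt), set()) else "deny"

# Constructed observations
CAMERA = Observation("00:1A:AA:10:20:30", dhcp_class="CamCo IP Camera", open_ports=(80, 554))
ROGUE = Observation("00:9f:9f:de:ad:01", dhcp_class="MSFT 5.0", open_ports=(445, 3389))
LAPTOP = Observation("00:3c:cc:00:00:07", dot1x_identity="alice@corp.example")

def demo() -> dict:
    """Profile and tag the three constructed devices."""
    return {label: (profile_device(obs)[0], assign_sgt(obs))
            for label, obs in (("camera", CAMERA), ("rogue", ROGUE), ("laptop", LAPTOP))}

if __name__ == "__main__":
    for label, (name, sgt) in demo().items():
        print(f"{label:7s} -> profile={name:11s} SGT={sgt}")
    print("camera -> video server RTSP :", enforce(10, 40, "tcp/554"))
    print("camera -> internet HTTPS    :", enforce(10, 50, "tcp/443"))
    print("rogue  -> historian Modbus  :", enforce(99, 41, "tcp/502"))
    print("rogue  -> remediation HTTPS :", enforce(99, 60, "tcp/443"))
```

The point a practitioner should take from this is the shape of the decision: the camera keeps its RTSP path to the video server and nothing else, the unprofiled device is not blocked outright but confined to remediation, and none of that depends on which switch port or subnet the device appeared on.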
DURING an attack

NetFlow Analyzer
• Collect full NetFlow across network
• Detect behavioral anomalies
• ISE provides context

Benefit
• Full threat visibility
• Detect threats in any part of network
• Detect access abuse
• Detect attacks missed by security systems

[Diagram: NetFlow (NF) exported from aggregation, core and data center to the NF analyzer]
DURING an attack

IPS / AMP
• Monitor traffic and file threats

Benefit
• Integrated advanced threat detection
• Detects advanced attacks and malware
DURING an attack

WSA / ESA
• Reputation-based web threat blocking
• Reputation-based email threat blocking

Benefit
• Block advanced web / email threats
• Intelligence-driven threat detection
AFTER an attack

NF Analyzer
• Record 90 days of communications activity
• Scope extent of breach
• Report policy and compliance

Benefit
• Full accountability
• Map threat trajectory
• Evidence-based auditing

[Diagram: NetFlow (NF) exported from aggregation, core and data center to the NF analyzer]
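The NetFlow Analyzer appears twice: "during" (detect behavioral anomalies using ISE context) and "after" (90 days of records, scope the breach, map the threat trajectory). Both rest on the same flow store, so one added example covers both slides. It is illustrative Python, not a Cisco product feature: the flow records, the device-to-profile context and the per-profile baselines are constructed, and the retention, detection and trajectory logic are simplifications of what a real analyzer does.

```python
"""NetFlow-style anomaly detection and retrospective scoping.
Added example, not Cisco code; records, context and baselines are constructed."""
from datetime import datetime, timedelta

# Context as a policy server (ISE) would supply it: profile -> (permitted destinations, ports)
BASELINE = {
    "ip-camera":   ({"10.9.0.5"}, {554, 443}),
    "smart-meter": ({"10.9.0.7"}, {502}),
}
DEVICE_PROFILE = {"10.1.1.20": "ip-camera", "10.1.1.21": "ip-camera", "10.1.2.30": "smart-meter"}

# Constructed NetFlow-like records: timestamp src dst proto dport bytes
FLOW_LOG = """\
2014-11-01T09:00:00 10.1.1.20 10.9.0.5 tcp 554 40000
2015-03-01T10:00:00 10.1.1.20 10.9.0.5 tcp 554 48000
2015-03-01T10:00:05 10.1.1.21 10.9.0.5 tcp 554 47000
2015-03-01T10:00:10 10.1.2.30 10.9.0.7 tcp 502 1200
2015-03-01T10:01:00 10.1.1.20 198.51.100.9 tcp 6667 900
2015-03-01T10:01:30 10.1.1.20 10.1.2.30 tcp 23 300
2015-03-01T10:02:00 10.1.2.30 10.9.0.7 tcp 502 1300
2015-03-01T10:02:10 10.1.2.30 198.51.100.9 tcp 6667 500
"""

def parse_flows(text: str) -> list:
    """Parse the whitespace-separated records and return them in time order."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])

def retain(flows: list, days: int = 90) -> list:
    """Keep the retention window (90 days on the slide) ending at the newest record."""
    cutoff = max(f["ts"] for f in flows) - timedelta(days=days)
    return [f for f in flows if f["ts"] >= cutoff]

def detect_anomalies(flows: list) -> list:
    """DURING: flag flows that leave the source device's profile baseline."""
    findings = []
    for f in flows:
        prof = DEVICE_PROFILE.get(f["src"])
        if prof is None:
            continue                      # no context for this source; skipped here
        dsts, ports = BASELINE[prof]
        reasons = []
        if f["dst"] not in dsts:
            reasons.append("unexpected destination")
        if f["dport"] not in ports:
            reasons.append("unexpected port")
        if reasons:
            findings.append((f["ts"], f["src"], f["dst"], f["dport"], "; ".join(reasons)))
    return findings

def trajectory(flows: list, seed: str) -> list:
    """AFTER: starting from `seed`, follow each off-baseline flow to an internal
    host and treat that host as suspect from that moment on (breadth-first).
    Returns [(host, first_suspect_time), ...] ordered by time."""
    anomalies = detect_anomalies(flows)
    seed_times = [t for t, s, *_ in anomalies if s == seed]
    if not seed_times:
        return []                         # nothing off-baseline from the seed
    suspect = {seed: min(seed_times)}
    frontier = [seed]
    while frontier:
        host = frontier.pop(0)
        for ts, src, dst, _, _ in anomalies:
            if src == host and ts >= suspect[host] and dst in DEVICE_PROFILE and dst not in suspect:
                suspect[dst] = ts
                frontier.append(dst)
    return sorted(suspect.items(), key=lambda kv: kv[1])

def analyse(text: str = FLOW_LOG, seed: str = "10.1.1.20") -> dict:
    """Run retention, detection and scoping over one log; returns a summary."""
    flows = retain(parse_flows(text))
    return {"retained": len(flows),
            "findings": detect_anomalies(flows),
            "trajectory": [host for host, _ in trajectory(flows, seed)]}

if __name__ == "__main__":
    result = analyse()
    print("records within 90 days:", result["retained"])
    for ts, src, dst, dport, why in result["findings"]:
        print(f"{ts.isoformat()} {src} -> {dst}:{dport}  {why}")
    print("threat trajectory:", " -> ".join(result["trajectory"]))
```

In the constructed log the camera first contacts an external host on an IRC port, then probes the meter on Telnet, after which the meter itself starts talking to the same external host; detection reports each step, and the trajectory query run afterwards ties them into one path, which is exactly the "scope extent of breach" use of retained flow records.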
AFTER an attack

IPS / AMP
• Retrospective analysis of threats
• Contain infected devices and files
• ISE provides quarantine

Benefit
• Fast threat scoping and remediation
• Trace and eliminate infections with the click of a button
• Map threat trajectory
Continuous IoT Threat Protection
Advanced Malware Protection For IoT

[Diagram: AMP for Networks (FireSIGHT/ASA Sensor, FireSIGHT Management Center, AMP Malware license) and AMP for Endpoints; Detection Services & Big Data analytics reached through a proxy (SSL:443 | 32137; Heartbeat: 80); On-Prem SaaS Manager option (✖ cloud / ✔ on-prem).]

The catch? Detection is "in the cloud".
"On-prem" addresses cloud objections.
Sophisticated and Continuous Protection

Point-in-Time Protection (File Reputation & Sandboxing)
• One-to-One Signature
• Fuzzy Finger-printing
• Machine Learning
• Advanced Analytics
• Dynamic Analysis

Retrospective Security (Continuous Analysis)
• Continuous feed
• File and Network I/O
• Process Information

Breadth and control points: Email, Endpoints, Web, Network, IPS, Devices. A telemetry stream carries file fingerprints and metadata from all of them.
Analyse The IoT Threat!
1. Submission: analyst (portal) or system (API) submits suspicious sample to Threat Grid.
2. Proprietary Analysis: an automated engine observes, deconstructs, and analyzes using multiple techniques.
3. Correlation at Unprecedented Scale: system correlates sample result with millions of other samples / billions of artifacts.
4. Enriched Content Integration: actionable intel generated that can be packaged and integrated into a variety of existing systems.
Threat Research, Intelligence, Response

[Figure: threat intelligence sources feeding detection content]
Sources: WWW, Email, Endpoints, Web, Networks, IPS, Devices; Advanced Industry Disclosures; Outreach Activities
• 100 TB Intelligence
• 1.6M sensors
• 150 million+ endpoints
• 35% email world wide
• FireAMP™, 3+ million
• 13B web req
• 180,000+ Files per Day
• 1B SBRS Queries per Day
• 3.6PB Monthly through CWS
Outputs: Dynamic Analysis, Threat Centric Detection Content, SEU/SRU, Sandbox, VDB, Security Intelligence, Email & Web Reputation
Bringing It All Together
Network-Wide Security with Differential Applications

Before
• Secure Access
– IT: Role-based access for individuals and groups; VPN/remote access for most systems throughout the network; Complex passwords with lockout policies
– OT: Role-based access to few individuals; VPN to few systems and users; Badge readers/integrated sensors; Simplified passwords (except for the most critical systems)
• Security Group Tagging
– IT: Tags traffic based on device policy; Enforces access control based on tag
– OT: Enhanced segmentation for required groups only; Dynamic, topology-independent enforcement

During
• Intrusion Prevention/Detection
– IT: IPS – enforces policies
– OT: IDS – sends security alert only
• Threat Mitigation
– IT: Quarantine affected system
– OT: Analysis of the threat to determine appropriate action
• Data Integrity and Confidentiality
– IT: Data Loss Prevention (DLP)
– OT: Combined physical and cybersecurity access controls
• Network-wide Policy Enforcement (IT and OT): Differentiated actions based on value, function, and location of the device

After
• Retrospective Security Policies (IT and OT): Centralised remediation and adaptation
IoT Can Actually Increase Security Posture
• Network of Security Devices
– Cyber Security: Firewall, IDS
– Physical Security: IP cameras, badge readers, analytics
• Actionable Security Intelligence
– Automated / M2M
– Human Response
• Remote Capabilities
– Configuration and Management
– Collaboration Between Groups

[Diagram: NG Firewall, IDS, Security Intelligence, Video+Analytics, Secure Access]
Conclusion: Securely Embrace IoT!
• New challenges require new thinking!
– avoid operational siloes
– networking and convergence are key
– a sound security solution is integrated throughout
– build for the future
• Security must be pervasive
– inside and outside the network
– device- and data-agnostic
– proactive and intelligent
• Intelligence, not data
– convergence, plus analytics
– speed is essential for real-time decisions
