Not a week goes by without some sort of vulnerability or breach associated with the IoT taking place. More devices, varied devices, and the rise of far more sophisticated attackers have led to big IT firms investing in their own security capabilities while our government issues executive orders trying to compel companies to invest in better security.
Today’s version of better security requires layers. And after a conversation with Kate Scarcella, chief cybersecurity architect at Micro Focus, I’m convinced that monitoring device behavior will be one of those layers. Much like law enforcement officials trying to assess threats look for suspicious behavior exhibited by people, Scarcella believes devices can provide a set of “tells” after they’ve been compromised.
All we need is software that can spot the one weird device out of thousands.
This isn’t a new idea, even for the IoT. I recall having a similar discussion with Google engineers when discussing the Weave protocol for the smart home. Weave didn’t really go anywhere (now we’re focused on Matter), but Scarcella’s version is designed for enterprise and industrial deployments.
Simply put, if a security camera turns off in the middle of the night when it normally stays on, or if a multimode sensor starts trying to check for light levels when historically it has only collected temperature data, that could indicate an intruder or malware on the network or device. Currently, several companies evaluate device behavior on a network, checking to see if, for example, a camera is trying to contact an industrial controller or a TV in a conference room is trying to call out to a server in China. But evaluating a device’s behaviors generally includes more than just how it behaves on the network.
Other behaviors can include whether a device is on or off, the time of day or week it operates, the processes it’s trying to perform — even command-line behavior on Linux machines. And yes, good software will also measure network connections within the network.
Of course, analyzing all of these variables across thousands of devices is tough, which is why Micro Focus turned to machine learning experts from Interset, which it bought in 2019. (You knew there would be machine learning involved, right?) Honestly, most of the math the Interset folks are using is common to statistics, but they are crunching a lot of numbers for their anomaly detection algorithms.
When oddities are detected, Interset pushes those “weird behaviors” up to a dashboard for a human to review. Interset’s anomaly detection isn’t limited to IoT devices or to security use cases; Micro Focus is simply packaging up the statistics for security and then signing deals with other companies to get those analytics out into the embedded world.
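To make the per-device "tells" above concrete, here is an added example (not code from Micro Focus, Interset or the article) of the simplest form of this baselining: learn which (kind, detail) behaviours each device normally shows in each hour of the day over a training window, then flag a new day's behaviours that were never seen in that slot and expected behaviours that fail to occur. Device names, the telemetry layout and the three planted deviations are constructed; a real deployment would add per-process and command-line features, weekday/weekend slots and rate-based scoring rather than presence alone.

```python
from collections import defaultdict
EXPECTED_RATIO = 0.9  # seen on 90%+ of baseline days => "expected" in that hour slot

def build_baseline(events):
    """events: (day, device, hour, kind, detail) tuples from normal operation.
    Returns ({(device, hour): {(kind, detail): days_seen}}, total_days)."""
    seen = defaultdict(lambda: defaultdict(set))
    days = set()
    for day, device, hour, kind, detail in events:
        seen[(device, hour)][(kind, detail)].add(day)
        days.add(day)
    slots = {s: {b: len(d) for b, d in v.items()} for s, v in seen.items()}
    return slots, len(days)

def score_day(baseline, events):
    """Alerts: (device, hour, 'novel'|'missing', (kind, detail)). 'novel' = never
    seen in that hour slot during the baseline; 'missing' = expected but absent."""
    slots, n_days = baseline
    observed = defaultdict(set)
    for _, device, hour, kind, detail in events:
        observed[(device, hour)].add((kind, detail))
    devices = {d for d, _ in slots} | {d for d, _ in observed}  # new devices count too
    alerts = []
    for device in devices:
        for hour in range(24):
            normal = slots.get((device, hour), {})
            today = observed.get((device, hour), set())
            alerts += [(device, hour, "novel", b) for b in today if b not in normal]
            alerts += [(device, hour, "missing", b) for b, n in normal.items()
                       if n >= EXPECTED_RATIO * n_days and b not in today]
    return sorted(alerts)

def constructed_history(n_days=14):
    """Constructed baseline: camera heartbeats hourly, sensor reports temperature
    08-17, conference-room TV only ever talks to one CDN host."""
    ev = []
    for day in range(n_days):
        ev += [(day, "cam-lobby", h, "status", "on") for h in range(24)]
        for h in range(8, 18):
            ev += [(day, "sensor-7", h, "reading", "temperature"),
                   (day, "tv-conf", h, "net", "cdn.example")]
    return ev

def constructed_today():
    """Constructed day 14 with three planted deviations matching the article's cases."""
    # Take a normal day 14 but drop the camera's 03:00 heartbeat (camera went dark).
    ev = [e for e in constructed_history(15) if e[0] == 14 and e[2:] != (3, "status", "on")]
    ev.append((14, "sensor-7", 10, "reading", "light"))          # new data type
    ev.append((14, "tv-conf", 12, "net", "plc-01.ot.internal"))  # new destination
    return ev
```

Calling `score_day(build_baseline(constructed_history()), constructed_today())` yields exactly three alerts: the camera missing its 03:00 heartbeat, the sensor's novel light reading, and the TV's novel connection to the controller.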
Micro Focus sells the data analysis to Karamba Security, an Israeli IoT security startup I profiled last year. Karamba actually puts its own software on embedded devices and then uses the analytics to track that device behavior for clients.
As someone who tries to keep up with all of the potential weak points and new technologies aimed at securing the IoT, I think looking at this element of device behavior might help businesses with tons of embedded devices, especially if those devices are already in the field, where it can be impossible to update them with a security provider’s software agent, or if the devices are simply too constrained to run security software at all.