
Michele D. Guel Distinguished Engineer, Cisco

Presentation Transcript


  1. Security Risks & Mitigation Approaches in the IoT Michele D. Guel Distinguished Engineer, Cisco

  2. A Typical Connected Day in 2017

  3. How Connected Are We?
     • How many smart devices, apps and providers
       • Personal
       • Work
       • Hybrid
     • How many social media “connections”
     • How much “background” traffic?
     • What is your security confidence level?
       • At Home
       • At Work
       • In the world

  4. What are Some Challenges?
     • Loss of privacy
     • Loss of humanity
     • New, unforeseen attack vectors
     • Increased risk of targeted attacks
     • Increased need for new laws and regulations
     • Exponential expansion of the threat landscape

  5. The Bottom Line… • “Almost everything that can be used for good can also be used for bad.” Are We Ready?

  6. ISACA 2015 Risk Reward Barometer

  7. IoT is Moving at Warp Speed
     • Balance speed of business with security
     • Embrace that security is a joint effort
     • Expect data proliferation on the order of petabytes
     • Prioritize lagging architectures

  8. Enterprises are Still Lagging
     • Aging infrastructure
       • 92% running vulnerable
       • 32% end of sale
     • Trailing security posture
       • 64% in 2014
       • 59% in 2015
     • Time to detect is not decreasing

  9. DNS Attacks are Still a Blind Spot
     • Monitoring is not common
     • DNS monitoring should be used as an early warning system
     • 91.3% of malware uses DNS in attacks
     • IoT devices need DNS
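The slide says DNS monitoring should act as an early warning system but does not show what that looks like in practice. The following is an added example, not part of the original deck, of a small detector run over constructed resolver log lines. It flags three patterns that commonly show up in malware DNS traffic: long or random-looking (high-entropy) leftmost labels, a burst of NXDOMAIN answers to one client, and one client asking for many distinct subdomains of a single parent domain. The log format, the client addresses and all thresholds are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname> <rcode>" per line.
# 10.0.0.5 behaves normally; 10.0.0.9 cycles through random-looking names that
# do not resolve; 10.0.0.7 is a thermostat that suddenly asks for a very long label.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 cdn.example.net NOERROR
1700000002 10.0.0.9 a8f3k2m9x1q7z4w6.update-host.test NXDOMAIN
1700000003 10.0.0.9 q2w9e4r7t1y6u3i8.update-host.test NXDOMAIN
1700000004 10.0.0.9 z7x4c1v8b5n2m9l6.update-host.test NXDOMAIN
1700000005 10.0.0.9 p3o6i9u2y5t8r1e4.update-host.test NXDOMAIN
1700000006 10.0.0.9 l5k8j1h4g7f0d3s6.update-host.test NXDOMAIN
1700000007 10.0.0.9 m2n5b8v1c4x7z0a3.update-host.test NXDOMAIN
1700000008 10.0.0.7 thermostat.vendor.example NOERROR
1700000009 10.0.0.7 4d6a7e5f2c1b3e9f0a1b2c3d4e5f6a7b8c9d0e1f.exfil.example NOERROR
"""

# Hypothetical thresholds; tune them against your own baseline traffic.
NXDOMAIN_BURST = 5    # NXDOMAIN answers to one client before alerting
MAX_LABEL_LEN = 32    # a leftmost label longer than this is unusual
ENTROPY_LIMIT = 3.5   # bits per character; random-looking labels score higher
DISTINCT_SUBS = 5     # distinct leftmost labels under one parent, per client


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for a one-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Parse one constructed log line into a dict (ValueError on a malformed line)."""
    epoch, client, qname, rcode = line.split()
    return {"ts": int(epoch), "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def parent_domain(qname):
    """Approximate parent: the last two labels (no public-suffix list in this example)."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text):
    """Return a list of (alert_type, client, detail) tuples in detection order."""
    nx_by_client = Counter()
    subs = defaultdict(set)   # (client, parent domain) -> set of leftmost labels
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        client, qname = rec["client"], rec["qname"]
        leftmost = qname.split(".")[0]

        # 1. Tunnelling / DGA-style names: long or high-entropy leftmost label.
        if len(leftmost) > MAX_LABEL_LEN or shannon_entropy(leftmost) > ENTROPY_LIMIT:
            alerts.append(("suspicious_label", client, qname))

        # 2. NXDOMAIN burst: a client walking through names that do not exist.
        if rec["rcode"] == "NXDOMAIN":
            nx_by_client[client] += 1
            if nx_by_client[client] == NXDOMAIN_BURST:   # alert once per client
                alerts.append(("nxdomain_burst", client, "%d failures" % NXDOMAIN_BURST))

        # 3. Many distinct subdomains of one parent requested by one client.
        key = (client, parent_domain(qname))
        subs[key].add(leftmost)
        if len(subs[key]) == DISTINCT_SUBS:               # alert once per pair
            alerts.append(("many_subdomains", client, key[1]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("%-17s %-10s %s" % alert)
```

On the constructed log the normal client produces no alerts, the thermostat trips the long-label check once, and the client with the random names produces a label alert per query plus one NXDOMAIN-burst and one many-subdomains alert. In a real deployment these alerts would feed the same pipeline as the NetFlow and IPS telemetry the deck mentions later, with the thresholds set from a baseline of each device class rather than the fixed numbers used here.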

  10. Common Attack Patterns Have Emerged
     • Endpoints (sensors, devices, hubs)
       • Web based attacks (command/SQL injection, CSRF)
       • Altered firmware
       • Physical tampering to force report
       • Old / vulnerable firmware
     • Communication channels (ZigBee, Bluetooth, Wi-Fi)
     • Cloud infrastructure (identity, policies, firmware updates, etc.)
     • User facing UI controls (AAA)
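The slide lists command/SQL injection and CSRF as the web-based attack patterns seen against IoT endpoints. The following is an added example, not taken from the deck, showing each vulnerable pattern beside its hardened form for a hypothetical hub API: a device lookup built by string concatenation versus a parameterised query, a ping command assembled as a shell string versus an allow-listed argv list, and a CSRF token compared in constant time. The device table, hostnames and function names are constructed for the example; only the Python standard library is used, so it runs offline.

```python
import hmac
import re
import secrets
import sqlite3

# Constructed sample device inventory for a hypothetical IoT hub.
SAMPLE_DEVICES = [
    ("thermostat-1", "10.0.0.7", "1.4.2"),
    ("camera-2", "10.0.0.12", "0.9.8"),
    ("lock-3", "10.0.0.21", "2.0.0"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, ip TEXT, firmware TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    return conn


# --- SQL injection: vulnerable versus hardened -----------------------------

def lookup_device_vulnerable(conn, name):
    """Concatenates user input into the statement, so input is parsed as SQL."""
    sql = "SELECT name, ip, firmware FROM devices WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_device_hardened(conn, name):
    """Parameterised query: the driver binds `name` as data, never as SQL text."""
    sql = "SELECT name, ip, firmware FROM devices WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- Command injection: vulnerable versus hardened -------------------------

# RFC 1123-style hostname: alphanumeric labels with inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host):
    """Returns the string such code would hand to subprocess with shell=True;
    any shell metacharacter in `host` becomes part of the command line."""
    return "ping -c 1 " + host


def ping_command_hardened(host):
    """Allow-list the input, then return an argv list for subprocess.run(argv)
    with shell=False, so `host` is a single argument and no shell parses it."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


# --- CSRF: per-session token checked in constant time ----------------------

def issue_csrf_token():
    """Random token stored in the server-side session and embedded in forms."""
    return secrets.token_urlsafe(32)


def verify_csrf(session_token, submitted_token):
    """True only when a submitted token matches the session's token exactly."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # classic textbook input used only to show the contrast
    print("vulnerable lookup rows:", len(lookup_device_vulnerable(conn, probe)))
    print("hardened lookup rows:  ", len(lookup_device_hardened(conn, probe)))
    print("hardened argv:", ping_command_hardened("thermostat-1.lan"))
    try:
        ping_command_hardened("thermostat-1;ls")
    except ValueError as exc:
        print("rejected:", exc)
```

The contrast is the point: the concatenated query returns every row for the textbook input while the parameterised one returns none, and the argv builder rejects any host that is not a plain hostname rather than trying to escape shell metacharacters. The same allow-list idea applies to firmware-update and device-control endpoints on the hub, where the input should be validated against what the device can legitimately be asked to do.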

  11. “As is often the case, consumer demand for new and exciting technologies have far surpassed the implementation of security measures.”
      Smart Watch Vulnerability Study

  12. Overview How Do We Catch Up?

  13. Better, Faster, More Agile Block and Tackle

  14. “Extend” Your Security Team
     • Security Leaders
       • Ensure end to end security
       • Raise awareness of security in area
       • Ensure sufficient security “doers”
       • Develop security strategy for area
       • Ensure security has a seat at the table
       • Message up to leadership
     • Security “Doers”
       • Perform security architecture & deployment reviews
       • Complete security artifacts
       • Act as SME to clients for area
       • Continuous learners on security
       • Develop trusted partnerships

  15. Expand Visibility on Risk Posture
     • Service level risks
     • Infrastructure vulnerabilities
     • Process maturity & compliance
     • Coverage of Leaders & Doers
     • Regular pen tests
     Need C-level visibility to trending values

  16. Consider CIS Critical Controls Framework
      Operationalization of “20 Critical Controls”
     • Be sufficient in all 20 controls in Production & Extranet network
     • Be sufficient in most critical controls across labs, engineering, and other non-IT
     • Add compensating controls where culturally not appropriate
     • Measure posture of acquisitions using 20 controls
     • Automate Metric & Test portion of controls
     • Self reporting when something goes wrong
     • Score twice a year and report metrics
      https://www.cisecurity.org/critical-controls.cfm

  17. Minimize the Attack Surface

  18. Keys to Minimizing Attack Surface
     • “Trustworthy Products”
     • Full embodiment of Trusted Device Policy and technology to back it up
     • Pervasive differentiated access (e.g. use of ISE)
     • Mature behavioral based anomaly detection
     • Decrease “Mean Time to Detect” and “Mean Time to Contain”
     • Instrument the network – FireAMP, NGIPS, NetFlow everywhere
     • Segment the network – control zones, security group tags, data-aware

  19. Mature Your Monitoring Capability – Last 5%

  20. Manage & Control Data

  21. Mature Your Data Security Governance Strategy
     • Govern the data
       • Laws, contracts, and policies impose requirements on the data
       • Roles, responsibilities, ownership, etc. set the accountability
       • Training, awareness, and metrics to manage behavior
     • Protect the data
       • Manage use of data throughout the life cycle (i.e. collection → disposal)
       • Access and rights management
       • Incubate data-level security solutions
     • Go Deeper, Go Broader
       • Securing the foundation
       • System / Application / Data security
       • Monitoring and response
       • Risk management

  22. Key Tenets of Strong Data Protection
     • Policies and Standards
     • Identification and Classification
     • Data Risk and Organizational Maturity
     • Incident Response
     • Oversight and Enforcement
     • Privacy and Security by Design
     • Awareness and Education
     In 2017 data center hosted data will be 7.7 Zettabytes

  23. Adapt & Mature Cloud Engagement Models

  24. Scaling Cloud Engagements
     • Governance & Remediation
       • Assessment Questionnaires
       • Architecture Engagement Process
       • Terms of Use
       • Compliance
     • Security Architecture
       • Architecture Guiding Principles
       • Assessment & Design Reviews
       • Baseline Compliance Criteria
     • Monitoring and Incident Response
       • Logging & Monitoring Strategy
       • Event Analysis
       • Incident Response
     • Vulnerability Management & Remediation
       • Scanning methodology
       • Pen Testing Methodology
       • Remediation

  25. Key Takeaways
     • Implement “extended” teams
     • Master the basics – block & tackle
     • Expand accountability, visibility, knowledge
     • Minimize attack surface
     • Instrument the network
     • Mature data management
     • Mature cloud engagement models

  26. Resources & Interesting Reads
     • http://iwe.cisco.com/web/internet-of-everything-program
     • http://www.cio-today.com/news/Internet-Devices-Lure-Hackers/story.xhtml?story_id=12100B4EOO00
     • http://newsroom.cisco.com/feature-content?type=webcontent&articleId=1312830
     • http://www.cisco.com/web/IN/about/leadership/cyber_security_ioe.html
     • http://adtmag.com/Articles/2014/11/20/IoT-Security-Concerns.aspx?Page=2
     • http://blog.trendmicro.com/internet-everything-requires-attention-old-new-cybersecurity-risks-2/
     • http://www.simafore.com/blog/bid/207914/Data-and-Analytics-form-2-of-the-4-key-pieces-in-internet-of-things
     • http://blog.trendmicro.com/road-signs-hacked-ioe-security-takes-center-stage/
     • http://www.securityweek.com/top-10-things-cybersecurity-professionals-need-know-about-internet-everything

  27. Thank You @MicheleDGuel mguel@cisco.com
