Of the various new challenges of enterprise security in 2020, IoT devices are arguably the most pernicious, because they quietly follow the tradition of every dumb peripheral once it gets smart (a CPU) and gets an identity (an IP address). It happened with network printers, scanners, and fax machines (remember those?), and today it is happening with enterprise IoT lightbulbs, door locks, air conditioners, and thermostats.
But what takes the IoT threat today from merely horrible to disastrous is another 2020 network element that is changing the attack landscape: remote sites, or, more precisely, the soaring number of remote sites, most of them insecure. And yes, the fact that these remote sites were rushed into existence, and therefore sidestepped any reasonable security due diligence, doesn’t help.
These remote sites—the overwhelming majority of them home offices—come with consumer-grade IoT security headaches. Ernst & Young (EY) has labeled IoT “the single largest addition to the enterprise attack surface.” Home IoT that can now ride WiFi to your VPN and into your enterprise networks includes IoT-based refrigerators, doorbells, IP cameras, and Amazon Echos (“Alexa, download all of my employer’s payroll records”).
On the corporate side, the CISO’s top IoT Achilles’ heel is trust in the many manufacturers that create enterprise IoT devices. Even if those manufacturers are indeed trustworthy, if a manufacturer’s own security is compromised, bad actors can still do their evil through its devices. On the consumer side, meanwhile, most people don’t even bother to check the manufacturer’s claims, let alone its trustworthiness.
By the way, IoT devices do not necessarily need a corporate or consumer network at all. Some have their own antennas, allowing them to work around almost any network defense—except for DNS tracking.
This is all happening at a time when an enterprise’s traditional security defenses are crumbling under the weight of the new attack landscape. Firewall effectiveness, for example, is much lower than it was, and even before that, firewall coverage was fragmented: one firewall for this IT cloud, one for a line-of-business private cloud, one for on-prem. That doesn’t even count the vast number of shadow IT clouds.
But one defense that not only still works but works even better in this environment is DNS tracking. Security analysts can’t install endpoint software on IoT devices (assuming they even knew of, and had access to, every IoT device, neither of which is true), but DNS sees every lookup each IoT device makes. And it provides this visibility through a massive pool of forensic data.
DNS security analysis doesn’t rely on a device being authorized, being known to IT, or even being part of an employee’s own household (a neighbor’s IoT can tiptoe in). It simply needs the device to access the Internet, which every IoT device does. Some analysts have reported that as many as 90 percent of IoT devices are not known to the company’s CISO. With DNS, all IoT devices are detected and tracked.
This is where combined DNS, DHCP, and IPAM analysis can make a huge difference. Without DHCP data, it is hard to correlate disparate events related to the same device under investigation, especially in dynamic environments where addresses are reassigned. Without DNS and DHCP together, operations teams struggle to accurately identify compromised machines and have limited visibility into what resources the user of that machine has been accessing. And without public passive DNS and domain registration data, it is difficult to fully understand the scope of an adversary’s malicious infrastructure and to link related events.
DHCP discovery is much more effective than traditional network scanning, which can be disruptive and needs to be scheduled; as a result, scan data is often out of date. DHCP discovery is also far more comprehensive: based on the initial DHCP request, it feeds the IPAM database the full characteristics of the device (device type, OS, version) along with username, switch port, access point, physical location, MAC address, current and historical IPs and locations, and other user details.
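The correlation described above, as an added example that is not part of the original post: it joins a DHCP lease log to a DNS query log by IP address at the time of each query (so an IP that DHCP reassigns to another device is attributed correctly), then reports devices that the IPAM inventory does not list. The log layouts, MAC addresses, vendor classes, domain names, and the `IPAM_KNOWN` set are all constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample data, not real captures: DHCPACK lines in an ISC dhcpd-like layout
# with the client's vendor class (option 60) appended, plus resolver query-log lines.
DHCP_LOG = """\
2020-06-01T08:00:00 DHCPACK on 10.0.0.20 to aa:bb:cc:00:00:01 (laptop-jdoe) vendor=MSFT 5.0
2020-06-01T08:05:00 DHCPACK on 10.0.0.21 to aa:bb:cc:00:00:02 (smartbulb) vendor=BulbCo
2020-06-01T12:00:00 DHCPACK on 10.0.0.20 to aa:bb:cc:00:00:03 (ipcam-0042) vendor=CamCo
"""
DNS_LOG = """\
2020-06-01T08:10:00 client 10.0.0.20 query: login.corp.example
2020-06-01T08:11:00 client 10.0.0.21 query: api.bulbco-cloud.example
2020-06-01T12:30:00 client 10.0.0.20 query: upload.camco-telemetry.example
"""
IPAM_KNOWN = {"aa:bb:cc:00:00:01"}  # IPAM inventory of devices IT knows about (constructed)

DHCP_RE = re.compile(r"(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\) vendor=(.+)")
DNS_RE = re.compile(r"(\S+) client (\S+) query: (\S+)")

def parse_dhcp(text):
    """Return leases sorted by time as (ts, ip, mac, hostname, vendor)."""
    leases = []
    for m in filter(None, map(DHCP_RE.match, text.splitlines())):
        ts, ip, mac, host, vendor = m.groups()
        leases.append((datetime.fromisoformat(ts), ip, mac, host, vendor))
    return sorted(leases)

def lease_at(leases, ip, when):
    """Latest DHCPACK for `ip` at or before `when`, so a reused IP maps to the right MAC."""
    held = [l for l in leases if l[1] == ip and l[0] <= when]
    return held[-1] if held else None

def attribute_queries(dhcp_text, dns_text):
    """Map each MAC to its DHCP-derived identity and the names it resolved."""
    leases = parse_dhcp(dhcp_text)
    devices = {}
    for m in filter(None, map(DNS_RE.match, dns_text.splitlines())):
        ts, ip, qname = m.groups()
        lease = lease_at(leases, ip, datetime.fromisoformat(ts))
        if lease is None:
            continue  # no lease covers this query; a real pipeline would flag it
        _, _, mac, host, vendor = lease
        dev = devices.setdefault(mac, {"hostname": host, "vendor": vendor, "queries": []})
        dev["queries"].append(qname)
    return devices

def unknown_devices(devices, known=IPAM_KNOWN):
    """Devices seen on the wire that the IPAM inventory does not list."""
    return {mac: d for mac, d in devices.items() if mac not in known}
```

Running `unknown_devices(attribute_queries(DHCP_LOG, DNS_LOG))` surfaces the smart bulb and the IP camera with their vendor classes and the names they resolved, while the 12:30 query from 10.0.0.20 lands on the camera rather than the laptop that held that address in the morning.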
Isn’t it time your enterprise reevaluated what it is doing with DNS?