How IoT Device Discovery and Activity Detection can Work

Even as IoT device volume races towards 200 billion by 2020, the vast majority of our connected gadgets still have few or no security features in place – leaving them ripe for the picking by any bad actor with some hacking skills and an agenda.

These vulnerabilities are especially threatening given the personal nature of most IoT devices, which, if compromised, could give attackers not only extra soldiers for a malicious botnet, but also electronic eyes and ears to monitor our lives from afar. The gap between how much we rely on IoT devices and how secure they actually are continues to widen.

Consider the reality that few professional sys admins – let alone the average consumer – have any firm idea of how many devices are trying to connect to the web through their local network. In both homes and places of business, visitors or passers-by carry devices programmed to try continuously to connect to any available network. In this environment, IoT device discovery offers a critical foundation for an IoT security solution.

Even the most tech-savvy consumer or sophisticated sys admin would find it cumbersome to grapple with a process of manually registering and vetting each and every device as it joins the household or enterprise network. That’s just for known devices; such practices would be little help in scenarios where someone with bad intentions introduces an unknown device to the network.

Instead, dynamic IoT device discovery and profiling – which ideally should be included as a module within routers, UTMs, gateways, or similar devices that are in a position to see all inbound and outbound network traffic – is capable of recognizing and identifying specific devices on the network, even with no foreknowledge of what they might be.

It can accomplish this task for IoT devices of all types: household devices such as thermostats and appliances, Bluetooth devices, computers and mobile devices on the network, and virtually every device in the enterprise. To achieve this new and badly needed recognition, an IoT device discovery, profiling, and compromised-device detection solution needs to examine each device's traffic across all seven layers of the OSI model and consult a repository of known IoT device profiles.

For devices whose MAC addresses carry a very specific organizationally unique identifier (OUI) – a practice more common among brands that only make one type of device – successful profiling is usually completed within a minute of the device appearing on the network. To identify devices with OUIs shared by several different device types, a solution will run higher-order detections, relying on criteria such as port scanning and protocol analysis to accurately profile the device (which can take a few minutes longer).

Once connected devices are properly discovered and profiled, anomalous activity detection can be used to continuously analyze device behavior and compare it to what should be expected for that particular device. Detection criteria are also continually updated and adapted as devices and their uses evolve. This technological process can help ensure network safety as IoT adoption rises, even in cases where the security originally built into an IoT device itself is ineffective or just plain non-existent.
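The two stages described above, OUI-based profiling with escalation to higher-order (port-scan) detection for ambiguous OUIs, and a per-profile behaviour check, as an added illustration that is not code from the article or from any vendor's product. The OUI table, device profiles, port lists and traffic records are constructed sample data, not real assignments.

```python
"""Added example (not from the article): OUI-based device profiling with
escalation to higher-order detection, plus an expected-behaviour check."""

# Constructed sample repository: OUI (first 3 bytes of the MAC) -> candidate
# profiles. A single-product vendor maps to one profile; a shared OUI to several.
OUI_PROFILES = {
    "AA:BB:01": ["smart-thermostat"],
    "AA:BB:02": ["ip-camera", "smart-speaker", "mobile-phone"],
}

# Constructed sample profiles: the listening ports a port scan is expected to
# find (used to resolve a shared OUI) and the outbound ports the device type
# is expected to use (used by the anomaly check).
PROFILES = {
    "smart-thermostat": {"open_ports": set(), "outbound_ports": {443}},
    "ip-camera": {"open_ports": {80, 554}, "outbound_ports": {443, 554}},
    "smart-speaker": {"open_ports": {8009}, "outbound_ports": {443, 8009}},
    "mobile-phone": {"open_ports": set(), "outbound_ports": {80, 443, 5223}},
}


def oui(mac: str) -> str:
    """Normalise a MAC address (colon or dash separated) and return its OUI."""
    digits = mac.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def profile_device(mac: str, open_ports=None):
    """Fast path: a unique OUI yields the profile directly.
    Otherwise return None until port-scan evidence resolves the candidates."""
    candidates = OUI_PROFILES.get(oui(mac), [])
    if len(candidates) == 1:
        return candidates[0]
    if open_ports is None:
        return None  # unknown or shared OUI; higher-order detection not yet run
    matches = [p for p in candidates if PROFILES[p]["open_ports"] == set(open_ports)]
    return matches[0] if len(matches) == 1 else None


def anomalous_flows(profile: str, dst_ports):
    """Return the outbound destination ports that fall outside the profile's
    expected set, i.e. the device is behaving against type."""
    expected = PROFILES[profile]["outbound_ports"]
    return sorted({p for p in dst_ports if p not in expected})
```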

If any device on the network is suddenly behaving against type or is producing suspicious traffic – either because it has become compromised, does not possess up-to-date software, or belongs to a user who is simply up to no good in the first place – that activity will be detected in real time, and any harmful effects can be neutralized by the admins or consumer end users overseeing the network. This detection can also report particularly vulnerable devices and oversee their activity with the care that is due.

Because any device added to a network is detected, profiled, and scanned at the router level, these solutions scale as the number of connected devices continues to increase. However many devices the customer has, that is how many the IoT device discovery will detect and profile, on a per-device basis as each comes onto the network.

With both expected and anomalous behavior continuously subjected to detection algorithms in real time, consumers have the benefit of immediate notification and protection measures when troublesome behavior does occur. This gives them the power to fully mitigate threats, even in the face of the IoT's many dangers.
