Guest Column | April 12, 2017

Cybersecurity And The IoT: From Incident Response To Continuous Response


By Rishi Bhargava, Co-Founder, Demisto

There’s no doubt the Internet of Things (IoT) will eventually take over the digital universe. By 2020, IDC predicts there will be more than 210 billion connected devices available, with at least 30 billion actively communicating online. Sensors are expected to number in the trillions within the decade.

The proliferation of connected devices offers innovative ways for businesses to transform themselves, enhance productivity, improve profitability, and engage customers. However, these benefits come at a price: an increased attack surface.

The IoT is a revolutionary melding of the physical world with the digital world, and organizations do not control the physical part. A study by Hewlett Packard found 70 percent of the connected devices analyzed were vulnerable to attack, and the average number of vulnerabilities per device was 25. When considering modern hackers’ advanced skills, as well as the fact that many are either state-sponsored or members of highly efficient criminal gangs, it’s easy to see the IoT presents new threats requiring a new approach to security.

From Incident Response To Continuous Response

Historically, companies have done a poor job detecting breaches, and haven’t fared any better handling an incident. Part of the problem can be traced to mindsets. Incident response was often viewed strictly as a reaction to a cyberattack. More attention was paid to hardening defenses to prevent a successful attack than to learning from past incidents or preparing for the inevitable attack. Continuous response, however, is a proactive defense.

  • A policy of continuous response lets organizations close gaps. Automated tools can detect attacks based on behavior, context, and indicators of compromise.
  • Continuous response treats a network as if it is already compromised rather than waiting for an attack to occur.
  • Automated workflows let companies deny attackers, quarantine compromised devices, and provide forensic evidence.
  • Continuous response lets organizations stay ahead of evolving threats and strengthen defenses with every incident.

Continuous response is not just a plan to respond to a one-time incident. It is a strategy to keep all hackers at bay, including those leveraging IoT to launch their attacks. At its core, continuous response for IoT security relies on the following cybersecurity best practices.

  • Understand the environment. It’s difficult to protect unknown activities. It’s important to understand the infrastructure as well as how an organization connects to vendors, customers or other partners. What IoT devices are connected and what are their known vulnerabilities? Where is sensitive data or intellectual property stored? The more an organization knows about the environment, the better it can protect the assets.
  • Create a strong response plan and continually update it. New threats are evolving even more rapidly than innovative technologies. Staying vigilant is key, and that includes making sure the incident response plan is robust enough to handle new methods of attack.
  • Learn everything about the strategies hackers are using, specific vulnerabilities in IoT devices, and innovative technologies to safeguard assets. There are many websites dedicated to cybersecurity where the latest news about hackers and their methods, known vulnerabilities, and effective strategies can be found for keeping attackers at bay. Learn to think like a hacker to uncover the system’s weaknesses before the criminals have the chance to exploit them.
  • Align cybersecurity with business objectives. CISOs are no longer technicians whose only goal is to deny hackers access. The position has evolved to include protecting the brand, ensuring regulatory compliance, and assisting with risk management. Assessing, analyzing, and aligning security efforts are typically tasks not all that difficult for CISOs to master. However, many could improve their communication skills when relating to other C-level executives. CISOs must master the ability to define their security strategies in business terms that resonate with the other party and demonstrate cybersecurity is a group effort.
  • Despite the old saying, practice does not necessarily lead to perfection. However, it can build confidence in the response system among team members and upper management. If necessary, stage mock attacks so response team members have plenty of opportunities to practice. The goal is to have everyone involved react quickly and properly because they know precisely what they need to do, to whom they should report, and what is within their scope of responsibility.
  • Mine the data. Stream processing handles each new event or record in real time as it arrives, allowing known exceptions and patterns to be identified and acted upon immediately. Mining the stored data, by contrast, allows previously unknown patterns to be identified. Conduct internal hunting expeditions to find suspicious activities that could signal a new method of attack.
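To make the continuous-response bullets above concrete (detect on indicators, context and behavior; automatically quarantine a compromised device; keep a forensic record), here is an added toy stream processor, not code from the column or from Demisto. The device names, the destination addresses and the "known bad" indicator are all constructed placeholders; the behavioral rule (flag any destination outside a short learned baseline) is a deliberately simple stand-in for a real anomaly model.

```python
"""Toy continuous-response pipeline over a stream of IoT device events.

Each event is processed as it arrives. A device is quarantined when it
contacts a known-bad indicator, or when it contacts a destination outside
the baseline learned from its first few events. Every decision is recorded
so the action log doubles as forensic evidence.
"""
from collections import defaultdict

# Constructed placeholder indicator (TEST-NET-3 address), not a real IoC.
KNOWN_BAD = {"203.0.113.45"}


class ContinuousResponder:
    def __init__(self, baseline_window=3):
        self.baseline_window = baseline_window     # events used to learn context
        self.baseline = defaultdict(set)           # device -> destinations seen
        self.seen = defaultdict(int)               # device -> events processed
        self.quarantined = set()                   # devices already isolated
        self.actions = []                          # (device, action, reason) log

    def process(self, event):
        dev, dst = event["device"], event["dst"]
        if dev in self.quarantined:                # network treated as compromised:
            return self._act(dev, "drop", f"quarantined, dst={dst}")  # keep isolating
        if dst in KNOWN_BAD:                       # indicator of compromise
            return self._act(dev, "quarantine", f"known indicator {dst}")
        self.seen[dev] += 1
        if self.seen[dev] <= self.baseline_window: # build per-device context
            self.baseline[dev].add(dst)
            return self._act(dev, "learn", f"baselining {dst}")
        if dst not in self.baseline[dev]:          # behavioral deviation
            return self._act(dev, "quarantine", f"new destination {dst}")
        return self._act(dev, "allow", dst)

    def _act(self, dev, action, reason):
        if action == "quarantine":
            self.quarantined.add(dev)
        record = (dev, action, reason)
        self.actions.append(record)                # forensic trail
        return record


def run_stream(events):
    """Feed events through the responder; return the action log and quarantined set."""
    responder = ContinuousResponder()
    return [responder.process(e) for e in events], responder.quarantined


# Constructed sample telemetry: two devices, one hitting the placeholder
# indicator and one drifting to an address outside its learned baseline.
SAMPLE_EVENTS = [
    {"device": "cam-01", "dst": "10.0.0.5"}, {"device": "cam-01", "dst": "10.0.0.5"},
    {"device": "cam-01", "dst": "10.0.0.7"}, {"device": "cam-01", "dst": "10.0.0.5"},
    {"device": "thermo-02", "dst": "203.0.113.45"}, {"device": "cam-01", "dst": "198.51.100.9"},
    {"device": "thermo-02", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    for record in run_stream(SAMPLE_EVENTS)[0]:
        print(record)
```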

The rapid growth of IoT devices has made many cybersecurity professionals extremely uncomfortable, but connected devices are not going to disappear. Gartner estimates organizations will dedicate 60 percent of their cybersecurity budgets to “rapid detection and response” — otherwise known as continuous response — by 2020. CEOs and board members are accepting the fact that attacks are going to happen and that emphasis must shift from preventing attacks to responding to them.

Security automation and orchestration platforms can help with automating response processes, building playbooks, and otherwise enhancing cybersecurity. Automation platforms can help take an organization from incident response to continuous response.