
Visibility to Secure the Internet of Things


Armis’ value is that it discovers everything, said the company’s regional VP in APJ, Andrew Draper. “We see everything.”

And this is valuable for cybersecurity professionals and solutions that need to protect assets, data, and the integrity and availability of those data and assets. If nothing is known about what has to be protected, how does one start to protect it?

“Everything, at the end of the day, is a device,” Andrew said.

“And Armis ticks all these boxes – it’s securing OT (operational technologies), industrial control systems (ICS), building management systems (BMS), IoT (Internet of Things) devices.”

Speaking over a Zoom call, Andrew explained what Armis does and then shared where he saw the threat landscape heading, starting from five to six years ago.

“A CISO once said to me, ‘The biggest thing that is starting to worry me, is ransomware.’ And it wasn’t a joke. We’ve seen how it’s evolved now to be a major issue,” Andrew said, highlighting at the same time that after working for so long in the industry, one could see trends as they emerge.

Visibility with Armis

Armis calls itself the industry leader in agentless security, but what this boils down to is a platform that discovers, analyses, and protects devices within range of a distributed network perimeter.

Armis’ uniqueness lies in the scale of what it protects: not just endpoints within an enterprise network, but also endpoints on the networks of healthcare organisations, manufacturers, or large utility plants.

These healthcare, manufacturing or utility environments can contain critical endpoints which cannot afford to stop working, for example computerised systems that manage pipeline operations.

United States-based Colonial Pipeline, which operates the largest petroleum pipeline in that country, had to halt operations for 6 days to contain the attack upon its systems. By the second day, President Biden declared a state of emergency, and on the fourth day, panic buying led to fuel shortages at filling stations in parts of the country.

According to Wikipedia, industrial control systems, or ICS, encompass several types of control systems and associated instrumentation used for industrial process control. They can be as small as a few panel-mounted controllers, all the way up to large interconnected control systems. All of these can usually be found in large industrial factories.

It is so crucial for these systems to keep operating that a typical ICS environment used to be an air-gapped network, regarded as impregnable. But this is no longer the case.

Armis has observed that these systems are now connected to enterprise networks, to the Internet, or to business partners’ networks that provide remote support, and so on.

As a result, cyber attackers can more easily find their way into OT environments, through devices connected to the Internet, and through all these different networks that are slowly but surely converging.

What has changed?

Not only are environments and their formerly siloed networks converging; behaviours and threats are evolving as well.

As a result, the people that cybersecurity vendors speak to about securing systems are slowly but surely changing.

Andrew described, “Information security experts traditionally would not have talked to the people who are in control of managing buildings and their physical security and safety, for example about fire suppression systems, or lifts, or other things in a building.

“We would never have perceived these (facilities) as being a security threat that needs to be discussed. But now, we are bringing these people into discussions to expand their thinking and understanding of risks that are involved, I would say is the slightly different thing we are doing today compared to other vendors I have traditionally worked at.”

So, Armis works to identify assets, that is, all the various individual devices that are connected to the business’s network. “If we are talking about a bank, the security camera is a great example of an asset which could be hacked and turned into a ‘spying’ tool, or be manipulated so nefarious events remain hidden.

“Or the camera could be used to deliver a ransomware payload, or it becomes a vulnerability to allow criminals to hack into a business.

“Armis will identify these devices, categorise them, and give you the analysis and trends of their ‘behaviours’,” Andrew said.

Lots of connected devices – sheer volume

We have known for a very long time that the number of devices going online and being interconnected with one another is increasing exponentially.

Andrew shared, “Our research shows that 80 percent of these devices we are talking about have zero chance of ever having any form of security software loaded onto them; they are completely unmanageable.”

A majority of the sensors and wearables going out into the world are not the computer systems we are used to having on our desktops or laps, because they are too small to contain operating systems. But this does not exclude them from the risk of being compromised.

The same goes for the convergence of IT, OT and medical devices that we see happening around us.

“In a medical context, you may have an MRI machine. It’s medical technology but sitting next to it is probably a Windows workstation. The same goes for a processing machine in a factory,” Andrew pointed out.

Simple devices without CPUs or operating systems may not hold the valuable information cybercriminals want to extract and monetise, such as banking details, but their telemetry can help in detecting aberrant behaviour in network traffic.

When telemetry from one sensor or a collection of sensors is aggregated, Armis can learn more about the network traffic and assign it a risk rating based on its database of threat intelligence and vulnerabilities.

“We partner with technology vendors for example Checkpoint’s firewall, and can inform their detection response decisions. We can advise to potentially block a device, or segment it into a certain zone until we can observe it, or trigger a vulnerability scan, or alert it to a security incident mechanism.

“This is the greater visibility, and economic value that we can give to our customers.”

Armis partners extensively, not only with technology vendors like Checkpoint, Meraki, IBM, Gigamon, and others, but also service providers like Accenture, Capgemini, Blackberry, Deloitte, and many more.

Best practices

Enterprises need a comprehensive security approach that secures both IT and ICS environments. Such a platform needs to be able to:

  • Generate a comprehensive inventory of all connected devices (OT & IT)
  • Identify risks associated with every device
  • Monitor the behavior and communication patterns of every device
  • Identify policy violations such as deviations from the Purdue reference architecture
  • Detect attack techniques such as those listed in the MITRE ATT&CK model
  • Take automated actions to thwart attackers
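As an added illustration of the inventory, communication-monitoring and Purdue-policy items above (not Armis code, and not from the article), the following Python checks constructed flow records against a constructed device inventory with Purdue levels: any host absent from the inventory is flagged as a visibility gap, and any flow that skips more than one Purdue level is rated and marked as a segmentation candidate. The addresses, device names, level assignments and flows are all hypothetical.

```python
# Purdue reference levels; 5 stands in for the enterprise/Internet boundary.
LEVEL_NAMES = {0: "process", 1: "control", 2: "supervisory",
               3: "site ops", 4: "enterprise", 5: "external"}

# Constructed inventory (hypothetical addresses): ip -> (device name, Purdue level)
INVENTORY = {
    "10.0.1.10": ("plc-boiler-1", 1),
    "10.0.2.20": ("hmi-line-a", 2),
    "10.0.3.30": ("historian", 3),
    "10.1.0.40": ("erp-app", 4),
    "10.1.0.41": ("cctv-lobby", 4),
}

# Constructed flow records: (src ip, dst ip, dst port)
SAMPLE_FLOWS = [
    ("10.0.2.20", "10.0.1.10", 502),    # HMI -> PLC over Modbus: adjacent levels
    ("10.0.3.30", "10.0.2.20", 44818),  # historian -> HMI: adjacent levels
    ("10.1.0.40", "10.0.1.10", 502),    # enterprise host -> PLC: skips two levels
    ("10.1.0.41", "203.0.113.5", 443),  # camera -> host not in the inventory
]

def level_of(ip):
    """Purdue level of an inventoried host, or None if the asset is unknown."""
    entry = INVENTORY.get(ip)
    return entry[1] if entry else None

def classify_flow(src, dst, port):
    """Return (severity, src, dst, port, reason) for a flow that needs attention,
    or None when the flow stays within adjacent Purdue levels."""
    src_lvl, dst_lvl = level_of(src), level_of(dst)
    if src_lvl is None or dst_lvl is None:
        # No inventory entry means no visibility: flag it before rating it.
        return ("high", src, dst, port, "flow involves a host missing from inventory")
    gap = abs(src_lvl - dst_lvl)
    if gap <= 1:
        return None
    # Direct reach into level 0/1 (the physical process) is the worst case.
    severity = "critical" if min(src_lvl, dst_lvl) <= 1 else "high"
    reason = (f"{LEVEL_NAMES[src_lvl]} (L{src_lvl}) -> {LEVEL_NAMES[dst_lvl]} (L{dst_lvl})"
              f" skips {gap - 1} level(s); candidate for segmentation")
    return (severity, src, dst, port, reason)

def check_flows(flows):
    """Run classify_flow over every (src, dst, port) tuple and keep the findings."""
    return [f for f in (classify_flow(*t) for t in flows) if f is not None]

if __name__ == "__main__":
    for severity, src, dst, port, reason in check_flows(SAMPLE_FLOWS):
        print(severity.upper(), f"{src} -> {dst}:{port}", reason)
```

In a real deployment the findings would feed the automated actions the list mentions, such as moving the offending host into a quarantine zone on the firewall.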

Armis’ business expansion

According to Andrew, Armis has in the past 12 months identified Australian and ASEAN businesses as very important springboards to the rest of the APJ region.

But what is the lever to help them with their expansion?

For Malaysia at least, Andrew has identified that this requires finding the right partners to go to market with, from Day One.

“And when I say the right partner, for me that is more about what value we can bring to them and how we can invest to help our partners derive maximum profitability,” he concluded.