IoT in Cybersecurity
In cybersecurity, operational technology (OT) and Internet of Things (IoT) devices create a risky threat surface to manage. Companies often have thousands of IoT devices, from thermostats and HVAC units to lighting controls. Each of these devices is accessible via the network. They are often unpatched or unpatchable and may contain vulnerabilities that could be used by a hacker to control a network. To cybersecurity professionals like myself, IoT is a huge risk. IoT devices do not conform to any technical standards, are not held to any security best practices, and thus are often targeted and used by hackers to move around undetected or to create a botnet which could be used in sophisticated large-scale attacks (What is an IoT Device Vulnerability?, n.d.).
In my experience, the cybersecurity industry uses IoT itself for physical door access controls. Those company-issued radio frequency identification (RFID) key cards for accessing a building are swiped against a network of IoT card readers. These networked access control IoT devices are now able to be controlled via phone apps as well (Access Control Systems, n.d.). These keycard solutions are a critical piece of IoT infrastructure, but they pose risk to the business. If the access control system is accessible via a phone app, then it is accessible anywhere in the world, meaning that hackers can direct their attacks at those access control systems.
Personally, as a cybersecurity professional, I have seen many times that IoT devices like the fish tank thermometer in a casino have been the cause of a breach. While there is convenience to be gained, it can present a vector of attack for a hacker. IoT devices in other industries gather data which is aggregated into Big Data datastores, giving data scientists the raw material for performing analysis. Regarding IoT sensors as data collectors in manufacturing, logistics, and health care, they are critical for collecting important data. Hospital rooms have 15-20 IoT devices collecting medical telemetry that is absolutely essential for improving patient care (Norfleet, 2020). As a cybersecurity professional, my job is to enable the business by protecting these IoT environments. Although IoT devices add a lot of potential vulnerabilities to a network, IoT is often mission critical, so I have to take steps to isolate the IoT devices to reduce risk.
Big Data in Cybersecurity
I use Big Data in cybersecurity for threat detection. The strategy is this: collect all of the possible data from every source, then analyze it for threats and signs of hackers. I configure routers, firewalls, switches, wireless access points, servers, workstations, identity systems, email systems, and applications to all log their telemetry data to a Security Information and Event Management (SIEM) system. This SIEM logs all of the events and signals, massive amounts of data, usually millions of log events every day. The SIEM then compares my log data against MITRE ATT&CK™ to identify any attacks. This is a common tactic used by security professionals. MITRE ATT&CK™ maps out log events against common attacker behaviors. Using MITRE ATT&CK™ in my SIEM allows me to find behaviors like brute force attack, privilege escalation, and lateral movement in my networks (My thoughts on using the MITRE ATT&CK framework for SIEM detection’s, 2021). My SIEM also compares my millions of log events against curated threat feeds. Those feeds, from cybersecurity companies like Kaspersky and Palo Alto, provide threat data which my SIEM uses to identify threat patterns in my data.
I use a Security Orchestration, Automation, and Response (SOAR) to automate my response to events in my SIEM. For example: When my SIEM identifies that there is an attack happening on one of my servers, my SOAR will execute a playbook which will quarantine or isolate the threat and alert me. The SOAR gives me the automation to handle the actionable incidents that the SIEM identifies (What is SOAR?, n.d.). These SIEM and SOAR solutions often tie into machine learning (ML) and artificial intelligence (AI) in order to improve the quality of the detections (Wenham, 2020). My organization uses the Microsoft Azure’s AI platform in order to enhance detection capabilities, improve analytics, and reduce human workloads. I feed our data streams into Microsoft’s Data Lakes and Log Analytics Workspaces, then feed that data through the machine learning services so that I can run playbooks against them.
Are IoT and Big Data Connected?
In many industries, IoT collects data that is stored and analyzed by Big Data analytics systems (Thomas, 2022). In cybersecurity, we use cybersecurity appliances like firewalls, but not IoT devices, aside from access control devices like key cards, to generate our log data. In the future, if there is data that IoT will capture for us, I am sure that the cybersecurity industry will quickly adopt IoT.
How Have IoT and Big Data Changed the Way We Do Business?
Big Data enables me to do the impossible: accurately monitor large networks for threats without needing a team of thousands of people. Big Data, combined with automation platforms, helps the cybersecurity industry to scale. Big Data allows me to identify and respond quickly to threats. My automation systems begin incident response processes automatically if there is an attack. This is something that was always completely manual before. In this sense, Big Data has had a very positive effect on the cybersecurity industry. My organization has learned that the data in the SIEM is good for IT automation in addition to cybersecurity. This is enabling new efficiencies across IT and cybersecurity, encouraging collaboration. IoT, on the other hand, have only changed cybersecurity by adding a large landscape of new and unresolvable threats. IoT, for cybersecurity, has primarily been a negative thing.
IoT and Big Data will continue to improve cybersecurity as my industry scales. Right now, despite advanced analytics with our SIEM and SOAR, attacks are so frequent that it I feel like I am always in a reactive mode and always following attackers as they are attacking networks. As technology and processes mature, especially with AI and ML, I predict that cybersecurity experts will finally have an upper hand on attackers. Big Data will help all of our technology evolve and approve. My organization will improve its delivery of cybersecurity solutions as a result of my implementations of Big Data. This will allow us to offer guarantees and additional value to our customers.
The industry is ready for Big Data and IoT. Every new product that hits the cybersecurity market has ML and AI in it already. There are some pitfalls to diving into Big Data, AI, and ML on a large scale. Costs for storage and compute with large datasets will drive up our costs to offer the service to our clients. Collecting massive amounts of data means that there needs to be more systems for data management, more storage for backups of the data, data analytics software, and data scientists to information, knowledge, and value from the data.
Right now, my organization does not have anyone that is strong with storage nor with data science. We have no data analytics experience. This means that, in addition to increased costs from data collection, we will have a lot of payroll increase. These limitations can be mitigated and ameliorated by hiring experienced data engineers and data scientists to advise and lead this shift in our organization. Those data experts will help choose the correct software and solutions for my organization.
Access Control Systems. (n.d.). HID. Retrieved from https://www.hidglobal.com/solutions/access-control-systems
My thoughts on using the MITRE ATT&CK framework for SIEM detection’s. (2021, February 20). Blue Team Blog. Retrieved from https://blueteamblog.com/my-thoughts-on-using-the-mitre-attck-framework-for-siem-detections
Norfleet, A. (2020, October 22). Securing Internet-Connected Devices in the New Era of Healthcare. Cisco. Retrieved from https://blogs.cisco.com/healthcare/securing-internet-connected-devices-in-the-new-era-of-healthcare
Thomas, M. (2022, August 9). 12 IoT Data Examples. Retrieved from https://builtin.com/big-data/iot-big-data-analytics-examples
Wenham, P. (2020, June 6). Security Think Tank: SIEM and AI – a match made in heaven? Retrieved from https://www.computerweekly.com/opinion/Security-Think-Tank-SIEM-and-AI-a-match-made-in-heaven
What Is SOAR? (n.d.). Palo Alto CORTEX. Retrieved from https://www.paloaltonetworks.com/cyberpedia/what-is-soar
What is an IoT Device Vulnerability? (n.d.). Fortinet. Retrieved from https://www.fortinet.com/resources/cyberglossary/iot-device-vulnerabilities