I spent last week at the Gartner Security and Risk Management Summit in National Harbor, MD. This is my favorite conference of the year because I get a chance to hear about a wide variety of security topics and talk with plenty of CISOs and security practitioners.
I was especially interested to hear all the discussion of unmanaged / IoT devices. Here are some highlights.
Gartner lists Detection and Response as one of the top ten projects enterprises should be working on in 2019. We all know that EDR products have exploded in popularity during the last few years, with companies like CrowdStrike gaining massive valuation. But—these EDR systems all require agents. How do you implement Detection and Response for unmanaged and IoT devices which can’t accept agents? (Hint: I work for a company that does this.)
Michael Chertoff was one of the guest speakers. For those of you who may not know, he is the former Secretary of the U.S. Department of Homeland Security, serving under President George W. Bush. Now he is co-founder and executive chairman of The Chertoff Group, a security and risk management firm that provides high-level strategic counsel to corporate and government leaders on a broad range of security issues. In short—he knows a ton of stuff, has seen a ton of stuff, and has heard a ton of stuff.
Chertoff blasted the insecurity of IoT devices, pointing out that they have “almost zero security built into them by design” and no provision for updating or patching. Chertoff said that it might be time for the U.S. Federal Government to follow the lead that California has taken by laying down standards for what constitutes a minimum level of security for any network-connected device.
Multiple Gartner analysts—Ramon Krikken, John Girard, Nader Henein and Ruggero Contu—spoke about attacks on unmanaged and IoT devices that impact operational technology and healthcare environments. Girard gave a dramatic description of how risky an unprotected IoT device can be. His example involved an HVAC system which, Girard said, has been used as a starting point for several cyber attacks in the United States. In Girard’s example, an attacker started with the HVAC system (which is not typically monitored by any security agents), moved to a system controller for an oil pipeline, then adjusted the pressure in the pipeline to cause it to explode—similar to what happened to the Kirkuk-Ceyhan oil pipeline in 2017.
Armis has seen these kinds of attacks, coming in through unmanaged industrial or medical devices. Here are a few examples, none of which were caught by our customers’ traditional security products:
John Girard is a VP and Distinguished Analyst in Gartner’s Endpoint and Mobile Security Practice. In his presentation, he urged people to broaden their definition of “endpoint” to encompass anything that can be identified, addressed or attacked. Examples of endpoints that Girard mentioned include network switches, routers, load balancers, firewalls, and VoIP apps. Girard went on to predict that by 2025, every powered device in business settings will be network addressable.
That’s an amazing thought. Up to 90% of these devices will be un-agentable.
There was no shortage of advice from Gartner analysts on how enterprises should respond to the “IoT-ification” of nearly everything in their environment.
Ramon Krikken recommended that security managers start with visibility—see what you have, see what it is doing. The old adage “you can’t secure what you can’t see” has never been more applicable.
Multiple Gartner analysts—Jeremy D’Hoinne, Lawrence Orans, John Girard—mentioned the need for behavioral inspection of endpoint devices that can’t accept agents (which is the vast majority of IoT devices). The security approach which Gartner advocates is CARTA (Continuous Adaptive Risk and Trust Assessment). This calls for a balance of protection, detection, and response. Here is how the three functions apply to devices that you can’t install an agent on:
Of course, Armis includes all three classes of the functionality listed above.
Were you at the Gartner Security and Risk Management Summit? If so, I’d love to hear your thoughts about the conference. Drop me a note to [email protected]