Danger: Conventional cyberdefense technologies not capable of securing the Internet of Things.
In studying to take the exam to become a Certified Information Systems Security Professional (CISSP) — considered the gold standard of all cybersecurity certifications — I was shocked to see that the areas covered were security technologies that were in many cases more than 20 years old.
Then there were coverage areas that essentially give hackers a road map to system vulnerabilities and the cybersecurity technologies used in trying to stop these vulnerabilities.
But wait, there's more: How a cyberattack is discovered, according to my studies, is a manual process that consists of searching through a hefty amount of historical data stored in system logs. So, should a hacker change something today, we won't see it for months due to the manual discovery processes currently in place, and once we find it, we will attempt to combat it and other attacks with 20-year-old technologies. That is not a recipe for success.
So can cyberdefense catch up? The bottom line is that it must catch up.
Following my most recent speaking engagement at the Cyber and Information Security Research (CISR) Conference at Oak Ridge National Laboratory, there was a clear understanding that current cyberdefense technologies are not effective enough and need a new direction. This was the consensus in both open discussions and private meetings; even recently appointed White House adviser on cybersecurity Rudy Giuliani has stated that “our current cyber defense is not what it should be.”
Giuliani also stated that our government is just too far behind — that it will never catch up, and the solution will be found as it always is: in the private sector. This is the type of cyberdefense reality check we have needed from the top for a long time. And now it is time to act.
If we're going to get effective cyberdefense technologies deployed, we must start funding viable solutions rather than running them though massive public and private bureaucracies — and standards groups such as the National Institute of Standards and Technology (NIST) have recognized this. In fact, NIST Fellow Ron Ross said the agency's new guidance "should be the start of a national dialogue" about deeper cybersecurity for Internet-of-Things devices.
In the wake of the Mirai malware attack that used IoT devices to overwhelm Internet infrastructure provider Dyn with a flood of traffic in October 2016, NIST bumped up the release date for its Special Publication 800-160 that gives IoT cybersecurity recommendations.
NIST and other standards groups must find a way to start fast tracking the use of new cybersecurity technologies rather than dragging them through analysis paralysis groups and organizations. If something out there makes sense, then fund it, test it and get it out there — and then build the guidelines around the actual use of the technology. That’s what hackers do. They are not restricted by adhering to guidelines. If the technology works, they do it. And until we fast track cyberdefense technologies using the same approach, we will always be playing catch-up.
These days, conventional Next Generation Firewall Wall Intrusion Prevention Security (IPS) technologies encrypt or harden the authenticated access to sensitive information. Meanwhile, Security Event and Information Management (SIEM) security technologies try to keep unwanted attacks from coming into our processes and systems.
Neither of these approaches is perfect; each is more of a deterrent than a foolproof way to thwart attacks. Furthermore, IoT and the billions of devices that will affect our business and industrial systems will prove that these conventional security approaches lack the scale and capability to even deploy today's cybersecurity products and services into these tiny IoT devices.
Case in point: One of the design criteria in IoT is to establish the longest possible battery life at the lowest cost. This requires a very small processor and flash memory that oftentimes lack the space for IoT device updates or high-end encryption. This is a big problem; it renders today’s IPS encryption technologies useless and means there is no way to update devices that may have been exploited. The sheer volume of these devices is making current SIEM security technologies obsolete and unmanageable. There is just too much out there to watch. The bottom line is that current cybersecurity approaches cannot scale to the amount of IoT devices on the market, which some people predict will reach 1 trillion.
And this is why we must address cybersecurity with completely new approaches.
We are spending billions of dollars using cyberdefense technologies that monitor the historical cause of a cyberattack — but we need to monitor the effect of cause, which offers a more accurate, deeper and real-time point of validation and discovery.
Being at the right place at the right time can give a cyberdefense system the upfront capability of detecting a cyberattack before the breach has occurred. These desperately needed cyberdefense technologies will be the eyes, ears and even artificial brains of our operational and industrial IT systems. Due to the limitation of current conventional cyber defense technologies, IoT will demand the need to for the new way cyberdefense will be doing business today and in the future.