Identifying who and what is on the network is a challenge for many organizations. Incomplete visibility makes it difficult to implement advanced security policies and recommendations. Endpoint analytics is a way to identify, verify, and build complete profiles for all devices on a network.
As organizations undergo digital transformation, they're adding more and more devices to their networks. Studies indicate that endpoints--both user and IoT (Internet of Things) devices--are projected to grow in number exponentially in the foreseeable future.
IoT devices present management and security challenges. Not only are they proliferating, but some are added in an ad hoc manner outside of IT's controlled environment, without an overall plan and with minimal security provisions. Others may have been added years ago, obtained from vendors that don't scrupulously keep their software updated. All these conditions can increase the threat surface. In 2019, Cisco's Talos Security Research Team published 87 advisories about IoT, 23% more advisories than the next-largest category, desktop computing.
There is growing evidence that bad actors are taking advantage of these weaknesses. The number of cyber attacks on IoT devices surged by more than 300% in 2019 (Melissa Michael, Attack Landscape H1 2019: IoT, SMB Traffic Abounds, December 2019), and over 75% of vulnerabilities discovered in 2019 were from IoT devices (Martin Zeisser, Talos Vulnerability Discovery Year in Review--2019, December 2019).
It is clear, therefore, that organizations must build in appropriate security as they deploy IoT devices at scale. The first step in securing IoT devices is knowing what devices you have in your network. Endpoint analytics is a way to identify and profile IoT devices, uncover spoofed devices, and detect and contain potential threats.
Endpoint analytics aggregates data from a variety of sources in the network, collates and analyzes it to build a detailed endpoint profile, and groups similar endpoints by applying artificial intelligence and machine learning (AI/ML) techniques.
A rich set of data is essential for endpoint analytics to work. Varied sources are necessary to provide the 360-degree vision to build a complete profile for each endpoint.
Some sources of such information are deep packet inspection (DPI) of traffic to and from the endpoints, telemetry information from network probes, and asset information from configuration management databases.
Analysis of the data collected reveals crucial details about endpoints, such as their makes, models, and operating systems.
Further analysis of their communications using techniques such as Cisco Network Based Application Recognition (NBAR) and Cisco Software-Defined Application Visibility and Control (SD-AVC) can discern the protocols being used. These techniques can identify more than 1400 protocols used in environments such as healthcare, enterprise IoT, and building automation.
In cases where endpoints can't easily be identified and profiled, artificial intelligence (AI) and machine learning (ML) techniques in endpoint analytics aggregate all collected data about those endpoints and use an algorithm to cluster them by shared attributes.
Administrators can define a rule for such endpoints and profile all of them at once. After previously unknown endpoints are profiled, this learning can be made part of a shared knowledgebase, to benefit other organizations in their own deployments.
Endpoint analytics classifies the newly profiled endpoints into logical groups. For example, all IP phones may be placed in one group, all medical imaging systems in another group, and so on. Defining and enforcing security and quality-of-service (QoS) policies are easier when applied to groups rather than to individual endpoints.
Endpoint analytics makes all devices visible, verifies their identity, and determines whether they pose any security threats.
In corporate networks that have been around for a while, there are likely to be connected things that are known simply by their IP addresses. No one knows whether they're cash registers, surveillance cameras, or heart-rate monitors.
Devices not properly identified, profiled, and secured pose a clear security risk. Figuring out what they are is the first step in securing them.
An unsecure endpoint may be hacked or maliciously placed in the network, where its MAC address makes it look like something it is not. For example, a compromised printer may pretend to be an MRI machine, gaining access to patient records.
Proper identification of the printer and analysis of its communication can detect and flag its anomalous behavior.
Endpoint analytics uses the profile it builds to assign each device a score based on its network behavior. This score could provide administrators or upstream security applications extra guidance in deciding whether to trust an endpoint or to investigate it for security breaches.
The identification, profiling, grouping, and trust scoring that endpoint analytics provides can be used to reduce threats. Administrators may use this information to define security policies. They may also implement mechanisms to isolate rogue or compromised endpoints to reduce threat proliferation.
Endpoint analytics helps to secure your organization by helping to define segmentation policies for zero-trust access and regulatory compliance.
Accurate identification and profiling of endpoints support network segmentation--a key part of the zero-trust security framework. Network segmentation benefits organizations by reducing overall risk, shrinking the scope of compliance, and limiting the lateral movement of malware to contain threats such as ransomware.
Despite the benefits of segmentation, many organizations have been hesitant to segment their networks widely, since the process can be complicated and error-prone. Endpoint analytics can serve to lower the barrier to effective segmentation.
While every organization would benefit from implementing robust security for IoT devices, those with data-privacy, security, and Regulatory compliance mandates--such as healthcare and financial institutions--should seriously consider deploying endpoint analytics. Industries that use many IoT devices--such as manufacturing, transportation, smart cities, and utilities--would also benefit.
“Locating, recognizing, and securing a growing number of legitimate IoT devices within an organization is becoming a complex challenge, and it can become harder to recognize illegitimate equipment accessing the same network and resources.”Tanner Johnson, Senior Analyst, Connectivity and IoT, Omdia, in IoT Cybersecurity Market Tracker--Update 1H 2020
Remove the barrier to network segmentation by extending your visibility into device identities and how they interact with each other. Define the right access policies to secure your organization.