RSA Labs Project Iris: Edge Monitoring and Analytics for IoT

Aug 07, 2019 | by Kevin Bowers

The Internet of Things (IoT) is a core element driving Digital Transformation, along with cloud, mobile, automation and analytics. Strong business benefits are driving adoption. “Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, producing immense volume of data.”[1] Sensors, cameras, thermostats, and other networked controls deliver game-changing capabilities to consumers and organizations alike. Industrial Control Systems (ICS) deliver power, water, and transportation services, as well as manufacturing processes like robotics. Large-scale government projects like Smart City initiatives break new ground in delivering services and improving quality of life for residents.

For those working in the cybersecurity or risk areas, this proliferation of IoT endpoints creates strain on effective operational security. The bottom line is that IoT introduces a massive volume of new, often unmonitored endpoints across your network; in the same Gartner release, “CIOs should ensure they have the necessary skills and partners to support key emerging IoT trends and technologies, as, by 2023, the average CIO will be responsible for more than three times as many endpoints as this year.”[1] And they are all attack targets.

The IoT device industry is gaining security capabilities quickly, mainly because of threats presented by global attackers, from hacktivists to cybercriminals to nation states. The 2016 Mirai botnet attack on Dyn, a prominent DNS service, took down major platforms across Europe and North America. Previously, botnets were built primarily from unpatched computers, but Mirai hijacked IoT devices by the millions – among them a huge number of security cameras and DVRs. Even with the relatively low computing power of IoT devices, the sheer number of hijacked devices, each originating from a unique IP address, created catastrophic failure for several hours.

Mirai raised awareness of IoT as an attack vector, driving changes in the way devices are secured and updated going forward. However, the large population of brownfield (existing) IoT devices, especially in operational technology (OT) use cases, will continue to work against comprehensive IoT security patterns. Many brownfield devices and protocols weren’t designed for open networking, lack compute and power required for performing security functions, are difficult or impossible to update or patch, and have limited replacement options. They are designed to be deployed for decades, far beyond the typical IT refresh cycle.

There are other important challenges to securing IoT, including historic patterns. Traditionally, security and identity systems have operated separately from IoT systems. Cybersecurity teams secure and monitor IT systems; IoT systems are often managed by line-of-business (LoB) with separate engineering teams.

Additionally, IoT devices may be deployed in the field and in potentially hostile locations with no physical security guarantees (e.g. an unmanned wind turbine or traffic sensors in a smart city use case). In such scenarios, the IoT devices require additional protection measures against physical attacks such as manipulating, replacing, or spoofing devices.

With broad experience in many of the areas necessary for securing IoT environments, including risk-based authentication, user and entity behavioral analytics (UEBA), and fraud detection at scale for IT, RSA continually seeks out ways to help customers drive their Digital Transformation initiatives. RSA Labs runs a variety of research projects to explore technology and market requirements. With Project Iris, RSA Labs data scientists explore new methods and algorithms for monitoring and detecting compromised devices based on anomalous behavior. The large scale of IoT deployments and the massive number of devices provide a rich medium for this type of research.

Project Iris leverages an important development in IoT evolution: open solutions for IoT edge management. IoT edge gateways and servers consolidate and integrate IoT devices in an “edge to core to cloud” continuum, taking control of any IoT deployment, no matter how diverse. Project Iris specifically supports the EdgeX Foundry Platform, an industry-leading open source technology for managing IoT devices (Figure 1).

Figure 1: EdgeX Foundry

Project Iris gives organizations a tool to view and analyze the consolidated data set of their entire IoT deployment (Figure 2). Analysis can be done on the data set using a web app, or the data can be normalized and ingested by popular security tools including existing SIEM threat detection platforms.

Figure 2: Project Iris High Level Architecture

The code is delivered as a containerized agent application that plugs directly into EdgeX Foundry infrastructure. The agent is deployed on all edge gateways and edge servers passively collecting data about the edge device itself and the devices managed by it, capturing logs, network data and even process and resource consumption information.

From there, Project Iris operates much like a SIEM or another incident response tool. The Project Iris Cloud applies threat analytics to flag known bad actions (e.g., communication with blacklisted IPs), as well as behavioral analytics to detect anomalous behavior based on the specific IoT device type and its function. It then generates alerts for analysts to view and investigate IoT incidents directly in the cloud interface. Data can be sorted by gateway and device, with drill-down and pivoting functions to analyze and understand anomalous behavior including indicators of compromise. The ability to combine filters empowers analysts to pursue data in very flexible ways.
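The two analytic layers described above, a known-bad lookup and a behavioural baseline keyed on device type, can be illustrated with a small worked example. The code below is an added illustration written for this article; it is not Project Iris code, and the agent data model, the telemetry field names, the blocklist (drawn from the 203.0.113.0/24 documentation range) and the baseline numbers are all constructed assumptions. It shows why the baseline must be per device type: an outbound volume that is ordinary for a camera is a strong anomaly for a thermostat, which a single global threshold would miss.

```python
"""Toy edge-telemetry analytics: known-bad destinations plus a per-device-type
behavioural baseline. Added illustration for this article, not Project Iris code.
All device names, addresses and byte counts are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Telemetry:
    gateway: str      # edge gateway that collected the record (assumed field)
    device: str       # device id as known to that gateway (assumed field)
    device_type: str  # e.g. "camera", "thermostat" (assumed field)
    dest_ip: str      # destination of one outbound connection (assumed field)
    bytes_out: int    # bytes sent to that destination in the interval (assumed field)


# Constructed blocklist; 203.0.113.0/24 is the TEST-NET-3 documentation range.
KNOWN_BAD_IPS = frozenset({"203.0.113.7", "203.0.113.99"})

# Constructed baseline captured during a quiet period, used to learn "normal" per type.
BASELINE = [
    Telemetry("gw-1", "cam-01", "camera", "198.51.100.10", 50_000),
    Telemetry("gw-1", "cam-02", "camera", "198.51.100.10", 52_000),
    Telemetry("gw-2", "cam-03", "camera", "198.51.100.10", 48_000),
    Telemetry("gw-2", "cam-04", "camera", "198.51.100.10", 51_000),
    Telemetry("gw-1", "therm-01", "thermostat", "198.51.100.20", 400),
    Telemetry("gw-1", "therm-02", "thermostat", "198.51.100.20", 380),
    Telemetry("gw-2", "therm-03", "thermostat", "198.51.100.20", 420),
    Telemetry("gw-2", "therm-04", "thermostat", "198.51.100.20", 410),
]

# Constructed live records: one clean camera, one camera talking to a listed
# address, one thermostat sending camera-sized volumes, one device of a type
# with no baseline at all.
LIVE = [
    Telemetry("gw-1", "cam-01", "camera", "198.51.100.10", 49_500),
    Telemetry("gw-1", "cam-02", "camera", "203.0.113.7", 51_000),
    Telemetry("gw-1", "therm-01", "thermostat", "198.51.100.20", 50_000),
    Telemetry("gw-2", "plc-01", "plc", "198.51.100.30", 1_200),
]

Alert = Tuple[str, str, str, object]  # (gateway, device, alert_kind, detail)


def build_profiles(baseline: Iterable[Telemetry]) -> Dict[str, Tuple[float, float]]:
    """Learn mean and population stdev of bytes_out for each device type."""
    by_type: Dict[str, List[int]] = {}
    for rec in baseline:
        by_type.setdefault(rec.device_type, []).append(rec.bytes_out)
    return {t: (mean(v), pstdev(v)) for t, v in by_type.items()}


def analyze(records: Iterable[Telemetry], profiles: Dict[str, Tuple[float, float]],
            known_bad=KNOWN_BAD_IPS, z_threshold: float = 3.0) -> List[Alert]:
    """Flag known-bad destinations, then score volume against the type baseline."""
    alerts: List[Alert] = []
    for rec in records:
        if rec.dest_ip in known_bad:
            alerts.append((rec.gateway, rec.device, "known_bad_destination", rec.dest_ip))
        profile = profiles.get(rec.device_type)
        if profile is None:
            # No baseline for this type: surface it rather than silently skipping.
            alerts.append((rec.gateway, rec.device, "unknown_device_type", rec.device_type))
            continue
        mu, sigma = profile
        if sigma == 0:
            # A zero-variance baseline gives no z-score; any deviation is anomalous.
            anomalous = rec.bytes_out != mu
        else:
            anomalous = abs(rec.bytes_out - mu) / sigma > z_threshold
        if anomalous:
            alerts.append((rec.gateway, rec.device, "volume_anomaly", rec.bytes_out))
    return alerts


def group_by_gateway(alerts: Iterable[Alert]) -> Dict[str, List[Alert]]:
    """Arrange alerts per gateway, the first level of drill-down an analyst wants."""
    grouped: Dict[str, List[Alert]] = {}
    for a in alerts:
        grouped.setdefault(a[0], []).append(a)
    return grouped


if __name__ == "__main__":
    found = analyze(LIVE, build_profiles(BASELINE))
    for gw, items in sorted(group_by_gateway(found).items()):
        print(gw)
        for _, device, kind, detail in items:
            print(f"  {device:10} {kind:22} {detail}")
```

With the constructed data the camera baseline has a mean of 50,250 bytes and a standard deviation of roughly 1,479, so `cam-01` at 49,500 bytes scores well under the threshold, while `therm-01` at 50,000 bytes is more than a thousand standard deviations from the thermostat mean and is flagged even though the same number is unremarkable for a camera. In a real deployment the baseline would be learned continuously from the gateway's own collection rather than from a fixed list.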

RSA Labs Project Iris is a research project that holds promise for vastly improving the ability to secure the huge and varied universe of IoT. In collaboration with the open EdgeX Foundry and other ecosystem partners, RSA Labs is working to bring enterprise-grade security and management capabilities to the “Wild West” of IoT.

__________
[1] Gartner Press Release, Gartner Identifies Top 10 Strategic IoT Technologies and Trends, November 7, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends

Author: Kevin Bowers

Category: Research and Innovation, Blog Post

Keywords: IoT, SCADA, Monitoring, Cybersecurity, Security, Digital Risk, Digital Risk Management, Digital Transformation