![Page 1: A New Security Paradigm for IOT (Internet Of Threats) · PDF fileSESSION ID: #RSAC Hadi Nahari. A New Security Paradigm for IOT (Internet Of Threats) BAS-M08. Vice President, Security](https://reader033.vdocuments.net/reader033/viewer/2022051723/5ab4c4817f8b9a86428c2ab8/html5/thumbnails/1.jpg)
SESSION ID: BAS-M08
#RSAC
Hadi Nahari
A New Security Paradigm for IOT (Internet Of Threats)
Vice President, Security CTO
Brocade Communications, Inc.
@hadinahari
National Academy of Engineering
Grand Challenges for 21st Century
State of the Union
Security posture compared to 2015? How about compared to 2014? Or 2013?
…
Poll!
Why?

Year   Incidents   Breaches
2014   63,437      1,367
2015   79,790      2,122

>3,000,000,000,000 threats annually (~$110BN @$27.3/threat)
Static Security
Computing: Then & Now
Computing has evolved tremendously
Security: Then & Now
Old days: identification, authentication, access control (ACL/MAC/DAC/...), TCB, disjointed systems, security an after-thought, etc.
Today: identification, authentication, access control (ACL/MAC/DAC/...), TCB, disjointed systems, security an after-thought, etc.
So, security is still...
Here’s Why
ID: 64.233.169.240
ID: fe80::4859:e41a:d144:f95c
ID: 2C:1F:23:C1:0A:65
ID: 02:03:08:96:2c:ae
Machines rely on identity to interact with each other
Here’s Why (cont’d)
Humans, on the other hand, rely on trust
ID: Vic; IT guy
ID: John; bank teller
ID: Eva
ID: Malin; BFF
Identity vs. Trust
Identity
  simple
  static
  binary
  cloneable
  immutable
  irrevocable
  low resolution
  coarse grained
  non contextual
Identity vs. Trust (cont’d)
Trust
  multidimensional
  contextual
  dynamic
  rewarding
  complex
  multimodal
  multichannel
  engaging
  full spectrum
  revocable
  mutable
  high resolution
  fine grained
TCB, ROT, COT
Not in humans…
In machines
The Static Security Era
Machines & humans are becoming more similar
Issues go beyond identity vs. trust
Static Security is presumptuous
  Need to know adversary profile ahead of time
Best case: just detecting attacks
IMPORTANT: Static Security is not bad! Still necessary, just not sufficient anymore
Static Security Building Blocks
Assets, attack tree, VATA
Identity, authentication, authorization
Cryptography (confidentiality, integrity, authenticity, non-repudiation)
Attestation, verification, run-/load-/crash-time integrity validation and measurement
…
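The attestation and load-time measurement building block listed above is the one that is easiest to show concretely. The following is an added example (not code from the talk, from Brocade, or from any TPM vendor) of the measured-boot pattern: every boot stage is hashed and extended into a single register, an event log records each step, and a verifier replays the log and compares the result with a known-good value. The all-zero initial register, the SHA-256 extend rule and the three component images are assumptions and constructed stand-ins, not a real firmware chain.

```python
"""Load-time integrity measurement and attestation replay (added example).

TPM-style pattern: register = SHA-256(register || SHA-256(component)) for each
stage in boot order, with an event log recording every step. The verifier
replays the log, checks that it reproduces the reported register, and compares
that register with the golden value recorded for the approved build.
Component contents are constructed stand-ins, not real firmware.
"""
import hashlib
from typing import List, Tuple

Measurement = Tuple[str, str]  # (component name, SHA-256 hex digest)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """PCR-style extend: the register only moves forward; order and content both matter."""
    return sha256(register + digest)


def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[str, List[Measurement]]:
    """Measure each stage in boot order; return the final register and the event log."""
    register = bytes(32)  # assumed reset value: 32 zero bytes
    log: List[Measurement] = []
    for name, blob in components:
        digest = sha256(blob)
        log.append((name, digest.hex()))
        register = extend(register, digest)
    return register.hex(), log


def replay_log(log: List[Measurement]) -> str:
    """Verifier side: recompute the register from the event log alone."""
    register = bytes(32)
    for _, digest_hex in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register.hex()


def verify_attestation(log: List[Measurement], reported_pcr: str, golden_pcr: str) -> Tuple[bool, str]:
    """Two independent checks: the log must explain the quoted register, and the
    register must equal the value recorded for the approved build."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not reproduce the reported register"
    if reported_pcr != golden_pcr:
        return False, "register differs from the known-good build"
    return True, "ok"


# Constructed boot chain: bootloader, kernel and application image (stand-in bytes).
GOOD_CHAIN = [
    ("bootloader", b"bootloader v1.4 (constructed)"),
    ("kernel", b"kernel 5.10-iot (constructed)"),
    ("app", b"sensor-agent 2.0 (constructed)"),
]
GOLDEN_PCR, _ = measure_boot(GOOD_CHAIN)


def demo():
    """Three scenarios: pristine device, modified kernel, and a log edited to hide the change."""
    good_pcr, good_log = measure_boot(GOOD_CHAIN)
    modified_chain = [GOOD_CHAIN[0], ("kernel", b"kernel 5.10-iot (constructed, modified)"), GOOD_CHAIN[2]]
    bad_pcr, bad_log = measure_boot(modified_chain)
    # A log that shows the original kernel digest cannot explain the register the
    # device actually accumulated, so the replay check catches the edited log.
    inconsistent_log = [bad_log[0], good_log[1], bad_log[2]]
    return {
        "pristine": verify_attestation(good_log, good_pcr, GOLDEN_PCR),
        "modified": verify_attestation(bad_log, bad_pcr, GOLDEN_PCR),
        "edited_log": verify_attestation(inconsistent_log, bad_pcr, GOLDEN_PCR),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:11s} {'PASS' if ok else 'FAIL'}: {why}")
```

The two checks answer different questions: replay consistency tells the verifier whether the log is an honest account of what was measured, and the golden comparison tells it whether what was measured is the build it approved. Either failing is grounds to keep the device out of the trusted set.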
IOT 101
IOT Era
What are the Thingses anyway? Communicating data collector things with varying compute power
What’s the big deal?
  Data generation
  Communication
  IOT Security
The “Thingses”
Controllers, processors, etc.: no standard comm.
Mixed comm. (WiFi, BT, NFC, ZigBee, etc.)
Apps & ecosystems
Transition to services
Massive data generation: we’re not just cyborgs, we’re data-oozing cyborgs
IOT Protocols
MQTT: Message Queue Telemetry Transport
MQTT-SN: MQTT for Sensory Networks
XMPP: Extensible Messaging & Presence Transport
IOT Protocols (cont’d)
DDS: Data Distribution Service
AMQP: Advanced Message Queuing Protocol
CoAP: Constrained Application Protocol
Observations
IOT protocols are mainly message-based
  The Things are (mostly) less-capable (now at least)
Offloading processing to the backend (mainly)
  Thus messaging & communications infrastructure
Ergo importance of backend & data processing
  Data volume, contextual analytics, etc.
Security not the main focus of Big Data & IOT (sounds familiar?)
Result: Attackers Are Winning
More asymmetry of the field
  IOTs aren’t really good at making good security decisions
Easier to hack than defend (due to Static Security)
Securing IOT end-to-end is like shooting pool with a rope
Dynamic Security
Solution: Dynamic Security
Designing systems security according to runtime behavior
Protocol-, data- and context-driven
Distributed by nature
  Processing boundaries beyond a single device
Recency and realtime: contextual freshness matters
Revocation abilities: leveraging comms. & backend
Dynamic Security (cont’d)
Statistical modeling and analytics are key characteristics
Data flows & contextual characteristics shaping security
Behavioral modeling
  Whose behavior? Who are the actors?
“Learning” matters a lot to Dynamic Security
“Learning” Security: Dynamic Security
“Anything humans can do in 0.1 sec., the right big 10-layer ANN can do too.” - Jeff Dean, Google
Dynamic Security Side Effects
Adaptive (active-defense) systems
Self-defending (reactive-defense) systems
Self-organizing (proactive) systems
By applying predictive-modeling & AI
  We should predict anomalous behavior, not just detect it
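The Dynamic Security slides above (runtime behavior, contextual freshness, revocation via the backend, behavioral modeling, and reacting to anomalous behavior rather than only logging it) describe a loop that is easier to judge in code. The following is an added example, not code from the talk or from Brocade: a backend-side monitor that learns a per-device baseline from each device's own recent telemetry, scores fresh observations against it, throws the baseline away when the device has been silent longer than a freshness limit, and escalates persistent anomalies to a revocation decision the messaging layer can enforce. The telemetry, the two features (publish rate and payload size), and the thresholds (z-score 3, three strikes, 600 s freshness limit) are constructed assumptions for illustration.

```python
"""Per-device behavioral baselining with freshness and revocation (added example).

The backend learns what "normal" looks like for each device from its own recent
telemetry, scores new observations against that baseline, lets a baseline go stale
when the device has been silent too long, and escalates persistent anomalies to a
revocation decision. All telemetry below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Deque, Dict, List, Tuple


@dataclass
class Observation:
    device: str
    ts: int            # seconds since epoch (constructed)
    msg_rate: float    # messages published per minute
    payload: float     # mean payload size in bytes


class Baseline:
    """Bounded window of observations accepted as normal for one device."""

    def __init__(self, window: int) -> None:
        self.samples: Deque[Observation] = deque(maxlen=window)
        self.last_ts = 0

    def stats(self, floor: float = 0.1) -> Tuple[Tuple[float, float], Tuple[float, float]]:
        rates = [o.msg_rate for o in self.samples]
        sizes = [o.payload for o in self.samples]
        # Floor the spread so a near-constant warm-up cannot turn tiny drift into a huge z-score.
        return (mean(rates), max(pstdev(rates), floor)), (mean(sizes), max(pstdev(sizes), floor))


class DynamicMonitor:
    def __init__(self, warmup=5, window=20, max_age=600, z_limit=3.0, strike_limit=3):
        self.warmup, self.window, self.max_age = warmup, window, max_age
        self.z_limit, self.strike_limit = z_limit, strike_limit
        self.baselines: Dict[str, Baseline] = {}
        self.strikes: Dict[str, int] = defaultdict(int)
        self.revoked = set()

    def observe(self, obs: Observation) -> str:
        if obs.device in self.revoked:
            return "revoked"            # the comms layer should already be dropping this device
        b = self.baselines.setdefault(obs.device, Baseline(self.window))
        if b.samples and obs.ts - b.last_ts > self.max_age:
            # Contextual freshness: a baseline older than max_age no longer describes the device.
            b.samples.clear()
            self.strikes[obs.device] = 0
            b.samples.append(obs)
            b.last_ts = obs.ts
            return "stale-relearn"
        if len(b.samples) < self.warmup:
            b.samples.append(obs)
            b.last_ts = obs.ts
            return "learning"
        (mr, sr), (mp, sp) = b.stats()
        z = max(abs(obs.msg_rate - mr) / sr, abs(obs.payload - mp) / sp)
        b.last_ts = obs.ts
        if z > self.z_limit:
            self.strikes[obs.device] += 1
            if self.strikes[obs.device] >= self.strike_limit:
                self.revoked.add(obs.device)   # hand-off point to the backend's revocation
                return "revoke"
            return "anomaly"
        self.strikes[obs.device] = 0
        b.samples.append(obs)       # only observations judged normal update the baseline
        return "normal"


def constructed_stream() -> List[Observation]:
    t0 = 1_700_000_000   # constructed epoch
    stream: List[Observation] = []
    # sensor-7: calm warm-up, one more calm minute, then a sustained publish burst.
    calm_then_burst = [(10, 120), (11, 118), (9, 122), (10, 120), (10, 120),
                       (10, 121), (60, 120), (65, 120), (70, 120), (10, 120)]
    for i, (rate, size) in enumerate(calm_then_burst):
        stream.append(Observation("sensor-7", t0 + 60 * i, rate, size))
    # sensor-9: calm warm-up, then an hour of silence before it reports again.
    for i, (rate, size) in enumerate([(5, 80), (5, 81), (6, 80), (5, 79), (5, 80)]):
        stream.append(Observation("sensor-9", t0 + 60 * i, rate, size))
    stream.append(Observation("sensor-9", t0 + 60 * 4 + 3600, 5, 80))
    return sorted(stream, key=lambda o: o.ts)


def run_demo() -> Dict[str, List[str]]:
    monitor = DynamicMonitor()
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for obs in constructed_stream():
        verdicts[obs.device].append(monitor.observe(obs))
    return dict(verdicts)


if __name__ == "__main__":
    for device, history in run_demo().items():
        print(device, " ".join(history))
```

Two design choices carry the slide's point. Anomalous observations never feed the baseline, so a slow attacker cannot train the monitor into accepting the burst as the new normal; and revocation is a decision returned to the messaging layer rather than a log line, which is the "revocation abilities: leveraging comms. & backend" item in practice. The stale-relearn branch is the freshness item: a baseline learned an hour ago is not evidence about what the device is doing now.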
Dynamic Security Building Blocks
AI
AI + Big Data + Analytics
AI + Big Data + Analytics + ML/DL
Data → Information → Actionable Intelligence
  Action is the next big thing
Professor Karl Friston, University College London
“Order of Magnitude Labs”, etc.
Dynamic Security and Data
Dynamic Security in theory improves with scale
IOT = more data
Challenges
Baselining
  Curse of dimensionality
Requires cooperating systems
  Among mutually-distrusting actors
Privacy
  Data sharing: digital equivalent of cognitive dissonance
  DataHub @ MIT CSAIL: very promising project
  Sandy Pentland, Thomas Hardjono, et al.
Challenges (cont’d)
simple correlations
statistical significance
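The "curse of dimensionality" under Baselining on the previous slide and the "simple correlations" versus "statistical significance" pairing here are the same problem seen twice: the more telemetry features a baseline scans, the more of them will correlate with an outcome by chance alone. The following is an added example, not code from the talk: a constructed fleet of 40 devices with one label and 200 pure-noise features, plus one feature that genuinely tracks the label. A naive scan at p < 0.05 reports several noise features as "findings"; correcting the threshold for the number of tests (Bonferroni, the simplest such correction and my choice here, not the speaker's) keeps the real signal and drops the noise. The dataset, the feature count and the seed are constructed assumptions.

```python
"""Why "simple correlations" are not "statistical significance" (added example).

Constructed experiment: 40 devices, one binary label per device, 200 telemetry
features generated independently of the label, and one planted feature that does
track it. Scanning every feature for correlation with the label at the usual
p < 0.05 "finds" noise features, because with 200 tests roughly 5% pass by chance.
Correcting the threshold for the number of tests removes them and keeps the signal.
"""
import math
import random
from typing import Dict, List, Tuple


def pearson(xs: List[float], ys: List[float]) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:        # a constant column carries no correlation
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def p_value(r: float, n: int) -> float:
    """Two-sided p-value via the Fisher z-transform: atanh(r)*sqrt(n-3) ~ N(0,1) under H0."""
    r = max(-0.999999, min(0.999999, r))    # keep atanh finite
    z = math.atanh(r) * math.sqrt(n - 3)
    return math.erfc(abs(z) / math.sqrt(2))


def scan(features: List[List[float]], labels: List[float],
         alpha: float = 0.05, correct: bool = False) -> List[Tuple[int, float]]:
    """Return (feature index, r) for every feature whose correlation with the label
    is significant; with correct=True the threshold is alpha / number_of_tests."""
    threshold = alpha / len(features) if correct else alpha
    hits = []
    for i, column in enumerate(features):
        r = pearson(column, labels)
        if p_value(r, len(labels)) < threshold:
            hits.append((i, r))
    return hits


def constructed_dataset(n_devices: int = 40, n_features: int = 200, seed: int = 7):
    rng = random.Random(seed)
    labels = [float(rng.random() < 0.3) for _ in range(n_devices)]
    features = [[rng.random() for _ in range(n_devices)] for _ in range(n_features)]
    # Feature 0 is the one real signal: the label plus a little noise.
    features[0] = [lab + 0.3 * rng.random() for lab in labels]
    return features, labels


def demo() -> Dict[str, object]:
    features, labels = constructed_dataset()
    naive = scan(features, labels)
    corrected = scan(features, labels, correct=True)
    return {
        "naive_hits": len(naive),
        "expected_noise_hits": 0.05 * (len(features) - 1),
        "bonferroni_hits": len(corrected),
        "bonferroni_idx": [i for i, _ in corrected],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The practical reading for an IoT baseline: every feature added to a behavioral model is another hypothesis test run on every device, so the significance bar has to rise with the feature count, or the "anomalies" the model reports will be mostly coincidence. The correction used here is deliberately the crudest one; the point is that some correction is required, not which one.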
Conclusion
Summary
Static Security has already reached its limits
Dynamic Security is the natural next step
Prerequisite technologies exist
  Big challenge is composing a cooperative flow
  Both on business and technical fronts
Until and unless Dynamic Security is the norm, hackers win
Static Security will still be required for the foreseeable future
Apply
You have entered IOT whether or not you know it
Identify which security is your reference: Static or Dynamic?
  Follow the data and who processes it
  Do you need to know the attack vector ahead of time?
Start creating data models to reason about your system security
Do not throw away Static Security measures
  Augment them by Dynamic Security
Thank You!
Hadi [email protected]
@hadinahari
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470624469.html