Security for Internet of Things (IoT) Devices www.opaq.com


Post on 28-May-2020



Contact: [email protected] www.opaq.com

Table of Contents

Introduction
The Challenge
The OPAQ Solution
Security Functions that Support IoT
Example Use Cases for IoT
Conclusion


[1] Siobhan Gorman, Wall Street Journal, "China Hackers Hit U.S. Chamber," Dec. 21, 2011

Introduction

The Internet of Things is comprised of specialized electronic devices with embedded computers connected to networks. IoT devices serve a broad range of functions in our homes (and on our bodies); in commercial and enterprise businesses; and in public utility and industrial systems. Such devices will soon outnumber humans on the planet 2:1. Very few of these devices were engineered with inherent cybersecurity protections or controls, including the basic capabilities to authenticate users and upgrade firmware or software.


The Challenge

A key security challenge most IoT devices present is that they autonomously follow their embedded programming to communicate with cloud or on-premises systems or other IoT devices while enabling few security controls and presenting users few options for adding them. Nevertheless, at their core most IoT devices are running some derivative of a general-purpose open source operating system that can be repurposed by bad actors to do bad things.


These conditions result in several types of serious security risks. Compromised devices can be used as entry points into business networks, opening the broader network up for further entrenchment by an attacker. The network is then vulnerable to malicious activity such as a ransomware attack or a data breach.

Some years ago, computer systems operated by the U.S. Chamber of Commerce were attacked [1], leading to significant data loss. Forensic research indicated the attackers utilized room thermostats and office printers to maintain a backdoor on the organization’s network, thus enabling a continued presence even as workstations and servers were cleaned up. The threat of persistence via IoT devices has only increased in recent years as these sorts of devices have proliferated.


Another substantial risk is that compromised IoT devices can be brought under control by an outside force and directed to perform malicious acts outside the organization’s network.

An external command and control (C&C) server communicates with the devices to direct their nefarious activities. In 2016, hundreds of thousands of compromised IoT devices such as surveillance cameras and residential routers were controlled by the Mirai botnet, which subsequently attacked the Dyn Internet domain name service. The hours-long denial of service attack caused dozens of major Internet platforms and services to become unavailable to large swathes of users in Europe and North America.

With minimal onboard security controls in these devices, the only recourse security managers have had was to inventory, monitor and isolate them to the best of their ability.

In a world where light bulbs, coffee makers, and smart watches are Wi-Fi-enabled, just keeping knowledgeable about all IoT devices that have been introduced into an environment is a Sisyphean task.

Understanding normal communications behavior and creating policies to enable just these behaviors while detecting and blocking others is more than can be reasonably accomplished in all but the most sophisticated security environments.

As a result, where practical, companies may partition off network segments dedicated to IoT devices. However, many organizations are not doing that, particularly resource-constrained midsize enterprises that struggle to even maintain basic security hygiene. Organizations need an easy-to-deploy, non-disruptive, yet robust security solution to help them effectively reduce security risks inherent in IoT devices.


The OPAQ Solution

OPAQ’s Security-as-a-Service cloud platform is comprised of fully-integrated products that are configured, operated and managed from a single interface. The OPAQ cloud platform comes with integrated and automated security features for IoT that are configured through the portal and delivered via an agent and the cloud service.


With the OPAQ Cloud, segmenting IoT devices on internal networks can be accomplished without wrestling with complex switch configurations or sniffing network traffic to develop policies. Rather, OPAQ uses endpoint agents on Windows, macOS, and Linux that provide visibility into internal network traffic and enable Software-Defined Network Segmentation. A single security policy configured in the OPAQ cloud portal orchestrates the delivery of security across all endpoint and network security capabilities within the OPAQ platform, eliminating much of the cost and complexity involved with traditional network security.


How It Works

[Figure: "OPAQ: Enterprise-Grade Security from the Cloud. Simplifying the way security is delivered." Network + Security Integrated into a Single Cloud Platform. Diagram labels: data center, offices, and remote users; 3rd party and IoT; web applications and mobile; cloud IaaS and SaaS; hybrid IT; fully encrypted SD-WAN; integrated security capabilities delivered from the cloud (Firewall-as-a-Service, Web Application Firewall-as-a-Service, Endpoint Protection, Cloud SIEM); a single monitoring, management, and reporting portal.]

The OPAQ cloud platform is a self-contained cloud service with ISP-grade peering to most major SaaS vendors and OPAQ’s proprietary, secure SD-WAN. OPAQ modular products, all deployed at the click of a mouse, include Firewall-as-a-Service, Web Application Firewall-as-a-Service, Endpoint Protection, and Cloud SIEM.

The flexibility of the OPAQ Cloud enables security managers to select the precise level and functionality required for their specific application, all without writing a single line of integration code or deploying any products, save the endpoint agent that provides control, connectivity and inventory over hosts—all centrally managed from the OPAQ Cloud portal.


Security Functions that Support IoT

Like any security operation, IoT security consists of five basic functions, all of which the OPAQ cloud platform supports:

1. Identification – Knowing what IoT devices are connected to your network is half the battle

2. Protection – Hardening of the environment, reducing the attack surface area (of the IoT devices and from them), network segmentation and access controls

3. Detection – Monitoring for threats to and from IoT devices

4. Response – Taking immediate action to neutralize threats

5. Recovery – Clean-up to restore normal or enhanced operations following an incident

Functions: Identification, Protection

OPAQ Product | Feature | Description
Firewall-as-a-Service | Palo Alto Networks App-ID | Automatically classify IoT traffic using Palo Alto Networks App-ID
Firewall-as-a-Service | Unmanaged Host Detection | Detect unmanaged hosts (those without OPAQ agents)
Endpoint Protection | Asset Hardware & Software Inventory | Collects inventory information from network-connected devices
Endpoint Protection | Palo Alto Networks C&C Sinkholing | Redirects IoT bot command and control domains to a sinkhole address
Endpoint Protection | Software-Defined Network Segmentation | Redirects IoT bot command and control domains to a sinkhole address
Endpoint Protection | Software-Defined Network Access Control | Prevent IoT and other unmanaged devices from communicating with managed hosts


Functions: Protection (cont’d.), Detection, Recovery, Response

OPAQ Product | Feature | Description
Web Application Firewall-as-a-Service | Cloudflare IP Reputation Blocking | Blocks access to IP using shared network intelligence
Firewall-as-a-Service | Firewall Policy Configuration | Inbound, Outbound and Internal firewall policy configuration console
Firewall-as-a-Service | Palo Alto Networks Threat Prevention | Inbound, Outbound and Internal firewall policy configuration console
Endpoint Protection | Software-Defined Network Segmentation Policy | Network segmentation policy configuration by user or host groups
Firewall-as-a-Service | Palo Alto Networks Threat Intelligence | Global store of threat intelligence that informs threat prevention
Cloud SIEM | Log Analysis Workbench | Security log aggregation, normalization and analysis console
Web Application Firewall-as-a-Service | Cloudflare DDoS Protection | Anticipates and Stops DDoS attacks to or from you
Endpoint Protection | Host Analysis Workbench | Network access control policies
Endpoint Protection | Host Analysis Workbench | Console for the investigation of traffic or inventory anomalies
Endpoint Protection | Device Quarantine – Manual or Automatic | Instantaneous capability to remotely quarantine compromised devices

Note that except for the endpoint agent (which is deployed to workstations, servers and mobile devices) and an optional edge-connect device, the entire security stack is hosted and operated from the OPAQ Cloud.

OPAQ Product | Feature | Description
Cloud SIEM | Log Analysis and Reporting | Security log collection, transformation and metrics generation
Cloud SIEM | Controls Monitoring and Reporting | Security technical controls compliance mapping, monitoring and reporting
Endpoint Protection | East/West Traffic Behavioral Learning | UDP/TCP traffic monitoring and learning of “normal” behavior for constructing policies


Example Use Cases for IoT

Here are just a few examples of how the OPAQ solution can strengthen network security for IoT.

Prevent unwanted internal traffic originating from IoT devices

OPAQ Endpoint Protection includes a software agent that installs on devices running Windows, Linux or macOS. This agent enforces access control policies and monitors all communications behavior. IoT devices on a business network might not run the endpoint agent; however, adjacent servers and workstations will. For example, in an industrial control system where programmable logic controllers (PLCs) cannot run third-party endpoint agents, the PLCs often communicate with a Windows-based workstation that can run it. With a security policy, the organization can prevent IoT devices from communicating across the network to workstations that aren’t expecting such contact. This prevents a compromised IoT device – perhaps a thermostat or printer – from transmitting a malicious payload like malware to other devices on the network.

Prevent unwanted Internet traffic originating from or going to IoT devices

OPAQ Firewall-as-a-Service (FWaaS) is hosted in the OPAQ Cloud, which makes it easier for an organization to administer its firewall(s). The default security posture of the OPAQ cloud-based firewall is that all outbound traffic from an organization’s network is prohibited unless it is explicitly authorized. Concerning IoT traffic to and from the Internet, this security posture prevents communications with IP addresses that are not on a whitelist of addresses that a device needs to communicate with, such as the device manufacturer’s website. Therefore, traffic will be blocked to or from command and control servers that could take illicit control of the IoT device.
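Both use cases above come down to a default-deny policy with explicit allow rules for traffic leaving IoT devices. The following is an added example, not OPAQ's code or policy format; the addressing plan, ports, rule notes and flow records are constructed assumptions. It evaluates sample flows against such a policy and reports which ones would be dropped.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption): one IoT segment inside a 10/8 site.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    src: str    # IoT host or network the rule applies to
    dst: str    # destination host or network it may reach
    proto: str
    port: int
    note: str

# Explicit allow rules; IoT traffic that matches none of them is denied.
ALLOW = [
    Rule("10.50.0.21/32", "10.20.0.10/32", "tcp", 8443, "PLC to its paired workstation"),
    Rule("10.50.0.30/32", "203.0.113.0/28", "tcp", 443, "thermostat to manufacturer service"),
]

def evaluate(flow):
    """Return (verdict, reason) for a flow dict with src, dst, proto, port."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in IOT_NET:
        return ("out-of-scope", "source is not in the IoT segment")
    for rule in ALLOW:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (flow["proto"], flow["port"]) == (rule.proto, rule.port)):
            return ("allow", rule.note)
    scope = "internal" if dst in INTERNAL_NET else "internet"
    return ("deny", f"no allow rule for IoT-to-{scope} traffic")

def blocked(flows):
    """Flows from the IoT segment that the default-deny policy would drop."""
    return [f for f in flows if evaluate(f)[0] == "deny"]

# Constructed flow records for illustration (not real traffic).
FLOWS = [
    {"src": "10.50.0.21", "dst": "10.20.0.10", "proto": "tcp", "port": 8443},
    {"src": "10.50.0.30", "dst": "203.0.113.5", "proto": "tcp", "port": 443},
    {"src": "10.50.0.30", "dst": "10.20.0.44", "proto": "tcp", "port": 445},
    {"src": "10.50.0.40", "dst": "198.51.100.77", "proto": "tcp", "port": 23},
    {"src": "10.50.0.21", "dst": "10.20.0.10", "proto": "tcp", "port": 3389},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, evaluate(f))
```

The last sample flow shows why rules are matched on protocol and port as well as on the host pair: the PLC may reach its paired workstation, but only on the one service that was authorized.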

Conclusion

The OPAQ cloud platform provides a full range of security operations functions - from identification of devices through protection, detection, response and recovery. The OPAQ Cloud can accommodate legacy IoT devices with weak security controls as well as modern devices. The flexibility and modularity of the OPAQ Security-as-a-Service platform presents a unique opportunity for security operations to include IoT controls with enterprise-grade security afforded to other network devices.

About the OPAQ Cloud

OPAQ is the premier network security cloud company. The OPAQ Cloud empowers midsize enterprises with Fortune 100-grade security-as-a-service on a fully encrypted SD-WAN optimized for speed and performance. With OPAQ, service providers and their midsize enterprises are equipped with a simplified ability to centrally monitor security performance and compliance maturity, generate reports, manage security infrastructure, and enforce policies – all through a single interface. For more information, visit opaq.com.
