Question: What do you do when you can't patch your IoT endpoints?
Dr. Mike Lloyd, CTO of RedSeal: Internet of Things devices are great because they aren't as complicated as phones, laptops, or servers. General-purpose computers cause headaches. Unfortunately for security, IoT devices are also a curse for the same reason – precisely because they aren't flexible. The security toolchain and ecosystem we've built up assumes we can put stuff on network endpoints, but IoT "things" are different. Agents? Scanning? Patching? Antivirus? None of that works in the new world of IoT widgets. Worse, many of these devices are built en masse by companies focused on price point, with no intention of supporting patching.
The answer, in a word, is segmentation. You have to treat these fragile endpoints like the boy in the bubble: They have a compromised immune system, so isolate them from the digital germs being cooked up continually around the Internet.
Do your smart lightbulbs really need open access to your databases? Probably not. Industrial networks know this; they were traditionally air-gapped (although that has broken down over time). Segmentation is easy in principal – just separate the network you use for X for the one you use for Y. The reason to do so is clear: You want to limit the blast radius. But the inconvenient truth is that segmentation is hard. Defenders have to map out their zones and ensure the as-built matches the as-designed. This requires diligence, but it's a great job for automation. Software can be taught to find any defensive gaps.
Do you have questions you'd like answered? Send them to [email protected].