Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

10/29/2019
09:50 AM
Dr. Mike Lloyd
Dr. Mike Lloyd
Edge Features
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

What Do You Do When You Can't Patch Your IoT Endpoints?

The answer, in a word, is segmentation. But the inconvenient truth is that segmentation is hard.

Question: What do you do when you can't patch your IoT endpoints?

Dr. Mike Lloyd, CTO of RedSeal: Internet of Things devices are great because they aren't as complicated as phones, laptops, or servers. General-purpose computers cause headaches. Unfortunately for security, IoT devices are also a curse for the same reason – precisely because they aren't flexible. The security toolchain and ecosystem we've built up assumes we can put stuff on network endpoints, but IoT "things" are different. Agents? Scanning? Patching? Antivirus? None of that works in the new world of IoT widgets. Worse, many of these devices are built en masse by companies focused on price point, with no intention of supporting patching.

The answer, in a word, is segmentation. You have to treat these fragile endpoints like the boy in the bubble: They have a compromised immune system, so isolate them from the digital germs being cooked up continually around the Internet.

Do your smart lightbulbs really need open access to your databases?  Probably not. Industrial networks know this; they were traditionally air-gapped (although that has broken down over time). Segmentation is easy in principal – just separate the network you use for X for the one you use for Y. The reason to do so is clear: You want to limit the blast radius. But the inconvenient truth is that segmentation is hard. Defenders have to map out their zones and ensure the as-built matches the as-designed. This requires diligence, but it's a great job for automation. Software can be taught to find any defensive gaps.

Do you have questions you'd like answered? Send them to [email protected].

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dr. Mike Lloyd, CTO of RedSeal, has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Mike was CTO at RouteScience ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
11/21/2019 | 2:02:02 PM
Slowly migrate them off the network
If the organization was able to purchase them, then there should be no reason why they can buy more or at least put in the budget. If we are talking about NOW, then use NAC (Network Access Controls) devices and put them behind that device, that way only specific users and applications can access them.

Todd
The Edge Cartoon Contest: You Better Watch Out ...
Flash Poll