How connected assets create security blind spots

Without unified asset visibility and intelligence across the attack surface, there is no security in the modern enterprise, says Desiree Lee, chief technology officer for Data at Armis

At what pace has the connected asset environment accelerated in recent years?
It’s expanding rapidly. There’s been a dramatic increase in both the number and types of devices on networks, many of which companies depend on as a critical part of what makes their business run. By 2025 the number of connected assets will go beyond anything we could have imagined just a few years ago. The biggest change is the migration away from traditional assets – computers filling up the networks and doing the work – to a whole host of other devices. As many as 75% will be non-IT assets containing embedded software. It’s not just controllers that happen to be online. It’s also industrial robots, for instance, in facilities that organisations rely on. Most companies haven’t been able to keep up with this pace of change.

How many of these connected assets are designed for security-first?
They weren’t really designed with security in mind at all. If you have any infrastructure network, manufacturing network or even just a business that’s been around for longer than 20 years, you will no doubt have legacy devices. If you’re in the energy sector, as one example, legacy devices made 20 years ago are what run your business, and they were certainly not designed with security in mind. They were simply built to function, and they’re unmanageable by agents today. The saving grace has been that attackers are generally only now starting to gain the specialist knowledge to understand these kinds of devices that run factories, control dams, water treatment facilities and the like. Until fairly recently businesses were kept reasonably protected, at least relative to how exposed they are. But that’s changing very fast.

Just how exposed are companies to these kinds of threats?
If companies knew how exposed they were on a foundational level, they wouldn’t be so worried about the niche, high-skill attacks from nation states. They’d be far more worried about the openings and gaps that are making them vulnerable to less-skilled attackers. While companies prioritise the subset of traditionally well-safeguarded assets, bad actors are keenly focused on the vastly expanded attack surface of assets inside and outside the perimeter. Assets not actively monitored by security tools or tracked across the attack surface are effectively invisible, and if unchecked bring an uncalculated risk of exposure. Feeble in-depth defences from the edge to the data centre give adversaries the upper hand. The increasing frequency and sophistication of operational technology (OT) attacks is a wake-up call to all asset operators, controls engineering teams, IT network operations and cybersecurity teams.

Asset-centric security is a more realistic way of getting at data-centric security. Through this approach, it’s far easier to categorise an asset. You can say this asset is part of a system that we know has sensitive data somewhere in it

In which industries are you seeing at a particularly heightened risk exposure?
Manufacturers and healthcare providers are key sectors for IoT, but we are also seeing retail experience a surge. Even though retail is not manufacturing, retailers have distribution facilities and their lack of IoT security means they are a target. If you’re in energy or manufacturing, you’ve had this understanding of lots of different devices in your environment for a while. But big retailers with thousands of stores effectively don’t know what’s in them. They’re not used to working with those devices, but they are getting breached through them.

What are potential consequences of a cyberattack on connected assets?
There are a couple of primary goals for cybercriminals. Ransomware is typically an economically motivated attempt to lock up your data until you pay to get it back. That can be very costly financially. But nation state attacks, or really targeted attacks, don’t always have economic motives. Like with the famous NotPetya attack, attackers might be simply trying to destroy the data to thwart operations. On infrastructure attacks, specifically, the goal could be to disrupt or alter what’s happening with, for instance, water treatment. Stuxnet is the most famous OT cyber attack and it ruined a large chunk of Iran’s nuclear centrifuges. As well as causing significant economic, operational and reputational damage, cyberattacks on connected assets can also cause environmental hazards and even threaten people’s safety.

Why do companies need to shift from data-centric security to asset-centric security?
For a long time enterprises tried to implement a data-centric approach to security but this has mostly failed due to the unstructured nature of data. Data-centric security sounds great until you realise it requires a whole bunch of teams in your organisation to go through each device and try to code the individual bits of data on it as high risk or not sensitive. It is incredibly difficult to catalogue and categorise data, and beyond the reach of most organisations. They might have started the project, but they certainly haven’t finished it. Asset-centric security is a more realistic way of getting at data-centric security. Through this approach, it’s far easier to categorise an asset. You can say this asset is part of a system that we know has sensitive data somewhere in it. That’s far simpler than saying ‘here’s the sensitive data on this asset’ and then doing that thousands of times. Moving to an asset-centric approach allows for far quicker implementation of security controls, which then better addresses the needs of the modern enterprise, reduces time to value and increases the ROI on the security investment.

How is Armis helping organisations to secure their connected assets?
Armis’s unified attack surface management platform provides complete visibility with intelligence to secure every asset across the attack surface. We have the ability, in an automated way, to discover assets, identify what they are and also identify what they’re doing. That last piece is critical to understanding the risk of your assets. If it’s an internet-connected server, you know the risk is much higher and the data it has on it is less protected. If it’s a server that’s talking to a bunch of databases, you have an idea that the server is part of a complex system with sensitive data on it. Having an automated way, with human readable device context, to catalogue and categorise asset risk is a huge, foundational part of security. If you can’t identify and quantify risk and see where the gaps are in your environment, it’s simply a matter of time until you are breached and feel the full force of a severe cyberattack.

For more information, visit armis.com

Promoted by Armis