Interview by Francisco Maroto – CEO OIES Consulting
Date: 25 August, 2016
Director Projects – CEO’s Office at Subex Ltd
I never tire of repeating, time and again, the importance of one of the greatest concerns in the Internet of Things (IoT): security.
There have already been many data breaches where smart devices have been the target. But unfortunately, in the IoT ecosystem, first to market is a huge competitive driver, so this means that security is many times sacrificed for speed to release. Businesses and consumers need to demand security from IoT vendors and regulators.
Today the Director Projects – CEO’s Office at Subex Ltd responds to my questions about the “Past, Present and Future in IoT Security”. Take a look.
Oies – As you know, the meaning of IoT Security is not well defined, and if you ask 20 people, you would get almost 20 different answers and most would be correct. Let's start this interview by asking you: what is IoT Security for Subex and why did your company develop an IoT Security Solution?
Subex: At the outset, thank you for the opportunity for this interview. An IoT deployment involves multiple systems that include devices, the connectivity, IoT platforms, gateways, field gateways, load balancers, web services, certificate servers, databases, etc.; a true IoT security solution should be able to secure all of this infrastructure seamlessly and should be in a position to correlate events from all of these sources to detect and mitigate threats. The IoT security system should be capable of identifying specific IoT protocols such as MQTT, AMQP, CoAP, STOMP, Zigbee, Z-Wave and any other custom protocols, and of understanding the nature of the topology and communication patterns used in the specific deployment.
As for why IoT security for Subex? Subex has been a market leader in the fraud and security business with over 200 customers and 300 installations worldwide. The attack surface that IoT presents is multiple times larger than the traditional IT scale that incumbent security providers aren’t capable of securing. Subex’s ability to process big data to secure a large number of devices and our pedigree in providing telco scale and telco grade solutions makes IoT a natural vertical that we can cater to.
Oies – In the latest Vodafone Barometer Report 2016, we read regarding IoT Security that “Enterprises are more concerned about data protection than about device or network security”. Are you surprised about this conclusion? Do you believe the results will be different if the information of all IoT breaches and attacks were available?
Subex: This is surprising and not so surprising at the same time. It is not surprising because this result is an indicator of what most enterprises perceive as the threat of IoT; they tend to equate IoT breaches with IT breaches because that’s the traditional view towards security. Unlike traditional breaches, an IoT breach is not just a data breach, but also a control breach.
The spate of high profile IoT breaches such as the Jeep Hack, Lizard Stresser, Medical pumps, etc. were less about data and more about taking control of the device. Such hacks are potentially life threatening. Devices inherently contain very little data and there could be some PI information that should be protected but the larger threat from IoT breach is the loss of control of the device and the havoc such a breach could have on the device’s environment and the people using the device.
Oies – IoT industry solutions, by default, are complex, they are made up of many parts, from the devices installed in connected assets, through network connections to back-end systems that are hosted in data centers. What assets is Subex IoT Security Solution protecting? and what are the benefits to the customers that deploy Subex IoT Security solution?
Subex: Subex focuses on securing three areas of any organization: the Customer, the Brand and the Device.
We have seen numerous instances where there has been loss of personal data which is sensitive in nature, loss of control over a connected device and loss of privacy, which are some of the major concerns that a customer is often worried about.
When a device is compromised, often these are rendered inoperable, there is loss of intellectual property and also when a device is compromised, it needs to be patched. OTA may not be possible and fixing costs may run very high.
Every time a security threat occurs in any organization, it makes it to the media, thus causing reputation damage and loss of business. Companies like Target and Asus are classic examples of such an event. The compliance costs associated with such events are very high as well.
Since the inception of Subex Secure, securing these 3 areas has been the foundation of our product.
IoT Ecosystems tend to be extremely complex. A typical deployment includes multiple systems such as platforms, databases, mobile apps, load balancers, web interfaces, certificate servers, etc. All of these systems expose interfaces that can present vulnerabilities to the IoT deployment. A true IoT security solution should be able to secure all these components and should be able to understand traffic from OSI layer 3 to OSI layer 7.
A possible solution is to incorporate multiple systems that detect vulnerabilities across OSI layers 3-7 such as an intrusion detection system (IDS), a web application firewall (WAF) and a Security Incident and Event Management system (SIEM) with a built-in log analyzer. However, interfacing these systems and correlating events between them could be extremely challenging.
Subex Secure monitors threats from layer 3 of the OSI stack, all the way up to the application layer (layer 7). As stated earlier, an IoT deployment encompasses a wide array of systems that need to be monitored through multiple mechanisms, Subex Secure achieves this by using an extensible architecture capable of accepting multiple types of input feeds and correlating the data from these feeds to look for patterns and threat vectors. This contextual awareness of the solution provides robust end to end monitoring of any IoT deployment.
Subex Secure uses a three-tier detection strategy to identify threats as they occur on the network. Each tier monitors one or many feeds to secure the IoT Ecosystem. The tiers are signature-based detection, heuristics and anomaly-based detection.
Subex Secure monitors entities within the IoT ecosystem. Entities include end devices, hubs and other such elements. If a vulnerability is detected, an alarm is raised on the entity. The system uses correlation algorithms to collect all vulnerabilities associated with this entity (alerts) and presents them in a unified view along with the participating records (packets, logs, etc.) chronologically. Part of the correlation is Subex’s patent pending machine learning based Alarm Qualification engine. The presentation of a consolidated alarm with all the records that participated in the vulnerability, enables quick investigation and turnaround times while responding to threats.
Apart from a robust and holistic security solution that secures your IoT deployments, Subex also provides analytical services to the customer to derive key information critical to the company’s business.
With all the data that is processed from various sources such as the device, the network etc. Subex has this ocean of information which many other task focused downstream systems may be unaware of and which most of the other security solutions out there do not leverage.
Subex is capable of profiling entities within an IoT ecosystem, these include customers, devices, the network, etc. Data collected for these profiles can then be mined to provide security analytics, network analytics, B2C/B analytics and marketing analytics.
Oies – In the absence of standards in IoT, there are many battles (protocols, platforms, networks, ...). Does Subex, as a leading global provider of Business and Operations Support Systems (B/OSS) for communications service providers (CSPs), see a winner in the IoT networks battle? Is your IoT Security solution network agnostic, I mean, can the solution be used with existing cellular, satellite, Wi-Fi, ... and new networks like LoRa, SigFox, Ingenu, LTE, ...? What is the danger of taking M2M communications to the Internet of Things?
Subex: Our opinion is that the IoT market is big with enough variations and use cases for every one of the providers to survive and thrive. The market is also relatively new and it is too early to pick a winner among all the providers. Considering the nascent nature of the technology the best providers will move forward through partnerships and affiliations.
Subex actively seeks out partnerships with large IoT platform vendors, system integrators and device manufacturers to bring in out-of-the-box functionalities to its security solution. These partnerships allow Subex Secure to integrate the solution into the IoT ecosystems seamlessly. Some of the benefits of Subex’s partnerships are off the shelf capability to integrate with APIs offered by other vendors for data capture, device quarantining, remote attestation and device patching. IoT continues to be an evolving landscape with no standards and consensus, in such a scenario inclusive agreements benefit both Subex Secure and its customers.
Subex Secure is capable of securing well-known network protocols and architectures such as Wi-Fi, LTE, Zigbee as well as any of the new network architectures that you have mentioned. We have designed our solution keeping in mind the evolutionary nature of the technologies that IoT presents, with an emphasis on the ability to quickly react and configure our system to accept data from existing and new network types.
Oies – What are the industries and use cases that can benefit more out of Subex’s IoT Security solution? What do you think is the biggest threat to IoT around the world?
Subex: We will start by answering the second part of the question first. Over the last couple of years, the media crescendo around hacking and privacy has reached a very high pitch, starting from the Target hack to the 60 Minutes documentary featuring the hacking of a congressman’s cellphone. Hacking has entered mainstream media with the Mr. Robot TV series. The backlash to the NSA decryption program Bullrun is well documented. The average customer is becoming aware of and concerned about the diluted nature of security being implemented in everyday products. The media focus on IoT security is increasing and, coupled with growing consumer concerns, could potentially curtail IoT adoption. Surveys have shown that security remains the biggest barrier to IoT adoption. Unless the industry takes appropriate steps to counter these fears, there is a likelihood that the promise that IoT provides will not find takers simply because security is not addressed and consumers do not feel comfortable enough.
Any system with a connected device can be secured using Subex Secure. The solution is flexible to meet the needs of most IoT verticals. Subex maintains a honeypot network focused on IoT with an ever increasing list of architectures and configurations to emulate devices, protocols and deployments of most verticals. We are making investments in SCADA and OPC-UA to understand OT deployments better and help secure the convergence of IT and OT systems.
Oies – What trends do you predict for the future of IoT Security?
Subex: The IoT security market size is estimated to be around $37 billion by 2021, growing at a CAGR of 36%. We expect many more players to try and enter this market but Subex, with its early mover advantage, should be able to maintain a strong beachhead for market expansion.
Security is a ground up problem and we expect device manufacturers to factor security in from the device design stage of the product lifecycle. As standards get defined around IoT, security will become ubiquitous with features such as remote attestation being built into the device and their solutions. The next couple of years are going to be truly exciting and we look forward to the innovation that we, our partners and customers will jointly bring to the market.
Oies – What are the challenges in gaining customer trust in IoT?
Subex: Gaining a customer’s trust starts with a compelling use case that the IoT solution provides, which should provide greater benefits to the customer than the value of information that he/she provides. The customer should be assured that the information collected is stored securely and all possible mechanisms are in place to prevent malicious misuse of their information. Adherence to strict compliance standards and publishing of those adherences help. Also, making user agreements less complex and clear about what information is collected, how it is transported and stored, what is done to protect this information and what is done with the information helps; basically, a lot more transparency is needed. It is also important to have clear incident response plans when an event occurs; how a company responds to an incident and the extent they go to safeguard the customer, the service and the brand could also be a testament to their intentions.
Oies – Any additional comments or recommendations you’d like to make concerning IoT security?
Subex: IoT Security is a very important piece in the IoT ecosystem and any organization that is looking at investing in an IoT Security Solution must carefully evaluate all the capabilities of the solution. The threats related to IoT are ever evolving and an IoT Security Solution must not only be effective against existing threats but must also be capable of identifying and mitigating future threats. Also, the IoT Security solution must be one place where all the threats related to IoT can be viewed and actioned upon.
One last thing from my side, remember: “Do not stop asking for security in IoT.”