We’ve taken advantage of the extra time to focus on building proactive IoT cyber solutions
by Curtis Blount, CSO
Everyone is dealing with “the ‘rona” differently. We have to get our work done of course, but maybe we can find time for some DIY projects around the house. I never knew my sons actually liked painting and learning how to do electrical and plumbing. But it takes their minds off being stuck in the house, and it’s a nice distraction from their online college courses.
While the kids are completing those assignments, our dispersed team at InsightCyber has been busy working on NetRadar and refining our business model. With NetRadar, we have been actively discussing and fine-tuning the visualization, dashboards, reporting and the overall look and feel of the platform. We are also working very heavily on the machine learning that provides the foundation of NetRadar’s behavioral/anomaly engine.
Early Returns on Our Research
We currently have several demo and production deployments at both large and small organizations that are testing NetRadar in their IoT and IT networks. In the background, we have been monitoring traffic patterns and finding some very interesting things.
We are looking at the current malware and IoT botnets that are targeting companies with very specific IoT attacks – and we’re learning a lot. For instance, as we were doing our testing and traffic pattern observations, NetRadar detected an unusual pattern of network reconnaissance at one of our client sites.
The client is a mid-sized company and their network is a mix of IT/OT systems. The activity being detected was slow but persistent – and well-disguised to look like normal traffic. And most interesting of all, the client reported no security incidents or impacts during this time.
We traced the suspicious activity back to a pair of application server computers (running on Windows Server), and to a possible infiltration vector through a consumer IoT device.
This client was doing everything right. They had a baseline Windows Server configuration, up-to-date A/V services in the network, and the affected machines were at the vendor-recommended patch level. But endpoint-security software detected nothing.
Of course, we immediately contacted the client and told them of the activity. They reinstalled the OS on the affected machines and the activity ceased immediately.
This is a perfect example of the power of advanced data collection with behavioral/anomaly analytics to deliver proactive cybersecurity. The customer was able to forestall any incidents that would eventually have resulted from an unknown infiltration that evaded all their standard defenses. The cost was a small fraction of what it would have taken to respond to an actual incident.
By incorporating ML-based anomaly and behavior-based detection, NetRadar looks well beyond the individual network layers (1 through 7) and into protocol behavior. It goes well beyond the SIEM model.
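The incident above is a textbook case of activity that a per-hour scan threshold never sees but a per-host behavioral baseline does. The following is an added illustration, not InsightCyber or NetRadar code: two detectors run over constructed flow records. One host (app-02) touches only two previously unseen internal addresses per hour, so its hourly fan-out stays below a classic rate threshold, but over a day its count of never-before-seen peers is far outside the baseline learned from seven quiet days. All hostnames, addresses, ports and the baseline tolerance rule are assumptions made for this example.

```python
"""
Added example, not InsightCyber's or NetRadar's code: a minimal baseline-vs-observed
detector for low-and-slow internal reconnaissance. A host that touches two new
internal addresses an hour never trips a per-hour scan threshold, but over a day
its count of never-before-seen peers is far outside its own learned baseline.
All hostnames, addresses and flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

HOUR, DAY = 3600, 86400

@dataclass(frozen=True)
class Flow:
    ts: int     # seconds since epoch (constructed)
    src: str    # originating host
    dst: str    # destination host or address
    dport: int  # destination port

# The peers every application server legitimately talks to each hour (constructed).
USUAL_PEERS = [("db-01", 1433), ("dc-01", 389), ("dc-01", 88),
               ("file-01", 445), ("proxy-01", 8080)]

def make_flows(start_day, days, scanner=None, new_per_hour=2):
    """Build synthetic flows: both app servers talk to their usual peers each hour,
    app-01 reaches one benign new update host per day, and `scanner` (if set)
    additionally probes `new_per_hour` previously unseen addresses every hour."""
    flows, probe_counter = [], 0
    for d in range(start_day, start_day + days):
        for h in range(24):
            ts = d * DAY + h * HOUR
            for src in ("app-01", "app-02"):
                flows += [Flow(ts, src, dst, port) for dst, port in USUAL_PEERS]
            if h == 12:
                flows.append(Flow(ts, "app-01", f"update-{d:02d}", 443))
            for _ in range(new_per_hour if scanner else 0):
                probe_counter += 1
                flows.append(Flow(ts, scanner, f"10.0.5.{probe_counter}", 445))
    return flows

def hourly_fanout(flows):
    """Distinct (dst, dport) pairs per (src, hour) bucket."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.ts // HOUR)].add((f.dst, f.dport))
    return buckets

def rate_alerts(flows, threshold=20):
    """Classic scan detector: a host contacting more than `threshold` distinct
    peers within one hour. Low-and-slow activity stays under this."""
    return sorted({src for (src, _), pairs in hourly_fanout(flows).items()
                   if len(pairs) > threshold})

def learn_baseline(training_flows):
    """Per source: the set of peers seen during training and the largest number of
    never-before-seen peers observed on any single training day (the first day is
    warm-up, since everything is new then)."""
    by_day = defaultdict(list)
    for f in training_flows:
        by_day[f.ts // DAY].append(f)
    known, daily_new = defaultdict(set), defaultdict(list)
    first_day = min(by_day)
    for d in sorted(by_day):
        new_today = defaultdict(set)
        for f in by_day[d]:
            if (f.dst, f.dport) not in known[f.src]:
                new_today[f.src].add((f.dst, f.dport))
        for src in {f.src for f in by_day[d]}:
            if d != first_day:
                daily_new[src].append(len(new_today[src]))
            known[src] |= new_today[src]
    return {src: (known[src], max(daily_new[src], default=0)) for src in known}

def novelty_alerts(observed_flows, baseline):
    """Flag sources whose count of never-before-seen peers in the observed window
    exceeds their own baseline by a wide margin. Returns {src: new_peer_count}."""
    new_pairs = defaultdict(set)
    for f in observed_flows:
        known, _ = baseline.get(f.src, (set(), 0))
        if (f.dst, f.dport) not in known:
            new_pairs[f.src].add((f.dst, f.dport))
    alerts = {}
    for src, pairs in new_pairs.items():
        _, base_max = baseline.get(src, (set(), 0))
        limit = max(3 * base_max, base_max + 3)   # tolerate ordinary churn (assumed rule)
        if len(pairs) > limit:
            alerts[src] = len(pairs)
    return alerts

def run_demo():
    """Seven quiet training days, then one day in which app-02 starts probing."""
    training = make_flows(start_day=0, days=7)
    observed = make_flows(start_day=7, days=1, scanner="app-02")
    baseline = learn_baseline(training)
    return rate_alerts(observed), novelty_alerts(observed, baseline)

if __name__ == "__main__":
    rate, novelty = run_demo()
    print("per-hour rate detector:", rate)        # []
    print("baseline novelty detector:", novelty)  # {'app-02': 48}
```

Running the demo shows the rate detector reporting nothing while the baseline detector names app-02 with 48 new peers in a day; app-01, whose single new update host per day is part of its learned baseline, stays quiet. The same structure scales to real NetFlow or Zeek conn records: the features (known-peer set, daily novelty) are cheap to keep per host, and the tolerance rule is what you would tune per environment.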
Fine-Tuning our Approach
The biggest problem in cybersecurity is knowing when you have problems: before they turn into incidents, while there is still time to fix them with something quick and easy. That is proactive security instead of reactive security.
But how do you do that accurately, not to mention cost-effectively and at global scale? To set our goals, we asked ourselves:
What if the network itself could tell you when something is wrong?
What if it could automatically detect signs of unknown malware before there are signatures for it?
What if it could tell you that an industrial machine is operating slightly out of its norms?
What if it could tell you that you have IoT devices that aren’t quite behaving the way you want them to?
And what if it could do all that without architectural changes or deploying new hardware?
That sums up what we’ve spent the past couple of years working on, with a little more time on our hands to focus during lockdown.