Organizations spend more than ever on security, yet the rate and impact of attacks continue to grow. Is a positive or negative security model the right approach to address today’s concerns, specifically to protect IoT devices?

SPOILER ALERT: you need a hybrid model based on behavioral analytics.

Traditional approaches to cybersecurity simply can’t keep pace with attackers becoming increasingly specialized, organized, and sophisticated. Security leaders and practitioners know that a new approach to security is needed, but navigating the myriad buzzwords and claims about artificial intelligence (AI), machine learning (ML), and behavioral analytics can be challenging. With that in mind, I want to explain how and why a new approach using behavioral analytics (including AI/ML analytics algorithms) solves real-world security problems today.

The Negative Security Model

A negative security model will “allow everything” by default while attempting to identify the “bad.” This approach is a mainstay of security tools such as antivirus software or IDS/IPS and has dominated cybersecurity for most of its brief history.

Just as credit card companies use rules and known attributes to identify fraud, negative security controls use rules and signatures to identify known threats previously seen in the wild. When the threat is seen again, security tools can detect and block the malicious traffic, malware, exploit, URL, etc.

Negative security controls are good at identifying known threats. However, tools using these controls can only identify and block what they are told to block. A signature must exist, or a tool must be configured to block malicious activity. Ongoing care and feeding are required to keep tools up to date with the latest signatures and configurations to detect and stop threats.

A negative security model alone is essentially defenseless against widespread zero-days such as the recent Log4j vulnerability, which impacted thousands of enterprise products and created massive exposure for virtually every modern organization.

Depending entirely on negative controls for threats has some serious limitations, and organizations need both negative and positive controls to protect their assets and environments.

The Positive Security Model

A positive security model is the opposite of a negative security model and works by defining allowed actions. Instead of defining a blocklist of “bad” actions, the positive security model defines what is “good” or allowed. Think of positive security as the doorman at an invitation-only party as a simple analogy. Instead of identifying and blocking “bad” attendees, the positive security doorman uses the guest list to define who should be let in.

A network firewall is a classic example of a positive security tool. Only specific, required network ports are open, while all other ports and traffic are denied by default.

A tool using the positive security model can address the shortcomings of a tool using the negative security model by providing a far more proactive approach to security. Instead of constantly chasing the “bad,” a positive model focuses on what applications, users, and devices need to do their job. Everything else is flagged or blocked. It doesn’t matter if an attacker targets a zero-day vulnerability – anything that doesn’t match the “good” list or vastly differs from normal activity will be denied.

As a simple example, attackers often gain initial access to an environment by using phishing emails to get a user to click a link or open an attachment. The attacker can easily evade negative security controls by altering a URL or malware payload. As controls become more sophisticated, so do attackers by changing their tools and methodologies.

Once on a user’s device, the attacker will target other assets in the environment in an attempt to move laterally, often using protocols such as SMBv1 or RDP. Since this movement is outside the norms of valid activity, positive security controls can recognize and deny the abnormal behavior without prior knowledge of the methods used or the specific threat.

Blending Security Models With Behavioral Analytics

To meet today’s security challenges, a blend of negative and positive controls is essential. More importantly, behavioral analytics must be applied to enable a positive security model, control an organization’s complex communication patterns and address security challenges in ways never possible before.

Positive security is more complicated than simply allowing communications or opening ports on a firewall. Instead of focusing on individual traits or indicators, positive security requires understanding the more complicated world of behavior.

Consider the different scenarios of medical devices in a research facility, outpatient care, and a critical care environment. Some of the devices may be similar in make and model; however, their use and criticality in each environment will dictate different requirements, priorities, and risk tolerance.

A system needs awareness of a device’s purpose, the services or assets it needs to access, and how similar devices in the environment behave to provide the right level of protection.

In recent years, anomaly detection and behavioral analytics have been hot topics in security but have delivered mixed results. The ultimate goal for successful solutions today is to leverage behavioral analytics for truly reliable and valuable insights. For that, we need to cover three essentials.

1. Get all the right data from the best sources

Instead of simply identifying specific behavior as abnormal, the goal of positive security is to enforce controls that keep devices and data safe while ensuring each device can function in the environment as needed. Positive security requires a deep understanding of what each device is, its role, purpose, and communication patterns. To get this level of deep understanding requires large amounts of ground truth data. Arguably, the network provides the most accurate and reliable source of data needed to understand this level of detail.

An agent-based approach will result in blind spots across the exploding population of unmanaged devices that include IoT, IoMT, OT, and other connected devices. Agents are notoriously painful to manage, and for many unmanaged devices, agents are either not available or difficult to develop. It’s virtually impossible to ensure agent compatibility with the myriad combinations of connected device hardware, software, and firmware. Agents impact performance in the best case and completely disable devices in the worst case.

Understanding device behavior requires a “show me, don’t tell me” approach, and looking at device communication flows over the network provides the best source of truth.

To quote Batman, “It’s not who you are underneath, it’s what you do that defines you.”

Normal behavior informs the positive security model for a specific device profile, and normal behavior can be determined by baselining communications flows and understanding the systems it communicates with. With this understanding, policies can align with a zero trust framework limiting device communications to the required systems and nothing else.

Ordr collects and analyzes network data to create a baseline of normal behavior, and map communication flows for every device. The baseline for each device is automatically tuned, updated, and compared to the device’s historical behavior and similar devices in the environment. Device flow information is enriched with device context, threat insights (threat intelligence, third-party vulnerability databases, and reputation data), network data (from switches, routers, and wireless controllers), and additional data (IPAM, DNS, CMDB, Active Directory) as we continuously analyze the activity of every device. All of this data is collated into the Ordr Data Lake and continuously analyzed to identify any changes in behavior.

2. Organize the data for effective analysis

We need to know every device’s “what, where, and why.” An algorithm won’t magically generate needed answers from massive amounts of data. Getting valuable insights requires organizing data hierarchically with relationships properly established.

Is the device a patient monitor, a security camera, or a printer?

Where is the device located, and why does it behave the way it does?

What data and systems does the device serve, and what does it require?

Ordr organizes data to see the interrelationships between devices, the network, and how data flows in all directions to answer these questions. Ultimately, all this context is organized in terms of the device itself. While analyzing hundreds of thousands of records may still be required, analyzing organized data is far more manageable and focused than iterating over massive amounts of data.

Analyzing organized data enables focus on specific types of devices and behaviors to uncover valuable security insights. Analyzing organized data can be used to learn how patient monitors behave as a generic device and a specific model of monitor. We can understand how other similar devices in the network behave to identify unique traits and specific needs in each organization.

Analyzing organized data can help answer important questions that drastically change a security team’s ability to respond to an event. For example, when a hospital sees a malicious outbound DNS request, there may be no need for action if the request is from a visitor’s laptop on the guest network. On the other hand, it would cause serious concern if the malicious request came from a hospital-owned infusion pump. Ordr provides these insights by properly organizing and analyzing data.

3. Understanding and explaining behavior

Once we know where to look, we need to understand what we see in terms of behavior on the network. Having partial information for security is not helpful, and this is where most cybersecurity behavioral analysis attempts fall short. If a security tool can’t explain in detail what was detected, an analyst has to do the work to understand what happened. A tool that generates anomalies it can’t explain will quickly drown security analysts in work or, more likely, cause them to miss critical events. It’s not enough to say a learning algorithm triggered an alert. More context is required to instill confidence and to ensure priority for action.

Ordr analyzes network data to create a baseline of behavior for each device in an environment. That baseline is then combined and analyzed with the baseline of other devices. With this approach, Ordr identifies activity outside of normal behavior for the device, its cohorts in the environment, or similar devices deployed globally.

Additional details such as the specific device, physical location, internal and external connections, and communication information are critical to ensure that incident response teams have enough detail. Proving this detail in an easy-to-understand, graphical way with the flexibility to customize the view is critical for any AI-based tool to be useful.

Analysis to uncover attribution and explainability is complicated. Making this easy for security teams is one of the essential traits of Ordr. The image below shows the enormous scale of analysis needed for a single Ordr customer deployment.

Ordr ultimately rolls behavior up to the device level. The center of the diagram above highlights the Ordr database of behavioral patterns for over 500,000 devices.

Understanding the behavior of these devices requires the analysis of 96 million network flows. However, to truly perform attribution and achieve understanding, we need to analyze the 100 streams that make up each flow and the packets that make up each stream. This essential task is where the analysis gets complex, and most behavioral analysis systems fall short.

To achieve positive controls, we must understand and use automation to control behavior. There are too many devices and network segments for security teams to understand the complexities of each one. Instead, security tools must understand and control behaviors in the same set-it-and-forget-it way that traditional firewalls control network ports.

Providing this level of simplicity to security teams requires a new type of analysis and a new type of security solution. One that we at Ordr continue to build and optimize.

Ordr’s Unique Approach to IoT Security

While most behavioral analytics solutions have failed to live up to the hype, Ordr provides actionable and practical answers to secure your connected devices without creating new headaches for users or security teams.

To illustrate, consider blending the positive and negative security models along with behavioral analytics to detect the multiple stages of a ransomware attack kill chain. In most instances, Indicators of Compromise (IoCs) are not available immediately after detecting an attack in the wild. In these cases, a positive security model compliments a negative security model by providing greater insight into a potential problem in the network and the attack timeline. Once IoCs are defined, they can be validated using the negative security model.

The screenshot below shows the detection of stages of the kill chain using different security models.

If you have thoughts or questions about this blog, or simply want to learn more about Ordr, reach out to the team for a deep dive discussion.

---

Cybersecurity and cyber threats have been in competitive co-evolution for years, with each side adapting to the other. Historically firewalls, IPS, antivirus, and modern endpoint protection tools have been common elements in the first line of defense to keep the bad guys out. Try as we might, bad things still happen to good networks. Attackers constantly develop new threats, target new vulnerabilities, or bamboozle a busy employee into doing the wrong thing. The first line of defense is never perfect, so it’s critical to develop a solid second line of defense. 

For many organizations, the second line of defense amounts to simply recreating the first line of defense in more places. This approach misses the ways threats differ once inside an organization and also ignores some of the essential advantages defenders have at their disposal.

This post briefly revisits some of the high points in the evolution of cybersecurity and cyber threats, looking at what has worked for defenders, where things have gone wrong, and how lessons learned have helped build new lines of defense. Some deep topics will admittedly be oversimplified. The point of this post is not to denigrate any of the great security tools in use today. Instead, the point is to highlight some of the broad trends and inherent issues security teams need to consider.

An Absurdly Condensed History of the First Line of Cyberdefense

Until recently, many organizations thought of the inside of their network as trusted and the outside Internet as untrusted. Firewalls provided a natural barrier and control point for this boundary, denying unsolicited connections from the untrusted outside by default and leaving a few pinholes open for essential services. Trusted insiders, however, could connect to pretty much any outside service they wanted, and that service would be allowed and trusted. While this approach worked to keep random strangers out, it didn’t work if users and assets on the inside were already compromised. 

Attackers had countless ways to attack. They could send phishing emails containing a malicious link in an attempt to gain access. If an email security solution was in place and the attacker was unsuccessful, they could shift to a new vector not subjected to email checks such as DNS tunneling. If a DNS-based firewall or perhaps a web application firewall (WAF) was in use, an attacker could pivot to target cloud applications. The cat and mouse game continued, so various methods were needed to detect and prevent threats.

Attackers found ways to slip past detections. Modifying malicious payloads ensured previously known signatures didn’t match while encoding, obscuring, or encrypting helped attacks slip past detection logic without being inspected. 

The ever-growing deluge of new vulnerabilities didn’t help. With the recent log4j exploit, setting a username in the apple profile resulted in a new attack vector. Exploiting Microsoft’s hole, a hacker can enter the enterprise by typing something inside the chat window of a video game.

If all else fails for the attacker, one final incredibly effective tool remains – social engineering. Instead of breaking in, an attacker can convince a user to give out passwords or install malicious software in the guise of a valid application or tool.

A New Line of Defense Introduces New Advantages

History has shown the first line of defense is eventually breached, and we must assume adversaries will get in or have already gained access. With access, the attacker typically attempts to move laterally to reach a high-value asset such as a server with all AD credentials, a device with sensitive patient information in a hospital, or a management platform with the ability to coordinate all PLCs on a manufacturing floor. 

While this is all doom and gloom, there are ways to detect and stop attackers by shifting focus from chasing an infinite number of threats to focusing on a smaller number of malicious behaviors. For example, there may be hundreds of thousands of variants for a piece of malware, but when it comes to lateral movement, tools like Mimikatz behave the same when performing actions like pass-the-hash.

The same is generally true of all sorts of secondary attacker actions. For example, when an attacker performs internal reconnaissance, it’s easy to detect when a device starts indiscriminately reaching out to a new or large number of devices. Likewise, SMBv1 is at the center of many Windows vulnerabilities and lateral movement attempts. We can now watch all devices speaking SMBv1 and see which system suddenly communicates to many other systems over SMBv1. The same is true for RDP – a protocol designed for remote diagnostics. We can quickly identify excessive RDP usage that falls outside normal administrator behavior. 

These examples highlight important advantages for defenders. When an attack has moved inside the network, we can see everything as long as we make an effort to look. When an attacker is still outside, we have almost no insight into who they are, what they’ve been doing, and where they’ve been. When they move to our turf, we see the entire battlefield. Instead of only looking at individual traits or actions, we see the complex behaviors across multiple hosts and how they develop over time.

Instead of making a yes/no decision based on a few milliseconds of analysis, we can inform decisions by understanding the complete history of the network, the behavior of all devices in it, and the collective knowledge of how threats behave. Using inputs like this is how Ordr works. 

Building a Second Line of Defense with Ordr

Ordr analyzes network traffic and traits of each host to conclusively identify each device, whether it is a laptop, server, or the wide variety of IoT, IoMT, or OT devices. The platform builds global and local baselines for normal behavior of every device and allows organizations to identify suspicious or malicious behavior quickly. As soon as a risk or threat is identified, the platform can automatically create and implement policies to isolate any affected hosts and prevent the spread of an attack.

Ordr’s capabilities provide a logical approach to building a second line of defense. Every device is identified and protected based on its unique needs and functions, regardless of being managed or unmanaged. The entire environment is monitored for signs of threats and malicious behaviors, regardless of how those threats got in. Thanks to automation, Ordr enables a robust second line of defense at a fraction of the effort and cost of traditional threat prevention tools.

If you want to learn more about Ordr technology, reach out for a deep dive demo.

---

Identity is a foundational component of modern security models, allowing organizations to control the data or services a user or account should be able to access. The explosion of IoT, IoMT, OT and other connected devices introduces significant gaps in identity-based security while creating new challenges and posing questions:

What is an identity for these devices that do not inherently have what we think of as an identity? 

How can we close the gap and bring identity-based controls to these critical devices? 

This post looks deeper into the challenges, these questions, and how Ordr helps provide answers in a straightforward and automated way.

It’s the End of Identity as We Know It…and I Feel Fine?

There are several methods organizations use to establish and verify identity for their users and assets. Unfortunately, none of these methods work well for the new class of connected devices.

Traditional devices such as laptops and workstations can be associated with a specific user and can be reliably linked to that user’s identity. Security teams can also verify the identity of a device by installing certificates or using USB keys. When a high-value asset is accessed, multi-factor authentication mechanisms can be leveraged by sending the user a passcode via email or text to be provided for additional verification.

The new class of connected devices are rapidly increasing in numbers and can be found everywhere in enterprise environments. Connected devices include everything from consumer products and phones to printers and media displays. In industrial settings IIoT and OT devices span the range of sensors to the multi-million dollar equipment essential to manufacturing lines. In healthcare, IoMT includes a vast array of medical devices from health monitoring equipment to magnetic resonance imaging (MRI) scanners that are critical to delivering care and ensuring patient safety.

Connected devices are increasingly critical infrastructure in organizations across industries, yet these devices can’t be managed the same as traditional devices. The simple task of installing enterprise certificates or endpoint agents is virtually impossible since many of these devices run embedded operating systems or are agentless. Even if agents could be installed, the vast diversity of hardware and software variations of IoT devices makes it almost impossible for vendors to develop and support agents.

Connected devices are commonly found with software stacks from various sources layered on embedded and customized operating systems. For these devices, any tool that uses a map of the processes to perform behavioral analysis is virtually useless.

Integrated firmware running on connected devices typically prevents any new software from being installed to ensure security and device reliability. As an example, new software can’t be installed on a piece of medical equipment once it’s gone through FDA certification.

Multi-factor authentication is another non-starter for IoT. An infusion pump can’t be expected to receive and provide a passcode to verify its identity.

Bringing Ordr to the Chaos of IoT Identity

With all of these limitations, how is identity determined and used for connected devices? The best unique identifier (not identity) is a device MAC address or serial number. MAC addresses are at least trackable (although easily spoofable), but serial numbers are nearly impossible to track and manage.

Ordr takes a new approach that doesn’t require IT and security teams to manually track the endless minutia of device details or do anything to update or change devices. Instead, Ordr automatically and passively analyzes the behavior of each device and recognizes a device’s identity based on what it actually does (i.e., the device communication).

To illustrate, let’s look at a device that claims to be a printer. Does it act like a printer? How do we know how a printer should act?

To answer this a large number of printers must be studied to understand what printers normally do, the protocols they speak, destinations they connect with, packet patterns they exhibit, etc.

With sufficient sampling a baseline can be established and used to verify if a new “printer” behaves like all the other printers previously seen – if it walks and squawks like a printer, then it’s probably a printer.

It’s also important to understand normal behavior for a particular environment. It’s not enough to know if a printer is behaving within the norms of other printers – it’s essential to know if the printer is behaving like my other printers. Is it talking to the appropriate management server, using the appropriate network segments, and so on.

The combination of global and local insights into behavior gives a very reliable approach to understanding a device’s identity. Just as importantly, it is a passive, hands-off approach that doesn’t require more work from staff or to change anything on the device itself.

As a result, Ordr is able to easily establish identity and continuously monitor it throughout its life cycle. Reach out to us to learn more about how Ordr can help with identity and security for all your IoT, IoMT, OT and other connected devices.

---