Jun 02 2016

What to Do When Mobile and IoT Explode the Attack Surface

Information security was hard enough when we had to lock down all of the servers, desktops and laptops. That seems like child’s play compared to what we face now. You could pretty easily count your server infrastructure, and PCs were simply a function of your company employee count. Mobile and Internet of Things (IoT) change that equation, as we outlined earlier this week in our new White Paper, Take Back Control of Your Information Security. I thought I’d cover part of the ground from that analysis and expand on a couple of concepts here.

Mobile and IoT are not only here to stay, they will only grow in scale and complexity over the next decade. This is one of the three most profound shifts facing information security defense to arise in the past five years (N.B. The other two are enterprise cloud adoption and growing emphasis on detection and response). While executives from the business side of the house have rushed headlong into mobile and IoT seeking greater efficiencies, they have been slow to recognize the new risks that these tools introduce.

It is imperative that enterprises consider their existing and expanding mobile and IoT investments from a security perspective now. Most people don’t recognize how big this problem is, how big it can be and how complex it is to address. Just as attack vectors migrated from servers to PCs, they are now drifting to the newest endpoints – many of which are surprisingly insecure.

How Big is the Problem?

PwC’s Global State of Information Security 2016 survey reported that 86% of enterprises experienced an embedded systems security compromise in 2015. That is up from just 34% in 2014. An AT&T report published in March 2016 revealed that 25% of companies already have IoT either in pilot or production and 85% expect to deploy the technologies. And yet, the study also reported that only 22% of information security teams are fully or highly confident that their connected devices are secure.

Mobile has similar numbers. A 2016 Ponemon Institute study concluded that 67% of enterprises have experienced a breach through a mobile attack vector. It also suggested that mobile malware is costing organizations “$12.8 million per year, or $9,485 per infected device.”

How Big is the Attack Surface Expansion?

The Ponemon study also estimated that the average global enterprise has 53,844 mobile devices with 6% having more than 200,000 and only 13% having fewer than 5,000. Let’s face it. We are at the point where almost every worker has a smartphone and many use those to access or interact with company data at some point. Veracode estimated in 2015 that the average enterprise has 2,400 unsafe applications residing on employee mobile devices and Ponemon concludes that 3% of devices are compromised in some way.

The IoT attack surface is even larger. Gartner estimates that nearly 2.4 billion IoT devices will be operational in U.S. business this year, growing to seven billion in 2020. IDC forecasts that the global number in 2020 will be 30 billion. Combined, mobile and IoT represent an exponential expansion of the enterprise attack surface. However, device volume is only part of the problem.

What are the New Variables?

Information security teams must also deal with a new set of variables for mobile and IoT, including:

  1. Lack of physical, technical, and policy control over mobile devices
  2. Constraints in compute power and memory on IoT devices
  3. Lack of staff sophistication in mobile and IoT platforms
  4. More data that needs to be logged and analyzed for security incidents

Enterprises widely embraced bring your own device (BYOD) policies over the past five years. Tech Pro Research suggests 74% of businesses either use or plan to employ BYOD in 2016. These employee-owned devices do not afford the same level of application and use control that servers and company-owned computers do. This means that information security teams must protect a large perimeter of mobile endpoints with limited ability to restrict behavior that may increase cyber risk.

Another key variable is the computing constraints common to IoT devices. While mobile devices typically have significant memory and high powered processors onboard, IoT devices rarely do. Many do not have enough compute power to have security solutions onboard and must rely on network-based tools for proactive protection.

Tools have a role to play in protecting devices from cyber attacks, but you need people to run those tools. Few information security teams have in-house expertise on iOS, Android, industrial control systems, SCADA or other embedded operating systems. Few people have combined expertise in these platforms and information security.

Finally, IDC predicts that IoT alone will generate 10% of all data by 2020. Cisco estimates that 30.6 exabytes of traffic will flow through mobile devices by 2020. SIEMs are struggling to ingest the data generated by servers and PCs and can’t even touch NetFlow and PCAP due to scalability and cost constraints. The rapid growth in mobile and IoT data will put even greater strain on information security infrastructure that is already missing compromises today, leading to an average breach dwell time of 146 days.

What is Required

There are a number of common recommendations related to mobile and IoT devices. Some include planning for security before deployment, segmenting networks, restricting access by these devices to certain assets, scanning them regularly for malware, and hiring or training staff in embedded systems. You might not be surprised, but I am going to add another requirement to that list. A scalable information security analytics tool will be essential to regularly assess whether these devices have been compromised. A tool like IKANOW can handle the scale associated with data generated by these devices and draw meaningful insights that SIEM and endpoint protection software will miss.

Given the rapid growth in attack surface, it is no wonder information security professionals are feeling like they have less control over their IT environment. Information security analytics will be one tool that can help them improve their ability to secure mobile and IoT assets and quickly detect compromises.

Chris Morgan

Cofounder and Chief Technology Officer. Chris Morgan is responsible for technology innovation and delivering high-quality security analytics solutions to clients. He has more than 15 years of experience in research and development, software engineering, software development and product management. Morgan studied management at the Wharton School of Business of the University of Pennsylvania and economics and computer science at Virginia Polytechnic and State University.