Access control on your wired network, across hybrid networks, and into your cloud services requires identity and authentication controls, but there is much more to IoT device security than simply whether a device is managed or unmanaged. With the explosion in the number and types of connected devices, identifying BYOD devices via device fingerprinting has become critically important for ensuring security and enforcing the right access control to the network and beyond.
Smart devices can connect to one another, control devices, and the network via multiple communication protocols like WiFi, Zigbee, Bluetooth or Bluetooth Low Energy (BLE), and cellular networks, which demands a new approach to establishing and controlling device identity and movement. We’ve seen warnings about hacking smart buildings and Bluetooth hacking, but how do you know if a hacked device is present on your network?
Currently, device fingerprinting technology provides active and passive mapping using the network information or the application layer of Ethernet traffic. Fingerprinting only by network IP or application login can result in insufficient device identification, which means you cannot correctly profile the device's behavior or set adequate controls to protect the device and your infrastructure. With standard fingerprinting, you may not have a true map of the patterns of device behavior on your network. Are there physical locations that are forbidden for the device, e.g. is it allowed in only one country? Are there standard hours of connection? Once the device is authenticated, is there a record of what the device accessed or uploaded?
Wootcloud’s HyperContext™ can identify, check, and create a fingerprint map of any IoT device active in an organization based on the unique characteristics of that device across multiple dimensions. These dimensions represent a new range of threat intelligence previously unsecured, and are not limited to a specific interface of the device. Instead, they include multiple layers of the OSI stack from hardware, application, and logical down to functional operational characteristics.
Within HyperContext, information about the device is collected from many available sources, including Radio Frequency (RF), physical interface, protocols available and used, traffic flow, and application data, combined with organizational information from the configuration management database (CMDB) and other tools including mobile device management (MDM), endpoint detection and response (EDR), vulnerability assessment (VA), firewall, and location mapping. Devices are fingerprinted and learned by supervised and unsupervised machine learning algorithms to reveal patterns embedded in these measurements.
The HyperContext fingerprinting model builds models and signatures for each device to produce the following threat intelligence:
- Association of the physical interfaces of the device with the spectrum of operation for each interface
- Type and category of the device
- Operating system, patch level, services, and applications running on the device
- Functionality or the “purpose in life” of the device
- Micro location of the device, including its mobility patterns and times of visibility
- Ownership information of the device and control information
- Users logged in on the device or headless devices
- Risk and vulnerability details, and other information collected by other tools installed
This collected device data is combined with behavior-based analysis of the device's data transmissions and sensing interfaces to develop a device identity fingerprint, a device group fingerprint, and a device operational fingerprint. These fingerprints accurately recognize the device, group devices of the same kind together, and establish the device’s normal operation and function. This can then be used to establish an effective zero trust architecture by:
- Automatically identifying new devices seen in the organization as they connect
- Tracking anomalous behavior of the devices whose fingerprints have been collected
- Offering insights about the risks and threats associated with the device
With the information collected, HyperConsole creates a final device fingerprint for all the IoT in scope and generates labels based on that information. You can then expose these labels to the micro-segmentation and policy layers for automated security responses.