4. Security: Not just a buzzword anymore!
When everything is connected to
everything else, for better or for
worse, everything matters.
Source: Bruce Mau, Massive Change
Any business that fails to invest
heavily in the IoT in the next 10 years
is unlikely to be able to remain
competitive. Source: McKinsey
A network of physical objects (things)
that contain embedded technology
to sense or interact with their internal
state or external environment. The
IoT comprises an ecosystem that
includes things, communication,
applications and data analysis.
Source: Gartner
8. …Mind the gap!
Meaning… what?
Gaps in visibility
Gaps in knowledge of the devices
Gaps in knowledge of activity
9. Who drives this bus, anyway?
We still don’t do simple things well.
“Security is a process, not a product. Products provide some
protection, but the only way to effectively do business in an
insecure world is to put processes in place that recognize the
inherent insecurity in the products. The trick is to reduce your
risk of exposure regardless of the products or patches.”
- Bruce Schneier, Information Security
10. Who drives this bus, anyway?
We still don’t do simple things well.
“There is no patch for human stupidity.” – Various
11.
12. Security cannot be an afterthought!
In the mad rush to connect everything, proper
security controls and designs must be considered.
SHOULD a device be able to be seen by other
devices? What is ‘proper’ traffic? What does normal
traffic look like? Should it be segregated? Should it
be encrypted?
Slow down – just a second.
13. Security cannot be an afterthought!
Have you designed a security strategy?
What policy or procedure does it fall under?
Who controls it?
Who does it talk to?
When does it talk?
What happens when you’re breached?
14. “This is what we call a target-rich
environment…”
Look at all the edge devices to poke at!
If your edge device is breached, how do you know? Can you
stop it at the gateway? Can you stop it at the device? Can
you identify the data that was exfiltrated? Can you show me
the ingress and egress paths?
Collector/aggregation points
Devices
Cloud-based systems
15. Or a security officer, or a network administrator, or…
I’m a Security Analyst!
Is security awareness part of your organization at each level of
IT? Do you provide options for visibility into security data for
other roles, where relevant?
More eyes can discover “ah ha” moments. Automation helps
cull the anomalies, but the human brain (thus far) still can
make that intuitive leap.
This is a random, unpublished public IP on a mid-sized cable modem network. The scanning is done programmatically, with very little user intervention. But I’m sure you’re fine.
This is a random, unpublished public IP on a mid-sized cable modem network. The scanning is done programmatically, with very little user intervention. But I’m sure you’re fine.
Gaps in visibility
Lack of aggregated view of events
Lack of knowledge of SSL traffic
Lack of knowledge of site-to-site traffic
Lack of knowledge of BYOD device traffic
Gaps in knowledge of the devices
Lack of collection of all devices
Lack of centralized asset control
Lack of control of BYOD assets
Less visibility of VDI resources
(deploy now, fix later!)
Gaps in knowledge of activity
Who owns that?
Who did that?
Are they supposed to that?
Is that thing supposed to do that?
Why did that thing do that?
How LONG has that thing been doing that?
Are your teams aware of each other?
Security vs. Desktop vs. Network vs. Audit vs. Users
Clear guidelines around BYOD?
Are you communicating with your peers?
You don’t have to fly blind, or in a vacuum. Share your experiences, get feedback.
Connected LED bulbs leak WiFI passwords (true)
Authenticate!
ASSUME the network is compromised.
Trust no one.
Are your teams aware of each other?
Security vs. Desktop vs. Network vs. Audit vs. Users
Clear guidelines around BYOD?
Are you communicating with your peers?
You don’t have to fly blind, or in a vacuum. Share your experiences, get feedback.