© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Philipp Sacha, Specialist Solutions Architect IoT, AWS
AWS Pop-up Loft Berlin, 12. October 2018
IoT: Detect Abnormal Device Behavior And Disconnect Devices Automatically
What You Will Learn From This Session
• Introduction to AWS IoT Device Defender
• Monitor device behavior
• Detect abnormal device behavior
• Disable devices automatically
How do I ensure my connected devices stay secure?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS IoT Device Defender: Keep Your Fleet Secure
• Audit device configurations, define and monitor device behavior
• Identify drifts in security settings and detect device anomalies
• Generate alerts
• Patch security vulnerabilities
AWS IoT Device Defender is a fully managed IoT security service that enables you to secure your fleet of connected devices on an ongoing basis.
AWS IoT Device Defender: Keep Your Fleet Secure
• Audit Device Configurations
• Monitor Device Behavior
• Identify Anomalies
• Generate Alerts
• Patch Security Vulnerabilities
Audit Device Configurations
• Audit device security policies against a set of built-in IoT security best practices
• Schedule audits (daily, weekly) or run ad-hoc audits during vulnerable periods such as device deployments
• Run audits to spot security gaps
  • Devices using the same certificate
  • One device subscribing to data from all other devices
  • Expiring certificates
(Diagram: scheduled and ad-hoc audits)
Monitor Device Behavior
• Monitors incoming security metrics and data from connected devices
• Create your own device profile for expected device behavior, such as which IP addresses the device can communicate with
• Compares device metrics against expected device behavior, such as the volume of messages permitted during a 24 hour period
Identify Anomalies
Blacklist/Whitelist behaviors for:
• IP destinations and Geo locations
• Connection IPs
• Open ports
Define threshold behavior for:
• Number of active connections
• Number of open ports
• Number of outbound packets across all protocols per unit of time
• Number of outbound bytes across all protocols per unit of time
• Number of authorization failures within 24 hours
• Message rate and message size
Generate Alerts
• Alerts generated based on identified anomalies and audits
• Alerts sent to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS
• Review historical and contextual information about your fleet when it fails an audit or when behavior deviates from what is expected
• View recommended actions to minimize the impact of security issues
Patch Security Vulnerabilities
• Take actions that make sense for your devices and use cases
  • Revoke permissions
  • Reboot a device
  • Reset factory defaults
  • Push security fixes
Detect Abnormal Device Behavior and Act I
• Devices are sending messages to AWS IoT Core
• Define normal behavior with a security profile
• Security Profile
  • Metric (messages sent, message size, source IP, etc.)
  • SNS topic + IAM role
  • Thing groups or all devices
Detect Abnormal Device Behavior and Act II
• Example: normal behavior: 25 < messages sent < 200 per 5 mins
• Abnormal behavior: Device Defender publishes to the SNS topic
• Topic holds a Lambda subscription
• Lambda disables the device in AWS IoT Core
  • Deactivate the device certificate
  • Connect with the device client-id to AWS IoT Core
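As an added example (not code from the deck), this is a Lambda handler for the SNS subscription described on the two "Detect Abnormal Device Behavior and Act" slides: it parses the Device Defender violation notification and deactivates the certificates attached to the offending thing. The boto3 `iot` calls (`list_thing_principals`, `describe_certificate`, `update_certificate`) are the real API; the thing name, profile name and metric values in the sample event are constructed, and the handler acts only on `in-alarm` events so an `alarm-cleared` notification never disables a device.

```python
import json

# Field names follow the AWS IoT Device Defender violation notification format;
# the thing name, profile name and metric values below are constructed.
SAMPLE_SNS_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({
        "violationEventTime": 1539331200000,
        "thingName": "sensor-0042",
        "securityProfileName": "MessageRateProfile",
        "behavior": {"name": "TooManyMessages", "metric": "aws:num-messages-sent",
                     "criteria": {"comparisonOperator": "greater-than",
                                  "value": {"count": 200}, "durationSeconds": 300}},
        "metricValue": {"count": 512},
        "violationEventType": "in-alarm",
    })}}]
}


def violations_to_act_on(event):
    """Yield (thingName, behaviorName) for each in-alarm violation in an SNS event.
    'alarm-cleared' notifications are skipped so a recovering device is not disabled."""
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])
        if msg.get("violationEventType") == "in-alarm":
            yield msg["thingName"], msg["behavior"]["name"]


def deactivate_thing_certificates(iot, thing_name):
    """Set every X.509 certificate attached to the thing to INACTIVE.
    Returns the certificate IDs that were changed; already-inactive ones are skipped."""
    changed = []
    for arn in iot.list_thing_principals(thingName=thing_name)["principals"]:
        if ":cert/" not in arn:  # skip Cognito identities and other non-certificate principals
            continue
        cert_id = arn.rsplit("/", 1)[1]
        desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
        if desc["status"] != "INACTIVE":
            iot.update_certificate(certificateId=cert_id, newStatus="INACTIVE")
            changed.append(cert_id)
    return changed


def lambda_handler(event, context=None, iot=None):
    """Entry point for the Lambda subscribed to the Device Defender SNS topic."""
    if iot is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        iot = boto3.client("iot")
    return {thing: deactivate_thing_certificates(iot, thing)
            for thing, _behavior in violations_to_act_on(event)}
```

Deactivating the certificate blocks new connections; the deck's second step, connecting with the device's own client-id, is what forces an already-connected session off and is not part of this example.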
Architecture (diagram)
Things send messages to AWS IoT Core; a Security Profile in AWS IoT Device Defender flags abnormal behavior and publishes to Amazon Simple Notification Service (SNS); an AWS Lambda subscription then disables the device.
Demo
IoT Device Defender Pricing
• Audit Pricing: per device audited
• Detect Pricing: per 1M metric datapoints
• Free Tier
• Pricing: https://aws.amazon.com/iot-device-defender/pricing/
Questions?


Editor's Notes

  • #3 Idea: icons instead of bullet points
  • #5 In 2018, we are building AWS IoT Device Defender to: continuously audit the policies associated with your devices; monitor your device fleet for abnormal behavior that might indicate a potential security issue and alert you if something doesn't look right, like traffic from devices to an unauthorized IP address or spikes in outbound traffic that might indicate that a device is participating in a DDoS attack; and finally, through its integration with AWS IoT Device Management, let you take corrective actions to keep your devices secure. That's exactly what AWS IoT Device Defender does, a new IoT device security service coming in 2018.
  • #6 AWS IoT Device Defender keeps your fleet secure. First, it continuously audits the policies associated with your devices to make sure that they aren't deviating from security best practices and alerts you if something looks like it isn't compliant. For example, one best practice is not to share certificates across devices. Let's say during provisioning of additional devices, someone reuses a certificate: this will be flagged and you will get an alert. IoT Device Defender comes with 14 security best practices that you can select and run as part of the audit, and you can add your own as well. The second thing IoT Device Defender does is monitor your device fleet for abnormal behavior that might indicate a potential security issue. IoT Device Defender lets you define the expected device behavior for different sets of metrics. Then it monitors the device fleet and alerts you if something doesn't look right. For example, IoT Device Defender lets you define what ports should be open on the device, who the device can talk to, and how much data it sends or receives. Then it monitors the device traffic and alerts you if something looks wrong, like traffic from devices to an unauthorized IP address or spikes in outbound traffic that might indicate that a device is participating in a DDoS. Lastly, through its integration with AWS IoT Device Management, IoT Device Defender lets you take corrective action like rebooting a device, updating its firmware, or revoking its permissions (via a change of policy).