Why the Deck Is Stacked in IoT Security
David Sklansky’s fundamental theorem of poker says: “Every time you play your hand the way you would if you could see your opponents’ cards, you gain, and every time your opponents play their cards differently from the way they would play them if they could see your cards, you gain.”
Network security can be like that: One of the primary objectives in both poker and security is to create an information asymmetry against your opponent, constantly assessing your risk and asking when you are justified in acting on that risk, says Zulfikar Ramzan, CTO at RSA Security. In both security and poker, you can rarely get a complete picture of what is going on, but you are constantly looking for a “tell” that could give you a decisive advantage over your opponent.
IoT security, however, can be like playing against an opponent with a card—or multiple cards—up their sleeve. As Peter Tran, GM and senior director of RSA’s Advanced Cyber Defense division, puts it: “Vegas rules no longer apply where the odds always favor the ‘house.’ It’s anyone’s game now. With IoT, there’s no security equivalent to a UL or Good Housekeeping seal of approval. You’re not always playing with a standard 52-card deck. It’s entirely possible that, several years from now, we’ll have 52 billion IoT devices—all with their own unique tells.”
“Most organizations have a large number of IoT devices and little control over what those devices can or can’t do,” Ramzan says. “If you are trying to secure an IoT network, taking a one-size-fits-all approach is not going to work. You are going to have blind spots, so you will have to prioritize how you focus your efforts based on what matters most to your organization from a business perspective.”
In many ways, however, we have already entered this world. Antivirus companies have shifted their focus. “If you think about the security industry 20 years ago, the focus of antivirus was eradicating every virus,” Ramzan explains. The model was based on the ideal of detecting and thwarting every risk. “By about 2008 or 2009, it was becoming clear inside the industry that the old model was broken because the attackers were too fast in coming up with new viral strains,” he adds. “They weren’t coming up with brand new viruses, but they were just taking the same old ones and changing them enough to slip by.” There are roughly 800,000 new variants of malicious code generated every day, according to Tran’s research. Over the past four years, that amounts to approximately 1.2 billion variations. The sheer scale is “mind numbing,” Tran says.
The Internet of Things continues this trend, both because the technology offers the promise of creating business efficiencies and new business models and because it opens up new risks to organizations’ operations and brand reputation.
“For the first time, I think we are at an inflection point where security truly has to be more of a business enabler than a matter of having to do security for its own sake,” Ramzan notes. “Ultimately, when you look at the board and CEO level, security has to be tied to what the overall business goals are—otherwise, security initiatives are not going to have any legs.”