A10 Networks Q&A: IoT Device Security Demands Deliberation
Lee Chen has helped establish a trio of networking companies. He first cofounded Centillion Networks in 1993 (later acquired by Nortel) and then Foundry Networks in 1996 (eventually acquired by Brocade Communications Systems) before creating A10 Networks in 2004. Along the way, he has often concentrated on cybersecurity, a growing focus for A10, which offers network segmentation tools and assistance with workload security and locking down applications.
In the following Q&A, Chen shares his thoughts on the current state of IoT device security, including the increasing frequency and sophistication of IoT-focused attacks, the growing importance of machine learning in cybersecurity and the evolving responsibilities of network administrators. Along the way, he touches on the surge in politically motivated hacking, the popularity of network virtualization and the need for deliberation when launching IoT projects.
What do you make of the level of sophistication of IoT attacks in 2018?
Chen: There is rising sophistication. There is an uptick in countries targeting other countries. Many countries have an army of cyber attackers and they are targeting specific government targets, coordinating their attacks around specific events and activities. They are hacking for a political purpose. But traditionally, most attacks involving IoT were very simple, involving, for instance, gamers and sometimes teenagers.
On the other hand, it is very easy to launch attacks, which are still common. There are websites you can go to where, if you spend $100, you can initiate an attack. There are also hackers who subscribe to an open source model, who publish their code online.
You also have these professional attackers as well who are using more of a basic ransomware approach.
But I think attacks are getting more sophisticated all the time, but the protection will get more sophisticated all the time, as well. The only way, I think, to address it is to make things easier for the user. It can be very tiring, right? Trying to chase all of these new attacks all the time. The solution has got to be sophisticated, but also very user-friendly based on analyzing behaviors and traffic profiles based on machine learning. Machine learning can help with traffic profiling, attack detection and mitigation. It can help you determine when there is peace and when you are at war. If you are at war, ML can help with reporting so a user can know what the next step is and how to prevent similar attacks in the future. All of this can be done through intelligent automation — a machine learning / AI type of technology.
How important do you see ML and AI for IoT device security in terms of helping IoT projects scale?
Chen: Scale certainly creates a new challenge. If you look at the mobile network, traditionally, everything is IP-based. Everything is becoming virtualized to drive “network efficiency” and agility, right? It is easier to provision. On the other hand, it’s harder to troubleshoot and harder to manage because everything is virtual. What happens when something happens that drains your memory?
So, I think in the future, analytics will become very important. Not only will you be able to use analytics to capture current data, you’ll be able to learn continuously and adapt using machine learning. You can track behaviors over time. Visibility and control, I think, are a must-have for virtualized, next-generation virtualized or 5G networks.
How big of a change is it for people like network administrators who have to take a more active role with software for their job?
Chen: I think everything they have today is still needed, but on the other hand, they really need a visual solution and to be able to automate a lot of their tasks. Otherwise, it is very difficult to manage. You can’t take the time to chase new attacks. The size, the frequency of those attacks is just going to increase.
We did a study between 2015 and 2017 and we found that the frequency of cyberattacks increased by 400 percent. Then the volume increased by 300 percent.
You look at IoT-based attacks, I think it’s in February 2018, we recently saw a 1.35 terabit-per-second attack. Shortly thereafter, we saw a 1.7 terabit-per-second attack. We saw that transition, from 1.35 to 1.5 terabits in just five days.
And these are volumetric attacks. What happens when somebody uses multivector attacks? The challenge will be much bigger.
We should not expect the network administrator or security operators to be able to address all of this manually. I think the solution needs to provide visibility. If you can’t see it, you can’t prevent it. You need to do a good data analysis to know what’s going on. It’s really the technology vendors’ responsibility to provide instant reports and mitigation templates to recommend to customers what they should do. The vendor has to provide a better solution, and that’s through machine learning and automation.
What are your thoughts on patching in an IoT device security context?
Chen: IoT security, I think, is hard to explain for consumers. I don’t know how many people think about the security of their home routers, smart refrigerator, Echo and connected thermostats.
In a corporate environment, you can have policies for things like patching and updating passwords, but it isn’t always diligently enforced. Someone might purchase an IoT device and install it in the enterprise and you might not recognize that it’s really connected to your corporate network.
The other thing is IoT will never be sophisticated. You can’t expect a $200 device to have a powerful CPU, lots of memory and strong security built in. You need to have a network solution to detect DDoS attacks, APTs, etc. Cybersecurity software can’t prevent all types of attacks. You need a multilayered solution.
What are your thoughts on the defense-in-depth security approach in an IoT world? The traditional model here was a castle and moat, but, with IoT, security is much more distributed?
Chen: Yes, it’s going to become really a community type of thing. Multiple corporations need to cooperate. If one company detects a threat, they need to inform others. If IoT is everywhere, an attack could come from anywhere. There are so many endpoints. You can’t expect to just patch one place and fix everything.
One thing I have heard anecdotally is that there is an uptick in rogue IoT devices. What are your thoughts on that?
Chen: I think eventually, close to 100 percent of network traffic will be encrypted. It won’t be easy to know what that data means. If you have sensitive data, you probably don’t want to send it out over the air. Every corporation should have a sound security policy to ensure that it doesn’t, say, have financial data transmitted wirelessly.
What are you seeing this year with IoT adoption in the enterprise?
Chen: I think many corporations are rushing to implement IoT. The technology needs to be mature before you implement it. You always have the learning curve with a new technology. You don’t want to go out and deploy a large variety of IoT devices in the beginning — you want to standardize things. Corporations need to be really careful. They can’t make a rash decision because you want to be the first to do something. It’s better to have a small trial first and then build.