‘Git-R-Done’ Networking and Other IoT Security Perils
More than a decade ago, the Nebraskan comedian Daniel Whitney, better known as Larry the Cable Guy, made famous the catchphrase “Git-R-Done!” One of the meanings of that adaptable term is to finish a task quickly, without getting bogged down by excessive trepidation.
But while an expedited approach might work when, say, running a length of coaxial cable through a building, a slipshod IoT deployment strategy can be perilous in terms of its cybersecurity ramifications.
Yet a “hope-for-the-best” IoT strategy is common in many enterprise organizations, said Jon Green, vice president and chief technology officer, security at Aruba Networks. And as a result, many organizations, from hospitals to universities to enterprise companies, are left with significant security vulnerabilities.
To help those organizations minimize risk, Aruba Networks is working with clients to first obtain awareness of the endpoints on their network, and then build a cybersecurity strategy on the foundation of that awareness.
In the following interview, Green explains how Aruba Networks works with clients to first improve their networking awareness and ultimately develop a mature cybersecurity strategy. He also shares his thoughts on the current state of the cybersecurity industry and the hype surrounding certain AI technologies deployed in the field.
The responses have been edited for brevity:
Now that IoT is maturing, what are you seeing from your customers from a cybersecurity standpoint?
Green: From an IoT standpoint, we see a ton of [security challenges]. We’re seeing all sorts of things joining our networks. Universities and hospitals are probably where we see the bulk of this. In the general enterprise space, we’re seeing an awful lot of smart TVs. Printers have always been there. But smart lights, temperature sensors, room occupancy sensors — all these sorts of things are showing up on networks, sometimes with the organization having little to no knowledge of it.
What advice do you have for organizations working to get a grip on their IoT deployments?
Green: At a high level, we want to have some form of identity attached to every single network connection, whether it’s wired or wireless. And that might be nothing more than a MAC address. Then, we’ll make sure there are systems in place that are profiling the network and showing what’s connected and what we know about it.
Then, we’ll work to get high-quality authentication. Two-factor is usually going to be a laptop or a tablet or something that has some concept of good authentication. But we’ll use the best method we can. And simultaneously, we’ll look at many different methods of trying to identify and categorize those devices.
The second phase for us is asking: “Once I know what you are, what should you be allowed to do?”
An example of that concept would be if you have a smart television on the network, you can identify what it needs to do, and control access to it.
The 2016 Mirai botnet is still one of the best-known IoT-related attacks. How much cyber progress have we made since then?
Green: The biggest news that I’ve seen is in consumer-type routers. I haven’t seen a big change from most of the device vendors themselves. It’s kind of like they are telling themselves: “Well, I wasn’t subject to Mirai, so what do I need to worry about?”
Several governments, though, have woken up after Mirai. That’s where the big change is seen. I’ve noticed this out of China, India and a couple of other places. There’s talk about it in the U.S. And California passed a law recently that said: “You cannot have default passwords in products that you sell.” So I feel like the governments have picked up more than the device vendors have.
What’s your perspective on the relationship between network engineers and cybersecurity staff?
Green: A network engineer has done their job if they deliver packets from A to B quickly, with high reliability and so on. A security person would prefer if nobody is delivering packets across the network because that means the attack traffic is blocked as well. Obviously, we want something in the middle there. That’s why it’s really important that networking people and networking companies really embrace security.
Aruba started out in 2002 as a Wi-Fi company and WEP encryption was broken around then. From an enterprise standpoint, people were saying “no” to Wi-Fi. So we really focused on building security into our products to convince people they were safe in the enterprise space. We had to do a whole lot more than meet the minimum requirements.
Security was also in our DNA. For instance, Keerti [Melkote], our founder, and I both spent time at Nortel Shasta where we did a lot of work on security for DSL and broadband. We ended up with the right set of people in the company who had that kind of background. We knew how to build firewalls. We knew how to build authentication systems.
And then some of the acquisitions we made, such as with the ClearPass product, line up with security just as much as they do with networking.
What role do you see networking vendors playing in cybersecurity in general?
Green: In the networking space, anybody can be a networking vendor these days. The chipsets are all commodity at this point. You can get your own Ethernet switch to market very quickly and very easily. But enterprise-grade networking, I think, really has to have a security component in it. And you now see some companies kind of retrofitting security architecture back into the network with stuff like software-defined access and that sort of thing. That’s a good attempt. It’s trying to solve a problem that’s out there, but can end up being unnecessarily complicated. You’re trying to retrofit security as opposed to it being there from the beginning.
What do you make of the growing attention to network security — especially related to 5G hardware — at the national level in the United States?
Green: It’s a big deal. If you can’t trust your network infrastructure, how do you trust the traffic that’s going on top of it?
I own two different functions at Aruba. One is security of our products. And so as part of that, we have our own hacker groups, Aruba Threat Labs. We go out and try to break our own products and do bug hunting and things like that. But I also own security products. So I think you have to have both.
Aruba Networks does a lot of work with medical customers. How much progress do you see in there?
Green: Things like WannaCry really were disruptive to health care networks in general. So there has been kind of a great awakening there. It’s not necessarily up to the level that the banking sector is but I think it’s getting there quickly.
In many ways, hospitals are the place where IoT really started. You had all these connected things and in some cases, they were life-critical-type devices: heart monitors, infusion pumps, etc. These sorts of things are often networked now.
We see in a lot of cases expensive medical equipment, like MRI scanners, where vendors will attach really cheap consumer-grade networking components to it. They then tell you that because of FDA certification, you can never update the software on those devices. But that’s not true. The FDA certification doesn’t say anything of the sort. There’s also a growing awareness of the risk out there. You just can’t justify not fixing these things anymore.
There’s also a problem in the medical space of organizations still not knowing what’s on their network. We had a customer beta testing a new product of ours called ClearPass Device Insight, which is designed to answer the question of what’s on my network in a much more detailed way than we could do before. And they’d been using it for a couple months and said: “Hey, we found this thing on our network.” Nobody could identify for the life of them what it was. They finally figured out based on using this product that it was a particle accelerator or something like that you wouldn’t think would be in a hospital.
One of the themes I’ve seen more of in recent years is an explosion of supposedly AI-enabled cybersecurity offerings. What do you make of this theme?
Green: It’s overwhelming. I’ve asked venture capitalists: “Why do you keep on funding more security companies? There are 15 companies all chasing the same dollars and solving the same problem.” A VC told me: “Basically, it’s fear of missing out. If we don’t fund this company, and someone else does, then we might miss the next big thing.” But there are too many companies in the space right now. And it is very confusing.
Gartner even wrote a paper basically directed at marketing departments of security companies, saying: “Stop overusing the terms ‘AI’ and ‘machine learning’ if those terms aren’t warranted because you’re confusing the market.”
I do think that’s a big problem.
What advice do you have for enterprise companies trying to navigate the cyber vendor marketplace?
Green: We see a lot of security companies out there that really solve one thing. They might be really good at it. And that’s good; that’s how we started as well. I don’t think the customers have the patience or the time or the budget anymore to play system integrator.
These vendors will say: “We have APIs, so you can integrate it into the rest of your system.” I don’t think the customers have the time or the people or the money to do this integration. They expect these things to come integrated out of the box with whatever framework they’ve chosen.
People will also say: “Well, I want to buy it all from one vendor.” And I see that point. On the other hand, if you look at some of the vendors that have been snapping up companies left and right, there’s not a whole lot of internal integration that goes on either. You might be able to buy it from the same salesperson. But they look like fundamentally different products, and you haven’t necessarily solved your cybersecurity challenges just by having technologies coming from the same vendor. So there’s probably a big role out there to play for system integrators, VARs, people who do some of this work to take out some of this complexity. But it’s a tough problem. And I think that’s partly why we are seeing the rise of the managed security service providers. Customers, depending on the size of the company, just don’t have the people and the knowledge to do a lot of that stuff anymore.