IoT World Today

‘Git-R-Done’ Networking and Other IoT Security Perils

The head of security for Aruba Networks opens up in this Q&A about the current state of IoT security.
  • Written by Brian Buntz
  • 17th June 2019

More than a decade ago, the Nebraskan comedian Daniel Whitney, better known as Larry the Cable Guy, made famous the catchphrase “Git-R-Done!” One of the meanings of that adaptable term is to finish a task quickly, without getting bogged down by excessive trepidation.

But while an expedited approach might work when, say, running a length of coaxial cable through a building, a slipshod IoT deployment strategy can be perilous in terms of its cybersecurity ramifications.

Yet a “hope-for-the-best” IoT strategy is common in many enterprise organizations, said Jon Green, vice president and chief technology officer, security at Aruba Networks. And as a result, many organizations, from hospitals to universities to enterprise companies, are left with significant security vulnerabilities.  

To help those organizations minimize risk, Aruba Networks is working with clients to first obtain awareness of the endpoints on their network, and then build a cybersecurity strategy on the foundation of that awareness.

In the following interview, Green explains how Aruba Networks works with clients to first improve their networking awareness and ultimately develop a mature cybersecurity strategy. He also shares his thoughts on the current state of the cybersecurity industry and the hype surrounding certain AI technologies deployed in the field.  

The responses have been edited for brevity:

Now that IoT is maturing, what are you seeing from your customers from a cybersecurity standpoint?

Green: From an IoT standpoint, we see a ton of [security challenges]. We’re seeing all sorts of things joining our networks. Universities and hospitals are probably where we see the bulk of this. In the general enterprise space, we’re seeing an awful lot of smart TVs. Printers have always been there. But smart lights, temperature sensors, room occupancy sensors — all these sorts of things are showing up on networks, sometimes with the organization having little to no knowledge of it.

What advice do you have for organizations working to get a grip on their IoT deployments?  

Green: At a high level, we want to have some form of identity attached to every single network connection, whether it’s wired or wireless. And that might be nothing more than a MAC address. Then, we’ll make sure there are systems in place that are profiling the network and showing what’s connected and what we know about it.

Then, we’ll work to get high-quality authentication. Two-factor is usually going to be a laptop or a tablet or something that has some concept of good authentication. But we’ll use the best method we can. And simultaneously, we’ll look at many different methods of trying to identify and categorize those devices.

The second phase for us is asking: “Once I know what you are, what should you be allowed to do?”

An example of that concept would be if you have a smart television on the network, you can identify what it needs to do, and control access to it.

The 2016 Mirai botnet is still one of the best-known IoT-related attacks. How much cyber progress have we made since then?

Green: The biggest news that I’ve seen is in consumer-type routers. I haven’t seen a big change from most of the device vendors themselves. It’s kind of like they are telling themselves: “Well, I wasn’t subject to Mirai, so what do I need to worry about?”

Several governments, though, have woken up after Mirai. That’s where the big change is seen. I’ve noticed this out of China, India and a couple of other places. There’s talk about it in the U.S. And California passed a law recently that said: “You cannot have default passwords in products that you sell.” So I feel like the governments have picked up more than the device vendors have.

What’s your perspective on the relationship between network engineers and cybersecurity staff?

Green: A network engineer has done their job if they deliver packets from A to B quickly, with high reliability and so on. A security person would prefer if nobody is delivering packets across the network because that means the attack traffic is blocked as well. Obviously, we want something in the middle there. That’s why it’s really important that networking people and networking companies really embrace security.

Aruba started out in 2002 as a Wi-Fi company and WEP encryption was broken around then. From an enterprise standpoint, people were saying “no” to Wi-Fi. So we really focused on building security into our products to convince people they were safe in the enterprise space. We had to do a whole lot more than meet the minimum requirements.

Security was also in our DNA. For instance, Keerti [Melkote], our founder, and I both spent time at Nortel Shasta where we did a lot of work on security for DSL and broadband. We ended up with the right set of people in the company who had that kind of background. We knew how to build firewalls. We knew how to build authentication systems.

And then some of the acquisitions we made, such as the ClearPass product, line up with security just as much as they do with networking.

What role do you see networking vendors playing in cybersecurity in general?

Green: In the networking space, anybody can be a networking vendor these days. The chipsets are all commodity at this point. You can get your own Ethernet switch to market very quickly and very easily. But enterprise-grade networking, I think, really has to have a security component in it. And you now see some companies kind of retrofitting security architecture back into the network with stuff like software-defined access and that sort of thing. That’s a good attempt. It’s trying to solve a problem that’s out there, but can end up being unnecessarily complicated. You’re trying to retrofit security as opposed to it being there from the beginning.

What do you make of the growing attention to network security — especially related to 5G hardware — at the national level in the United States?

Green: It’s a big deal. If you can’t trust your network infrastructure, how do you trust the traffic that’s going on top of it?

I own two different functions at Aruba. One is security of our products. And so as part of that, we have our own hacker groups, Aruba Threat Labs. We go out and try to break our own products and do bug hunting and things like that. But I also own security products. So I think you have to have both.

Aruba Networks does a lot of work with medical customers. How much progress do you see there?

Green: Things like WannaCry really were disruptive to health care networks in general. So there has been kind of a great awakening there. It’s not necessarily up to the level that the banking sector is but I think it’s getting there quickly.

In many ways, hospitals are the place where IoT really started. You had all these connected things and in some cases, they were life-critical-type devices: heart monitors, infusion pumps, etc. These sorts of things are often networked now.

We see in a lot of cases expensive medical equipment, like MRI scanners, where vendors will attach really cheap consumer-grade networking components to it. They then tell you that because of FDA certification, you can never update the software on those devices. But that’s not true. The FDA certification doesn’t say anything of the sort. There’s also a growing awareness of the risk out there. You just can’t justify not fixing these things anymore.

There’s also a problem in the medical space of organizations still not knowing what’s on their network. We had a customer beta testing a new product of ours called ClearPass Device Insight, which is designed to answer the question of what’s on my network in a much more detailed way than we could do before. And they’d been using it for a couple months and said: “Hey, we found this thing on our network.” Nobody could identify for the life of them what it was. They finally figured out based on using this product that it was a particle accelerator or something like that you wouldn’t think would be in a hospital.

One of the themes I’ve seen more of in recent years is an explosion of supposedly AI-enabled cybersecurity offerings. What do you make of this theme?

Green: It’s overwhelming. I’ve asked venture capitalists: “Why do you keep on funding more security companies? There are 15 companies all chasing the same dollars and solving the same problem.” A VC told me: “Basically, it’s fear of missing out. If we don’t fund this company, and someone else does, then we might miss the next big thing.” But there are too many companies in the space right now. And it is very confusing.

Gartner even wrote a paper basically directed at marketing departments of security companies, saying: “Stop overusing the terms ‘AI’ and ‘machine learning’ if those terms aren’t warranted because you’re confusing the market.”

I do think that’s a big problem.

What advice do you have for enterprise companies trying to navigate the cyber vendor marketplace?

Green: We see a lot of security companies out there that really solve one thing. They might be really good at it. And that’s good; that’s how we started as well. I don’t think the customers have the patience or the time or the budget anymore to play system integrator.

These vendors will say: “We have APIs, so you can integrate it into the rest of your system.” I don’t think the customers have the time or the people or the money to do this integration. They expect these things to come integrated out of the box with whatever framework they’ve chosen.

People will also say: “Well, I want to buy it all from one vendor.” And I see that point. On the other hand, if you look at some of the vendors that have been snapping up companies left and right, there’s not a whole lot of internal integration that goes on either. You might be able to buy it from the same salesperson. But they look like fundamentally different products, and you haven’t necessarily solved your cybersecurity challenges just by having technologies coming from the same vendor. So there’s probably a big role out there to play for system integrators, VARs, people who do some of this work to take out some of this complexity. But it’s a tough problem. And I think that’s partly why we are seeing the rise of the managed security service providers. Customers, depending on the size of the company, just don’t have the people and the knowledge to do a lot of that stuff anymore.
