As use of IoT devices explodes, detecting vulnerabilities becomes nascent industry
Using a device’s personality profile to detect behavior anomalies, companies can bolster security
By Rodika Tollefson, ThirdCertainty
The number of machine-to-machine connected devices—the Internet of Things—is growing faster than the world population. Cisco estimates that M2M connections will grow from 4.9 billion in 2015 to 12.8 billion by 2020 (estimated world population in 2020: 7.7 billion).
Growth in IoT security expenditures is as robust. Gartner puts endpoint IoT security spending at $1,183 billion in 2015, and estimates $3,010 billion in 2020.
“Everybody’s realizing that IoT security is a serious problem,” says Xu Zou, CEO and co-founder of Silicon Valley startup ZingBox.
But many vendors are trying to solve the problem with incremental changes to existing products that are repackaged for IoT, Zou says.
“We found that existing products with these incremental changes cannot efficiently secure IoT devices,” he says.
Related video: As Internet of Things expands, so do risks
The security challenge could stifle the industry. May Wang, ZingBox co-founder and chief technology officer, points to last year’s IoT-enabled DDoS attack as an example.
“I heard many voices saying that we should slow down or even stop IoT deployment because of that,” she says.
Yet deployment is inevitable and IoT holds much potential for both consumers and businesses.
“The right thing to do is not to slow down or stop IoT deployment, but to address security issues,” Wang says.
ZingBox’s answer is IoT Guardian, a built-from-scratch solution that comes out of Wang’s and Zou’s extensive work in networking and security.
After a beta launch last summer, the cloud-based software was publicly released in February. Now, ZingBox is flexing its muscles to become a thought leader in the nascent—and hot—space of IoT security. The vision, in Wang’s eyes, is to become “the driving force to collaborate with all parties to move IoT security forward.”
The ZingBox approach
Through deep, machine-based learning, IoT Guardian detects IoT devices within a company. Once discovered, they can be protected based on what ZingBox calls the devices’ personality profiles.
Guardian creates each profile based on the type of device (e.g. X-ray machine vs. thermostat), manufacturer-specific differences and “per instance” (i.e., how the customer uses it).
“We can learn the device’s personality no matter how it evolves over time,” Zou says.
Without touching the device or accessing sensitive information, Guardian extracts metadata like MAC addresses, IP statistics and traffic packets. Based on metadata and device personality, it detects uncharacteristic behaviors in real time.
Customers can choose to have ZingBox automatically block suspicious tasks or to analyze the information and act on it in-house.
Smartphones are multifunctional devices. In contrast, each IoT device is designed for specific tasks, so it has a limited set of behaviors and flow patterns, Zou says. This commonality inspired the idea of device personalities.
Launched through the Stanford-StartX Fund, ZingBox took a year and a half to build a team—coming from places like Cisco, Palo Alto Networks, FireEye, Google and Yahoo—and develop a beta product.
Wang says launching the startup was an easy decision. She says, “I asked myself: How many times could it happen in a person’s life, that this big wave is coming and it falls right inside the domain of my expertise?”
Cisco, Symantec and Rapid7 are among the established leaders moving into this vertical. Zou expects to see more vendors coming up with solutions, and feels that competition is good news, both for the industry and customers.
“IoT security needs more attention and better solutions, for sure,” he says.
This stage of IoT security is similar to PC development in the 1980s, Wang says, adding that she hopes this nascent industry doesn’t pay the same price before establishing security protections.
“Lots of innovation is needed in this field because of the new challenges of IoT,” she says. “Not only in technological areas but also in terms of organization, policy and legal.”
More stories related to Internet of Things security:
Security of the Internet of Things takes on new urgency
Data security even more critical as Internet of Things multiplies, morphs
Why more attacks leveraging the Internet of Things are inevitable
Retailers expected to spend billions on Internet of Things