
IoT Security with NetFlow/IPFIX


With billions of devices coming online yearly, the world of IoT (Internet of Things) is upon us. Unfortunately, like any new technology, form and function greatly outweigh security, leaving businesses and individuals exposed. Due to this general disregard early on, IoT security with NetFlow is quickly becoming a focus and pushing companies into better monitoring practices.

During CiscoLive! in Las Vegas this year, Chief Security and Trust Officer for Cisco John Stewart presented the security keynote and focused primarily on the world of IoT. There are currently around 10 billion IoT devices, and there will be an expected 30 billion by 2020. Though impressive, this number is scary to those interested in security.

Let’s do a bit of a rewind before moving into the juicy conjecture that is security.

IoT (Internet of Things)

The Internet of Things, as the name suggests, is a worldwide connection of various devices. Phones, webcams, cars, smart lights, Barbie play houses, etc. can all connect to the internet. I’m sure you’ve seen in movies or even know someone that can turn on their house lights with a phone app. The convenience and city-of-tomorrow feel is astounding, but if you lean toward the more security-centric train of thought, it gets a little bit less ooh and ahh and a bit more terrifying.

Security Concerns

With all of these devices coming online, security should always be a top concern, but it amazes me how lax people can be about it. The Mirai botnet comes to mind; it’s malware that looks for your IoT devices and takes advantage of people not changing their default passwords, entering those defaults to gain control. Once controlled, your webcam, router, or modem becomes part of the botnet, capable of banding together with other infected devices to take down systems around the world. Mirai is one major media example of how IoT vulnerabilities can be leveraged to do harm. The big issue that is coming up more and more when I talk to customers is data exfiltration. IoT devices can be used to harvest valuable data, not only for the companies that build them, but also for the bad actors that want to steal the information. Tools like bring these fears to light by allowing anyone to search through the billions of internet-connected systems.

Moving Forward

Even though IoT devices are taking the world by storm, it is still early enough to implement change. The CTO for ARM, Mike Muller, discusses the idea that instead of being reactionary with security, companies should start striving for security out of the box. With changes like locked-down architecture, locked-down kernels, and keys that vary from device to device, the industry can put the right foot forward. There’s no reason why all devices in a chain should follow the one that goes down. These are currently just ideas moving forward; we still have 10 billion IoT devices to contend with today.

Finding all of the vulnerabilities and ending all of the attacks is a pipe dream. Like it or not, there is a very high likelihood that something you own or something within your network is going to get hit. John Stewart stated during his keynote that it takes on average 100 days before a company knows that they have been hit. That is far too long and companies like Cisco are aiming to reduce that mean time to know. But what can you do today to reduce that time?

IoT Security with NetFlow/IPFIX

Instead of waiting for the newest “security” cure-all to come out, why don’t we start using our already existing network architecture? Many routers, switches, and firewalls are now flow/IPFIX capable. Unlike SNMP, which will give me ups and downs, or packet capture, which will consume a metric ton of storage, flows allow me to follow conversations through my network and turn all of my nodes into individual security cameras. With a proper network traffic analytics system, I can take these conversations, baseline them over a period of time, and then run rules against the traffic to alert me within minutes of an attack.

Flow Analytics

With IoT devices in mind, a customer called me worried that he had seen unusual countries within his network traffic. After digging in, we discovered that it was DNS traffic being sent out from a smart home’s Philips lights. Yes, light bulbs were beaconing over DNS. We’re all familiar with DNS tunneling and its uses for data exfiltration, but this was a first. What a time to be alive as a network security professional when I have to worry about Barbie playhouses and light bulbs exfiltrating data or becoming part of a botnet.
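The baseline-then-alert approach described above, applied to the light-bulb case, as an added example that is not from the original post or from any product: it learns each device's usual DNS destinations and DNS volume from past flow intervals, then flags departures in a new interval. The flow tuple layout, the IP addresses, the thresholds and the function names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

DNS_PORT = 53  # each flow is a (src_ip, dst_ip, dst_port, octets) tuple

def dns_profile(flows):
    """For one interval: resolvers contacted and DNS octets sent, per source."""
    resolvers, octets = defaultdict(set), defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport == DNS_PORT:
            resolvers[src].add(dst)
            octets[src] += nbytes
    return resolvers, octets

def build_baseline(intervals):
    """Learn known resolvers and per-interval DNS octet history per source."""
    known, history = defaultdict(set), defaultdict(list)
    for flows in intervals:
        resolvers, octets = dns_profile(flows)
        for src, dsts in resolvers.items():
            known[src] |= dsts
            history[src].append(octets[src])
    return known, history

def check_interval(flows, known, history, sigmas=3.0, min_slack=200):
    """Return (source, rule, detail) alerts for one new interval of flows."""
    alerts = []
    resolvers, octets = dns_profile(flows)
    for src in sorted(resolvers):
        # Rule 1: DNS sent to a destination this device never used before.
        for dst in sorted(resolvers[src] - known.get(src, set())):
            alerts.append((src, "new-resolver", dst))
        # Rule 2: DNS volume well above this device's own baseline.
        hist = history.get(src)
        if hist:
            limit = mean(hist) + max(sigmas * pstdev(hist), min_slack)
            if octets[src] > limit:
                alerts.append((src, "dns-volume", octets[src]))
    return alerts

# Constructed sample data: 10.0.20.15 stands in for a bulb, 10.0.20.30 a laptop.
BASELINE = [[("10.0.20.15", "10.0.0.53", 53, n), ("10.0.20.30", "10.0.0.53", 53, m)]
            for n, m in [(300, 150), (320, 170), (280, 160)]]
CURRENT = [
    ("10.0.20.15", "10.0.0.53", 53, 310),
    ("10.0.20.15", "203.0.113.77", 53, 9000),   # resolver absent from baseline
    ("10.0.20.30", "10.0.0.53", 53, 165),
    ("10.0.20.30", "198.51.100.10", 443, 48000),  # non-DNS flow, ignored here
]
ALERTS = check_interval(CURRENT, *build_baseline(BASELINE))
```

The `min_slack` floor keeps a device with a very flat baseline from alerting on a few extra bytes; in practice both thresholds would be tuned per device class.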

If you want to learn more about IoT security or finally get some visibility into your network, contact the NetFlow Knights and download Scrutinizer today!