
Using NetFlow and Metadata Analysis to Reduce IoT Security Risks

The Internet of Things (IoT) describes the wide array of devices (beyond traditional computers and mobile phones) that are today, or will be in the future, connected to the internet. According to Gartner, there will be 20.4 billion connected devices by 2020. These internet-connected devices provide valuable functions that make people’s lives easier and improve business outcomes; however, there is a dark side. IoT devices expose new attack surfaces and introduce a vast number of security vulnerabilities. As such, IoT security must quickly become a top priority for IT. Collecting, visualizing, and reporting on IoT device flow data is an extremely effective mechanism for reducing security risks associated with IoT devices. Flow data can be analyzed to look for anomalous behavior that is caused by a breach.

Consumer-Based IoT Devices

Examples of consumer-based IoT devices are security cameras, thermostats, garage door openers, doorbells, refrigerators, dryers, washing machines, Blu-ray players, Alexa, Google Home, wearable fitness trackers, smart watches and TVs, cars, and much more.

Our Connected World

IoT Devices for Enterprises

Business, government, healthcare, education and many other sectors are leveraging IoT to streamline operations, reduce cost, improve product quality, collect big data for analysis, and many other uses. Examples of IoT device functions can include inventory and material tracking, asset tracking, humidity and temperature monitoring, manufacturing process controls, robotics, clinical monitoring and procedure administration, environmental system controls, global positioning tracking, and many more.

The Growing Attack Surface

IoT devices are connected to wired/wireless networks and transmit data via Internet Protocol (IP). They’re small computing devices with an operating system, on-board memory, and internal processing capabilities. In many cases, IoT devices ship and are deployed with default usernames and passwords. To make matters even worse, they are rarely patched.

With these characteristics, the attack surface introduced by IoT is much larger than most people expect. Further complicating matters, IoT device manufacturers who are in a rush to get products to market quickly often overlook embedded security, leaving many devices vulnerable to a wide range of attacks. Organizations must stop deploying IoT devices the same way they deploy computers, laptops, and other devices that employees use to do their jobs. Those devices support a wide array of functions and applications, but IoT devices are different. They are purpose-built.

Purpose-Built Devices

IoT devices are purpose-built with a very narrow set of functions. They communicate with a specific set of IP addresses (servers) using only a small number of protocols and applications. As such, monitoring the flows to and from the devices and establishing a baseline of normal traffic patterns and behavior is straightforward. Based on the data gathered, IT teams can easily apply the principle of least privilege. From this, reporting and alarms can be created to identify if and when even a single packet sent to or received from an IoT device falls outside of what is considered “normal.” Flow and metadata collectors like Scrutinizer provide real-time monitoring and maintain a historical forensic database, allowing organizations to quickly identify problems, determine root cause, and return to normal.
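To make the baselining step concrete, here is an added Python example (not Scrutinizer code and not part of the original post) that learns a per-device allow-set from constructed, unidirectional flow records and then flags any later flow that falls outside it. The device address, peers and flow records are assumed sample data; the point it adds is that unidirectional exports must be normalized to the peer's service port, or DNS replies to ephemeral ports would look like anomalies.

```python
from collections import defaultdict

# Constructed sample flows in a simplified, unidirectional NetFlow/IPFIX shape:
# (src_ip, src_port, dst_ip, dst_port, proto). The monitored IoT device is a
# thermostat at 10.0.20.15; all addresses are documentation ranges, not real hosts.
DEVICE_IPS = {"10.0.20.15"}

LEARNING_FLOWS = [  # seen during the baselining window
    ("10.0.20.15", 50211, "203.0.113.10", 443, "tcp"),  # vendor cloud, device-initiated
    ("203.0.113.10", 443, "10.0.20.15", 50211, "tcp"),  # return half of that session
    ("10.0.20.15", 41002, "10.0.0.53", 53, "udp"),      # DNS query
    ("10.0.0.53", 53, "10.0.20.15", 41002, "udp"),      # DNS reply to an ephemeral port
    ("10.0.20.15", 123, "10.0.0.123", 123, "udp"),      # NTP
]

LIVE_FLOWS = [  # later traffic checked against the baseline
    ("10.0.20.15", 50388, "203.0.113.10", 443, "tcp"),  # normal
    ("10.0.0.53", 53, "10.0.20.15", 41777, "udp"),      # normal reply, new ephemeral port
    ("10.0.20.15", 50390, "10.0.10.7", 445, "tcp"),     # new: unexpected LAN file server
    ("10.0.20.15", 50391, "198.51.100.9", 6667, "tcp"), # new: unexpected external peer
]

def flow_key(flow, device_ips=DEVICE_IPS):
    """Normalize one flow to (device, direction, peer, proto, service_port).

    Service port = the peer's port (dst port outbound, src port inbound), so the
    device's ephemeral client ports never bloat the baseline. None if no device.
    """
    src, sport, dst, dport, proto = flow
    if src in device_ips and dst not in device_ips:
        return (src, "out", dst, proto, dport)
    if dst in device_ips and src not in device_ips:
        return (dst, "in", src, proto, sport)
    return None

def build_baseline(flows):
    """Per device, the set of (direction, peer, proto, service_port) observed."""
    baseline = defaultdict(set)
    for flow in flows:
        key = flow_key(flow)
        if key:
            baseline[key[0]].add(key[1:])
    return dict(baseline)

def find_anomalies(baseline, flows):
    """Every flow whose key is not in its device's baseline; one hit is enough to alert."""
    hits = []
    for flow in flows:
        key = flow_key(flow)
        if key and key[1:] not in baseline.get(key[0], set()):
            hits.append(flow)
    return hits
```

Run against the constructed data, the two normal live flows pass and the two new peers are returned as anomalies; the baseline set itself doubles as the least-privilege allow-list for that device.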

IoT Security: Least Privilege Approach

The number of IoT devices on IP networks is exploding. These devices often do not include any embedded security features and are rarely, if ever, patched. This introduces a vast number of new vulnerabilities in an organization’s infrastructure and creates a significant attack surface, which bad actors use to gain access and compromise these devices. IoT devices are purpose-built with a narrow set of functions, allowing organizations to gather and monitor flow data and baseline normal traffic patterns. Organizations must stop deploying IoT devices as trusted end systems. Instead, they should leverage the principle of least privilege to identify any anomalous behavior that results from their compromise and quickly remediate the problem. The collection and analysis of flow data is the most efficient and effective mechanism to reduce the security risks associated with deploying IoT devices.

For more information on how Scrutinizer can help, check out our related blog on IoT Security with NetFlow/IPFIX.