With the data and security circus that is the RSA Security Conference heading out of San Francisco, we sat down one more time, this time with John Sirianni – Vice President of Strategic Partners, IoT – at Webroot.
So John, how has Webroot approached this new world of IoT from a security point of view?
Sirianni: So our focus for the IoT markets is to focus on the critical infrastructure providers, those are OEMs and operators that are looking for a way to protect their installations from various threats. We are leading into (this) market with threat intelligence, so as we have had success in the past with OEM security appliance manufacturers, we are bringing threat intelligence to the providers of IoT gateways. So that would be OEMs and manufacturers that are bringing gateways to market to protect their systems.
And that seems to be a topic at RSA, this shift from threat analysis to prediction?
Sirianni: Yes, so our history is one of autonomous behavior tracking to understand where the threats are coming from. So being in that industry, we are taking that autonomous assessment of behavior to the IoT. We believe that is the only way you can actually defend, to be up to the current understanding of where threats are emanating from.
So these threats are now coming from billions of IoT nodes…how do you keep up with that?
Sirianni: You have to keep up with the parts of the market that care about it. So, we have seen demonstrated at certain parts of consumer IoT, they really don’t care about whether their devices are secure. And we see that the critical infrastructure – power and energy management, integrated transportation – those are filled with manufacturers and operators that care about their infrastructure and are willing to work with leading security companies to monitor and provide situational awareness to all the activities. You can’t protect it all.
We have seen this before, where the corporate IT departments hid their eyes from personal devices and phones being connected to corporate networks…
Sirianni: What’s different about IoT as compared to business models of the past is IoT is very dependent upon interfaces across industries, data sources, suppliers and vendors, and it all gets quite blurry. As a manufacturer or OEM, you might do a very good job of locking down your systems or providing protections for your systems. But you don’t always have control over your systems that – once deployed – are going to interface with other technologies and vendors inside and outside. So the threats will always come from the easiest source of compromise. Today, some of the easiest sources of compromise are PC and consumer devices, so it’s still up to the operators of the operational technologies and information technologies to do that first job – which is to make sure that those devices that touch the network are protected.
When you think about this collision of cloud, big data analytics and IoT, what’s the nightmare scenario?
Sirianni: Well, I wouldn’t say nightmare scenario, but what I would say is the concept of backhauling everything back up to the cloud isn’t the solution for every business model. We are seeing a lot of analytics and storage – and now security – playing out at the gateway, which is closer to the end-devices and so I believe the industry is starting to get a little smarter about where to add value, and that’s a good thing. Because that prevents threats and (prevents) systems and subsystems that have been compromised from affecting the multitude of systems that are out there. So call it an “air gap” or call it a “breaker” or call it whatever you will, but the separation of systems and function has always been a good approach.
With IoT – where you depend on intercommunications across many value chains that you didn’t expect to in the past – you have to do a better job of watching the interfaces. The thing I worry about – that we’re starting to see – is module manufacturers starting to bring new things to market that are basically small compute modules and that are as powerful as PCs were two years ago. That is made for the makers’ market, and that’s going to enable some wonderful business models. But that is also going to enable hundreds of millions of devices that are Internet-connectible that have no security and that are just standing out there, ready to be used as a massive botnet.
I think one thing the security industry is challenged by is some of the most difficult hacks, and some of the more advanced hacks that are not talked about in the industry.
Sirianni: Not going to talk about it! There are companies involved that have to talk about legalities and liabilities, and it’s not to anyone’s benefit to promote things that have happened. So, what is in the press versus what is technically possible, there is always a gap between the two and the industry is very aggressively learning how to protect – and also how not to tip off – the criminals and the state-sponsored espionage (agencies) on how to use the best techniques. You need to keep some of this close to your chest.
Where do you think we are on the threats from IoT, and how seriously do you think Corporate America is taking this?
Sirianni: I would say most corporations are very highly aware of database and database security. I think the move to encrypting data is well underway, and most of what goes on in the area of healthcare record fraud and credit card exploits is due to databases not being encrypted. So I think that most corporations worldwide are learning very, very quickly. That doesn’t get to the question of data sharing between companies. You need to do your due diligence on your partnerships for IoT and participating in IoT platforms, and make sure that you know what kind of exposures your trading partners are exposed to.