By Jonathan Langer
Despite the vulnerabilities that threaten to destroy trust in the connected world, businesses now recognize that accessing data from an exploding number of connected endpoints is a competitive imperative. As a result, investment capital has flowed freely and dozens of startups have entered the Internet of Things (IoT) cybersecurity solution market.
Because the healthcare IoT solution market is especially hot, a number of vendors whose solutions were originally designed for application across industry have made the pivot. And it makes sense. After all, modern medical devices are designed for remote control, so there’s not much imagination required to understand the potential patient risks.
Regardless of industry vertical, all of the market’s solution providers promote visibility as foundational. You cannot manage what cannot be seen. And while most can also passively identify (i.e., by parsing mirrored network traffic) and categorize connected device types, they differ in their methods and in the granularity of their device fingerprints.
While the “automated” identification of a device is surely a step forward, if device-specific attribution is lacking, then potentially game-changing integration opportunities are rendered meaningless. For example, automating the capture of firmware-level details, including operating system (OS) specifics, application versions, etc., and correlating them with the details of known vulnerabilities gives the visibility required to instantly identify potentially affected devices, and should be viewed as nothing short of a core capability. And you cannot do it without the device specifics.
Every vendor uses Deep Packet Inspection (DPI) to fingerprint devices — when they can. For this reason, when the device communication protocol is well documented (e.g. DICOM, HL7), DPI is always used because the approach is passive, effective and deterministic. However, when the communication protocols are proprietary, which is common, especially in healthcare, most vendors default to statistical, behavior-based modeling techniques. If there’s a religious war brewing in the cybersecurity solution space, there isn’t much question that it will be centered on DPI (a deterministic approach) versus all others (probabilistic). Regardless, when you’re shopping the solution market, here’s an area where your competitive evaluations should definitely focus.
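As an added illustration (not code from the article or from any vendor), the sketch below shows deterministic fingerprinting for a documented protocol: it parses a constructed MLLP-framed HL7 v2 message, reads identity fields from the MSH segment and, assuming the device emits the optional SFT software segment, matches product and version against an advisory list. All device names, versions and advisory IDs are constructed placeholders.

```python
# Added example. Device names, versions and advisory IDs are constructed.
VT, FS, CR = b"\x0b", b"\x1c", b"\r"  # MLLP start block, end block, carriage return

ADVISORIES = [  # constructed stand-in for a real vulnerability feed
    {"id": "EXAMPLE-ADV-001", "product": "InfusionGateway", "affected": {"2.1.0", "2.1.3"}},
    {"id": "EXAMPLE-ADV-002", "product": "VitalsMonitor", "affected": {"5.0.1"}},
]

def unframe_mllp(payload: bytes) -> str:
    """Strip MLLP framing; reject anything that is not one complete frame."""
    if not (payload.startswith(VT) and payload.endswith(FS + CR)):
        raise ValueError("not a complete MLLP frame")
    return payload[1:-2].decode("ascii", errors="replace")

def fingerprint(payload: bytes) -> dict:
    """Read identity fields from the MSH and SFT segments of mirrored traffic."""
    segments = [s for s in unframe_mllp(payload).split("\r") if s]
    if not segments or not segments[0].startswith("MSH") or len(segments[0]) < 5:
        raise ValueError("first segment is not MSH")
    sep, comp = segments[0][3], segments[0][4]  # field and component separators

    def first_component(fields, i):
        return fields[i].split(comp)[0] if len(fields) > i else ""

    fp = {}
    for seg in segments:
        f = seg.split(sep)
        if f[0] == "MSH":  # MSH-1 is the separator itself, so f[i] is MSH-(i+1)
            fp.update(sending_app=first_component(f, 2), facility=first_component(f, 3),
                      hl7_version=first_component(f, 11))
        elif f[0] == "SFT":  # SFT-1 vendor, SFT-2 version, SFT-3 product name
            fp.update(vendor=first_component(f, 1), sw_version=first_component(f, 2),
                      product=first_component(f, 3))
    return fp

def affected_by(fp: dict) -> list:
    """Exact-match the fingerprint against advisories; no SFT means no match."""
    return [a["id"] for a in ADVISORIES
            if a["product"] == fp.get("product") and fp.get("sw_version") in a["affected"]]

SAMPLE = VT + CR.join([  # constructed capture, not real device traffic
    b"MSH|^~\\&|PUMP_GW|WARD7|EHR|HOSP|20240101120000||ORU^R01|MSG0001|P|2.5.1",
    b"SFT|ExampleMed Inc|2.1.3|InfusionGateway|BIN-0001",
    b"OBX|1|NM|RATE||12.5|mL/h",
]) + CR + FS + CR

if __name__ == "__main__":
    fp = fingerprint(SAMPLE)
    print(fp, affected_by(fp))
```

A device that sends no SFT segment still yields a sending application and HL7 version, but produces no advisory match, which is the attribution gap the preceding paragraphs describe.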
The cybersecurity of connected devices is top of mind across industry C-Suites. Fortunately, solving the problem also means closing long-standing gaps in the tools used by the cross-functional teams who benefit from these solutions. In healthcare, it’s IT/IS security, biomed, clinical engineering and even supply chain/procurement. In other verticals, simply substitute maintenance engineering and/or shop-floor operations management. The point is, because the data these systems publish can be effectively integrated into the existing tools/workflows of a large cross-section of users, evaluation teams should have cross-functional representation. Put another way, these solutions should not be evaluated in an IT/IS security vacuum.
Moving from risk avoidance to risk reduction — from more effective mitigation strategies to proactive remediation. And it’s happening in nicely packaged solutions that can help create security policy and, through integrations, ensure enforcement.
And finally, because many of the market’s leading vendors are also capturing device utilization metrics, evaluators should ask for example use-case details. Bottom line: if you get a blank stare, move on. A cybersecurity solution that delivers ROI to procurement — who would have thought?