Corporate IT security pros need to consider the Internet of Things as a new and dangerous attack vector – oh, and we all should be particularly worried about the safety of our cars, says the top executive at Palo Alto Networks.
“You need to be completely rethinking endpoint security and you need to be seeking out technology that will actually prevent things at endpoints before [malware] lands,” says Palo Alto CEO Mark McLaughlin in a recent interview with Network World.
IoT endpoint devices may connect directly to other, more valuable assets on a network or they may provide a toe-hold from which attackers can move around laterally inside a network until they gain access to high-value data, McLaughlin says.
He says the way to go is to defend the endpoints – which is what Palo Alto does – but at least initially that will have to be done using risk analysis to determine which endpoints warrant the defenses.
“I think the way to think about endpoint security is ‘What’s the value of what you’re trying to protect?’ If my refrigerator is talking to Safeway automatically to say, ‘On your next Peapod [visit] bring some more milk because I’m out of milk,’ and you’re the bad guy, and you knew that, I’m not sure that I really care,” he says.
But it could be less innocuous. “If you penetrated the refrigerator and that got malware into the fridge and that went into the store system, could it get to the payment database? Yeah, that’s possible. That’s an example of saying maybe you do want to protect your refrigerator.”
The test of which IoT devices to defend is whether the consequences of a compromise are dire enough. “I think you’re definitely going to want it on the car you buy in three years from today, which is more and more just a computer wrapped around wheels,” he says. “I think you want them on ATM machines. I think most retailers in the world right now would like to have it on their point-of-sale devices right now. I think it just depends on what the value of the data flowing through the endpoint is as to where you’re going to invest your money.”
Meanwhile, corporate network security is already facing stiff challenges that have many experts saying that breaches are inevitable – something McLaughlin isn’t willing to concede.
“It’s as if you and I would go home tonight and say to our families, ‘Somebody is going to break into the house, probably every night. They’re going to walk around, they may take stuff, take whatever they want, but they’re coming in any time they want to every day of the week, and there’s really nothing we can do about that, so we just have to be OK with that,’” he says. “Nobody’s OK with that. That’s sort of the equivalent.”
He says that in the past people have faced threats that perhaps they were unable to eliminate completely but that were minimized to the point of being acceptable. That’s what he says will happen with network security. “The problem right now is that that may take a decade or something but we’re in the midst of that, probably at the earlier part of that than the later part of it,” he says, “and when your face is that close to the paper and you’re living it every day, it’s easy to not be able to see the light at the end of the tunnel.”
The goal of improved security is to make successful attacks so difficult and therefore expensive that only a few well-financed actors can carry them out. These would include wealthy private organizations and governments, and the remedies might not be technological.
Some of the answer may be diplomatic, with countries coming to agreements on what is acceptable behavior. There may be treaties such as those banning chemical and nuclear weapons, with economic sanctions being imposed against violators, he says.
Other solutions could include giving economic incentives to businesses that practice better cybersecurity as a way to move the needle toward better protected networks. Incentives could mirror insurance discounts granted to safe drivers, for example. Rates for cyber insurance policies could be tied to applying industry best practices for security, he says.
Despite these efforts, breaches may seem to become more prevalent over the short term for two reasons, he says. First, they may actually be more prevalent because the vast majority of current security infrastructure is legacy technology that doesn’t effectively prevent new types of attacks. Second, new laws and regulations will likely call for more reporting of incidents, so incidents that might have escaped notice before no longer will, giving the appearance of more incidents.