For years, security teams have worried about new or unauthorized devices connecting to the corporate network. First it was laptops in the 80s, then smartphones in the 90s, but it wasn’t until the mid-2000s that security teams began to see where things were headed: a world increasingly dominated by “smart” devices that attach to the enterprise network, expand the attack surface, and must be governed for their security implications. Handling this problem is very different from securing corporate-owned laptops or phones connecting to an on-premises network, and enterprises are now seeking ways to manage the Internet of Things (IoT) landscape.
It has been estimated that there are currently more than 26 billion IoT devices connected to the internet[i], and few of them can be managed by traditional methods. Agent-based endpoint protection is ineffective because many IoT devices simply cannot host an agent. IoT firmware often ships with hardcoded credentials that cannot easily be changed, and updates are rarely automated in the way security teams expect. Traditional firewalls don't see the access layer, and next-generation firewalls that segment networks still key on identifiers such as IP addresses, which an attacker can spoof or change with little effort. Network access control (NAC) systems, for their part, are difficult to implement and manage, and they have limited ability to detect when an IoT device has been compromised or is acting outside the norm.
For the above reasons, organizations need a different method to handle IoT devices, in particular, unmanaged devices on which an agent cannot be placed.
Untraditional endpoint protection
Armis was founded in 2015 by CEO Yevgeny Dibrov and CTO Nadir Izrael to provide an agentless security platform for unmanaged and IoT devices. After two years in stealth mode, the company emerged in 2017 after landing $17 million in funding. More recently, Insight Partners acquired the company at a valuation of $1.1 billion.[ii]
Armis’ platform was built on the premise that agents cannot be placed on most IoT devices connecting to corporate networks: the smart TV in your conference room, visiting board members’ smartphones, HVAC or smart lighting systems, or the robotic arm in your manufacturing plant. Yet every one of these devices poses a risk, especially if you can’t see it, don’t know its security posture, and can't control it. Thus, visibility is the first component of Armis’ solution.
The platform is deployed on the network as a virtual appliance that connects to a local aggregation point (e.g., a SPAN port or wireless LAN controller). This passive vantage point lets Armis see every device on the network and glean information about it: device type, manufacturer, compliance status, update history, wireless protocols in use, MAC and IP address, access control lists, rogue clients, CPU and network utilization, and more.
The Device Knowledgebase
Next, this information is shared with the Armis Device Knowledgebase, a central repository that the company says tracks over 110 million devices. The Knowledgebase incorporates behavioral information (how the device typically communicates, which protocols it uses, normal rates of data transmission) so that Armis can classify each device, assess its risk, and detect when it has been compromised. “The Device Knowledgebase,” said Michael Parker, CMO at Armis, during a recent call, "is the key to our success. It characterizes a device to the level of what it is and what it should be doing, with far greater granularity than anything that has ever been developed.”
The Knowledgebase first allows Armis to generate a hardware and software inventory of everything on the network or in the nearby airspace. The old saying “you can’t secure what you can’t see” applies here. Armis then assigns each device a risk score that takes into account any CVEs associated with the device. All of this is done without installing an agent and without active network scanning, which can disrupt the normal functioning of certain types of IoT devices.
Finally, Armis’ threat detection engine uses the Knowledgebase as a set of “known good” device behaviors. The platform alerts administrators whenever a device deviates from that baseline, or it can natively enforce policy by automatically disconnecting a suspicious device or quarantining it for further inspection. Notably, Armis integrates with established technology partners so enforcement can also occur through the customer’s existing firewall or NAC, keeping controls like network segmentation and encryption in place. Similarly, alerts can be forwarded to the customer’s SIEM or ticketing system so that operators don’t need to continuously check yet another vendor dashboard, saving the customer time and effort.
All in all, the marketing team presented a solid briefing, highlighting the common use cases of asset inventory and visibility, threat detection, and incident response. But the key here is really scalability and control at the access layer. As more and more IoT devices are added to corporate environments, whether sanctioned by IT and security teams or not, and as device types proliferate through use cases for “connected everything,” the most scalable way to manage the attack surface is through behavioral profiling. If a platform can identify every communication request, the device making it, what it is trying to talk to, and whether that behavior is normal for that kind of device, organizations will have a better chance at reducing risk and preventing security incidents.
The traditional device vulnerability management space has become crowded, but Armis focuses on securing the untraditional endpoints that appear with every new IoT device type. The company can point to an impressive customer base and the backing of leading investors, which suggests they’ll be around to innovate as the IoT landscape continues to expand.
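To make the behavioral-profiling idea concrete, here is a small added example of the kind of "known good" baseline check the two preceding paragraphs describe. It is illustration code written for this article, not Armis code: the device classes, the OUI-to-class mapping, the per-class baselines, and the flow records are all constructed for the example. Each device class gets a profile of the ports, destination classes, and outbound volume it is expected to use; passively observed flows are then judged against the profile for the device's class, and anything outside it, or any device with no baseline at all, is flagged.

```python
"""Behavioral profiling of unmanaged devices against a "known good" baseline.

Added example: per-device-class profiles describe what a device should be
doing (ports, destination classes, outbound volume); passively observed
flow records are checked against the profile for the device's class and
anything outside it is flagged. Profiles, OUI prefixes and flows are all
constructed for the example and are not Armis data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    allowed_ports: frozenset      # destination ports the class normally uses
    allowed_dst: frozenset        # destination classes: 'lan', 'vendor_cloud', 'internet'
    max_bytes_per_min: int        # normal ceiling on outbound volume per minute


# Hypothetical baselines for three device classes (constructed for the example)
PROFILES = {
    "smart_tv": Profile(frozenset({443, 8008, 1900}), frozenset({"lan", "vendor_cloud"}), 50_000_000),
    "ip_camera": Profile(frozenset({443, 554}), frozenset({"lan", "vendor_cloud"}), 20_000_000),
    "hvac_controller": Profile(frozenset({443, 47808}), frozenset({"lan"}), 1_000_000),
}

# Hypothetical OUI (first three MAC octets) to device class mapping (constructed)
OUI_CLASS = {"aa:bb:01": "smart_tv", "aa:bb:02": "ip_camera", "aa:bb:03": "hvac_controller"}


@dataclass(frozen=True)
class Flow:
    minute: int      # observation window
    src_mac: str
    dst: str         # destination class as labelled by the collector
    proto: str       # 'tcp' or 'udp'
    dport: int
    bytes_out: int


def classify(mac: str) -> str:
    """Fingerprint by OUI only; real classifiers also use DHCP, mDNS, TLS, etc."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")


def detect(flows):
    """Return sorted (minute, mac, reason) tuples for flows that leave the baseline."""
    alerts = set()                     # set, so repeated flows raise one alert per reason
    volume = defaultdict(int)          # (mac, minute) -> outbound bytes
    for f in flows:
        cls = classify(f.src_mac)
        if cls == "unknown":
            # No baseline exists, so the device cannot be judged; surface it for inventory
            alerts.add((f.minute, f.src_mac, "unclassified device observed"))
            continue
        p = PROFILES[cls]
        if f.dport not in p.allowed_ports:
            alerts.add((f.minute, f.src_mac, f"{cls} used unexpected port {f.proto}/{f.dport}"))
        if f.dst not in p.allowed_dst:
            alerts.add((f.minute, f.src_mac, f"{cls} reached disallowed destination class '{f.dst}'"))
        volume[(f.src_mac, f.minute)] += f.bytes_out
    # Volume is judged per window, not per flow, so a burst split across flows is still caught
    for (mac, minute), total in volume.items():
        cls = classify(mac)
        limit = PROFILES[cls].max_bytes_per_min
        if total > limit:
            alerts.add((minute, mac, f"{cls} exceeded volume baseline: {total} > {limit} bytes/min"))
    return sorted(alerts)


# Constructed sample flows: a normal TV session, the same TV attempting SSH to an
# internal host, a normal camera stream, an HVAC controller pushing data to the
# internet in two bursts, and a device with no baseline at all.
SAMPLE_FLOWS = [
    Flow(1, "aa:bb:01:00:00:01", "vendor_cloud", "tcp", 443, 2_000_000),
    Flow(1, "aa:bb:01:00:00:01", "lan", "tcp", 22, 4_000),
    Flow(1, "aa:bb:02:00:00:07", "lan", "tcp", 554, 15_000_000),
    Flow(2, "aa:bb:03:00:00:09", "internet", "tcp", 443, 600_000),
    Flow(2, "aa:bb:03:00:00:09", "internet", "tcp", 443, 600_000),
    Flow(2, "de:ad:be:ef:00:01", "internet", "udp", 53, 500),
]


def run_example():
    return detect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for minute, mac, reason in run_example():
        print(f"t={minute} {mac}: {reason}")
```

Running the script flags four conditions: the smart TV's SSH attempt, the HVAC controller reaching the internet at all, the HVAC controller's combined volume exceeding its baseline, and the device with no baseline. Note what it does not flag: the camera streaming 15 MB over RTSP to the LAN, which would look alarming under a one-size-fits-all threshold but is normal for that class. That per-class judgement is the point of profiling by device type rather than by IP address.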