IoT/OT Blind Spots Across Your Network

At present, hundreds of millions of IoT/OT devices are in use, and that number continues to rise as organizations increasingly adopt such devices to improve productivity, insight and real-time decision making. Unfortunately, IoT/OT devices are particularly at risk to external and internal cyberthreats due to a lack of device patching and overall visibility and contextual understanding across networks. This makes IoT profiling quite difficult.

The healthcare, hospitality and manufacturing sectors are especially vulnerable due to their heavy reliance on ultrasound machines, avionics, building automation, VoIP, medical devices, printers, computers, networking equipment and energy and power infrastructure. To close this IoT/OT device visibility gap, Portnox CLEAR is introducing its IoT/OT Visibility Add-On, which enables organizations to see, profile and classify all IoT/OT devices on the network without an agent.

IoT Profiling in CLEAR: How it Works

Portnox CLEAR utilizes several methods and leverages multiple data points to actively and passively identify, profile and classify IoT/OT devices across enterprise networks, delivering detailed device profile data that takes into account device families, types, models and vendors.

With the IoT/OT Visibility Add-On, Portnox CLEAR can continuously discovers all IP-connected devices without requiring agents, the instant they enter your network. the add-on provides in-depth visibility into those devices using a combination of active and passive discovery, profiling and classification techniques.

IoT Profiling Capabilities with CLEAR

• Device Discover – Automatically discover IoT/OT devices without needing to install yet another third-party agent across managed devices.
• Device Profiling – Classify IoT/OT devices based on type, like MRI machines, printers, sensors and beyond.
• Device Type Enforcement – Continuously monitor IoT/OT devices and enforce network segmentation and access policy based on device type.

IoT Profiling Advantages with CLEAR

• Cloud Delivery – Portnox CLEAR leverages a central cloud database that utilizes crowdsourcing and machine learning to deliver better device predictability.
• Microsegmentation – Automatically segment groups and enforce unique policies to reduce the network attack surface, improve breach containment and strengthen regulatory compliance.
• Access Control – Define and enforce access control policies based on IoT/OT device types.
• Complete Asset Management – Be able to report on and visualize in real-time the device types, locations and level of access for every IoT/OT on the network.

Old-time marathon winner and runner Bill Rodgers once made the comment that, “Every race is totally different.” And if this is true in the relatively predictable world of marathon running, it is even more accurate in the race against cyberterrorism, where – whether we like it or not – each day brings with it unforeseen challenges that threaten the integrity of the network.

The question is how best to approach network protection successfully despite the ongoing development of unexpected threats. The truth is that throughout 2016, we’ve had more than ample opportunity to consider this question. From the involvement of hackers in the U.S. elections to the IoT DDoS attacks of October 21, last year saw some shocking stories of breaches. With all of that behind us, 2017 is not a moment too early to take stock, explore the options – and perhaps, go back to the basics and adopt some old-new security strategies that provide greater visibility, improved resilience, increased automation, and better security.

An Unfortunate Side of “Things”

The distributed infrastructures of today’s networks make businesses more vulnerable to attacks, with IoT and BYOD adding a huge degree of complexity. The threat is simply greater – so much so that, according to Gartner (as quoted on TechCrunch here), the security market is predicted to grow to the whopping size of $120 billion by 2020.
As pointed out in the eBook, The Top 5 Misconception of IoT Network and Device Security, IoT devices represent the weakest link of today’s corporate network. To make matters worse, because most users are unaware of the threat, most devices are not even set up securely. (to learn more, read the eBook preview here.)

Because Seeing is Believing

Part of why IoT and BYOD have changed the situation so drastically is that new devices (both managed and unmanaged) are constantly being connected. Any device connected to the network can potentially function as a gateway into your infrastructure.

It has become all too common for there to be a “disconnect” between the number of devices the average IT administrator thinks is attached to the network, and how many devices are actually there. Shockingly, it is not unusual for the disparity to be as high as 20-30 percent.

In approaching the protection of any network, visibility is key – because you cannot protect what you cannot see.

An Innovative Approach to Today’s Security Challenges

A Next-Gen network visibility and access control management solution such as Portnox CLEAR continues to provide ongoing and comprehensive protection against hackers. With Portnox CLEAR, an organization can be hermetically covered, and IT and CISOs regain the visibility and continuous risk assessment they need.
Portnox CLEAR gives you 100% visibility of all devices, including managed and unmanaged devices. With this comes greater control and security, and the ability to develop new strategies – particularly, segmentation of IoT devices, so that they only access a limited part of the network.

The Need for Speed

Portnox CLEAR handles the complexity of today’s networks through Continuous Risk Analysis (CRA), which provides more flexibility than the approach of a one-time “grant or deny.” CRA is built to provide protection in a reality that involves a broad range of devices as well as “anytime, anywhere” connectivity.
CRA is a response to the need to act fast in the geo-distributed mobile workforce of BYOD and IoT. Replacing the old tactic of periodically scanning, CRA provides a real-time approach to network admission control that allows you to continually assess endpoint risks to the network.

Putting It All in Context

Portnox CLEAR also offers an unprecedented degree of context awareness, monitoring changes in hundreds of parameters and correlating multiple context attributes. This provides an adaptive and more analytic approach to risk determination, and facilitates the development of security assessments that are much more comprehensive – taking into account considerations such as time, network location, user identity, and scenario.
Context awareness is particularly significant to today’s cybersecurity because it facilitates the discovery of anomalies – both as relate to device behavior, and as relate to the status of the network.

100% Visibility and Real-Time Access Control

Portnox CLEAR offers ongoing network visibility and access management control so that you can keep your network safe, with real-time risk assessment that mitigates the cybersecurity threats.
As a cloud-based endpoint security management solution with context-aware security assessment capabilities, Portnox CLEAR is up to the challenge of optimally protecting the security of your network.

All Hail, SASE!

SASE, pronounced “sassy”, stands for Secure Access Service Edge. It is a cloud-based network security model and category, proposed by Gartner in 2019. This model includes the network security solutions in a global and cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective, and scalable way. This is especially useful in the currently globally dispersed digital enterprise.

According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling/mobile team members can connect on the go.

SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, where typically branch locations are more vulnerable to attack.

The Fundamentals of Secure Access Service Edge

According to Gartner, cloud-centric digital business, users, devices, and the networked capabilities they require secure access to are everywhere, and what security and risk professionals in a digital enterprise needs is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where to connect entities to the networked capabilities they need access to.

Implementing a SASE architecture would benefit enterprises by providing:

• Lower costs and complexity – Network Security as a Service should come from a single vendor. Consolidating vendors and technology stacks should reduce cost and complexity.
• Agility – Enable new digital business scenarios (apps, services, APIs), and data shareable to partners and contractors with less risk exposure.
• Better performance/latency – latency-optimized routing.
• Ease of use/transparency – Fewer agents per device; less agent and app bloat; consistent applicate experience anywhere, any device. Less operational overhead by updating for new threats and policies without new HW or SW; quicker adoption of new capabilities.
• Enable ZTNA – Network access based on identity of user, device, application – not IP address or physical location for seamless protection on and off the network; end-to-end encryption. Extended to endpoint with public Wi-Fi protection by tunneling to the nearest Point of Presence (POP).
• More effective network and network security staff – Shift to strategic projects like mapping business, regulatory, and application access requirements to SASE capabilities.
• Centralized policy with local enforcement – Cloud-based centralized management with distributed enforcement and decision making.

SASE & Network Access Control

In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses.

The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and on-going maintenance. Now, all that’s needed to control network access at branches and the headquarters alike, is an internet connection.

New Jersey-based Schuman Cheese has a long, storied history of delivering world-class cheese products to the U.S. market. Operating across several facilities in New Jersey, Illinois, Wisconsin and California, the company maintains a workforce of more than 400, with revenues topping $500 million annually.

A Deep Dive with Portnox CORE

About four years ago, Schuman Cheese went out in search of a network access control (NAC) solution to help the company manage network access across its many wired ports. Lead by IT Infrastructure Administrator, Andrew Sayegh, Schuman Cheese came across Portnox CORE while conducting research online, and determined the platform was worth pursuing. “We initially had a demo, then did a proof of concept, which was very easy to get up and running,” Sayegh went on to say. “We found that the visibility that Portnox CORE gave us for each port in use across the company was unparalleled. We really loved the platform off the bat.”

We found that the visibility that Portnox CORE gave us for each port in use across the company was unparalleled. We really loved the platform off the bat. – Andrew Sayegh, IT Infrastructure Administrator @ Schuman Cheese

Assessing NAC Alternatives like Cisco ISE

Simultaneously, Sayegh and his team were investigating Cisco’s Identity Services Engine (ISE), a legacy onpremise NAC solution. “I had previous experience with ISE, but I still needed another engineer to help me configure and implement it. Had I done it alone, it would’ve taken me a full week or more to complete,” said Sayegh.

After some time using with ISE and comparing it to Portnox CORE, Sayegh and his team felt the choice was obvious. “If ISE ever went down, we wouldn’t know how to fix it on fly. We’d have to find a temporary solution to allow people to reconnect to WiFi and wired ports. It was just always a struggle, especially with over 200 people connecting to our wireless network everyday.”

Closing the WiFi Security Gap Where ISE Fell Short

More recently, years after selecting to deploy Portnox CORE across the company’s wired network, Sayegh and the Schuman Cheese IT security team set their sites on trying to rectify lingering access control issues related to ISE across its wireless network.

“We conducted a test of Portnox CLEAR – your cloud NAC service – for access control across our WiFi environment. It took literally ten minutes to set up with the help of Portnox’s support engineer,” Sayegh continued. “It was just so easy to use out of the gate.”

The Pandemic & Cloud Adoption

“Since we’re a food manufacturer, we still needed to have people in our facilities and warehouses on site during the pandemic. These folks would need to be able to connect to WiFi primarily,” said Sayegh. “The implementation of Portnox CLEAR for WiFi gave us much needed access control that was flexible and easy to enforce during this period of uncertainty.”

Despite the challenges posed by the pandemic, Sayegh and his team continued a campaign of cloud adoption when it came to new security tools – of which Portnox CLEAR fit in well. “We are making a real push to adopt cloud-based tools – that was a major factor in us bringing in CLEAR to support our access control policies across WiFi alongside CORE for wired,” Sayegh stated.

The hybrid use of CORE (on-premise) with CLEAR (cloud-delivered) for network access control has been exceptionally effective for Schuman Cheese, especially now as employees return to the office post-pandemic and increased wired network usage surges alongside continued WiFi reliance. Sayegh concluded: “It’s been very easy to work across both NAC solutions to enforce our network access control policies and keep the network secure.