IoT Device Applications Discovery
IoT Security uses machine learning to discover the applications
that IoT devices on your network use.
Knowing which applications your network-connected
IoT devices use and how many devices use them can prove useful,
especially when defending against a potential threat. For example,
if you know a widely used application was recently compromised,
you can check which devices use it and respond in proportion to
how critical the application is. If it’s non-essential for business,
you can create policy recommendations for firewalls to block that application.
If it is essential and there is a new version, you can assign operations
the task to upgrade all devices that use it. And if it is essential
and there isn’t a new version yet, segment all devices that use
it and restrict access to them only to people and resources that
are necessary for them to function. Having visibility into the applications
on your network allows you to take swift action to safeguard your
assets when danger threatens.
On the Networks > Applications page, IoT Security displays all the applications that have been
spotted in use by the IoT devices on your network.
The Applications page shows the total number of unique applications detected for IoT devices
matching the site and time-range filters set at the top of the page.
The IoT Security portal disregards the device-type filter on this page and
always shows applications for "All IoT" devices, as indicated by the blue icon at
the top of the page.
Although IoT Security displays devices and networks as soon as it discovers and
identifies them, it collects data about detected applications over the course of a day
and then compiles a list. It then displays that list on the Applications page until it
compiles the next daily list of applications detected on the network. When you start
using IoT Security, you might notice that it begins showing data on the Devices
and Networks page before showing anything on the Applications page. This can happen
because IoT Security hasn't generated a list of applications yet. After it does,
it will continue doing that every day thereafter.
If you set the time-range filter for 1 Day, 1
Week, or 1 Month, the Applications
page shows numbers for the time range you set. However, because
IoT Security organizes the applications it detects into daily lists,
the time-range filter for 1 Hour shows the
same set of unique applications as 1 Day,
which is the smallest list of applications you can see. In addition,
IoT Security doesn’t maintain application details for more than
a month. Therefore, the time-range filter for 1 Year shows the
same set of unique applications as 1 Month,
which is the largest list of applications you can see.
IoT Security provides data from Applipedia about each of the applications it
monitors. When a new application appears, you can use this data to determine if it's
expected or not and also to see the level of risk it introduces to your network. For
example, the following shows the application description, characteristics, and security
information that IoT Security retrieves from Applipedia for DNS:
Here's the same information about DNS presented in Applipedia:
The following summarizes the different characteristics and types
of security information that IoT Security retrieves from Applipedia
and displays for each application.
Application Characteristics

| Characteristic | Description |
|---|---|
| Category | A broad application type to which an individual application belongs |
| Subcategory | A more specific application type for an individual application |
| Risk Level | The level of risk that’s inherent in an application as determined by the characteristics listed in the next table, on a scale of increasing risk from 1 to 5 |
| Standard Ports | The protocol and standard service port numbers that the application uses |
| Technology | How an application functions: network-protocol, client-server, peer-to-peer, or browser-based |

Application Security Information

| Characteristic | Description |
|---|---|
| Evasive | Yes = The application uses a port or protocol for something other than its originally intended purpose with the intention of evading firewall policy enforcement. |
| Excessive Bandwidth | Yes = The application consumes at least 1 Mbps on a regular basis through normal use. |
| Prone to Misuse | Yes = The application is often used for nefarious purposes or is easily set up to expose more than the user intended. |
| Capable of File Transfer | Yes = The application has the capability to transfer a file from one system to another over a network. |
| Tunnels Other Applications | Yes = The application can transport other applications inside its protocol. |
| Used by Malware | Yes = Malware has been known to use the application for propagation, attack, or data theft, or the application has been distributed with malware. |
| Has Known Vulnerabilities | Yes = The application has at least one publicly reported vulnerability. (Web-based applications are always set to Yes because HTTP always has vulnerabilities.) |
| Widely Used | Yes = The application likely has more than 1,000,000 users. |
| SaaS | Yes = The application is cloud based and provided through Software as a Service (SaaS). No = The application is hosted on premises. |
Many of these explanations come from the KB article "How to Determine Risk Level
of Application, Spyware, and Anti-Virus". There you
can read more about the information that Applipedia provides and
how risk scores are calculated.
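As an added example (not IoT Security's own code or scoring), the following Python takes two consecutive daily application lists, ranks the newly seen applications by the Applipedia characteristics shown above, and applies the block/upgrade/segment decision described at the start of this page. The application inventory, device IDs and scoring weights are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppInfo:
    """Applipedia-style attributes for one discovered application (constructed sample)."""
    name: str
    risk_level: int                   # Applipedia scale: 1 (lowest) to 5 (highest)
    used_by_malware: bool = False
    has_known_vulns: bool = False
    evasive: bool = False
    tunnels_other_apps: bool = False
    devices: frozenset = frozenset()  # IDs of IoT devices seen using the application


def risk_score(app: AppInfo) -> int:
    """Rank an application by its Applipedia risk level, its security flags and how
    many devices use it. The weights are an assumption made for this example."""
    flags = (app.used_by_malware, app.has_known_vulns, app.evasive, app.tunnels_other_apps)
    return app.risk_level * 10 + 5 * sum(flags) + len(app.devices)


def new_applications(today: dict, yesterday: dict) -> list:
    """Applications in today's daily list that were absent from yesterday's,
    highest risk first, so newly seen applications are reviewed in order."""
    added = [today[name] for name in today if name not in yesterday]
    return sorted(added, key=risk_score, reverse=True)


def recommend_action(app: AppInfo, essential: bool, upgrade_available: bool) -> str:
    """The response the page describes once an application in use is known to be
    compromised: block if non-essential, upgrade if a fix exists, otherwise segment."""
    n = len(app.devices)
    if not essential:
        return f"block: recommend a firewall policy blocking {app.name}"
    if upgrade_available:
        return f"upgrade: task operations to upgrade {n} devices using {app.name}"
    return f"segment: isolate {n} devices using {app.name} and restrict access to them"


# Constructed daily lists standing in for two consecutive compilations by IoT Security.
YESTERDAY = {
    "dns": AppInfo("dns", 4, has_known_vulns=True, tunnels_other_apps=True,
                   devices=frozenset({"cam-1", "cam-2", "hvac-1"})),
    "ntp": AppInfo("ntp", 2, has_known_vulns=True, devices=frozenset({"cam-1", "hvac-1"})),
}
TODAY = dict(YESTERDAY, **{
    "telnet": AppInfo("telnet", 4, used_by_malware=True, has_known_vulns=True,
                      devices=frozenset({"cam-1", "cam-2", "cam-3"})),
    "mqtt": AppInfo("mqtt", 3, has_known_vulns=True, devices=frozenset({"sensor-7"})),
})

if __name__ == "__main__":
    for app in new_applications(TODAY, YESTERDAY):
        print(app.name, risk_score(app), sorted(app.devices))
        print("  ", recommend_action(app, essential=(app.name == "mqtt"), upgrade_available=False))
```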
To see data from Applipedia about applications on the Applications
page, either click or hover your cursor over an application name
to view a pop-up with information about the application taken directly
from Applipedia.
In addition, use the column picker to show information from Applipedia
in columns on the Applications page.
Click a number in the Number of Devices column to open the Devices page with
a filter applied to show only devices that use the corresponding
application.
Clicking or hovering your cursor over the blue text of an entry
in the Profiles column displays a list of all profiles that use
that application.