: IoT Security Solution Structure
Focus
Focus

IoT Security Solution Structure

Table of Contents

IoT Security
Solution Structure

The
IoT Security
solution involves multiple components working together to discover, classify, and secure IoT devices on your network.
Using AI and machine learning,
IoT Security
automatically discovers and identifies all network-connected devices and constructs a data-rich, dynamically updating inventory. In addition to identifying IoT devices and IT devices (laptops and servers for example),
IoT Security
provides deep visibility into network behaviors, establishing what’s normal and discerning what’s suspicious. When it detects a device vulnerability or anomalous behavior posing a threat,
IoT Security
notifies administrators, who can then take action to investigate and remediate the issue.
To accomplish all this, the cloud-based
IoT Security
app works with Palo Alto Networks next-generation firewalls, logging service, and update server, and optionally with Panorama and integrated third-party products. These elements of the
IoT Security
solution collaborate to carry out the following tasks:
  • Firewalls with
    IoT Security
    subscriptions collect information about network traffic and forward their logs to the logging service, which streams metadata to
    IoT Security
    for analysis.
  • The update server provides firewalls and Panorama with a regularly updated device dictionary file of device attributes (profile, vendor, category, and so on) that Security policy rules use for device identification, or
    Device-ID
    .
  • IoT Security
    recommends Security policy rules based on Device-ID to firewalls. When Panorama provides centralized firewall management,
    IoT Security
    works through it to recommend Security policy rules to managed firewalls. When Panorama is not in use,
    IoT Security
    interacts directly with firewalls.
  • IoT Security
    maps IP addresses to devices and notifies firewalls of their corresponding device attributes so they can enforce Device-ID-based Security policy rules that reference attributes in IP address-to-device mappings.
With a third-party integrations add-on license for your
IoT Security
account, you are able to expand
IoT Security
capabilities to include product-specific features and those of the integrated products to include IoT.
Learn about the major components that constitute the
IoT Security
solution:

1 - Device Data Collection

For
IoT Security
to identify IoT devices and establish a baseline of their acceptable network behaviors, it needs to analyze their network activity. That’s where next-generation firewalls come in. They log network traffic to which they apply Security policy rules and then forward logs to the logging service where
IoT Security
accesses them. Depending on whether your
IoT Security
subscription includes data storage, the logging service either streams metadata to your
IoT Security
account and
Cortex Data Lake
instance or just to your
IoT Security
account.
Detailed Instructions

2 - Data Analysis

IoT Security
uses AI and machine-learning algorithms to analyze numerous aspects of the network behavior of a device and classify it within three levels or tiers. At the broadest tier,
IoT Security
identifies behavioral similarities that enable its algorithms to assign a device to a device category, such as security camera, even if it doesn’t yet know the exact vendor and model. At the next tier,
IoT Security
gathers more granular behavioral attributes shared by certain vendors and models of security cameras to assign it a device profile. At the third tier, the algorithms create a model of unique behaviors for this individual security camera, such as its usage pattern.
In addition to device identification,
IoT Security
applies proprietary and supplemental machine-learning technologies to threat detection. It automatically detects device vulnerabilities and notifies
IoT Security
administrators. It also detects anomalous network behavior indicative of attack or reconnaissance and generates security alerts.
Detailed Instructions

3 - IoT Device Protection

IoT Security
coordinates with next-generation firewalls to recommend Security policy rules for IoT device traffic. After identifying devices and establishing a baseline of acceptable network behavior,
IoT Security
automatically generates recommended Security policy rules for device profiles based on the network behavior it observes. Panorama or firewall administrators then import the recommendations to Panorama or directly to firewalls where they decide which ones to add to their policy set.
Firewalls and Panorama must have a list of device profiles or other device attributes for Device-ID-based Security policy rules. This list is provided as a device dictionary file from the update server, which firewalls and Panorama check regularly for updates to download.
So that firewalls apply imported Device-ID-based rules appropriately,
IoT Security
continually sends the firewall IP address-to-device mappings, which include the profile and other attributes of all devices monitored and protected by
IoT Security
.
IoT Security
also integrates with Prisma Access to identify and secure devices.
Detailed Instructions

4 - Third-party Integrations

In addition to protecting IoT devices by coordinating with next-generation firewalls,
IoT Security
also integrates with third-party products to do the following:
  • Increase device inventory and enrich device context—sometimes for
    IoT Security
    and sometimes for the integrated third-party product
  • Broaden the coverage of specific features in integrated products to include IoT
  • Expand the capabilities of
    IoT Security
    ; for example, through integrations that allow you to do vulnerability scanning, quarantine devices with critical vulnerabilities or security alerts, and apply access control lists (ACLs) to IoT devices
IoT Security
integrates with other products through a third-party integrations add-on, which is based on a
Cortex XSOAR
module.
Detailed Instructions

5 - Using Prisma Access instead of Next-generation Firewalls

When using
IoT Security
with Prisma Access, the process for collecting device data is similar to the previous description of data collection except that you substitute Prisma Access for firewalls. In addition,
IoT Security
can coordinate with Prisma SD-WAN ION devices to collect data at branch sites. When Prisma Access and SD-WAN forward data logs to the logging service,
Cortex Data Lake
must be used.
IoT Security
sends Security policy rule recommendations through Panorama to Prisma Access. It sends IP address-to-device mappings to Prisma Access directly. Likewise, the update server sends device dictionary updates directly to Prisma Access as well as to Panorama.
Detailed Instructions

Recommended For You