IoT Device Applications Discovery

IoT Security uses machine learning to discover the applications that IoT devices on your network use.
Knowing which applications your network-connected IoT devices use and how many devices use them can prove useful, especially when defending against a potential threat. For example, if you know a widely used application was recently compromised, you can check which devices use it and respond in proportion to how critical the application is. If it’s non-essential for business, you can create policy recommendations for firewalls to block that application. If it is essential and there is a new version, you can assign operations the task to upgrade all devices that use it. And if it is essential and there isn’t a new version yet, segment all devices that use it and restrict access to them only to people and resources that are necessary for them to function. Having visibility into the applications on your network allows you to take swift action to safeguard your assets when danger threatens.
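The response logic described above can be sketched as a small triage helper. This is an added example, not part of IoT Security or its API; the inventory layout, device names, profile names, and every application name other than dns are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    profile: str
    applications: frozenset

# Constructed sample inventory; the fields are assumptions, not an IoT Security export format.
INVENTORY = [
    Device("cam-lobby-01", "IP Camera", frozenset({"dns", "rtsp", "ntp"})),
    Device("cam-dock-02", "IP Camera", frozenset({"dns", "rtsp"})),
    Device("pump-icu-07", "Infusion Pump", frozenset({"dns", "hl7"})),
    Device("printer-3f", "Printer", frozenset({"dns", "ipp", "ftp"})),
]

def devices_using(app, inventory):
    """Return {profile: [device names]} for the devices that use `app`."""
    by_profile = defaultdict(list)
    for dev in inventory:
        if app in dev.applications:
            by_profile[dev.profile].append(dev.name)
    return {p: sorted(names) for p, names in sorted(by_profile.items())}

def choose_response(essential, fixed_version_available):
    """Map the two questions from the text to one of its three responses."""
    if not essential:
        return "block"      # non-essential: recommend a firewall policy that blocks it
    if fixed_version_available:
        return "upgrade"    # essential and a new version exists: upgrade every user
    return "segment"        # essential, no new version yet: segment and restrict access

def plan(app, essential, fixed_version_available, inventory=INVENTORY):
    """Build the response plan for a compromised application."""
    affected = devices_using(app, inventory)
    count = sum(len(names) for names in affected.values())
    # With no devices using the application there is nothing to act on.
    action = choose_response(essential, fixed_version_available) if count else "none"
    return {"application": app, "action": action,
            "device_count": count, "affected": affected}

if __name__ == "__main__":
    print(plan("rtsp", essential=True, fixed_version_available=False))
```

Grouping the affected devices by profile keeps the output aligned with how the Applications page reports usage (a device count plus the profiles that use the application).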
On the Networks > Applications page, IoT Security displays all the applications that have been spotted in use by the IoT devices on your network.
The Applications page shows the total number of unique applications detected for IoT devices matching the site and time-range filters set at the top of the page.
The IoT Security portal disregards the device-type filter on this page and always shows applications for "All IoT" devices, as indicated by the blue icon at the top of the page.
Although IoT Security displays devices and networks as soon as it discovers and identifies them, it collects data about detected applications over the course of a day and then compiles a list. It then displays that list on the Applications page until it compiles the next daily list of applications detected on the network. When you start using IoT Security, you might notice that it begins showing data on the Devices and Networks page before showing anything on the Applications page. This happens because IoT Security hasn't generated a list of applications yet. After it does, it generates a new list every day.
If you set the time-range filter for 1 Day, 1 Week, or 1 Month, the Applications page shows numbers for the time range you set. However, because IoT Security organizes the applications it detects into daily lists, the time-range filter for 1 Hour shows the same set of unique applications as 1 Day, which is the smallest list of applications you can see. In addition, IoT Security doesn’t maintain application details for more than a month. Therefore, the time-range filter for 1 Year shows the same set of unique applications as 1 Month, which is the largest list of applications you can see.
IoT Security provides data from Applipedia about each of the applications it monitors. When a new application appears, you can use this data to determine if it's expected or not and also to see the level of risk it introduces to your network. For example, the following shows the application description, characteristics, and security information that IoT Security retrieves from Applipedia for DNS:
Here's the same information about DNS presented in Applipedia:
The following summarizes the different characteristics and types of security information that IoT Security retrieves from Applipedia and displays for each application.

Application Characteristics

Category: A broad application type to which an individual application belongs
Subcategory: A more specific application type for an individual application
Risk Level: The level of risk that’s inherent in an application as determined by the characteristics listed in the next table, on a scale of increasing risk from 1 to 5
Standard Ports: The protocol and standard service port numbers that the application uses
Technology: How an application functions: network-protocol, client-server, peer-to-peer, or browser-based

Application Security Information

Evasive: Yes = The application uses a port or protocol for something other than its originally intended purpose with the intention of evading firewall policy enforcement.
Excessive Bandwidth: Yes = The application consumes at least 1 Mbps on a regular basis through normal use.
Prone to Misuse: Yes = The application is often used for nefarious purposes or is easily set up to expose more than the user intended.
Capable of File Transfer: Yes = The application has the capability to transfer a file from one system to another over a network.
Tunnels Other Applications: Yes = The application can transport other applications inside its protocol.
Used by Malware: Yes = Malware has been known to use the application for propagation, attack, or data theft, or the application has been distributed with malware.
Has Known Vulnerabilities: Yes = The application has at least one publicly reported vulnerability. (Web-based applications are always set to Yes because HTTP always has vulnerabilities.)
Widely Used: Yes = The application likely has more than 1,000,000 users.
SaaS: Yes = The application is cloud based and provided through Software as a Service (SaaS). No = The application is hosted on premises.

Many of these explanations come from the KB article "How to Determine Risk Level of Application, Spyware, and Anti-Virus". There you can read more about the information that Applipedia provides and how risk scores are calculated.
To see data from Applipedia about applications on the Applications page, either click or hover your cursor over an application name to view a pop-up with information about the application taken directly from Applipedia.
In addition, use the column picker to show information from Applipedia in columns on the Applications page.
Click a number in the Number of Devices column to open the Devices page with a filter applied to show only devices that use the corresponding application.
Clicking or hovering your cursor over the blue text of an entry in the Profiles column displays a list of all profiles that use that application.