Discover IoT Devices and Take Inventory

Device Security uses machine learning to analyze network traffic data and identify IoT devices.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
Unlike IT assets that are generally multi-purpose hardware, IoT devices are purpose-built systems. These devices are designed to perform a few tasks on a very repetitive basis, and the Device Security solution provides deep visibility into normal and suspicious network behaviors.
Each IoT device exhibits unique characteristics on the network. When an unknown device joins the network, one or more Palo Alto Networks firewalls log its network traffic and then send the logs to the logging service. These logs include session logs, containing metadata about traffic flow, and enhanced application logs, containing data from packet payloads. Device Security accesses the data from the logging service and uses its advanced machine-learning algorithms and three-tier profiling system to analyze network behaviors and form a baseline for the device. It then compares that baseline with the behaviors of other known devices. By doing so, it determines the unique personality of the device and creates a profile for it consisting of device type, category, vendor, model, operating system, and many other attributes. Device Security automatically builds a behavioral profile for the device, including a baseline of acceptable behaviors and communication patterns with other devices.
Device Security continuously learns and maintains a rolling baseline of device behaviors. The time required for building an initial profile depends on several factors:
  • How active are the devices on the network? Device Security can profile a device that produces a lot of traffic faster than a device that produces little, because it has more data to analyze.
  • How many devices of the same type are there on the network? The more devices of the same type there are, the faster the profiling works, because it can aggregate knowledge learned from multiple devices simultaneously.
  • How complicated is the behavior of an individual device? For example, Device Security learns the behavior of a network-connected thermostat much faster than that of a surgical robot in a hospital.
The devices that Device Security discovers on the network and identifies appear on the Devices page in the Device Security portal.
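The baseline-and-compare idea described above can be sketched in a few lines. This is an added illustration, not Palo Alto Networks code and not the product's algorithm: it swaps the machine-learning models for a simple set-overlap (Jaccard) score, and the log fields, reference profiles and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed session records: (device MAC, protocol, destination port, application).
# Field layout and values are invented for this sketch, not a real firewall log schema.
SESSION_LOGS = (
    [("aa:00:00:00:00:01", "tcp", 443, "ssl")] * 3
    + [("aa:00:00:00:00:01", "udp", 123, "ntp")] * 2
    + [("aa:00:00:00:00:01", "udp", 53, "dns")]
    + [("aa:00:00:00:00:02", "tcp", 554, "rtsp")] * 2
    + [("aa:00:00:00:00:02", "udp", 123, "ntp"), ("aa:00:00:00:00:02", "udp", 53, "dns"),
       ("aa:00:00:00:00:02", "tcp", 80, "web-browsing"), ("aa:00:00:00:00:02", "tcp", 23, "telnet")]
    + [("aa:00:00:00:00:03", "udp", 53, "dns")] * 2  # quiet device: only two sessions
)

# Hypothetical reference profiles: behaviors expected from known device types.
KNOWN_PROFILES = {
    "thermostat": {("tcp", 443, "ssl"), ("udp", 123, "ntp"), ("udp", 53, "dns")},
    "ip-camera": {("tcp", 554, "rtsp"), ("udp", 123, "ntp"), ("udp", 53, "dns"),
                  ("tcp", 80, "web-browsing")},
}
MIN_SESSIONS = 5  # assumed: below this there is too little traffic to profile
MIN_SCORE = 0.6   # assumed: minimum similarity needed to accept a match

def build_baselines(logs):
    """Group sessions per device into observed behaviors and a session count."""
    behaviors, counts = defaultdict(set), defaultdict(int)
    for mac, proto, port, app in logs:
        behaviors[mac].add((proto, port, app))
        counts[mac] += 1
    return behaviors, counts

def jaccard(a, b):
    """Overlap between two behavior sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def classify(mac, behaviors, counts):
    """Return (device_type, score); no type is guessed when the evidence is thin."""
    if counts[mac] < MIN_SESSIONS:
        return "insufficient-data", 0.0
    scored = [(name, jaccard(behaviors[mac], prof)) for name, prof in KNOWN_PROFILES.items()]
    name, score = max(scored, key=lambda item: item[1])
    return (name, score) if score >= MIN_SCORE else ("unknown", score)

def deviations(mac, device_type, behaviors):
    """Behaviors seen from the device that fall outside its matched profile."""
    return behaviors[mac] - KNOWN_PROFILES[device_type]

if __name__ == "__main__":
    behaviors, counts = build_baselines(SESSION_LOGS)
    for mac in sorted(behaviors):
        print(mac, classify(mac, behaviors, counts))
```

The third device stays unclassified because it has produced too few sessions, which mirrors the first factor in the list above; the second device matches the camera profile, and `deviations` reports its Telnet session as behavior outside that profile's baseline.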