Unlike IT assets that are generally multi-purpose hardware, IoT devices are purpose-built systems. These devices are designed to perform a few tasks on a very repetitive basis, and the Device Security solution provides deep visibility into normal and suspicious network behaviors.

Each IoT device exhibits unique characteristics on the network. When an unknown device joins the network, one or more Palo Alto Networks firewalls log its network traffic and then send the logs to the logging service. These logs include session logs, containing metadata about traffic flow, and enhanced application logs, containing data from packet payloads. Device Security accesses the data from the logging service and uses its advanced machine-learning algorithms and three-tier profiling system to analyze network behaviors and form a baseline for the device. It then compares that baseline with the behaviors of other known devices. By doing so, it determines the unique personality of the device and creates a profile for it consisting of device type, category, vendor, model, operating system, and many more. Device Security automatically builds a behavioral profile for the device, including a baseline of acceptable behaviors and communication patterns with other devices.

Device Security continuously learns and maintains a rolling baseline of device behaviors. The time required for building an initial profile depends on several factors:

The devices that Device Security discovers on the network and identifies appear on the Devices page in the Device Security portal.