Discover IoT Devices and Take Inventory
Device Security uses machine learning to analyze network
traffic data and identify IoT devices.
Where Can I Use This? | What Do I Need? |
|
One of the following subscriptions:
Device Security subscription for an advanced
Device Security product (Enterprise,
OT, or Medical)
Device Security X subscription
|
Unlike IT assets that are generally multi-purpose
hardware, IoT devices are purpose-built systems. These devices are
designed to perform a few tasks on a very repetitive basis, and
the Device Security solution provides deep visibility into normal and
suspicious network behaviors.
Each IoT device exhibits unique characteristics on the network.
When an unknown device joins the network, one or more Palo Alto
Networks firewalls log its network traffic and then send the logs
to the logging service. These logs include session logs, containing
metadata about traffic flow, and enhanced application logs, containing
data from packet payloads. Device Security accesses the data from the
logging service and uses its advanced machine-learning algorithms
and three-tier profiling system to analyze network behaviors and
form a baseline for the device. It then compares that baseline with
the behaviors of other known devices. By doing
so, it determines the unique personality of the device and creates
a profile for it consisting of device type, category, vendor, model,
operating system, and many more. Device Security automatically builds
a behavioral profile for the device, including a baseline of acceptable
behaviors and communication patterns with other devices.
Device Security continuously learns and maintains a rolling baseline
of device behaviors. The time required for building an initial profile
depends on several factors:
How active are the devices on the network? Device Security
can profile a device that produces a lot of traffic faster than
a device that produces a little because it has more data to analyze.
How many devices of the same type are there on the network?
The more devices of the same type there are the faster the profiling
works because it can aggregate knowledge learned from multiple devices
simultaneously.
How complicated is the behavior of an individual device?
For example, Device Security learns the behavior of a network-connected
thermostat much faster than that of a surgical robot in a hospital.
The devices that Device Security discovers on the network and identifies
appear on the Devices page in the Device Security portal.