Introduction to IoT Security

Learn the basics about the underlying mechanisms and fundamental capabilities of the Palo Alto Networks IoT Security solution.
IoT Security is an on-demand cloud subscription service designed to discover and protect the growing number of connected “things” on your network. Unlike IT devices such as laptop computers that perform a wide variety of tasks, IoT devices tend to be purpose-built with a narrowly defined set of functions. As a result, IoT devices generate unique, identifiable patterns of network behavior. Using machine learning and AI, IoT Security recognizes these behaviors and identifies every device on the network, creating a rich, context-aware inventory that’s dynamically maintained and always up to date.
After it identifies a device and establishes a baseline of its normal network activities, it continues monitoring its network activity so it can detect any unusual behavior indicative of an attack or breach. If it detects such behavior, IoT Security notifies administrators through security alerts in the portal and, depending on each administrator’s notification settings, through email and SMS notifications.
IoT Security also uses those behaviors and device identities to automatically generate security policy recommendations that allow IoT devices to continue doing normal network activities and block them from doing anything unusual. Panorama or next-generation firewalls can then import these policies and enforce them.
Panorama can only import policy recommendations if it has been onboarded to Cortex Data Lake™. Throughout this guide, whenever it says that IoT Security sends something to a firewall, it is assumed that it was either sent directly to the firewall or indirectly through Panorama.
iot-security-dataflow-with-panorama.png
The firewall collects metadata from the network traffic of IoT devices, generates enhanced application logs, and forwards them to Cortex Data Lake. The IoT Security cloud then fetches metadata from these logs for analysis and employs AI and machine-learning algorithms to detect and identify IoT devices using its patented three-tier deep-learning engine:
Tier 1: Device category
—IoT Security first identifies the category to which an IoT device belongs. For example, it might identify network behaviors common to all security cameras.
Tier 2: Device profile
—IoT Security next constructs a profile of the device, learning its vendor, make, and model. For example, it might discover that the camera behaves in ways that uniquely identify it, such as checking a particular server for software updates for example.
Tier 3: Device instance
—IoT Security continues its analysis until it discerns behaviors unique to a specific instance of the identified security camera.
3-tier-deep-learning-engine.png
IoT Security looks at over 200 parameters in network traffic metadata, including DHCP option 55 parameter lists, HTTP user agent IDs, protocols, protocol headers, and a host of others. It matches the network traffic patterns of new devices with those of previously identified devices to identify the same types or similar types of devices, even those it is encountering for the first time.
Depending on various factors such as how much network traffic IoT devices generate and how varied their behavior patterns are, IoT Security typically identifies most IoT devices with a high level of confidence during the first day it starts accessing metadata from Cortex Data Lake. After that, IoT Security continues to increase the number of confidently identified devices until it identifies all or nearly all of them. During this time, you can log in to the IoT Security portal to check that the device inventory is being populated and monitor its progress.
A confidence score indicates the level of confidence IoT Security has in its identification of an IoT device. IoT Security has three confidence levels: high, medium, and low.

Recommended For You