IoT Security Solution Structure

The IoT Security solution involves multiple components working together to discover, classify, and secure IoT devices on your network.
Using AI and machine learning, IoT Security automatically discovers and identifies all network-connected devices and constructs a data-rich, dynamically updating inventory. In addition to identifying IoT devices and IT devices (laptops and servers for example), IoT Security provides deep visibility into network behaviors, establishing what’s normal and discerning what’s suspicious. When it detects a device vulnerability or anomalous behavior posing a threat, IoT Security notifies administrators, who can then take action to investigate and remediate the issue.
To accomplish all this, the cloud-based IoT Security app works with Palo Alto Networks next-generation firewalls, logging service, and update server, and optionally with Panorama and integrated third-party products. These elements of the IoT Security solution collaborate to carry out the following tasks:
  • Firewalls with IoT Security subscriptions collect information about network traffic and forward their logs to the logging service, which streams such metadata to IoT Security for analysis.
  • The update server provides firewalls and Panorama with a regularly updated device dictionary file of device attributes (profile, vendor, category, and so on) that Security policy rules use for device identification, or
    Device-ID
    .
  • IoT Security recommends Security policy rules based on Device-ID to firewalls. When Panorama provides centralized firewall management, IoT Security works through it to recommend Security policy rules to managed firewalls. When Panorama is not in use, IoT Security interacts directly with firewalls.
  • IoT Security maps IP addresses to devices and notifies firewalls of their corresponding device attributes so they can enforce Device-ID-based Security policy rules that reference attributes in IP address-to-device mappings.
With third-party integrations add-on for your IoT Security account, you are able to expand IoT Security capabilities to include product-specific features and those of the integrated products to include IoT.
Learn about the major components that constitute the IoT Security solution:

1 - Device Data Collection

For IoT Security to identify IoT devices and establish a baseline of their acceptable network behaviors, it needs to analyze their network activity. That’s where next-generation firewalls come in. They log network traffic to which they apply Security policy rules and then forward logs to the logging service where IoT Security accesses them. Depending on whether your IoT Security subscription includes data storage, the logging service either streams metadata to your IoT Security account and Cortex Data Lake instance or just to your IoT Security account.
Detailed Instructions

2 - Data Analysis

IoT Security uses AI and machine-learning algorithms to analyze numerous aspects of the network behavior of a device and classify it within three levels or tiers. At the broadest tier, IoT Security identifies behavioral similarities that enable its algorithms to assign a device to a device category, such as security camera, even if it doesn’t yet know the exact vendor and model. At the next tier, IoT Security gathers more granular behavioral attributes shared by certain vendors and models of security cameras to assign it a device profile. At the third tier, the algorithms create a model of unique behaviors for this individual security camera, such as its usage pattern.
In addition to device identification, IoT Security applies proprietary and supplemental machine-learning technologies to threat detection. It automatically detects device vulnerabilities and notifies IoT Security administrators. It also detects anomalous network behavior indicative of attack or reconnaissance and generates security alerts.
Detailed Instructions

3 - IoT Device Protection

IoT Security coordinates with next-generation firewalls to recommend Security policy rules for IoT device traffic. After identifying devices and establishing a baseline of acceptable network behavior, IoT Security automatically generates recommended Security policy rules for device profiles based on the network behavior it observes. Panorama or firewall administrators then import the recommendations to Panorama or directly to firewalls where they decide which ones to add to their policy set.
Firewalls and Panorama must have a list of device profiles or other device attributes for Device-ID-based Security policy rules. This list is provided as a device dictionary file from the update server, which firewalls and Panorama check regularly for updates to download.
So that firewalls apply imported Device-ID-based rules appropriately, IoT Security continually sends the firewall IP address-to-device mappings, which include the profile and other attributes of all devices monitored and protected by IoT Security.
IoT Security also integrates with Prisma Access to identify and secure devices.
Detailed Instructions

4 - Third-party Integrations

In addition to protecting IoT devices by coordinating with next-generation firewalls, IoT Security also integrates with third-party products to do the following:
  • Increase device inventory and enrich device context—sometimes for IoT Security and sometimes for the integrated third-party product
  • Broaden the coverage of specific features in integrated products to include IoT
  • Expand the capabilities of IoT Security; for example, through integrations that allow you to do vulnerability scanning, quarantine devices with critical vulnerabilities or security alerts, and apply access control lists (ACLs) to IoT devices
IoT Security integrates with other products through a third-party integrations add-on, which is based on a Cortex XSOAR module.
Detailed Instructions

5 - Using Prisma Access instead of Next-generation Firewalls

When using IoT Security with Prisma Access, the process for collecting device data is similar to the previous description of data collection except that you substitute Prisma Access for firewalls. When Prisma Access forwards data logs to the logging service, Cortex Data Lake must be used.
IoT Security sends Security policy rule recommendations through Panorama to Prisma Access. It sends IP address-to-device mappings to Prisma Access directly. Likewise, the update server sends device dictionary updates directly to Prisma Access as well as to Panorama.
Detailed Instructions

Recommended For You