Monitor Your IoT Security Deployment Using Best Practices

These are daily, weekly, and monthly IoT Security maintenance best practices.
When maintaining your IoT Security deployment, it’s helpful to view the maintenance in terms of daily, weekly, and monthly tasks.

Daily

  • Check security alerts that you learn about through email or SMS notifications or by scanning the Security Alerts page in the IoT Security portal (Alerts > Security Alerts) and respond as appropriate for their severity and urgency.
  • Review system alerts in the IoT Security portal (Alerts > System Alerts) and the Firewalls page (Administration > Sites and Firewalls > Firewalls) to check that firewalls are connected to IoT Security. If a firewall is disconnected, IoT Security stops analyzing log data and no new device detections and identifications occur. Serious events that increase risk to your devices and your network could be missed.
  • Scan the Devices page for newly discovered devices and confirm that their network access is authorized. Unauthorized devices pose a threat if they did not undergo an onboarding process that provisions them to do all the following: connect to appropriate network segments, use only approved applications, and (if the devices support it) run required endpoint protection.

Weekly

  • On the Firewalls page in the IoT Security portal, watch for unusually large shifts in log volume from firewalls. An unexpected spike or dip might indicate anomalous network activity or a change to the configuration or connection of a firewall.
  • Track the network activity of high-value devices on the Devices page in the IoT Security portal. If a normally active device is unexpectedly inactive, check the last time it was active (you can also do this on the Devices page). Investigate further if the length of inactivity raises concern.
  • Review the weekly Risk report to check for any new risks and track the status of work remediating existing risks.
  • Check that the firewall regularly receives IP address-to-device mappings from IoT Security to ensure no devices are missing from policy enforcement. Use the following two CLI commands on the firewall to check the connection status between the edge servers and the firewall and which mappings the firewall received:
    show iot icd statistics verdict – Shows statistics about the IP address-to-device mappings, or verdicts, that the ICD (Identity Client Daemon) running on the edge server in front of the IoT Security cloud sent to the IoTd (IoT daemon) running on the firewall.
    show iot ip-device-mapping all – Shows which IP address-to-device mappings (verdicts) the firewall received.
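The daily check for newly discovered devices and the weekly checks for log-volume shifts and inactive high-value devices above are things a team usually ends up scripting against data exported from the portal. The following Python is an added example, not code from the IoT Security product or its documentation; the firewall names, device names, volumes and timestamps are constructed sample data, and the thresholds (a 50% deviation from the trailing median, three days of inactivity) are assumptions you would tune to your environment. It does not parse the output of the two CLI commands, because their output format is not shown on this page.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (hypothetical, not exported from any portal):
# daily log volumes per firewall for the past 8 days, oldest first.
LOG_VOLUME = {
    "fw-branch-01": [120_000, 118_500, 121_200, 119_800, 122_300, 120_900, 119_400, 121_000],
    "fw-campus-02": [300_000, 305_000, 298_000, 302_000, 301_500, 299_000, 303_000, 95_000],
    "fw-dc-03":     [500_000, 498_000, 503_000, 501_000, 499_500, 502_000, 500_500, 1_450_000],
}

# Constructed device inventory with the last time each device was seen on the network.
DEVICES = [
    {"name": "infusion-pump-07", "high_value": True,  "last_seen": "2024-05-20T09:12:00"},
    {"name": "hvac-ctrl-02",     "high_value": True,  "last_seen": "2024-05-13T22:40:00"},
    {"name": "lobby-printer",    "high_value": False, "last_seen": "2024-05-01T08:00:00"},
]
NOW = datetime(2024, 5, 20, 12, 0, 0)  # fixed "now" so the example is reproducible

# Constructed onboarding record (devices that went through provisioning) and
# the device names reported as newly discovered today.
AUTHORIZED = {"infusion-pump-07", "hvac-ctrl-02", "lobby-printer"}
NEW_DEVICES = ["infusion-pump-07", "ip-camera-unknown-19", "badge-reader-04"]


def log_volume_shifts(volumes, threshold=0.5):
    """Weekly check: flag firewalls whose latest daily log volume deviates from the
    median of the preceding days by more than `threshold` (a fraction).
    The median is used as the baseline so a single earlier outlier does not hide
    a real spike or dip. Returns {firewall: (ratio, "spike" | "dip")}."""
    findings = {}
    for fw, series in volumes.items():
        if len(series) < 3:
            continue  # not enough history to call anything a shift
        baseline = median(series[:-1])
        if baseline == 0:
            continue  # a firewall that never sent logs is a connectivity problem, not a shift
        ratio = series[-1] / baseline
        if ratio > 1 + threshold:
            findings[fw] = (round(ratio, 2), "spike")
        elif ratio < 1 - threshold:
            findings[fw] = (round(ratio, 2), "dip")
    return findings


def inactive_high_value_devices(devices, now, max_idle=timedelta(days=3)):
    """Weekly check: return (name, idle_days) for high-value devices whose last
    activity is older than `max_idle`. Low-value devices are skipped on purpose;
    they are reviewed separately so the list stays actionable."""
    stale = []
    for d in devices:
        if not d["high_value"]:
            continue
        idle = now - datetime.fromisoformat(d["last_seen"])
        if idle > max_idle:
            stale.append((d["name"], idle.days))
    return stale


def unauthorized_devices(discovered, authorized):
    """Daily check: newly discovered devices that are not in the onboarding record,
    i.e. devices whose network access has not been confirmed as authorized."""
    return sorted(set(discovered) - authorized)


def run_checks():
    """Run all checks and return the findings as one dictionary."""
    return {
        "log_volume_shifts": log_volume_shifts(LOG_VOLUME),
        "inactive_high_value": inactive_high_value_devices(DEVICES, NOW),
        "unauthorized": unauthorized_devices(NEW_DEVICES, AUTHORIZED),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

With the constructed data, the dip on fw-campus-02 and the spike on fw-dc-03 are flagged, hvac-ctrl-02 is reported as idle for six days, and the two devices missing from the onboarding record are listed; the thresholds are deliberately simple so that the output maps directly onto the portal pages the checklist tells you to review.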

Monthly

  • When there’s a network expansion, look for new network segments. If necessary, deploy more firewalls to provide additional coverage and make sure traffic from devices in these segments reaches the firewall and is reported to Cortex™ Data Lake.
  • Review user audit logs in the IoT Security portal (Administration > Audit Logs) for unusual activities, such as unexpected configuration changes.
  • Use Policy Optimizer (Policies > Security > Policy Optimizer) in the firewall web interface to check whether the recommended policies added to the firewall are being used, and adjust policy rules as needed.