Scaling Up IoT Security
IoT Security Foundation Conference, December 2018
Leo Dorrendorf, Security architect
The challenges of IoT security architecture
- Diverse product range
- Multiple R&D teams
- Different security levels
- Updated standards and regulation
- Supply chain security
- Evolving threat intelligence
- Rising attacks
Rising attacks on IoT
[Chart: Global number of IoT devices (billions). Source: Statista]
[Chart: Number of detected malware samples targeting IoT devices. Source: Kaspersky Lab]
[Chart: Number of reported infected devices. Source: VDOO Research]
Our research: the state of IoT security
- Auto-analyzed IoT embedded systems
- 3,737 aggregated IoT vulnerabilities
- 162,151 500-day vulnerabilities
The problems with the manual approach
Quick Scalable Reusable Standardized
The advantages of the automated approach
Quick Scalable Reusable Standardized
The IoT security process
1 Training, 2 Requirements, 3 Design, 4 Implementation, 5 Verification, 6 Release
Creating a requirements database
Sources: internal research, industry standards, industry publications, public threat intelligence
Resulting requirements: REQ.1, REQ.2, REQ.3, REQ.4
Linking related objects
REQ.1, REQ.2, REQ.3, REQ.4 are each linked to: industry standards, attack methods, device attributes, scan results
Filtering relevant requirements
Device attributes: SD card, Wi-Fi, USB, Ethernet, HW RNG
Relevant requirements: REQ.1, REQ.2, REQ.3, REQ.4
Integrating existing standards
[Image: https://xkcd.com/927, shared under the Creative Commons license by its author]
Integrating existing standards
Mapping requirements: REQ.1, REQ.2, REQ.3, REQ.4
Filtering to a selected standard: relevant requirements
Automatic scanning for requirement status
Device firmware -> requirement status for REQ.1, REQ.2, REQ.3, REQ.4
Security as part of continuous integration
v0.1: status of REQ.1, REQ.2, REQ.3, REQ.4
v0.5: status of REQ.1, REQ.2, REQ.3, REQ.4
v1.0: status of REQ.1, REQ.2, REQ.3, REQ.4
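The slides above sketch a pipeline: a requirements database, requirements linked to device attributes and standard clauses, filtering to the requirements relevant for one device and one selected standard, scanning each firmware version for requirement status, and tracking that status in CI. The following is an added illustration of that pipeline in Python; it is not VDOO's code or data. The requirement texts, the device attribute names (wifi, usb, hw_rng, ...), the standard names STD-A and STD-B with their clause numbers, and the per-version scan results are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    needs: frozenset   # device attributes that make it applicable (empty = always applies)
    clauses: frozenset  # clauses of external standards this requirement satisfies


# Constructed requirements database (assumed content; STD-A/STD-B are placeholder standards).
REQUIREMENTS = (
    Requirement("REQ.1", "Firmware image is signed and verified at boot",
                frozenset(), frozenset({"STD-A:5.7", "STD-B:2.4"})),
    Requirement("REQ.2", "Wi-Fi credentials are stored encrypted at rest",
                frozenset({"wifi"}), frozenset({"STD-A:5.4"})),
    Requirement("REQ.3", "USB debug interface is disabled in production builds",
                frozenset({"usb"}), frozenset({"STD-B:2.4"})),
    Requirement("REQ.4", "Long-term keys are generated from the hardware RNG",
                frozenset({"hw_rng"}), frozenset({"STD-B:2.4"})),
)


def relevant_requirements(db, device_attributes):
    """Keep requirements whose attribute preconditions this device meets."""
    attrs = frozenset(device_attributes)
    return [r for r in db if r.needs <= attrs]


def filter_to_standard(reqs, standard):
    """Keep requirements mapped to at least one clause of the selected standard."""
    prefix = standard + ":"
    return [r for r in reqs if any(c.startswith(prefix) for c in r.clauses)]


def requirement_status(reqs, scan):
    """Join scan findings onto the requirement list; unscanned items stay 'unknown'."""
    return {r.rid: scan.get(r.rid, "unknown") for r in reqs}


def ci_history(reqs, scans_by_version):
    """Requirement status per firmware version, in scan order."""
    return {v: requirement_status(reqs, scan) for v, scan in scans_by_version.items()}


def regressions(history):
    """(version, rid) pairs where a requirement went from 'pass' to 'fail'."""
    found, previous = [], {}
    for version, status in history.items():
        for rid, s in status.items():
            if previous.get(rid) == "pass" and s == "fail":
                found.append((version, rid))
        previous = status
    return found


def release_gate(history):
    """A build is releasable only if no relevant requirement fails in its latest scan."""
    latest = list(history.values())[-1]
    return all(s != "fail" for s in latest.values())


# Constructed scan results for three firmware versions of one device.
SCANS = {
    "v0.1": {"REQ.1": "fail", "REQ.2": "fail"},                   # REQ.3 not yet scannable
    "v0.5": {"REQ.1": "pass", "REQ.2": "fail", "REQ.3": "pass"},
    "v1.0": {"REQ.1": "pass", "REQ.2": "pass", "REQ.3": "fail"},  # debug port came back
}
DEVICE = {"wifi", "usb", "ethernet"}  # no SD card and no hardware RNG on this device

if __name__ == "__main__":
    reqs = relevant_requirements(REQUIREMENTS, DEVICE)
    print("relevant:", [r.rid for r in reqs])
    print("STD-A subset:", [r.rid for r in filter_to_standard(reqs, "STD-A")])
    hist = ci_history(reqs, SCANS)
    for version, status in hist.items():
        print(version, status)
    print("regressions:", regressions(hist))
    print("release gate:", "OPEN" if release_gate(hist) else "BLOCKED")
```

The attribute test uses subset semantics, so a requirement with no preconditions applies to every device and REQ.4 drops out for a device without a hardware RNG. Tracking status per version lets the CI step flag the pass-to-fail regression in v1.0 rather than only reporting the current state.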
Post-release protection
Vulnerable software -> fundamental fix, countermeasures
Conclusion
01 What is the right security level for my product?
02 What do I already have in my product?
03 What gaps do I have?
04 How to bridge the gaps?
05 How can I be trusted by my customers?
06 How can I maintain trust and security?
Conclusion
Massive data set (over 20K firmwares)
Thank you
[email protected] @leodorrendorf