Joe Lea: For example, Samsung smart TVs make a DNS request followed by connection attempts once a minute for about 45 minutes. Then they take a nap for an hour. Then they start up and do that process again. We know what default applications are installed. We see traffic that goes to things like the Netflix app. We look at whether the device is stationary or mobile based on where it shows up on the network.
There are about 8,000 different characteristics that we look at that allow us to fingerprint the behavioral profile of devices. That knowledge base gives us the ability to look into an enterprise’s network traffic completely passively and out of band and say, “You have 150 security cameras within the environment, 10,000 MacBooks, 15,000 Windows machines, servers, a connected HVAC system, voice over IP phones, and here are things you probably didn’t know were on your network but happened to be there. These are things like Raspberry Pis, the Alexa somebody brought in from home, the printer that somebody brought into the office.”
All of these things that show up may not be sanctioned by IT, as well as all those things that IT has sanctioned and that should be on the network. That’s the technical approach. Another one of our design points is to deploy as seamlessly as possible.
Sramana Mitra: I’m curious about the deployment model because you’re using models of particular devices and behavior based on those models to check for cleanliness of those devices in your architecture and algorithm. How do you deploy? When does the check happen? How frequently? In real time?
Joe Lea: Armis deploys with a virtual appliance. In 90% of the cases, we can do a physical appliance as well. That virtual appliance is called a collector. It sits within the enterprise environment and runs with a connection into the wireless LAN controller or the switch. That collector taps into the switch at a distribution layer and we do a SPAN of the traffic from there. That’s how we ingest all of the network traffic into our collectors.
We’re also able to look at things like firewall logs, Active Directory, and various network access control systems to supplement. But most of the time, what we’re taking in is the wireless and the wired traffic. That traffic comes into the collector, which is a fairly basic kind of virtual appliance. It looks at the traffic. The requirements for its operation are minimal. It looks at the traffic and aggregates that down to a set of metadata events that it then sends back to the cloud.
We’re cloud-deployed for the most part. All of the work happens up in the cloud. Then we communicate back to things within the enterprise environment, recognizing that it’s important for us to participate in the overall ecosystem of security tools that are deployed. All of the things that our security teams use to be able to manage, get visibility, and work on security issues across their conventional IT equipment, we participate with all those things with connections back into all of that infrastructure.
Let me talk a bit more about how Armis is classifying those devices and probe a bit down to a deeper level. With those data sources, we look at device attributes. We look at the physical layer, like MAC addresses and firmware versions. We look at the network characteristics, like what operating systems are there, various protocols in use, and the network stack. We look at the behavior. We look at what connections are made, the traffic pattern over time, the direction of the traffic, and the traffic intensity.
There are about 8,000 possible attributes that come into play as factors into a profile engine that determines exactly what the device is and what its unique purpose is. Just identifying what the device is is sometimes not enough. For example, one iPad could be a different profile in a retail scenario where it has a Square attached to it and it’s taking credit card payments. That is a different profile of activity.
An anomalous circumstance there would look different than the iPad used in a conference room. It is used to take control of the audio/visual equipment or schedule the conference room. That profile is very different from an end user bring-your-own-device home iPad where you might be doing things that are entertainment related. We look at profiles, baseline those, and understand what they are. Then we look at anomalies within those profiles rather than just treating it at the device level. It’s a sophisticated modelling of the behavior.
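The passive profiling pipeline described in this interview, reduced to a runnable sketch: raw flow records are collapsed into per-device metadata attributes (the collector's job), those attributes are matched against a small profile knowledge base (the cloud's job), and a device that matches a profile but talks to a peer outside that profile's baseline is flagged. This is an added illustration and not Armis code; the flow records, the two profiles (a smart TV with the 45-minutes-on, 60-minutes-off cadence mentioned above, and a retail iPad), the MAC prefixes, and the attribute thresholds are all constructed for the example.

```python
"""Toy passive device-profiling pipeline (added illustration, not Armis code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One observed flow from a SPAN port (constructed for the example)."""
    ts: int        # seconds since capture start
    src_mac: str
    proto: str     # "dns" or "tcp"
    dst: str       # queried name for dns, "host:port" for tcp


# Hypothetical profile knowledge base. Each profile pins an OUI prefix, the expected
# DNS cadence, the expected longest idle gap ("nap"), and the baseline peer set.
PROFILES = [
    {"name": "smart-tv", "oui": "AA:BB:CC",
     "dns_period_s": (50, 70), "sleep_gap_s": (3000, 4200),
     "peers": {"203.0.113.10:443"}},
    {"name": "retail-ipad", "oui": "DD:EE:FF",
     "dns_period_s": (0, 600), "sleep_gap_s": (0, 600),
     "peers": {"192.0.2.20:443"}},
]


def make_tv_flows(mac, cycles=2):
    """Constructed traffic: one DNS query plus a connection every 60 s for 45 min, then 60 min idle."""
    flows = []
    for c in range(cycles):
        base = c * (45 + 60) * 60
        for minute in range(45):
            t = base + minute * 60
            flows.append(Flow(t, mac, "dns", "cdn.example-tv.test"))
            flows.append(Flow(t + 1, mac, "tcp", "203.0.113.10:443"))
    return flows


def make_ipad_flows(mac):
    """Constructed traffic: a payments terminal polling every 120 s, plus one out-of-profile SSH flow."""
    flows = []
    for i in range(15):
        t = i * 120
        flows.append(Flow(t, mac, "dns", "payments.example.test"))
        flows.append(Flow(t + 1, mac, "tcp", "192.0.2.20:443"))
    flows.append(Flow(1000, mac, "tcp", "198.51.100.7:22"))  # the anomaly
    return flows


def summarize(flows):
    """Collector step: reduce raw flows to per-device metadata attributes."""
    by_dev = defaultdict(list)
    for f in flows:
        by_dev[f.src_mac].append(f)
    attrs = {}
    for mac, fl in by_dev.items():
        fl.sort(key=lambda f: f.ts)
        dns_ts = [f.ts for f in fl if f.proto == "dns"]
        gaps = [b - a for a, b in zip(dns_ts, dns_ts[1:])]
        attrs[mac] = {
            "oui": mac[:8].upper(),
            "dns_period_s": median(gaps) if gaps else None,  # typical cadence
            "max_gap_s": max(gaps) if gaps else None,        # longest nap
            "peers": frozenset(f.dst for f in fl if f.proto == "tcp"),
        }
    return attrs


def in_range(value, bounds):
    return value is not None and bounds[0] <= value <= bounds[1]


def classify(attrs):
    """Profile-engine step: first profile whose OUI and cadence attributes all match."""
    for p in PROFILES:
        if (attrs["oui"] == p["oui"]
                and in_range(attrs["dns_period_s"], p["dns_period_s"])
                and in_range(attrs["max_gap_s"], p["sleep_gap_s"])):
            return p
    return None


def analyze(flows):
    """Return {mac: {"profile": name-or-"unknown", "anomalies": [...]}}."""
    results = {}
    for mac, attrs in summarize(flows).items():
        profile = classify(attrs)
        if profile is None:
            results[mac] = {"profile": "unknown", "anomalies": []}
            continue
        unexpected = sorted(attrs["peers"] - profile["peers"])
        results[mac] = {"profile": profile["name"],
                        "anomalies": [f"new peer {d}" for d in unexpected]}
    return results


if __name__ == "__main__":
    sample = (make_tv_flows("aa:bb:cc:00:00:01")
              + make_ipad_flows("dd:ee:ff:00:00:02")
              + [Flow(5, "b8:27:eb:00:00:03", "dns", "pypi.org")])  # an unprofiled device
    for mac, verdict in analyze(sample).items():
        print(mac, verdict)
```

The third device never matches a profile and is reported as "unknown", which is the "things you probably didn't know were on your network" case; the iPad matches its retail profile on cadence alone, and the anomaly is only raised because the SSH peer is outside that profile's baseline rather than because the device itself is unusual.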
This segment is part 4 in the series : Thought Leaders in Internet of Things: Joe Lea, VP of Product at Armis