Intel Security CTO: Partners Have A Big Part To Play In Protecting Connected Devices

A Scary Time For Cybersecurity

Cybersecurity is going through a whirlwind of changes, and developments in the Internet of Things (IoT) and connected devices have only exacerbated the risks that customers are facing.

However, vendors like Intel and Intel Security are working to combat security risks by providing new toolsets to their partner ecosystem, said Intel Security CTO Steve Grobman in an interview with CRN on Tuesday at the Intel Developer Forum.

Also on Tuesday, Intel CEO Brian Krzanich revealed the company's plans to bring more secure IoT applications to market with Enhanced Privacy ID (EPID) technology, which provides mutual authentication between the IoT node and the cloud.

Grobman discussed new areas vendors are looking at to protect against data breaches, and where partners fit into that ecosystem.

What does the Internet of Things mean for cybersecurity?

There's a few things -- one of the things that [CEO Brian Krzanich] stressed in his keynote was the whole maker movement. The connected IoT capability is making it such that we have a lot of new types of devices we've never seen before. The sophistication of these devices has increased dramatically, and from a security standpoint, we know when this sophistication increases, complexity also increases, and so there's a higher risk of a vulnerability.

We're starting to look at things that have traditionally not been an issue. If there was an embedded device that had vulnerable code but wasn't connected, it wasn't exploitable, but the challenge we're moving into now is that as you're adding that connected aspect, you have a diverse set of devices that are vulnerable to attack.

Are customers aware of these risks?

Not to the degree that they should be. When we see individual point issues, there becomes awareness on that point, but the broader issue we need awareness of is that there's a significant amount of compute on any of these devices, whether a car or wearable. These connected devices have a large quantity of software and an element of connectivity where the device itself can be compromised and used to actually be part of an attack against other devices.

That's the situation we saw on the Jeep incident a few weeks ago -- it revealed a series of vulnerabilities within the system, and people could gain entrance through one area and move laterally through the system.

What are you seeing in the business environment (as opposed to the consumer side)?

It's true in both the consumer and business environment. One thing we're seeing in the business environment is tighter integration between industrial systems and traditional business systems. Companies are doing this to get data for analytics and cost efficiencies, but it means cyberdefense needs to comprehend both environments. In the past, you could look at your factory as an isolated, separated environment from your business systems, but we see these two areas having a lot more touch points now where we see the potential for breaches on the business side having influence on the factory side, and vice versa.

We saw that in 2014 [Target hacks], where they came in through an HVAC network and moved laterally into the business system or the point-of-sale system.

How are you establishing various protocols for protection?

We know that no matter how much education there is and how well our partner ecosystem is, there will be software errors, there will be bugs and, therefore, we have to build a layered set of defense where the end user can monitor and detect attacks.

When we look for detection, part of it is establishing a good understanding of baseline normal operations. If you have a factory environment, there should be well-understood network flows and communications where certain devices should only be talking to other devices under very specific protocols. If you can monitor this and look for aberrations or things outside of the norm and drill into what is potentially causing those, those are the key things [for which] we're building a more centralized protection system.

Do manufacturers have a role in this area?

We need to do things to protect devices from different partners and different parts of the ecosystem.

There's a responsibility on the device manufacturers themselves to ensure that they are thinking about security differently. Unlike the good, old days where manufacturers focused on functionality, they now need to understand secure coding practices, how to build layers of defense, and how to ensure they are running parts of their devices with the minimum amount of privilege that they need to.

How is the partner ecosystem in this area?

We're building our architecture to work in conjunction with all sorts of partners -- we know there needs to be communication between software products in the industry. We created underlying messaging architectures that will work with our partners and the industry in order to get this data we've talked about into places that can be looked at.

The other part is that we're building our tools to be more of a toolset than a preconfigured set of capabilities that will work the same if you're building cars or building a bank. Those are two different industries, and our partners have a part to play in specific verticals. We have lots of managed service providers, consultants and integrators making up a very rich ecosystem to take the building blocks we're creating.

Is there a specific type of partner (MSP, consultant) playing a bigger role in security?

Cybersecurity is such a complex field, it takes all different types of partners.

I think of it as asking, 'What's the most important part of your car, the steering wheel or brakes?' when you need them both. That's where we are with our partner ecosystem. We won't create all the technology on our own, but we know the variability of the different environments this technology will be used in will be so great that there will be a very rich set of partners to execute it.

With the cybersecurity labor market shortage, many organizations will need to decide whether the best way to actually run security operations is to do it themselves, or focus more on an MSP-outsourced operations team.

Talk about Enhanced Privacy ID (EPID) and what it means for the industry.

With IoT, you have different devices, and it is critical that the data center has a high degree of assurance that it's talking to a real device versus a hacker creating a fictitious software model pretending to be a device. If you think about a smart meter or smart grid, you want to make sure the information you're getting in your data center is real, not a hacker.

Intel has concluded we're not going to make every device, and it doesn't make sense for everyone in the industry to come up with their own scheme, so we're anchoring on well-understood cryptographic techniques and practices. [CEO Brian Krzanich's] announcement was about taking the underlying technology that will add security to IoT, and make that more broadly available to the industry.

What security challenges are you seeing in the wearables market?

From the hardware side, Intel is looking at fueling the wearables in all sorts of markets, with authentication being a really good example. In the consumer space, we're thinking not only about how a wearable can help provide security services, like authentication and better ease of use, but we understand that as wearables become more sophisticated, they'll have more and more data, so it's critical to safeguard that information just as you would any other device. In cybersecurity, when you introduce any device, that can become the weakest point and part of a larger breach or attack. The challenge here is we're getting more devices that consumers don't realize can be compromised.