Previous posts in this series provided an overview of threat intelligence, its role within the IoT space, and how it can be used to prevent threats at the network perimeter in IoT Gateways. With the evolution of internet-connected devices and their growing resource capabilities, these “things” will increasingly become connected directly to the internet, forgoing connectivity through traditional perimeter appliances, and in essence becoming their own gateways or firewalls. This evolution will require a new approach to security in terms of moving protective mechanisms from robust perimeter equipment into the devices themselves. This post focuses on how the use of separation kernel technology can help in this move from security at the perimeter to enabling the use of threat intelligence on the device.
An effective way of bringing threat intelligence to devices is through the use of a separation kernel. Separation kernel technology provides a mechanism for controlling the flow of data and commands between an operating system and the hardware on which the operating system resides. In its simplest form, it is a tiny kernel that sits between all hardware functions on a device and the operating system. This separation provides a mechanism for identifying threats outside of a host operating system. Here are two very straightforward ideas on how to quickly implement threat intelligence at the device level through the use of separation kernels:
- Traffic Flow Monitoring: Most gateway or perimeter devices provide a mechanism for traffic flow analysis through the use of packet inspection and threat intelligence. This can be achieved on a device by building tiny monitoring applications that live in a secure memory space outside of a host operating system, but are accessible by the separation kernel. Traffic can be analyzed in this secure space for threats so action can be taken before it is allowed to pass into the operating system or out of the device. This essentially brings the ability to apply network security and policy management to the “thing”.
- Malicious File Identification: Using the same model described above, it would be possible to analyze files outside of a user’s operating system by identifying threats before they have access to user memory and application space. Files could be assembled in a secure memory space for hashing and looked up in a cloud-based ecosystem for threat determination. In the case of unknown files, additional analysis could be performed locally to identify any threats before they have access to the user memory or application space.
These are only two basic examples of what could be done through the use of cyber threat intelligence on a device. As the Internet of Things continues to expand, there will undoubtedly be more and more approaches that bring existing network and perimeter security to the device. The next and final installment of this series will explore some of these ideas.