MY TAKE: ‘Network Detection and Response’ emerges as an Internet of Things security stopgap

By Byron V. Acohido

There’s no stopping the Internet of Things now.

Related: The promise, pitfalls of IoT

Companies have commenced the dispersal of IoT systems far and wide. Data collected by IoT devices will increasingly get ingested into cloud-centric networks where it will get crunched by virtual servers. And fantastic new IoT-enabled services will spew out of the other end.

The many privacy and security issues raised by IoT, however, are another story. The addressing of IoT privacy and security concerns lags far, far behind. Commendably, the global cybersecurity community continues to push companies to practice cyber hygiene. And industry groups and government regulators are stepping up efforts to incentivize IoT device makers to embed security at the device level.

Very clearly, something more is needed. That’s where a cottage industry of security companies in the Network Detection and Response (NDR) space comes into play. NDR vendors champion the notion that it’s a good idea for someone to be keeping an eagle eye on the rivers of packets that crisscross modern enterprise networks, especially packets flooding in from IoT systems. That can be done very efficiently today, and would markedly improve network security without waiting for better security practices or tougher industry standards to take hold, they argue.

I had a fascinating discussion about this with Sri Sundaralingam, vice president of cloud and security solutions at ExtraHop, a Seattle-based supplier of NDR technologies. We spoke at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are the key takeaways:

IoT surge

According to Fortune Business Insights, the global IoT market will top $1.1 trillion by 2026, up from $190 billion in 2018. That’s a compounded annual growth rate of a whopping 24.7 percent.

IoT systems are on track to make our homes, commercial buildings, workplaces and transportation systems much smarter and more autonomous than they are today.

The security issue is that many of the organizations hustling to make this happen have yet to embrace robust cyber hygiene practices for their legacy operations, much less for their expanding cloud-based and IoT-enabled operations. Onboarding more IoT systems will only make things much more complex. Systemic weaknesses, such as shrinking IT security spending and the huge shortage of skilled security analysts – especially true at mid-sized organizations — will only worsen, Sundaralingam says.


Not much relief can be expected from IoT device makers. They’re hustling, too; eager to cash in, security by design is not their highest priority. That’s why it is common for IoT devices to get shipped with default passwords that can’t be changed, or settings that transmit passwords in clear text. Today millions of IoT devices are vulnerable right out of the box. And even devices that are relatively safe out of the box, over time, likely won’t be updated as new vulnerabilities are discovered, he says.

“These are specialized types of devices, so what you can do with them is very limited,” he observes. “And as you deploy more of them, you’re creating more possible initial landing points for anyone who wants to get into your network, and then move from there to figure out where your crown jewels are.”

Tracking packets

The one thing that’s very possible to do today is to monitor the network packets emanating from IoT devices. NDR involves applying machine learning, advanced data analytics and rule-based detection to the tracking of packets. ExtraHop’s technology, for instance, is designed to scrutinize and continually analyze the packets coursing inside an organization’s network, from all corners of the network. Sundaralingam broke it down for me like this:

“We can extract rich metadata from the network traffic that we’re monitoring. We’re able to run our machine learning and behavioral models on the packets to look for anomalies or suspicious behaviors. An alert gets triggered to notify the IT team or security team to any suspicious behaviors, and we provide the tool to help investigate.

“When any suspicious behavior gets detected, we can tell very quickly where else in the network this particular device tried to connect to and what kinds of sensitive data it may have tried to collect . . . we help the security analysts understand the blast radius, and then they can take remediation steps to help contain it.”

ExtraHop’s technology is designed to assimilate any new IoT system added to the network. Machine learning is leveraged to group devices and systems in logical ways, and also to discern  routine traffic patterns, which serve as baselines. These baselines solidify as more and more packets run through, meaning anomalies appear in higher relief.

“As you deploy more and more IoT devices, the system will continue to detect them and group them and monitor them and apply the same capabilities,” he says. “So wherever you’re deploying IoT devices, you’re able to expand a network detection and response capability to those areas.”

Addressing complexity

The rapid expansion of IoT systems wouldn’t be possible without the parallel expanding utilization of cloud infrastructure, i.e. processing power and data storage supplied by Amazon Web Services, Microsoft Azure and Google Cloud. In fact, migration to cloud services arguably is happening faster and more broadly than IoT adoption, which makes sense — infrastructure has to come first.

Given that companies are more often than not expanding their IoT systems off of hybrid cloud infrastructures ExtraHop has sought out partnerships with the top three cloud services providers, Amazon, Microsoft and Google. Sundaralingam’s break down:

“There’s a different level of complexity in the cloud environment. You have container and serverless capabilities; you can scale up and scale down very quickly. There’s a need to monitor workloads, which pop up and then can go away within hours.

“Monitoring network traffic makes sense because that’s where ground truth lies. So if there is any malicious or suspicious activity going on, such as somebody moving across your cloud network, trying to figure out where your crown jewels are, we can use network detection response capabilities to identify those patterns, detect the early stages of an attack, and then take some remediation actions to stop it.”

ExtraHop’s partnership with Amazon, Microsoft and Google revolve around facilitating access to packets moving in and out of the Big Three cloud services to individual cloud infrastructure subscribers. “They’re providing virtual taps into these cloud environments so that we can have access to packets, and then we can enable the customers to be able to monitor their virtual networks in the cloud,” Sundaralingam explains.

It’s going to be instructive to see how much of a difference NDR technologies make over the long haul. NDR technologies could very well help keep the expansion of IoT on track – by helping to address the attendant privacy and security concerns. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone