Achieving On-Device Security with Minimal Impact

Constrained devices, whether through limited computing capabilities or low power consumption, have been the bane of cybersecurity vendors since the advent of the Internet of Things (IoT). The major obstacle of constrained devices is their limited ability to integrate resource-intensive or costly security solutions on-device. The development of lightweight security solutions is niche area but a growing focus within the cybersecurity industry. A number of innovative startups have commercialized on-device solutions that work within the limits of constrained devices without impacting performance. These include Nanolock, Check Point Software Technologies, Karamba Security, Red Balloon Security, RunSafe Security, Sternum, and Verimatrix. Some are industry-specific, while others offer platform and application agnostic solutions targeting a broad range of IoT devices.  

Hardened devices reduce the attack surface and their exploitability. This lightens the load at the network level, but once such devices are in the field, they also need to be able to protect themselves at runtime and from eventual vulnerabilities introduced by applications installed (or updated) later. For constrained devices, it is through software, more than through embedded hardware, that a competitive ecosystem is emerging.

There are various methods for securing the code base in the firmware for the more constrained devices. Ultimately, these can be categorized into hardening methods and runtime protection. A few key hardening methods include binary debloating/reduction, randomization, embedding integrity verification algorithms into binary and non-binary code, binary analysis for vulnerabilities, bootloader analysis, and anti-tampering checks to prevent modification of binaries or removal of functions. Runtime protection features include prevention of remote code execution, monitoring code and memory usage to detect attacks by embedding defensive payloads, offboard attestation, agent that detects legitimate binaries and hardens the system according to discovered known goods, automatic full-image analysis, application whitelisting, control flow integrity, and anti-tampering static files.

Beyond that, there is an increasing demand for runtime monitoring, often provided as an additional service that can include reporting and recording deep root cause analysis to System-on-a-Chips (SOCs), analysis of telemetry data on security events gathered from payloads, publishing alerts to Security Information and Event Management (SIEM)/Intrusion Detection System (IDS), and analytics systems to detect command injection and access manipulation. The demand for cloud-based analytics, in particular as an extension of runtime monitoring services, can further include device scanning and research attempts through network events, anomalous authentication events, maintenance and software update events, command execution and command injection attempts, file system anomaly events, and so forth.

The market is still relatively niche in terms of offerings in this space, due in part to lack of understanding and cost concerns. However, developments in specific markets, such as defense, automotive, manufacturing, Industry 4.0, aerospace, and medical/healthcare, are key drivers in this space, especially for sensors and accessories that are used in functional safety settings and cyber-physical systems. It is not enough that the broader system or smart device be secure; each individual part must also be as secure as possible, and such efforts need to be initiated upstream. This demand is driving the technologies to maturity and enabling use-cases to grow beyond the original target market to the broader IoT ecosystem.

The primary business models for these more novel types of solutions include a one-time fee for firmware hardening, which is done at the development stage. The runtime protection (often an agent, but not always) can also command a fee per device install. But most importantly, it is the runtime monitoring, proposed as a service or cloud-based solution, with a dashboard proposition in some cases, which will truly drive the market forward. This is what can provide client stickiness and retention. For the vendors, the sales options are varied, as they can offer that service themselves, or enable Original Equipment Manufacturers (OEMs) and  communication and network service providers to add-value through fine-grained device management security.