Strategies for Protecting IoT Devices: Behavior Analytics, Vulnerability Scanning and EDR

February 20, 2020


Almost 27 billion IoT devices were active in August 2019 and the number is growing daily. These billions of devices can grant incredible accessibility to data and services for organizations, consumers, and unfortunately, attackers. 

Devices on publicly available networks can be discovered and targeted by attackers. These devices can grant attackers access to otherwise secure networks. Devices can even be used to create massive botnets. Some organizations have found that IoT devices are probed within an hour of being connected.

To prevent such attacks from happening to your devices, you need to take preventative measures. In this article, you’ll learn about the top IoT vulnerabilities to address. You’ll also be introduced to some strategies and tools for keeping your IoT devices and connected networks secure.

Understanding vulnerabilities in IoT devices

To protect your IoT devices, you must first understand how these devices are vulnerable. A good source of information to start with is the Open Web Application Security Project (OWASP). OWASP is an independent, non-profit foundation that publishes free tools, standards and best practices for improving application and software security.

An example of OWASP efforts is the OWASP Internet of Things Top 10 list. The current version was published in 2018 and is scheduled to be updated sometime in 2020. It identifies the following weaknesses as the primary concerns for securing IoT devices.

  • “Weak, Guessable or Hardcoded Passwords” – credentials that are easily brute-forced, publicly known, leaked in earlier breaches or left at the factory default, as well as backdoor accounts baked into firmware or client software. Credentials for connected services and companion apps count too, since they can be used to reach the host network.
  • “Insecure Network Services” – unneeded or insecure services running on the device itself, especially those exposed to the internet. Such services can leak or corrupt data or allow unauthorized remote control of the device.
  • “Insecure Ecosystem Interfaces” – web, backend API, cloud and mobile interfaces outside the device that lack encryption, authentication or authorization, or that do not validate input and filter output.
  • “Lack of Secure Update Mechanism” – firmware is not validated (signed and verified) before installation, updates are delivered without encryption, there is no anti-rollback protection (so an attacker can downgrade a device to an older, vulnerable version), and users are not notified of security-relevant changes.
  • “Use of Insecure or Outdated Components” – deprecated or vulnerable software libraries, insecure customization of the operating system, or third-party software and hardware sourced from a compromised supply chain.
  • “Insufficient Privacy Protection” – personal information is stored on the device or in its ecosystem insecurely, improperly or without permission, including the lack of encryption that data regulations require.
  • “Insecure Data Transfer and Storage” – a lack of encryption or access control for sensitive data at rest, in transit or during processing lets unauthorized users read or alter it.
  • “Lack of Device Management” – deployed devices lack asset management, update management, secure decommissioning, monitoring and response capabilities.
  • “Insecure Default Settings” – devices ship with permissive settings, or prevent operators from changing the configuration to make the device more secure. Settings that users have loosened against policy or without management direction fall into the same category.
  • “Lack of Physical Hardening” – exposed debug interfaces (such as UART or JTAG headers), removable storage or unprotected flash memory let an attacker with physical access extract firmware and credentials or take local control of the device, which can then support a later remote attack.

3 strategies and tools for protecting IoT

Protecting IoT devices from the vulnerabilities discussed above can be a challenge if you do not have robust device policies in place. The distributed nature of IoT devices requires that your tools and processes include centralized analysis. 

Your security strategies also need to take into account the evolving nature of IoT threats. You can’t rely on traditional antivirus or firewalls alone. The following tools and strategies can help you meet these needs.

1. Behavioral analytics

Behavioral analytics focuses on analyzing the behavior of users, entities and systems. It is typically accomplished through the inclusion of user and entity behavior analytics (UEBA) solutions.

UEBA solutions analyze data for patterns and create a baseline of “normal” activity from this data. The data analyzed can include real-time events, such as data flow and packet information, or previous events found in logs, reports and threat intelligence. 

UEBA solutions apply these baselines as a comparison for real-time activity. When activity does not match the accepted baseline, it is flagged and security teams are alerted to the behavior. 

You can use behavioral analytics to identify threats originating both inside and outside your organization. You can also use it to identify attacks carried out with compromised credentials, which signature-based tools have no way to recognize because every action is performed by a “valid” account.

You can use UEBA to detect threats that traditional systems cannot because it does not rely on attack signatures or malware identification in the way traditional tools do.
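The baseline-and-compare loop described above, reduced to a small worked example. This is an added illustration, not code from the original post or from any UEBA product: the flow records are constructed, the device names and scoring weights are assumptions, and a real system would learn over weeks of data rather than a dozen rows. Each device gets a profile of the destinations, ports, hours and transfer sizes it normally uses; live flows that depart from that profile accumulate a score, and scores above a threshold become alerts.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed flow records for illustration only:
# (device, hour_of_day, dst_ip, dst_port, bytes_out).
# TRAINING_FLOWS is the learning window; LIVE_FLOWS is scored against it.
TRAINING_FLOWS = [
    ("cam-01", 2, "10.0.0.5", 443, 1200), ("cam-01", 3, "10.0.0.5", 443, 1100),
    ("cam-01", 4, "10.0.0.5", 443, 1300), ("cam-01", 5, "10.0.0.5", 443, 1250),
    ("cam-01", 6, "10.0.0.5", 443, 1150), ("cam-01", 7, "10.0.0.5", 443, 1200),
    ("cam-01", 8, "10.0.0.5", 443, 1350), ("cam-01", 9, "10.0.0.5", 443, 1100),
    ("cam-01", 10, "10.0.0.6", 123, 90), ("cam-01", 11, "10.0.0.6", 123, 90),
    ("thermo-07", 0, "10.0.0.5", 8883, 300), ("thermo-07", 6, "10.0.0.5", 8883, 320),
    ("thermo-07", 12, "10.0.0.5", 8883, 290), ("thermo-07", 18, "10.0.0.5", 8883, 310),
]
LIVE_FLOWS = [
    ("cam-01", 3, "10.0.0.5", 443, 1180),            # routine upload
    ("cam-01", 3, "203.0.113.9", 23, 250),           # telnet to an outside host never seen before
    ("thermo-07", 2, "10.0.0.5", 8883, 48_000_000),  # known broker, but 48 MB at an odd hour
    ("thermo-07", 12, "10.0.0.5", 8883, 305),        # routine report
]


@dataclass
class Baseline:
    """What 'normal' looks like for one device during the learning window."""
    destinations: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    byte_mean: float = 0.0
    byte_sd: float = 1.0


def build_baselines(flows):
    by_device = defaultdict(list)
    for device, hour, dst, port, nbytes in flows:
        by_device[device].append((hour, dst, port, nbytes))
    baselines = {}
    for device, records in by_device.items():
        sizes = [r[3] for r in records]
        baselines[device] = Baseline(
            destinations={r[1] for r in records},
            ports={r[2] for r in records},
            hours={r[0] for r in records},
            byte_mean=mean(sizes),
            # floor the deviation so a perfectly constant history cannot divide by zero
            byte_sd=max(pstdev(sizes), 1.0),
        )
    return baselines


def score_flow(flow, baselines, z_threshold=3.0):
    """Return (score, reasons) for one live flow; weights are illustrative assumptions."""
    device, hour, dst, port, nbytes = flow
    base = baselines.get(device)
    if base is None:
        return 5, ["device never seen during learning window"]
    score, reasons = 0, []
    if dst not in base.destinations:
        score += 2
        reasons.append(f"new destination {dst}")
    if port not in base.ports:
        score += 2
        reasons.append(f"new port {port}")
    if hour not in base.hours:
        score += 1
        reasons.append(f"unusual hour {hour}")
    z = (nbytes - base.byte_mean) / base.byte_sd
    if z > z_threshold:
        score += 3
        reasons.append(f"volume z-score {z:.1f}")
    return score, reasons


def find_anomalies(live_flows, baselines, alert_threshold=3):
    """Flows whose score reaches the threshold, as (device, score, reasons)."""
    alerts = []
    for flow in live_flows:
        score, reasons = score_flow(flow, baselines)
        if score >= alert_threshold:
            alerts.append((flow[0], score, reasons))
    return alerts


if __name__ == "__main__":
    for device, score, reasons in find_anomalies(LIVE_FLOWS, build_baselines(TRAINING_FLOWS)):
        print(f"ALERT {device} score={score}: {'; '.join(reasons)}")
```

Two things worth noticing. The camera's telnet session to an outside host is flagged even though it is tiny, because it breaks the destination and port profile, while the thermostat's upload to its usual broker is flagged purely on volume. Neither needs a signature. The weak spot is the learning window: if a device was already compromised when you started learning, its malicious traffic becomes part of “normal”, so baselines should be reviewed, not just trusted.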

2. Vulnerability scanning

Vulnerability scanning helps you identify components in your devices and create an inventory that you can then monitor. During scanning, information such as operating systems, user accounts and open ports are collected. Many scanning tools also attempt to access system data directly or through the use of default credentials.

Once your inventory is created, scanning tools check your components and their configurations against vulnerability databases. If any components are found to contain vulnerabilities, these issues are highlighted to be addressed by your security team.

Vulnerability scanning does not directly protect your systems. Instead, it is a tool you can use to identify vulnerabilities that need to be addressed. Running periodic vulnerability scans can help you monitor your system components. It can also provide you with greater visibility of components, which enables you to better evaluate your attack surface. One caveat: aggressive scans can crash fragile embedded devices, so test scan profiles against a lab unit first and prefer passive discovery or lightweight checks for devices that control physical processes.
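The inventory-then-match step, as an added example that is not part of the original post and not the output of any real scanner. The scan findings, device names, product names, advisory identifiers (EXAMPLE-…) and fix versions are all constructed; the point is the logic: parse a product and version out of each service banner, compare the version against the catalogue's “fixed in” version numerically, and flag services that should not be exposed at all regardless of version. Numeric comparison matters because a string comparison would wrongly treat 1.10 as older than 1.9.

```python
import re

# Constructed scan findings, one per open port: (device, port, banner).
SCAN_RESULTS = [
    ("gw-01", 22, "SSH-2.0-OpenSSH_7.4"),
    ("gw-01", 80, "Server: lighttpd/1.4.35"),
    ("cam-02", 23, "Telnet: BusyBox v1.22.1"),
    ("cam-02", 554, "RTSP/1.0 Server: ExampleCam/2.10"),
    ("cam-02", 80, "Server: ExampleCam/2.10"),
]

# Constructed catalogue (not real advisories): product -> [(advisory_id, fixed_in, summary)].
# A version is affected when it is strictly older than fixed_in.
VULN_DB = {
    "OpenSSH": [("EXAMPLE-2019-0001", "7.7", "illustrative authentication weakness")],
    "lighttpd": [("EXAMPLE-2018-0002", "1.4.50", "illustrative request handling flaw")],
    "ExampleCam": [("EXAMPLE-2020-0003", "2.9", "illustrative default-credential issue")],
}

# Services that should never be reachable on an IoT device, whatever the version.
RISKY_PORTS = {23: "telnet (cleartext, usually default credentials)", 21: "ftp (cleartext)"}

BANNER_RE = re.compile(r"(OpenSSH|lighttpd|BusyBox|ExampleCam)[_/ v]+(\d+(?:\.\d+)*)")


def version_key(version):
    """'1.4.35' -> (1, 4, 35) so comparison is numeric, component by component."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_in):
    """True when installed is strictly older than fixed_in; '1.4' and '1.4.0' are equal."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def build_inventory(scan_results):
    """One record per open port; product/version are None when the banner is unrecognised."""
    inventory = []
    for device, port, banner in scan_results:
        match = BANNER_RE.search(banner)
        product, version = (match.group(1), match.group(2)) if match else (None, None)
        inventory.append({"device": device, "port": port, "product": product, "version": version})
    return inventory


def assess(inventory, vuln_db, risky_ports):
    """Findings as (device, port, finding_id, detail)."""
    findings = []
    for item in inventory:
        if item["port"] in risky_ports:
            findings.append((item["device"], item["port"], "exposed-service", risky_ports[item["port"]]))
        if item["product"] is None:
            continue
        for advisory_id, fixed_in, summary in vuln_db.get(item["product"], []):
            if is_vulnerable(item["version"], fixed_in):
                detail = f"{item['product']} {item['version']} < {fixed_in}: {summary}"
                findings.append((item["device"], item["port"], advisory_id, detail))
    return findings


if __name__ == "__main__":
    for device, port, finding_id, detail in assess(build_inventory(SCAN_RESULTS), VULN_DB, RISKY_PORTS):
        print(f"{device}:{port} {finding_id} {detail}")
```

The camera's firmware reports 2.10, which is newer than the 2.9 fix, so it is correctly left alone; its telnet service is still reported because the port policy is independent of version data. Real banners are messier than this (vendor suffixes such as “7.4p1”, backported fixes that keep the old version string), which is why authenticated checks and vendor advisories are needed to confirm what a banner suggests.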

3. Endpoint Detection and Response (EDR)

All IoT devices are endpoints. An endpoint is any device that connects to your network and can serve an attacker as a target or an entry point: laptops, servers, smartphones, routers, voice assistants and networked sensors all qualify. One caveat for IoT: many devices run constrained firmware that cannot host an EDR agent, so their telemetry has to come from the network (flow records, DNS logs, gateway logs) rather than from the device itself.

EDR solutions are a collection of tools you can use to detect, investigate and respond to suspicious events on endpoint devices. 

Unlike traditional host antivirus, which sees only the host it runs on, EDR tools monitor endpoints across your environment, collecting event and traffic data. This data is collected in a centralized database where EDR tools analyze it for anomalies. If suspicious activity is detected, security teams are alerted.

Often, EDR tools use machine learning in combination with threat intelligence or UEBA to identify threats that would otherwise go undetected. Many EDR systems can also respond automatically to suspicious events according to policies you set, for example by sandboxing (isolating) a suspicious application, quarantining the host or blocking an IP address. Automated response shortens the time between detection and containment and can reduce the damage an attacker is able to do.
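The detect-then-respond-by-policy loop, as an added example that is not code from the original post or from any EDR product. The endpoint events below are constructed; the rule (a shell spawned on a device, followed within a minute by an outbound connection from that shell to an address outside the internal ranges) and the response policy are assumptions chosen to show the shape of the logic. Response actions are planned and recorded rather than executed, and the example includes the caveat a practitioner would insist on: some devices must never be auto-isolated, because cutting a safety-critical controller off the network is itself an outage.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SHELLS = {"/bin/sh", "/bin/bash", "/bin/busybox"}
WINDOW_SECONDS = 60

# Constructed endpoint telemetry (not from any real agent), one dict per observed event.
EVENTS = [
    {"ts": 100, "host": "cam-02", "type": "process_start", "image": "/usr/bin/camd", "parent": "/sbin/init"},
    {"ts": 130, "host": "cam-02", "type": "process_start", "image": "/bin/sh", "parent": "/usr/bin/camd"},
    {"ts": 142, "host": "cam-02", "type": "net_connect", "image": "/bin/sh", "dst_ip": "198.51.100.7", "dst_port": 4444},
    {"ts": 150, "host": "gw-01", "type": "process_start", "image": "/bin/sh", "parent": "/usr/sbin/cron"},
    {"ts": 160, "host": "gw-01", "type": "net_connect", "image": "/bin/sh", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"ts": 400, "host": "gw-01", "type": "net_connect", "image": "/bin/sh", "dst_ip": "203.0.113.9", "dst_port": 80},
]

# Assumed response policy: severity -> ordered list of actions.
RESPONSE_POLICY = {"high": ["block_ip", "isolate_host"], "medium": ["block_ip"]}
# Assumed list of devices that may only be reported on, never isolated automatically.
NEVER_ISOLATE = {"plc-01"}


def is_external(ip_text):
    address = ipaddress.ip_address(ip_text)
    return not any(address in net for net in INTERNAL_NETS)


def detect_shell_callbacks(events, window=WINDOW_SECONDS):
    """Alert when a shell starts on a host and then connects externally within the window."""
    recent_shells = defaultdict(list)  # host -> [(start_ts, parent_image)]
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        host = event["host"]
        if event["type"] == "process_start" and event["image"] in SHELLS:
            recent_shells[host].append((event["ts"], event["parent"]))
        elif event["type"] == "net_connect" and event["image"] in SHELLS and is_external(event["dst_ip"]):
            # drop shell starts that are too old to be the source of this connection
            recent_shells[host] = [(t, p) for t, p in recent_shells[host] if event["ts"] - t <= window]
            for start_ts, parent in recent_shells[host]:
                alerts.append({
                    "host": host,
                    "severity": "high",
                    "dst_ip": event["dst_ip"],
                    "dst_port": event["dst_port"],
                    "parent": parent,
                    "ts": event["ts"],
                })
                break
    return alerts


def plan_response(alerts, policy=RESPONSE_POLICY, never_isolate=NEVER_ISOLATE):
    """Turn alerts into (action, target) pairs; isolation is downgraded for protected hosts."""
    actions = []
    for alert in alerts:
        for action in policy.get(alert["severity"], []):
            if action == "isolate_host" and alert["host"] in never_isolate:
                actions.append(("notify_only", alert["host"]))
            elif action == "block_ip":
                actions.append(("block_ip", alert["dst_ip"]))
            else:
                actions.append((action, alert["host"]))
    return actions


if __name__ == "__main__":
    found = detect_shell_callbacks(EVENTS)
    for alert in found:
        print(f"ALERT {alert['host']}: shell from {alert['parent']} -> {alert['dst_ip']}:{alert['dst_port']}")
    for action, target in plan_response(found):
        print(f"PLAN {action} {target}")
```

Only the camera trips the rule: its shell was spawned by the camera daemon and called out to an external address seconds later, which is the pattern of a command-injection foothold. The gateway's cron-spawned shell talks to an internal host inside the window and to an external one long after it, so neither connection correlates. Because the response is planned from a policy table, changing what happens for a given severity, or exempting a device, is a data change rather than a code change, which is how such rules should be reviewed and audited.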


IoT devices can provide a wealth of valuable information to organizations from a security management standpoint. These devices can also help keep teams productive and customers connected in a way that was previously not possible. However, the agile and distributed nature of IoT devices makes management challenging and creates a security risk. 

The right tools, combined with an awareness of how your devices are vulnerable, can help keep your systems and devices secure. We hope this article gave you information on which vulnerabilities you need to focus on and how you can address them.

Using the tools covered here, you can ensure that your security team is alerted as soon as an issue arises. Early detection enables you to quickly and efficiently address issues and keeps your devices secure. 

