CTO, CISO & DPO, Virtually Informed and, Founder, Unified Security (respectively)

March 2, 2022


The role of security convergence in protecting network airspace security

Technology has been a primary driver behind the evolution of security over the last 25 years. Here, Sarb Sembhi and James Willison, Consultants for the IFSEC Converged Security Centre, highlight the growth of internet-connected devices impacting on corporate networks, and the challenges for security teams in protecting their network airspace as a result of this trend.

What do we mean by network airspace?

As the name suggests, Network Airspace consists of everything ‘in the air’ around your corporate offices which is connecting to a network. Getting a better understanding of it enables corporations to more efficiently assess how people and the technology they are carrying are connecting to the corporate network. It will also provide insight into the technology outside your network which may be attempting to analyse your network more than you currently do.

Tools to understand your network airspace are no different than tools to understand who comes in and out of your building, or who and what connects to your wired network – it is just another tool in your arsenal to better understand security risks and determine the appropriate response based on policies and response playbooks.


IFSEC and the converged security debate

For 2022, the Converged Security Theatre is back. Partnering with Advancis, we will showcase technologies making converged security a reality.

When the two of us first started to talk about convergence at industry events it was obvious that there were many uses of the term, and although some overlapped, others didn’t, with conversations including the following:

  • Communications convergence – this included telecoms convergence of voice calls over the internet, and separately the convergence of wired hardware from using coaxial wires to using networking wires. This leads us conveniently to convergence related to networks.
  • Wired convergence – we use the term loosely, in that whereas once devices may have had their own separate type of cable, today they can all share the same existing networking cables.
  • Technology convergence – this again meant so many things to different professions and industries. It includes the standardisation of many of the hardware and software components that make up a computing or security device or service.
  • Security convergence – this has been called many different things over the last 25 or so years, but the drivers for it are to provide a more effective single team to respond to any and all security related risks with all the relevant information to hand.

As technology has enabled a growth of IoT devices with increased processing power, for security staff this will impact many aspects of converged security.

So, what’s changed?

Everything and nothing! What we mean by nothing is that the outcomes to be achieved remain similar, however the tools we have available to achieve them through technology have changed a lot. Such tools and systems include CCTV and surveillance systems, access control systems, fire and intruder systems, HVAC, lifts and escalators – these are still operated by the same teams and people that always operated them.

But there is now greater input from other departments, and in particular due to the technology involved, the IT and cyber security teams. Here, we illustrate why everything has changed in this regard with a few examples:

  • Growth of IoT – for years we have been hearing and reading analyst reports and security vendors warning of the impending doom of the billions of connected devices we would see by the year 2025. Increasingly, more and more of the technology we see developed each day is based on some aspect of IoT, even if the final product is not considered to be IoT, such as vehicles. The technology components going into them are converging as standard components more than ever, due to the sensory or programmed functionality they provide out of the box.
  • Mobile phones – most of today’s smart phones are more powerful than any computer that a world leader had on their desk 10 years ago, not only in processing terms but also in networking capability and connection terms; they can send and receive data quicker than ever. Further, they come equipped with fast 3G-5G, Bluetooth, NFC, Infra-red, etc. Finally, they are able to provide a point of presence (equivalent to the routers of yester-year) for several devices.
  • Personal Devices – one of the biggest growth areas of IoT products has been personal consumer devices including watches, health monitors and children’s toys. Similar to mobile phones these all connect to other devices for control and data sharing. They are designed so that the powerful functionality is all part and parcel of being connected via Wi-Fi, or at least Bluetooth.
  • Smart everything – this has to include smart homes, smart buildings, smart cities, smart manufacturing/industry, smart white goods, and more. Each of these contributes to the whole by the number of connection points it creates, as well as the vulnerabilities it exposes which would previously not have existed. Some of these connections are 3G-5G, and have their own network rather than piggy-backing your corporate one.
  • IoT components – the software and hardware going into components has been converging to a point where embedded systems, OS’s, modules (encryption, connection, etc.), services, applications, code libraries, etc. are standardised, such that a vulnerability in a single component used in multiple types of devices and systems will make all those users vulnerable – creating greater impact.
  • Point of Presence – this basically means that a device is able to create the equivalent of a hotspot for (an)other device(s) to connect to it. For example, the same technology available to printers called Wi-Fi Direct can and has been implemented by many other devices – all of which end up either opening an otherwise secure network to an open one, or just another big security hole amongst other existing security holes.
  • Wired vs wireless – once upon a time all network connections were wired, and wireless entered the corporate world as “shadow IT”, however most organisations now provide some form of wireless connectivity for staff use.
  • Internal wireless vs surrounding wireless airspace – the way wireless networks work is that to be available they have to be willing to accept a connection from another device and communicate the request back. This essentially means that despite choosing to make your network SSID hidden, it is still visible through passive listening. So, no matter what your organisation does or does not attempt to hide, it is visible to anyone listening.


What does this mean?

There are many impacts from the above list, but some of the main cyber security related issues include:

  • Wireless technology connections are already more prominent than wired connections. Whereas wired networks and connections are hidden from anyone outside of your network, wireless connections are visible to everyone. On wireless networks your whole wireless infrastructure is exposed in ways that your wired infrastructure isn’t.
  • Infrastructure which was once wired became more attractive to implement on the basis that it could use existing wired networking infrastructure, alongside power over ethernet and wireless networks. This means that we need to be protecting all our infrastructure in ways that we didn’t need to previously.
  • Our desire for networking connections at both a personal and corporate level is a bigger driving force for purchasing decisions than most other considerations, despite some obvious security issues.
  • The standardisation of components leading to a greater number of devices and people being affected has raised the value of discovering vulnerabilities in these components for malicious use compared to the past.

Put simply, there has been a huge increase in the number of devices on corporate networks in recent years, and they will only continue to grow. The growth in the types of connectivity options available makes understanding what is and is not a corporate network more complex. Current estimates are that the secure wired connections make up only around a maximum of 20% of all network connections in most organisations.

To put that into perspective further, most organisations will have an average of 10-15 wireless networks around their airspace, but there are likely to be over 1500 networks around their office site. These other networks may include other nearby corporate networks, but also hotspots created by users, or their technology such as tablets and cars.
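The triage this implies, as an added example that is not part of the original article: sorting a wireless survey into sanctioned access points, Wi-Fi Direct points of presence, hidden SSIDs and everything else. The inventory, SSIDs and BSSIDs are constructed sample data, and the function names are hypothetical.

```python
# Added example: triage a wireless airspace survey against the corporate inventory.
# All SSIDs, BSSIDs and the inventory below are constructed sample data.
from collections import Counter

# Hypothetical inventory of sanctioned access points: BSSID -> SSID.
SANCTIONED_APS = {
    "02:00:00:aa:00:01": "CorpNet",
    "02:00:00:aa:00:02": "CorpNet",
    "02:00:00:aa:00:03": "CorpGuest",
}

# Constructed observations, as a passive survey tool might export them.
SURVEY = [
    {"bssid": "02:00:00:aa:00:01", "ssid": "CorpNet"},
    {"bssid": "02:00:00:aa:00:03", "ssid": "CorpGuest"},
    {"bssid": "02:00:00:bb:00:09", "ssid": "CorpNet"},            # not in inventory
    {"bssid": "02:00:00:cc:00:10", "ssid": "DIRECT-7F-Printer"},  # Wi-Fi Direct group
    {"bssid": "02:00:00:dd:00:11", "ssid": ""},                   # hidden SSID beacon
    {"bssid": "02:00:00:ee:00:12", "ssid": "Alex's Phone"},       # personal hotspot
    {"bssid": "02:00:00:aa:00:02", "ssid": "\x00\x00\x00\x00"},   # sanctioned, hidden
]


def classify(obs, inventory=SANCTIONED_APS):
    """Return a triage label for one observed network."""
    bssid = obs["bssid"].lower()
    ssid = obs["ssid"].strip("\x00")  # hidden SSIDs beacon as empty or NUL-filled
    if bssid in inventory:
        return "sanctioned"
    if ssid in inventory.values():
        return "corporate-ssid-unlisted-ap"  # review: corporate name, unknown radio
    if ssid.startswith("DIRECT-"):
        return "wifi-direct"                 # device acting as a point of presence
    if not ssid:
        return "hidden-unknown"              # name withheld, BSSID still observed
    return "other"                           # neighbours, user hotspots, vehicles


def triage(survey, inventory=SANCTIONED_APS):
    """Label every observation and return (labelled rows, counts per label)."""
    rows = [(o["bssid"], o["ssid"].strip("\x00"), classify(o, inventory)) for o in survey]
    return rows, Counter(label for _, _, label in rows)


if __name__ == "__main__":
    rows, counts = triage(SURVEY)
    for bssid, ssid, label in rows:
        print(f"{bssid}  {ssid or '<hidden>':<20} {label}")
    print(dict(counts))
```

Only the first label means "known and expected"; the other four are the part of the airspace that a converged team would feed into its policies and response playbooks.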

Mark Dodge, Chief Business Officer, at Kaseware, adds: “The proliferation of networked devices presents significant challenges to those that are tasked with managing and mitigating risk on behalf of their organisations; not only with respect to keeping pace with existing and emerging threats, but also in how best to manage and make sense of the vast amounts of information that these threats provide. A comprehensive converged security strategy should include data aggregation and data analysis tools to reveal hidden links in the mountains of information, thereby enhancing the ability to detect and defend against multiple types of security threats.”

What does this mean for security convergence?

The general aim around utilising security convergence has always been to provide a single view of security risks so that they can be responded to most effectively. In a physical building it is possible to control the entry and exit points, and monitor known employees compared with visitors via physical access control systems. Much like this, in a wired network it is possible to monitor all entry points, since they go through a firewall, VPN and other networking infrastructure.

However, with more devices and services operating on the wireless networks where anyone can set up their own connections, security teams need to monitor not just people and their computers, but also the corporate surveillance systems, building infrastructure, printers, coffee machines, and personal devices.

What we are now seeing is a more complex set of relationships between a human, their traditional devices, newer devices, infrastructure devices, their uses, their interconnections, and so forth.

This is exactly the type of challenge that a modern converged security operations centre (SoC) will need to consider, as it will no longer be obvious who or what is a vulnerability based on what can be seen on a CCTV camera, whether that is an innocent laptop connecting to the network or a smart watch with a known app but an unknown malicious exploit.

Understanding the context of communications which are often not seen and the technology behind them, as well as the individual, is becoming ever more important.

Learn about the future of Converged SoCs

To learn more about how a converged security operation can better protect your network airspace and physical security devices, come and join us at IFSEC International in London between 17-19 May, where industry thought leaders will be presenting on sector use cases and exploring how convergence works in real-world scenarios. Advancis is the official converged security partner for 2022, with several technology partners also set to join the feature on the show floor.

 
