The ‘stuff’ of technology can seem like it rules our lives: business technology, home management systems, consumer wearable tech. For people in information security, for a long time it was all about devices, servers, networks and things with flashing lights. The ‘stuff’ of networks and network security (firewalls, switches, HIDS, packet sniffers, spam filters, and so on) defined how we thought about the discipline, but as we’ve learned, ‘stuff’ doesn’t grab your CEO’s password. Nor does it steal the design for your new cell phone, or rip off your entire customer database from your data center. People do that. At times it’s on purpose, and sometimes by accident. But when you dig far enough, you’ll find a person at the bottom of pretty much every major breach.

For the past several years, as a society and an industry, we’ve paid a high price for not focusing first and foremost on people. A price paid in records lost, credit cards stolen and the collective weight of increasing government oversight through compliance mandates. But there really is light at the end of the tunnel as we now shift to think in terms of the identity of the user, their behavior and the context of their activity set against what is normal for them. We are, slowly but surely, moving away from the failed, device-centric mindset of ten or more years ago. However, we now run the risk of falling back into those very same bad habits, only this time on a much, much larger scale.

The Internet of Things (IoT) promises so much. Ubiquitous, on-tap computing power that is so deeply embedded in our lives that it’s everywhere, all the time. Sensors in cars that track our driving skills, body sensors that watch our health, smart power grids acting on information based on the behaviors of suppliers and consumers, smarter houses that know when we’re away, manufacturing processes that are self-monitoring and self-correcting – the list is dizzying.

And so the question arises, how are we going to keep all this ‘stuff’ safe and secure? 

Here we are again; we’re lured into thinking about all those devices and making them safe. Yet the simple, brutal answer is that to make all the things that comprise the IoT safe and secure wouldn’t require just good programming, it would require an act of God. We’ve been unable to make devices secure when there are a few million of them, so any attempt to build a fully secure IoT is nothing short of downright quixotic. So rather than repeat the whole sorry process, why not skip to the end and start thinking now about how to look for the behavior that indicates which devices have been attacked? We can learn from the last five years by taking the approaches we’ve used with the ‘Internet of Fallible Humans’ and extending them to the ‘Internet of Hackable Things.’

What would this look like? The focus would be to build in the ability to look for changes in behavior that indicate something is amiss. Understand the full context of what the device is. Give every device, every actuator, every sensor an identity, and manage them. Monitor activity, watch the data flow, check for changes, because when someone hacks one of these devices, there will be changes. Changes in behavior, based on an understanding of what type of device it is, and therefore what is normal, are the best, perhaps only, indicator that the device is under attack, especially when there will be so very many devices, consumer and otherwise, inside our corporate and personal networks.
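One way to implement the per-device-type behavior check described above, as an added example that is not part of the original article. The device names, hosts, flow values and the three-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed inventory: each managed device identity maps to a device type.
INVENTORY = {"therm-01": "thermostat", "therm-02": "thermostat", "cam-01": "camera"}
# Constructed flow records: (device_id, destination, port, bytes_sent)
BASELINE = [
    ("therm-01", "hvac.example.net", 8883, 410),
    ("therm-02", "hvac.example.net", 8883, 395),
    ("therm-01", "hvac.example.net", 8883, 425),
    ("cam-01", "video.example.net", 443, 90_000),
    ("cam-01", "video.example.net", 443, 110_000),
]
OBSERVED = [
    ("therm-01", "hvac.example.net", 8883, 420),     # normal
    ("therm-02", "198.51.100.7", 23, 380),           # peer never seen for this type
    ("therm-01", "hvac.example.net", 8883, 52_000),  # far above thermostat volume
    ("cam-01", "video.example.net", 443, 105_000),   # large, but normal for a camera
    ("plug-09", "hvac.example.net", 8883, 400),      # no managed identity
]

def build_profiles(flows, inventory):
    """Learn, per device type, the peers contacted and typical bytes per flow."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for dev, dest, port, nbytes in flows:  # baseline flows come from managed devices
        dtype = inventory[dev]
        peers[dtype].add((dest, port))
        sizes[dtype].append(nbytes)
    return {t: {"peers": peers[t], "mean": mean(sizes[t]), "std": pstdev(sizes[t])}
            for t in peers}

def detect(flows, profiles, inventory, k=3.0):
    """Return (device_id, reason) for each flow that departs from its type's norm."""
    alerts = []
    for dev, dest, port, nbytes in flows:
        dtype = inventory.get(dev)
        if dtype is None or dtype not in profiles:
            alerts.append((dev, "unknown-identity"))
            continue
        prof = profiles[dtype]
        if (dest, port) not in prof["peers"]:
            alerts.append((dev, "new-peer"))
        # Floor the spread at 10% of the mean so a very tight baseline is not noisy.
        limit = prof["mean"] + k * max(prof["std"], 0.1 * prof["mean"])
        if nbytes > limit:
            alerts.append((dev, "volume-spike"))
    return alerts

if __name__ == "__main__":
    print(detect(OBSERVED, build_profiles(BASELINE, INVENTORY), INVENTORY))
```

The same 52,000-byte flow that is flagged for a thermostat would pass for a camera, which is why the baseline is keyed on device type rather than applied network-wide.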

Most importantly, monitoring identities and behavior is also the best way for businesses to stay ahead of the bad guys. Trying to guess what attack vector they will use next and head them off is always a losing proposition, because they have all the time in the world to think of a new one. But once they are in, it’s essentially impossible to make use of the device without changing its behavior, which tips us off that we need to take action.

I’m hopeful that this time we’ll really get it right. That this time, we won’t focus on the ‘stuff,’ and it’ll all be ok. Because, let’s be honest, we’ve got it wrong plenty of times before.