IoT Security | IoT Device Security Management

What is Amazon IoT Device Defender

Amazon IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. Amazon IoT Device Defender continuously audits your IoT configurations to make sure that they aren’t deviating from security best practices. A configuration is a set of technical controls you set to help keep information secure when devices are communicating with each other and the cloud. Amazon IoT Device Defender makes it easy to maintain and enforce IoT configurations, such as ensuring device identity, authenticating and authorizing devices, and encrypting device data. Amazon IoT Device Defender continuously audits the IoT configurations on your devices against a set of predefined security best practices. Amazon IoT Device Defender sends an alert if there are any gaps in your IoT configuration that might create a security risk, such as identity certificates being shared across multiple devices or a device with a revoked identity certificate trying to connect to Amazon IoT Core.

Amazon IoT Device Defender also lets you continuously monitor security metrics from devices and Amazon IoT Core for deviations from the expected behaviors for each device. You can define the appropriate behavior for your devices or use machine learning to model the regular device behavior based on historical data. If something doesn’t look right according to defined behaviors or ML models, Amazon IoT Device Defender pushes an alarm so you can take action to mitigate the issue. For example, traffic spikes in outbound traffic might indicate that a device is participating in a DDoS attack. Amazon IoT Greengrass and Amazon FreeRTOS automatically integrate with Amazon IoT Device Defender to provide security metrics from the devices for evaluation.

Amazon IoT Device Defender can send alarms to the Amazon IoT Console, Amazon CloudWatch, and Amazon SNS. If you determine that you need to take an action based on an alarm, you can use Amazon IoT Device Defender built-in mitigation actions such as adding a thing to a thing group (for example, quarantine) or Amazon IoT Device Management to take additional mitigation steps such as pushing security fixes.

Why is IoT security important

Connected devices are constantly communicating with each other and the cloud using different kinds of wireless communication protocols. While communication creates responsive IoT applications, it can also expose IoT security vulnerabilities and open up channels to malicious actors or accidental data leaks. To protect users, devices, and companies, IoT devices must be secured and protected. The foundation of IoT security exists within the control, management, and set up of connections between devices. Proper protection helps keep data private, restricts access to devices and cloud resources, offers secure ways to connect to the cloud, and audits device usage. An IoT security strategy reduces vulnerabilities using policies like device identity management, encryption, and access control.

What are the challenges with IoT security

A security vulnerability is a weakness which can be exploited to compromise the integrity or availability of your IoT application. IoT devices by nature, are vulnerable. IoT fleets consist of devices that have diverse capabilities, are long-lived, and are geographically distributed. These characteristics, coupled with the growing number of devices, raise questions about how to address security risks posed by IoT devices. To further amplify security risks, many devices have a low-level of compute, memory, and storage capabilities, which limits opportunities for implementing security on devices. Even if you have implemented best practices for security, new attack vectors are constantly emerging. To detect and mitigate vulnerabilities, organizations should consistently audit device settings and health.

Amazon IoT Device Defender helps you manage IoT security

Audit device configurations for security vulnerabilities

Amazon IoT Device Defender audits IoT configurations associated with your devices against a set of defined IoT security best practices so you know exactly where you have security gaps. You can run audits on a continuous or ad-hoc basis. Amazon IoT Device Defender comes with security best practices that you can select and run as part of the audit. For example, you can create an audit to check for identity certificates that are inactive, revoked, expiring, or pending transfer in less than 7 days. Audits make it possible for you to receive alerts as your IoT configuration is updated.

Continuously monitor device behavior to identify anomalies

Amazon IoT Device Defender detects anomalies in device behavior that may indicate a compromised device by monitoring high-value security metrics from the cloud and Amazon IoT Core and comparing them against expected device behavior that you define. For example, Amazon IoT Device Defender lets you define how many ports are open on the device, who the device can talk to, where it is connecting from, and how much data it sends or receives. Amazon IoT Device Defender also allows you to use machine learning models to set device normal behavior, for example, the number of times your devices connect with Amazon IoT cloud every five minutes. Then, it monitors the device communication and traffic and alerts you if something looks wrong according to defined behaviors or ML models, like traffic from devices to a known malicious IP or a spike in connection attempts.

Receive alerts and take action

Amazon IoT Device Defender publishes security alarms to the Amazon IoT Console, Amazon CloudWatch, and Amazon SNS when an audit fails or when behavior anomalies are detected so you can investigate and determine the root cause. For example, Amazon IoT Device Defender can alert you when device identities are accessing sensitive APIs. Amazon IoT Device Defender also provides built-in mitigation actions you can take to minimize the impact of security issues such as adding a thing to a thing group (for example, quarantine), updating a device certificate, replacing default policy version and enabling IoT logging.

How does Amazon IoT Device Defender work

Amazon IoT Core provides the security building blocks for you to securely connect devices to the cloud and to other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging and end-to-end encryption. However, human or systemic errors and authorized actors with bad intentions can introduce configurations with negative security impacts.

Amazon IoT Device Defender helps you to continuously audit security configurations for compliance with security best practices and your own organizational security policies. For example, cryptographic algorithms once known to provide secure digital signatures for device certificates can be weakened by advances in the computing and cryptanalysis methods. Continual auditing allows you to push new firmware updates and redefine certificates to ensure your devices stay ahead of malicious actors.

Amazon IoT Device Defender also enables you to monitor your device fleets to detect any abnormal device behavior by defining static thresholds or using machine learning models. For example, malicious malware may infect your devices and engage them in botnet attacks against remote hosts. Ongoing monitoring of device behaviors including packets out, bytes out and destination IPs can provide the starting point for you to identify a botnet infection and remediate the issue.

When to use Amazon IoT Device Defender for IoT security

When you connect your devices to Amazon IoT Core, it provides the security building blocks for you to securely connect devices to the cloud and to other devices. The building blocks allow enforcing security controls such as authentication, authorization, audit logging and end-to-end encryption. However, human or systemic errors and authorized actors with bad intentions can introduce configurations with negative security impacts.

Continuous compliance and adoption of security best practices

The Amazon IoT security team is continuously updating a knowledge base of security best practices. Amazon IoT Device Defender makes this expertise available in a service and simplifies the process of auditing best practices within your Amazon IoT environment and monitoring device operational and security anomalies on an ongoing basis. Amazon IoT Device Defender helps you reduce the risk of introducing security issues during the development and deployment of your IoT application by automating the security assessment of your cloud configurations and device fleets so you can proactively manage security issues before they impact production.

Attack surface evaluation

With Amazon IoT Device Defender, you can identify attack vectors applicable to your specific IoT devices. Having this visibility allows you to prioritize eliminating or hardening the relevant system components based on the operational requirements. For example, you can configure Amazon IoT Device Defender to detect use of insecure network services and protocols with known security weaknesses. Upon detection, you can plan the appropriate remediation to prevent unauthorized device access or possible data disclosure.

Threat impact analysis

Amazon IoT Device Defender can facilitate impact analysis of publicly or privately disclosed attack campaigns on your IoT devices. You can define detection rules in Amazon IoT Device Defender based on known indicators of compromise to identify vulnerable devices or devices already compromised. For example, the detection rules can monitor IoT devices for indicators such as network connections to known malicious command and control servers and backdoor service ports open on devices. You can also turn on ML Detect in Amazon IoT Device Defender based on machine learning models using historical device data and identify abnormality of device behaviors without you needing to define normal behavior thresholds. For example, ML Detect can continuously ingest and evaluate IoT device message size data and identify message size anomalies, which can point to issues such as credential abuse.

Customers

“Amazon IoT Device Defender provides device behavior monitoring that is a must-have for any IoT company that is building a secure infrastructure.”

- Franz Garsombke, CTO, Rachio

"SolarNow’s business reputation and revenue model is built on zero-tolerance of any controllable service disruption. Amazon IoT Device Defender and Eseye global AnyNet Secure connectivity is the easiest, quickest, and most cost-effective way for us to achieve and scale a high level of device security and anomaly detection. This protects our customers from service interruptions and SolarNow’s reputation for excellent customer service.”

- Peter Huisman, CTO, SolarNow