Introducing Behavioral Analysis for Devices – Exabeam Entity Analytics
According to Gartner, over 8 billion IoT devices were in use in 2017. Eight billion! Many of these devices are vulnerable because of default credentials, unpatched or proprietary software, or a lack of management (or all three). Recent stories of CCTV cameras used to mount denial of service attacks, compromised HVAC systems used to gain entry into corporate networks, medical devices hacked to disrupt patient care, and even drones used to compromise IoT light bulbs illustrate the scope of the problem.
Unlike a PC or a mobile phone, these devices don’t necessarily have a user in the conventional sense. Sure, they may have an admin or service account, but for a lot of IoT devices it’s set it and forget it. Nobody logs in and uses the device day to day, so there is no user behavior to analyze.
Which leaves you with device behavior. Entity Analytics works by first establishing a baseline for each device, which represents its normal behavior. Against that baseline, the product analyzes activity in the device’s logs to look for suspicious deviations, including:
• attempting to reach internal or restricted servers and network segments the device does not normally access
• uploading or downloading larger than usual volumes of data
• sending traffic to unusual destinations, on unusual ports, or in unusual patterns

If an investigation is required, an analyst can click through to see the device’s full activity in a timeline, shown below in Figure 2. In this case the device “Rogue_One” has triggered several security alerts for visiting malicious and suspicious domains, has a number of failed logins, and has made outbound network connections on abnormal ports. Each of these adds risk points to the device’s overall risk score.
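To make the baseline-then-score idea above concrete, here is a small added Python example. It is not Exabeam’s code and does not reproduce the product’s actual models; the event fields, the three-sigma volume threshold, and the point values per finding are all assumptions chosen for illustration, and the log events are constructed inline. It learns a per-device baseline (known destination ports and domains, typical bytes out) from one window of events, then scores a second window for the “Rogue_One” behaviors described in the text: an abnormal port, a large upload to a new domain, a malicious-domain alert, and repeated failed logins.

```python
"""Toy device-behavior baseline and risk scoring (added example, not Exabeam code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical point values per finding; a real product tunes these per model.
POINTS = {
    "abnormal_port": 10,
    "large_upload": 15,
    "new_domain": 5,
    "malicious_domain": 20,
    "suspicious_domain": 10,
    "failed_login": 5,
}

# Constructed baseline window: what each device normally does.
BASELINE_EVENTS = [
    {"device": "Rogue_One", "type": "netflow", "bytes_out": b, "dst_port": 443,
     "domain": "firmware.vendor.example"} for b in (1000, 1100, 900, 1000, 1050)
] + [
    {"device": "Lobby_Cam", "type": "netflow", "bytes_out": 1000, "dst_port": 443,
     "domain": "firmware.vendor.example"},
    {"device": "Lobby_Cam", "type": "netflow", "bytes_out": 1000, "dst_port": 443,
     "domain": "firmware.vendor.example"},
]

# Constructed detection window: Lobby_Cam stays normal, Rogue_One does not.
WINDOW_EVENTS = [
    {"device": "Lobby_Cam", "type": "netflow", "bytes_out": 1000, "dst_port": 443,
     "domain": "firmware.vendor.example"},
    {"device": "Rogue_One", "type": "netflow", "bytes_out": 1020, "dst_port": 443,
     "domain": "firmware.vendor.example"},
    {"device": "Rogue_One", "type": "netflow", "bytes_out": 50000, "dst_port": 443,
     "domain": "drop.bad.example"},
    {"device": "Rogue_One", "type": "netflow", "bytes_out": 900, "dst_port": 6667,
     "domain": None},
    {"device": "Rogue_One", "type": "alert", "verdict": "malicious",
     "domain": "drop.bad.example"},
    {"device": "Rogue_One", "type": "auth", "user": "admin", "result": "fail"},
    {"device": "Rogue_One", "type": "auth", "user": "admin", "result": "fail"},
    {"device": "Rogue_One", "type": "auth", "user": "root", "result": "fail"},
]


def build_baseline(events):
    """Per device: known destination ports and domains, plus a bytes_out threshold.

    The threshold is mean + 3 * stdev of observed bytes_out, with a floor of 1 byte
    on the stdev so a device with perfectly constant traffic is not flagged by noise.
    """
    seen = defaultdict(lambda: {"ports": set(), "domains": set(), "bytes": []})
    for e in events:
        if e["type"] != "netflow":
            continue
        s = seen[e["device"]]
        s["ports"].add(e["dst_port"])
        if e.get("domain"):
            s["domains"].add(e["domain"])
        s["bytes"].append(e["bytes_out"])
    baseline = {}
    for dev, s in seen.items():
        threshold = mean(s["bytes"]) + 3 * max(pstdev(s["bytes"]), 1.0)
        baseline[dev] = {"ports": s["ports"], "domains": s["domains"],
                         "bytes_threshold": threshold}
    return baseline


def score_event(baseline, e):
    """Return the (reason, points) findings a single event contributes."""
    findings = []
    if e["type"] == "netflow":
        b = baseline.get(e["device"])
        if b is None:
            return findings  # no learned baseline, so nothing to compare against
        if e["dst_port"] not in b["ports"]:
            findings.append(("abnormal_port", POINTS["abnormal_port"]))
        if e["bytes_out"] > b["bytes_threshold"]:
            findings.append(("large_upload", POINTS["large_upload"]))
        if e.get("domain") and e["domain"] not in b["domains"]:
            findings.append(("new_domain", POINTS["new_domain"]))
    elif e["type"] == "alert" and e["verdict"] in ("malicious", "suspicious"):
        key = e["verdict"] + "_domain"
        findings.append((key, POINTS[key]))
    elif e["type"] == "auth" and e["result"] == "fail":
        findings.append(("failed_login", POINTS["failed_login"]))
    return findings


def risk_scores(baseline, events):
    """Aggregate findings into a per-device score plus the reasons behind it."""
    scores = {e["device"]: {"score": 0, "reasons": []} for e in events}
    for e in events:
        for reason, pts in score_event(baseline, e):
            scores[e["device"]]["score"] += pts
            scores[e["device"]]["reasons"].append(reason)
    return scores


if __name__ == "__main__":
    for dev, r in risk_scores(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS).items():
        print(f"{dev}: score={r['score']} reasons={r['reasons']}")
```

The point of the split between `build_baseline` and `score_event` is that "abnormal" is only defined relative to what a given device has done before: port 6667 is flagged for Rogue_One because it has only ever used 443, not because 6667 is inherently bad, and a device with no learned baseline is deliberately not scored rather than guessed at.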

