1. Get Real-Time, Granular Visibility to Understand Asset Risks
The connected devices on Palmer College campuses include everything from laptops and printers to thermal imaging systems and security cameras. While faculty computers are relatively easy to monitor and update, securing internet-connected medical devices and operational technology is vastly more complicated.
We need these devices to educate our students. But many of these machines hold massive amounts of data, some of which is confidential and must be protected.
Unlike other higher education IT assets, medical devices and operational technology are expected to be in use for 10 years or more. These devices often run on older (sometimes proprietary) operating systems that can’t be easily updated or patched without taking them offline — and any time a medical device has to be taken offline, it’s costly to our college.
This created quite a conundrum for us, considering that any connected device can be compromised by cybercriminals. We realized it’s essential to have real-time, granular visibility into all the devices on our network at any given moment. Classifying the devices by make, model, serial number and operating system is also important. This level of detail will reveal the vulnerabilities each device brings, such as recalls or obsolete operating systems that could be easily compromised.
2. Know Where Your Assets Are in Your Network
While it’s important to profile devices in granular detail, along with the risks they bring, this step alone is not enough. You also need to understand where each device is in relation to your network’s topology.
Understanding a device at a network topology level (such as VLAN or subnet) is important for security and compliance. For example, you don’t want a lab device to be on the same VLAN as a vulnerable vending machine because one contains sensitive data.
As a part of your incident response strategy, you need to be able to quickly locate exactly which building, hallway and room a high-risk device is in. If you’re trying to segregate a potentially compromised device, you might also want to know the VLAN and subnet associated with the device so that you can create the appropriate segmentation policies to isolate the machine.
Having a real-time asset inventory can potentially save you from wasting hours locating devices during an emergency.
3. Know How Your IT Assets Communicate
Unlike users, devices have very specific communication patterns. If you understand what the normal baseline behavior is, you can detect unusual behaviors that may indicate a potential compromise.
You will also want to map device communication patterns so you can monitor devices that are communicating to the internet or those that are using supervisory protocols (such as Remote Desktop Protocol, Secure Shell or Telnet). You can even use these communication patterns to ensure devices are working correctly.
For example, are your managed devices communicating to the anti-virus update server? Integration with Active Directory also enables you to monitor which user is accessing what device and when, correlating this data with the network they logged in from and maintaining an accurate access record for each device user.
Before finding an automated solution, we used a security information and event management system to identify suspicious traffic, and we manually matched IP addresses to VLANs and switches to find devices. Obviously, this approach couldn’t scale.