It seems the mass media reports every day on some large organization getting hacked. But the situation faced by the consumer and SOHO markets often goes “under the radar.” This underreporting can lead to a false sense of security. Sometimes, though, indicators leak out. For example, several years ago, it was reported that electronic car theft was on the rise: thieves had exploited vulnerability in wireless key fobs’ interfaces, and these crimes were now exceeding the number of physical break-ins nationwide. This indicates that not only does the nation state pirate have the capability to perform cybercrime, the neighborhood crook does as well. 

Now, with the profusion of IoT devices, crooks can not only steal your identity, they can break into your home or small office and steal whatever they want. The loss might include physical items as well as critical family and business records, and there can be unintended collateral damage. Irreplaceable family photos can be lost, basic functions of the physical home or office can be damaged, and more. For someone with health problems, or who is working in the medical industry, the damage can even be (or have) life-threatening repercussions. 

Rules for basic security

The United States FTC has become so concerned about consumer and SOHO IoT devices being shipped without adequate initial security that it created some rules to require basic password security. Let’s look at an example. In the Netherlands, a farmer put smart-Internet-connected tags on cows. Hackers took control of the unused cycles (the overwhelming majority) to mount DDoS attacks (Distributed Denial of Service, which involve bombarding a system with so many simultaneous connects or transactions that it collapses, forcing the system owner to pay ransom). The cow tags numbered in the hundreds. When hackers started using thousands of baby monitors and children’s toys to mount DDoS attacks, the FTC was compelled to take action.  

These rules are a good start, but they do not come close to solving the problem. Having the most basic security in IoT products when they are shipped is good. What is truly needed is a way to configure these products in a secure fashion in the context of the suite of products (including gateways, etc.) in a physical or virtual location. Because of software updates, new product additions, and more, “configure and forget” is simply not good enough. There must be a way to reconfigure devices and products to meet changing conditions. Even the best set-up cannot be assumed to be 100 percent effective in keeping hackers out. There must be a better way to detect successful breaches and remediate them.

Looking at CSPs and the potential

Today, CSPs are the primary way that users in the consumer and SOHO markets connect to the Internet. As such, they touch each user’s Internet portal. Furthermore, they have geographically distributed resources—very important for technical reasons discussed below. Finally, they already have a billing relationship with the users. This puts them in a unique position to launch a cost-effective service to protect, detect, and remediate cyberattacks. Finally, many of them already have experience offering security as a service (SASS, more commonly called MSSP). The challenge is that these MSSP services, being highly manual expensive offerings, don’t scale to the consumer and SOHO markets. 

Moving to these markets requires a very large increase in scale, complexity, and volatility. Corporate-focused MSSP services are already:

• Drowning in behavioral data that is key to detecting attacks that get through the outer defenses;
• Struggling with the profusion of products, layers of technology, and generations;
• Running as fast as they can to keep up with the speed of change.