Getting visibility into potential threats from the emerging Internet of thing world isn't just about knowing a device is present, but also what it's doing. Security vendor ForeScout on May 26 announced an update to its CounterACT platform that provides enhanced visibility into IoT, all the way down to the power levels used by devices as an indicator of potential risk.
ForeScout has a rapid-release software methodology that is similar to a software-as-a-service (SaaS) approach, though technically CounterACT is not a SaaS offering, according to Rob Greer, the company's chief marketing officer and senior vice president of products.
"The CounterACT platform is delivered as a core software version—in this case, 7.0 and pluggable software modules that facilitate in-service upgrades," Greer told eWEEK. "These specific capabilities are offered in new versions of the Switch and Wireless software modules for CounterACT 7.0."
The CounterACT platform itself provides Network Access Control (NAC) capabilities among its numerous features. CounterACT has preadmission enrollment capabilities that limit endpoint network access until endpoint posture is determined to be compliant, he said. If an endpoint is compliant, the endpoint's network access is changed to the appropriate level for that user and endpoint device type. If the endpoint is not compliant, CounterACT initiates remediation activities. Once the endpoint is validated to be compliant by CounterACT, the network access is changed to the appropriate level for that user and endpoint device type, Greer said.
As part of the existing feature set, CounterACT could already discover Power over Ethernet (PoE) devices and classify them in some cases based on generic techniques such as monitoring their network traffic.
"The new capabilities enhance the classification of PoE devices based on their identification strings and power consumption profile," Greer said. "For example, security badge readers can be classified distinctly from security cameras rather than being identified as embedded Linux devices."
Simply detecting a power spike in a connected device doesn't necessarily mean that the device is infected with malware or is under attack. Greer noted that it can't be readily distinguished whether a power spike was induced by malware or by legitimate heavy usage.
There are, however, some use cases where power utilization can indicate a risk. For example, if a switch port goes from no PoE consumption to PoE power consumption and the location of the switch is such that no PoE devices should ever connect. As such, based on a CounterACT policy, that PoE port is shut down.
Another example is if a switch port is known to have a video surveillance camera with PoE power consumption of a specific number of watts. Later it is determined that the port is no longer drawing power, but still sending and receiving data. The port is disabled due to the potential security risk that an alternative device is connected to that port.
"With IoT device proliferation growing to over 30 billion devices by 2020, we will continue to add new ways of discovering and classifying IoT devices," Greer said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.