Market Trends: Grow Your IoT Security Business by Investing in Real-Time Discovery, Visibility and Control

Published: 31 January 2017 ID: G00320238

Summary

"Real-time discovery, visibility and control" has become important in planning for IoT security. Technology product management leaders must understand detection, identification and security trends for all IoT devices connecting to the infrastructure to grow IoT security business revenue.

Overview

Key Findings

  • Full enterprise visibility into all varieties of IoT devices that are both on-network and off-network, along with the detection of interactions between these devices, is now a prerequisite to IoT security.

  • Real-time discovery, visibility and control solutions are typically less expensive than complete NAC offerings and may be "good enough" for buyers (for example, network managers) who are seeking only visibility into the devices that are on their networks.

  • In addition to traditional on-premises solutions, IoT requires true subscription-based business, delivery and management models, as well as pricing that scales to IoT device volumes.

Recommendations

To grow their IoT security business, technology product management leaders should:

  • Enable full wired and wireless device visibility by offering agentless discovery capabilities, in addition to agent-based technologies in their product portfolio.

  • Satisfy security needs of a variety of IoT endpoints by cautiously building vulnerability scanning capabilities into their products across all types of communications, radio frequencies and protocols.

  • Enable buyers to avoid the perils of specific providers' expensive upgrades to the latest software and hardware by designing "vendor-agnostic" and "easy-to-deploy" discovery, profiling and visibility products.

  • Support new IoT usage scenarios by offering subscription-based business models based on the number of endpoints or size and characteristics of the IoT project.

Introduction

Endpoints of the Internet of Things (IoT) are estimated to grow at a 32.9% compound annual growth rate (CAGR) from 2015 through 2020, reaching an installed base of 20.4 billion units (see "Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, 2016"). These IoT endpoints come in all shapes and sizes. Some of them are "dumb" devices, while some are "smart." Some of them are resource-constrained, while others are resource-full. The type of communications they leverage varies as well, from Wi-Fi, ZigBee, Z-Wave and Bluetooth, to varied types of radio frequencies. Not having visibility into all of these IoT endpoints and networks is a top concern for chief information security officers (CISOs); for more information, see "Real-Time Discovery, Visibility and Control Are Critical for IoT Security." In the consumer and industrial IoT verticals, lack of network and device visibility is a top concern of CISOs responsible for security and risk management, as they don't know what assets they have, if assets are connected to the internet or not, and if protection is required. Discovery is a prerequisite to IoT security.

Real-time discovery, visibility and control market trends and vendors that we discuss in this document cater to the needs of buyers dealing with varied types of endpoints. These vendors offer products and services to discover any type of IoT endpoint that is independent of the communication protocol used. Their products and services provide visibility into IoT networks and endpoints so that end users can know what types of connected IoT assets they have and then secure them.

The diversity of the IoT also makes IoT device and network discovery, visibility and control hard to architect and manage for IoT solution architects. Users, smart and dumb devices, IoT gateways, platforms, applications, and services play a role in IoT solutions. These "users and entities" must be discovered, profiled and managed to establish a secure and trusted IoT. IoT demands trusted authentication, device onboarding, behavior monitoring, distributed vulnerability scanning, risk assessments, policy enforcements and trusted communication to and from any type of device.

To address these issues, security mechanisms that leverage IoT asset discovery, visibility and control are gaining momentum in consumer and industrial verticals. This report examines three market trends and associated technologies that have propelled the rise of security via discovery, visibility and control in the IoT era (see Figure 1).

Figure 1. Market Trends in Securing IoT via Discovery, Visibility and Control

ICS = industrial control system

Source: Gartner (January 2017)

As these trends gather steam, Gartner believes that discovery, visibility and control will soon become a mandatory part of many IoT solutions. Similar to other IoT environments, an appropriate partnering strategy is paramount to be successful in this marketplace.

Market Trend

Full Enterprise Visibility Into All Varieties of IoT Devices That Are Both On-Network and Off-Network, Along With the Detection of Interactions Between These Devices, Is Now a Prerequisite to IoT Security

Technology advancements, industry initiatives and research projects regarding IoT security are highlighting the growing demand for strategies and solutions that provide discovery, visibility and control into IoT assets, devices and networks for the enterprise. The global information security market is forecast to grow at a CAGR of 7.8% from 2016 through 2020, with healthy growth in many segments (see "Forecast Analysis: Information Security, Worldwide, 2Q16 Update"). Real-time discovery, visibility and control serves as one solution to address cyberattacks on varied types of IoT assets and data. Discovery, visibility and control solutions are increasingly being accepted as a way to establish protection from hackers and from malicious software and malware attacks. The need to develop guarded and secure IoT network infrastructures has generated the demand for these products.

A number of drivers are intensifying the demand for discovery, visibility and control solutions. These include:

  • Bring your own device (BYOD) requirements

  • Data security needs for IoT data flows

  • Rogue IoT device detection

  • Bluetooth and other wireless security evolutions

  • Compliance with regulations and guidance regarding IoT security

  • IoT incident response needs

  • Asset discovery of varied known and unknown types of IoT devices in enterprise infrastructure

  • Endpoint profiling of IoT endpoints

Agentless design and endpoint profiling and authentication capabilities have further led to expansion:

  • Enhanced ease of deployment and diminished system complexity, due to agentless design of products when compared with their agent-based counterparts, have further led to the expansion of discovery, visibility and control market trends. Growing adoption of IoT and machine-to-machine (M2M) communications added significantly to demand.

  • Improvements in endpoint profiling and authentication mechanisms to control network access for all IoT endpoints; proliferation of artificial intelligence technologies to profile and model the behavior of IoT endpoints; an increased number of radio frequency (RF) IoT devices and the possibility of RF-based attacks on the enterprise; and the need for broad-spectrum endpoint visibility have all led to market expansion.

In "Market Guide for IoT Security," real-time discovery, visibility and control vendors are being classified as capable of addressing the evolving enterprise IoT network security needs.

Buyer Trend

IoT discovery, visibility and control software is widely used in the energy and utilities, finance, healthcare, manufacturing, and retail sectors. Increased focus on endpoint profiling of new types of IoT assets in these sectors, as well as wireless IoT device protection in and outside of enterprise networks, will drive growth in coming years. These sectors have stringent security requirements, and they often invest in solutions to find unauthorized device connections and users. These solutions help safeguard business continuity and support security risk and threat management. Because discovery, visibility and control solutions are vendor-agnostic and do not require agents to run at endpoints, they are able to scale to IoT volumes.

The market for IoT security products will grow as a function of the industry sector's adoption of IoT and will address risks in specific sector use cases (see "Forecast: IoT Security, Worldwide, 2016"). Due to the distributed nature of IoT and the large volume of IoT devices, buyers are looking for solutions that are not priced per device.

Regional Trend

  • North America: The use of real-time discovery, visibility and control products is expected to gain prominence in North America. IoT security via discovery, visibility and control will likely be a profitable area, and several vendors are making strong investments in solutions. These factors have helped drive growth prospects in the region.

  • Asia/Pacific: Asia/Pacific is likely to become a profitable region for the industry. Increased adoption of mobile, social and RF technologies is expected to contribute significantly to the growth in the region.

Technology Trend

On the technology front, security providers from diverse backgrounds are using different approaches to discovery, visibility and control of IoT vulnerabilities. The following highlights some example capabilities:

  • Use of artificial intelligence to model the normal behavior of IoT endpoints and use of that model to test the current behavior of IoT endpoints to detect anomalies

  • Monitoring of new radio-borne threats in rogue cell towers, rogue Wi-Fi hot spots, rogue Wi-Fi access points; vulnerable wireless keyboards; vulnerable wireless mice; unapproved cellular devices (for example, 2G Global System for Mobile Communications [GSM], 3G wideband code division multiple access [WCDMA] and 4G Long Term Evolution [LTE]); unapproved wireless cameras; new thermostats and building sensors that transmit on frequencies like ZigBee (short range) or LoRa (up to a one mile range); and vulnerable building alarm systems, such as window, door and motion detectors

  • Bluetooth data exfiltration

  • Continuous indexing of all devices connected to the public internet

Recommendations:

  • Offer agentless discovery capabilities, in addition to agent-based technologies, for full wired and wireless device visibility.

  • Build vulnerability scanning across all types of radio frequencies and protocols to satisfy security needs of a variety of resource-constrained IoT devices.

  • Design vendor-agnostic and easy-to-deploy discovery, profiling and visibility products that won't require expensive upgrades to the latest software and hardware from specific vendors.

  • Implement subscription- and usage-based business models to address new devices and usage scenarios. Basing pricing on the number of endpoints can get expensive for clients focusing on IoT use cases.

Traditional NAC Vendors and Products Are Evolving in Support of IoT

As reflected in "Market Guide for Network Access Control," network access control (NAC) solutions are a natural fit to address IoT security challenges. Visibility has long been a key driver for NAC, as network managers often implement NAC products to show the mix of devices on their corporate networks. As the IoT trend gains momentum, and the quantity and diversity of endpoints on the networks grow, this mix of devices will become more diverse and more numerous. NAC vendors are in a good position to evolve their products to discover and profile IoT devices, as well as to enforce the appropriate network policies (for example, block or allow network access).

NAC vendors face competition from several pure-play IoT security vendors. In "Market Guide for Network Access Control," Gartner identifies four categories of IoT security. The vendors categorized as "real-time visibility and control" are the ones that will likely be competing for the same IoT budget dollars as NAC vendors. This includes vendors such as Bastille, Great Bay Software, Pwnie Express, Qadium and ZingBox, although they also represent possible partnership opportunities.

Buyer Trend

NAC solutions have been purchased traditionally by the network manager, since they are the ones that need the visibility into which devices are connected to their network. Even in the era of IoT, early indications reflect that it remains the network manager that is driving the purchases of IoT security solutions, whether they be from an NAC vendor or from a specialty IoT real-time visibility and control vendor. Visibility is the key feature to emphasize. While many network managers will speak of the requirement to enforce policies (for example, blocking a noncompliant device from accessing the network), this is rarely done in enterprise environments. Instead, the trend has been for network managers to use these solutions to monitor which devices are connecting to their networks. When they receive alerts about noncompliant devices, they often prefer to respond manually versus automatically. The manual response gives the network manager a chance to explore why a device is noncompliant, instead of automatically blocking the device (and its user) from the network. We expect this trend of manual response to continue as we see more IoT devices connected to the network.

Technology Trend

We have seen an early trend, in which strong discovery and "profiling" technology are important for succeeding in the market for IoT security. This trend mimics developments in the NAC market, where we continue to see a broad range of profiling capabilities. Some vendors provide only passive profiling — they monitor network traffic and, based on the patterns they see, categorize endpoints into specific profiles (for example, printer, telephone, security camera, PC and so forth). Other vendors also add active profiling, probing an endpoint with Nmap and interpreting the response, to get a more accurate categorization of the device.

As IoT gains momentum, we expect a strengthening of the trend in which a diverse set of devices accesses the network. This trend represents an opportunity for NAC vendors, which should continually aim to strengthen their profiling technology. In addition to delivering active and passive profiling, NAC vendors can work closely with device manufacturers to include device "templates" in their solutions. For example, device templates would more accurately identify endpoints, such as security cameras, HVAC systems, printers and other devices that connect typically to corporate networks.
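A sketch of the passive profiling and device "template" idea described above, as an added example that is not from the report or from any vendor's product. The flow records, MAC addresses, template weights and the 0.5 cut-off are constructed assumptions; only the port numbers are standard service ports.

```python
from collections import defaultdict

# Device templates: weighted traffic features expected from each profile.
# A feature is (role, protocol, port), where role is the device's side of the
# flow. Ports are well-known service ports; the weights are assumptions.
TEMPLATES = {
    "printer": {
        ("server", "tcp", 9100): 3,  # raw printing
        ("server", "tcp", 631): 2,   # IPP
        ("server", "tcp", 515): 2,   # LPD
    },
    "telephone": {
        ("client", "udp", 5060): 3,  # SIP registration / calls
        ("server", "udp", 5060): 2,
    },
    "security camera": {
        ("server", "tcp", 554): 3,   # RTSP video stream
        ("server", "tcp", 80): 1,    # embedded web UI
    },
    "PC": {
        ("client", "tcp", 445): 2,   # SMB file shares
        ("server", "tcp", 3389): 2,  # RDP
        ("client", "tcp", 443): 1,
        ("client", "udp", 53): 1,
    },
}
MIN_SCORE = 0.5  # assumed cut-off below which a device stays uncategorized

INFRA = "02:00:00:00:00:01"  # constructed: gateway and servers lumped together
# Constructed flow records: (src_mac, dst_mac, protocol, dst_port).
SAMPLE_FLOWS = [
    ("02:00:00:00:00:0b", "02:00:00:00:00:0a", "tcp", 9100),
    ("02:00:00:00:00:0b", "02:00:00:00:00:0a", "tcp", 631),
    ("02:00:00:00:00:0b", INFRA, "tcp", 443),
    ("02:00:00:00:00:0b", INFRA, "udp", 53),
    ("02:00:00:00:00:0b", INFRA, "tcp", 445),
    (INFRA, "02:00:00:00:00:0c", "tcp", 554),
    ("02:00:00:00:00:0d", INFRA, "udp", 5060),
    ("02:00:00:00:00:0e", INFRA, "tcp", 1883),  # MQTT: no template covers it
]


def observe(flows):
    """Build a per-device feature set from passively captured flow records."""
    features = defaultdict(set)
    for src_mac, dst_mac, proto, dst_port in flows:
        features[src_mac].add(("client", proto, dst_port))
        features[dst_mac].add(("server", proto, dst_port))
    return features


def score(template, seen):
    """Fraction of the template's total weight that was actually observed."""
    matched = sum(w for feat, w in template.items() if feat in seen)
    return matched / sum(template.values())


def classify(seen):
    """Return (profile, score); weak or tied matches are left as 'unknown'."""
    ranked = sorted(
        ((score(tpl, seen), name) for name, tpl in TEMPLATES.items()),
        reverse=True,
    )
    best_score, best_name = ranked[0]
    if best_score < MIN_SCORE or best_score == ranked[1][0]:
        return "unknown", best_score
    return best_name, best_score


def profile_network(flows):
    """Map every MAC address seen in the flows to a profile name."""
    return {mac: classify(seen)[0] for mac, seen in observe(flows).items()}


if __name__ == "__main__":
    for mac, profile in sorted(profile_network(SAMPLE_FLOWS).items()):
        print(f"{mac}  {profile}")
```

Devices that come back as "unknown" are the ones a network manager would hand to active profiling or review manually.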

Some of the IoT security vendors have technology that discovers devices that are off the corporate network, such as Bluetooth devices and others that emit radio signals (for example, cellular and wireless dongles). These vendors may be good partners or acquisition targets for the larger NAC vendors.

Recommendations:

  • Continually enhance your profiling technology to ensure that it accurately discovers and categorizes traditional network devices, as well as IoT devices.

  • Monitor the activity of IoT security vendors, particularly those that specialize in device visibility and control. These solutions are typically less expensive than complete NAC offerings and may be "good enough" for network managers that are seeking only visibility into the devices that are on their networks. NAC vendors that seek to expand into the IoT market should consider partnering or even acquiring a pure-play IoT vendor.

IT/OT Integration, Proliferation of IoT Devices in Industrial Settings and the Disappearance of the "Air Gap" Will Demand Visibility Into Industrial Assets for a Secured ICS

The information culture of IT and the engineering culture of operational technology (OT) in many industries are already in a convergence and alignment process. This has resulted in changes to governance, organization and infrastructure to create a strategic approach to both software security and physical security concerns in those industries. These changes occur in part due to the introduction of IT and IoT infrastructure. IoT infrastructure in the form of sensors, actuators, networks and services support the ability of industrial IoT (IIoT) to enhance, extend and replace OT infrastructure, where needed.

Former strategies of network isolation through air gaps (that is, physical separation of networks to achieve isolation) commonly practiced between IT and OT networks are now supplemented and/or replaced with more-refined techniques of both isolation and segmentation. These isolation and segmentation techniques could potentially involve unidirectional gateways and industrial bridges supporting proprietary or specific network and application protocols. In IIoT, not all networks are created equal, and the different classes of devices and networks require new or expanded forms of segmentation as they are linked to IT networks.

These changes, whether introduced by OT modernization, IT infrastructure used in OT scenarios or new IIoT requirements, have similarities in approach. They all require some means of discovering and identifying the connected assets; determining and tracking their characteristics, attributes and entitlements on the network; and managing this asset information over time, preferably in a seamless and integrated manner, with traditional IT techniques of doing the same.

A strategic digital security practice for a network of IT, OT, IoT and physical security devices depends on this foundation of visibility and asset management. The directory or database of "entities" (whether people, devices or applications) serves as a basis for access control, prevention, protection, anomaly and incident detection and response, and remediation in a digital security system.

Buyer Trend

Many of the tools needed to succeed in embracing a total digital security strategy are already owned by buyer organizations; namely:

  • Asset management, identity and access management (IAM)

  • Enterprise mobility management

  • Anomaly detection and response

  • Different forms of firewalls

However, some buyer organizations, particularly those with OT assets, may require modified or upgraded versions of those tools, depending on the requirements and extent of IoT devices embraced. The majority of organizations, though, will use digital security consulting and system integration services primarily to develop architecture, design and management approaches to digital security.

Buyers also will need to evaluate and use cloud-based security solutions to supplement their existing IT security systems, should specialization due to device type or use case demand it.

Manufacturing, transportation, utilities and healthcare are growth areas for IoT, due primarily to their industrial requirements:

  • In manufacturing, tracking product components and products through a supply chain, assuring their integrity for use in mission-critical systems, and identifying and securing connected components in complex machines (such as automobile control and infotainment systems) are all examples of discovery, visibility and control.

  • In utilities, using sensors and actuators in smart grid environments to assess performance, perform power generation, transmission and distribution functions, and maintain such environments requires a means to secure those components.

  • In the commercial and consumer sectors, building automation, facilities management, retail, information and entertainment markets will represent significant growth opportunities in the underlying industrial systems required to build, distribute and maintain them (see "Forecast: IoT Security, Worldwide, 2016").

Regional Trend

The requirement for discovery, visibility and control of OT environments is global. Overall growth for digital security in OT is also global, although early estimates indicate that the North American and the Asia/Pacific regions will have considerable momentum in most areas, while EMEA and South America will have slightly less momentum. Because discovery, visibility and control needs are not confined to digital security, the markets in those regions for such solutions (both in terms of revenue and size) are estimated to be greater than that of digital security estimates derived from primary research. Most of these regions will realize this growth predominantly in services.

Each region's OT security need will depend on a number of factors that include:

  • Economic growth and opportunity

  • The need for infrastructure modernization and/or expansion

  • The regulatory environment of countries within that region associated with cybersecurity

  • The pace of technical standards development across OT and IoT security

  • That organization's role in supply chains for delivering digital solutions for OT

Technology Trend

Technology growth will expand across the physical spectrum of industrial IoT and control systems, as well as the software spectrum:

  • Passive discovery techniques will allow for finding industrial assets on networks sensitive to active scanning techniques that are frequently performed by IT security products. Identification, visualization and asset tracking functionalities are expanding to include specialized industrial assets and IIoT devices. This same functionality can be used for traditional mobile devices, tablets, laptops and servers, and to accurately display mesh network and other network configurations found in industrial IoT networks.

  • Advances in embedded security technologies will improve cryptography, authentication and detection. Efforts to establish a hardware "root of trust" will join existing software-based root-of-trust approaches to establish a life cycle of device integrity.

  • Anti-tampering designs, trusted execution environments and support for network diversity (wired and wireless, Internet Protocol [IP] and non-IP) are evolving and integrating with existing IT security technologies.

  • Advanced machine-learning techniques are evolving to address specific security use cases. They not only model industrial IoT devices and networks, but also improve product or service functionality when tracking devices in real-time, event-driven industrial environments.

  • Deep packet inspection methods are being used to get information on industrial devices and the processes.

  • A model for an "identity of things" will evolve to integrate asset management, IAM and other security disciplines required to maintain attributes and entitlements of entities in an IoT network. This model will allow organizations to leverage existing tools to enhance an IoT security architecture and develop a dynamic approach to discovery, visibility and control.

  • A device-to-cloud security strategy will accelerate the integration of security broker technologies into IoT networks. Cloud-based IoT security services for discovery, asset tracking, monitoring and detection will expand, particularly for small or midsize businesses (SMBs) as their use of IoT devices expands.

  • Device testing and certification will expand across multiple verticals to address vertical-specific concerns, and will incorporate device application security testing and operational requirements.

Recommendations:

  • Build products with features that can modify an enterprise architecture to incorporate an "identity of things" view of devices such as programmable logic controllers (PLCs), industrial PCs, human-machine interfaces (HMIs) and OT services delivered to customers that can be incorporated into customer networks and systems.

  • Expand discovery and asset tracking functionality in product portfolios that extend across the supply chain by improving coordination tools and integration techniques between asset management and identity management solutions.

  • Leverage technological advances in areas such as cloud-based services, embedded security, machine learning and wireless networking to improve discovery, visibility and control functionality in OT and industrial IoT security product and service offerings.

Vendors to Watch

Table 1 outlines several providers gaining traction in IoT security via the discovery, visibility and control market. This is not intended as a comprehensive or priority list.

A growing ecosystem of providers is seeking to cater to IoT security via discovery, visibility and control requirements. Involvement in this field comes from different backgrounds — from large, established NAC vendors and operational technology security providers to specialist, niche startups.

Table 1. IoT Security Vendors With Real-Time Discovery, Visibility and Control Product Capabilities

| Vendor | Product Capabilities |
| --- | --- |
| Aruba, a Hewlett Packard Enterprise company | Network visibility and policy enforcement. Based on 802.1X platform. ClearPass Exchange enables integration with key technology partners. |
| Auconet | Deployed most commonly as an agentless solution, based on 802.1X. Also offers a multitenant solution to MSSPs offering managed NAC services. |
| Bastille | Identification of threats, response, location awareness for RF devices and visibility into devices on-premises. |
| Bradford Networks | Endpoint profiling on wired and WLANs. Network visibility and policy enforcement. Sharing of contextual data and alerts with other security vendors. |
| Cisco | 802.1X-based solution. The pxGrid ecosystem provides a "publish/subscribe" model to distribute contextual information and alerts to all partners. |
| Claroty | Monitoring and detection. Builds asset inventory, network views and view filters. |
| CyberX | Primarily vulnerability assessment, investigation, threat intelligence. Develops and maintains OT asset inventory to do so. |
| Dragos | Passive asset discovery and visualization. |
| Extreme Networks | Solution includes out-of-band and in-band appliances. Primary use case is for Extreme's switch and WLAN customers. |
| ForeScout Technologies | Agentless baselining of Windows and OS X endpoints. ControlFabric API enables integration with key technology partners. |
| Great Bay Software | IoT discovery and visibility, device onboarding and behavior monitoring. |
| Impulse | Aimed primarily at the higher education and K-12 markets. Solution is delivered as a cloud-managed service. |
| InfoExpress | Solution includes out-of-band and in-line appliances. Also the Dynamic NAC option uses agent-based enforcement. |
| Nextnine | Primarily definition and monitoring of security policies and access management. Develops asset inventory with discovery and visualization to do so. |
| PAS | Primarily inventory, configuration change, patch and compliance management. Develops and maintains inventory of OT assets to do so. |
| Portnox | Agentless-based approach. Primarily midmarket-focused. Also offers a cloud-based service aimed at MSPs that deliver NAC functionality. |
| Pulse Secure | 802.1X-based solution. The company also offers a VPN solution and a mobile security solution. |
| Pwnie Express | Discovery, tracking and monitoring of IoT devices, device threat detection and distributed vulnerability scanning. |
| Qadium | Indexing of devices connected to internet. Discover changes across internet and provide visibility into IoT networks. |
| Senrio | Discovery, risk scoring and visualization. |
| Sentryo | Basic asset discovery and tracking for use in other functions. |
| ZingBox | Machine-learning-based IoT security, discovery, visibility, insights, risk assessment, and policy enforcement. |

MSP = management service provider
MSSP = managed security service provider
WLAN = wireless LAN

Source: Gartner (January 2017)

Acknowledgments

The author would like to acknowledge the input and review of the following Gartner analysts: Tim Zimmerman, Denise Rueb, Nathan Nuttall, Kevin Knox and Peter Middleton.

Evidence

The analysis and advice provided in this document are built from constant scanning of the market, as well as the aggregation of analyst experience and ongoing interactions with end users and technology and service providers. We have used a range of sources, including:

  • Gartner customer inquiries and conversations with end users and vendors

  • Discussions between Gartner analysts with expertise in key security technologies for IoT markets

  • Secondary research on IoT and related technology announcements, and reports from consortia and security bodies, as cited throughout this document