Endpoints are destinations of transmission activity within your IoT networks. While many IoT networks adhere to a hub/spoke architecture (sometimes referred to as a Star network), other models (such as a mesh network where IoT devices can talk to each other) are also becoming prevalent.
Monitoring the number of sources and destinations that communicate with an IoT deployment is useful to ensure that devices only interact with known and trusted servers. New or unexpected connections may indicate unauthorized communication channels and compromised devices.
Each endpoint is a potential attack vector. Compromising a single node can have a cascading impact, effectively compromising the network.
This information is tracked in the Destination Endpoints dashboard widget. The widget provides a filtered list of all sources and destinations that were active on that day, and all the information needed to triage activity, such as:
- The number of devices.
- Data volumes.
- Ports and protocols that were used.
As part of a deep forensic analysis, you can click through the list of destination addresses to identify all devices that transacted with a specific URL on a specific day. This view presents additional information, such as:
- The device identifiers.
- The amount of data sent.
- The connection port used.
- The connection protocol used.
From there, you can drill down to specific devices to identify all communication to and from these devices.
If you click a device checkbox, you have the option to Block Endpoint(s) or Allow Endpoint(s).
Note: The Block/Allow feature is supported only for Fusion NA devices.
Threat Analysts or SOC Analysts can subsequently use the date selector to identify how and when these devices were compromised. Additionally, they can take one or more remediation actions, such as:
- Enforce a Connection Lock that prevents access to unauthorized endpoints or IP addresses.
- Block traffic to/from the device.
- Patch the device (out-of-band).
See Edit SIMs for details.
The ability to monitor the source or destination IPs contacted by an IoT network can be a powerful tool to detect malicious activity. Events such as pivoting attacks or device hijacking (for data theft) can severely disrupt business continuity.
To take closed-loop remediation action, you can click Block SIM to block the device in-line. A pop-up window appears. Read how blocking SIM works, and then click YES, BLOCK.
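The per-destination summary and the per-destination device drill-down described above can be reproduced offline from exported flow records to check for destinations outside a known-good list. This is an added example, not the product's own code or API; the record layout, the `TRUSTED` allowlist, the function names and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (day, device_id, destination, port, protocol, bytes_sent)
FLOWS = [
    ("2024-05-01", "dev-001", "telemetry.example.com", 8883, "tcp", 1200),
    ("2024-05-01", "dev-002", "telemetry.example.com", 8883, "tcp", 900),
    ("2024-05-01", "dev-002", "198.51.100.23", 8080, "tcp", 52000),
    ("2024-05-01", "dev-003", "ntp.example.com", 123, "udp", 96),
    ("2024-05-01", "dev-003", "198.51.100.23", 8080, "tcp", 300),
    ("2024-05-02", "dev-001", "telemetry.example.com", 8883, "tcp", 1100),
]
# Assumed allowlist of known, trusted destinations for this deployment.
TRUSTED = {"telemetry.example.com", "ntp.example.com"}


def summarize(flows, day):
    """Per-destination summary for one day: devices, data volume, ports/protocols."""
    summary = defaultdict(lambda: {"devices": set(), "bytes": 0, "services": set()})
    for d, device, dest, port, proto, nbytes in flows:
        if d != day:
            continue
        entry = summary[dest]
        entry["devices"].add(device)
        entry["bytes"] += nbytes
        entry["services"].add((port, proto))
    return dict(summary)


def unexpected_destinations(summary, trusted):
    """Destinations outside the allowlist, widest device spread first."""
    hits = [dest for dest in summary if dest not in trusted]
    return sorted(hits, key=lambda dest: (-len(summary[dest]["devices"]), dest))


def devices_for(flows, day, destination):
    """Drill-down: bytes sent per device to one destination on one day."""
    per_device = defaultdict(int)
    for d, device, dest, _port, _proto, nbytes in flows:
        if d == day and dest == destination:
            per_device[device] += nbytes
    return dict(per_device)


if __name__ == "__main__":
    day = "2024-05-01"
    summary = summarize(FLOWS, day)
    for dest in unexpected_destinations(summary, TRUSTED):
        print(dest, summary[dest], devices_for(FLOWS, day, dest))
```

Sorting by device count puts a destination contacted by several devices ahead of a one-off, which is the order a triage pass usually wants.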