Zingbox, a cloud-based internet-of-things security startup, is releasing its first product, which it says can distinguish normal IoT device behavior from abnormal behavior and send alerts when it sees activity outside the norm.
Called Guardian, the solution consists of a virtual appliance that gathers and processes network traffic data and sends it to the Zingbox cloud, where it is analyzed for anomalies. When they are found, it can send alerts to security staff or intervene automatically via integration with firewalls, says May Wang, a founder of the company and its CTO.
Zingbox's cloud analyzes metadata gathered from mirror ports on switches and uses it to discover all of the IoT devices on the network, identify the class of each device and even its make and model. Machine-learning algorithms in the cloud set a baseline of normal behavior for each device, drawing on the traffic observed from that device as well as on data Zingbox has gathered from similar devices owned by other customers.
For example, a hospital might have a GE X-ray machine. The Guardian virtual appliance would gather metadata from that machine and the cloud engine would analyze its behavior. The analysis would also tap data Zingbox has gathered from other customers’ GE X-ray machines and from X-ray machines made by other manufacturers. All of this input is used to establish what is typical, acceptable behavior of the machine in question, Wang says.
The algorithm builds a whitelist of acceptable activity for each device and uses it to catch the abnormal; a flow outside the whitelist triggers a response in the virtual appliance. The response can be an alert to a human security analyst or an automated response via firewalls, Wang says. Most customers choose to route the alerts to a person rather than let the platform block traffic automatically.
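The baselining and whitelisting approach described above, reduced to a runnable sketch. This is an added example, not Zingbox code: it takes constructed flow metadata of the kind a mirror-port collector would summarise (device, device class, destination host, port, protocol), learns a per-device whitelist plus a per-class whitelist, and then scores a second batch of flows. The per-class set stands in for the cross-customer data the article mentions; here it is only built from peer devices on the same sample network. Device names, hosts and the `auto_block` switch are all assumptions made for illustration.

```python
"""Per-device whitelist baselining over IoT flow metadata (illustrative only).

Added example; the flow records below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed learning-phase flows: (device_id, device_class, dst_host, dst_port, proto)
LEARNING_FLOWS = [
    ("xray-01", "xray", "pacs.hospital.local", 104, "tcp"),              # DICOM to PACS
    ("xray-01", "xray", "pacs.hospital.local", 104, "tcp"),
    ("xray-01", "xray", "ntp.hospital.local", 123, "udp"),
    ("xray-02", "xray", "pacs.hospital.local", 104, "tcp"),
    ("xray-02", "xray", "vendor-support.example.com", 443, "tcp"),       # vendor telemetry
    ("xray-02", "xray", "ntp.hospital.local", 123, "udp"),
    ("cam-07", "ip-camera", "nvr.hospital.local", 554, "tcp"),           # RTSP to recorder
]

# Constructed monitoring-phase flows to score against the learned baselines
MONITOR_FLOWS = [
    ("xray-01", "xray", "pacs.hospital.local", 104, "tcp"),              # normal
    ("xray-01", "xray", "vendor-support.example.com", 443, "tcp"),       # new here, seen on peer xray-02
    ("xray-01", "xray", "198.51.100.23", 6667, "tcp"),                   # never seen on any X-ray: high
    ("cam-07", "ip-camera", "nvr.hospital.local", 554, "tcp"),           # normal
    ("cam-07", "ip-camera", "10.0.0.5", 445, "tcp"),                     # camera reaching for SMB: high
]


def build_baselines(flows):
    """Learning phase: the set of (dst_host, dst_port, proto) tuples each device
    was seen using, plus the union of those per device class (peer baseline)."""
    per_device = defaultdict(set)
    per_class = defaultdict(set)
    for dev, cls, host, port, proto in flows:
        key = (host, port, proto)
        per_device[dev].add(key)
        per_class[cls].add(key)
    return dict(per_device), dict(per_class)


def inventory(flows):
    """Device inventory as a by-product of discovery: class -> sorted device ids."""
    seen = defaultdict(set)
    for dev, cls, *_ in flows:
        seen[cls].add(dev)
    return {cls: sorted(devs) for cls, devs in seen.items()}


@dataclass
class Alert:
    device: str
    destination: tuple
    severity: str   # "low" or "high"
    reason: str
    action: str     # "alert" or "quarantine"


def detect(flows, per_device, per_class, auto_block=False):
    """Monitoring phase: flows inside the device's own whitelist are silent;
    flows only known from peers of the same class raise a low-severity alert;
    flows unknown to the device and its whole class raise a high-severity one.
    auto_block=False keeps a human in the loop, which the article says most
    customers prefer; True escalates high-severity hits to a quarantine action."""
    alerts = []
    for dev, cls, host, port, proto in flows:
        key = (host, port, proto)
        if key in per_device.get(dev, set()):
            continue
        if key in per_class.get(cls, set()):
            severity, reason = "low", "new for this device but normal for its class"
        else:
            severity, reason = "high", "never seen for this device or any peer"
        action = "quarantine" if (auto_block and severity == "high") else "alert"
        alerts.append(Alert(dev, key, severity, reason, action))
    return alerts


if __name__ == "__main__":
    per_dev, per_cls = build_baselines(LEARNING_FLOWS)
    print("inventory:", inventory(LEARNING_FLOWS))
    for a in detect(MONITOR_FLOWS, per_dev, per_cls):
        print(f"[{a.severity}] {a.device} -> {a.destination}: {a.reason} ({a.action})")
```

The whitelist is deliberately coarse (host, port, protocol): the article's point that fixed-function devices have simple, repetitive traffic patterns is exactly what makes such a coarse model produce few false positives, while a general-purpose workstation would drown it in "new destination" alerts.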
Guardian can integrate with firewalls made by Cisco, Fortinet, Palo Alto Networks and SonicWall through APIs to quarantine devices or shut down their network connections.
The platform can be used to do an IoT inventory. “Right now people don’t even know how many IoT devices they have,” Wang says.
Because the architecture is cloud-based, Guardian can scale to accommodate large networks. Wang says it already supports 100,000 devices and can handle more. It produces very few false positives, she says, because most of these devices have relatively fixed behaviors that follow simple patterns.
Guardian is available now. Pricing is based on the number of devices being monitored and ranges from $10 to $60 per device per year, with the lower prices being charged for a high number of devices.