Protecting IoT With EDR Cyber Security by Gilad David Maayan


Internet of Things (IoT) technology covers a wide range of systems and devices, ranging from consumer IoT like smart TVs to commercial IoT like smart health systems and pacemakers. IoT can also be found in industrial environments such as factories, where it is used for predictive maintenance and evaluating industrial big data. 

Smart cities rely on IoT for city-wide connectivity and communication, as smart sensors are put to work monitoring networking, utility, transport, and energy systems. In the military, IoT technologies are made into weapons used for reconnaissance and biometric combat. 

There are currently 30.73 billion IoT devices installed worldwide, and the numbers should reach 75.44 billion by 2025. That makes IoT security a crucial aspect of the continual health of all systems, networks, and devices connected and installed throughout the world. 

This article explains current IoT security challenges, and proposes solving these issues through the application of EDR security technologies.

What Is EDR?

Endpoint Detection and Response (EDR) is a set of technologies and practices you can use to monitor activity, identify suspicious behavior, and respond to threats on endpoint devices. EDR specifically focuses on increasing visibility in endpoints. The primary goal of EDR solutions is to alert security teams to attack activity and enable them to quickly investigate and contain attacks.

EDR solutions include three main components:

  • Data collection agent — event data is aggregated in a single database. Collected data includes communications, logins, and process executions.
  • Detection engine — analyzes collected data and correlates activity to detect malicious or suspicious events.
  • Dashboard — provides security teams with access to real-time information and analyses of suspicious events. 

EDR Features

EDR solutions, such as Cynet EDR security, provide a variety of features to help you secure your endpoints. Some commonly included features are:

  • Inclusion of threat intelligence—enables you to correlate activity and Indicators of Compromise (IoCs) with known attack patterns and methods. This improves your ability to identify and respond to attacks.
  • Real-time alerting—tools continuously monitor endpoints and provide real-time alerts for suspicious activity.
  • Perimeter-wide visibility — centralizes and correlates data across endpoints. This can help you identify when your perimeter is being tested and help you identify attack origins. 
  • Automated response capabilities—enable you to set policies defining automatic actions taken when an incident is detected or an alert fired. Actions can include blocking traffic, disabling processes, or wiping devices.
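To make the components and features above concrete, the following added example (not code from the article or from any EDR product) sketches a minimal detection engine: it correlates collected login, process, and connection events per device, matches them against threat-intelligence IoCs, and maps each finding to a policy action. The event schema, device names, IoC values, threshold, and policy table are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed threat intelligence: documentation-range IP, made-up process name.
IOC_IPS = {"203.0.113.50"}
IOC_PROCESSES = {"dropper.bin"}
FAILED_LOGIN_THRESHOLD = 5  # assumed value for this example
# Hypothetical response policy: finding -> automatic action.
POLICY = {"login_after_failures": "alert_only", "ioc_process": "disable_process",
          "ioc_connection": "block_traffic"}

def detect(events):
    """Correlate events per device; return one alert per device with findings."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)
    alerts = []
    for device in sorted(by_device):
        failed, findings = 0, []
        for ev in sorted(by_device[device], key=lambda e: e["ts"]):
            kind = None
            if ev["type"] == "login":
                if ev["ok"] and failed >= FAILED_LOGIN_THRESHOLD:
                    kind = "login_after_failures"  # valid credentials, odd pattern
                failed = 0 if ev["ok"] else failed + 1
            elif ev["type"] == "process" and ev["name"] in IOC_PROCESSES:
                kind = "ioc_process"
            elif ev["type"] == "conn" and ev["dst"] in IOC_IPS:
                kind = "ioc_connection"
            if kind and kind not in findings:
                findings.append(kind)
        if findings:
            # Several distinct findings on one device are treated as correlated.
            alerts.append({"device": device, "findings": findings,
                           "severity": "high" if len(findings) > 1 else "low",
                           "actions": [POLICY[f] for f in findings]})
    return alerts

def sample_events():
    """Constructed telemetry, shaped as a collection agent might report it."""
    ev = [{"device": "cam-01", "ts": t, "type": "login", "ok": False} for t in range(5)]
    return ev + [
        {"device": "cam-01", "ts": 5, "type": "login", "ok": True},
        {"device": "cam-01", "ts": 6, "type": "process", "name": "dropper.bin"},
        {"device": "cam-01", "ts": 7, "type": "conn", "dst": "203.0.113.50"},
        {"device": "sensor-07", "ts": 1, "type": "login", "ok": False},
        {"device": "sensor-07", "ts": 2, "type": "login", "ok": True},
        {"device": "sensor-07", "ts": 3, "type": "conn", "dst": "198.51.100.10"},
        {"device": "tv-02", "ts": 4, "type": "conn", "dst": "203.0.113.50"},
    ]
```

Calling `detect(sample_events())` yields a high-severity alert for `cam-01`, where three findings line up on one device, a low-severity alert for `tv-02`, and nothing for `sensor-07`, whose single failed login stays under the threshold.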

What Types of Threats Does EDR Detect?

EDR specializes in detecting attacks and behavior that traditional tools miss. In particular, EDR is good for detecting:

  • Fileless attacks—fileless attacks take advantage of system memory and processes to infiltrate systems and run malicious scripts. These attacks can bypass traditional, signature-based detection tools since no signature is left behind. EDR can help detect these attacks through data correlation and enable you to prevent data exfiltration.
  • Credential abuse—EDR enables you to identify suspicious behavior patterns in “legitimate users”. Without behavior analysis, attacks performed with legitimate credentials are difficult to detect since credentials pass authentication and verification measures. These attacks may be performed by malicious insiders or with stolen credentials. 

IoT Security Challenges

Although EDR is designed to protect endpoints, like IoT devices, securing these devices can present a variety of challenges. 

Lack Of Physical Hardening

Physical hardening refers to physically securing the hardware and physical connections of a device or system. It is especially important for securing remote or publicly accessible devices, like IoT sensors. Unfortunately, these devices often lack physical security measures, making devices easy to tamper with or abuse. Part of the reason for this lack is the drive for low-cost devices, which doesn’t emphasize security.

Botnet Attacks

The remote and often vulnerable nature of IoT makes these devices prime targets for attackers looking to create a botnet. Botnets use a large number of hijacked devices to perform actions dictated by the attacker, for example, spamming a site as part of a Distributed Denial of Service (DDoS) attack. Attackers can take advantage of out-of-date and vulnerable devices to add to their botnet, effectively harnessing your resources for attacks.

Industrial Espionage & Abuse of Privacy

Many IoT devices include visual and auditory sensors, i.e. cameras and microphones. If a device is compromised, these sensors can be used by hackers to steal data in real-time. For example, devices can enable attackers to eavesdrop on sensitive conversations or observe the patterns of security guards. If devices store data, rather than streaming directly to a server, attackers can also access any data saved on the compromised device.

Conclusion: How EDR Protects IoT Devices

In combination with strong security policies, EDR can help you address the challenges of securing IoT devices. 

IoT devices typically stream data, meaning every second you are not in control of your devices, you are losing data. If you cannot identify attacks in real-time, you stand to lose significant amounts of this data. EDR provides real-time visibility and alerting that enables you to quickly identify and contain suspicious activity. The inclusion of automatic response features further decreases response time and allows you to halt activity at the first sign of an incident.

EDR’s combination of threat intelligence and AI enables the detection of a wider range of attacks, including those using novel methods. This is especially important for protecting IoT devices as security measures within the devices are generally not standardized. This lack of standardization often means that attack methods and tools don’t follow known patterns. Without AI-based detection, these attacks are likely to be overlooked.

Additionally, you can use the IoT data collected and correlated by EDR solutions to generate threat intelligence. This intelligence can help you configure and deploy IoT devices in more secure ways. If you share this information with IoT manufacturers you can help them improve the base security of devices, minimizing vulnerabilities from the start.

About the Author:

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.



February 25, 2020


Hakin9 TEAM

1 Comment
3 years ago

Good article. Protecting a contemporary business network is a hard task. A contemporary business network connects remote devices like smartphones, laptops, notebooks, tablets, or other wireless devices through different environments: on-premises, cloud, or hybrid. The mobile devices contain valuable information that should be protected. A lost or stolen phone could turn into a critical security breach. These devices are commonly positioned outside of the firewalls, on the edge of the network, and are called endpoints. The endpoint protection software is installed on all network servers and all endpoint devices. The servers manage the analysis and response, and the clients (endpoints)…
