Simplify how you protect and connect your IoT devices and OT networks with VersaONE
In today’s hyper-connected world, the explosive growth in the Internet of Things (IoT) coupled with the changing threat landscape has forced the need to rethink how enterprises connect and secure devices on their networks. At Versa, we understand the critical need for robust and simpler-to-manage security solutions that protect your OT networks and IoT devices from emerging threats. Versa IoT Security is an integral part of our VersaONE universal SASE platform, delivering comprehensive visibility and top-tier security combined with simplicity and efficiency.
Softer targets for hackers
You can’t extend IT security controls like agents onto IoT/OT devices given their specialized and diverse operating systems. And in many cases, IoT networks cannot be segmented, which invites lateral movement once compromised.
Untimely updates
The diversity of devices and lack of unifying client software combined with their sheer volume make timely update management and fast patching of known vulnerabilities cumbersome, if not unachievable.
Limited Visibility and Control
Traditional networking and security management tools often cannot provide adequate visibility or control over IoT devices, especially when they are deployed in distributed or remote locations.
Grounded in a Zero Trust framework and advanced threat detection capabilities, Versa’s IoT security significantly reduces the risk of breaches and data loss. Notably, our micro-segmentation prevents lateral movement when compromises occur.
Versa’s agentless technology provides an accurate catalogue of IoT/OT devices connected to the network along with their network location and visibility into their network activity, automatically baselining their behavior and detecting anomalous activity.
With Versa’s unified SASE architecture, your team can reduce the need for multiple security products and vendors, simplifying management and lowering overall IT costs.
Versa’s universal SASE platform is designed to scale seamlessly with an organization’s needs, accommodating the rapid proliferation of IoT devices without sacrificing performance or security.
IoT & OT device visibility
Versa provides superior visibility to IoT devices in the network through comprehensive device discovery, advanced application identification, and precise device fingerprinting. Our inline approach ensures real-time detection of all connected devices with great accuracy while deep packet inspection (DPI) uses signatures and heuristics to automatically identify over 3,500 applications and protocols, including specialized IoT and SCADA signatures.
Zero Trust security for every device
Versa’s ability to extend its Zero Trust approach to “things” reflects the necessity of strict access controls and continuous verification – of not just users but also devices in order to safeguard network resources and correctly apply device-specific policy.
Advanced threat and data protection
Versa’s advanced security capabilities, including advanced threat protection, data loss prevention and real-time anomaly detection inspect device communications for threats, data exfiltration, and apply dynamic segmentation to manage sophisticated threats in IoT environments. This robust approach ensures comprehensive security without compromising performance.
Flexible security architecture
Versa’s hybrid SASE architecture (both cloud-native and on-premises) offers flexible and scalable security that grows with your IoT device network, simplifying the addition of new devices without extra security overhead. Integrating advanced security functions with networking capabilities in a single platform, Versa ensures seamless management and consistent protection. This comprehensive approach enhances security while reducing operational complexity across diverse IoT environments.
Versa IoT Security is uniquely positioned to address a variety of IoT security use cases due to its integration of networking and security services directly into the cloud. This architecture is particularly advantageous for environments where there are large numbers of devices distributed across multiple locations. The use cases that Versa can address include:
Use case
Employees or systems require secure remote access to IoT devices and data from various locations, including from home or while on the move.
Versa solution
Secure, identity-aware access control, ensuring that only authorized users and devices can access critical systems, regardless of their location. This is often managed through Zero Trust Network Access (ZTNA) which enforces strict identity verification. Guest access on specific Wi-Fi access points can be segmented from the corporate IT network.
Use case
IoT environments often include a diverse array of devices needing clientless authentication before they can connect and interact with networks.
Versa solution
Versa supports robust asset discovery and can segment network access based on device profiles and compliance status, reducing the risk of a compromised device being used to attack the IT network. Enforcement occurs inline, in the path of traffic in the OT network itself.
Use case
IoT devices often can’t use traditional endpoint protection clients, leaving them vulnerable to malware, ransomware, and other cyber threats which can disrupt operations.
Versa solution
Versa is able to provide “clientless” security or deploy remote enforcement nodes that include malware protection, URL and content filtering, intrusion prevention, User and Entity Behavior Analytics (UEBA), and other advanced security capabilities that can actively monitor and filter traffic to detect and respond to threats in real time.
Use case
Enterprises need comprehensive visibility into their OT and IoT device behaviors and traffic to manage access and security effectively.
Versa solution
Versa offers enhanced visibility and control over devices, their connectivity, and their network activities. This enables better monitoring, management, and optimization of IoT traffic.
Versa’s DPI engine and URL filtering engine provide deep visibility into the network activity of any device. The Versa DPI engine supports the identification of over 3,500 applications and protocols, including a rich set of IoT and SCADA protocol signatures, ranging from common standards like MQTT, CoAP, and Modbus to specialized protocols such as DNP3, OPC Unified Architecture, and IEC 60870-5-104. The URL filtering engine provides visibility into types of network access by automatically categorizing the applications.
Device fingerprinting identifies specific IoT devices on the network by capturing and analyzing a range of attributes, such as the device’s operating system, browser type, system settings, installed software, and even hardware configurations. Versa may also collect data related to network behavior and patterns of interaction with the network. Using the collected data, Versa applies advanced algorithms to generate a unique fingerprint for each device.
Using behavioral analysis, Versa assesses the patterns of URL access and other network behavior to identify devices. For example, an IoT device might regularly access specific URLs at predictable times for data upload, or an OT device might interact with control servers using fixed URLs. Identifying these patterns helps in categorizing the devices and applying appropriate security policies, as well as establishing baseline behavior for anomaly detection.
URL filtering capabilities analyze the URLs accessed by network traffic, which can be indicative of the type of device or the application being used. For instance, specific IoT devices may regularly communicate with certain cloud services, or industrial control systems might access URLs related to specific industrial applications.
Versa’s IoT security performs dynamic risk assessment of devices by continuously monitoring their behavior and interactions within the network. Using advanced analytics and machine learning, Versa evaluates the risk level of each device based on its activity patterns, identifying potential threats in real-time. This approach allows for the immediate adjustment of security policies and access controls, ensuring that high-risk devices are promptly isolated and mitigated. By dynamically assessing risk, Versa enhances overall network security and proactively protects against evolving threats in IoT environments.
Versa Networks facilitates 802.1x-based Network Access Control (NAC) for OT networks and IoT devices through multiple authentication strategies. It employs X.509 certificate-based authentication, leveraging customer-provided certificates for devices capable of advanced security protocols, and offers MAC-based authentication as an alternative for simpler devices that cannot manage certificates. These authentication methods are supported by a RADIUS backend, which controls the authentication process and manages the connections of client machines (supplicants). Versa’s system also includes capabilities to control port access, allowing or denying entry and assigning devices to specific VLANs or network layers based on their authenticated status. This approach uses standard client software that supports EAP and EAP-TLS protocols, ensuring a secure and regulatory-compliant network environment for IoT and OT devices.
With the devices classified and the network segmented, Versa then applies policy-based traffic management. These policies dictate how traffic should be handled based on the device and application class, the type of data involved, and the required security posture. Using Quality of Service (QoS) rules, Versa can prioritize traffic based on its importance, ensuring that high-priority device communications are transmitted quickly and reliably, even during times of high network congestion. Policies can specify bandwidth allocation, access permissions, and prioritization levels. For instance, traffic from critical IoT sensors monitoring real-time manufacturing data might be given higher priority over routine IT data traffic.
Versa is able to apply Zero Trust principles to “things,” not just users, which means that no device (or user) is inherently trusted, regardless of their location relative to your network perimeter. This approach requires strict identity verification and authentication before granting access to network resources. For OT and IoT devices, this means enforcing policies that control access based on continuous verification of the device’s security posture and behavior.
To minimize the potential impact of a security breach, Versa uses segmentation and micro-segmentation techniques to divide the network into smaller, controlled zones. Each OT or IoT device is confined to its specific segment, which isolates critical infrastructure elements and sensitive data from the broader network. This limits the pathways available to an attacker and reduces the risk of lateral movement for staged attacks.
Versa offers Next Generation Firewall (NGFW) protection specifically tailored for IoT devices, leveraging advanced traffic identification and control mechanisms across multiple layers of the network. This includes inline identification of IoT application traffic and protocols; layer 4-7 protocol identification and control; an extensive database of application signatures and classes; web traffic identification and control; as well as policy-based compliance enforcement.
Versa Networks employs a robust IP reputation and geo-location filtering system to protect OT networks and IoT devices from a range of cyber threats. The system includes a comprehensive database of IP addresses known for malicious activities, covering both IPv4 and IPv6 addresses across multiple countries. By enforcing geo-location-based actions and matching traffic based on source and destination IPs, Versa effectively blocks communications with IPs associated with malware distribution, command and control (C&C) centers, phishing, botnets, and other security threats. This protection is dynamically maintained with near real-time updates to the IP reputation lists as part of Versa’s Security Package, ensuring that OT and IoT devices are safeguarded against the latest observed threats and attack vectors.
Versa Networks provides robust protection for OT networks and IoT devices through its Next-Generation Intrusion Prevention System (NG-IPS), which incorporates both signature-based and anomaly-based detection mechanisms. This system is designed to defend against a wide range of vulnerabilities, including those discovered over the last decade, as well as current Zero-Day attacks, by using an extensive library of vulnerability signatures that are frequently updated. These updates ensure real-time protection and include coverage for vulnerabilities disclosed in Microsoft’s regular updates and emerging threats identified through JavaScript attack vectors. The NG-IPS supports custom user-defined signatures and the Snort rule format, enhancing its adaptability and effectiveness in identifying and mitigating targeted attacks and early signs of host compromise. This comprehensive approach, validated by rigorous penetration testing, ensures high levels of security for critical infrastructure within OT and IoT environments.
Versa provides real-time discovery of connected devices, enabling organizations to maintain an up-to-date inventory of all IoT and OT devices on their network. This feature helps in identifying new devices as soon as they connect to the network, monitoring their behavior, and ensuring that they are properly managed and secured.
By profiling and classifying devices based on their type, function, and behavior, Versa allows for detailed visibility into the network. This classification is crucial for applying appropriate security policies and for monitoring specific groups of devices more closely, particularly those considered critical or vulnerable.
Versa provides comprehensive analytics on network performance and traffic patterns. This feature not only aids in security analysis but also helps in optimizing network performance by identifying bottlenecks, unusual traffic flows, and other operational issues.
The platform includes tools for generating detailed security and compliance reports. These reports offer insights into network security posture, incident responses, and audit trails, which are essential for maintaining compliance with industry regulations and internal standards.
Organizations can customize dashboards to monitor the health and security of their OT and IoT environments effectively. The system allows for setting alerts based on specific events or thresholds, ensuring that network administrators are promptly notified of potential issues.