Derk is recognized as a Most Valuable Professional (MVP) by Microsoft, an award given to exceptional community leaders for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: FAQ | Most Valuable Professionals. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content that addresses community needs. Read the interview below!
Figure 1: Picture of Derk from the Microsoft Security Engineering Partner Airlift event
Personal Story and Credibility
Q: Tell us a bit about your role and background: how did you become focused on securing Internet of Things (IoT) and Operational Technology (OT) devices?
A: Let’s start with a disclaimer: my passion for Microsoft Security is very broad, from offensive to defensive, from XDR to SIEM, and from IT to OT. One cannot exist without the other.
I studied computer science back in the 90s, and the same month I started to work in IT, I studied and passed the MCSE (6 books at the time) exams. For the last 25+ years, I've worked as a Microsoft partner with some personal highlights: MCM (Microsoft Certified Master) Exchange in 2010, Microsoft MVP in 2021, and CCP Discussion Leader for Defender for IoT in 2024.
The moment I read the book ‘Countdown to Zero Day’ about Stuxnet, back in 2014, OT security became an important aspect of my life, and it still is to this day because human lives are at stake.
Q: What’s been your proudest moment as a security practitioner where Defender for IoT played a critical role?
A: My proudest moments are more general: detecting bad actors in the environment via Microsoft Security products, probably in the reconnaissance phase, and preventing bad things from happening, like domain dominance or global malware deployment. Truly making the world a safer place.
Blueprint 1: Deployment and Adoption Strategy
Q: When organizations are just starting with Defender for IoT, what are the first three steps you recommend for a successful rollout?
A: Step one should be asset inventory; you cannot protect what you don’t know.
Step two is to look at the network topology; are the IT and OT devices in separate networks (Purdue model even), or are the IT and OT devices interconnected (IT/OT convergence) in the same network? This is important for the solution.
And the third and final step is to look at the surrounding assets because it’s not always a stand-alone solution but a better together solution with Defender for Endpoint, Defender for Identity, Sentinel, etc.
Q: What common mistakes or misconceptions do you see teams make when deploying Defender for IoT?
A: Deploying Defender for IoT without knowing the environment, for example deploying Defender for IoT in a flat network with some OT devices but many IT devices. First, you pay extra because the Site license is based on the number of assets. Second, you get a lot of noise in alerting because an OT use case is alerting on internet connectivity, while IT connects to the internet all the time.
Q: Can you share your own checklist or framework for configuring Defender for IoT to get quick wins in the first 30–60 days?
A: Microsoft has an excellent checklist and framework on the Microsoft Learn site, but as mentioned before, first look at your network topology and know your devices. An outcome of a Defender for IoT Proof of Concept can be that you finally understand your network topology, which you did not before (all based on assumptions) and how subnets/VLANs are interconnected.
Blueprint 2: Operational Excellence
Q: What features or policies have given your security team the biggest efficiency gains?
A: Better together, so deploy Defender for IoT as the core solution for OT networks and devices, but add Defender for Endpoint on the Windows and/or Linux devices in the network, and Defender for Identity if there is an OT Active Directory. Second (my personal opinion), I think that an internet-connected network (in a secure manner, like IP, port and DNS ACLs, or even data diodes) is more secure than an air-gapped network, because even air-gapped networks need updates (firmware, operating system, threat intel, etc.), and we come back to my personal statement that 99% of all OT attacks start from IT (e.g. a USB key in an air-gapped network is IT for me).
Q: How do you structure your team’s workflows so that Defender for IoT alerts integrate smoothly into daily operations?
A: Educate the team of defenders. First, prevention is better than the cure, but seeing outdated software on OT devices does not mean you can patch it instantly: downtime can be very expensive, or the supplier may not exist anymore. Secondly, pure OT alerts are different from your typical IT alerts, like a command to shut down a PLC.
Q: Could you walk us through a “playbook” that your team uses to detect, respond, and remediate IoT/OT threats?
A: As mentioned before, 99% of all OT attacks start from IT, so the integration of Defender for IoT in Defender XDR is, in my opinion, a game changer with advanced features like Attack Disruption to automatically stop an attack without human intervention if the true positive rate is 99+%.
Blueprint 3: Driving Business Outcomes
Q: How do you measure and report the value of Defender for IoT back to business stakeholders?
A: It should be part of the overall Security Policy. Although there are far fewer alerts on OT compared to IT, the impact is much greater because it’s often critical infrastructure: not always in the sense of lives at stake, but also an organization’s right to exist.
Q: Without naming company names, can you share an example where Defender for IoT directly identified a threat or misconfiguration, ultimately better securing an organization?
A: Not directly a threat, but Defender for IoT showed how flat the network was and that literally all devices could communicate with each other; you don’t want that in case of worm malware.
Blueprint 4: Scaling and Maturing Use
Q: Once the basics are in place, what’s the path to advanced adoption and security?
A: Adding the better together story with Defender XDR (consisting of Defender for Endpoint, Defender for IoT and Microsoft Sentinel). Also, a secured cloud connection that provides real-time analytics, up-to-date threat intelligence, etc.
Q: How do you expand Defender for IoT's impact across other tools or workflows (e.g., integration with SIEM, automation, Advanced Hunting)?
A: I think, unless you are 100% air-gapped due to policy, the connection with Microsoft Defender XDR and Microsoft Sentinel is a must because of IT/OT convergence as mentioned before.
Blueprint 5: Community and Advocacy
Q: Why do you share your experiences with the wider community, and how has it benefited you in return?
A: I think OT security in a crisis (look at what happens in Ukraine) is far more important than getting back investments in AI. Best of both worlds: I think AI can make OT security even more efficient and practical.
I always say: if you know, you do; if you understand, you teach. If I can only help one person with an answer or via my blogs, I’m happy 😊
Q: What’s one “field lesson” you’d want every new Defender for IoT user to know before they begin?
A: Start with a Proof of Concept, and often it’s a surprise how the network is routed and which assets are connected.
Q: How can others follow your blueprint to both adopt Defender for IoT effectively and become champions in the practitioner community?
A: Join the CCP program and read my blogs (Derk van der Woude – Medium). Again, my blogs are very broad about Security, because Security is a very broad topic and everything is connected, directly or indirectly. I learned the most from setting up my physical home lab.