Microsoft Defender for IoT Ninja Training

Thank you @kimwall for Sharing with the Community 

@kimwall as per @James van den Berg comment - thanks massively for sharing.

Quick question if I may? as I'm under a time crunch

When are the slide decks going to be available?

I'm specifically looking for the L300/400 details of exactly *how* the OT devices are secured in Air-gapped environments if the solution is relying on an agentless solution? how can that protect devices from potentially malicious content on USB devices being introduced inadvertently?

Regards,
Dave C

Hello David. Apologies for the delay in answering your question. I've been out of the country for a few weeks. We are working on getting the slide decks/PDF's posted. However, I do not believe they will help with your specific question. When deploying Defender for IoT in an air-gapped environment, the sensor may be locally accessed and monitored without the need for a central manager. This solution is agentless and out-of-band and therefore not inline to any traffic. This is by design. Most industrial network owners resist solutions which are inline, place packets on the process control network, or require an in-band endpoint agent (any of these could potentially cause unplanned downtime, which is high on the list of things which should never happen in OT networks). Defender for IoT operates on SPAN'd/brokered network traffic and would see malicious activities when they happen - regardless of where they originate, including USB media. Note that the connection of the USB is not something that will be seen with this solution, but any network activity generated will be seen. Using patented machine-to-machine analytics, a baseline is learned and continually adjusted to ensure that good/authorized traffic is always known. When malicious traffic is introduced to the environment, it will inevitably deviate from the baseline of what is known to be good and one or more alerts will be raised at that time. 

Thanks @kimwall,

We had a good discussion with customer and Lior - my bad, as it was the customer leading me astray with their specific use case.
When in reality they should be doing things correctly/securely and not necessarily taking shortcuts?

Regards,

Dave C  

@David Caddick the slide decks have been added

Remind your customers that taking shortcuts frequently results in making it easier for attackers and cost more in the long run. 

@kimwall The Defender for IoT Architecture deck is still referring to CyberX. How much longer should we use that companies names in discussions with our Clients? they were purchase by MS quite a while ago. 

@kimwall  In the Sentinel Integration section, the link to Doc: Security Operations, Automation, and Response with Azure Sentinel does not work

@Dean Gross, thank you for pointing out the mis-functioning link. It has been removed for now. As for references to CyberX, I came to Microsoft as a part of that acquisition  and am very much aware that the name has changed to Azure Defender for IoT. However, in the case of this video and deck, they were recorded shortly after the acquisition so it made sense to mention both. Going forward, this won't be the case, but depending on the session on this page, you may see or hear the previous name a time or two. Old habits die hard, but we are getting there. 

Hi There,

Enjoying this ninja and wondered if you could suggest a pcap source file that might be available to act as a useful training proof of concept that could be imported into a Sensor?

Thank you for all the great material.

Br Pete

Hello @kimwall and all,

I am enjoying studying the pile of material and yesterday my knowledge was further enriched by attending the Microsoft Security Partner Airlift FY22 – Secure OT/IoT Training.

Two questions remain: 1) what is the best way to achieving a certificate and 2) I ran into a mention of AZ-220, does it cover what we are learning on this Ninja page?

Kind regards,

-Frans

Hi There,

Great work and it is very useful.

Thank you for all the great material.

Regards,
Neeraj 

AZ-220 is more focused on sensors in general, managing them, configuring the Azure workspace to use the data sent by them not necessarily sending data to Sentinel but where the data may have a business meaning e.g. condition monitoring, so things like PowerBI might be used along with hot/cold storage to analyse real/non-realtime.

Hi Microsoft Defender for IoT Team,

Will Microsoft be maintaining the CyberX app for QRadar?  We have a customer that is using the CyberX sensors in their production facilities and it is integrated to the QRadar SIEM deployed ion their data center using the CyberX app for QRadar.  This app has not been updated since  2017 .

In the How to use the Enterprise Data Integrator recording, it was mentioned that we could use the native token generation capability to avoid putting passwords into scripts. Can we use Azure Managed Identities or Key Vault with Defender for IoT for this purpose?

It seems certification missing..

Hi ,

Very useful documentation and training

Thank you

Will there ever be a MS accredited Defender for IoT course? These materials are great, but it would be better for clients/consultants alike if one could achieve admin/user/analyst accreditations. 

@kimwall most of this material is over 1 year old and there have been many changes since then. Are there any plans to update this content?