According to industry experts, threat intelligence (TI) is a key differentiator when evaluating threat protection solutions.
But IoT/OT environments have unique asset types, vulnerabilities, and indicators of compromise (IOCs). That’s why incorporating threat intelligence specifically tailored to industrial and critical infrastructure organizations is a more effective approach for proactively mitigating IoT/OT vulnerabilities and threats.
We've also learned that cloud-based services deliver significant benefits including increased simplicity and scalability, with reduced manual effort — especially important for today's overworked security operations teams.
That's why we're especially excited to announce that TI updates for Azure Defender for IoT can now be automatically pushed to Azure-connected network sensors as soon as updates are released, reducing manual effort and helping to ensure continuous security.
To get started, simply go to the Azure Defender for IoT portal and enable the Automatic Threat Intelligence Updates option for all your cloud-connected sensors. You can also monitor the status of updates from the “Sites and Sensors” page as shown below.
Viewing the status of network sensors and threat intelligence updates from the Azure portal
Threat intelligence curated by IoT/OT security experts
Developed and curated by Microsoft’s Section 52, the security research group for Azure Defender for IoT, our TI update packages include the latest:
IOCs such as malware signatures, malicious DNS queries, and malicious IPs
CVEs to update our IoT/OT vulnerability management reporting
Asset profiles to enhance our IoT/OT asset discovery capabilities
Section 52 is comprised of IoT/OT-focused security researchers and data scientists with deep domain expertise in threat hunting, malware reverse engineering, incident response, and data analysis. For example, the team recently uncovered “BadAlloc,” a series of remote code execution (RCE) vulnerabilities covering more than 25 CVEs that adversaries could exploit to compromise IoT/OT devices.
Leveraging the power of Microsoft’s broad threat monitoring ecosystem
To help customers stay ahead of ever-evolving threats on a global basis, Azure Defender for IoT also incorporates the latest threat intelligence from Microsoft’s broad and deep threat monitoring ecosystem.
This rich source of intelligence is derived from a unique combination of world-class human expertise — from the Microsoft Threat Intelligence Center (MSTC) — plus AI informed by trillions of signals collected daily across all of Microsoft’s platforms and services, including identities, endpoints, cloud, applications, and email, as well as third-party and open sources.
IOCs aren’t sufficient on their own. Enterprises regularly contend with threats that have never been seen before, including ICS supply-chain attacks such as HAVEX; zero-day ICS malware such as TRITON and INDUSTROYER; fileless malware; and living-off-the-land tactics using standard administrative tools (PowerShell, WMI, PLC programming, etc.) that are harder to spot because they blend in with legitimate day-to-day activities.
To rapidly detect unusual or unauthorized activities missed by traditional signature- and rule-based solutions, Defender for IoT incorporates patented, IoT/OT-aware behavioral analytics in its on-premises network sensor (edge sensor).
Threat intelligence complements and enriches the platform’s native analytics, enabling faster detection of IOCs such as known malware and malicious DNS requests, as shown in the threat alert examples below.
Example of SolarWinds threat alert generated from threat intelligence information
Example of malicious DNS request alert generated from threat intelligence information
Summary — Detecting Known and Unknown Threats
Effective IoT/OT threat mitigation requires detection of both known and unknown threats, using a combination of IoT/OT-aware threat intelligence and behavioral analytics.
Azure Defender for IoT offers agentless, IoT/OT-aware network detection and response (NDR) that’s rapidly deployed (typically less than a day per site); works with diverse legacy and proprietary OT equipment, including older versions of Windows that can’t easily be upgraded; and interoperates with Azure Sentinel and other SOC tools such as Splunk, IBM QRadar, and ServiceNow.
Gain full visibility into assets and vulnerabilities across your entire IoT/OT environment. Continuously monitor for threats with IoT/OT-aware behavioral analytics and threat intelligence. Strengthen IoT/OT zero trust by instantly detecting unauthorized or compromised devices. Deploy on-premises, in Azure-connected, or in hybrid environments.
 Of course, clients with on-premises deployments can continue to manually download packages and upload them to multiple sensors from the on-premises management console (aka Central Manager).