OT/IoT devices, including Programmable Logic Controllers (PLCs), Human-Machine Interface (HMIs), Engineering Workstations, Network Devices, and more, are becoming increasingly prevalent in organizations. Often, these devices are used as entry points for attacks, but they can also be used by attackers to move laterally.
Today's CISOs and SOC teams must deal with new threats from cyber physical systems (CPS) and parts of the organization they were never previously responsible for. This is because digital business requires IT/OT connectivity, which has removed the air-gap that once existed between IT and OT.
For Security Operations Centers (SOCs), monitoring IoT/OT networks presents a number of challenges, including the lack of visibility for security teams into their OT networks, the lack of experience among SOC analysts in managing OT incidents, and the lack of communication between OT teams and SOC teams.
The new IoT device entity page is designed to help your SOC investigate incidents that involve IoT/OT devices in your environment, by providing the full OT/IoT context through Microsoft Defender for IoT, our agentless IoT/OT security monitoring solution, to Sentinel. This enables SOC teams to detect and respond more quickly across all domains to the entire attack timeline.
How the IoT entity page can improve your investigation
When SOC teams come across an IoT/OT equipment entity associated with an incident in Sentinel, the SOC team can select the entity and be taken to an IoT/OT entity page, a data sheet of useful contextual information. Additionally, the SOC team can “Hunt” IoT/OT devices using the Entity behavior blade.
This can help the SOC team:
- Avoid switching between MDIoT and Sentinel, and use the same familiar processes when investigating OT/IoT incidents
- Gain better visibility into OT/IoT devices
- Assess the risks associated with OT/IoT devices
- View all attack surfaces in one SIEM
- Run SOAR playbooks based on specific device data
The IoT/OT entity page provides details about the device that can help streamline the SOC workflow, including:
- Identify the importance of the device (“crown jewels”) for triage purposes.
- Locate the OT engineer owner of the device (as defined in Defender for IoT) and his contact details for further investigation.
- Identify the business impact of the device (device geo location: Site, Zone, Sensor).
- Backlink to the MDIoT device page for deeper investigation, such as PCAP access and policy changes
- Indicators on the device, such as: Is the device authorized in the network? Is the device defined as an authorized programming device in the network? Is the device defined as authorized to perform scanning-like activities in the network?
- More basic details on the device such as: Type, Vendor, Model, Operating System, Firmware, IPs, MACs, VLANs
You will also find a timeline showing all alerts and activities related to the selected timeframe.
In the next phase, more exciting content will be added to the IoT entity page, including: Insights & recommendations, vulnerabilities and more to enhance the security posture.
Use case example
Triton is a use case that we can use to demonstrate how this feature can be used to help the SOC team investigate incidents.
Triton is a Saudi Arabian cyber-attack: A cyber-attacker took control of the controllers in order to shut down safety systems and possibly cause equipment at the plant to malfunction.
A Host is scanning the OT network. This is defined as an alert in MDIoT, and as an incident within Sentinel. While the operation may be legitimate, it can also be an attacker technique to get a hold of a critical PLC, as in the below Triton attack kill chain.
The new IoT entity page we're introducing today aims to help SOC teams more easily address unified IT/OT SOC challenges.
What will the analyst be looking for on the entity page?
- What is the site/zone (geo-location)? Which production line is impacted?
- What type of device is it?
- Does it have any previous alerts?
- How important is this device?
- Does the device define as "Scanning"?
- Contact information of the site/device owner?
- If legitimate, the analyst can close the incident and use the MDIoT device deep link to suppress or add to baseline.
- If compromised, determine the scope of the breach by looking at the VLANs, and take further actions with the owner to respond.
For more information
About Microsoft Defender for IoT & Sentinel better together
Defender for IoT's built-in integration with Sentinel helps bridge the gap between IT & OT security challenge. Sentinel enables SOC teams to reduce the time taken to manage and resolve OT incidents efficiently by providing out-of-the-box capabilities to analyze OT security alerts, investigate multistage IT/OT attacks, utilize Azure Log Analytics for threat hunting, utilize threat intelligence, and automate incident response using SOAR playbooks