Intro
OT/IoT devices, including Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), Engineering Workstations, Network Devices, and more, are becoming increasingly prevalent in organizations. Often, these devices are used as entry points for attacks, but they can also be used by attackers to move laterally.
Today's CISOs and SOC teams must deal with new threats from cyber physical systems (CPS) and parts of the organization they were never previously responsible for. This is because digital business requires IT/OT connectivity, which has removed the air-gap that once existed between IT and OT.
For Security Operations Centers (SOCs), monitoring IoT/OT networks presents a number of challenges, including the lack of visibility for security teams into their OT networks, the lack of experience among SOC analysts in managing OT incidents, and the lack of communication between OT teams and SOC teams.
The new IoT device entity page is designed to help your SOC investigate incidents that involve IoT/OT devices in your environment, by providing the full OT/IoT context through Microsoft Defender for IoT, our agentless IoT/OT security monitoring solution, to Sentinel. This enables SOC teams to detect and respond more quickly across all domains to the entire attack timeline.
How the IoT entity page can improve your investigation
When SOC teams come across an IoT/OT equipment entity associated with an incident in Sentinel, the SOC team can select the entity and be taken to an IoT/OT entity page, a data sheet of useful contextual information. Additionally, the SOC team can “Hunt” IoT/OT devices using the Entity behavior blade.
This can help the SOC team:
The IoT/OT entity page provides details about the device that can help streamline the SOC workflow, including:
You will also find a timeline showing all alerts and activities related to the selected timeframe.
In the next phase, more exciting content will be added to the IoT entity page, including: Insights & recommendations, vulnerabilities and more to enhance the security posture.
Use case example
Triton is a use case that demonstrates how this feature can help the SOC team investigate incidents.
Triton was a cyber-attack on a plant in Saudi Arabia: the attacker took control of the controllers in order to shut down safety systems and possibly cause equipment at the plant to malfunction.
A host is scanning the OT network. This is raised as an alert in Microsoft Defender for IoT (MDIoT) and surfaced as an incident in Sentinel. While the scan may be a legitimate operation, it can also be an attacker technique for gaining access to a critical PLC, as in the Triton attack kill chain below.
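The following hunting query is an added example written for this article; it is not code from the original post or from the Defender for IoT product. It shows how a SOC analyst could pull the network-scan alerts that Defender for IoT forwards to Sentinel and rank the scanning hosts by how many OT devices they touched, which is the triage question behind the scenario above. It assumes that Defender for IoT alerts arrive in the SecurityAlert table with ProviderName "IoTSecurity" and that the Entities column carries the addresses involved as JSON; the datatable at the top is constructed sample data so the query runs stand-alone in any Log Analytics workspace, and in production you would query the live SecurityAlert table instead.

```kql
// Added example: hunting OT network-scan alerts from Defender for IoT in Sentinel.
// Assumptions: alerts land in SecurityAlert with ProviderName == "IoTSecurity",
// CompromisedEntity is the scanning host, and Entities is a JSON list of entities
// (Type/Address). The rows below are constructed sample data, not real telemetry.
let SampleAlerts = datatable(
    TimeGenerated:datetime, SystemAlertId:string, AlertName:string,
    ProviderName:string, AlertSeverity:string, CompromisedEntity:string, Entities:string)
[
    datetime(2023-01-10 08:02:00), "a1", "Address Scan Detected", "IoTSecurity", "Medium", "10.10.5.23",
        '[{"Type":"ip","Address":"10.10.5.40"},{"Type":"ip","Address":"10.10.5.41"},{"Type":"ip","Address":"10.10.5.42"},{"Type":"ip","Address":"10.10.5.43"}]',
    datetime(2023-01-10 08:05:30), "a2", "Port Scan Detected", "IoTSecurity", "Medium", "10.10.5.23",
        '[{"Type":"ip","Address":"10.10.5.44"},{"Type":"ip","Address":"10.10.5.45"},{"Type":"ip","Address":"10.10.5.46"}]',
    // Engineering workstation probing a single PLC during maintenance: low fan-out, likely benign.
    datetime(2023-01-10 09:15:00), "a3", "Address Scan Detected", "IoTSecurity", "Low", "10.10.5.9",
        '[{"Type":"ip","Address":"10.10.5.40"}]',
    // Non-scan OT alert: excluded by the AlertName filter below.
    datetime(2023-01-10 09:40:00), "a4", "PLC Stop Command", "IoTSecurity", "High", "10.10.5.23",
        '[{"Type":"ip","Address":"10.10.5.40"}]'
];
// In production replace SampleAlerts with: SecurityAlert | where TimeGenerated > ago(7d)
SampleAlerts
| where ProviderName == "IoTSecurity"
| where AlertName has_any ("Scan")                     // address scans, port scans, etc.
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "ip"
| extend TargetIp = tostring(Entity.Address)
| where TargetIp != CompromisedEntity                  // ignore self-references
| summarize
    ScanAlerts  = dcount(SystemAlertId),               // alerts, not expanded rows
    TargetCount = dcount(TargetIp),
    Targets     = make_set(TargetIp, 50),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    MaxSeverity = max(AlertSeverity)
    by ScanningHost = CompromisedEntity
| where TargetCount >= 5                               // tune to the size of the OT segment
| order by TargetCount desc
// With the sample data only 10.10.5.23 survives the threshold (2 alerts, 7 distinct targets).
```

The fan-out threshold is the important knob: a single engineering workstation touching one PLC is routine, whereas one host enumerating a whole OT segment is the behaviour the Triton kill chain starts with. Pivoting from the resulting ScanningHost to the IoT device entity page gives the analyst the device type, site and recent activity needed to decide whether the scan was authorised.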
The new IoT entity page we're introducing today aims to help SOC teams more easily address unified IT/OT SOC challenges.
What will the analyst be looking for on the entity page?
For more information
About Microsoft Defender for IoT & Sentinel better together
Defender for IoT's built-in integration with Sentinel helps bridge the gap between IT and OT security. Sentinel enables SOC teams to manage and resolve OT incidents faster and more efficiently by providing out-of-the-box capabilities to analyze OT security alerts, investigate multistage IT/OT attacks, use Azure Log Analytics for threat hunting, apply threat intelligence, and automate incident response using SOAR playbooks.