Microsoft Defender for IoT Blog

Azure Defender for IoT: Agentless Security for OT

pneray
Microsoft
Sep 22, 2020

Summary

Azure Defender for IoT delivers agentless security for continuously monitoring Operational Technology (OT) devices in industrial and critical infrastructure networks. Incorporating IoT/OT-aware behavioral analytics from Microsoft's recent acquisition of CyberX, Azure Defender for IoT is available for on-premises deployments during Public Preview, with Azure-based deployment options to follow. Azure Defender for IoT is also deeply integrated with Azure Sentinel — the industry's first cloud-native SIEM/SOAR platform — and integrates with third-party tools like Splunk, IBM QRadar, and ServiceNow.

 

Accelerating Digital Transformation

As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity — requiring continuous network connectivity and real-time intelligence from plant operations — the security traditionally afforded by air-gapped Operational Technology (OT) networks is eliminated. Adding to the risk are greatly increased numbers of unmanaged IoT/OT devices. Boards and management teams are understandably concerned about the increased financial and liability risk.

 

These IoT/OT devices monitor and control Cyber-Physical Systems (CPS) such as industrial robots, building automation, mixing tanks, gas pipelines, and turbines[1]. Adversaries targeting this expanded attack surface can have a major corporate impact including costly production downtime, safety and environmental incidents, and theft of intellectual property such as proprietary formulas and manufacturing processes.

 

While Microsoft offers a number of end-to-end IoT security solutions for new or “greenfield” IoT deployments — including Azure IoT Hub, Azure Sphere and lightweight agents for embedded operating systems — most of today’s IoT/OT devices are “unmanaged” because they do not get provisioned, are not monitored, and lack built-in security such as agents or automated updates.

 

As a result, most IT security organizations have limited or no visibility into their OT networks. What’s more, these devices are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.

 

Network security monitoring tools developed for IT networks are unable to address these environments because they’re blind to specialized industrial protocols (Modbus, DNP3, BACnet, etc.). They also lack an understanding of the specialized device types, applications, and machine-to-machine (M2M) behaviors in IoT/OT environments.

 

Azure Defender for IoT minimizes the risks created by digital transformation by providing IT teams with new visibility into industrial and critical infrastructure networks upon which our global community depends — in manufacturing, pharmaceuticals, chemicals, smart buildings, data centers, warehousing & logistics, life sciences, energy and water utilities, oil & gas, mining, retail, and transportation.

 

To learn more, check out the details below and view our on-demand technical presentation and demo at Ignite 2020.

 

Try Azure Defender for IoT for Free During Public Preview

Azure Defender for IoT is a rebranding of Azure Security Center for IoT. This rebranding is part of today's announcement of Azure Defender, an evolution of the threat protection technologies in Azure Security Center for protecting Azure and hybrid environments.

 

With the new capabilities provided by Azure Defender for IoT, Microsoft is making a major investment to help organizations understand their IoT/OT risk posture, mitigate risk, and continuously monitor for threats.

 

Incorporating agentless technology from Microsoft’s recent acquisition of CyberX, Azure Defender for IoT enables IT and OT teams to auto-discover their IoT/OT assets, identify critical vulnerabilities, and detect anomalous behavior with IoT/OT-aware behavioral analytics and machine learning — all without impacting IoT/OT stability or performance.

 

Available for on-premises deployments during Public Preview in October (with Azure-based deployment options to follow), Azure Defender for IoT is designed to fit right into existing environments, including diverse automation equipment from all major OT suppliers (Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, etc.).

 

To enable rapid detection and response for attacks that often cross IT/OT boundaries, it’s deeply integrated with Azure Sentinel — the industry’s first cloud-native SIEM/SOAR platform — and also integrates out of the box with third-party tools like Splunk, IBM QRadar, and ServiceNow.

 

Integration with existing SOC workflows is key to removing IT/OT silos while delivering unified monitoring and governance across both IT and OT. To help automate this complex security challenge, we’re also beefing up Azure Sentinel’s built-in IoT/OT security capabilities with IoT/OT-specific SOAR playbooks and IoT/OT threat intelligence.

 

Combined with previous support in Azure Security Center for IoT for protecting managed IoT devices connected via Azure IoT Hub, these new capabilities enable organizations to accelerate their digital transformation initiatives with a single solution for both managed (or “greenfield”) devices and unmanaged devices.

 

Broad Set of IoT/OT Security Capabilities

Azure Defender for IoT addresses multiple dimensions of IoT/OT security including:

  • Asset discovery and network mapping, including device details such as IP/MAC address, device manufacturer, device type, protocols used, and how devices are communicating on the network. This helps answer critical questions like “What devices do I have and how are they connected?” The answers to these questions help accelerate incident response as well as implement zero-trust and network segmentation strategies, and optimize asset management and maintenance strategies.
  • Risk & Vulnerability management, including information about CVEs, open ports, and unauthorized internet connections. This answers questions like “What vulnerabilities do I have and how do I prioritize mitigating them?” It also helps you focus on mitigating risk to your crown-jewel assets and processes, whose compromise would result in material impact to your organization.
  • Continuous threat monitoring, with real-time alerts indicating suspicious or unauthorized activity such as targeted attacks or malware, as well as a rich set of investigation and threat hunting tools for querying historical network traffic and downloading full-fidelity packet captures (PCAPs). This helps answer questions like “Do we have any threats in our network right now, and how do we mitigate them as quickly as possible?” — so you can stop the attackers before they shut down your plant or cause a safety incident.
  • Operational efficiency, with real-time alerts about malfunctioning or misconfigured IoT/OT equipment. In addition to cyber-related benefits, the deep visibility provided by Azure Defender for IoT enables plant personnel to quickly identify the root causes of operational issues that can impact plant productivity or quality metrics — such as a misconfigured device shutting down production by flooding the plant network with unnecessary packets.

Azure Defender for IoT provides holistic IoT/OT security including asset discovery, vulnerability management, and continuous threat monitoring, combined with deep Azure Sentinel integration.

 

Rapid, Non-Invasive Deployment with Specialized Behavioral Analytics

Azure Defender for IoT uses passive monitoring and Network Traffic Analysis (NTA) — combined with patented, IoT/OT-aware behavioral analytics — to extract detailed IoT/OT information in real-time. To capture the traffic, it uses an on-premises sensor which is deployed as a virtual or physical appliance connected to a network SPAN port or tap. The benefits of this approach are:

  • Zero impact: Unlike IT network scanning tools such as Nmap and Nessus that can bring down IoT/OT devices by actively “pinging” them with network traffic, Azure Defender for IoT inspects an “out of band” copy of the network traffic and therefore has zero performance impact on the environment.
  • Rapid deployment: The system generates insights within minutes of being connected to the network, leveraging built-in machine learning and automation to eliminate the need to configure rules or signatures.
  • Detects advanced threats: Azure Defender for IoT goes beyond traditional signature-based solutions to immediately detect advanced IoT/OT threats — such as fileless malware and other living-off-the-land tactics — based on anomalous or unauthorized behavior rather than static Indicators of Compromise (IOCs). It uses a patented approach combining Layer 7 Deep Packet Inspection (DPI) with Finite State Machine (FSM) modeling, which baselines IoT/OT network behavior as a deterministic sequence of states and transitions. This enables Azure Defender for IoT to detect threats faster and more accurately, with a shorter learning period. (Traditional anomaly detection algorithms were developed for IT networks, which are primarily non-deterministic, making them inferior for IoT/OT networks.)
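
A minimal sketch of the FSM-baselining idea described above, added here as an illustration and not Microsoft's or CyberX's patented implementation. It assumes a DPI stage has already reduced each Modbus request to a (source, destination, function code) tuple; the class name, addresses and traffic are constructed for the example.

```python
from collections import defaultdict

START = "START"  # synthetic initial state for every conversation

class FsmBaseline:
    """Per-conversation state machine: state = last Modbus function code seen."""
    def __init__(self):
        self.edges = defaultdict(set)  # (src, dst) -> {(prev_state, state)}
        self.last = {}                 # (src, dst) -> current state

    def _step(self, src, dst, func):
        key = (src, dst)
        edge = (self.last.get(key, START), func)
        self.last[key] = func
        return key, edge

    def learn(self, events):
        for src, dst, func in events:
            key, edge = self._step(src, dst, func)
            self.edges[key].add(edge)
        self.last.clear()  # monitoring restarts every conversation at START

    def detect(self, events):
        alerts = []
        for src, dst, func in events:
            key, edge = self._step(src, dst, func)
            if key not in self.edges:
                alerts.append(("new-conversation", src, dst, func))
            elif func not in {state for _, state in self.edges[key]}:
                alerts.append(("new-state", src, dst, func))
            elif edge not in self.edges[key]:
                alerts.append(("new-transition", src, dst, func))
        return alerts

HMI, PLC = "10.0.0.5", "10.0.0.20"  # constructed addresses
# Constructed baseline: the HMI polls with 3 (Read Holding Registers) and
# occasionally issues one 6 (Write Single Register) before polling again.
LEARNING = [(HMI, PLC, f) for f in (3, 3, 6, 3, 3, 6, 3)]
# Constructed live traffic: back-to-back writes, a never-seen function code
# (16, Write Multiple Registers), and a host that never spoke to the PLC.
LIVE = [(HMI, PLC, 3), (HMI, PLC, 6), (HMI, PLC, 6), (HMI, PLC, 16),
        ("10.0.0.99", PLC, 3)]

def run_demo():
    model = FsmBaseline()
    model.learn(LEARNING)
    return model.detect(LIVE)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Because the polling loop is deterministic, a seven-message learning window is enough for this toy baseline; replaying the learning traffic produces no alerts, while each deviation in the live traffic is reported with the kind of departure from the learned machine.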

Rapid non-invasive deployment leveraging patented IoT/OT-aware behavioral analytics

 

Azure Sentinel Integration

Azure Sentinel offers all the benefits we’ve come to expect from native cloud-based services, including reduced complexity, built-in scalability, lower TCO, and continuous threat intelligence and software updates.

 

Azure Sentinel is now being enhanced with built-in IoT/OT security capabilities that set it even further apart from traditional SIEMs, including:

  • Deep integration with Azure Defender for IoT. By providing rich contextual information about the specialized OT devices and behaviors detected by Azure Defender for IoT, Azure Sentinel enables your SecOps teams to accelerate investigations and threat hunting. This is especially important in correlating and detecting modern kill-chains that move laterally across IT/OT boundaries.
  • IoT/OT-specific SOAR playbooks. These sample playbooks enable automated actions to swiftly remediate IoT/OT threats.
  • IoT/OT-specific threat intelligence. In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.

Azure Defender for IoT provides deep visibility into Operational Technology (OT) assets, vulnerabilities, and threats, generating real-time alerts that can be forwarded to Azure Sentinel and third-party solutions such as Splunk, IBM QRadar, and ServiceNow.

 

Getting Started

You can try the on-premises version of Azure Defender for IoT for free during the Public Preview period starting in October. Visit aka.ms/AzureDefenderForIoT to learn more, or contact your account manager for a demo.

 

Visit Azure Defender for IoT in the Azure portal in October to try it for yourself

 

Check out the Ignite 2020 technical session and demo: “Azure Defender for IoT including CyberX.”

 

[1] OT is an umbrella term that covers industrial internet of things (IIoT); industrial control systems (ICS); supervisory control and data acquisition (SCADA); and process control networks (PCN).

 

 

 

 

 

 

Updated May 11, 2021
Version 20.0
  • QServices
    Copper Contributor

    So what is the difference between Azure Defender and Azure Sentinel?