As organizations connect massive numbers of IoT/ OT devices to their networks to optimize functionings, boards and management squads are increasingly concerned about the expanding attempt surface and corporate liability that they represent. These connected devices is likely to be compromised by antagonists to pivot deeper into corporate networks and threaten safety, disrupt functionings, steal intellectual property, expose resources for Distributed Denial of Service( DDoS) botnets and cryptojacking, and induce significant financial losses.
For example, in June 2017, a destructive cyber onslaught known as “NotPetya” infected thousands of computers globally and resulted in dozens of enterprises experiencing significant financial losses. One of NotPetya’s victims, a global shipping and logistics company, lost $ 300 million as a result of production downtime and cleanup activities.
Why industrial and critical infrastructure OT networks are vulnerable
According to CyberX’s 2020 Global IoT/ ICS Risk Report, which analyzed network traffic from over 1,800 production OT networks, 71 percentage of OT sites are running unsupported versions of Windows that no longer receive security patches; 64 percent have cleartext passwords spanning their networks; 54 percent have devices that are able remotely managed applying remote desktop protocol( RDP ), secure shell( SSH ), and virtual network computing( VNC ), enabling attackers to pivot undetected; 66 percent are not automatically updating their Windows systems with the latest antivirus definitions; 27 percentage of sites have direct connections to the internet.
These vulnerabilities make it significantly easier for adversaries to compromise OT networks, whether their initial enter is via systems exposed to the internet or via lateral movement from the corporate IT network( employing compromised remote access credentials, for example ).
CISOs are increasingly accountable for both IT and IoT/ OT security. Nonetheless, according to a SANS survey, IT security teams absence visibility into the security and resiliency of their OT networks, with most respondents( 59 percent) stating they just “somewhat confident” in their organization’s ability to secure their industrial IoT devices.
Organizations need to invest in strengthening their IoT/ OT security and structure the appropriate policies and procedures so that new IoT/ OT monitoring and alerting systems will be successfully operationalized.
A key success factor is to achieve organizational alignment and solid collaboration with teams that will operate the system. In many organizations, these squads have traditionally worked in separate silos. Visibility and well-defined roles and responsibilities between IoT/ OT, IT, and security personnel are key for a successful alignment. Although there can be more connectivity between the IT and the IoT/ OT networks, “theyre still” separate networks with different characteristics. Personnel operating the IoT/ OT network are not ever security trained, and the security staff are not familiar with the IoT/ OT network infrastructure, machines, protocols, or applications. In particular, the top priority for OT personnel is maintaining the availability and integrity of their control networks–whereas IT security squads have traditionally been focused on maintaining the confidentiality of sensitive data.
Azure Defender for IoT is an agentless, network-layer IoT/ OT security platform that’s easy to deploy and provides real-time visibility to all IoT/ OT devices, vulnerabilities, and threats–within minutes of being connected to the OT network. Based on technology from Microsoft’s acquisition of CyberX, Azure Defender for IoT applies specialized IoT/ OT-aware behavioral analytics and threat intelligence to auto-discover unmanaged IoT/ OT assets and rapidly detect anomalous or unauthorized activities in your IoT/ OT network. Additionally, it enables you to centralize IoT/ OT security monitoring and governance via built-in integration with Azure Sentinel and third-party SOC solutions such as Splunk, IBM QRadar, and ServiceNow.
According to SANS, there’s a clear difference between the detection of an attack on corporate companies versus industrial and critical infrastructure organisations with control networks. While 72 percent of organizations without OT environments saw a compromise within seven days, only 45 percent of organizations with OT environments were able to do the same.
Reducing the time between compromise and detecting is a key catalyst for enabling your SOC with real-time IoT/ OT alerts and detailed contextual information about your IoT/ OT assets and vulnerabilities.
To operationalize security alerts from the IoT/ OT network, you must integrate them with your existing SOC workflows and tools. Given the significant investments that organizations have already stimulated in a centralized SOC, it builds sense to bring IoT/ OT security into their existing SOC and to expand the SOC responsibilities to be able to manage IoT/ OT incidents as well. This next step will create a productive working environment between the teams. Integration of the SOC within the IoT/ OT environment can create a competitive advantage for the organization.
Modern SOCs rely heavily on SIEM solutions to operate efficiently. This means that IoT/ OT security alerts and investigation processes should be delivered to the SOC team via their favor SIEM solution. SIEM solutions provide security value by normalizing and correlating data across the enterprise, including data ingested from firewalls, applications, servers, and endpoints.
As of today, most of our clients( 78 percent) who have deployed Azure Defender for IoT and have SIEM, have integrated( or are in the process of integrating) IoT/ OT security into their SIEM platform and SOC workflows.
The first step in a successful SOC integration is to integrate IoT/ alerts with your organizational SIEM. This capability is supported out of the box with Azure Defender for IoT. After integrating Azure Defender for IoT with a SIEM, clients typically invest a short time tuning which alertings are forwarded to the SIEM to reduce alarm fatigue.
The second stair is agreeing on which IoT/ OT security threats the organization would like to monitor in the SOC, based on the organizational threat landscape, industry needs, conformity, and more. Once relevant menaces are defined, you can define the use suits that constitute an incident within the SOC.
For example, a common use case is an unauthorized change to OT equipment, such as an unauthorized change to Programmable Logic Controller( PLC) code–since this can take down production and potentially cause a safety incident. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversary initially compromised a Windows workstation in the OT network and then uploaded a malicious back door to the PLC applying a legitimate industrial control system( ICS) command( you may recognize this as an excellent example of an OT-specific living-off-the-land tactic ).
This type of activity is immediately saw when Azure Defender for IoT sees a difference from the OT network baseline, such as a programming command sent from a new machine. Azure Defender for IoT incorporates Layer 7 Deep Packet Inspection( DPI) and patented IoT/ OT-aware behavioral analytics employ Finite-State Machine( FSM) modeling to create a baseline of OT network activity. Compared to generic baselining algorithms developed under IT networks( which are largely non-deterministic ), such approaches is optimized for the deterministic nature of OT networks–resulting in a faster read interval with fewer false positives and false negatives. Additionally, profoundly analyzing high-fidelity network traffic, including at the application layer, enables the platform to identify malicious OT commands and not just irregularities in source/ destination information.
In this particular use case, unauthorized changes to PLC ladder logic code can be an indication of either new functionality or parameters being programmed into the PLC, which typically only happens on rare occasions: an error on the part of a control engineer or a misconfigured application. In all these cases, the SOC should investigate with flower personnel to determine if the activity was malicious or legitimate.
Pace 3: Create SIEM detection rules
Once IoT/ OT security threat employ cases are defined, you can create detection rules and severity levels in the SIEM. Merely relevant incidents will be triggered, thus reducing unnecessary noise. For instance, you would define PLC code varies performed from unauthorized devices, or outside of work hours, as a high severity incident due to the high fidelity of this specific alert.
Pace 4: Define SOC workflows for solving
The fourth pace is to identify workflows for solving. This will likewise help remove ambiguity between IT security and OT teams about who is responsible for investigating unusual activities( note that unclear roles and responsibilities were also an important factor in the TRITON incident, until a second assault 2 months later ).
The goal is to enable Tier 1 SOC analysts to handle most IoT/ OT incidents and merely escalate to specialized IoT/ OT security experts when needed. This entails defining the appropriate workflow for mitigation and creating automated investigation playbooks for each use case.
For example, when the SOC receives an alert that PLC code changes have been initiated, check first if the programming device is an authorized engineering workstation, and then if it passed during normal work hours, whether it happened during a scheduled change window, etc. If the answer to these questions is no, you should immediately disconnect the rogue workstation from the network( or block it with a firewall rule, if possible ).
Here’s an example of a logical workflow for solving 😛 TAGEND
Step 5: Training and knowledge transfer
The fifth step is to offer comprehensive training to all stakeholders- for example, teach the SOC team about the unique characteristics of OT environments, so they can have intelligent conversations with IoT/ OT personnel when resolving incidents and can implement remediation acts that are relevant( and not harmful) for OT environments.
Azure Sentinel is the first cloud-native SIEM/ SOAR platform on a major public cloud. It delivers all the advantages of a cloud-based service, including simplicity, scalability, and lower total cost of ownership; provides a bird’s eye view across IT and OT to enable rapid detecting and response for multistage strikes that traverses IT/ OT bounds( like TRITON ); incorporates machine learning combined with continuously-updated threat intelligence from trillions of signals collected daily.
Azure Defender for IoT is deeply incorporated within Azure Sentinel, furnishing rich contextual information to SOC analysts beyond the basic information provided by simple Syslog alerts. For example, it provides details on which IoT/ OT assets associated with an alarm including device form, manufacturer, the protocol applied, firmware level, etc.
Azure Sentinel has also were reinforced with IoT/ OT-specific SOAR playbooks. The integrated combining of these two answers assists SOC analysts detect and respond to IoT/ OT incidents faster–so you can avoid incidents before they have a material impact on your firm.
If you’d like to learn more and realise a full demo to seeing how Azure Defender for IoT and Azure Sentinel can be used together to detect and investigate a sophisticated strike, check out our Microsoft Ignite sessionor read the blog “Go inside the new Azure Defender for IoT including CyberX.”
To learn more about Microsoft Security solutions visit our website . Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post 5 steps to enable your corporate SOC to rapidly detect and respond to IoT/ OT menaces showed first on Microsoft Security .
Read more: microsoft.com