In 2020, the move toward digital transformation and Industry 4.0 took on new urgency, with manufacturing and other critical infrastructure sectors under pressure to increase operational efficiency and reduce costs. But the cybersecurity model for operational technology (OT) was already shown to be lacking before the pandemic. A series of major cyberattacks across industries served as a wake-up call that the traditional "air-gapped" model for OT cybersecurity had become outdated in the age of IT/OT convergence and initiatives such as Smart Manufacturing and Smart Buildings. And the IoT and Industrial Internet of Things (IIoT) are only getting bigger. Analysts predict we'll have billions of IoT devices connected worldwide in a few years, drastically increasing the attack surface.
Corporate boards and management teams are understandably concerned about the increased safety and corporate liability risks, as well as the financial impact of crippling downtime, posed by IoT/OT breaches. They're also concerned about losing sensitive IP such as proprietary formulas and product designs, since manufacturers are eight times more likely to be attacked for cyberespionage than other sectors, according to the 2020 Verizon DBIR.[1]
In my recent Microsoft Ignite presentation, Azure Defender for IoT including CyberX, I was joined by Nir Krumer, Principal PM Manager at Microsoft, to examine how the new Azure Defender for IoT incorporates CyberX's agentless technology and IoT/OT-aware behavioral analytics to minimize those risks by providing IT teams with continuous IoT/OT visibility into their industrial and critical infrastructure networks. You're invited to view the full presentation and review some highlights below.
IT versus OT
Unlike information technology (IT) security, OT security is focused on securing physical processes and assets rather than digital assets like containers and SQL databases. Physical assets include devices like turbines, mixing tanks, HVAC systems in smart buildings and data centers, factory-floor machines, and more. In OT, the top priority is always safety and availability. Availability means that your production facilities must be resilient and keep operating, because that's where the revenue comes from. However, the biggest difference from IT security is that most chief information security officers (CISOs) and SOC teams today have little or no visibility into their OT risk, because they don't have the multiple layers of controls and telemetry that we have in IT environments. And OT risk translates immediately into business risk.
As recent history indicates, attacks on OT are already underway. The TRITON attack on the safety controllers in a Middle East petrochemical facility was intended to cause major structural damage to the facility and possible loss of human life. The attackers got their initial foothold in the IT network but subsequently employed living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new ways of compromising unmanaged OT devices, which historically haven't supported agents and are typically invisible to IT teams.
By incorporating agentless technology from Microsoft's recent acquisition of CyberX, Azure Defender for IoT enables IT and OT teams to identify critical vulnerabilities and detect threats using IoT/OT-aware behavioral analytics and machine learning, all without impacting availability or performance.
Asset discovery: Because you cannot protect what you don't know you have, Azure Defender tells you what IoT/OT devices are in your network and how they're communicating with each other. Also, if you're implementing a Zero Trust policy, you need to know how these devices are connected so you can segment them onto their own network and manage granular access to them.
Risk and vulnerability management: Azure Defender helps you identify vulnerabilities such as unauthorized devices, unpatched systems, unauthorized internet connections, and devices with unused open ports, so you can take a prioritized approach to mitigating IoT/OT risk for your crown-jewel assets. These are the critical devices whose compromise would have a major impact on your organization, such as a safety incident, loss of revenue, or theft of sensitive IP.
Continuous IoT threat monitoring and response: Azure Defender continuously monitors the OT network using Layer 7 Deep Packet Inspection (DPI), informing you immediately when there has been unusual or unauthorized behavior, and empowering you to mitigate an attack before it causes a production failure or safety incident. It incorporates a deep understanding of all major industrial protocols (including Modbus, DNP3, Siemens S7, Ethernet/IP CIP, GE-SRTP, and Yokogawa) and patented, IoT/OT-aware behavioral analytics to detect threats faster and more accurately, with a far shorter learning period than generic baselining algorithms.
Operational efficiency: When you have malfunctioning or misconfigured equipment, you need to quickly figure out what went wrong. By providing deep visibility into what's going on in the network, such as a misconfigured engineering workstation that's constantly scanning the network, you can help your IoT/OT engineers promptly identify and address the root cause of those issues.
Unified IT/OT security monitoring and governance: Azure Defender for IoT is deeply integrated with Azure Sentinel and also supports third-party tools such as Splunk, IBM QRadar, and ServiceNow. This helps break down the silos that slow communication between IT and OT teams, and creates a common language between them to quickly resolve issues. It also enables you to quickly address attacks that traverse IT/OT boundaries (like TRITON), and to leverage the workflows and training you spent years building in your security operations center (SOC) so you can apply them to IoT and OT security as well.
So, how does this system get deployed? Azure Defender for IoT uses a network sensor to capture a copy of the network traffic through a switched port analyzer (SPAN) port. It employs a technique called passive monitoring or network traffic analysis (NTA) to identify assets, vulnerabilities, and threats without impacting the performance or reliability of the IoT/OT network. The solution can be deployed 100 percent on-premises, connected to Azure, or as a hybrid of the two (for example, by forwarding alerts to Azure Sentinel).
Figure 2: Azure Defender for IoT uses an on-premises network sensor to capture and analyze all IoT/OT traffic. The solution can be deployed fully on-premises, connected to Azure, or in hybrid environments where the SIEM is cloud-based, as with Azure Sentinel.
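The asset-discovery, learned-baseline and passive-monitoring ideas above can be shown end to end on one protocol. The following is an added example, not code from Microsoft, CyberX or Azure Defender for IoT: a minimal network-traffic-analysis pass over Modbus/TCP request frames, as a sensor fed from a SPAN port would see them. It decodes the MBAP header (a public protocol detail), builds an inventory of which addresses act as Modbus clients and servers, learns a baseline of which client talks to which PLC unit with which function codes during a learning period, and afterwards flags three kinds of deviation: an address never seen before, a conversation outside the baseline (writes rated higher because they can change the physical process), and a malformed frame. All addresses and frames are constructed sample data; the alert names and severities are this example's own choices, not the product's.

```python
"""Passive Modbus/TCP monitoring: inventory, baseline, and deviation alerts.

Added example, not Microsoft's or CyberX's code. Addresses, frames, alert
names and severities below are constructed for illustration.
"""
import struct
from collections import defaultdict
from typing import Optional

MODBUS_TCP_PORT = 502
# Public-spec Modbus function codes; writes get a higher severity because
# an unexpected write can alter the physical process.
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  6: "Write Single Register", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16, 23}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU (everything after byte 6)
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": payload[7] & 0x7F,
            "exception": bool(payload[7] & 0x80), "data": payload[8:]}


def build_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used only to construct the sample traffic."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


class PassiveOtSensor:
    """Learns normal Modbus conversations, then alerts on anything outside them."""

    def __init__(self) -> None:
        self.assets = defaultdict(set)  # ip -> roles seen ("modbus-client"/"modbus-server")
        self.baseline = set()           # (src_ip, dst_ip, unit_id, function_code)
        self.learning = True

    def finish_learning(self) -> None:
        self.learning = False

    def observe(self, src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[dict]:
        """Inspect one request frame; return an alert dict, or None if it is expected."""
        if dst_port != MODBUS_TCP_PORT:
            return None  # only client->server requests are modeled here; replies are ignored
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            return {"alert": "malformed-modbus", "severity": "medium",
                    "src": src_ip, "dst": dst_ip, "detail": str(exc)}
        # A source address first seen after learning ended is itself an alert; after this
        # frame it is in the inventory, so later frames from it fall through to the baseline check.
        new_device = not self.learning and src_ip not in self.assets
        self.assets[src_ip].add("modbus-client")
        self.assets[dst_ip].add("modbus-server")
        key = (src_ip, dst_ip, frame["unit_id"], frame["function_code"])
        if self.learning:
            self.baseline.add(key)
            return None
        if new_device:
            return {"alert": "new-device", "severity": "high", "src": src_ip, "dst": dst_ip,
                    "detail": "address never spoke Modbus during the learning period"}
        if key in self.baseline:
            return None
        fc = frame["function_code"]
        return {"alert": "unauthorized-operation",
                "severity": "high" if fc in WRITE_CODES else "medium",
                "src": src_ip, "dst": dst_ip, "unit_id": frame["unit_id"],
                "function": FUNCTION_NAMES.get(fc, f"function {fc}"),
                "detail": "conversation not seen during the learning period"}


# Constructed sample traffic: an HMI and an engineering workstation polling one PLC.
HMI, ENG_WS, PLC, STRANGER = "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99"
READ_HR = build_frame(1, 1, bytes([3, 0, 0, 0, 10]))                 # FC3: read 10 registers
READ_COILS = build_frame(2, 1, bytes([1, 0, 0, 0, 8]))               # FC1: read 8 coils
WRITE_MULTI = build_frame(3, 1, bytes([16, 0, 5, 0, 1, 2, 0, 0x7F]))  # FC16: write 1 register
BAD_LENGTH = bytes.fromhex("0004000000ff0103")                       # length field 255, frame is 8 bytes


def run_sample() -> list:
    """Learn from routine polling, then inspect four frames; return the alerts raised."""
    sensor = PassiveOtSensor()
    for _ in range(3):  # learning period: only routine reads are seen
        sensor.observe(HMI, PLC, 502, READ_HR)
        sensor.observe(HMI, PLC, 502, READ_COILS)
        sensor.observe(ENG_WS, PLC, 502, READ_HR)
    sensor.finish_learning()
    events = [sensor.observe(HMI, PLC, 502, READ_HR),         # baselined read -> no alert
              sensor.observe(ENG_WS, PLC, 502, WRITE_MULTI),  # write never baselined -> high
              sensor.observe(STRANGER, PLC, 502, READ_HR),    # unknown address -> new-device
              sensor.observe(HMI, PLC, 502, BAD_LENGTH)]      # malformed frame -> medium
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The learning-then-detect split is what the text means by a baselining algorithm: the sensor never injects traffic, so it cannot disturb availability, and its alerts are keyed on deviations from the conversations it observed rather than on signatures. A real sensor would also model replies, track the other industrial protocols named above, and age the baseline as the plant changes.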
Azure Sentinel integration
To enable rapid detection and response for attacks that cross IT/OT boundaries, Azure Defender is deeply integrated with Azure Sentinel, Microsoft's cloud-native SIEM/SOAR platform. As a SaaS-based solution, Azure Sentinel delivers reduced complexity, built-in scalability, lower total cost of ownership (TCO), and continuous threat intelligence and software updates. It also provides built-in IoT/OT security capabilities, including:
Deep integration with Azure Defender for IoT: Azure Sentinel offers rich contextual information about specialized OT devices and behaviors detected by Azure Defender, enabling your SOC teams to correlate and detect modern kill chains that move laterally across IT/OT boundaries.
IoT/OT-specific SOAR playbooks: Sample playbooks enable automated actions to swiftly remediate IoT/OT threats.
IoT/OT-specific threat intelligence: In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.
You are invited to watch our Microsoft Ignite presentation to learn more about Azure Defender for IoT, including a live demo showing how the deep integration with Azure Sentinel can be used to investigate multistage IT/OT attacks like TRITON.
Visit the Azure Defender for IoT website to learn more and try it for free during Public Preview. You can also learn more about Microsoft Security solutions by visiting our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[1] 2020 Verizon DBIR, pages 36 and 59.
The post Go inside the new Azure Defender for IoT including CyberX appeared first on Microsoft Security.