Microsoft Defender and network devices (lab setup)
This blog is about setting up a lab environment for Microsoft Defender products which require network devices (switch). The following Microsoft Defender products are in-scope of this blog:
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT (Enterprise IoT)
I used a Cisco SG250 which is a 8-port managed switch with all the required features.
The required features of the managed switch are:
- SNMP (Simple Network Management Protocol) is required for the authenticated network scan.
- SPAN (Switch Port ANalyser) which is a port-mirroring / port-monitoring feature required to discover OT and/or IoT devices.
Pro-tip: you can use any switch as long it supports SNMP and SPAN
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint (MDE) device discovery can scan the network (agentless) for supported O.S. devices and IoT (Internet of Things). The third scan feature is called authenticated network device discovery.
A dedicated MDE device scans the network, authenticated via SNMP for deeper analysis. The discovered network devices are presented in the Network devices inventory including risk level (incidents and alerts) and exposure level (security recommendations)
The setup requires three steps:
- Setup SNMP authentication
- Download & install scanner
- Add new scan
Setup SNMP authentication
SNMP authentication is required for the scanning device to access the scanned network device for deep analysis, for ease of simplicity where are going to use a community string (pre-shared key). Logon to the management console of the network device.
- Display mode: Advanced
- SNMP -> Communities -> Add
Add the the SNMP Community String (SecretString in our example).
Download & install scanner
Download the scanner from the Authenticed scans in the Settings of Microsoft 365 Defender -> Device discovery section.
Install the software (MdatpScanAgentSetup.msi) on a device with MDE installed.
When the installation is done, activate the MDE network scanner.
Open a web browser, access https://microsoft.com/devicelogin and enter the code which activates the device in MDE as network scanner.
Add new scan
Add new scan creates a network device scan job which scans IP-range(s). Enter a name, scanning device, subnet and the community string for authentication.
The scan device is now ready to scan the network periodic for network devices and discover threats and vulnerabilities. The example below are discovered vulnerabilities including the security recommendations.
Microsoft Defender for IoT (Enterprise IoT)
Microsoft Defender for IoT and Enterprise IoT sensors are both dual-homed (one NIC connected to the IT/Internet network and one NIC connected to the OT network on the SPAN port of the switch) physical or virtual servers which ‘scan’ (listen) the network for network traffic on the switch via the SPAN port. In our example we use the IoT network as an example.
Pro-tip: the sensor will scan all types of devices including computer/server, IoT and OT devices
Microsoft Defender for IoT is optimized for OT networks/devices and Enterprise IoT is optimized for IT networks with IoT devices.
The setup requires two steps:
- configure the SPAN port
- deploy the sensor
Configure the SPAN port
The required SPAN configuration of the switch port (in our example port 8 / SPAN is listening on port 2 t/m 5 for connected IoT devices, Raspberry Pi’s in my lab). Logon to the management console of the network device.
- Display mode: Advanced
- Status and statistics -> SPAN Sources (port 2 t/m 5 in our example)
- Status and statistics -> SPAN Destinations (port 8 in our example)
Deploy sensor
The Microsoft Defender for IoT portal, section Sites and sensors, has the options to onboard a sensor. The OT sensor is a pre-defined image, the EIoT sensor is a bash command (requires Linux O.S. installed, I used Ubuntu 20.04).
See my previous blog which includes the deployment of the EIoT sensor.
After deployment of the EIoT (or OT) sensor, the device inventory of Microsoft Defender for IoT presents the discovered (IoT in our example) devices.
I hope this blog can help people to setup their own lab environment to test the Microsoft Defender products which requires network devices.
