Microsoft Defender for IoT / OT environments

This blog is a high level overview of Microsoft Defender for IoT and the integration with Azure Sentinel.

IT (Information Technology) is secure by default (at least it should be) and internet connected. OT (Operational Technology) is the opposite, it’s often Old Technology with availability in mind (not Security that’s why it’s an isolated network).

IoT (Internet of Things) is invading our corporate and home networks which increases the network exposure, often with security in mind but not always with vulnerability management in mind (even if you use a complex password on an IoT device, how often is the device updated compared to your computer or phone).

Azure Defender for IoT architecture

Azure Defender for IoT (previous CyberX) is part of the Azure Defender suite to monitor IoT/OT networks with zero impact on OT network performance (very critical). The Azure for IoT sensor requires two NICs (Network Interface Cards) connected to the OT (isolated) and IT (internet) network.

The OT network is connected via the SPAN (Switched Port ANalyser) port on the (core) switch for agentless monitoring.

For test / demo environments one switch with SPAN port (still required dual NIC sensor) is sufficient. The sensor can be a physical appliance or virtual appliance.

The deployment can be Offline (air-gapped) and Online (Online requires Azure IoT hub). The advantage of online is automatic updates of Threat Intelligence; OT IOCs (Indicators of Compromise), the Offline sensor requires manual updates (download the file from Azure Defender for IoT and upload in the sensor console).

Azure Defender for IoT features

Azure Defender for IoT provides the following main features:

  • Device discovery
  • Network mapping
  • Alerts
  • Risk assessment report

Device discovery provides insights in known and rogue (unknown) devices connected to the network

Network mapping provides an overview (Purdue layered model) of the device connections (the red devices have alerts). Selecting a device highlights the connections to other devices.

Alerts provide an overview of alerts (attacks or anomalies on the systems). These can be simulated via pcap files.

Pcap (re)play requires two NICs connected to the network on the sensor

Azure Defender (part of Azure Security Center) provides an overview of all Azure Defender for IoT (Hub) alerts.

Azure Sentinel (Microsoft Cloud-native SIEM) includes a default Azure Defender for IoT data connector to ingest the Security alerts in the Log Analytics workspace for triage and remediation.

The events and alerts are visible in the Azure Sentinel Dashboard and Incident console for the SOC (Security Operations Center) analyst.

This latest addition of Microsoft combines IT and OT to provide an integrated overview of the old and new world to correlate Security data and provide a better consolidated Security threat overview for the SOC (Security Operations Center).

Chief Technology Officer @ Nedscaper