Azure Defender for IoT
Author: Ronald Fung
Creation Date: 15 May 2023
Next Modified Date: 15 May 2024
A. Introduction
The Internet of Things (IoT) supports billions of connected devices that use both operational technology (OT) and IoT networks. IoT/OT devices and networks are often built using specialized protocols, and may prioritize operational challenges over security.
When IoT/OT devices can’t be protected by traditional security monitoring systems, each new wave of innovation increases the risk and possible attack surfaces across those IoT devices and OT networks.
Microsoft Defender for IoT is a unified security solution built specifically to identify IoT and OT devices, vulnerabilities, and threats. Use Defender for IoT to secure your entire IoT/OT environment, including existing devices that may not have built-in security agents.
Defender for IoT provides agentless, network layer monitoring, and integrates with both industrial equipment and security operation center (SOC) tools.
B. How is it used at Seagen
As a biopharma research company using Microsoft Azure, you can use Azure Defender for IoT to protect your IoT devices and networks from cyber threats. Here are some ways you can use Azure Defender for IoT:
Identify and manage IoT devices: Azure Defender for IoT allows you to discover and identify all your IoT devices across your network. You can use the Azure portal or APIs to view detailed information about your IoT devices and manage them effectively.
Monitor IoT device behavior: Azure Defender for IoT provides real-time monitoring of your IoT devices to detect any abnormal behavior. You can use Azure Sentinel or Azure Monitor to monitor your IoT devices and configure alerts for any suspicious activity.
Analyze IoT device data: Azure Defender for IoT allows you to analyze your IoT device data to detect patterns and identify anomalies. You can use Azure Stream Analytics or Azure Data Explorer to analyze your IoT device data and gain insights into your IoT environment.
Secure IoT devices and networks: Azure Defender for IoT provides security features such as device hardening, network segmentation, and role-based access control to help you secure your IoT devices and networks. You can use Azure Security Center to manage your IoT security policies and configure security alerts.
Integrate with other Azure services: Azure Defender for IoT can be integrated with other Azure services such as Azure IoT Hub, Azure Event Hubs, and Azure Functions. This allows you to secure your IoT devices and networks across different Azure services and applications.
C. Features
Agentless device monitoring
If your IoT and OT devices don’t have embedded security agents, they may remain unpatched, misconfigured, and invisible to IT and security teams. Un-monitored devices can be soft targets for threat actors looking to pivot deeper into corporate networks.
Defender for IoT uses agentless monitoring to provide visibility and security across your network, and identifies specialized protocols, devices, or machine-to-machine (M2M) behaviors.
Discover IoT/OT devices
in your network, their details, and how they communicate. Gather data from network sensors, Microsoft Defender for Endpoint, and third-party sources.Assess risks and manage vulnerabilities
using machine learning, threat intelligence, and behavioral analytics. For example:Identify unpatched devices, open ports, unauthorized applications, unauthorized connections, changes to device configurations, PLC code, firmware, and more.
Run searches in historical traffic across all relevant dimensions and protocols. Access full-fidelity PCAPs to drill down further.
Detect advanced threats that you may have missed by static indicators of compromise (IOCs), such as zero-day malware, fileless malware, and living-off-the-land tactics.
Respond to threats
by integrating with Microsoft services such as Microsoft Sentinel, other partner systems, and APIs. Integrate with security information and event management (SIEM) services, security operations and response (SOAR) services, extended detection and response (XDR) services, and more.
Defender for IoT’s centralized user experience in the Azure portal lets the security and OT monitoring teams visualize and secure all their IT, IoT, and OT devices regardless of where the devices are located.
Support for cloud, on-premises, and hybrid OT networks
Install OT network sensors on-premises, at strategic locations in your network to detect devices across your entire OT environment. Then, use any of the following configurations to view your devices and security value:
Cloud services:
While OT network sensors have their own UI console that displays details and security data about detected devices, connect your sensors to Azure to extend your journey to the cloud.
From the Azure portal, view data from all connected sensors in a central location, and integrate with other Microsoft services, like Microsoft Sentinel.
Air-gapped and on-premises services:
If you have an air-gapped environment and want to keep all your OT network data fully on-premises, connect your OT network sensors to an on-premises management console for central visibility and control.
Continue to view detailed device data and security value in each sensor console.
Hybrid services:
You may have hybrid network requirements where you can deliver some data to the cloud and other data must remain on-premises.
In this case, set up your system in a flexible and scalable configuration to fit your needs. Connect some of your OT sensors to the cloud and view data on the Azure portal, and keep other sensors managed on-premises only.
For more information, see System architecture for OT system monitoring.
Extend support to proprietary OT protocols
IoT and industrial control system (ICS) devices can be secured using both embedded protocols and proprietary, custom, or non-standard protocols. If you have devices that run on protocols that aren’t supported by Defender for IoT out-of-the-box, use the Horizon Open Development Environment (ODE) SDK to develop dissector plug-ins to decode network traffic for your protocols.
Create custom alerts for your plugin to pinpoint specific network activity and effectively update your security, IT, and operational teams. For example, have alerts triggered when:
The sensor detects a write command to a memory register on a specific IP address and Ethernet destination.
Any access is performed to a specific IP address.
For more information, see Manage proprietary protocols with Horizon plugins.
Protect enterprise IoT networks
Use one or both of the following methods to extend Defender for IoT’s agentless security features beyond OT environments to enterprise IoT devices.
Add an Enterprise IoT plan in Microsoft Defender for Endpoint for added alerts, vulnerabilities, and recommendations for IoT devices in Defender for Endpoint. An Enterprise IoT plan also provides a shared device inventory across the Azure portal and Microsoft 365 Defender.
Onboard an Enterprise IoT network sensor in Defender for IoT (Public Preview) to extend Defender for IoT device visibility to devices that aren’t covered by Defender for Endpoint.
Enterprise IoT devices can include devices such as printers, smart TVs, and conferencing systems and purpose-built, proprietary devices.
For more information, see Securing IoT devices in the enterprise.
Defender for IoT for device builders
Defender for IoT also provides a lightweight security micro-agent that you can use to build security straight into your new IoT innovations.
For more information, see the Microsoft Defender for IoT for device builders documentation.
Supported service regions
Defender for IoT routes all traffic from all European regions to the West Europe regional datacenter. It routes traffic from all remaining regions to the East US regional datacenter.
D. Where Implemented
E. How it is tested
Testing Azure Defender for IoT involves ensuring that the service is functioning correctly and securely, and meeting the needs of all stakeholders involved in the project. Here are some steps to follow to test Azure Defender for IoT:
Define the scope and requirements: Define the scope of the project and the requirements of all stakeholders involved in the project. This will help ensure that Azure Defender for IoT is designed to meet the needs of all stakeholders.
Develop test cases: Develop test cases that cover all aspects of Azure Defender for IoT functionality, including device discovery, threat detection, and reporting. The test cases should be designed to meet the needs of the organization, including scalability and resilience.
Conduct unit testing: Test the individual components of Azure Defender for IoT to ensure that they are functioning correctly. This may involve using tools like PowerShell or Azure CLI for automated testing.
Conduct integration testing: Test Azure Defender for IoT in an integrated environment to ensure that it works correctly with other systems and applications. This may involve testing Azure Defender for IoT with different operating systems, browsers, and devices.
Conduct user acceptance testing: Test Azure Defender for IoT with end-users to ensure that it meets their needs and is easy to use. This may involve conducting surveys, interviews, or focus groups to gather feedback from users.
Automate testing: Automate testing of Azure Defender for IoT to ensure that it is functioning correctly and meeting the needs of all stakeholders. This may involve using tools like Azure DevOps to set up automated testing pipelines.
Monitor performance: Monitor the performance of Azure Defender for IoT in production to ensure that it is meeting the needs of all stakeholders. This may involve setting up monitoring tools, such as Azure Monitor, to track usage and identify performance issues.
Address issues: Address any issues that are identified during testing and make necessary changes to ensure that Azure Defender for IoT is functioning correctly and meeting the needs of all stakeholders.
By following these steps, you can ensure that Azure Defender for IoT is tested thoroughly and meets the needs of all stakeholders involved in the project. This can help improve the quality of Azure Defender for IoT and ensure that it functions correctly in a production environment.
F. 2023 Roadmap
????
G. 2024 Roadmap
????
H. Known Issues
There are several known issues that can impact Azure Defender for IoT. Here are some of the most common issues to be aware of:
False positives: Azure Defender for IoT can sometimes flag legitimate traffic as malicious, leading to false positives. It is important to tune the service to avoid false positives and ensure that legitimate traffic is not blocked.
Performance issues: If the service is not properly sized, it can impact performance and availability, causing issues with the speed and reliability of Azure Defender for IoT.
Security issues: Security is a critical concern when it comes to Azure Defender for IoT. It is important to ensure that Azure Defender for IoT is secured and that access to the solution is restricted to authorized personnel.
Compatibility issues: Azure Defender for IoT may not be compatible with all platforms, devices, or languages. It is important to ensure that Azure Defender for IoT is compatible with the organization’s existing infrastructure before implementation.
Scalability issues: Scalability issues can arise when scaling up or down the service. It is important to ensure that the service can scale to meet the needs of the organization.
Integration issues: Integration issues can arise when integrating Azure Defender for IoT with other systems and applications. It is important to ensure that Azure Defender for IoT is designed to work seamlessly with other systems and applications to avoid integration issues.
Testing issues: Testing issues can arise when testing Azure Defender for IoT. It is important to ensure that testing is carried out thoroughly and that all aspects of Azure Defender for IoT functionality are tested.
Overall, Azure Defender for IoT requires careful planning and management to ensure that it is functioning correctly and meeting the needs of all stakeholders involved in the project. By being aware of these known issues and taking steps to address them, you can improve the quality of Azure Defender for IoT and ensure the success of your project.
[x] Reviewed by Enterprise Architecture
[x] Reviewed by Application Development
[x] Reviewed by Data Architecture