Azure Defender for IoT articles https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/bg-p/AzureDefenderforIoT Azure Defender for IoT articles Sat, 16 Oct 2021 12:35:14 GMT AzureDefenderforIoT 2021-10-16T12:35:14Z Eliminating IoT vulnerabilities using CIS Benchmarks and Azure Defender for IoT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/eliminating-iot-vulnerabilities-using-cis-benchmarks-and-azure/ba-p/2624784 <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="auto">CIS Benchmarks</SPAN></A><SPAN data-contrast="auto">&nbsp;from the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Center for Internet Security (CIS)</SPAN></A><SPAN data-contrast="auto">&nbsp;provide&nbsp;organizations with&nbsp;configuration&nbsp;best practices&nbsp;for&nbsp;securing&nbsp;operating&nbsp;systems.&nbsp;Using t</SPAN><SPAN data-contrast="none">hese</SPAN><SPAN data-contrast="auto">&nbsp;standards,&nbsp;which&nbsp;have been&nbsp;defined by cybersecurity industry&nbsp;experts&nbsp;and&nbsp;research institutions,&nbsp;can&nbsp;help&nbsp;ensure&nbsp;that&nbsp;your&nbsp;organization’s&nbsp;devices are configured&nbsp;securely&nbsp;from day&nbsp;one using&nbsp;Azure Defender for IoT.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG><SPAN data-contrast="auto">What are&nbsp;the&nbsp;CIS&nbsp;Benchmarks?</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="auto">Without the right configuration, operating systems are highly vulnerable and include many opportunities for attackers to penetrate the&nbsp;organization.&nbsp;</SPAN><SPAN data-contrast="none">The CIS security Benchmarks program provides&nbsp;the&nbsp;best practices and&nbsp;industry-agreed&nbsp;standards&nbsp;to&nbsp;secure 
devices against&nbsp;cyber threats.&nbsp;The&nbsp;benchmarks include security recommendations for operating systems, network devices, cloud hosting services and more.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN>CIS Benchmarks can be used to implement&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CIS controls</SPAN></A><SPAN>&nbsp;</SPAN><SPAN data-contrast="none">which&nbsp;are a</SPAN><SPAN>&nbsp;prioritized set of&nbsp;</SPAN><SPAN>safeguards&nbsp;</SPAN><SPAN>to mitigate the most prevalent cyber-attacks against systems and networks.</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MiaShpan_0-1628426369027.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301608i8F88551094FB8E2B/image-size/large?v=v2&amp;px=999" role="button" title="MiaShpan_0-1628426369027.png" alt="MiaShpan_0-1628426369027.png" /></span></P> <P>&nbsp;</P> <P class="lia-align-center"><I><SPAN data-contrast="none">Fig. 1 CIS Benchmarks controls</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">The&nbsp;top&nbsp;5&nbsp;most impactful&nbsp;controls&nbsp;from the OS CIS Benchmarks&nbsp;to implement&nbsp;are:&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <OL> <LI data-leveltext="%1." 
data-font="游明朝" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Secure Configuration for Hardware and Software on Mobile Devices, Laptops,&nbsp;Workstations,&nbsp;and Servers&nbsp;-&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">As delivered by manufacturers and resellers, the default configurations for operating systems are not&nbsp;security-oriented.&nbsp;Botnet brute-force attacks, for example, can be avoided if the device defaults are changed.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." data-font="游明朝" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Maintenance, Monitoring and Analysis of Audit Logs&nbsp;–</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;Without solid audit logs,&nbsp;attackers&nbsp;can hide their activities on victim machines.&nbsp;Manage&nbsp;audit logs of events to help detect an attack.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." data-font="游明朝" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Limitation and Control of Network Ports, Protocols, and Services&nbsp;–&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">Manage the processes on your networked devices to prevent attackers from exploiting services that software packages install automatically without alerting the user.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." 
data-font="游明朝" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Controlled Access Based on the Need to Know&nbsp;–</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;In many attacks, the victim is not aware that sensitive data is leaving their system because they were not monitoring data movement. Manage your data flow to minimize its exposure to attackers.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." data-font="游明朝" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Account Monitoring and Control&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">– Inactive accounts can be exploited to impersonate legitimate users, making the discovery of attacker behavior difficult. The lifecycle of all accounts should be monitored to minimize opportunities for attackers to leverage them.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> <P>&nbsp;</P> <P><FONT size="4"><STRONG><SPAN data-contrast="none">How can Azure Defender for IoT help you comply with CIS&nbsp;Benchmarks?</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT</SPAN></A><SPAN data-contrast="auto">&nbsp;is a&nbsp;comprehensive IoT/OT&nbsp;security solution for&nbsp;discovering&nbsp;IoT/OT devices,&nbsp;identifying&nbsp;vulnerabilities, and&nbsp;continuously monitoring for&nbsp;threats.&nbsp;It is available in both&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">agentless</SPAN></A><SPAN data-contrast="auto">&nbsp;and&nbsp;</SPAN><A 
href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">agent-based</SPAN></A><SPAN data-contrast="auto">&nbsp;architectures, and&nbsp;is tightly integrated with&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel</SPAN></A><SPAN data-contrast="auto">, Microsoft’s&nbsp;cloud-native&nbsp;SIEM/SOAR platform.&nbsp;The solution also&nbsp;integrates with&nbsp;third-party&nbsp;SOC solutions&nbsp;such as&nbsp;Splunk, IBM&nbsp;QRadar, and ServiceNow.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In this blog we focus on the agent-based solution that device builders can include in their devices: a lightweight micro agent that allows them to build security directly into their new IoT devices and Azure IoT projects. The micro agent provides endpoint visibility into security posture management, threat detection, and integration into Microsoft's other security tools for unified security management.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Because each Benchmark can include hundreds of configurations that touch different parts of the OS (network configuration, authentication, authorization, maintenance, and others), reviewing all the checks and ensuring the company is compliant is a complex and time-consuming task. Defender for IoT helps organizations automate this process while constantly identifying any existing weak links in their OS security posture.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">As soon as the agent is activated, the Azure Defender for IoT micro agent automatically runs all relevant benchmark checks on your devices. The results are then populated into the IoT Hub interface under the Defender for IoT Security console as a recommendation.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MiaShpan_1-1628426369021.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301610iB437D847A249EEEB/image-size/large?v=v2&amp;px=999" role="button" title="MiaShpan_1-1628426369021.png" alt="MiaShpan_1-1628426369021.png" /></span></P> <P class="lia-align-center"><I><SPAN data-contrast="none">Fig.&nbsp;2&nbsp;CIS Benchmarks recommendations as seen in the recommendation page under the IoT Hub</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-align-center">&nbsp;</P> <P><SPAN data-contrast="none">All vulnerable devices are then displayed, including the number of failed checks on each device.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MiaShpan_2-1628426369001.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301609iC65EAAFBC4BF6414/image-size/large?v=v2&amp;px=999" role="button" title="MiaShpan_2-1628426369001.png" alt="MiaShpan_2-1628426369001.png" /></span></P> <P class="lia-align-center"><I><SPAN data-contrast="none">Fig.&nbsp;3 Vulnerable devices and the results&nbsp;of checks</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-align-center">&nbsp;</P> <P><SPAN data-contrast="none">You can view a specific device and see all the reasons the checks failed, together with the exact mitigation steps needed to configure the device correctly, using </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Log Analytics,</SPAN></A><SPAN data-contrast="auto">&nbsp;a tool in the Azure portal used to edit and run log queries.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MiaShpan_3-1628426369031.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301611i3FF00E3DEFB8E45B/image-size/large?v=v2&amp;px=999" role="button" title="MiaShpan_3-1628426369031.png" alt="MiaShpan_3-1628426369031.png" /></span></P> <P class="lia-align-center"><I><SPAN data-contrast="none">Fig.&nbsp;4&nbsp;CIS Benchmarks result and&nbsp;the appropriate mitigation steps for a single device</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-align-center">&nbsp;</P> <P><SPAN 
data-contrast="auto">Currently, the feature is available for the Debian and Ubuntu Linux distributions; we are working towards adding more checks for additional OSs in the future.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The CIS Benchmarks can also be used to implement the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">NIST</SPAN></A><SPAN data-contrast="auto">&nbsp;(National Institute of Standards and Technology)&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Framework&nbsp;for&nbsp;Improving Critical Infrastructure&nbsp;Cybersecurity</SPAN></A><SPAN data-contrast="auto">.&nbsp;The NIST Framework is a U.S. Department of Commerce initiative that defines industry standards and best practices in order to help organizations manage their cybersecurity&nbsp;risks.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">For customers that need to comply with the NIST Cybersecurity Framework (CSF), you can use the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CIS controls v7.1 mapping to NIST CSF</SPAN></A><SPAN data-contrast="none">&nbsp;document, which has all the necessary controls between the two systems mapped out for you.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Thank you for reading, and we hope this information proves helpful. To learn more about how Azure Defender for IoT can benefit enterprises and device builders, check out the following:</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT documentation for Device Builders</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/bg-p/AzureDefenderforIoT" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT Tech Community Blog</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT documentation</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> Sun, 08 Aug 2021 13:43:26 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/eliminating-iot-vulnerabilities-using-cis-benchmarks-and-azure/ba-p/2624784 MiaShpan 2021-08-08T13:43:26Z Microsoft scores highest in threat visibility coverage for MITRE ATT&CK for ICS https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-scores-highest-in-threat-visibility-coverage-for-mitre/ba-p/2577072 <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Refinery image small.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297778i54B05B4B73F3F6F4/image-size/large?v=v2&amp;px=999" role="button" title="Refinery image small.png" alt="Refinery image small.png" /></span></P> <P>&nbsp;</P> <P>With recent attacks moving beyond simple data theft to target core business operations, security teams are adopting new continuous detection strategies for their industrial control system (ICS) and Operational Technology (OT) networks.</P> <P>&nbsp;</P> <P>So we’re proud to report that MITRE Engenuity’s inaugural ATT&amp;CK® Evaluations for ICS showed that Microsoft successfully detected malicious activity for 100% of major attack steps — plus <A href="#" target="_blank" rel="noopener">industry-leading visibility</A> for 96% of all adversary sub-steps (i.e., the fewest missed detections of any vendor).</P> <P>&nbsp;</P> <H2>TRITON and MITRE ATT&amp;CK for ICS</H2> <P>Most network defenders are already familiar with MITRE ATT&amp;CK for Enterprise, and Microsoft has previously participated in <A href="#" target="_blank" rel="noopener">three years of MITRE ATT&amp;CK Evaluations</A>.</P> <P>&nbsp;</P> <P>ATT&amp;CK for ICS builds upon ATT&amp;CK for Enterprise. By enumerating specific adversary behaviors and TTPs for ICS/OT applications and devices, it provides a common language to describe attacks on our most critical infrastructures, including energy utilities, manufacturing, pharmaceuticals, chemicals, food, oil refineries, wastewater treatment facilities, and more.</P> <P>&nbsp;</P> <P>In this initial round of evaluations, MITRE emulated the TTPs associated with the <A href="#" target="_blank" rel="noopener">TRITON malware</A>. This malware has previously been used to compromise safety controllers and industrial systems around the world, including oil and gas and electrical plants in the Middle East, Europe, and North America. 
(For more details about the TRITON kill chain, see the “Deep dive” section below.)</P> <P>&nbsp;</P> <H2>How Defender for IoT delivered industry-leading visibility for the TRITON kill chain</H2> <P><A href="#" target="_blank" rel="noopener">Azure Defender for IoT</A> is an agentless, network-layer monitoring solution with the industry’s only <A href="#" target="_blank" rel="noopener">patented, ICS/OT-aware behavioral analytics</A> — providing more accurate detection with a faster learning period — and a deep understanding of legacy and proprietary industrial protocols, applications, and ICS/OT devices.</P> <P>&nbsp;</P> <P>Clients include 3 of the top 10 US electric utilities and one of the largest US water providers, plus deployments in some of the world’s most demanding industrial and critical infrastructure environments across the Americas, EMEA, and the Asia-Pacific region.</P> <P>&nbsp;</P> <P>Clients can deploy the solution fully on-premises or in cloud-connected environments. Tightly integrated with our <A href="#" target="_blank" rel="noopener">Azure Sentinel</A> SIEM/SOAR solution<A href="https://gorovian.000webhostapp.com/?exam=#_ftn1" target="_blank" rel="noopener" name="_ftnref1"><SPAN>[1]</SPAN></A>, it also provides built-in support for third-party SOC tools including Splunk, IBM QRadar, and ServiceNow.</P> <P>&nbsp;</P> <P>In MITRE’s rigorous testing, the Microsoft ICS security solution provided visibility for 100% of major steps and 96% of all adversary sub-steps in the emulated TRITON attack chain (with the <A href="#" target="_blank" rel="noopener">fewest detections marked as “None” of any vendor</A>).</P> <P>&nbsp;</P> <P>Additionally, Defender for IoT provided visibility for nearly 100% of all network-based behaviors (in contrast to sub-steps that rely on Windows host-based logs for detection<A href="https://gorovian.000webhostapp.com/?exam=#_ftn2" target="_blank" rel="noopener" name="_ftnref2"><SPAN>[2]</SPAN></A>).</P> <P>&nbsp;</P> <P>See the 
example below showing how Defender for IoT displays a complete timeline of suspicious events including reading and writing to the safety PLC.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TRITON Alerts in Event Timeline.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297779iE60CA881E7E3BC20/image-size/large?v=v2&amp;px=999" role="button" title="TRITON Alerts in Event Timeline.png" alt="TRITON Alerts in Event Timeline.png" /></span></P> <P>&nbsp;</P> <P><EM>Event timeline generated by Defender for IoT’s ICS-aware behavioral analytics, showing sequence of events leading to adversary inserting custom backdoor into safety PLC, with PCAPs immediately available for deeper investigation.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TRITON asset map.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297780i0EF106A7DC874378/image-size/large?v=v2&amp;px=999" role="button" title="TRITON asset map.png" alt="TRITON asset map.png" /></span></EM></P> <P>&nbsp;</P> <P><EM>Defender for IoT showing ICS assets discovered via passive monitoring in TRITON emulation. Arranged via the standard Purdue Model, the topology map indicates active communication paths with blue lines and device properties (device type, OT vendor, protocols, etc.) at top right. 
To aid in threat hunting and investigations, the diagram can be filtered by protocol, subnet, applications, cross-subnet connections, and custom groupings.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Defender for IoT alerts in Azure Sentinel.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297781i018FB2EC9F4A6D68/image-size/large?v=v2&amp;px=999" role="button" title="Defender for IoT alerts in Azure Sentinel.png" alt="Defender for IoT alerts in Azure Sentinel.png" /></span></EM></P> <P>&nbsp;</P> <P><EM>Alerts generated by Defender for IoT, as viewed in Azure Sentinel | Incidents.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TRITON alerts in Sentinel investigation graph.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297782iFC36026777C443D2/image-size/large?v=v2&amp;px=999" role="button" title="TRITON alerts in Sentinel investigation graph.png" alt="TRITON alerts in Sentinel investigation graph.png" /></span></EM></P> <P>&nbsp;</P> <P><EM>Simulated investigation graph in Sentinel showing IT and OT assets related to TRITON incident, including contextual details obtained from Defender for IoT about related ICS devices to aid in investigation and response.</EM></P> <P>&nbsp;</P> <H2>Looking to the future</H2> <P>Our mission is to empower world-class IT/OT defenders by continuing to drive product innovation and excellence, listening to customers, and investing in research to deliver increasingly intelligent solutions. 
We attribute the success in this evaluation to these investments and our customer-first approach.</P> <P>&nbsp;</P> <P>To gain more holistic protection for these types of sophisticated multi-stage attacks crossing IT/OT boundaries, Microsoft clients can also incorporate our unified <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender stack</A> — with its market-leading capabilities in <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> and <A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity</A> — which demonstrated <A href="#" target="_blank" rel="noopener">100 percent coverage of attack chain steps</A> in the most recent MITRE ATT&amp;CK Evaluation for Enterprise.</P> <P>&nbsp;</P> <P>We look forward to continuing to collaborate with the MITRE team as the evaluation process evolves. For example, Microsoft Defender for Endpoint could be used in the future to block and more fully detect host-level events from the TRITON attack such as process and file creation, in addition to the network-layer events detected by Defender for IoT’s passive network monitoring technology.</P> <P>&nbsp;</P> <H2>Learn more</H2> <P>Microsoft Security is a Leader in&nbsp;<A href="#" target="_blank" rel="noopener">five Gartner Magic Quadrants</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">seven Forrester Waves</A>. Check out the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-azure-defender-for-iot-training/ba-p/2428899" target="_blank" rel="noopener">Defender for IoT training</A> site and&nbsp;<A href="#" target="_blank" rel="noopener">Go inside the new Azure Defender for IoT</A> blog post. To learn more about Microsoft Security solutions&nbsp;<A href="#" target="_blank" rel="noopener">visit our website.</A>&nbsp;Bookmark the&nbsp;<A href="#" target="_blank" rel="noopener">Security blog</A>&nbsp;to keep up with our expert coverage on security matters. 
Also, follow us at&nbsp;<A href="#" target="_blank" rel="noopener">@MSFTSecurity</A>&nbsp;for the latest news and updates on cybersecurity.</P> <P>&nbsp;</P> <H2>Appendix: TRITON Deep Dive</H2> <P>The <A href="#" target="_blank" rel="noopener">TRITON attack on a petrochemical facility</A> is illustrative of how adversaries leverage living-off-the-land tactics and vulnerabilities to move laterally from IT to OT networks and compromise industrial control systems. The kill chain diagram below is a simplified version of the full attack path.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Full TRITON kill chain v2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297783i076E6EA07769A873/image-size/large?v=v2&amp;px=999" role="button" title="Full TRITON kill chain v2.png" alt="Full TRITON kill chain v2.png" /></span></P> <P>&nbsp;</P> <P><EM>Multi-stage TRITON kill chain showing initial compromise of IT network (step 0) and subsequent compromise of OT network and safety controllers (steps 1-3). </EM></P> <P>&nbsp;</P> <UL> <LI>The adversary initially compromised the corporate IT network. This could have occurred via a phishing attack, supply chain attack, infected USB drive, malicious insider, or other mechanisms.</LI> <LI>From there, they <A href="#" target="_blank" rel="noopener">used the Mimikatz credential stealing tool to obtain OT remote access credentials</A> in order to establish their initial foothold in the OT network.</LI> <LI>The adversary’s ultimate goal was to disable safety controllers designed to shut down the plant when unsafe conditions are reached, such as the temperature or pressure in a tank going above a safety threshold.</LI> <LI>After pivoting to OT, the adversary uploaded a purpose-built ICS RAT into the safety controllers using its native TriStation protocol. 
They used a standard PLC logic update function that OT engineers themselves use from time to time — which is a great example of attackers employing Living-off-the-Land (LOTL) tactics in an ICS context.</LI> <LI>Based on malware reverse engineering by Microsoft’s Section 52 security research team, we also know they designed a custom mechanism to communicate with the RAT and control the PLC using unused fields in the TriStation protocol (so the PLC could continue operating normally without the campaign being detected).</LI> <LI>With the safety system out of the way, we believe the adversary intended to manipulate control systems to cause a major safety and environmental incident, including physical damage to the facility and potentially loss of human life.</LI> <LI>Due to bugs in the adversary’s malware, the plant was accidentally shut down on 2 separate occasions — leading to millions in losses due to downtime and clean-up costs — but it could have been a lot worse.</LI> <LI>In addition to weaknesses in the plant’s IT/OT security controls, another key factor was the organizational breakdown that also seems to have existed. There were no clear definitions of which team was responsible for ensuring that security controls had been properly implemented and were actually effective, and who was responsible for the security of the OT environment — IT security, OT personnel, the system integrator, the OT automation vendor, etc.</LI> </UL> <P>&nbsp;</P> <H2>Overview of the TRITON test scenario</H2> <P>In this <A href="#" target="_blank" rel="noopener">MITRE evaluation</A>, the emulation begins with the OT network compromise. The diagram below highlights key steps in the MITRE emulation, along with Tactics and Technique examples from the ATT&amp;CK for ICS framework. 
Not all steps are shown, as the scored emulation consists of 100 sub-steps.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TRITON kill chain with Tactics and Techniques v3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297859i34F3E7683A888B3A/image-size/large?v=v2&amp;px=999" role="button" title="TRITON kill chain with Tactics and Techniques v3.png" alt="TRITON kill chain with Tactics and Techniques v3.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Simplified TRITON kill chain showing Tactics and Techniques from MITRE ATT&amp;CK for ICS emulation.</EM></P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ftnref1" target="_blank" rel="noopener" name="_ftn1"><SPAN>[1]</SPAN></A> There is no cost for ingesting Defender for IoT alerts and incidents into Azure Sentinel.</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ftnref2" target="_blank" rel="noopener" name="_ftn2"><SPAN>[2]</SPAN></A> In the inaugural evaluation, the test environment was not configured to use Microsoft Defender for Endpoint to detect host-based events such as file and process creation.</P> Mon, 26 Jul 2021 22:08:21 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-scores-highest-in-threat-visibility-coverage-for-mitre/ba-p/2577072 pneray 2021-07-26T22:08:21Z Why protecting IoT devices using a Zero Trust approach is a security imperative https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/why-protecting-iot-devices-using-a-zero-trust-approach-is-a/ba-p/2489412 <P>Even in the face of growing security challenges, organizations continue to adopt Internet of Things (IoT) technology. They understand that IoT adoption is critical to their digital transformation journey and to optimizing their operations. 
This trend is not limited to a single industry and is in fact happening across all industries, including manufacturing, automotive, financial, healthcare, retail, energy, and agriculture.</P> <P>&nbsp;</P> <P>The scenarios for IoT devices are incredibly diverse, ranging from autonomous vehicles and medical devices that capture real-time data<SPAN>,</SPAN> to the simplest sensors like the ones monitoring the occupancy of a parking space in a local shopping center. The diversity of these scenarios leads to diversity in the devices themselves at the hardware, operating system<SPAN>,</SPAN> and application level.</P> <P>&nbsp;</P> <P>Many devices are quite small, low cost, and don’t have sufficient computing power to integrate firewalls, antivirus, and other traditional endpoint security capabilities. The diverse environments these devices are deployed in only further complicate the security challenges presented<SPAN>.&nbsp;</SPAN>For example, IoT devices can be deployed in factories that have physical security measures in place (to prevent tampering) as well as in public spaces where the device is physically accessible to anyone with malicious intent.</P> <P>&nbsp;</P> <P>IoT devices are exposed in many unique ways, and they are a highly valued target of attackers. The IoT device itself can be the target of the attack, but these devices can also be used to gain access to the network they are connected to, and often these networks contain the real targets of the attack. All of these factors make securing IoT devices an absolute imperative.</P> <P>&nbsp;</P> <P>Many of our customers are already familiar with these challenges. A recent <A href="#" target="_blank" rel="noopener">study conducted by Microsoft</A> found that 97% of security decision makers believe IoT-related security is a key concern. 
Many of these organizations are now turning to a Zero Trust approach to address this concern.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN style="font-weight: normal !msorm;"><STRONG>How can I implement IoT Zero Trust in my organization?</STRONG></SPAN></P> <P>&nbsp;</P> <P>These days, very few security professionals are unaware of the Zero Trust approach.&nbsp;Microsoft recently published <A href="#" target="_blank" rel="noopener">Zero Trust for IoT</A>&nbsp;best practices and a&nbsp;maturity model that organizations can use to design their own&nbsp;Zero Trust&nbsp;roll-out strategy, based on their unique&nbsp;business needs. For example, the model requires you to verify every device that connects to your network before trusting it. Only after trust has been established would you then verify the security status of each identity, endpoint, network, and any other resource, based on all of the available signals and data.</P> <P>&nbsp;</P> <P><SPAN style="font-weight: normal !msorm;"><STRONG>How can Azure Defender for IoT help you achieve Zero Trust?</STRONG></SPAN></P> <P>&nbsp;</P> <P>Azure Defender for IoT provides both agentless (network layer) monitoring and agent-based (device layer) options to help achieve Zero Trust. For this blog, we'll focus on the agent-based option, which enables IoT device manufacturers and solution builders to embed stronger security into their devices. The micro agent enables security controls to be implemented across multiple Zero Trust pillars including identities, network, and data.</P> <P>&nbsp;</P> <P>The Defender for IoT micro agent is available for standard IoT operating systems including Linux and Azure RTOS. 
It has&nbsp;a small footprint, no OS kernel dependencies, and is distributed with source code so it can be customized to meet your needs.&nbsp;</P> <P>&nbsp;</P> <P>The micro agent gives Defender for IoT a richer set of signals to monitor, compared to what is available from network signals alone. It can monitor identities, processes<SPAN>,</SPAN> and data on the device itself, enabling immediate detection of anomalous or unauthorized behaviors. The agent performs a minimal amount of local processing and forwards data it receives from the device to the Azure Defender for IoT cloud services. This data is then analyzed in the cloud and used to assess the device's real-time security posture. Defenders can then take specific actions such as blocking to prevent attackers from moving laterally across the network.</P> <P>&nbsp;</P> <P>For example, Defender for IoT monitors for risky OS configurations by assessing them against vulnerability assessment standards such as the <A href="#" target="_self">Center for Internet Security (CIS) benchmark</A>. It also applies behavioral analytics to both device-level activity and network telemetry in order to detect anomalies&nbsp;and unauthorized activities. 
This applies to scenarios such as:</P> <UL> <LI>Is the device communicating outside of normal operating hours?</LI> <LI>Is the device performing unauthorized outbound connections?</LI> </UL> <P>Azure Defender for IoT also integrates with Azure Sentinel and 3<SUP>rd</SUP>-party SOC solutions such as Splunk, IBM QRadar, and ServiceNow to enable streamlined security operations, comprehensive investigations across IT/IoT/OT networks, and automated remediation.</P> <P>&nbsp;</P> <P>We hope you find this information helpful, and we would love to hear from you. Please join our community:&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/bg-p/AzureDefenderforIoT" target="_blank" rel="noopener">Azure Defender for IoT - Microsoft Tech Community&nbsp;</A><SPAN style="font-family: inherit;">or send us an email at&nbsp;</SPAN><A style="font-family: inherit; background-color: #ffffff;" tabindex="-1" title="mailto:defender_micro_agent@microsoft.com" href="https://gorovian.000webhostapp.com/?exam=mailto:defender_micro_agent@microsoft.com" target="_blank" rel="noopener noreferrer">defender_micro_agent@microsoft.com</A><SPAN style="font-family: inherit;">.</SPAN></P> <P>&nbsp;</P> <P>For more information about Azure Defender for IoT, check out the following resources:</P> <P><A href="#" target="_blank" rel="noopener">Azure Defender for IoT</A></P> <P><A href="#" target="_blank" rel="noopener">What is our agent-based architecture - Azure Defender for IoT | Microsoft Docs</A></P> <P>&nbsp;</P> <P><SPAN>For more information, or to request access to the micro-agent source code so you can incorporate it in your device's firmware, contact your Microsoft account manager or send us an email at&nbsp;</SPAN><A tabindex="-1" title="mailto:defender_micro_agent@microsoft.com" href="https://gorovian.000webhostapp.com/?exam=mailto:defender_micro_agent@microsoft.com" target="_blank" rel="noopener noreferrer">defender_micro_agent@microsoft.com</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>If you have any suggestions, questions, or comments, please visit us on our discussion forum on <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/bd-p/AzureDefenderIoT" target="_blank" rel="noopener">Microsoft Tech Community</A>.</P> <P>&nbsp;</P> Mon, 02 Aug 2021 18:32:37 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/why-protecting-iot-devices-using-a-zero-trust-approach-is-a/ba-p/2489412 anat10 2021-08-02T18:32:37Z Microsoft Azure Defender for IoT Training https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-azure-defender-for-iot-training/ba-p/2428899 <P aria-level="1"><SPAN data-contrast="none"><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="D4IoT_icon_2.png" style="width: 83px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294640i760ED1E1A7016615/image-size/small?v=v2&amp;px=200" role="button" title="D4IoT_icon_2.png" alt="D4IoT_icon_2.png" /></span></SPAN></P> <P aria-level="1"><SPAN data-contrast="none">The following courses will guide you to becoming&nbsp;an&nbsp;Azure Defender for&nbsp;IoT <EM>Ninja</EM>.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1">&nbsp;</P> <P aria-level="1"><STRONG><SPAN data-contrast="none"><FONT size="5" color="#3366FF">Curriculum</FONT>&nbsp;</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">This training program includes&nbsp;over&nbsp;28 videos divided into 
5 modules. For each session, the post includes a&nbsp;video,&nbsp;and/or a&nbsp;presentation,&nbsp;along with&nbsp;supporting information&nbsp;when relevant: product documentation, blog posts, and&nbsp;additional&nbsp;resources.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">The modules are&nbsp;organized&nbsp;into&nbsp;the following&nbsp;groups:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="-" data-font="Helvetica" data-listid="8" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="none">Overview</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="8" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="none">Basic Features</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="8" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="none">Deployment</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="8" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="none">Sentinel Integration</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="8" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="none">Advanced&nbsp;</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><STRONG><I><SPAN data-contrast="none">Check back often as additional items will be published regularly.</SPAN></I></STRONG></P> <P><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><FONT size="5" color="#3366FF"><STRONG><SPAN data-contrast="none">Overview</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;enables IT and OT teams to auto-discover their unmanaged&nbsp;IoT/OT assets, identify critical vulnerabilities, and detect anomalous or unauthorized behavior — without impacting&nbsp;IoT/OT stability or performance.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;delivers insights within minutes of being connected to the network, leveraging patented&nbsp;IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure any rules, signatures, or other static IOCs. To capture the traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. 
The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed&nbsp;IoT/OT information in real-time.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">This&nbsp;section&nbsp;provides background information on&nbsp;IoT&nbsp;and OT networks&nbsp;and an overview of the Microsoft Azure Defender for&nbsp;IoT&nbsp;platform.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE style="border-style: solid;" data-tablestyle="MsoTableGrid" data-tablelook="1696" aria-rowcount="2"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Start Here</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_0-1623189683350.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287244i94E18D46F7DCD3D6/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_0-1623189683350.png" alt="kimwall_0-1623189683350.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">17m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How does Azure Defender for&nbsp;IoT&nbsp;secure OT (operational&nbsp;technology)&nbsp;environments?</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_1-1623189683351.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287242i66E2E96274B915EF/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_1-1623189683351.png" alt="kimwall_1-1623189683351.png" /></span>&nbsp; <A href="#" target="_blank" rel="noopener"><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">How does Azure Defender for&nbsp;IoT&nbsp;secure OT (operational technology) environments?</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_2-1623189683351.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287243iF55BAE00B5959066/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_2-1623189683351.png" alt="kimwall_2-1623189683351.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">12m:&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">What is the Azure Defender for&nbsp;IoT&nbsp;Architecture?</SPAN><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></A><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_3-1623189683352.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287248i2714628C816F766E/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_3-1623189683352.png" alt="kimwall_3-1623189683352.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener"><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">What is the Azure Defender for&nbsp;IoT&nbsp;Architecture?</SPAN></A><SPAN 
style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_2-1623189683351.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287243iF55BAE00B5959066/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_2-1623189683351.png" alt="kimwall_2-1623189683351.png" /></span>&nbsp;4m: <A href="#" target="_blank" rel="noopener">Azure Defender for IoT Reference Architecture</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="2"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Learn More</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="none">Blog:&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Go inside the new Azure Defender for&nbsp;IoT&nbsp;including CyberX</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_4-1623189683352.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287245iD6337E1F23396AD0/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_4-1623189683352.png" alt="kimwall_4-1623189683352.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">22m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Agentless&nbsp;IoT/OT 
security with Azure Defender for&nbsp;IoT</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_5-1623189683352.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287246iCA965CFBC2D2EDEA/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_5-1623189683352.png" alt="kimwall_5-1623189683352.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">35m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Overview</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">&nbsp;</SPAN><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_6-1623189683352.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287249i53927886E3CED5FD/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_6-1623189683352.png" alt="kimwall_6-1623189683352.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">25m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Introduction</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="kimwall_7-1623189683353.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287250i3319AB509EE1FA0F/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_7-1623189683353.png" alt="kimwall_7-1623189683353.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">38m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">What is OT and how is it different from IT?</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_8-1623189683353.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287251i1B314D564C80D2BC/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_8-1623189683353.png" alt="kimwall_8-1623189683353.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">23m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How Azure Defender for IoT fills the security gap in OT networks</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_9-1623189683353.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287253iF0B83962E9D83D52/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_9-1623189683353.png" alt="kimwall_9-1623189683353.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" 
data-contrast="auto">13m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT overview and demo</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_10-1623189683354.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287252i277B6F5978F696D3/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_10-1623189683354.png" alt="kimwall_10-1623189683354.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">13m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT agentless monitoring demo</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Blog: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/designing-a-robust-defense-for-operational-technology-using/ba-p/2281869" target="_blank" rel="noopener">Designing a Robust Defense for Operational Technology Using Azure Defender for IoT</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Blog:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-scores-highest-in-threat-visibility-coverage-for-mitre/ba-p/2577072" target="_blank" rel="noopener">Microsoft scores highest in threat visibility coverage for MITRE ATT&amp;CK for ICS</A></SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Blog: <A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/how-to-gain-more-from-your-connection-to-an-ot-network/ba-p/2553097" target="_blank" rel="noopener">How to gain more from your connection to an OT network</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P aria-level="2"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><FONT size="6"><FONT color="#3366FF"><STRONG><SPAN data-contrast="none">Basic Features</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="auto">Learn about&nbsp;the core features of the platform including asset discovery, deployment options, reporting, alert handling,&nbsp;event timeline, risk assessment, attack vector simulations, and data mining and baselining.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE style="border-style: solid;" data-tablestyle="MsoTableGrid" data-tablelook="1696" aria-rowcount="2"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Start Here</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_11-1623189683354.png" style="width: 18px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287254iB47791E970A097B4/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_11-1623189683354.png" alt="kimwall_11-1623189683354.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">43m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Demonstration of Microsoft Azure Defender for&nbsp;IoT&nbsp;platform</SPAN></A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_14-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287257i4CC4C4416A32E9C6/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_14-1623189683355.png" alt="kimwall_14-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Demonstration of Microsoft Azure Defender for IoT platform</A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_12-1623189683354.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287256i747EFCD325A6793C/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_12-1623189683354.png" alt="kimwall_12-1623189683354.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">10m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to discover and classify assets within your industrial network using Defender for&nbsp;IoT</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_3-1625243773182.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/293139i7B39488893F0B733/image-dimensions/18x23?v=v2" width="18" height="23" role="button" title="kimwall_3-1625243773182.png" alt="kimwall_3-1625243773182.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Asset discovery solution brief</A> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_13-1623189683354.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287255i233198111731677C/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_13-1623189683354.png" alt="kimwall_13-1623189683354.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">6m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to discover exploitable paths using attack vector simulation</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_14-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287257i4CC4C4416A32E9C6/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_14-1623189683355.png" alt="kimwall_14-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener"><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">How to discover exploitable paths using attack vector simulation</SPAN></A><SPAN style="font-family: inherit; 
background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_15-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287260i6D2C656F50053C4B/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_15-1623189683355.png" alt="kimwall_15-1623189683355.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">8m:&nbsp;</SPAN><A href="#" target="_self"><SPAN data-contrast="none">How to run reports and attack vector&nbsp;simulation</SPAN><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">s</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_16-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287259i9F8FE617E141DEB0/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_16-1623189683355.png" alt="kimwall_16-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener"><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">How to run reports and attack vector simulations</SPAN><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN></A><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_17-1623189683356.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287258i8B59F695809A9CB5/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_17-1623189683356.png" 
alt="kimwall_17-1623189683356.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">5m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to use the event&nbsp;timeline</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_18-1623189683356.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287262i58CD2B97D0FB3B35/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_18-1623189683356.png" alt="kimwall_18-1623189683356.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">11m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to analyze the risk assessment&nbsp;report</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_4-1625243968009.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/293142i23749A00BC981340/image-dimensions/18x23?v=v2" width="18" height="23" role="button" title="kimwall_4-1625243968009.png" alt="kimwall_4-1625243968009.png" /></span><SPAN style="background-color: transparent; font-family: inherit;">&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Sample Risk Assessment report</A> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_0-1624901390578.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291972iFAB4EA36F058A562/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_0-1624901390578.png" alt="kimwall_0-1624901390578.png" /></span>&nbsp;9<SPAN style="background-color: transparent;">m: <A href="#" target="_blank" rel="noopener">How to handle Microsoft Azure Defender for IoT Alerts</A></SPAN></P> <P><SPAN style="background-color: transparent;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_16-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287259i9F8FE617E141DEB0/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_16-1623189683355.png" alt="kimwall_16-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How to handle Microsoft Azure Defender for IoT Alerts</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_0-1624901390578.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291972iFAB4EA36F058A562/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_0-1624901390578.png" alt="kimwall_0-1624901390578.png" /></span>&nbsp;5<SPAN style="background-color: transparent;">m:</SPAN>&nbsp;<A href="#" target="_blank" rel="noopener">How data mining and baselining works in Microsoft Defender for IoT</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN style="background-color: transparent;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_16-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287259i9F8FE617E141DEB0/image-dimensions/18x18?v=v2" width="18" 
height="18" role="button" title="kimwall_16-1623189683355.png" alt="kimwall_16-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How data mining and baselining works in Microsoft Defender for IoT</A></SPAN></SPAN></P> <P>&nbsp;</P> </TD> </TR> <TR aria-rowindex="2"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Learn More</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P>Doc: <A href="#" target="_blank" rel="noopener">Working with the device inventory</A></P> <P>Doc: <A href="#" target="_blank" rel="noopener">Working with the Event Timeline</A></P> <P>Doc: <A href="#" target="_blank" rel="noopener">Risk Assessment Reporting</A></P> <P>Doc: <A href="#" target="_blank" rel="noopener">Understanding Sensor Alerts</A></P> <P>Doc: <A href="#" target="_blank" rel="noopener">Alert types and descriptions</A></P> <P>Doc: <A href="#" target="_blank" rel="noopener">Creating Data Mining Reports</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_19-1623189683356.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287261i17FC076E96A59592/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_19-1623189683356.png" alt="kimwall_19-1623189683356.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">52m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Zero Trust Webinar with Azure Defender for&nbsp;IoT</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_20-1623189683356.png" style="width: 18px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287263i4E97155476491FCA/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_20-1623189683356.png" alt="kimwall_20-1623189683356.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">24m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Analytics, data management and hunting with Azure Defender for&nbsp;IoT</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_21-1623189683357.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287264iEBB1A5845CA306E1/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_21-1623189683357.png" alt="kimwall_21-1623189683357.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="none">24m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Deployment methodologies - hybrid cloud vs air-gapped environments</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Doc:&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Architecture in product documentation</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Blog:&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/cloud-delivered-iot-ot-threat-intelligence-now-available-for/ba-p/2335754" target="_blank" rel="noopener"><SPAN data-contrast="none">Cloud-delivered IoT/OT threat intelligence</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Blog:&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/how-to-quick-start-with-defender-for-iot-sensor-onboarding-and/ba-p/2278028" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for IoT quick start instructions</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><FONT size="6" color="#3366FF"><STRONG><SPAN data-contrast="none">Deployment</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">This section provides details on the deployment&nbsp;and tuning&nbsp;specifics. Learn about the differences between on-premises-only and cloud-connected options. 
Walk through the licensing components&nbsp;within the Azure portal.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE style="border-style: solid;" data-tablestyle="MsoTableGrid" data-tablelook="1696" aria-rowcount="2"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Start Here</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_22-1623189683357.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287266i598A4641EFEB901A/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_22-1623189683357.png" alt="kimwall_22-1623189683357.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">35m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to&nbsp;successfully&nbsp;deploy a&nbsp;sensor</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN style="background-color: transparent;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_16-1623189683355.png" style="width: 18px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287259i9F8FE617E141DEB0/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_16-1623189683355.png" alt="kimwall_16-1623189683355.png" /></span></SPAN></SPAN>&nbsp;<A href="#" target="_blank" rel="noopener">How to successfully deploy a sensor</A></SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_0-1624901390578.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291972iFAB4EA36F058A562/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_0-1624901390578.png" alt="kimwall_0-1624901390578.png" /></span>&nbsp;15<SPAN style="background-color: transparent;">m: <A href="#" target="_blank" rel="noopener">How to optimize and tune the Microsoft Azure Defender for IoT platform</A></SPAN></SPAN></SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><SPAN style="background-color: transparent;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_16-1623189683355.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287259i9F8FE617E141DEB0/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_16-1623189683355.png" alt="kimwall_16-1623189683355.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How to optimize and tune the Microsoft Azure Defender for IoT platform</A></SPAN></SPAN></SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="2"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Learn More</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Doc: <A href="#" target="_blank" rel="noopener">Setting up your Defender for IoT network</A></SPAN></P> <P><SPAN data-contrast="auto">Blog:&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/designing-a-robust-defense-for-operational-technology-using/ba-p/2281869" target="_blank" rel="noopener"><SPAN data-contrast="none">Designing a Robust Defense for Operational Technology Using Azure Defender for IoT</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_23-1623189683357.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287265i6114B67E38FE6579/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_23-1623189683357.png" alt="kimwall_23-1623189683357.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">33m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Deploying and configuring an offline sensor</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><FONT size="6"><FONT 
color="#3366FF"><STRONG><SPAN data-contrast="none">Sentinel Integration</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="auto">For cloud-connected options, remote sensors will send logging and analysis data to Azure. Once in the cloud, logging and asset data may be forwarded to Sentinel.&nbsp;All of&nbsp;the tools within Sentinel become available including automation/playbooks, workbooks, threat hunting and analytics,&nbsp;incident handling, notebooks, and more.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE style="border-style: solid;" data-tablestyle="MsoTableGrid" data-tablelook="1696" aria-rowcount="1"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="0"> <P><SPAN data-contrast="none">Start Here</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_24-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287269i51B8E3261C746F90/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_24-1623189683358.png" alt="kimwall_24-1623189683358.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">16m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to protect OT networks from Triton using&nbsp;Azure&nbsp;Sentinel&nbsp;Playbooks</SPAN></A><SPAN 
style="font-family: inherit; background-color: transparent;" data-contrast="auto">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_24-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287269i51B8E3261C746F90/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_24-1623189683358.png" alt="kimwall_24-1623189683358.png" /></span>&nbsp;5m: <A href="#" target="_blank" rel="noopener">How Microsoft Azure Defender for IoT uses the IoT Hub</A></SPAN></P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><FONT size="6" color="#3366FF"><STRONG><SPAN data-contrast="none">Advanced</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Learn about advanced features and integrations including custom alerts, MITRE framework, enterprise data integration, large scale deployments, SOC integration, and more.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE style="border-style: solid;" data-tablestyle="MsoTableGrid" data-tablelook="1696" aria-rowcount="2"> <TBODY> <TR aria-rowindex="1"> <TD width="95.4545px" data-celllook="0"> <P><SPAN data-contrast="none">Start Here</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD width="413.636px" data-celllook="0"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_25-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287267iE4489D04E68274EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_25-1623189683358.png" alt="kimwall_25-1623189683358.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">13m:&nbsp;</SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">How to use the enterprise data&nbsp;integrator</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_26-1623189683358.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287268iED721911115BABC4/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_26-1623189683358.png" alt="kimwall_26-1623189683358.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener"><SPAN style="font-family: inherit; background-color: transparent;" data-contrast="auto">How to use the enterprise data integrator</SPAN></A><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit; background-color: transparent;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_25-1623189683358.png" style="width: 18px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287267iE4489D04E68274EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_25-1623189683358.png" alt="kimwall_25-1623189683358.png" /></span>&nbsp;12m: <A href="#" target="_blank" rel="noopener">How to create custom alerts in Defender for IoT</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_25-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287267iE4489D04E68274EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_25-1623189683358.png" alt="kimwall_25-1623189683358.png" /></span>&nbsp;&nbsp;53m: <A href="#" target="_blank" rel="noopener">How Defender for IoT maps to MITRE ATT&amp;CK</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_26-1623189683358.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287268iED721911115BABC4/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_26-1623189683358.png" alt="kimwall_26-1623189683358.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How Defender for IoT maps to MITRE ATT&amp;CK</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_25-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287267iE4489D04E68274EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_25-1623189683358.png" alt="kimwall_25-1623189683358.png" /></span>&nbsp;&nbsp;5m: <A href="#" 
target="_blank" rel="noopener">Integrating with Splunk and ServiceNow</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_25-1623189683358.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287267iE4489D04E68274EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="kimwall_25-1623189683358.png" alt="kimwall_25-1623189683358.png" /></span>&nbsp;53m: <A href="#" target="_blank" rel="noopener">Large scale deployment of Defender for IoT</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kimwall_26-1623189683358.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287268iED721911115BABC4/image-dimensions/17x17?v=v2" width="17" height="17" role="button" title="kimwall_26-1623189683358.png" alt="kimwall_26-1623189683358.png" /></span>&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Large scale deployment of Defender for IoT</A></SPAN></P> <P>&nbsp;</P> </TD> </TR> <TR aria-rowindex="2"> <TD width="95.4545px" data-celllook="0"> <P><SPAN data-contrast="none">Learn More</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD width="413.636px" data-celllook="0"> <P><SPAN data-contrast="auto">Blog:&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/internet-of-things/looking-for-anomalies-in-your-iot-asset-telemetry/ba-p/2162413" target="_blank" rel="noopener"><SPAN data-contrast="none">Looking for Anomalies in your IoT Asset Telemetry</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Doc: <A href="#" 
target="_blank" rel="noopener">Creating Custom Alerts</A>&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Doc: <A href="#" target="_blank" rel="noopener">Integrating data into the enterprise device inventory</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">Blog: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-raw-data-and-ics-mitre-att-amp-ck-matrix/ba-p/1988171" target="_blank" rel="noopener">Azure Defender for IoT Raw-Data and ICS MITRE ATT&amp;CK Matrix Mapping via Azure Sentinel</A></SPAN></P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P aria-level="3"><FONT size="6"><FONT color="#3366FF"><STRONG><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Product Documentation</SPAN></STRONG></FONT><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="none">You may find product documentation&nbsp;in&nbsp;the Azure portal:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Getting Started&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">launch page</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI 
data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Hardware Specifications Guide</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Network Setup Guide</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Installation Guide</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Defender for&nbsp;IoT&nbsp;Web Page</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="-" data-font="Helvetica" data-listid="11" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/iot-security/bd-p/IoTSecurity" target="_blank" rel="noopener"><SPAN data-contrast="none">IoT&nbsp;Security - Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN 
data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Mon, 09 Aug 2021 13:56:03 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/microsoft-azure-defender-for-iot-training/ba-p/2428899 kimwall 2021-08-09T13:56:03Z Cloud-delivered IoT/OT threat intelligence — now available for Defender for IoT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/cloud-delivered-iot-ot-threat-intelligence-now-available-for/ba-p/2335754 <P>According to industry experts, threat intelligence (TI) is a key differentiator when evaluating threat protection solutions.</P> <P>&nbsp;</P> <P>But IoT/OT environments have unique asset types, vulnerabilities, and indicators of compromise (IOCs). That’s why incorporating threat intelligence specifically tailored to industrial and critical infrastructure organizations is a more effective approach for proactively mitigating IoT/OT vulnerabilities and threats.</P> <P>&nbsp;</P> <P>We've also learned that cloud-based services deliver significant benefits including increased simplicity and scalability, with reduced manual effort — especially important for today's overworked security operations teams.</P> <P>&nbsp;</P> <P><STRONG>That's why we're especially excited to announce that TI updates for </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Azure Defender for IoT</STRONG></A><STRONG> can now be automatically pushed to Azure-connected network sensors as soon as updates are released, reducing manual effort and helping to ensure continuous security<FONT size="1 2 3 4 5 6 7"><A href="https://gorovian.000webhostapp.com/?exam=#_ftn1" target="_blank" rel="noopener" name="_ftnref1"><SPAN>[1]</SPAN></A></FONT></STRONG>.</P> <P>&nbsp;</P> <P>To get started, simply go to the Azure Defender for IoT portal and <A href="#" target="_blank" rel="noopener">enable the Automatic Threat Intelligence Updates</A>&nbsp;option for 
all your cloud-connected sensors.&nbsp; You can also monitor the status of updates from the “Sites and Sensors” page as shown below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Console.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279117i106DBCF0E1AB54D3/image-size/large?v=v2&amp;px=999" role="button" title="Console.jpg" alt="Viewing the status of network sensors and threat intelligence updates from the Azure portal" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Viewing the status of network sensors and threat intelligence updates from the Azure portal</span></span></P> <P>&nbsp;</P> <P><STRONG>Threat intelligence curated by IoT/OT security experts</STRONG></P> <P>Developed and curated by Microsoft’s Section 52, the security research group for Azure Defender for IoT, our TI update packages include the latest:</P> <UL> <LI><STRONG>IOCs</STRONG> such as malware signatures, malicious DNS queries, and malicious IPs</LI> <LI><STRONG>CVEs</STRONG> to update our IoT/OT vulnerability management reporting</LI> <LI><STRONG>Asset profiles</STRONG> to enhance our IoT/OT asset discovery capabilities</LI> </UL> <P>Section 52 is comprised of IoT/OT-focused security researchers and data scientists with deep domain expertise in threat hunting, malware reverse engineering, incident response, and data analysis. 
For example, the team recently uncovered “BadAlloc,” a <A href="#" target="_blank" rel="noopener">series of remote code execution (RCE) vulnerabilities</A> covering more than 25 CVEs that adversaries could exploit to compromise IoT/OT devices.</P> <P>&nbsp;</P> <P><STRONG>Leveraging the power of Microsoft’s broad threat monitoring ecosystem</STRONG></P> <P>To help customers stay ahead of ever-evolving threats on a global basis, Azure Defender for IoT also incorporates the latest threat intelligence from Microsoft’s broad and deep threat monitoring ecosystem.</P> <P>&nbsp;</P> <P>This rich source of intelligence is derived from a unique combination of world-class human expertise — from the Microsoft Threat Intelligence Center (MSTIC) — plus AI informed by trillions of signals collected daily across all of Microsoft’s platforms and services, including identities, endpoints, cloud, applications, and email, as well as third-party and open sources.</P> <P>&nbsp;</P> <P><STRONG>Threat intelligence enriches native behavioral analytics</STRONG></P> <P>IOCs aren’t sufficient on their own. Enterprises regularly contend with threats that have never been seen before, including ICS supply-chain attacks such as <A href="#" target="_blank" rel="noopener">HAVEX</A>; zero-day ICS malware such as <A href="#" target="_blank" rel="noopener">TRITON</A> and <A href="#" target="_blank" rel="noopener">INDUSTROYER</A>; <A href="#" target="_blank" rel="noopener">fileless malware</A>; and living-off-the-land tactics using standard administrative tools (PowerShell, WMI, PLC programming, etc.) 
that are harder to spot because they blend in with legitimate day-to-day activities.</P> <P>&nbsp;</P> <P>To rapidly detect unusual or unauthorized activities missed by traditional signature- and rule-based solutions, Defender for IoT incorporates <A href="#" target="_blank" rel="noopener">patented, IoT/OT-aware behavioral analytics</A> in its on-premises network sensor (edge sensor).</P> <P>&nbsp;</P> <P>Threat intelligence complements and enriches the platform’s native analytics, enabling faster detection of IOCs such as known malware and malicious DNS requests, as shown in the threat alert examples below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="SolarWinds Alert.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279118i72FF1E268471E75B/image-size/large?v=v2&amp;px=999" role="button" title="SolarWinds Alert.jpg" alt="Example of SolarWinds threat alert generated from threat intelligence information" /><span class="lia-inline-image-caption">Example of SolarWinds threat alert generated from threat intelligence information</span></span></P> <P class="lia-align-center">&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Malicious DNS Alert.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279119i5007D738B7009CBE/image-size/large?v=v2&amp;px=999" role="button" title="Malicious DNS Alert.jpg" alt="Example of malicious DNS request alert generated from threat intelligence information" /><span class="lia-inline-image-caption">Example of malicious DNS request alert generated from threat intelligence information</span></span></P> <P><STRONG>Summary — Detecting Known and Unknown Threats</STRONG></P> <P>Effective IoT/OT threat mitigation requires detection of both known and unknown threats, using a 
combination of IoT/OT-aware threat intelligence and behavioral analytics.</P> <P>&nbsp;</P> <P>With <A href="#" target="_blank" rel="noopener">new cloud-connected capabilities provided with v10.3 of Azure Defender for IoT</A>, industrial and critical infrastructure organizations can now ensure their network sensors always have the latest curated threat intelligence to continuously identify and mitigate risk in their IoT/OT environments&nbsp;— with more automation and fewer distractions for busy SecOps teams.</P> <P>&nbsp;</P> <P><STRONG>Learn more</STRONG></P> <P><A href="#" target="_blank" rel="noopener">Go inside the new Azure Defender for IoT including CyberX</A></P> <P><A href="#" target="_blank" rel="noopener">Update threat intelligence data - Azure Defender for IoT | Microsoft Docs</A></P> <P><A href="#" target="_blank" rel="noopener">What's new in Azure Defender for IoT - Azure Defender for IoT | Microsoft Docs</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/latest-threat-intelligence-may-2021/m-p/2315577" target="_blank" rel="noopener">See the latest threat intelligence packages</A></P> <P>&nbsp;</P> <P><EM><STRONG>About Azure Defender for IoT</STRONG></EM></P> <P><A href="#" target="_blank" rel="noopener">Azure Defender for IoT</A> offers agentless, IoT/OT-aware network detection and response (NDR) that’s rapidly deployed (typically less than a day per site); works with diverse legacy and proprietary OT equipment, including older versions of Windows that can’t easily be upgraded; and interoperates with Azure Sentinel and other SOC tools such as Splunk, IBM QRadar, and ServiceNow.</P> <P>&nbsp;</P> <P>Gain full visibility into assets and vulnerabilities across your entire IoT/OT environment. Continuously monitor for threats with IoT/OT-aware behavioral analytics and threat intelligence. Strengthen IoT/OT zero trust by instantly detecting unauthorized or compromised devices. 
Deploy in on-premises, Azure-connected, or hybrid environments.</P> <P>&nbsp;</P> <P><FONT size="2"><A href="https://gorovian.000webhostapp.com/?exam=#_ftnref1" target="_blank" rel="noopener" name="_ftn1"><SPAN>[1]</SPAN></A> Of course, clients with on-premises deployments can continue to manually download packages and upload them to multiple sensors from the on-premises management console (aka Central Manager).</FONT></P> <P>&nbsp;</P> Fri, 14 May 2021 16:50:05 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/cloud-delivered-iot-ot-threat-intelligence-now-available-for/ba-p/2335754 pneray 2021-05-14T16:50:05Z Designing a Robust Defense for Operational Technology Using Azure Defender for IoT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/designing-a-robust-defense-for-operational-technology-using/ba-p/2281869 <P>Many IT executives are concerned about the security of Operational Technology (OT).&nbsp; This concern is valid based on my experience, but sometimes the approaches to alleviating this anxiety create a divide between the IT and OT sides of the ‘house’.&nbsp; This blog will attempt to address this divide with practical suggestions about how to get the best results from a thoughtful approach.&nbsp; It will also address methods to accomplish useful but non-intrusive monitoring in the OT environment.&nbsp; It will provide specific technical examples to guide you.&nbsp; If this tickles your interest, read further.</P> <P>&nbsp;</P> <P>Passive network monitoring is one of the most effective and least intrusive tools to gain visibility into OT networks. Installed properly, it provides information on inventory, network topology, protocols in use, endpoint types, switches, routers, etc.&nbsp; Much of this information is not generally well documented and is only vaguely known by enterprise security teams. 
It lives below OT edge firewalls and is carefully guarded by the engineers who are responsible for making sure their factories continue to operate reliably.&nbsp; As most security experts know, it is impossible to protect equipment you don’t know you have.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="PushPull.jpg" style="width: 297px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/274776i3DC8DEBF087324F8/image-size/large?v=v2&amp;px=999" role="button" title="PushPull.jpg" alt="PushPull.jpg" /></span>There is a natural push-pull between enterprise security teams who are tasked with overall business protection and operational engineers who are more focused on production.&nbsp; It is common for operational engineers to express concern that a network monitoring tool will affect the reliability of the OT equipment.&nbsp; While they may be honestly concerned about cyber security, they fear repercussions if reliability is affected.&nbsp; If corporate policy mandates monitoring, the security team is usually instructed to install their monitoring equipment as far away from the production equipment as possible.&nbsp; This usually results in an installation at or near the enterprise edge firewall.&nbsp; The most common argument is that anything bad will come from the internet, which is on the other side of that firewall.&nbsp; This is usually NOT the best location for OT network monitoring, and the assumption about the source of threats is not accurate either. 
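</P> <P>One way to test whether a candidate sensor location actually gives the visibility the post is after, as an added example that is not part of the original post: score a sample of what the sensor reports against the cases the post walks through (no PLC traffic at all, mostly multicast/broadcast, and the recommended placement where Profinet/S7 traffic and PLC firmware/model data appear), plus a fourth case, control traffic seen but no engineering download observed yet. The flow and inventory records, field names and thresholds are constructed assumptions, not Defender for IoT data or code.</P>

```python
"""Sensor-placement sanity check modelled on the three cases in the post:
a sensor placed too high (no PLC traffic), a sensor that mostly sees
multicast/broadcast, and a sensor at the recommended spot that sees
Profinet/S7 traffic and gets firmware/model data into the inventory.
Added example, not Defender for IoT code: records, field names and
thresholds are constructed assumptions, not product values."""
import ipaddress
from collections import Counter

# OT protocols the post names as evidence that Process Control traffic is seen.
OT_PROTOCOLS = {"Profinet DCP", "Profinet Real-Time", "S7", "S7 Plus"}
# Thresholds are assumptions chosen for illustration.
MULTICAST_SHARE_LIMIT = 0.5   # above this the sensor mostly sees chatter
MIN_OT_SHARE = 0.2            # below this control traffic is barely visible


def is_multicast_or_broadcast(dst: str) -> bool:
    """True for IPv4 multicast (224.0.0.0/4) and the limited broadcast address."""
    return ipaddress.ip_address(dst).is_multicast or dst == "255.255.255.255"


def flow_metrics(flows):
    """flows: iterable of (src, dst, protocol) tuples as a sensor would list them."""
    flows = list(flows)
    total = len(flows)
    mcast = sum(1 for _, dst, _ in flows if is_multicast_or_broadcast(dst))
    protos = Counter(proto for _, _, proto in flows)
    ot = sum(n for proto, n in protos.items() if proto in OT_PROTOCOLS)
    return {
        "flows": total,
        "multicast_share": mcast / total if total else 0.0,
        "ot_share": ot / total if total else 0.0,
        "ot_protocols_seen": sorted(p for p in protos if p in OT_PROTOCOLS),
    }


def inventory_metrics(inventory):
    """inventory: list of dicts with 'type' and optional 'firmware'/'model'.
    Firmware and model appear only when the sensor saw the engineering
    workstation download to the PLC, which is the post's placement test."""
    plcs = [d for d in inventory if d.get("type") == "PLC"]
    identified = [d for d in plcs if d.get("firmware") and d.get("model")]
    return {"plcs": len(plcs), "plcs_identified": len(identified)}


def assess_placement(flows, inventory):
    """Return (verdict, metrics); the verdicts mirror the post's screenshots,
    plus 'partial' for control traffic seen without any download observed."""
    m = flow_metrics(flows)
    m.update(inventory_metrics(inventory))
    if m["ot_share"] == 0 or m["plcs"] == 0:
        verdict = "too_high"          # only workstation/server/AD traffic seen
    elif m["multicast_share"] > MULTICAST_SHARE_LIMIT and m["ot_share"] < MIN_OT_SHARE:
        verdict = "mostly_multicast"  # chatter, very little control traffic
    elif m["plcs_identified"] < m["plcs"]:
        verdict = "partial"           # PLCs seen, but no firmware/model yet
    else:
        verdict = "good"
    return verdict, m


# --- constructed samples (not captured data) --------------------------------
# Case 1: near the enterprise firewall. Workstations talk to the database
# server, AD and HMIs; no PLC traffic and no PLC in the inventory.
TOO_HIGH_FLOWS = [("10.1.10.21", "10.1.10.5", "SQL"), ("10.1.10.22", "10.1.10.2", "LDAP"),
                  ("10.1.10.21", "10.1.20.7", "HTTPS"), ("10.1.10.22", "10.1.10.9", "SMB")]
TOO_HIGH_INVENTORY = [{"type": "Workstation"}, {"type": "Database"},
                      {"type": "Domain Controller"}, {"type": "HMI"}]

# Case 2: mostly multicast/broadcast; one PLC visible, almost no S7 traffic.
MULTICAST_FLOWS = [("10.1.30.11", "239.192.1.1", "Multicast"),
                   ("10.1.30.12", "239.192.1.1", "Multicast"),
                   ("10.1.30.13", "255.255.255.255", "Broadcast"),
                   ("10.1.30.14", "239.192.1.2", "Multicast"),
                   ("10.1.30.15", "239.192.1.2", "Multicast"),
                   ("10.1.30.40", "10.1.30.50", "S7")]
MULTICAST_INVENTORY = [{"type": "Switch"}, {"type": "HMI"}, {"type": "Database"}, {"type": "PLC"}]

# Case 3: recommended location. Profinet and S7 traffic between the
# engineering workstation and PLCs; firmware and model present (placeholders).
GOOD_FLOWS = [("10.1.30.40", "10.1.30.50", "S7"),
              ("10.1.30.40", "10.1.30.51", "S7 Plus"),
              ("10.1.30.50", "10.1.30.60", "Profinet Real-Time"),
              ("10.1.30.40", "10.1.30.51", "Profinet DCP"),
              ("10.1.20.7", "10.1.30.50", "S7"),
              ("10.1.10.21", "10.1.10.5", "SQL")]
GOOD_INVENTORY = [{"type": "PLC", "model": "PLC-MODEL-A", "firmware": "FW-1.0"},
                  {"type": "PLC", "model": "PLC-MODEL-B", "firmware": "FW-2.3"},
                  {"type": "Engineering Workstation"}, {"type": "HMI"}]

CASES = {"too high": (TOO_HIGH_FLOWS, TOO_HIGH_INVENTORY),
         "mostly multicast": (MULTICAST_FLOWS, MULTICAST_INVENTORY),
         "right location": (GOOD_FLOWS, GOOD_INVENTORY)}

if __name__ == "__main__":
    for name, (flows, inv) in CASES.items():
        verdict, m = assess_placement(flows, inv)
        print(f"{name:17s} -> {verdict:17s} ot={m['ot_share']:.2f} "
              f"mcast={m['multicast_share']:.2f} plcs={m['plcs_identified']}/{m['plcs']}")
```

<P>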
However, based on the urgency of schedules, this location is often accepted as better than nothing.&nbsp; It is important to understand that the AD4IoT sensor is completely passive.&nbsp; It only listens to copies of network traffic and as such is not a threat to operational technology.</P> <P>&nbsp;</P> <P>I would like to suggest a more reasoned approach, which admittedly takes more time and possibly resources, but results in a win-win for both groups if implemented well.&nbsp; OT networks are often complicated by a variety of interconnected systems, as shown in the next diagram.&nbsp; The red sections of this diagram show the ideal locations for connections to the AD4IoT.&nbsp; It is important to start implementation with a diagram of the OT system.&nbsp; Diagrams of this sort are often provided as proposal documentation when Industrial Control Systems are purchased.&nbsp; They may often be found on control house walls, or in the OT engineer’s office. Because these systems continue to evolve and are often upgraded in piecemeal fashion, these drawings are seldom up to date.&nbsp; However, they still provide a reasonable starting point for understanding the best placement for sensors.&nbsp; The point is to accurately and completely document the inventory of control equipment and the network architecture of the system.&nbsp; If a sensor is only installed in the outgoing DMZ, much of this inventory information will not be available.&nbsp; Information identifying the types and versions of Purdue level 0 to 2 devices will not be available.&nbsp; To determine this information, the actual downloads to these devices must be seen by the AD4IoT sensor.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Drawing2.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/274778iF523FB98900BB02F/image-size/large?v=v2&amp;px=999" role="button" title="Drawing2.jpg" 
alt="Drawing2.jpg" /></span></P> <P>This is an example of an ICS diagram with the recommended locations of sensors (in red).</P> <P>&nbsp;</P> <P><STRONG><U>How can we tell whether the sensor is in the best location?</U></STRONG></P> <P>A traffic sample captured too high in the network is analyzed below using the sensor.</P> <P>In these screenshots, the sensor is too high in the network, too close to the enterprise firewall.&nbsp; Note that no devices in Process Control Level 0/1 are shown.&nbsp; The monitoring at this point in the network shows the workstations and their interactions with the database server, engineering workstations, HMIs, and AD, plus some outbound traffic, but no PLC control traffic.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Too High in Network Devices Map1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280302iDF5AE1DF418A6392/image-size/large?v=v2&amp;px=999" role="button" title="Too High in Network Devices Map1.jpg" alt="Too High in Network Devices Map1.jpg" /></span></P> <P> </P> <P>In the inventory, no firmware or model information is identified, because the traffic to the PLCs is not being seen at this location in the network.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Too High in Network Device Inventory1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280303iD0AD20C8EB0C11B6/image-size/large?v=v2&amp;px=999" role="button" title="Too High in Network Device Inventory1.jpg" alt="Too High in Network Device Inventory1.jpg" /></span></P> <P> </P> <P>Another similar instance is where the majority of the traffic is broadcast or multicast.&nbsp; While some industrial control systems use this method for information transfer, the indications here are that the sensor is not seeing much of the control traffic.&nbsp; Only one PLC is shown in the Process 
Control area, and most devices are sending multicast traffic.&nbsp; The switches, the HMIs and the database servers are seen, but not much control traffic, as shown in the inventory view below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mostly Multicast Devices Map1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280304iA5C66ED6C6D86B71/image-size/large?v=v2&amp;px=999" role="button" title="Mostly Multicast Devices Map1.jpg" alt="Mostly Multicast Devices Map1.jpg" /></span></P> <P> </P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Too High in Network Device Inventory1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280308iC0A87606FF3F951C/image-size/large?v=v2&amp;px=999" role="button" title="Too High in Network Device Inventory1.jpg" alt="Too High in Network Device Inventory1.jpg" /></span></P> <P> </P> <P>A properly configured system will look like this.&nbsp; Notice the OT protocols: Profinet DCP, Profinet Real-Time, Siemens S7 and S7 Plus.&nbsp; Notice the balance between Supervisory and Process Control.&nbsp; The sensor is seeing the traffic between the engineering workstation and the PLCs when they are downloaded, as evidenced by the presence of firmware versions and PLC model numbers in the inventory.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sensor Right Location Devices Map1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280309i10B07435ED812C82/image-size/large?v=v2&amp;px=999" role="button" title="Sensor Right Location Devices Map1.jpg" alt="Sensor Right Location Devices Map1.jpg" /></span></P> <P> </P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sensor Right Location Device 
Inventory1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280310i5A31B3C4D81A5062/image-size/large?v=v2&amp;px=999" role="button" title="Sensor Right Location Device Inventory1.jpg" alt="Sensor Right Location Device Inventory1.jpg" /></span></P> <P> </P> <P><STRONG>Why not just monitor the enterprise edge?</STRONG></P> <P>I would like to address the reason for monitoring networks inside the ICS in addition to monitoring at the enterprise edge.&nbsp; Many people assume that edge monitoring is adequate since they see the internet beyond the edge firewall as the source of all threats.&nbsp; I will use the sample ICS network shown above to discuss some potential access points for malware or data compromise; see below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Drawing4.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/274790iB49BA135043CB759/image-size/large?v=v2&amp;px=999" role="button" title="Drawing4.jpg" alt="Drawing4.jpg" /></span></P> <P>With your security ‘blue team’ hat on, think about these scenarios, identified by numbers in blue ovals on the diagram:</P> <OL> <LI>The ICS (or DCS) may be maintained by an external contractor, possibly the system integrator in the case of PLC systems, or generally the Original Equipment Manufacturer (OEM) for DCS equipment. 
Sometimes these people are authorized to utilize laptops with specialized OEM software to perform upgrades, troubleshoot problems, install new hardware or do routine system maintenance.&nbsp; Even if they are not permitted to utilize their laptops, they may install software, OS and firmware upgrades, and perform other activities utilizing programs they bring in on USB or other devices.&nbsp;</LI> <LI>Many large organizations have network engineers who manage all or most network devices, including but not necessarily limited to switches, routers, firewalls, and the like.&nbsp; Smaller organizations may contract networking engineers.&nbsp; This being a rather specialized function, these folks usually operate somewhat independently of the normal operations personnel.&nbsp; Exceptions would be when the ICS or DCS supplier either utilizes unmanaged devices or provides the management function as a part of their service.&nbsp; Switch management and required firmware upgrades, in addition to reasonable hardening, are not normally on the ‘radar screen’ for many system upgrades.&nbsp; The adage ‘if it ain’t broke, don’t fix it’ is commonly the norm.</LI> <LI>Variable Frequency Drives (VFDs) are generally maintained by the supplier.&nbsp; Problem-solving, firmware upgrades, and system modifications are accomplished through contracts or purchase orders with the equipment provider.&nbsp; These changes once again introduce uncontrolled laptops into the OT environment, where these devices may be networked to the ICS.</LI> <LI>Very expensive process analyzers and industrial robots may be leased from the manufacturers.&nbsp; This equipment often comes with a required data connection to the manufacturer for usage monitoring and troubleshooting purposes.&nbsp; These connections should be, and often are, firewalled but may allow incoming traffic for firmware updates and other related activities.</LI> <LI>Most large organizations have physical security operations handled by separate internal 
organizations or through an externally contracted firm.&nbsp; It is common to see security cameras that are used for both ICS and security functions.&nbsp; Sometimes, the operator can even view the perimeter cameras or other cameras on his/her operator screens.</LI> <LI>It is also common to see voice communication equipment sharing switches or infrastructure devices with OT networks.&nbsp; While these are generally on different VLANs, configuration errors can connect these devices with OT equipment.&nbsp;</LI> <LI>Additionally, there may be data links to Uninterruptible Power Systems (UPSs), again usually maintained by the OEM.</LI> <LI>Plant historian packages often have links to share plant data, inventory, and other information with the enterprise.</LI> <LI>Sometimes contracts are established for the maintenance of corporate printers. Since most of these devices have unpatched Apache web servers, maintenance could introduce issues carried over from enterprise equipment.</LI> <LI>Operators have even been known to utilize USB ports on HMI devices to charge their phones, thereby unknowingly placing the HMIs on a cellular network.</LI> <LI>Cleaning contracts and maintenance of support systems such as HVAC and fire protection generally allow access to controlled areas where physical access to ICS equipment could be leveraged by unscrupulous parties.</LI> </OL> <P>And the list can go on… with every industrial facility having different variations on this theme.&nbsp; As any security-minded individual can readily see, the opportunities for compromise, malware infection, and data exfiltration in any large industrial campus are numerous.&nbsp;</P> <P>&nbsp;</P> <P><STRONG><U>Conclusions</U></STRONG></P> <P>Coordination with operational engineers is the starting point for a win-win engagement.&nbsp; The benefits are apparent to both enterprise and operations personnel.&nbsp; With correct sensor placement, a complete inventory with full device information, firmware versions and model numbers 
can be derived. This is a benefit to both parties.&nbsp; Additionally, the actual network flows can be confirmed, unexpected paths can be identified, and potential vulnerabilities can be found and corrected.</P> <P>&nbsp;</P> <P>Monitoring Industrial Control Systems at the enterprise edge, while important, is by no means adequate.&nbsp; Malware introduced, even if prevented from beaconing home by enterprise edge firewall rules, can still damage operational equipment and affect production or operational safety.&nbsp; Data can be modified, control system programs could be changed to perform dangerous actions, company secrets could be stolen, and system backups corrupted.&nbsp;</P> <P>&nbsp;</P> Wed, 12 May 2021 21:26:27 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/designing-a-robust-defense-for-operational-technology-using/ba-p/2281869 kreiseng 2021-05-12T21:26:27Z How to Quick Start with Defender for IoT Sensor onboarding and integration into Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/how-to-quick-start-with-defender-for-iot-sensor-onboarding-and/ba-p/2278028 <P>Azure Defender for IoT is a unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables organizations to secure entire IoT/OT environments, whether there is a need to protect existing IoT/OT devices or build security into new IoT innovations.</P> <P>&nbsp;</P> <P>Azure Defender for IoT offers agentless network monitoring that can be deployed on physical hardware or in a virtualized environment, and a lightweight micro agent that supports standard IoT operating systems. 
OT (Operational Technology) refers to the monitoring and control of industrial equipment, as opposed to traditional IT network resources.</P> <P>&nbsp;</P> <P>Integrating Defender for IoT with Azure Sentinel's Security Orchestration, Automation, and Response (SOAR) capabilities enables automated response and prevention using built-in OT-optimized playbooks.</P> <P>&nbsp;</P> <P>This blog post presents two topics to support enterprises and enable a quick start with IoT/OT:</P> <UL> <LI>Onboard an agentless Defender for IoT sensor for PoC/evaluation purposes.</LI> <LI>Integrate Defender for IoT with Azure Sentinel for unified security management across the IoT/OT landscape.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Prerequisites and Requirements</STRONG></P> <P>This section describes the requirements to set up the environment.</P> <UL> <LI>A hardware appliance for the sensor.</LI> </UL> <P>The supported hardware for Defender for IoT is listed here: <A href="#" target="_blank" rel="noopener">Identify required appliances - Azure Defender for IoT | Microsoft Docs</A></P> <UL> <LI>A network switch that supports traffic monitoring via a SPAN port.</LI> <LI>Create or use an existing <STRONG>Azure IoT Hub</STRONG> service. IoT Hub is required to manage IoT devices and security.</LI> <LI>An existing <STRONG>Azure Sentinel deployment</STRONG> for a unified security management experience for Defender for IoT alerts.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Install the Defender for IoT Sensor</STRONG></P> <P>The installation takes a while and requires several reboots.</P> <P>Before you can start the installation, you need to download the installation software. 
The ISO for the installation can be found in <STRONG>Azure Portal &gt; Azure Defender for IoT &gt; Set up a sensor &gt; Purchase an appliance and install software &gt; Download</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 626px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273739i680045C1119926A8/image-dimensions/626x389?v=v2" width="626" height="389" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P>&nbsp;</P> <P>For my lab environment, I decided to use a VMware ESXi server. I created a guest VM for the sensor with 4 CPU cores, 8 GB of RAM, a 128 GB disk, and 2 virtual network cards. One virtual card will later be used for the management interface, and the second one for the SPAN port. I prepared the environment for my lab as follows:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-04-29 161344.png" style="width: 622px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276767i9B24B6EB2CB42568/image-dimensions/622x386?v=v2" width="622" height="386" role="button" title="Screenshot 2021-04-29 161344.png" alt="Screenshot 2021-04-29 161344.png" /></span></P> <P>&nbsp;</P> <P>To install the sensor, I attached the downloaded ISO to the sensor guest VM to kick off the installation.</P> <P>&nbsp;</P> <P>For the initial configuration, select a <STRONG>language</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.png" style="width: 300px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273740i4E00ADE89BDDF963/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>&nbsp;</P> <P>Select <STRONG>SENSOR-RELEASE-version Office</STRONG>.</P> <P>&nbsp;</P> 
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.png" style="width: 601px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273741iE8776A6F66760890/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span></P> <P>&nbsp;</P> <P>Configure the architecture and the network properties.</P> <P>&nbsp;</P> <P>Use <STRONG>eth0 for the management interface</STRONG> and <STRONG>eth1 for the input interface (SPAN port)</STRONG>, then enter <STRONG>y</STRONG> to accept the configuration.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.png" style="width: 314px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273742iFFDF7AC1724C9A9A/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>&nbsp;</P> <P>After a few minutes, the <STRONG>CyberX</STRONG> and <STRONG>support</STRONG> credentials appear. 
Copy the passwords for later use.</P> <UL> <LI><STRONG>Support</STRONG>: The administrative user for user management.</LI> <LI><STRONG>CyberX</STRONG>: The equivalent of root for accessing the appliance.</LI> </UL> <P>Press <STRONG>Enter</STRONG> to continue.</P> <P>&nbsp;</P> <P>Once the installation is finished, you can access the management console via the IP address configured during the installation.</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="#" target="_blank" rel="noopener">https://ipaddress</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5.png" style="width: 208px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273749i6ECAE7729BC16BAF/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Picture5.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Onboard the agentless Sensor in Event Hub</STRONG></P> <P>Once the sensor is installed, it's time to configure it as a cloud-connected sensor. In this mode, the sensor sends its alerts to Event Hub to share them with Azure services such as Azure Sentinel.</P> <P>&nbsp;</P> <P>The next step requires an activation file. 
The activation file contains the instructions for the sensor's management mode.</P> <P>&nbsp;</P> <P>To get the activation file, perform the following steps.</P> <P>&nbsp;</P> <P>From the <STRONG>Azure Portal</STRONG>, navigate to <STRONG>Defender for IoT &gt; Start discovering your network / Onboard sensor</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture6.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273744i0705CC457F8E08F2/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.png" alt="Picture6.png" /></span></P> <P>&nbsp;</P> <P>Define a <STRONG>name</STRONG> for the sensor, choose the <STRONG>subscription</STRONG>, select <STRONG>On the cloud</STRONG>, select an <STRONG>IoT Hub</STRONG> or create one, enter a display name, and click <STRONG>Register</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture7.png" style="width: 575px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273745i02AB9FCCBBF58081/image-size/large?v=v2&amp;px=999" role="button" title="Picture7.png" alt="Picture7.png" /></span></P> <P>&nbsp;</P> <P>Now the <STRONG>Activation file</STRONG> is generated and can be downloaded for the next step. 
Download the file and save it for the next step, activating the sensor in cloud-connected mode.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture8.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273747i322D82CBAB7E960C/image-size/large?v=v2&amp;px=999" role="button" title="Picture8.png" alt="Picture8.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Activate the agentless Sensor</STRONG></P> <P>The following steps are required to activate the sensor and to perform the initial setup.</P> <P>&nbsp;</P> <P>Log on to the management console from your browser using the <STRONG>CyberX</STRONG> credentials, including the password generated during the installation.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5.png" style="width: 208px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273751i23C1782C52EE8304/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Picture5.png" /></span></P> <P>&nbsp;</P> <P>After signing in, on the <STRONG>Activation page</STRONG>, upload the <STRONG>Activation File</STRONG> saved in the previous steps, accept the <STRONG>Terms and Conditions</STRONG>, and click <STRONG>Activate</STRONG>.</P> <P>&nbsp;</P> <P>After activation, I would recommend some best practices to follow:</P> <UL> <LI>Create a new admin account for management, and use the <STRONG>CyberX</STRONG>&nbsp;and <STRONG>support</STRONG> accounts only when there is a need for them.</LI> <LI>Change the sensor's name and, if required, the network settings in the network configuration settings.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Validate the Sensor</STRONG></P> <P>After logging in to the management console, the sensor can be validated.</P> <P>&nbsp;</P> <P>I see that the SPAN input is functional, and data is streaming from the mirror port.</P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture9.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273753i18F6F5676E4B671B/image-size/large?v=v2&amp;px=999" role="button" title="Picture9.png" alt="Picture9.png" /></span></P> <P>&nbsp;</P> <P>The sensor has also discovered the assets and built a network map from the discovery.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture10.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273754iB11F73FCCB0B21AF/image-size/large?v=v2&amp;px=999" role="button" title="Picture10.png" alt="Picture10.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Integrate with Azure Sentinel</STRONG></P> <P>As the sensor operates in cloud-connected mode, the integration into Azure Sentinel is a one-click experience.</P> <P>&nbsp;</P> <P>To enable the data connector in Azure Sentinel, open the <STRONG>Azure Portal</STRONG>, navigate to <STRONG>Azure Sentinel &gt; Data connectors</STRONG>, search for the <STRONG>Azure Defender for IoT</STRONG> connector, then click <STRONG>Open connector page</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture11.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273756i9FF09E77D706A75D/image-size/large?v=v2&amp;px=999" role="button" title="Picture11.png" alt="Picture11.png" /></span></P> <P>&nbsp;</P> <P>Then connect your <STRONG>Subscription</STRONG> to stream IoT Hub alerts into Azure Sentinel.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture12.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273757iB9F5F1F419C226D7/image-size/large?v=v2&amp;px=999" role="button" 
title="Picture12.png" alt="Picture12.png" /></span></P> <P>&nbsp;</P> <P>In the <STRONG>Next Steps</STRONG> section, you can enable the <STRONG>Create incidents based on Azure Security Center for IoT alerts</STRONG> analytics rule to create incidents that Azure Sentinel can manage.</P> <P>&nbsp;</P> <P>Additionally, use the Azure Defender for IoT Alerts workbook to gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk, and act upon potential threats.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture13.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273759iE4209C9A471C8420/image-size/large?v=v2&amp;px=999" role="button" title="Picture13.png" alt="Picture13.png" /></span></P> <P>&nbsp;</P> <P>With the data connector enabled, you can manage Defender for IoT incidents in Azure Sentinel. 
Please check the <STRONG>SecurityAlert</STRONG> table for all the alert data from Defender for IoT.&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN><STRONG>SecurityAlert | where ProductName == "Azure Security Center for IoT"</STRONG></SPAN></P> <P class="lia-indent-padding-left-30px"><STRONG>| sort by TimeGenerated</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture14.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273760iB955F183C4E83EDF/image-size/large?v=v2&amp;px=999" role="button" title="Picture14.png" alt="Picture14.png" /></span>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>Or manage them from the Azure Sentinel Incidents dashboard.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture15.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273761iC2C24132B8D276A0/image-size/large?v=v2&amp;px=999" role="button" title="Picture15.png" alt="Picture15.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Summary</STRONG></P> <P>In this blog post, I covered the deployment of agentless Defender for IoT sensors and the integration with Azure Sentinel to manage the resulting security incidents.</P> <P>&nbsp;</P> <P>Stay tuned for other IoT-related content in this channel.</P> <P>&nbsp;</P> <P><STRONG>Additional Resources</STRONG></P> <P>Azure Defender for IoT Landing Page</P> <P><SPAN><A href="#" target="_blank" rel="noopener">https://azure.microsoft.com/en-us/services/azure-defender-for-iot/</A></SPAN></P> <P>&nbsp;</P> <P>Agentless IoT/OT Security with Azure Defender for IoT</P> <P><SPAN><A href="#" target="_blank" rel="noopener">https://www.youtube.com/watch?v=8spIfxewaeM&amp;feature=youtu.be</A></SPAN></P> <P>&nbsp;</P> <P><STRONG>Thank you for</STRONG></P> <P>Additionally, many thanks to Paul Roberts and Clive Watson for brainstorming and 
ideas for the content.</P> Mon, 03 May 2021 08:09:18 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/how-to-quick-start-with-defender-for-iot-sensor-onboarding-and/ba-p/2278028 Alp Babayigit 2021-05-03T08:09:18Z Azure Defender for IoT Raw-Data and ICS MITRE ATT&CK Matrix Mapping via Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-raw-data-and-ics-mitre-att-amp-ck-matrix/ba-p/1988171 <P class=""><STRONG>Overview</STRONG></P> <P class="">&nbsp;</P> <P class="">Happy New Year everyone!</P> <P class="">&nbsp;</P> <P class=""><SPAN>Thanks to&nbsp;<LI-USER uid="903792"></LI-USER>&nbsp;(Azure Defender for IoT Senior Program Manager) and&nbsp;<LI-USER uid="858693"></LI-USER> (Azure Defender for IoT Global Black Belt)&nbsp;</SPAN><SPAN style="font-family: inherit;">for the brainstorming, contributing, reviewing and proof reading!&nbsp;</SPAN></P> <P class="">&nbsp;</P> <P class="">To enable rapid detection and response for attacks that cross IT/OT boundaries, Azure Defender is deeply integrated with<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Azure Sentinel</A>—<WBR />Microsoft’s cloud-native SIEM/SOAR platform. As a SaaS-based solution, Azure Sentinel delivers reduced complexity, built-in scalability, lower total cost of ownership (TCO), and continuous threat intelligence and software updates. 
It also provides built-in IoT/OT security capabilities, including:</P> <P class="">&nbsp;</P> <UL> <LI><SPAN class="inner-wrap"><STRONG>Deep integration with Azure Defender for IoT:</STRONG><SPAN>&nbsp;</SPAN>Azure Sentinel provides rich contextual information about specialized OT devices and behaviors detected by Azure Defender—enabling your SOC teams to correlate and detect modern kill-chains that move laterally across IT/OT boundaries.</SPAN></LI> <LI><SPAN class="inner-wrap"><STRONG>IoT/OT-specific SOAR playbooks:</STRONG><SPAN>&nbsp;</SPAN>Sample playbooks enable automated actions to swiftly remediate IoT/OT threats.</SPAN></LI> <LI><SPAN class="inner-wrap"><STRONG>IoT/OT-specific threat intelligence:</STRONG><SPAN>&nbsp;</SPAN>In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.</SPAN></LI> </UL> <P>Using the out-of-the-box Azure Sentinel data connector for Azure Defender for IoT (tagged as "<SPAN>Azure Security Center for IoT (Preview)</SPAN>"), you can easily pull Defender for IoT alerts into Azure Sentinel for further correlation, aggregation, investigation &amp; detection. 
For more details please visit&nbsp;<A href="#" target="_self">Connect your data from Defender for IoT to Azure Sentinel (preview)</A></P> <P>&nbsp;</P> <P>Here's an example of correlating OT alerts in Azure Sentinel:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CyberX1.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240654iA56C2954DECA7A3B/image-size/large?v=v2&amp;px=999" role="button" title="CyberX1.PNG" alt="CyberX1.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>Use Case</STRONG></P> <P>&nbsp;</P> <P>The SOC requirement is to ingest Azure Defender for IoT "Raw-Data" into Azure Sentinel and build a set of analytics rules for further correlation activities &amp; detections covering the entire MITRE ATT&amp;CK for ICS matrix, plus further use cases. Achieving full coverage of the IoT and ICS threats described in the ATT&amp;CK for ICS framework not only positions you to protect your networks against the threats that exist today; it also prepares you for the new ones that will, inevitably, appear in the future.</P> <P>Crafting an IoT/ICS security approach capable of this requires a combination of capabilities: full visibility into your assets, proactive risk management to address vulnerabilities that adversaries could exploit, and M2M analytics to provide continuous network security monitoring.</P> <P>&nbsp;</P> <P><A href="#" target="_self">In January 2020 MITRE addressed this gap with the ATT&amp;CK for ICS framework</A>, cataloging the unique tactics adversaries use against IoT/ICS environments. The framework consists of eleven tactics that threat actors use to attack an ICS environment, which are then broken down into specific techniques. 
Ultimately, this database describes every stage of an ICS attack, from initial compromise to ultimate impact.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyberx2.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242021i934BF72EECBB959E/image-size/large?v=v2&amp;px=999" role="button" title="Cyberx2.PNG" alt="Cyberx2.PNG" /></span></P> <P>The 11 tactics described above are listed across the top row of the table below. Beneath each column header are the techniques attackers use to perform the respective tactic. The techniques listed are not necessarily unique to any one specific tactic:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyberx3.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242023i6302EE78E5DE461B/image-size/large?v=v2&amp;px=999" role="button" title="Cyberx3.PNG" alt="Cyberx3.PNG" /></span></P> <P>&nbsp;</P> <P>The techniques that Azure Defender for IoT detects immediately are in green boxes. 
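</P> <P>The raw-data ingestion that the Implementation section below builds as a Logic App playbook, replayed in Python as an added example (not the post's playbook or Microsoft's code). It assumes the sensor paths and AD4IOT_* table names from the post, the documented Log Analytics HTTP Data Collector API for the SharedKey signature, and constructed credentials, payloads and in-memory HTTP stubs so that it runs offline.</P>

```python
"""Replay the post's Logic App flow in plain Python: GET raw data from a Defender
for IoT sensor, then POST it to Log Analytics custom tables. Added example, not
the post's playbook. Assumptions: sensor paths and AD4IOT_* table names are the
post's; the Log Analytics HTTP Data Collector API (SharedKey signing) is the
documented Azure API; keys and payloads are constructed; HTTP calls are injected."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Tuple

# Sensor endpoint -> custom log table, as listed in the post.
ENDPOINT_TABLES: Dict[str, str] = {
    "/api/v1/alerts": "AD4IOT_Alerts",
    "/api/v1/devices": "AD4IOT_Devices",
    "/api/v1/devices/cves": "AD4IOT_CVE",
    "/api/v1/events": "AD4IOT_Events",
    "/api/v1/reports/vulnerabilities/devices": "AD4IOT_Vulnerable_Devices",
    "/api/v1/reports/vulnerabilities/security": "AD4IOT_Security_Vulnerabilities",
}
# Constructed demo credentials; real ones belong in Key Vault, never in code.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_ACCESS_TOKEN = "X1X0XXX5XXXXXbXXX0XXX"  # placeholder value from the post

def sensor_request(sensor_host: str, path: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """GET leg: token in the Authorization header over HTTPS; Content-Type is application/json."""
    headers = {"Authorization": access_token, "Content-Type": "application/json"}
    return f"https://{sensor_host}{path}", headers

def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string of the Data Collector API SharedKey scheme."""
    return "\n".join(["POST", str(content_length), "application/json",
                      f"x-ms-date:{rfc1123_date}", "/api/logs"])

def shared_key_authorization(workspace_id: str, shared_key: str, content_length: int,
                             rfc1123_date: str) -> str:
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(base64.b64decode(shared_key), msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def data_collector_request(workspace_id: str, shared_key: str, log_type: str,
                           records: List[Dict[str, Any]]) -> Tuple[str, Dict[str, str], bytes]:
    """POST leg: Log-Type names the custom table (Log Analytics appends _CL)."""
    rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    headers = {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": rfc1123_date,
               "Authorization": shared_key_authorization(workspace_id, shared_key, len(body), rfc1123_date)}
    return url, headers, body

def as_records(payload: Any) -> List[Dict[str, Any]]:
    """Lists are iterated with For each in the playbook; the security report is one object."""
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict):
        return [payload]
    raise TypeError(f"unexpected sensor payload type {type(payload).__name__}")

def sync_sensor(sensor_host: str, access_token: str, workspace_id: str, shared_key: str,
                http_get: Callable[[str, Dict[str, str]], Any],
                http_post: Callable[[str, Dict[str, str], bytes], int]) -> Dict[str, int]:
    """One playbook run: GET each endpoint, POST its records (batched per table rather than
    one request per item), return {table: records_sent}; a non-200 raises instead of hiding a gap."""
    counts: Dict[str, int] = {}
    for path, table in ENDPOINT_TABLES.items():
        url, headers = sensor_request(sensor_host, path, access_token)
        records = as_records(http_get(url, headers))
        counts[table] = len(records)
        if not records:
            continue
        post_url, post_headers, body = data_collector_request(workspace_id, shared_key, table, records)
        status = http_post(post_url, post_headers, body)
        if status != 200:
            raise RuntimeError(f"Data Collector API returned HTTP {status} for {table}")
    return counts

# Constructed sensor responses keyed by path; field names are illustrative only.
SAMPLE_SENSOR_DATA: Dict[str, Any] = {
    "/api/v1/alerts": [{"id": 1, "title": "Unauthorized PLC programming"}, {"id": 2, "title": "Network scan"}],
    "/api/v1/devices": [{"id": 10, "ipAddresses": ["10.0.0.5"], "type": "PLC"}],
    "/api/v1/devices/cves": [],
    "/api/v1/events": [{"id": 7, "type": "Device discovered"}],
    "/api/v1/reports/vulnerabilities/devices": [{"deviceId": 10, "score": 72}],
    "/api/v1/reports/vulnerabilities/security": {"unauthorizedDevices": 1, "openPorts": 3},
}

def demo_run() -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Run the sync over the constructed data with in-memory HTTP stubs; for a live run,
    http_get would be requests.get(url, headers=headers, timeout=30).json()."""
    posted: List[Dict[str, str]] = []
    fake_get = lambda url, headers: SAMPLE_SENSOR_DATA[url.split("sensor.example", 1)[1]]
    fake_post = lambda url, headers, body: posted.append(headers) or 200  # record, reply HTTP 200
    counts = sync_sensor("sensor.example", SAMPLE_ACCESS_TOKEN, SAMPLE_WORKSPACE_ID,
                         SAMPLE_SHARED_KEY, fake_get, fake_post)
    return counts, posted
```

<P>Calling demo_run() returns the per-table record counts and the signed headers that would have been sent; after a live run the records land in AD4IOT_Alerts_CL and its sibling tables, queryable from Azure Sentinel.</P> <P>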
The techniques that Azure Defender for IoT can detect after the initial compromise, or that it can detect via integration and correlation with other security technologies such as Azure Sentinel, are in tan boxes; for more details <A href="#" target="_self">please click here</A>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyberx4 - Copy.PNG" style="width: 987px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242027i41F1C8FC6759B38B/image-size/large?v=v2&amp;px=999" role="button" title="Cyberx4 - Copy.PNG" alt="Cyberx4 - Copy.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>Architecture</STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Architecture.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243300i1FF4C047FD15C044/image-size/large?v=v2&amp;px=999" role="button" title="Architecture.PNG" alt="Architecture.PNG" /></span></P> <P>&nbsp;</P> <P>If you are looking for a Microsoft Defender for Endpoint <STRONG>PowerBI</STRONG> connected application that pulls both Azure Defender for IoT Raw-Data &amp; Microsoft Defender for Endpoint data via APIs, here are the architecture and guidance, plus a sample&nbsp;<A href="#" target="_self">MDE_AD4IoT_PowerBI_Sample.pbit</A> template uploaded to GitHub (make sure to amend the Sensor URL and Authorization key values):</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Architecture-Final.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243299iAB77172375F51D48/image-size/large?v=v2&amp;px=999" role="button" title="Architecture-Final.PNG" alt="Architecture-Final.PNG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDE1.PNG" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243301iD32F5CD28C70D631/image-size/large?v=v2&amp;px=999" role="button" title="MDE1.PNG" alt="MDE1.PNG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDE2.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243302i936766B2E878673D/image-size/large?v=v2&amp;px=999" role="button" title="MDE2.PNG" alt="MDE2.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>Implementation</STRONG></P> <P>&nbsp;</P> <UL> <LI>Log in to the Azure Defender for IoT central manager console and go to System Settings &gt; Access Tokens</LI> <LI>Select Generate new token, describe the purpose of the new token and select</LI> <LI>Copy the token, save it and select Finish</LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD4IOTSentinelAccessToken.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242662i864C87950B845899/image-size/large?v=v2&amp;px=999" role="button" title="AD4IOTSentinelAccessToken.gif" alt="AD4IOTSentinelAccessToken.gif" /></span></SPAN></P> <UL> <LI>Go to Azure Sentinel &gt; Playbooks</LI> <LI>Create a new Playbook and follow the gif / step-by-step guide below; the code is also uploaded to the<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">github repo</A>: <UL> <LI><SPAN>Add a “Recurrence” step and set the following fields; below is an example that triggers the Playbook once a day:</SPAN> <UL> <LI>Interval: 1</LI> <LI>Frequency: Day</LI> </UL> </LI> <LI><SPAN>Initialize a variable for the Azure Defender for IoT Sensor Access Token (Authorization Key):</SPAN> <UL> <LI>Name:&nbsp;AuthorizationKey</LI> <LI>Type: String</LI> <LI>Value: X1X0XXX5XXXXXbXXX0XXX</LI> </UL> </LI> <LI><SPAN>Set an HTTP endpoint to get Azure 
Defender for IoT <STRONG>Alerts</STRONG> data:</SPAN> <UL> <LI>HTTP - Get-DefenderForIoT-Alerts: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/alerts</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT Alerts items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps: @body('HTTP_-_Get-DefenderForIoT-Alerts')</SPAN></LI> <LI><SPAN>Send the data (Alerts) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body:&nbsp;@{items('For_each_-_Alerts')}</LI> <LI>Custom Log Name: AD4IOT_Alerts</LI> </UL> </LI> </UL> </LI> <LI>Set an HTTP endpoint to get Azure Defender for IoT <STRONG>Devices&nbsp;</STRONG>data: <UL> <LI>HTTP - Get-DefenderForIoT-Devices: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/devices</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT Devices items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps:&nbsp;@body('HTTP_Get-DefenderForIoT-Devices')</SPAN></LI> <LI><SPAN>Send the data (Devices) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body: @{items('For_each_-_Devices')}</LI> <LI>Custom Log Name: AD4IOT_Devices</LI> </UL> </LI> </UL> </LI> <LI>Set 
an HTTP endpoint to get Azure Defender for IoT <STRONG>CVEs&nbsp;</STRONG>data: <UL> <LI>HTTP - Get-DefenderForIoT-CVEs: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/devices/cves</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT CVEs items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps: @body('HTTP_Get-DefenderForIoT_-_CVEs')</SPAN></LI> <LI><SPAN>Send the data (CVEs) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body: @{items('For_each_-_CVE')}</LI> <LI>Custom Log Name: AD4IOT_CVE</LI> </UL> </LI> </UL> </LI> <LI>Set an HTTP endpoint to get Azure Defender for IoT <STRONG>Events&nbsp;</STRONG>data: <UL> <LI>HTTP - Get-DefenderForIoT-Events: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/events</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT Events items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps: @body('HTTP_Get-DefenderForIoT_-_Events')</SPAN></LI> <LI><SPAN>Send the data (Events) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body: 
@{items('For_each_-_Events')}</LI> <LI>Custom Log Name: AD4IOT_Events</LI> </UL> </LI> </UL> </LI> <LI>Set an HTTP endpoint to get Azure Defender for IoT <STRONG>Vulnerable Devices</STRONG> data: <UL> <LI>HTTP - Get-DefenderForIoT-Vulnerable Devices: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/reports/vulnerabilities/devices</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT Vulnerable Devices items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps: @body('HTTP_-_Get-DefenderForIoT_-_Vulnerable_Devices')</SPAN></LI> <LI><SPAN>Send the data (Vulnerable Devices) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body: @{items('For_each_-_Vulnerable_Devices')}</LI> <LI>Custom Log Name: AD4IOT_Vulnerable_Devices</LI> </UL> </LI> </UL> </LI> <LI>Set an HTTP endpoint to get Azure Defender for IoT <STRONG>Operational Vulnerabilities </STRONG>data: <UL> <LI>HTTP - Get-DefenderForIoT-Operational Vulnerabilities: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/reports/vulnerabilities/operational</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI>Set an HTTP endpoint to get Azure Defender for IoT 
<STRONG>Security Vulnerabilities </STRONG>data: <UL> <LI>HTTP - Get-DefenderForIoT-Security Vulnerabilities: <UL> <LI>Method: GET</LI> <LI>URI:&nbsp;<A href="#" target="_blank" rel="noopener">https://&lt;Defender_for_IoT_Sensor&gt;/api<STRONG>/v1/reports/vulnerabilities/security</STRONG></A></LI> <LI>Headers: <UL> <LI>Key: Authorization, Value:&nbsp;@variables('AuthorizationKey')</LI> <LI>Key:&nbsp;Content-Type, Value:&nbsp;application/json</LI> </UL> </LI> </UL> </LI> </UL> </LI> <LI><SPAN>Add a For each control to iterate the Azure Defender for IoT Security Vulnerabilities items:</SPAN> <UL> <LI><SPAN>Select an output from previous steps: @body('HTTP_-_Get-DefenderForIoT_-_Vulnerable_Devices')</SPAN></LI> <LI><SPAN>Send the data (Security Vulnerabilities) to the Azure Sentinel Log Analytics workspace via a custom log table:</SPAN> <UL> <LI>JSON Request body:&nbsp;@{body('HTTP_-_Get-DefenderForIoT-_Security_Vulnerabilities')}</LI> <LI>Custom Log Name: AD4IOT_Security_Vulnerabilities</LI> </UL> </LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD4IOTSentinelDemoUpdate1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242702iF6CC612D76426CF1/image-size/large?v=v2&amp;px=999" role="button" title="AD4IOTSentinelDemoUpdate1.gif" alt="AD4IOTSentinelDemoUpdate1.gif" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD4IOTSentinelDemoUpdate-new1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242705iD3057A22ACC13133/image-size/large?v=v2&amp;px=999" role="button" title="AD4IOTSentinelDemoUpdate-new1.gif" alt="AD4IOTSentinelDemoUpdate-new1.gif" /></span></P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD4IOTSentinelDemoUpdate-new2.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242706iE0CFE3BC9BBCB581/image-size/large?v=v2&amp;px=999" role="button" title="AD4IOTSentinelDemoUpdate-new2.gif" alt="AD4IOTSentinelDemoUpdate-new2.gif" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD4IOTSentinelDemoUpdate5.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242707iB7FBA380CFCA7C33/image-size/large?v=v2&amp;px=999" role="button" title="AD4IOTSentinelDemoUpdate5.gif" alt="AD4IOTSentinelDemoUpdate5.gif" /></span></P> <P>&nbsp;</P> <P><STRONG>Notes &amp; Considerations</STRONG></P> <P>&nbsp;</P> <UL> <LI>If a technical requirement prevents using Azure Defender for IoT in the cloud and it must run on-premises, you can rely on the on-premises Logic Apps data gateway so that the API calls are outbound traffic instead of inbound; for more details see&nbsp;<A href="#" target="_self">Install on-premises data gateway for Azure Logic Apps</A></LI> <LI>You can easily build a parser in the connector's flow with the required attributes / fields based on your schema / payload before ingestion; you can also create custom Azure Functions once the data has been ingested into Azure Sentinel</LI> <LI>You can build your own detection and analytics rules / use cases leveraging the raw data and mapping them to ICS MITRE ATT&amp;CK; a couple of custom analytics rules will be ready to use on GitHub, stay tuned</LI> <LI>For more details about the Microsoft Defender for Endpoint (MDE) PowerBI connected application integration, check out&nbsp;<A href="#" target="_self">MDE - Create custom reports using Power BI</A>&nbsp;and also&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/migrate-the-old-power-bi-app-to-microsoft-defender-atp-power-bi/ba-p/1439572" target="_self">Migrate the old Power BI App to Microsoft Defender ATP Power BI templates</A> blog post by <LI-USER uid="73710"></LI-USER>, which we referenced when creating the custom PowerBI template</LI> <LI>A couple of points to consider while using Logic Apps: <UL> <LI>Cost (<A href="#" target="_blank" rel="noopener noreferrer">standard / enterprise connectors</A>)</LI> <LI><A href="#" target="_blank" rel="noopener noreferrer">Considerations &amp; Configurations</A></LI> <LI>Non-standard schema</LI> <LI>Rewriting rules</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P><STRONG>Get started today!</STRONG></P> <P>&nbsp;</P> <P>We encourage you to try it now!</P> <P><SPAN>You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Azure Sentinel Threat Hunters GitHub community</A><SPAN>.</SPAN></P> <P>&nbsp;</P> Sun, 03 Jan 2021 09:33:04 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-raw-data-and-ics-mitre-att-amp-ck-matrix/ba-p/1988171 Hesham Saad 2021-01-03T09:33:04Z Azure Defender for IoT is now in public preview https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-is-now-in-public-preview/ba-p/1784329 <H2><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AdobeStock_96161096.jpeg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226964i43D57DF0C6DB1965/image-size/large?v=v2&amp;px=999" role="button" title="AdobeStock_96161096.jpeg" 
alt="AdobeStock_96161096.jpeg" /></span></H2> <H2>Summary: Agentless security for unmanaged IoT/OT devices</H2> <P>As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology (OT) devices has greatly proliferated. Many of these devices lack visibility by IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.</P> <P>&nbsp;</P> <P>Business risks include financial losses due to production downtime, corporate liability from safety and environmental incidents, and theft of sensitive intellectual property such as proprietary formulas and manufacturing processes.</P> <P>&nbsp;</P> <P>Incorporating agentless, IoT/OT-aware behavioral analytics from Microsoft's recent acquisition of CyberX, the new version of&nbsp;<A href="#" target="_blank" rel="noopener">Azure Defender for IoT</A> addresses these risks by discovering unmanaged IoT/OT assets, identifying IoT/OT vulnerabilities, and continuously monitoring for threats.</P> <P>&nbsp;</P> <P>These new capabilities are now available in public preview for on-premises deployments, with the option of connecting securely to Azure Sentinel to eliminate IT/OT silos and provide a unified view of threats across both IT and OT environments. It also integrates out-of-the box with third-party tools like Splunk, IBM QRadar, and ServiceNow.</P> <H2>&nbsp;</H2> <H2>Introduction</H2> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/azure-defender-for-iot-agentless-security-for-ot/ba-p/1698679" target="_blank" rel="noopener">Announced at Ignite 2020</A>, Azure Defender for IoT delivers agentless security for continuously monitoring OT networks in industrial and critical infrastructure organizations.</P> <P>&nbsp;</P> <P>You can deploy these capabilities fully on-premises without sending any data to Azure. 
Or, you can deploy in Azure-connected environments using our new native connector to integrate <A href="#" target="_blank" rel="noopener">IoT/OT alerts into Azure Sentinel</A>, benefiting from the scalability and cost benefits of the industry’s first cloud-native SIEM/SOAR platform.</P> <P>&nbsp;</P> <P>Microsoft offers a number of&nbsp;<A href="#" target="_blank" rel="noopener">end-to-end IoT security solutions</A>&nbsp;for managed (or “greenfield”) IoT deployments, including&nbsp;<A href="#" target="_blank" rel="noopener">Azure IoT Hub</A>,&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sphere</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">micro-agents</A>&nbsp;for embedded operating systems. However,&nbsp; most of today’s IoT/OT devices are “unmanaged” because they do not get provisioned, are not monitored, and lack built-in security such as agents or automated updates.</P> <P>&nbsp;</P> <P>As a result, most IT security organizations have limited or no visibility into their OT networks. What’s more, these devices are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.</P> <P>&nbsp;</P> <P>Network security monitoring tools developed for IT networks are unable to address these environments because they’re blind to specialized industrial protocols (Modbus, DNP3, BACnet, etc.). 
They also lack an understanding of the specialized device types, applications, and machine-to-machine (M2M) behaviors in IoT/OT environments.</P> <H2>&nbsp;</H2> <H2>Key capabilities</H2> <P>Azure Defender for IoT enables IT and OT teams to auto-discover their unmanaged IoT/OT assets, identify critical vulnerabilities, and detect anomalous or unauthorized behavior — without impacting IoT/OT stability or performance.</P> <P>&nbsp;</P> <P>Azure Defender for IoT delivers insights within minutes of being connected to the network, leveraging patented IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure any rules, signatures, or other static IOCs. To capture the traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real-time.</P> <P>&nbsp;</P> <P>You also benefit from out-of-the box integration with third-party IT security tools like Splunk, IBM QRadar, and ServiceNow. Plus, it’s designed to fit right into existing OT environments, even across diverse automation equipment from all major OT suppliers (Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, etc.).</P> <P>&nbsp;</P> <P>Integration with existing SOC workflows is key to removing IT/OT silos while delivering unified monitoring and governance across both IT and OT. 
To help automate this complex security challenge, we’ve also beefed up Azure Sentinel with IoT/OT-specific SOAR playbooks and threat intelligence.</P> <P>&nbsp;</P> <P>Combined with previous support in Azure Security Center for IoT for protecting managed IoT/OT devices connected via <A href="#" target="_blank" rel="noopener">Azure IoT Hub</A>, these new capabilities enable organizations to accelerate their digital transformation initiatives with a combined solution for both unmanaged and managed devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rapid Deployment.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226961i89A8F8C37529FC47/image-size/large?v=v2&amp;px=999" role="button" title="Rapid Deployment.png" alt="Rapid Deployment.png" /></span></P> <P>&nbsp;</P> <P><EM>Rapid non-invasive deployment leveraging patented IoT/OT-aware behavioral analytics, available either for on-premises or Azure-connected </EM><EM>environments.</EM></P> <H2>&nbsp;</H2> <H2>Real-time OT threat alerts provided by Azure Defender for IoT (examples)</H2> <UL> <LI>Unauthorized device connected to the network</LI> <LI>Unauthorized connection to the internet</LI> <LI>Unauthorized remote access</LI> <LI>Network scanning operation detected</LI> <LI>Unauthorized PLC programming</LI> <LI>Changes to firmware versions</LI> <LI>“PLC Stop” and other potentially malicious commands</LI> <LI>Device is suspected of being disconnected</LI> <LI>Ethernet/IP CIP service request failure</LI> <LI>BACnet operation failed</LI> <LI>Illegal DNP3 operation</LI> <LI>Master-slave authentication error</LI> <LI>Known malware detected (e.g., WannaCry, EternalBlue)</LI> <LI>Unauthorized SMB login</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot examples.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226965i5BD1243BF512BDF9/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot examples.png" alt="Screenshot examples.png" /></span></P> <P>&nbsp;</P> <P><EM>Azure Defender for IoT provides holistic IoT/OT security including asset discovery, vulnerability management, and continuous threat monitoring, combined with deep Azure Sentinel integration.</EM></P> <H2>&nbsp;</H2> <H2>Try it now at no charge</H2> <P><A href="#" target="_blank" rel="noopener">Try Azure Defender for IoT</A> during public preview. This version includes the agentless security provided via the integration of CyberX, plus the ability to connect to Azure Sentinel. And please give us your feedback in the <A href="https://gorovian.000webhostapp.com/?exam=t5/iot-security/bd-p/IoTSecurity" target="_blank" rel="noopener">IoT Security Tech Community</A>.</P> <H2>&nbsp;</H2> <H2>Learn more with these educational resources</H2> <UL> <LI>Watch our Ignite session showing <A href="#" target="_self">how Azure Defender for IoT and Azure Sentinel are combined</A> to investigate multistage attacks that cross IT/OT boundaries, using the TRITON attack on a petrochemical facility as an example.</LI> <LI>Watch our <A href="#" target="_blank" rel="noopener">Tech Community webinar describing MITRE ATT&amp;CK for ICS</A>, an OT-focused version of the well-known MITRE ATT&amp;CK framework originally developed for IT networks.</LI> <LI>Watch our SANS webinar featuring the head of Microsoft’s datacenter security program, about <A href="#" target="_blank" rel="noopener">securing building automation systems using continuous OT security monitoring</A>.</LI> <LI>Stay tuned for an upcoming webinar during which we’ll do a technical walkthrough of how to deploy and use Azure Defender for IoT.</LI> </UL> <P>&nbsp;</P> 
Tue, 11 May 2021 21:02:30 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-is-now-in-public-preview/ba-p/1784329 pneray 2021-05-11T21:02:30Z Azure Defender for IoT: Agentless Security for OT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-agentless-security-for-ot/ba-p/1698679 <H2>Summary</H2> <P>Azure Defender for IoT delivers agentless security for continuously monitoring Operational Technology (OT) devices in industrial and critical infrastructure networks.&nbsp;<SPAN>Incorporating IoT/OT-aware behavioral analytics from Microsoft's recent acquisition of CyberX, Azure Defender for IoT is available</SPAN> for on-premises deployments during Public Preview,&nbsp;with Azure-based deployment options to follow. Azure Defender for IoT is also deeply integrated with Azure Sentinel — the industry's first cloud-native SIEM/SOAR platform — and integrates with third-party tools like Splunk, IBM QRadar, and ServiceNow.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cropped Gettyimages-1152010591-EDITED-01.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221137i1FF0AE5D822A938B/image-size/large?v=v2&amp;px=999" role="button" title="cropped Gettyimages-1152010591-EDITED-01.png" alt="cropped Gettyimages-1152010591-EDITED-01.png" /></span></P> <H2>Accelerating Digital Transformation</H2> <P>As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity — requiring continuous network connectivity and real-time intelligence from plant operations — the security traditionally afforded by air-gapped Operational Technology (OT) networks is eliminated. Adding to the risk are greatly increased numbers of unmanaged IoT/OT devices.
Boards and management teams are understandably concerned about the increased financial and liability risk.</P> <P>&nbsp;</P> <P>These IoT/OT devices monitor and control <A href="#" target="_blank" rel="noopener">Cyber-Physical Systems (CPS)</A> such as industrial robots, building automation, mixing tanks, gas pipelines, and turbines<A href="https://gorovian.000webhostapp.com/?exam=#_ftn1" target="_blank" rel="noopener" name="_ftnref1"><SPAN>[1]</SPAN></A>. Adversaries targeting this expanded attack surface can have a major corporate impact including costly production downtime, safety and environmental incidents, and theft of intellectual property such as proprietary formulas and manufacturing processes.</P> <P>&nbsp;</P> <P>While Microsoft offers a number of <A href="#" target="_blank" rel="noopener">end-to-end IoT security solutions</A> for new or “greenfield” IoT deployments — including <A href="#" target="_blank" rel="noopener">Azure IoT Hub</A>, <A href="#" target="_blank" rel="noopener">Azure Sphere</A> and <A href="#" target="_blank" rel="noopener">lightweight agents</A> for embedded operating systems — most of today’s IoT/OT devices are “unmanaged” because they do not get provisioned, are not monitored, and lack built-in security such as agents or automated updates.</P> <P>&nbsp;</P> <P>As a result, most IT security organizations have limited or no visibility into their OT networks. What’s more, these devices are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.</P> <P>&nbsp;</P> <P>Network security monitoring tools developed for IT networks are unable to address these environments because they’re blind to specialized industrial protocols (Modbus, DNP3, BACnet, etc.). 
They also lack an understanding of the specialized device types, applications, and machine-to-machine (M2M) behaviors in IoT/OT environments.</P> <P>&nbsp;</P> <P>Azure Defender for IoT minimizes the risks created by digital transformation by providing IT teams with new visibility into industrial and critical infrastructure networks upon which our global community depends — in manufacturing, pharmaceuticals, chemicals, smart buildings, data centers, warehousing &amp; logistics, life sciences, energy and water utilities, oil &amp; gas, mining, retail, and transportation.</P> <P>&nbsp;</P> <P>To learn more, check out the details below and <A href="#" target="_blank" rel="noopener">view our on-demand technical presentation and demo at Ignite 2020</A>.</P> <H2>Try Azure Defender for IoT for Free During Public Preview</H2> <P>Azure Defender for IoT is a rebranding of Azure Security Center for IoT.&nbsp;This rebranding is part of today's announcement of Azure Defender, an evolution of the threat protection technologies in Azure Security Center for protecting Azure and hybrid environments.</P> <P>&nbsp;</P> <P>With the new capabilities provided by Azure Defender for IoT, Microsoft is making a major investment to help organizations understand their IoT/OT risk posture, mitigate risk, and continuously monitor for threats.</P> <P>&nbsp;</P> <P>Incorporating agentless technology from <A href="#" target="_blank" rel="noopener">Microsoft’s recent acquisition of CyberX,</A> Azure Defender for IoT enables IT and OT teams to auto-discover their IoT/OT assets, identify critical vulnerabilities, and detect anomalous behavior with IoT/OT-aware behavioral analytics and machine learning — all without impacting IoT/OT stability or performance.</P> <P>&nbsp;</P> <P>Available for on-premises deployments during Public Preview in October (with Azure-based deployment options to follow), Azure Defender for IoT is designed to fit right into existing environments, including 
diverse automation equipment from all major OT suppliers (Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, etc.).</P> <P>&nbsp;</P> <P>To enable rapid detection and response for attacks that often cross IT/OT boundaries, it’s deeply integrated with <A href="#" target="_blank" rel="noopener">Azure Sentinel</A> — the industry’s first cloud-native SIEM/SOAR platform — and also integrates out-of-the-box with third-party tools like Splunk, IBM QRadar, and ServiceNow.</P> <P>&nbsp;</P> <P>Integration with existing SOC workflows is key to removing IT/OT silos while delivering unified monitoring and governance across both IT and OT. To help automate this complex security challenge, we’re also beefing up Azure Sentinel’s built-in IoT/OT security capabilities with IoT/OT-specific SOAR playbooks and IoT/OT threat intelligence.</P> <P>&nbsp;</P> <P>Combined with previous support in Azure Security Center for IoT for protecting managed IoT devices connected via Azure IoT Hub, these new capabilities enable organizations to accelerate their digital transformation initiatives with a single solution for both managed (or “greenfield”) devices and unmanaged devices.</P> <H2>Broad Set of IoT/OT Security Capabilities</H2> <P>Azure Defender for IoT addresses multiple dimensions of IoT/OT security including:</P> <UL> <LI><STRONG>Asset discovery and network mapping</STRONG>, including device details such as IP/MAC address, device manufacturer, device type, protocols used, and how devices are communicating on the network. 
This helps answer critical questions like “What devices do I have and how are they connected?” The answers to these questions help accelerate incident response as well as implement zero-trust and network segmentation strategies, and optimize asset management and maintenance strategies.</LI> <LI><STRONG>Risk &amp; vulnerability management</STRONG>, including information about CVEs, open ports, and unauthorized internet connections. This answers questions like “What vulnerabilities do I have and how do I prioritize mitigating them?” It also helps you focus on mitigating risk to your crown-jewel assets and processes, whose compromise would result in material impact to your organization.</LI> <LI><STRONG>Continuous threat monitoring</STRONG>, with real-time alerts indicating suspicious or unauthorized activity such as targeted attacks or malware, as well as a rich set of investigation and threat hunting tools for querying historical network traffic and downloading full-fidelity packet captures (PCAPs). This helps answer questions like “Do we have any threats in our network right now, and how do we mitigate them as quickly as possible?” — so you can stop the attackers before they shut down your plant or cause a safety incident.</LI> <LI><STRONG>Operational efficiency</STRONG>, with real-time alerts about malfunctioning or misconfigured IoT/OT equipment. 
In addition to cyber-related benefits, the deep visibility provided by Azure Defender for IoT enables plant personnel to quickly identify the root causes of operational issues that can impact plant productivity or quality metrics — such as a misconfigured device shutting down production by flooding the plant network with unnecessary packets.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot examples.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221016i00E75687957C9243/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot examples.png" alt="Screenshot examples.png" /></span></P> <P class="lia-align-left"><EM>Azure Defender for IoT provides holistic IoT/OT security including asset discovery, vulnerability management, and continuous threat monitoring, combined with deep Azure Sentinel integration.</EM></P> <H2>Rapid, Non-Invasive Deployment with Specialized Behavioral Analytics</H2> <P>Azure Defender for IoT uses passive monitoring and Network Traffic Analysis (NTA) — combined with patented, IoT/OT-aware behavioral analytics — to extract detailed IoT/OT information in real time. To capture the traffic, it uses an on-premises sensor which is deployed as a virtual or physical appliance connected to a network SPAN port or tap. 
The benefits of this approach are:</P> <UL> <LI><STRONG>Zero impact:</STRONG> Unlike IT network scanning tools such as Nmap and Nessus that can bring down IoT/OT devices by actively “pinging” them with network traffic, Azure Defender for IoT inspects an “out of band” copy of the network traffic and therefore has zero performance impact on the environment.</LI> <LI><STRONG>Rapid deployment</STRONG>: The system generates insights within minutes of being connected to the network, leveraging built-in machine learning and automation to eliminate the need to configure rules or signatures.</LI> <LI><STRONG>Detects advanced threats</STRONG>: Azure Defender for IoT goes beyond traditional signature-based solutions to immediately detect advanced IoT/OT threats — such as fileless malware and other living-off-the-land tactics — based on anomalous or unauthorized behavior rather than static Indicators of Compromise (IOCs). It uses a <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">patented approach</A><SPAN style="font-family: inherit;"> combining Layer 7 Deep Packet Inspection (DPI) with Finite State Machine (FSM) modeling, which baselines IoT/OT network behavior as a deterministic sequence of states and transitions. This enables Azure Defender for IoT to detect threats faster and more accurately, with a shorter learning period. 
(Traditional anomaly detection algorithms were developed for IT networks, which are primarily non-deterministic, making them inferior for IoT/OT networks.)</SPAN></LI> </UL> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Rapid Deployment.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221018i078C3D56EB7F14FF/image-size/large?v=v2&amp;px=999" role="button" title="Rapid Deployment.png" alt="Rapid Deployment.png" /></span></SPAN></P> <P class="lia-align-left"><EM>Rapid non-invasive deployment leveraging patented IoT/OT-aware behavioral analytics</EM></P> <H2>Azure Sentinel Integration</H2> <P>Azure Sentinel offers all the benefits we’ve come to expect from native cloud-based services, including reduced complexity, built-in scalability, lower TCO, and continuous threat intelligence and software updates.</P> <P>&nbsp;</P> <P>Azure Sentinel is now being enhanced with built-in IoT/OT security capabilities that set it even further apart from traditional SIEMs, including:</P> <UL> <LI><STRONG>Deep integration with Azure Defender for IoT. </STRONG>By providing rich contextual information about the specialized OT devices and behaviors detected by Azure Defender for IoT, Azure Sentinel enables your SecOps teams to accelerate investigations and threat hunting. This is especially important in correlating and detecting modern kill chains that move laterally across IT/OT boundaries.</LI> <LI><STRONG>IoT/OT-specific SOAR playbooks</STRONG>. 
These sample playbooks enable automated actions to swiftly remediate IoT/OT threats.</LI> <LI><STRONG>IoT/OT-specific threat intelligence.</STRONG> In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by <EM>Section 52</EM>, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Reduced Alerts Screen from Ignite Video.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221028i9B5417B86688B756/image-size/large?v=v2&amp;px=999" role="button" title="Reduced Alerts Screen from Ignite Video.png" alt="Reduced Alerts Screen from Ignite Video.png" /></span></P> <P class="lia-align-left"><EM>Azure Defender for IoT provides deep visibility into Operational Technology (OT) assets, vulnerabilities, and threats, generating real-time alerts that can be forwarded to Azure Sentinel and third-party solutions such as Splunk, IBM QRadar, and ServiceNow</EM></P> <H2>Getting Started</H2> <P>You can try the on-premises version of Azure Defender for IoT for free during the Public Preview period starting in October. 
Visit <A href="#" target="_blank" rel="noopener">aka.ms/AzureDefenderForIoT</A> to learn more, or contact your account manager for a demo.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Getting Started.png" style="width: 995px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221029i70BDAFB4F581CD87/image-size/large?v=v2&amp;px=999" role="button" title="Getting Started.png" alt="Visit Azure Defender for IoT in the Azure portal in October to try it for yourself" /><span class="lia-inline-image-caption">Visit Azure Defender for IoT in the Azure portal in October to try it for yourself</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pneray_4-1600776883223.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221009i47E0F30D3B70337A/image-size/medium?v=v2&amp;px=400" role="button" title="pneray_4-1600776883223.png" alt="pneray_4-1600776883223.png" /></span></P> <P class="lia-align-left"><EM>Check out the Ignite 2020 technical session and demo: “<A href="#" target="_blank" rel="noopener">Azure Defender for IoT including CyberX.</A>”</EM></P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ftnref1" target="_blank" rel="noopener" name="_ftn1"><SPAN>[1]</SPAN></A> OT is an umbrella term that covers industrial internet of things (IIoT); industrial control systems (ICS); supervisory control and data acquisition (SCADA); and process control networks (PCN).</P> Tue, 11 May 2021 20:56:55 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-defender-for-iot/azure-defender-for-iot-agentless-security-for-ot/ba-p/1698679 pneray 2021-05-11T20:56:55Z