Last month at Ignite we announced that Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to help secure enterprise IoT devices connected to IT networks (e.g.: VoIP devices, printers, cameras, smart TVs, digital assistants, etc.). This complements the product’s existing support for industrial systems and critical infrastructure (e.g.: ICS/SCADA). Additionally, we announced that Defender for IoT is part of the Microsoft SIEM and XDR offering bringing its AI, automation, and expertise to complex multistage attacks that involve IoT/OT devices. Today we’re announcing that the public preview of the Defender for IoT is now available.
For organizations familiar with Defender for IoT they have come to know that its key capabilities include:
During the preview phase of the product cycle each of the capabilities will be made available for enterprise IoT devices however in this first build of the preview you will find that we’ve focused most of our efforts on integrating our discovery and vulnerability management features within the Microsoft SIEM and XDR offering. Detections and responses for enterprise IoT devices will be added later in the preview product cycle.
To experience these capabilities within our SIEM and XDR offering customers must be running the public preview of Microsoft Defender for Endpoint which is used as the integration point for Microsoft Defender for IoT capabilities. Once enabled customers can start taking advantage of IoT device discovery and vulnerability management within the Microsoft 365 Defender console experience.
Figure 1: The IoT Devices view under Device Inventory lists each device as well as properties about them including type, vendor, model just to name a few.
One thing that those familiar with Defender for IoT will find very interesting is the fact that device discovery of enterprise IoT devices is not dependent on the deployment of the Defender for IoT network sensor. This is because we have updated Defender for Endpoint managed devices to act as passive network sensors. In most circumstances they’ll be able to discover a majority of the enterprise IoT devices however it is important to note that to gain complete visibility the Defender for IoT network sensor should be deployed in parallel. There are number of scenarios where this will be helpful. For instance, if there is a network segment where no Defender for Endpoint managed endpoints are present the Defender for IoT network sensor will need to be used to give us the visibility into that segment.
In addition, posture related recommendations for enterprise IoT devices will start appearing in the Security recommendations view. Since IoT devices are rarely updated one of the you’re likely to encounter are those suggesting that you update the firmware on devices where it’s not up to date and includes exploitable vulnerabilities. In the image below you will see that we support non-Windows platforms like Linux which are commonly used for IoT devices of all types.
Figure 2: Prioritize vulnerabilities and misconfigurations and use integrated workflows to bring devices into a more secure state.
Incidents, for those of you who are less familiar with them, are one of the most powerful features within our SIEM and XDR solution. They provide a single place to view and investigate an attack across stages, from initial access to impact. By bringing together signals from endpoints, identities, cloud apps, email and documents and applying artificial intelligence (AI) we can automatically investigate, and correlate attacks end to end, just like an experienced analyst would. This enables defenders to focus on the most critical alerts providing them with a complete and coherent picture of each attack in a single dashboard.
Another capability in the current build of the preview can be found in the Incidents view. You’ll find that Incidents are now inclusive of enterprise IoT devices so if they’re being used as a point of entry, for lateral movement, persistence or all of the above you’re going to be able to easily determine this.
Figure 3: View prioritized incidents that are inclusive of IT and IoT devices all in a single dashboard to reduce confusion, clutter, investigation times, and alert fatigue.
That covers each of the key capabilities that you’ll find in the current build of the preview within the Microsoft 365 Defender console experience. We’re super excited that customers already running Defender for Endpoint can turn on the preview and start experiencing Defender for IoT capabilities within minutes. Detection and responses will soon be added, and we’ll blog about those additions when they arrive.
While the focus of the initial build of the public preview is on our integration within the Microsoft SIEM and XDR offering, we have some additional capabilities that we would like to invite you to try. These include:
As you can see in the image below the Defender for IoT console provides a unified experience for all of your enterprise IoT and OT device inventory. It will be comprehensive of everything on both the IT and OT networks. Vulnerability management detections and responses will also be added to the experience later on during the preview product cycle.
Figure 4: View your complete enterprise IoT and OT device inventory within a single unified view.
To discover enterprise IoT devices and view them in the Defender for IoT console you will need to deploy the enterprise IoT network sensor. Later on, in the preview product cycle this functionality will be integrated into a single combined sensor that covers everything you need for both enterprise IoT and OT devices.
These are just a few examples of what is possible with the current preview build and we hope you’re excited to try them out. During the preview process all of the capabilities mentioned above will be enriched and improved based on your feedback.
Click here to try the public preview functionality within the Microsoft 365 Defender console. Click here try and the new preview capabilities within the Microsoft Defender for IoT experiences. Please send us your feedback.
More details on the upcoming public preview and roadmap can be viewed in our Ignite session:
More information on the current release of the Microsoft Defender for IoT solution for OT security can be found in the following resources
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.