{"id":92903,"date":"2021-02-22T11:00:58","date_gmt":"2021-02-22T19:00:58","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92903"},"modified":"2023-09-11T16:00:22","modified_gmt":"2023-09-11T23:00:22","slug":"securing-azure-datacenters-with-continuous-iot-ot-monitoring","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/02\/22\/securing-azure-datacenters-with-continuous-iot-ot-monitoring\/","title":{"rendered":"Securing Azure datacenters with continuous IoT\/OT monitoring"},"content":{"rendered":"
<\/p>\n
Figure 1: Industrial cooling system for datacenters.<\/em><\/p>\n As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure\u2014and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025<\/a>. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024<\/a>.<\/p>\n We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.<\/p>\n In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized because of “air-gapping” meaning, a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.<\/p>\n Microsoft offers end-to-end IoT security solutions<\/a> for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching\u2014making them soft targets for adversaries looking to pivot deeper into corporate networks.<\/p>\n For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP<\/a>. OT security translates directly into three main types of business risks:<\/p>\n The U.S. Cybersecurity and Infrastructure Agency<\/a> (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:<\/p>\n Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries<\/a>. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily<\/a>. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information technologies (IT). This includes industrial control systems managing the climate, power and water, physical security systems, diverse MS and non-MS personnel managing the servers and equipment, various networks including LAN and WAN and WiFi, and diverse software tools. Exclusively leveraging IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching can disrupt operations leading to safety risks.<\/p>\n <\/p>\n Figure 2: Microsoft datacenters.<\/em><\/p>\n The biggest risks in securing complex heterogeneous datacenter environments and generations are lack of visibility into the full datacenter stack, and IR plans and playbooks across OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.<\/p>\n To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform<\/a> in mid-2019. Microsoft subsequently acquired CyberX<\/a> in June 2020 and recently released Azure Defender for IoT<\/a>, which is based on CyberX’s agentless security platform.<\/p>\n Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.<\/p>\n Azure Defender for IoT is now deeply integrated with Azure Sentinel<\/a> and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.<\/p>\n <\/p>\n Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.<\/em><\/p>\n Azure Sentinel processes alert both from IT and OT, including from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers and IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks) where machine learning reduces false positives and makes our alerts richer\u2014creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.<\/p>\n Microsoft datacenter security monitoring and response:<\/p>\n In addition, the Microsoft cloud security stack\u2014Microsoft Threat Intel Center<\/a> (MSTIC) is being expanded with OT capabilities and threat intel.<\/p>\n OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model<\/a>. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:<\/p>\n For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring<\/a>.”<\/p>\n To learn more about Microsoft Security solutions, visit our website<\/a>.\u00a0Bookmark the\u00a0Security blog<\/a>\u00a0to keep up with our expert coverage on security matters. Also, follow us at\u00a0@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":" Learn how Microsoft ensures operational resilience for Azure datacenters with Azure Defender for IOT and Azure Sentinel <\/p>\n","protected":false},"author":98,"featured_media":92913,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3676,3685],"products":[3726],"threat-intelligence":[],"tags":[3742,3921],"coauthors":[1916],"class_list":["post-92903","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-iot-security","topic-siem-and-xdr","products-microsoft-sentinel","tag-azure","tag-living-off-the-land"],"yoast_head":"\nA changing threat landscape<\/h2>\n
\n
\n
Azure datacenters\u2014a strategic resource<\/h2>\n
How it works<\/h2>\n
\n
OT and IT: Bridging the cultural divide<\/h2>\n
\n
Learn more<\/h2>\n