How Microsoft Defender for IoT can secure your IoT devices
Microsoft Security Blog, 2 November 2021 (last updated 12 September 2024)
https://www.microsoft.com/en-us/security/blog/2021/11/02/how-microsoft-defender-for-iot-can-secure-your-iot-devices/

Cybersecurity threats are always evolving, and today we're seeing a new wave of advanced attacks specifically targeting IoT devices used in enterprise environments as well as operational technology (OT) devices used in industrial systems and critical infrastructure (like ICS/SCADA). This is not surprising: 60 percent of security practitioners believe IoT and OT security is one of the least secured aspects of their organization, and less than 50 percent of organizations have deployed solutions designed specifically to secure their IoT and OT devices. Customers recognize that these types of devices are often unpatched, misconfigured, and unmonitored, making them ideal targets for attackers.

To address these risks, we're excited to announce that Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to secure enterprise IoT devices connected to IT networks (like Voice over Internet Protocol (VoIP) devices, printers, and smart TVs), so organizations can take advantage of a single integrated solution that secures all of their IoT and OT infrastructure. Access to the public preview of these new capabilities will be available on November 30, 2021.

Threats and customer challenges

In the past, attacks on IoT and OT devices seemed to many organizations like a hypothetical threat, but in recent years organizations have learned otherwise. We've seen attacks on cameras and VoIP devices,[1] smart building automation,[2] and service providers offering IoT services, and then there have been ransomware attacks—like the ones that shut down a major gas pipeline[3] and a global food processor. All of these highlight the challenge of securing IoT and OT devices.

There are many ways attackers will attempt to compromise and take advantage of enterprise IoT devices: as a point of entry, for lateral movement, or for evasion, to name a few examples. The chart below depicts a cyber kill chain involving two IoT devices. One is used as a point of entry, and another is used for lateral movement that inevitably leads to the exfiltration of sensitive information.

Figure 1: Attackers scan the internet for vulnerable internet-facing IoT devices and then use them as a point of entry. Next, they perform reconnaissance and lateral movement to achieve their goals.

While most organizations recognize IoT and OT security as the least secured aspect of their organization, they continue to deploy devices at high rates and with little hesitation due to the demand for digital transformation and the need to remain competitive. As a result, Chief Information Security Officers will soon be responsible for an attack surface many times larger than what they are used to today, and the vast majority of that new surface area will be unmanaged IoT and OT devices.

When it comes to IoT and OT security, organizations face a long list of challenges. Some of the top challenges include:

Because of these threats and challenges, security and risk leaders ranked IoT and cyber-physical systems as their top concerns for the next three to five years.[4]

Microsoft Defender for IoT is part of the Microsoft SIEM and XDR offering

We recognize that IoT is just one of the security inputs in a comprehensive threat protection strategy. For that reason, adding agentless enterprise IoT support to Microsoft Defender for IoT and making it part of our broader SIEM and XDR offer enables us to deliver comprehensive security for all your endpoint types, applications, identities, and more. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices. With it, organizations get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Learn more about Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel.

Our customers tell us that the biggest challenge they face when it comes to securing enterprise IoT devices is gaining enough visibility to locate, identify, and secure their complete IoT asset inventory. Defender for IoT takes a unique approach to this challenge and can help you discover and secure your IoT devices within Microsoft 365 Defender environments in minutes. We'll share more about our approach in the passive, agentless architecture section below.

Figure 2: View your complete IT and IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile) within a single unified view.

The second biggest challenge our customers face is related to vulnerability management. Defender for IoT can perform assessments for all your enterprise IoT devices. The resulting recommendations are surfaced in the Microsoft 365 console (for example, "Update to a newer version of Bash for Linux").

Figure 3: Prioritize vulnerabilities and misconfigurations and use integrated workflows to bring devices into a more secure state.

The third biggest challenge we hear about is related to threat detection. To ensure we have leading-edge efficacy for enterprise IoT threats, we've tasked Section 52, our in-house IoT and OT security research team, with ensuring we have the best possible detection capabilities. Section 52's work recently enabled Defender for IoT to rank number 1 in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps (with the fewest missed detections of any vendor).

Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (like email, endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT- and OT-specific intelligence collected by our Section 52 security research team. Because Section 52 works in close collaboration with domain experts across the broader Microsoft security research and threat intelligence teams—the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC)—we enable our customers to reduce alert noise by providing them with prioritized incidents that render end-to-end attacks in complete context rather than an endless list of uncorrelated alerts. This leads to high-efficacy incident response.

Figure 4: View prioritized incidents that are inclusive of IT and IoT devices in a single dashboard to reduce confusion, clutter, investigation times, and alert fatigue.

Finally, one of the last things our customers have shared is that they struggle to find solutions that will enable them to securely meet the promise of IT and OT network convergence initiatives.[5] Most tools have difficulty providing analysts with a user experience that can correlate and render multi-stage attacks that cross IT and OT network boundaries.

Because Microsoft Defender for IoT is part of the broader Microsoft SIEM and XDR offer, we can provide analysts with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. Analysts can perform incident response holistically rather than treating such incidents as separate, disconnected attacks that require extensive manual investigation to bring together. With these efficiency gains, analysts can stop attacks and bring their environments back to a pre-breach state far more quickly.

Figure 5: Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident response.

Passive, agentless architecture

Some of the key design principles for Defender for IoT are to be non-invasive and easy to deploy. By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization's infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices, and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that collects all of the network data it needs for discovery, behavioral analytics, and machine learning.

Figure 6: A hybrid sensor approach using Defender for Endpoint clients as sensors provides customers with broad visibility on day one. Deploying the network sensor, or using one from a third party, ensures complete visibility and can be done over time.

Microsoft Defender for IoT is an open platform that allows customers to integrate third-party network data to enrich the information coming from multiple sources. For example, organizations that have already deployed Corelight's open Network Detection and Response (NDR) platform and its Zeek-based network sensors can connect it to Defender for IoT, giving Defender for IoT access to raw network data from Corelight. From there, Defender for IoT applies its behavioral analytics and machine learning capabilities to discover and classify devices as well as to protect against, detect, and respond to attacks.

Learn more about our Corelight partnership and its integration within Microsoft Defender for IoT.

Get ready for the upcoming public preview!

While we're excited to share all this news with you today, we're even more excited to hear your feedback. Please join the new Microsoft Defender for IoT public preview, which will be available on November 30, 2021. In the first build of the preview, you will have access to five main capabilities:

Additional new capabilities are expected to be released soon, including richer security recommendations, detections, and responses.

More details on the upcoming public preview and roadmap can be viewed in our Ignite session.

More information on the current release of Microsoft Defender for IoT (formerly Azure Defender for IoT), which offers OT security, can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Microsoft: Russian state hackers are using IoT devices to breach enterprise networks, Catalin Cimpanu, ZDNet, 5 August 2019.

[2] Hackers are hijacking smart building access systems to launch DDoS attacks, Catalin Cimpanu, ZDNet, 2 February 2020.

[3] Hackers Breached Colonial Pipeline Using Compromised Password, William Turton and Kartikay Mehrotra, Bloomberg, 4 June 2021.