Archive

Archive for the ‘IoT security’ Category

Securing Azure datacenters with continuous IoT/OT monitoring

February 22nd, 2021 No comments

Real people. IT professionals build and maintain the LinkedIn server farm which operates on 100% renewable energy. Power is hydro-generated and managed efficiently on-site with minimum new draw from external grid. State-of-the-art facility uses eco-friendly solutions such as using reclaimed water to cool the data center.

Figure 1: Industrial cooling system for datacenters.

As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure—and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024.

We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.

A changing threat landscape

In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized because of “air-gapping” meaning, a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.

Microsoft offers end-to-end IoT security solutions for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching—making them soft targets for adversaries looking to pivot deeper into corporate networks.

For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP. OT security translates directly into three main types of business risks:

  • Revenue impact: In 2017, WannaCry malware shut down major automotive manufacturers and affected more than 200,000 computers across 150 countries, with damages ranging into billions of dollars. The same year, NotPetya ransomware nearly shut down the mighty Maersk shipping company and several CPG companies. The attack crippled Merck’s production facilities resulting in losses of $1.3 billion. Last year, LockerGoga shut down the systems of Norwegian aluminum manufacturing company Norsk Hydro and several other plants. In 2020, Ekans (snake spelled backward) ransomware became the latest OT threat by specifically shutting down industrial control systems (ICS).
  • IP theft: IP includes proprietary manufacturing processes, formulas, designs, and more. In one instance, Microsoft Security Response Center (MSRC) discovered hackers were compromising vulnerable IoT devices using their default credentials. Once inside, the hackers scanned the network to see what other systems they could access to get sensitive IP. One in five North American-based corporations reports that they have had IPs stolen within the last year.
  • Safety risks: The Triton attack on a petrochemical facility targeted safety controllers with the intent to cause major structural damage and possible loss of life. The attackers gained a foothold in the IT network then used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new avenues of attack for compromising unmanaged OT devices.

The U.S. Cybersecurity and Infrastructure Agency (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:

  1. Create an up-to-date, detailed inventory and map of your OT network.
  2. Use the asset inventory or map to prioritize risks, such as unpatched systems, unauthorized connections between subnets, or unauthorized connections to the internet.
  3. Implement continuous monitoring with anomaly detection.

Azure datacenters—a strategic resource

Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information technologies (IT). This includes industrial control systems managing the climate, power and water, physical security systems, diverse MS and non-MS personnel managing the servers and equipment, various networks including LAN and WAN and WiFi, and diverse software tools. Exclusively leveraging IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching can disrupt operations leading to safety risks.

Infographic showing details about Microsoft datacenters around the world

Figure 2: Microsoft datacenters.

The biggest risks in securing complex heterogeneous datacenter environments and generations are lack of visibility into the full datacenter stack, and IR plans and playbooks across OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.

To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform in mid-2019. Microsoft subsequently acquired CyberX in June 2020 and recently released Azure Defender for IoT, which is based on CyberX’s agentless security platform.

Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.

Azure Defender for IoT is now deeply integrated with Azure Sentinel and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.

Microsoft datacenters: Ingestion, detection, and investigation.

Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.

How it works

Azure Sentinel processes alert both from IT and OT, including from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers and IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks) where machine learning reduces false positives and makes our alerts richer—creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.

Microsoft datacenter security monitoring and response:

  • Improves the quality of critical environment inventory for risk-based analysis.
  • Correlates significant security events across multiple sources.
  • Advances detections across industrial control system (ICS) networks for known malware, botnet, and command/control traffic.
  • Enables machine learning support for insider threat-detection via user and entity behavior analytics (UEBA).
  • Deploys OT and IT incident-response playbooks using Azure Logic Apps integrated with Microsoft SOC. For example, we implement OT and IT playbooks for scenarios like ransomware or malware, botnet, insider threat, and untracked data-bearing devices.
  • Detects anomalous activity while reducing noise.

In addition, the Microsoft cloud security stack—Microsoft Threat Intel Center (MSTIC) is being expanded with OT capabilities and threat intel.

OT and IT: Bridging the cultural divide

OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:

  • Mature and boost IT security practices for OT: Patching an OT system isn’t the same as updating IT; there can be dangerous repercussions in the form of factory downtime or safety risks. Empathy is important; the liberties enjoyed in the IT world can’t be blindly applied on OT. However, don’t throw away IT security best practices—boost them with OT capabilities.
  • Embrace the security journey: Whether you’re in OT or IT, security improvements move like a dial, not a switch. Agree on your guiding principles and tenants, then constantly improving collaboration between OT and IT teams.
  • Understand the OT persona: IT teams should get to know what a day in the life of an OT person looks like. Our team shadowed OT activity by making site visits, which helped build understanding and establish working relationships.
  • Appreciate the other team’s priorities: When working with OT, this means understanding the importance of safety and availability. What might be a simple system patch in IT could cause downtime or a safety issue in OT. Establish a common vocabulary and metrics to work out issues together.
  • Acknowledge preconceptions: OT often feels like the IT security approach will cause disruptions and downtime, leading to audits, escalations, or worse. For that reason, our approach became: “Hey, we found a problem. Let’s solve it together.”
  • Be proactive versus reactive: Do security assessments together and keep the right people in the loop. Set up two-way trainings, such as joint tabletop or red team exercises, and plan for “worst day” scenarios. Create dedicated websites and SharePoint sites where people can reach out with confidence that their concerns will be addressed.

For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring.”

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing Azure datacenters with continuous IoT/OT monitoring appeared first on Microsoft Security.

Announcing the general availability of Azure Defender for IoT

January 27th, 2021 No comments

As businesses increasingly rely on connected devices to optimize their operations, the number of IoT and Operational Technology (OT) endpoints is growing dramatically—industry analysts have estimated that CISOs will soon be responsible for an attack surface multiple times larger than just a few years ago.

Today we are announcing that Azure Defender for IoT is now generally available.

Defender for IoT adds a critical layer of security for this expanding endpoint ecosystem. In contrast to user devices (laptops and phones) and server infrastructure, many IoT and OT devices do not support the installation of agents and are currently unmanaged and therefore invisible to IT and security teams. Without this visibility, it is extremely challenging to detect if your IoT and OT infrastructure has been compromised. Further increasing risk, many of these devices were not designed with security in mind and lack modern controls such as strong credentials and automated patching.

As a result, there is understandable concern about Cyber-Physical System (CPS) risk in OT and industrial control system (ICS) environments such as electricity, water, transportation, data centers, smart buildings, food, pharmaceuticals, chemicals, oil and gas, and other critical manufactured products. Compared to traditional IT risk, the business risk associated with IoT and OT is distinct and significant:

  • Production downtime, resulting in revenue impact and critical shortages.
  • Theft of proprietary formulas and other sensitive intellectual property, causing loss of competitive advantage.
  • Safety and environmental incidents, leading to brand impact and corporate liability.

Traditional security tools developed for IT networks are unable to address these risks as they lack awareness of specialized industrial protocols such as Modbus, DNP3, and BACnet and this different class of equipment from manufacturers like Rockwell Automation, Schneider Electric, Emerson, Siemens, and Yokogawa.

Proactive IoT and OT security monitoring and risk visibility

With Defender for IoT, industrial and critical infrastructure organizations can now proactively and continuously detect, investigate, and hunt for threats in their IoT and OT environments. Incorporating specialized IoT and OT aware behavioral analytics and threat intelligence from our recent acquisition of CyberX, Azure Defender for IoT is an agentless security solution for:

  • Auto-discovery of IoT and OT assets.
  • Identification of vulnerabilities and prioritizing mitigations.
  • Continuously monitoring for IoT and OT threats, anomalies, and unauthorized devices.
  • Delivering unified IT and OT security monitoring and governance. This is achieved via deep integration with Azure Sentinel, Microsoft’s cloud-native SIEM and SOAR platform, for sharing rich contextual information about IoT and OT assets and threats related to incidents. Support is also provided for other SOC workflows and security stacks including Splunk, IBM QRadar, and ServiceNow.

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration.

Fast and flexible deployment options

Defender for IoT is agentless, has deeply embedded knowledge of diverse industrial protocols, and makes extensive use of machine learning and automation, eliminating the need to manually configure any rules or signatures or have any prior knowledge of the environment.

This means that Defender for IoT can typically be rapidly deployed (often in less than a day), making it an ideal solution for organizations with tight deadlines and short plant maintenance windows. Plus, it uses passive, non-invasive monitoring via an on-premises edge sensor which analyzes a copy of the network traffic from a SPAN port or TAP—so there’s zero impact on IoT and OT network performance or reliability.

To provide customers flexibility and choice, Defender for IoT offers multiple deployment options:

  • On-premises for highly regulated or sensitive environments.
  • Azure-connected for organizations looking to benefit from the scalability, simplicity, and continuous threat intelligence updates of a cloud-based service, plus integration with the Azure Defender XDR.
  • Hybrid where security monitoring is performed on-premises but selected alerts are forwarded to a cloud-based SIEM like Azure Sentinel.

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub (optional). 

Proven in some of the world’s most complex and diverse environments

The technology delivered with Defender for IoT has been deployed in some of the world’s largest and most complex environments, including:

  • Three of the top 10 U.S. energy utilities, plus energy utilities in Canada, EMEA, and APAC.
  • Three of the top 10 global pharmaceutical companies.
  • Global 2000 firms in manufacturing, chemicals, oil and gas, and life sciences.
  • One of the world’s largest regional water utilities.
  • Building management systems (BMS) for data centers and smart buildings worldwide, including in Microsoft’s own Azure data centers.
  • Multiple government agencies.

Getting started with Azure Defender for IoT

You can try Defender for IoT for free for the first 30 days and for up to 1,000 devices. After that, you pay on a per-device basis in increments of a thousand devices. Visit the product page and getting started pages to learn more.

For more detailed product information:

  • Read our blog post describing the product architecture and capabilities in more detail, titled “Go inside the new Azure Defender for IoT.”
  • Watch our 30-minute Ignite session with a demo showing how integration with Azure Sentinel and IoT and OT-specific SOAR playbooks enable faster detection and response to multistage attacks that cross IT and OT boundaries, using the TRITON attack on a petrochemical facility as an example.
  • If you’re currently using Azure Defender for IoT, read our article about updating it with the latest threat intelligence package for detecting threats related to the compromise of the SolarWinds Orion product and theft of FireEye’s Red Team tools.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Announcing the general availability of Azure Defender for IoT appeared first on Microsoft Security.

Go inside the new Azure Defender for IoT including CyberX

November 25th, 2020 No comments

In 2020, the move toward digital transformation and Industry 4.0 took on new urgency with manufacturing and other critical infrastructure sectors under pressure to increase operational efficiency and reduce costs. But the cybersecurity model for operational technology (OT) was already shown to be lacking before the pandemic. A series of major cyberattacks across industries served as a wake-up call that the traditional “air-gapped” model for OT cybersecurity had become outdated in the era of IT/OT convergence and initiatives such as Smart Manufacturing and Smart Buildings. And the IoT and Industrial Internet of things (IIoT) are only getting bigger. Analysts predict we’ll have billions of IoT devices connected worldwide in a few years, drastically increasing the surface area for attacks.

Company boards and management teams are understandably concerned about increased safety and corporate liability risks as well as the financial impact of crippling downtime posed by IoT/OT breaches. They’re also concerned about losing sensitive IP such as proprietary formulas and product designs, since manufacturers are eight times more likely to be attacked for cyberespionage than other sectors, according to the 2020 Verizon DBIR.1

In my recent Microsoft Ignite presentation, Azure Defender for IoT including CyberX, I was joined by Nir Krumer, Principal PM Manager at Microsoft, to examine how the new Azure Defender for IoT incorporates CyberX’s agentless technology and IoT/OT-aware behavioral analytics, minimizing those risks by providing IT teams with continuous IoT/OT visibility into their industrial and critical infrastructure networks. You’re invited to view the full presentation and review some highlights below.

IT versus OT

Unlike information technology (IT) security, OT security is focused on securing physical processes and assets rather than digital assets like containers and SQL databases. Physical assets include devices like turbines, mixing tanks, HVAC systems in smart buildings and data centers, factory-floor machines, and more. In OT, the top focus is always on safety and availability. Availability means that your production facilities must be resilient and keep operating, because that’s where the revenue comes from. However, the biggest difference from IT security is that most chief information security officers (CISOs) and SOC teams today have little or no visibility into their OT risk, because they don’t have the multiple layers of controls and telemetry as we have in IT environments. And OT risk translates directly into business risk.

As recent history shows, attacks on OT are already underway. The TRITON attack on the safety controllers in a Middle East petrochemical facility was intended to cause major structural damage to the facility and possible loss of life. The attackers got their initial foothold in the IT network but subsequently used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new ways of compromising unmanaged OT devices, which historically haven’t supported agents and are typically invisible to IT teams.

Purdue Model traversal in TRITON attack

Figure 1: Purdue Model traversal in TRITON attack.

How Azure Defender for IoT works for you

By incorporating agentless technology from Microsoft’s recent acquisition of CyberX, Azure Defender for IoT enables IT and OT teams to identify critical vulnerabilities and detect threats using IoT/OT-aware behavioral analytics and machine learning—all without impacting availability or performance.

In our Ignite presentation, we broke down five key capabilities provided by the product’s agentless security for unmanaged IoT/OT devices:

  • Asset discovery: Because you cannot protect what you do not know you have, Azure Defender tells you what IoT/OT devices are in your network and how they’re communicating with each other. Also, if you’re implementing a Zero Trust policy, you need to know how these devices are connected so you can segment them onto their own network and manage granular access to them.
  • Risk and vulnerability management: Azure Defender helps you identify vulnerabilities such as unauthorized devices, unpatched systems, unauthorized internet connections, and devices with unused open ports—so you can take a prioritized approach to mitigating IoT/OT risk for your crown jewel assets. These are the critical devices whose compromise would have a major impact on your organization, such as a safety incident, loss of revenue, or theft of sensitive IP.
  • Continuous IoT threat monitoring and response: Azure Defender continuously monitors the OT network using Layer 7 Deep Packet Inspection (DPI), informing you immediately when there has been unusual or unauthorized behavior, and empowering you to mitigate an attack before it causes a production failure or safety incident. It incorporates a deep understanding of all major industrial protocols (including Modbus, DNP3, Siemens S7, Ethernet/IP CIP, GE-SRTP, and Yokogawa) and patented, IoT/OT-aware behavioral analytics to detect threats faster and more accurately, with a far shorter learning period than generic baselining algorithms.
  • Operational efficiency: When you have malfunctioning or misconfigured equipment, you need to quickly figure out what went wrong. By providing deep visibility into what’s going on in the network—such as a misconfigured engineering workstation that’s constantly scanning the network—you can help your IoT/OT engineers quickly identify and address the root cause of those issues.
  • Unified IT/OT security monitoring and governance: Azure Defender for IoT is deeply integrated with Azure Sentinel and also supports third-party tools such as Splunk, IBM QRadar, and ServiceNow. This helps break down silos that slow communication between IT and OT teams, and creates a common language between them to quickly resolve issues. It also enables you to quickly address attacks that cross IT/OT boundaries (like TRITON), as well as leverage the workflows and training you spent years building in your security operations center (SOC)—so you can apply them to IoT and OT security as well.

Deployment Architecture

So, how does this system get deployed? Azure Defender for IoT uses a network sensor to capture a copy of the network traffic through the switch port analyzer (SPAN). It uses a technique called passive monitoring or network traffic analysis (NTA) to identify assets, vulnerabilities, and threats without impacting the performance or reliability of the IoT/OT network. The solution can be 100 percent on-premises, connected to Azure, or a hybrid of the two (for example, by forwarding alerts to Azure Sentinel).

Azure Defender for IoT uses an on-premises network sensor to capture and analyze all OT traffic. The solution can be deployed on-premises, connected to Azure, or in hybrid environments where the SIEM is cloud-based, as with Azure Sentinel.

Figure 2: Azure Defender for IoT uses an on-premises network sensor to capture and analyze all IoT/OT traffic. The solution can be deployed fully on-premises, or connected to Azure, or in hybrid environments where the SIEM is cloud-based, as with Azure Sentinel.

Azure Sentinel integration

To enable rapid detection and response for attacks that cross IT/OT boundaries, Azure Defender is deeply integrated with Azure Sentinel—Microsoft’s cloud-native SIEM/SOAR platform. As a SaaS-based solution, Azure Sentinel delivers reduced complexity, built-in scalability, lower total cost of ownership (TCO), and continuous threat intelligence and software updates. It also provides built-in IoT/OT security capabilities, including:

  • Deep integration with Azure Defender for IoT: Azure Sentinel provides rich contextual information about specialized OT devices and behaviors detected by Azure Defender—enabling your SOC teams to correlate and detect modern kill-chains that move laterally across IT/OT boundaries.
  • IoT/OT-specific SOAR playbooks: Sample playbooks enable automated actions to swiftly remediate IoT/OT threats.
  • IoT/OT-specific threat intelligence: In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.

You are invited to watch our Microsoft Ignite presentation to learn more about Azure Defender for IoT, including a live demo of how deep integration with Azure Sentinel can be used to investigate multistage IT/OT attacks like TRITON.

Visit the Azure Defender for IoT website to learn more and try it for free during Public Preview. You can also learn more about Microsoft Security solutions by visiting our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1 2020 Verizon DBIR, pages 36 and 59.

The post Go inside the new Azure Defender for IoT including CyberX appeared first on Microsoft Security.

Addressing cybersecurity risk in industrial IoT and OT

October 21st, 2020 No comments

As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too, do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need to ensure safety in manufacturing, oil and gas facilities, public utilities, transportation, civic infrastructure, and more.

Analysts predict that we’ll have roughly 21.5 billion IoT devices connected worldwide in 2025, drastically increasing the surface area for attacks. Because embedded devices often go unpatched, CISO’s need new strategies to mitigate IIoT/OT risks that differ in crucial ways from those found in information technology (IT). The difference needs to be understood by your Board of Directors (BoD) and leadership team. Costly production outages, safety failures with injuries or loss of life, environmental damage leading to liability—all are potentially disastrous scenarios that have moved IIoT and OT to the center of cyber threat management.

An evolving threat landscape

Both IIoT and OT are considered cyber-physical systems (CPS); meaning, they encompass both the digital and physical worlds. This makes any CPS a desirable target for adversaries seeking to cause environmental contamination or operational disruption. As recent history shows, such attacks are already underway. Examples include the TRITON attack—intended to cause a serious safety incident—on a Middle East chemical facility and the Ukrainian electrical-grid attacks. In 2017, ransomware dubbed NotPetya paralyzed the mighty Maersk shipping line and nearly halted close to a fifth of the world’s shipping capacity. It also spread to pharma giant Merck, FedEx, and numerous European firms before boomeranging back to Russia to attack the state oil company, Rosneft.

In 2019, Microsoft observed a Russian state-sponsored attack using IoT smart devices—a VOIP phone, an office printer, and a video decoder—as entry points into corporate networks, from which they attempted to elevate privileges. Attackers have even compromised building access control systems to move into corporate networks using distributed denial-of-service (DDoS) attacks; wherein, a computer system is overwhelmed and crashed with an onslaught of traffic.

The current model

Since the 1990’s, the Purdue Enterprise Reference Architecture (PERA), aka the Purdue Model, has been the standard model for organizing (and segregating) enterprise and industrial control system (ICS) network functions. PERA divides the enterprise into various “Levels,” with each representing a subset of systems. Security controls between each level are typified by a “demilitarized zone” (DMZ) and a firewall.

Conventional approaches restrict downward access to Level 3 from Levels 4, 5 (and the internet). Heading upward, only Layer 2 or 3 can communicate with Layers 4 and 5, and the lowest two Levels (machinery and process) must keep their data and communications within the organization’s OT.

But in our IIoT era, data no longer flows in a hierarchical fashion as prescribed by the Purdue Model. With the rise of edge computing, smart sensors, and controllers (Levels O, 1) now bypass firewalls and communicate directly with the cloud, creating new risks for system exposure.

Modernizing this model with Zero Trust principles at Levels 4 and 5 can help bring an organization’s IIoT/OT into full compliance for the cloud era.

A new strategy

Consequence-driven cyber-informed engineering (CCE) is a new methodology designed by Idaho National Labs (INL) to address the unique risks posed by IIoT/OT. Unlike conventual approaches to cybersecurity, CCE views consequence as the first aspect of risk management and proactively engineers for potential impacts. Based on CCE, there are four steps that your organization—public or private—should prioritize:

  1. Identify your “crown jewel” processes: Concentrate on protecting critical “must-not-fail” functions whose failure could cause safety, operational, or environmental damage.
  2. Map your digital estate: Examine all the digital pathways that could be exploited by adversaries. Identify all of your connected assets—IT, IoT, building management systems (BMS), OT, smart personal devices—and understand who has access to what, including vendors, maintenance people, and remote workers.
  3. Spotlight likely attack paths: Analyze vulnerabilities to determine attack routes leading to your crown jewel processes, including possible social engineering schemes and physical access to your facilities.
  4. Mitigate and protect: Prioritize options that allow you to “engineer out” cyber risks that present the highest consequences. Implement Zero Trust segmentation policies to separate IIoT and OT devices from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.

Making the case in real terms

Your leadership and BoD have a vested interest in seeing a return on investment (ROI) for any new software or hardware. Usually, the type of ROI they want and expect is increased revenue. But returns on security software often can’t be seen in a quarterly statement. That means cybersecurity professionals have to present a solid case. Here are some straightforward benefits to investing in IIoT/OT cybersecurity software that you can take into the boardroom:

  • Prevent safety or environmental costs: Security failures at chemical, mining, oil, transportation, or other industrial facilities can cause consequences more dire than an IT breach. Lives can be lost, and costs incurred from toxic clean-up, legal liability, and brand damage can reach into the hundreds of millions.
  • Minimize downtime: As the NotPetya and LockerGoga attacks demonstrated, downtime incurs real financial losses that affect everyone—from plant personnel all the way up to shareholders.
  • Stop IP theft: Companies in the pharmaceutical industry, energy production, defense, high-tech, and others spend millions on research and development. Losses from having their intellectual property stolen by nation states or competitors can also be measured in the millions.
  • Avoid regulatory fines: Industries such as pharmaceuticals, oil/gas, transportation, and healthcare are heavily regulated. Therefore, they are vulnerable to large fines if a security breach in IIoT/OT causes environmental damage or loss of life.

The way forward

For today’s CISO, securing the digital estate now means being accountable for all digital security—IT, OT, IIoT, BMS, and more. This requires an integrated approach—embracing people, processes, and technology. A good checklist to start with includes:

  • Enable IT and OT teams to embrace their common goal—supporting the organization.
  • Bring your IT security people onsite so they can understand how OT processes function.
  • Show OT personnel how visibility helps the cybersecurity team increase safety and efficiency.
  • Bring OT and IT together to find shared solutions.

With attackers now pivoting across both IT and OT environments, Microsoft developed Azure Defender for IoT to integrate seamlessly with Azure Sentinel and Azure Sphere—making it easy to track threats across your entire enterprise. Azure Defender for IoT utilizes:

  • Automated asset discovery for both new greenfield and legacy unmanaged IoT/OT devices.
  • Vulnerability management to identify IIoT/OT risks, detect unauthorized changes, and prioritize mitigation.
  • IIoT/OT-aware behavioral analytics to detect advanced threats faster and more accurately.
  • Integration with Azure Sentinel and third-party solutions like other SIEMs, ticketing, and CMDBs.

Azure Defender for IoT makes it easier to see and mitigate risks and present those risks to your BoD. Microsoft invests more than USD1 billion annually on cybersecurity research, which is why Azure has more compliance certifications than any other cloud provider.

Plain language and concrete examples go far when making the case for IIoT/OT security software. Your organization should define what it will—and more importantly, will not—tolerate as operational risks. For example: “We tolerate no risk to human life or safety”; “no permanent damage to the ecosystem”; “no downtime that will cost jobs.” Given the potential for damages incurred from downtime, injuries, environmental liability, or tarnishing your brand, an investment in cybersecurity software for IIoT/OT makes both financial and ethical sense.

To learn more about Microsoft Security solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Addressing cybersecurity risk in industrial IoT and OT appeared first on Microsoft Security.

Rethinking IoT/OT Security to Mitigate Cyberthreats

August 26th, 2020 No comments

We live in an exciting time. We’re in the midst of the fourth industrial revolution—first steam, followed by electricity, then computers, and, now, the Internet of Things.

A few years ago, IoT seemed like a futuristic concept that was on the distant horizon. The idea that your fridge would be connected to the internet, constantly uploading and downloading data and ordering things on its own, like new filters or groceries, seemed laughable. Why would anyone want or need such a thing?

Now, IoT and other embedded and operational technologies (OT) are far more pervasive in our lives than anyone could have imagined. Robotics, chemical and pharmaceutical production, power generation, oil production, transportation, mining, healthcare devices, building management systems, and seemingly everything else is becoming part of a smart, interconnected, machine-learning powered system. Machines can now monitor themselves, diagnose problems, and then reconfigure and improve based on the data.

The threat is real

It’s an exciting time, but it’s also an alarming time, especially for CISOs (Chief Information Security Officers) working diligently to employ risk mitigation and keep their companies secure from cyberthreats. Billions of new IoT devices go online each year, and as these environments become more connected with digitization initiatives, their attack surfaces grow.

From consumer goods to manufacturing systems to municipal operations like the power grid, it all needs data protection. The threat is very real. Take the Mirai botnet hack, for example. 150,000 cameras hacked and turned into a botnet that blocked internet access for large portions of the US. We have also seen destructive and rapidly spreading ransomware attacks, like NotPetya, cripple manufacturing and port operations around the globe.  However, existing IT security solutions cannot solve those problems due to the lack of standardized network protocols for such devices and the inability to certify device-specific products and deploy them without impacting critical operations.  So, what exactly is the solution? What do people need to do to resolve the IoT security problem?

Working to solve this problem is why Microsoft has joined industry partners to create the Open Source Security Foundation as well as acquired IoT/OT security leader CyberX. This integration between CyberX’s IoT/OT-aware behavioral analytics platform and Azure unlocks the potential of unified security across converged IT and industrial networks. And, as a complement to the embedded, proactive IoT device security of Microsoft Azure Sphere, CyberX IoT/OT provides monitoring and threat detection for devices that have not yet upgraded to Azure Sphere security. Used together, CyberX and Azure Sphere can give you visibility to what’s happening in your environment while actively preventing exploitation of your connected equipment. The goal is to achieve the mission of securing every unmanaged device to help protect critical operations.

Both Microsoft and CyberX have managed to help protect a large number of enterprises around the world—including leading organizations in manufacturing, pharmaceuticals and healthcare, power utilities, oil and gas companies, data centers, and more, at a global scale.

This success is due to taking a completely different approach, an innovative solution that prioritizes ease of deployment and use—to provide a security solution custom-built for OT and industrial control systems. So, what do you need to do that?

Let’s sit in a plant. Imagine that the process keeps on running, so from an operational perspective, all is fine. But even if operations are moving smoothly, you don’t know if someone is trying to hack your systems, steal your IP, or disrupt your day-to-day processes—you wouldn’t know that until the processes are disrupted, and by then, it’s too late.

To catch these threats, you need to understand what you have, understand the process interaction, validate access to the resources, and understand root cause analysis from other breaches. From a technology perspective, to gain this level of understanding, you need automated and intelligent asset visibility, behavioral analytics capable of understanding OT/IoT behavior, vulnerability management, and threat hunting. To defend against these threats, you will want to deploy an IoT device security solution that implements critical security properties, including defense in-depth, error reporting, and renewable security, that will help keep your connected devices and equipment protected over time.

Where to go from here

For any business looking to learn more about IoT/OT security, a good place to start is by downloading CyberX’s global IoT/ICS risk report. This free report provides a data-driven analysis of vulnerabilities in our Internet of Things (IoT) and industrial control systems (ICS) infrastructure.

Based on data collected in the past 12 months from 1,821 production IoT/ICS networks—across a diverse mix of industries worldwide—the analysis was performed using passive, agentless monitoring with patented deep packet inspection (DPI) and Network Traffic Analysis (NTA). The data shows that IoT/ICS environments continue to be soft targets for adversaries, with security gaps in key areas such as:

  • Outdated operating systems
  • Unencrypted passwords
  • Remotely accessible devices
  • Unseen indicators of threats
  • Direct internet connections

To learn more about protecting your critical equipment and devices with layered and renewable security, we recommend reading The seven properties of highly secured devices. To understand how these properties are implemented in Azure Sphere, you can download The 19 best practices for Azure Sphere.

These are key resources for any businesses looking to increase their IoT security and help mitigate cyberthreats to their organization’s systems and data.

Learn more

Tackling the IoT security threat is a big, daunting project, but Microsoft is committed to helping solve them through innovation and development efforts that empower businesses across the globe to operate more safely and securely.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about protecting your critical equipment and devices with layered and renewable security, reach out to your Microsoft account team and we recommend reading The seven properties of highly secured devices.

The post Rethinking IoT/OT Security to Mitigate Cyberthreats appeared first on Microsoft Security.

Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them

July 2nd, 2020 No comments

Recently, Microsoft announced our acquisition of CyberX, a comprehensive network-based security platform with continuous threat monitoring and analytics. This solution builds upon our commitment to provide a unified IoT security solution that addresses connected devices spread across both industrial and IT environments and provides a trusted, easy-to-use platform for our customers and partners to build connected solutions – no matter where they are starting in their IoT journey.

Every year billions of new connected devices come online. These devices enable businesses to finetune operations, optimize processes, and develop analytics-based services. Organizations are clearly benefiting from IoT as shared in the IoT Signals research report produced by Microsoft. But while the benefit is great, we must not ignore the potential security risks. To talk about how companies can reduce their risk from connected devices, Dr. Andrea Little Limbago joined me on Cyber Tea with Ann Johnson.

Dr. Andrea Little Limbago is a cybersecurity researcher, quant analyst, and computational social scientist at Virtru. With a background in social science, Andera has a unique perspective that I think you’ll find interesting.

Andrea and I talked about the role of automation in attacks and defense and how privacy and security advocates can come together to accomplish their overlapping goals. We also talked about how to safeguard your organization when you can’t inventory all your IoT devices.

It isn’t just businesses that are investing in connected devices. If you have IoT devices in your home, Andrea offered some great advice for protecting your privacy and your data. Listen to Cybersecurity and IoT: New Risks and How to Minimize Them to hear our conversation.

Lack of visibility into the devices currently connected to the network is a widespread problem. Many organizations also struggle to manage security on existing devices. The acquisition of CyberX complements existing Azure IoT security capabilities. I’m excited because this helps our customers discover their existing IoT assets, and both manage and improve the security posture of those devices. Expect more innovative solutions as we continue to integrate CyberX into Microsoft’s IoT security portfolio.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

§  Apple Podcasts—You can also download the episode by clicking the Episode Website link.

§  Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.

§  CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

If you are interested in how businesses across the globe are benefiting from IoT, read IoT Signals, a research report produced by Microsoft.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats

May 28th, 2020 No comments

In recent years, cybersecurity has been elevated to a C-suite and board-level concern. This is appropriate given the stakes. Data breaches can have significant impact on a company’s reputation and profits. But, although businesses now consider cyberattacks a business risk, management of cyber risks is still siloed in technology and often not assessed in terms of other business drivers. To properly manage cybersecurity as a business risk, we need to rethink how we define and report on them.

The blog series, “Managing cybersecurity like a business risk,” will dig into how to update the cybersecurity risk definition, reporting, and management to align with business drivers. In today’s post, I’ll talk about why we need to model both opportunities as well as threats when we evaluate cyber risks. In future blogs, I’ll dig into some reporting tools that businesses can use to keep business leaders informed.

Digital transformation brings both opportunities and threats

Technology innovations such as artificial intelligence (AI), the cloud, and the internet of things (IoT) have disrupted many industries. Much of this disruption has been positive for businesses and consumers alike. Organizations can better tailor products and services to targeted segments of the population, and businesses have seized on these opportunities to create new business categories or reinvent old ones.

These same technologies have also introduced new threats. Legacy companies risk losing loyal customers by exploiting new markets. Digital transformation can result in a financial loss if big bets don’t pay off. And of course, as those of us in cybersecurity know well, cybercriminals and other adversaries have exploited the expanded attack surface and the mountains of data we collect.

The threats and opportunities of technology decisions are intertwined, and increasingly they impact not just operations but the core business. Too often decisions about digital transformation are made without evaluating cyber risks. Security is brought in at the very end to protect assets that are exposed. Cyber risks are typically managed from a standpoint of loss aversion without accounting for the possible gains of new opportunities. This approach can result in companies being either too cautious or not cautious enough. To maximize digital transformation opportunities, companies need good information that helps them take calculated risks.

It starts with a SWOT analysis

Threats and opportunities are external forces that may be factors for a company and all its competitors. One way to determine how your company should respond is by also understanding your weaknesses and strengths, which are internal factors.

  • Strengths: Characteristics or aspects of the organization or product that give it a competitive edge.
  • Weaknesses: Characteristics or aspects of the organization or product that puts it at a disadvantage compared to the competition.
  • Opportunities: Market conditions that could be exploited for benefit.
  • Threats: Market conditions that could cause damage or harm.

To crystallize these concepts, let’s consider a hypothetical brick and mortar retailer in the U.K. that sells stylish maternity clothes at an affordable price. In Europe, online retail is big business. Companies like ASOS and Zalando are disrupting traditional fashion. If we apply a SWOT analysis to them, it might look something like this.

  • Strength: Stylish maternity clothes sold at an affordable price, loyal referral-based clientele.
  • Weakness: Only available through brick and mortar stores, lack technology infrastructure to quickly go online, and lack security controls.
  • Opportunity: There is a market for these clothes beyond the U.K.
  • Threats: Retailers are a target for cyberattacks, customers trends indicate they will shop less frequently at brick and mortar stores in the future.

For this company, there isn’t an obvious choice. The retailer needs to figure out a way to maintain the loyalty of its current customers while preparing for a world where in-person shopping decreases. Ideally the company can use its strengths to overcome its weaknesses and confront threats. For example, the company’s loyal clients that already refer a lot of business could be incented to refer business via online channels to grow business. The company may also recognize that building security controls into an online business from the ground up is critical and take advantage of its steady customer base to buy some time and do it right.

Threat modeling and opportunity modeling paired together can help better define the potential gains and losses of different approaches.

Opportunity and threat modeling

Many cybersecurity professionals are familiar with threat modeling, which essentially poses the following questions, as recommended by the Electronic Frontier Foundation.

  • What do you want to protect?
  • Who do you want to protect it from?
  • How likely is it that you will need to protect it?
  • How bad are the consequences if you fail?
  • How much trouble are you willing to go through in order to try to prevent those?

But once we’ve begun to consider not just the threats but the opportunities available in each business decision, it becomes clear that this approach misses half the equation. Missed opportunity is a risk that isn’t captured in threat modeling. This is where opportunity modeling becomes valuable. Some of my thinking around opportunity modeling was inspired by a talk by John Sherwood at SABSA, and he suggested the following questions to effectively model opportunity:

  • What is the value of the asset you want to protect?
  • What is the potential gain of the opportunity?
  • How likely is it that the opportunity will be realized?
  • How likely is it that a strength be exploited?

This gives us a framework to consider the risk from both a threat and opportunity standpoint. Our hypothetical retailer knows it wants to protect the revenue generated by the current customers and referral model, which is the first question on each model. The other questions help quantify the potential loss if threats materialize and the potential gains of opportunities are realized. The company can use this information to better understand the ratio of risk to reward.

It’s never easy to make big decisions in light of potential risks, but when decisions are informed by considering both the potential gains and potential losses, you can also better define a risk management strategy, including the types of controls you will need to mitigate your risk.

In my next post in the “Managing cybersecurity like a business risk” series, I’ll review some qualitative and quantitative tools you can use to manage risk.

Read more about risk management from SABSA.  To learn more about Microsoft security solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats appeared first on Microsoft Security.

Cybersecurity best practices to implement highly secured devices

May 20th, 2020 No comments

Almost three years ago, we published The Seven Properties of Highly Secured Devices, which introduced a new standard for IoT security and argued, based on an analysis of best-in-class devices, that seven properties must be present on every standalone device that connects to the internet in order to be considered secured. Azure Sphere, now generally available, is Microsoft’s entry into the market: a seven-properties-compliant, end-to-end product offering for building and deploying highly secured IoT devices.

Every connected device should be highly secured, even devices that seem simplistic, like a cactus watering sensor. The seven properties are always required. These details are captured in a new paper titled, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere. It focuses on why the seven properties are always required and describes best practices used to implement Azure Sphere. The paper provides detailed information about the architecture and implementation of Azure Sphere and discusses design decisions and trade-offs. We hope that the new paper can assist organizations and individuals in evaluating the measures used within Azure Sphere to improve the security of IoT devices. Companies may also want to use this paper as a reference, when assessing Azure Sphere or other IoT offerings.  In this blog post, we discuss one issue covered in the paper: why are the 7 properties always required?

Why are the seven properties applicable to every device that connects to the internet?

If an internet-connected device performs a non-critical function, why does it require all seven properties? Put differently, are the seven properties required only when a device might cause harm if it is hacked? Why would you still want to require an advanced CPU, a security subsystem, a hardware root of trust, and a set of services to secure a simple, innocuous device like a cactus water sensor?

Because any device can be the target of a hacker, and any hacked device can be weaponized.

Consider the Mirai botnet, a real-world example of IoT gone wrong. The Mirai botnet involved approximately 150,000 internet-enabled security cameras. The cameras were hacked and turned into a botnet that launched a distributed denial of service (DDoS) attack that took down internet access for a large portion of the eastern United States. For security experts analyzing this hack, the Mirai botnet was distressingly unsophisticated. It was also a relatively small-scale attack, considering that many IoT devices will sell more than 150,000 units.

Adding internet connectivity to a class of device means a single, remote attack can scale to hundreds of thousands or millions of devices. The ability to scale a single exploit to this degree is cause for reflection on the upheaval IoT brings to the marketplace. Once the decision is made to connect a device to the internet, that device has the potential to transform from a single-purpose device to a general-purpose computer capable of launching a DDoS attack against any target in the world. The Mirai botnet is also a demonstration that a manufacturer does not need to sell many devices to create the potential for a “weaponized” device.

IoT security is not only about “safety-critical” deployments. Any deployment of a connected device at scale requires the seven properties. In other words, the function, purpose, and cost of a device should not be the only considerations when deciding whether security is important.

The seven properties do not guarantee that a device will not be hacked. However, they greatly minimize certain classes of threats and make it possible to detect and respond when a hacker gains a toehold in a device ecosystem. If a device doesn’t have all seven, human practices must be implemented to compensate for the missing features. For example, without renewable security, a security incident will require disconnecting devices from the internet and then recalling those devices or dispatching people to manually patch every device that was attacked.

Implementation challenges

Some of the seven properties, such as a hardware-based root of trust and compartmentalization, require certain silicon features. Others, such as defense in-depth, require a certain software architecture as well as silicon features like the hardware-based root of trust. Finally, other properties, including renewable security, certificate-based authentication, and failure reporting, require not only silicon features and certain software architecture choices within the operating system, but also deep integration with cloud services. Piecing these critical pieces of infrastructure together is difficult and prone to errors. Ensuring that a device incorporates these properties could therefore increase its cost.

These challenges led us to believe the seven properties also created an opportunity for security-minded organizations to implement these properties as a platform, which would free device manufacturers to focus on product features, rather than security. Azure Sphere represents such a platform: the seven properties are designed and built into the product from the silicon up.

Best practices for implementing the seven properties

Based on our decades of experience researching and implementing secured products, we identified 19 best practices that were put into place as part of the Azure Sphere product. These best practices provide insight into why Azure Sphere sets such a high standard for security. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions.

We hope that the discussion of these best practices sheds some additional light on the large number of features the Azure Sphere team implemented to protect IoT devices. We also hope that this provides a new set of questions to consider in evaluating your own IoT solution. Azure Sphere will continue to innovate and build upon this foundation with more features that raise the bar in IoT security.

To read previous blogs on IoT security, visit our blog series:  https://www.microsoft.com/security/blog/iot-security/   Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity

The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

Managing risk in today’s IoT landscape: not a one-and-done

April 28th, 2020 No comments

image for Halina's Blog Post_updated-BANNER

The reality of securing IoT over time

It’s difficult to imagine any aspect of everyday life that isn’t affected by the influence of connectivity. The number of businesses that are using IoT is growing at a fast pace. By 2021, approximately 94 percent of businesses will be using IoT. Connectivity empowers organizations to unlock the full potential of the Internet of Things (IoT)—but it also introduces new cybersecurity attack vectors that they didn’t need to think about before. The reality is, connectivity comes at a cost: attackers with a wide range of motivations and skills are on the hunt, eager to exploit vulnerabilities or weak links in IoT. What does it take to manage those risks?

The cybersecurity threat landscape is ever evolving so a solution’s protection must also evolve regularly in order to remain effective. Securing a device is neither a one-time action nor is it a problem that is solely technical in nature. Implementing robust security measures upfront is not enough—risks need to be mitigated not just once, but constantly and throughout the full lifespan of a device. Facing this threat landscape ultimately means acknowledging that organizations will have to confront the consequences of attacks and newfound vulnerabilities. The question is, how to manage those risks beyond the technical measures that are in place?

A holistic approach to minimizing risk

Securing IoT devices against cyberattacks requires a holistic approach that complements up-front technical measures with ongoing practices that allow organizations to evaluate risks and establish a set of actions and policies that minimize threats over time. Cybersecurity is a multi-dimensional issue that requires the provider of an IoT solution to take several variables into account—it is not just the technology, but also the people who create and manage a product and the processes and practices they put in place, that will determine how resilient it is.

With Azure Sphere, we provide our customers with a robust defense that utilizes the evidence and learnings documented in the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state even after it has been compromised. As the threat landscape evolves, renewable security also enables us to counter new attack vectors through updates. This is essential, but not sufficient on its own. Our technology investments are enhanced through similar investments in security assurance and risk management that permeate all levels of an organization. The following sections highlight three key elements of our holistic approach to IoT security: continuous evaluation of our security promise, leveraging the power of the security community, and combining cyber and organizational resilience. 

Continuous evaluation of our security promise

All cyberattacks fall somewhere on a spectrum of complexity. On one side of the spectrum are simple and opportunistic attacks. Examples are off-the-shelf malware or attempts to steal data such as credentials. These attacks are usually performed by attackers with limited resources. On the opposite side of the spectrum are threat actors that use highly sophisticated methods to target specific parts of the system. Attackers within this category usually have many resources and can pursue an attack over a longer period of time. Given the multitude of threats across this spectrum, it is important to keep in mind that they all have one thing in common: an attacker faces relatively low risk with potentially very large rewards.

Taking this into account, we believe that in order to protect our customers we need to practice being our own worst enemy. This means our goal is to discover any vulnerabilities before the bad guys do. One proven approach is to test our solution from the same perspective as an attacker. So-called “red teams” are designed to emulate the attacks of adversaries, whereas “purple teams” perform both attacking and defending to harden a product from within.

Our approach to red team exercises is to try to mimic the threat landscape that devices are actually facing. We do this multiple times a year and across the full Azure Sphere stack. This means that our customers benefit from the rigorous security testing of our platform and are able to focus on the security of their own applications. We work with the world’s most renowned security service providers to test our product with a real-world attacker mentality for an extended period of time and from multiple perspectives. In addition, we leverage the full power of Microsoft internal security expertise to conduct regular internal red and purple team exercises. The practice of constantly evaluating our defense and emulating the ever-evolving threat landscape is an important part of our security hygiene—allowing us to find vulnerabilities, update all devices, and mitigate incidents before they even happen.

Leveraging the power of the security community

Another approach to finding vulnerabilities before attackers do is to engage with the cybersecurity community through bounty programs. We encourage security researchers with an interest in Azure Sphere to search for any vulnerabilities and we reward them for it. While our approach to red team exercises ensures regular testing of how we secure Azure Sphere, we also believe in the advantages of the continual and diverse assessment by anyone who is interested, at any point in time.

Security researchers play a significant role in securing our billions of customers across Microsoft, and we encourage the responsible reporting of vulnerabilities based on our Coordinated Vulnerability Disclosure (CVD). We invite researchers from across the world to look for and report any vulnerability through our Microsoft Azure Bounty Program. Depending on the quality of submissions and the level of severity, we award successful reports with up to $40,000 USD. We believe that researchers should be rewarded competitively when they improve the security of our platform, and we maintain these important relationships for the benefit of our customers.

From a risk management perspective, both red and purple team exercises and bug bounties are helpful tools to minimize the risk of attacks. But what happens when an IoT solution provider is confronted with a newly discovered security vulnerability? Not every organization has a cybersecurity incident response plan in place, and 77 percent of businesses do not have a consistently deployed plan. Finding vulnerabilities is important, but it is equally important to prepare employees and equip the organization with processes and practices that allow for a quick and efficient resolution as soon as a vulnerability is found.

Combining cyber and organizational resilience

Securing IoT is not just about preventing attackers from getting in; it’s also about how to respond when they do. Once the technical barrier has been passed, it is the resilience of the organization that the device has to fall back on. Therefore, it is essential to have a plan in place that allows your team to quickly respond and restore security. There are countless possible considerations and moving parts that must all fit together seamlessly as part of a successful cybersecurity incident response. Every organization is different and there is no one-size-fits-all, but a good place to start is with industry best practices such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide. Azure Sphere’s standard operating procedures are aligned with those guidelines, in addition to leveraging Microsoft battle-tested corporate infrastructure.

Microsoft Security Response Center (MSRC) has been at the front line of security response for more than twenty years. Over time we have learned what it means to successfully protect our customers from harm from vulnerabilities in our products, and we are able to rapidly drive back attacks against our cloud infrastructure. Security researchers and customers are provided with an easy way to report any vulnerabilities and MSRC best-in-class security experts are monitoring communications 24/7 to make sure we can fix an issue as soon as possible.

Your people are a critical asset—when they’re educated on how to respond when an incident occurs, their actions can make all the difference. In addition to MSRC capabilities that are available at any time, we require everyone involved in security incident response to undergo regular and extensive training. Trust is easy to build when things are going right. What really matters in the long term is how we build trust when things go wrong. Our security response practices have been defined with that in mind.

Our commitment to managing the risks you are facing

The world will be more connected than it has ever been, and we believe this requires a strong, holistic, and ongoing focus on cybersecurity. Defending against today’s and tomorrow’s IoT threat landscape is not a static game. It requires continual assessment of our promise to secure your IoT solutions, innovation that improves our defense over time, and working with you and the security community. As the threat landscape evolves, so will we. Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. When you choose Azure Sphere, you can rely on our team and Microsoft to manage your risk so that you can focus on the true business value of your IoT solutions and products.

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Managing risk in today’s IoT landscape: not a one-and-done appeared first on Microsoft Security.

Afternoon Cyber Tea: Building operational resilience in a digital world

April 13th, 2020 No comments

Operational resiliency is a topic of rising importance in the security community. Unplanned events, much like the one we are facing today, are reminders of how organizations can be prepared to respond to a cyberattack. Ian Coldwell and I explored a variety of options in my episode of Afternoon Cyber Tea with Ann Johnson.

Ian Coldwell is a Kubernetes containers and cloud infrastructure specialist with a background in penetration testing and DevOps. In their role as a consultant, Ian has helped companies bridge the gaps between security and DevOps. It was a real pleasure to discuss what Ian has learned in these roles, and I think you’ll find our discussion valuable.

During our conversation, Ian and I talked about threat modeling and how to best protect your crown jewels. We also explored what it means to bring security into DevOps. Hint: it’s about more than just new tooling. And, we demystified Kubernetes. Do you wonder which projects are a good fit for Kubernetes, and which are not? Are you concerned about how to keep Kubernetes containers secure? Take a listen to Building operational resiliency in a digital work on Afternoon Cyber Tea with Ann Johnson for actionable advice that you can apply to your own SecDevOps organization.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape in these unprecedented times, and explore the risk and promise of systems powered by artificial intelligence (AI), Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Building operational resilience in a digital world appeared first on Microsoft Security.