Archive for the ‘IoT’ Category

Securing your IoT with Edge Secured-core devices

June 21st, 2022

A recent study conducted by Microsoft in partnership with Ponemon Institute included a survey of companies that have adopted IoT solutions and 65 percent of them mentioned that security is a top priority when implementing IoT. Attacks targeting IoT devices put businesses at risk. Impacted devices can be bricked, held for ransom, employed as launch points for further network attacks, or used for malicious purposes. Among many consequences, we often see intellectual property (IP) and data theft and compromised regulatory status, all of which can have brand and financial implications on the business. 

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

  • Ensuring data privacy (46 percent).
  • Ensuring network-level security (40 percent).
  • Securing endpoints for each IoT device (39 percent).
  • Tracking and managing each IoT device (36 percent).
  • Making sure all existing software is updated (35 percent).
  • Updating firmware and other software on devices (34 percent).
  • Performing hardware/software tests and device evaluation (34 percent).
  • Updating encryption protocols (34 percent).
  • Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
  • Securely provisioning devices (33 percent).
  • Shifting from device-level to identity-level control (29 percent).
  • Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

  • Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
  • Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
  • Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
  • Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
  • Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
  • Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge Secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

  • ASUS PE200
  • Lenovo ThinkEdge SE30
  • Intel NUC
  • AAEON SRG-TG01

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.


Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Trickbot, a sophisticated trojan that has evolved significantly since its discovery in 2016, has continually expanded its capabilities and, even with disruption efforts and news of its infrastructure going offline, it has managed to remain one of the most persistent threats in recent years. The malware’s modular nature has allowed it to be increasingly adaptable to different networks, environments, and devices. In addition, it has grown to include numerous plug-ins, access-as-a-service backdoors for other malware like Ryuk ransomware, and mining capabilities. A significant part of its evolution also includes making its attacks and infrastructure more durable against detection, including continuously improving its persistence capabilities, evading researchers and reverse engineering, and finding new ways to maintain the stability of its command-and-control (C2) framework.

This continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to utilize MikroTik devices and modules. MikroTik routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.

The Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks.

This analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. We published this tool to help customers ensure these IoT devices are not susceptible to these attacks. We’re also sharing recommended steps for detection and remediating compromise if found, as well as general prevention steps to protect against future attacks.

Diagram showing an attacker having access to a C2 server, a compromised IoT device, and a target network, all of which have a line of communication running through them. To the right of each component, corresponding attack chain routines related to it are depicted.
Figure 1. Trickbot attack diagram

How attackers compromise MikroTik devices for Trickbot C2

Trickbot uses MikroTik devices to create a line of communication between the Trickbot-affected device and the C2 server that standard defense systems in the network are not able to detect. The attackers begin by hacking into a MikroTik router. They do this by acquiring credentials using several methods, which we discuss in detail in the following section.

The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH shell commands.

Diagram showing a Trickbot-affected device using port 449 to communicate to a compromised IoT device. The IoT device, in turn, uses port 80 to communicate to the Trickbot C2.
Figure 2. Direct line of communication between the Trickbot infected device and the Trickbot C2

Accessing the MikroTik device and maintaining access

Attackers first need to access the MikroTik shell to run the routing commands. To do so, they need to acquire credentials. As mentioned earlier, based on our analysis, there are several methods that attackers use to access a target router:

  • Using default MikroTik passwords.
  • Launching brute force attacks. We have seen attackers use some unique passwords that probably were harvested from other MikroTik devices.
  • Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contains passwords.

To maintain access, the attackers then change the affected router’s password.

Redirecting traffic

MikroTik devices run a unique Linux-based OS called RouterOS, which exposes its own restricted shell over the SSH protocol. The shell accepts a limited set of commands that are easily identified by the prefix “/”. For example:

/ip
/system
/tool

These commands usually won’t have any meaning on regular Linux-based shells and are solely intended for MikroTik devices. We observed through Microsoft threat data the use of these types of commands. Understanding that these are MikroTik-specific commands, we were able to track their source and intent. For example, we observed attackers issuing the following commands:

/ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=<infected device> dst-address=<real C2 address>

From the command, we can understand the following:

  • A new rule, similar to iptables, is created
  • The rule redirects traffic from the device to a server
  • The redirected traffic is received from port 449 and redirected to port 80

The command itself is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. In this case, it is being used for malicious activity. Trickbot is known for using ports 443 and 449, and we were able to verify that some target servers were identified as Trickbot C2 servers in the past.

This analysis highlights the importance of keeping IoT devices secure in today’s ever evolving threat environment. Using Microsoft threat data, Microsoft’s IoT and operational technology (OT) security experts established the exact methods that attackers use to leverage compromised IoT devices and gained knowledge that can help us better protect customers from threats.

Defending IoT devices against Trickbot attacks

As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices.

An open-source tool for MikroTik forensics

While investigating MikroTik and attacks in the wild, we observed several methods of attacking these devices in addition to the method we described in this blog. We aggregated our knowledge of these methods and known CVEs into an open-source tool that can extract the forensic artifacts related to these attacks.

Some of this tool’s functionalities include the following:

  • Get the version of the device and map it to CVEs
  • Check for scheduled tasks
  • Look for traffic redirection rules (NAT and other rules)
  • Look for DNS cache poisoning
  • Look for default ports change
  • Look for non-default users

We have published the tool in GitHub and are sharing this tool with the broader community to encourage better intelligence-sharing in the field of IoT security and to help build better protections against threat actors abusing IoT devices.

How to detect, remediate, and prevent infections

Organizations with potentially at-risk MikroTik devices can perform the following detection and remediation steps:

  • Run the following command to detect if the NAT rule was applied to the device (completed by the tool as well):
/ip firewall nat print

If the following data exists, it might indicate infection:

chain=dstnat action=dst-nat to-addresses=<public IP address> 
to-ports=80 protocol=tcp dst-address=<your MikroTik IP> dst-port=449
chain=srcnat action=masquerade src-address=<your MikroTik IP>
  • Run the following command to remove the potentially malicious NAT rule:
/ip firewall nat remove numbers=<rule number to remove>
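The checks above (the NAT rule pattern from the observed `/ip firewall nat add` command, the `/ip firewall nat print` indicator, the `remove numbers=` remediation, and the forensic tool's version-to-CVE mapping) can be run offline over captured RouterOS output. The following is an added example, not Microsoft's published forensic tool: it parses constructed text that mimics `/ip firewall nat print` and `/system resource print` output, flags dstnat rules that match the redirect described in this post, builds the matching removal command, and checks the RouterOS version against CVE-2018-14847 (affected: older than 6.42). The sample addresses and the output layout are constructed for the example.

```python
"""Offline checks for the Trickbot-style MikroTik NAT redirect and an outdated
RouterOS version, run over captured RouterOS CLI output.

Added example, not Microsoft's forensic tool. The sample output below is
constructed; the only indicator values used are those given in the post
(tcp dst-port 449/443 redirected to port 80, and CVE-2018-14847 affecting
RouterOS versions older than 6.42).
"""
import re

# A rule index at the start of a line opens a new rule; RouterOS wraps long
# rules onto indented continuation lines that carry no index. An optional
# flag letter (X disabled, I invalid, D dynamic) may follow the index.
_RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")
# key=value tokens; quoted values may contain spaces.
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
_VERSION = re.compile(r"version:\s*(\d+(?:\.\d+)*)")

TRICKBOT_PORTS = {"443", "449"}      # ports the post associates with Trickbot
REDIRECT_TARGET_PORT = "80"          # to-ports value in the observed rule
# (CVE id, first fixed version) -- from the post: arbitrary file read of
# user.dat on RouterOS older than 6.42
KNOWN_CVES = [("CVE-2018-14847", (6, 42))]

# Constructed sample of '/ip firewall nat print' output (not real device data).
SAMPLE_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1

 1    chain=dstnat action=dst-nat to-addresses=198.51.100.23 to-ports=80
      protocol=tcp dst-address=192.0.2.1 dst-port=449

 2 X  ;;; lab web server
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8080
      protocol=tcp dst-port=8080
"""

# Constructed sample of '/system resource print' output.
SAMPLE_RESOURCE_PRINT = """\
                   uptime: 3w2d14h
                  version: 6.40.5 (bugfix)
               build-time: Nov/09/2017 08:53:57
"""


def parse_nat_rules(text):
    """Turn '/ip firewall nat print' output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Flags:"):
            continue
        m = _RULE_START.match(line)
        if m:
            rules.append({"number": int(m.group(1)),
                          "flags": m.group(2) or "",
                          "_body": m.group(3)})
        elif rules:
            rules[-1]["_body"] += " " + stripped   # continuation line
    for rule in rules:
        body = rule.pop("_body")
        # ';;; text' is how print shows a rule comment; keep it as a field
        if body.startswith(";;;"):
            comment, _, body = body[3:].partition("chain=")
            rule["comment"] = comment.strip()
            body = "chain=" + body
        for key, value in _KV.findall(body):
            rule[key] = value.strip('"')
    return rules


def find_trickbot_redirects(rules):
    """dstnat rules matching the redirect pattern from the post."""
    return [r for r in rules
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
            and r.get("protocol") == "tcp"
            and r.get("dst-port") in TRICKBOT_PORTS
            and r.get("to-ports") == REDIRECT_TARGET_PORT]


def removal_commands(hits):
    """Remediation commands, one per flagged rule, as given in the post."""
    return [f"/ip firewall nat remove numbers={r['number']}" for r in hits]


def parse_routeros_version(resource_text):
    """Extract the RouterOS version as a tuple, e.g. (6, 40, 5)."""
    m = _VERSION.search(resource_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def cves_for_version(version):
    """CVEs whose fixed version is newer than the running one."""
    return [cve for cve, fixed in KNOWN_CVES if version < fixed]


if __name__ == "__main__":
    hits = find_trickbot_redirects(parse_nat_rules(SAMPLE_NAT_PRINT))
    for r in hits:
        print(f"suspicious rule {r['number']}: dst-port {r['dst-port']} -> "
              f"{r['to-addresses']}:{r['to-ports']}")
    print("\n".join(removal_commands(hits)))
    ver = parse_routeros_version(SAMPLE_RESOURCE_PRINT)
    print("RouterOS", ".".join(map(str, ver)), "affected by:", cves_for_version(ver))
```

The parser keys on the rule index so wrapped rules (as in the indicator shown above) are reassembled before matching; a disabled rule (flag `X`) is still parsed, since an attacker-created rule that was merely disabled is worth reviewing. Version tuples compare element-wise, so 6.42 and later are correctly treated as not affected.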

To prevent future infections, perform the following steps:

  • Change the default password to a strong one
  • Block port 8291 from external access
  • Change SSH port to something other than default (22)
  • Make sure routers are up to date with the latest firmware and patches
  • Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router

Protect IoT devices and IT networks with Microsoft Defender

To harden IoT devices and IT networks against threats like Trickbot, organizations must implement solutions that detect malicious attempts to access devices and raise alerts on anomalous network behavior. Microsoft Defender for IoT provides agentless, network-layer security that lets organizations deploy continuous asset discovery, vulnerability management, and threat detection for IoT, OT devices, and Industrial Control Systems (ICS) on-premises or in Azure-connected environments. It is updated regularly with indicators of compromise (IoCs) from threat research like the one described in this blog, and rules to detect malicious activity.

Meanwhile, Microsoft 365 Defender protects against attacks related to highly modular, multi-stage malware like Trickbot by coordinating threat data across identities, endpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate Trickbot’s end-to-end attack chain—from malicious attachments and links it sends via emails to its follow-on activities in endpoints. Its rich set of tools like advanced hunting also lets defenders surface threats and gain insights for hardening networks from compromise.

In addition, working with the Microsoft Defender for IoT Research Team, RiskIQ identified compromised MikroTik routers acting as communication channels for Trickbot C2 and created detection logic to flag devices under threat actor control. See RiskIQ’s article.

To learn more about securing your IoT and OT devices, explore Microsoft Defender for IoT.

David Atch, Section 52 at Microsoft Defender for IoT
Noa Frumovich, Section 52 at Microsoft Defender for IoT
Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)

The post Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure appeared first on Microsoft Security Blog.

Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE

March 14th, 2022

It wasn’t long ago that medical devices were isolated and unconnected, but the rise of IoT has brought real computing power to the network edge. Today, medical devices are transforming into interconnected, smart assistants with decision-making capabilities.

Any device in a medical setting must be designed with one core priority in mind: delivering patient care. Medical professionals need instant access to data from devices with minimal friction so they can focus on what they do best. But at the same time, any device holding sensitive medical records must be secure.

To balance these needs, security software for medical devices must be lightweight enough to maximize the performance of the device without overloading the processor, taxing battery life, or putting the user through cumbersome processes. It must be high-performing and reliable with great battery life, so the device is always ready and works every time it’s needed.  

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT.

By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.

Combining HCL’s CARE and Microsoft Defender for IoT

As a long-time Microsoft partner, HCL brings deep expertise in applications, systems integration, network engineering, and managed services.

Built on Microsoft Azure, HCL’s CARE Platform has been designed and developed with security best practices and standards in mind. The platform provides the foundation and platform that medical device manufacturers need to develop innovative high-performance healthcare services and devices while ensuring an integrated security approach from the cloud to the network edge.

By including Microsoft Defender for IoT in the device itself, device builders are able to create secure-by-design, managed IoT devices. Defender for IoT offers continuous asset discovery, vulnerability management, and threat detection—continually reducing risk with real-time security posture monitoring across the device’s operating system and applications.

Partner Director of Enterprise and OS Security for Azure Edge and Platform at Microsoft, David Weston, highlighted the value of this collaboration saying, “By partnering with HCL to incorporate Defender for IoT into HCL’s CARE, we see a bright future for medical device manufacturers to build secured medical devices, with minimal effort.” Sunil Aggarwal, Senior Vice President at HCL and Client Partner for Microsoft, added, “HCL’s CARE enables medical original design manufacturers (ODMs) and original equipment manufacturers (OEMs) to quickly develop new devices and solutions focused on patients’ needs. By including Defender for IoT, those devices benefit from Microsoft’s deep security expertise, thousands of security professionals, and trillions of security signals captured each day.”

The combined Microsoft and HCL solution for healthcare IoT provides the high-performance security needed to protect the sensitive data on the medical device—in transit and in the cloud. By using a combination of endpoint and network security signals, the system can monitor what’s happening on the network, in the operating system, and at the application layer while keeping a pulse on the integrity of the device. This combination of external and internal security signals yields advanced security not often found on medical devices, which are typically monitored using only network data.   

Advanced threat detection with Defender for IoT

CARE’s use of Defender for IoT offers the best possible security using Defender’s agent-based monitoring. This means security is built directly into IoT devices with the Microsoft Defender for IoT security agent, which supports a wide range of operating systems including popular Linux distributions. With an agent, richer asset inventory, vulnerability management, and threat detection and response is possible.  

Figure 1. Devices are monitored and assessed for vulnerabilities and security recommendations. The combination of network and endpoint signals enables a deeper assessment and a broader range of detections.

Defender for IoT security monitors the security of the device and enables the following scenarios for medical device manufacturers using HCL’s CARE with Defender for IoT:

  • Asset inventory: Gain visibility to all your IoT devices so operators can manage a complete inventory of their entire healthcare IoT fleet.
  • Posture management: Identify and prioritize misconfigurations based on industry benchmarks and software vulnerabilities or anomalies in the software bill of materials (SBOM) that may arise from supply chain attacks and use integrated workflows to bring devices into a more secure state.
  • Threat detection and response: Leverage behavioral analytics, machine learning, and threat intelligence based on trillions of signals to detect attacks through anomalous or unauthorized activity.  
  • Microsoft Security integration: Defender for IoT is part of the Microsoft security information and event management (SIEM) and extended detection and response (XDR) offering, enabling quick detection and response capabilities for multistage attacks that may move across network boundaries.
  • Third-party integration: Integrates with third-party tools you’re already using, including SIEM, ticketing, configuration management database (CMDB), firewall, and other tools.

Powerful automated services for detection and response

HCL’s CARE Gateway and CARE Device Agent complement Defender for IoT’s security and can help capture application-level security events and send them into Defender for IoT analytics services. Examples include an attempt to connect an unknown device, use of invalid provisioning credentials, attempts to run unauthorized commands remotely, unusually short or lengthy remote access sessions, anomalies in data transfer rate, event sequence anomalies, and more.

Figure 2. Medical devices send security and other types of events to HCL’s CARE Gateway which forwards data to the Azure IoT hub. Security events are forwarded to the Defender for IoT cloud services while non-security-related events are sent to HCL’s CARE Core and business app.

Integrating HCL’s CARE with Defender for IoT can protect and monitor connected medical devices and gateways too. The CARE Platform integrated with Defender for IoT provides a powerful solution to secure healthcare devices:

  • CARE Cloud runs in Azure, utilizing Azure cloud security services to ensure that customers’ health data is secure and accessible only to authorized persons.
  • CARE Device Gateway keeps devices isolated from the public internet.
  • The Defender for IoT micro agent can help to capture events at the system level and push them to Defender for IoT analytics services, along with the service level events captured by gateway itself.
  • Device Agent connects to Device Gateway to get events out. It can also capture device software level events and push them to Defender for IoT analytics services through the Device Gateway.
  • CARE Cloud can make critical events captured at Defender for IoT analytics services actionable, such as gracefully isolating medical devices from the network and alerting device owners.
  • CARE Reusable Modules and design guidelines make the application and connected device secure by enabling secure design, development, and deployment. This includes static and dynamic application security testing and software composition analysis.
  • CARE can also act on critical events by alerting the device owners’ IT security, and sending commands to devices for network isolation, graceful shutdown, and other preconfigured actions.

Find out more

Both Microsoft and HCL are excited to bring this new platform and security technologies to the medical device industry, and we invite you to learn more about how HCL’s CARE and Defender for IoT deliver the security that medical device manufacturers need. Using these technologies, manufacturers can focus more on medical and patient innovation and the quicker delivery of new solutions to the marketplace.

These new security capabilities are available today. Medical device manufacturers and OEMs should check out HCL’s CARE, Microsoft Defender for IoT, and Microsoft’s recently announced Edge Secured-core preview.  

If you are an IoT solution builder, reach out to the Azure Certified Device team. We are ready to work with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE appeared first on Microsoft Security Blog.

New research shows IoT and OT innovation is critical to business but comes with significant risks

December 8th, 2021

The need for much improved IoT and operational technology (OT) cybersecurity became clearer this year with recent attacks on network devices,[1] surveillance systems,[2] an oil pipeline,[3] and a water treatment facility,[4] to name a few examples.

To better understand the challenges customers are facing, Microsoft partnered with the Ponemon Institute to produce empirical data to help us better understand the state of IoT and OT security from a customer’s perspective. With this data, we hope to better target our cybersecurity investments and to improve the efficacy within Microsoft Defender for IoT, and our other IoT-related products. Ponemon conducted the research by surveying 615 IT, IT security, and OT security practitioners across the United States.

To get an overview of the key findings from the 2021 report, The State of IoT and OT Cybersecurity in the Enterprise, download the full report.

IoT adoption is critical despite significant security challenges

The research showed that a large majority of respondents believe that IoT and OT adoption is critical to future business success. As a result, they are advancing IoT and OT projects as a key priority.

  • 68 percent of respondents say senior management believes IoT and OT are critical to supporting business innovation and other strategic goals.
  • 65 percent of respondents say senior management has made it a priority for IT and OT security practitioners to plan, develop, or deploy IoT and OT projects to advance business interests.

Within this group, only a small minority of organizations slowed, limited, or stopped IoT and OT projects even though a majority believe that generally these types of devices are not built with security in mind and that they represent one of the least secured aspects of their IT and OT infrastructure.

  • 31 percent of IT security practitioners have slowed, limited, or stopped the adoption of IoT and OT projects due to security concerns.
  • 55 percent of respondents do not believe IoT and OT devices have been designed with security in mind.
  • 60 percent of respondents say IoT and OT security is one of the least secured aspects of their IT and OT infrastructure.

Based on the data, it appears that business interests are currently taking priority over the increased security risks that organizations assume, as they advance their IoT and OT projects. This puts security and risk leaders in a difficult place and explains why IoT and cyber-physical systems security has become their top concern for the next three to five years.[5]

“We believe this unique research highlights the obstacles organizations face as they use IoT and OT to drive business innovation with technologies that are more easily compromised than traditional endpoints,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “On a positive note, a vast majority of security and risk leaders recognize the threat and have made shoring up their IoT and OT defenses a top priority for the next 12 to 24 months.”

Outdated IoT and OT assumptions are putting organizations at risk

In the past, there was a common assumption about IoT and OT devices that is no longer true. It was assumed that IoT and OT devices were typically segmented from traditional endpoints (workstations, servers, and mobile) or that they were deployed within separate air-gapped networks. The research confirmed that devices on IT and OT networks are frequently connected directly or indirectly to the internet, making them targets that can be breached from outside of the organization. The latest evolution to the Mozi attack[1] is a great example of how a business network can be breached through network gear running on the edge of business networks.

  • 51 percent of OT networks are connected to corporate IT (business) networks, like SAP and remote access.
  • 88 percent of respondents say their enterprise IoT devices are connected to the internet—for instance, for cloud printing services.
  • 56 percent of respondents say devices on their OT network are connected to the internet for scenarios like remote access.

It’s critical that these dated assumptions are removed from organizational thinking so that proper mitigations can be put in place.

Key security challenges for IoT and OT devices

When it comes to securing IoT and OT devices, the top challenge is related to visibility. Per the research, only a small subset of respondents shared that they had a complete view of all their IoT and OT asset inventory.

  • 29 percent of respondents mentioned that their organizations have a complete inventory of IoT and OT devices. Among them, they have an average of 9,685 devices.

But visibility isn’t just about building a complete asset inventory. It’s also about gaining visibility into the security posture of each IoT and OT device. Questions like “Is the device optimally configured for security,” “Are there any known vulnerabilities in the device’s firmware,” “Is the device communicating or connected directly to the internet,” and “Is the device patched with the latest firmware build?” are some of the questions that organizations need answers to but struggle with for their IoT and OT devices.

  • 42 percent of respondents claimed they lack the ability to detect vulnerabilities on IoT and OT devices.
  • 64 percent of respondents have low or average confidence that IoT devices are patched and up to date.

Another dimension of visibility that customers are seeking solutions for is related to the ability for organizations to become aware of IoT and OT devices that are involved in attacks. Most of the survey respondents have low to average confidence that the tools they have deployed will be successful in detecting compromised devices.

  • 61 percent have low or average confidence in the ability to identify whether IoT devices are compromised.

Another important aspect of visibility worth mentioning is that customers struggle with the ability to efficiently determine how compromised IoT and OT devices are part of broader end-to-end incidents. To resolve attacks completely and decisively, organizations frequently use manual investigation processes to correlate and make sense of the end-to-end attack. Meanwhile, attackers use this time to broaden the attack and get closer to the end goal.

  • 47 percent of respondents say their organizations are primarily using manual processes to identify and correlate impacted IoT and OT devices.

IoT and OT attacks are not hypothetical

The Ponemon research shows us that a good percentage of the surveyed respondents are encountering IoT and OT attacks. Nearly 40 percent of respondents told us that they’ve experienced attacks where the IoT and OT devices were either the actual target of the attack (for example, to halt production using human-operated ransomware) or were used to conduct broader attacks (such as lateral movement, evading detection, and persisting). Most respondents felt these types of attacks will increase in the years to come.

  • 39 percent of respondents experienced a cyber incident in the past two years where an IoT or OT device was the target of the attack.
  • 35 percent of respondents say in the past two years their organizations experienced a cyber incident where an IoT device was used by an attacker to conduct a broader attack.
  • 63 percent of respondents say the volume of attacks will significantly increase.

One thing to keep in mind with these last three statistics is that the study also showed that customers have low to average confidence in their ability to detect when IoT and OT devices have been compromised. Based on this, it’s likely that the real numbers are higher.

The new Microsoft Defender for IoT is available now for your feedback

Last month at Ignite, we announced that Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to help secure enterprise IoT devices connected to IT networks such as Voice over Internet Protocol (VoIP), printers, and smart TVs. This complements the product’s existing support for industrial systems and critical infrastructure like ICS/SCADA. Additionally, we announced that Defender for IoT is part of the Microsoft SIEM and XDR offering bringing its AI, automation, and expertise to complex multistage attacks that involve IoT and OT devices.

An open investigation dashboard for PLC programming and related alerts.

Figure 1. Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident responses.

Microsoft Security would now like to invite you to try out the new public preview of the integrated solution that addresses the challenges surfaced in the Ponemon research, such as complete asset inventory, vulnerability management, threat detection, and correlation. Try the public preview functionality within the Microsoft 365 Defender console or within the Microsoft Defender for IoT experiences. We look forward to hearing and integrating your feedback for the new Microsoft Defender for IoT.

More details on the public preview and roadmap can be viewed in our Ignite session.

Video with link to the “Accelerate digital transformation by securing your Enterprise IoT devices with Microsoft Defender for IoT” session with Nir Krumer, Principal PM Manager, and Chris Hallum, Senior Product Marketing Manager.

Figure 2. Nir Krumer, Principal Program Manager, and Chris Hallum, Senior Product Marketing Manager, discuss securing your Enterprise IoT devices with Microsoft Defender for IoT.

Learn more

More information on the current release of Microsoft Defender for IoT, which offers OT security, can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 



The post New research shows IoT and OT innovation is critical to business but comes with significant risks appeared first on Microsoft Security Blog.

How Microsoft Defender for IoT can secure your IoT devices

November 2nd, 2021

Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks specifically targeting IoT devices used in enterprise environments as well as operational technology (OT) devices used in industrial systems and critical infrastructure (like ICS/SCADA). It’s not surprising since 60 percent of security practitioners believe IoT and OT security is one of the least secured aspects of their organization and less than 50 percent of organizations have deployed solutions designed specifically to secure their IoT and OT devices. Customers recognize that these types of devices are often unpatched, misconfigured, and unmonitored, making them the ideal targets for attackers.

To address these risks, we’re excited to announce Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to secure enterprise IoT devices connected to IT networks [like Voice over Internet Protocol (VoIP), printers, and smart TVs], so organizations can take advantage of a single integrated solution that can secure all of their IoT and OT infrastructure. Access to the public preview of these new capabilities will be available on November 30, 2021.

Threats and customer challenges

In the past, attacks on IoT and OT devices for many organizations seemed like a hypothetical threat but in recent years organizations have learned otherwise. We’ve seen attacks on cameras and VoIP devices,1 smart building automation,2 service providers providing IoT services, and then there have been ransomware attacks—like the ones that shut down a major gas pipeline3 and global food processor. All of these highlight the challenge of securing IoT and OT devices.

There are many ways attackers will attempt to compromise and take advantage of enterprise IoT devices. They can be used as a point of entry, for lateral movement, or for evasion, just to name a few examples. The following chart depicts a cyber kill chain involving two IoT devices. One is used as a point of entry, and another is used for lateral movement that inevitably leads to the exfiltration of sensitive information.

Within seconds, attackers can find exploitable IoT targets that become a point of entry into a business network. Once inside, they can locate sensitive information within minutes. Within hours, valuable data can be exfiltrated and put up for sale on the dark web.

Figure 1: Attackers scan the internet for vulnerable internet-facing IoT devices and then use them as a point of entry. Next, they will perform reconnaissance and lateral movement to achieve their goals.

While most organizations recognize IoT and OT security as the least secured aspects of their organization, they continue to deploy devices at high rates and with little hesitation due to the demand for digital transformation and to remain competitive. Due to this, Chief Information Security Officers will soon be responsible for an attack surface area that is many times larger than what they are used to today and a vast majority of that new surface area will be unmanaged IoT and OT devices.

When it comes to IoT and OT security, organizations face a long list of challenges. Some of the top challenges include:

  • Lack of complete visibility into their full IoT and OT asset inventory.
  • Lack of detailed IoT and OT vulnerability management capabilities.
  • Lack of mature detections for IoT- and OT-specific attacks.
  • Lack of the insights and automation that an integrated SIEM and extended detection and response (XDR) solution can bring.

Because of these threats and challenges, security and risk leaders ranked the IoT and cyber-physical systems as their top concerns for the next three to five years.4

Microsoft Defender for IoT is part of the Microsoft SIEM and XDR offering

We recognize that IoT is just one of the security inputs in a comprehensive threat protection strategy. For that reason, adding agentless enterprise IoT support to Microsoft Defender for IoT and making it part of our broader SIEM and XDR offer enables us to deliver comprehensive security for all your endpoint types, applications, identities, and more. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices. With it, organizations get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Learn more about Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel.

Our customers tell us that the biggest challenge they face when it comes to securing enterprise IoT devices is gaining enough visibility to locate, identify, and secure their complete IoT asset inventory. Defender for IoT takes a unique approach to solve this challenge and can help you discover and secure your IoT devices within Microsoft 365 Defender environments in minutes. We’ll share more about our unique approach in the passive, agentless architecture section below.

The Defender for IoT console in Azure provides users with access to the IoT and OT Device Inventory, Alerts, and Security Recommendations. The Device Inventory view provides users with a list of devices and top details about them. When a device instance is selected, more detailed device properties can be seen.

Figure 2: View your complete IT and IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile) within a single unified view.

The second biggest challenge our customers face is related to vulnerability management. Defender for IoT can perform assessments for all your enterprise IoT devices. These recommendations are surfaced in the Microsoft 365 console (for example, Update to a newer version of Bash for Linux).

The Security Recommendations view in the Microsoft 365 Defender console includes recommendations for enterprise IoT devices. A recommendation such as “Upgrade your IoT devices’ firmware to a more secure version” is a common example. In the view you see how many devices are applicable to each recommendation as well as the risk level.

Figure 3: Prioritize vulnerabilities and misconfigurations and use integrated workflows to bring devices into a more secure state.

The third biggest challenge we hear about is related to threat detection. To ensure we have leading-edge efficacy for enterprise IoT threats, we’ve tasked Section 52, our in-house IoT and OT security research team, to ensure we have the best possible detection capabilities. Section 52’s work recently enabled Defender for IoT to rank number 1 in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps (with the fewest missed detections of any vendor).

Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (like email, endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT- and OT-specific intelligence collected by our Section 52 security research team. Because Section 52 works in close collaboration with domain experts across the broader Microsoft security research and threat intelligence teams—Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC)—we enable our customers to improve the signal-to-noise ratio of their alerts by providing them with prioritized incidents that render end-to-end attacks in complete context rather than an endless list of uncorrelated alerts. This leads to high-efficacy incident response.

Incidents in the Incident view of the Microsoft 365 Defender console are inclusive of all endpoint types, including workstations, servers, mobile, and network devices. With the new version of Microsoft Defender for IoT, these same incidents will also include enterprise IoT devices when applicable.

Figure 4: View prioritized incidents that are inclusive of IT and IoT devices all in a single dashboard to reduce confusion, clutter, investigation times, and alert fatigue.

Finally, one of the last things our customers have shared is that they struggle with finding solutions that will enable them to securely meet the promise of IT and OT network convergence initiatives.5 Most tools have difficulty providing analysts with a user experience that can correlate and render multi-stage attacks that cross IT and OT network boundaries.

Because Microsoft Defender for IoT is part of the broader Microsoft SIEM and XDR offer, we can provide analysts with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. Analysts can perform incident response holistically rather than as separate disconnected attacks that require extensive manual investigations to bring together. With these efficiency gains, analysts can stop attacks and bring their environments back to a pre-breach state far more quickly.

Incident views in Microsoft Sentinel can include endpoints of all types, including IoT and OT, as well as those that span multiple networks and network segments. All of these endpoints are rendered in a single contiguous incident graph so you can easily visualize the end-to-end attack.

Figure 5: Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident response.

Passive, agentless architecture

Some of the key design principles for Defender for IoT are to be non-invasive and to be easy to deploy. By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization’s infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that can be used to collect all of the network data it needs for discovery, behavioral analytics, and machine learning.

Defender for IoT can leverage a diverse set of data sources to simplify its deployment. Existing Defender for Endpoint customers can get value from Defender for IoT within minutes, as MDE clients can be used as network sensors. A dedicated network sensor can be deployed to ensure you get the most complete visibility. Supported third-party network sensors can be used as well.

Figure 6: A hybrid sensor approach using Defender for Endpoint clients as sensors provides customers with broad visibility on day one. Deploying the network sensor, or using one from a third party, ensures complete visibility and can be done over time.

Microsoft Defender for IoT is an open platform that allows customers to integrate third-party network data to enrich the information coming from multiple sources. For example, organizations that have already deployed Corelight’s open Network Detection and Response (NDR) platform and its Zeek-based network sensors can connect it to Defender for IoT enabling it to access raw network data from Corelight. From here Defender for IoT will apply its behavioral analytics and machine learning capabilities to discover and classify devices as well as protect, detect, and respond to attacks.

Learn more about our Corelight partnership and its integration within Microsoft Defender for IoT.

Get ready for the upcoming public preview!

While we’re excited to share all this news with you today, we’re even more excited to hear your feedback. Please join the new Microsoft Defender for IoT public preview, which will be available on November 30, 2021. In the first build of the preview, you will have access to five main capabilities:

  • An integrated view of IoT and OT Device Inventory available in the Azure console.
  • Microsoft Defender for Endpoint clients will act as IoT network sensors and will add devices to Microsoft 365 Defender Device Inventory.
  • An integrated IoT and OT Network Sensor will be available for deployment.
  • IoT Threat and Vulnerability Assessments will be available in the Microsoft 365 Defender console.
  • Support for third-party network sensors.

Additional new capabilities are expected to be released soon, including richer security recommendations, detections, and responses.

More details on the upcoming public preview and roadmap can be viewed in our Ignite session.

Video: “Accelerate digital transformation by securing your Enterprise IoT devices with Microsoft Defender for IoT.”

More information on the current release of Microsoft Defender for IoT (formerly Azure Defender for IoT) which offers OT security can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. Microsoft: Russian state hackers are using IoT devices to breach enterprise networks, Catalin Cimpanu, ZDNet, 5 August 2019.

2. Hackers are hijacking smart building access systems to launch DDoS attacks, Catalin Cimpanu, ZDNet, 2 February 2020.

3. Hackers Breached Colonial Pipeline Using Compromised Password, William Turton and Kartikay Mehrotra, Bloomberg, 4 June 2021.

4. Develop a Security Strategy for Cyber-Physical Systems, Susan Moore, Gartner, 13 April 2021.

5. When IT and Operational Technology Converge, Christy Pettey, Gartner, 13 January 2017.

The post How Microsoft Defender for IoT can secure your IoT devices appeared first on Microsoft Security Blog.

How to apply a Zero Trust approach to your IoT solutions

May 5th, 2021

For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid work models to implementing new technology to help optimize operations, the last year has seen a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly found themselves facing an expanded attack surface area with new security challenges they were not fully prepared for.

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service that the data is processed in. Securing IoT devices presents a couple of additional layers of complexity because of the incredible diversity in design, hardware, operating systems, deployment locations, and more. For example, many are “user-less” and run automated workloads, presenting challenges when integrating into existing identity and access management tools. Many IoT devices have also been deployed using infrastructure and equipment not originally designed for a connected world or have limited capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments—ranging from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in unique ways and can offer high-value targets to attackers.

Graphic depicting the technical characteristics of IoT and their unique challenges. Characteristics include running automated workloads, aging infrastructure, and limited connectivity.

Figure 1: Technical characteristics of IoT and their challenges.

Embracing Zero Trust for your IoT solutions

As organizations continue to drive their digital transformation efforts, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to securing and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that assumes breach and treats every access attempt as if it originates from an open network.

In October 2019, we published a whitepaper with our official guidance on implementing a Zero Trust security model, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven’t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.

A practical approach for implementing Zero Trust for IoT

Securing IoT solutions with a Zero Trust security model starts with non-IoT-specific requirements: specifically, ensuring you have implemented the basics of securing identities and their devices and limiting their access. These include explicitly verifying users, having visibility into the devices they’re bringing onto the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure (like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems (like stopping a factory production line).

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT solutions:

  • Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust a device’s identity before making decisions.
  • Least privileged access to mitigate blast radius. Implement device and workload access control to limit any potential blast radius from authenticated identities that may have been compromised or running unapproved workloads.
  • Device health to gate access or flag devices for remediation. Check security configuration, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build ongoing risk profiles.
  • Continual updates to keep devices healthy. Utilize a centralized configuration and compliance management solution and a robust update mechanism to ensure devices are up to date and in a healthy state.
  • Security monitoring and response to detect and respond to emerging threats. Employ proactive monitoring to rapidly identify unauthorized or compromised devices.

Cover preview of the new Zero Trust Cybersecurity for the Internet of Things whitepaper.

Today, we’re publishing a new whitepaper on how to apply a Zero Trust approach to your IoT solutions based on our experience helping other customers and securing our own environment. In this whitepaper, we break down the requirements above in more detail as well as provide guidance on applying Zero Trust to your existing IoT infrastructure. Finally, we’ve also included criteria to help select IoT devices and services for a Zero Trust environment.

Read the Zero Trust Cybersecurity for the Internet of Things whitepaper for full details.

Additional resources:

Watch The IoT Show: Zero Trust for IoT for a Channel9 interview where I explain the key capabilities of Zero Trust for IoT and how Microsoft solutions enable your journey.

Watch the playback of this week’s Azure IoT Security Summit for an overview of our IoT Security solutions and guidance on how to prevent security breaches, address weak spots, and monitor the health of your IoT devices in near real-time to find and eliminate threats.   

For more information about Microsoft Zero Trust please visit our website. Check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to apply a Zero Trust approach to your IoT solutions appeared first on Microsoft Security.


“BadAlloc” – Memory allocation vulnerabilities could affect wide range of IoT and OT devices in industrial, medical, and enterprise networks

April 29th, 2021

Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash. These remote code execution (RCE) vulnerabilities cover more than 25 CVEs …



5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats

March 15th, 2021

As organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, boards and management teams are increasingly concerned about the expanding attack surface and corporate liability that they represent. These connected devices can be compromised by adversaries to pivot deeper into corporate networks and threaten safety, disrupt operations, steal intellectual property, expose resources for Distributed Denial of Service (DDoS) botnets and cryptojacking, and cause significant financial losses.

For example, in June 2017, a destructive cyber attack known as “NotPetya” infected thousands of computers globally and resulted in dozens of enterprises experiencing significant financial losses. One of NotPetya’s victims, a global shipping and logistics company, lost $300 million as a result of production downtime and cleanup activities.

Why industrial and critical infrastructure OT networks are at risk

According to CyberX’s 2020 Global IoT/ICS Risk Report, which analyzed network traffic from over 1,800 production OT networks:

  • 71 percent of OT sites are running unsupported versions of Windows that no longer receive security patches.
  • 64 percent have cleartext passwords traversing their networks.
  • 54 percent have devices that can be remotely managed using remote desktop protocol (RDP), secure shell (SSH), and virtual network computing (VNC), enabling attackers to pivot undetected.
  • 66 percent are not automatically updating their Windows systems with the latest antivirus definitions.
  • 27 percent of sites have direct connections to the internet.

These vulnerabilities make it significantly easier for adversaries to compromise OT networks, whether their initial entry is via systems exposed to the internet or via lateral movement from the corporate IT network (using compromised remote access credentials, for example).

CISOs are increasingly accountable for both IT and IoT/OT security. However, according to a SANS survey, IT security teams lack visibility into the security and resiliency of their OT networks, with most respondents (59 percent) stating they are only “somewhat confident” in their organization’s ability to secure their industrial IoT devices.

How should organizations secure their IoT/OT environments?

Organizations need to invest in strengthening their IoT/OT security and structure the appropriate policies and procedures so that new IoT/OT monitoring and alerting systems will be successfully operationalized.

A key success factor is to obtain organizational alignment and solid collaboration with teams that will operate the system. In many organizations, these teams have traditionally worked in separate silos. Visibility and well-defined roles and responsibilities between IoT/OT, IT, and security personnel are key for a successful alignment. Although there can be more connectivity between the IT and the IoT/OT networks, they are still separate networks with different characteristics. Personnel operating the IoT/OT network are not always security trained, and the security staff are not familiar with the IoT/OT network infrastructure, devices, protocols, or applications. In particular, the top priority for OT personnel is maintaining the availability and integrity of their control networks—whereas IT security teams have traditionally been focused on maintaining the confidentiality of sensitive data.

To be effective, IT security teams will need to adapt their existing procedures and policies to be inclusive of the IoT/OT security world.

Gaining continuous security operations center (SOC) visibility into IoT/OT risk with Azure Defender for IoT

Azure Defender for IoT is an agentless, network-layer IoT/OT security platform that’s easy to deploy and provides real-time visibility to all IoT/OT devices, vulnerabilities, and threats—within minutes of being connected to the OT network. Based on technology from Microsoft’s acquisition of CyberX, Azure Defender for IoT uses specialized IoT/OT-aware behavioral analytics and threat intelligence to auto-discover unmanaged IoT/OT assets and rapidly detect anomalous or unauthorized activities in your IoT/OT network. Additionally, it enables you to centralize IoT/OT security monitoring and governance via built-in integration with Azure Sentinel and third-party SOC solutions such as Splunk, IBM QRadar, and ServiceNow.

According to SANS, there’s a clear difference in attack detection between organizations without control networks and industrial and critical infrastructure organizations that have them. While 72 percent of organizations without OT environments detected a compromise within seven days, only 45 percent of organizations with OT environments were able to do the same.

Reducing the time between compromise and detection is a key catalyst for enabling your SOC with real-time IoT/OT alerts and detailed contextual information about your IoT/OT assets and vulnerabilities.

Detect and respond to IoT/OT incidents faster

To operationalize security alerts from the IoT/OT network, you must integrate them with your existing SOC workflows and tools. Given the significant investments that organizations have already made in a centralized SOC, it makes sense to bring IoT/OT security into their existing SOC and to expand the SOC responsibilities to be able to manage IoT/OT incidents as well. This next step will create a productive working environment between the teams. Integration of the SOC within the IoT/OT environment can create a competitive advantage for the organization.

Modern SOCs rely heavily on SIEM solutions to operate efficiently. This means that IoT/OT security alerts and investigation processes should be delivered to the SOC team via their preferred SIEM solution. SIEM solutions provide security value by normalizing and correlating data across the enterprise, including data ingested from firewalls, applications, servers, and endpoints.

As of today, most of our customers (78 percent) who have deployed Azure Defender for IoT and have SIEM, have integrated (or are in the process of integrating) IoT/OT security into their SIEM platform and SOC workflows.

Integrating IoT/OT security with your SIEM in five steps:

Step 1: Forward IoT/OT security events to the SIEM

The first step in a successful SOC integration is to integrate IoT/OT alerts with your organizational SIEM. This capability is supported out of the box with Azure Defender for IoT. After integrating Azure Defender for IoT with a SIEM, clients typically spend a short time tuning which alerts are forwarded to the SIEM to reduce alert fatigue.


Figure 1: Azure Defender for IoT integrates out-of-the-box with a broad range of SIEM, ticketing, firewall, and NAC systems.

Step 2: Identify and define IoT/OT security threats and SOC incidents

The second step is agreeing on which IoT/OT security threats the organization would like to monitor in the SOC, based on the organizational threat landscape, industry needs, compliance, and more. Once relevant threats are defined, you can define the use cases that constitute an incident within the SOC.

For example, a common use case is an unauthorized change to OT equipment, such as an unauthorized change to Programmable Logic Controller (PLC) code—since this can take down production and potentially cause a safety incident. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversary initially compromised a Windows workstation in the OT network and then uploaded a malicious back door to the PLC using a legitimate industrial control system (ICS) command (you may recognize this as an excellent example of an OT-specific living-off-the-land tactic).

This type of activity is immediately detected when Azure Defender for IoT detects a deviation from the OT network baseline, such as a programming command sent from a new device. Azure Defender for IoT incorporates Layer 7 Deep Packet Inspection (DPI) and patented IoT/OT-aware behavioral analytics using Finite-State Machine (FSM) modeling to create a baseline of OT network activity. Compared to generic baselining algorithms developed for IT networks (which are largely non-deterministic), this approach is optimized for the deterministic nature of OT networks—resulting in a faster learning period with fewer false positives and false negatives. Additionally, deeply analyzing high-fidelity network traffic, including at the application layer, enables the platform to identify malicious OT commands and not just deviations in source/destination information.

In this particular use case, an unauthorized change to PLC ladder logic code can indicate one of three things: new functionality or parameters being programmed into the PLC (which legitimately happens only on rare occasions), an error on the part of a control engineer, or a misconfigured application. In all these cases, the SOC should investigate with plant personnel to determine whether the activity was malicious or legitimate.

Step 3: Create SIEM detection rules

Once IoT/OT security threat use cases are defined, you can create detection rules and severity levels in the SIEM. Only relevant incidents will be triggered, thus reducing unnecessary noise. For example, you would define PLC code changes performed from unauthorized devices, or outside of work hours, as a high severity incident due to the high fidelity of this specific alert.

Step 4: Define SOC workflows for resolution

The fourth step is to define workflows for resolution. This will also help remove ambiguity between IT security and OT teams about who is responsible for investigating unusual activities (note that unclear roles and responsibilities were also an important factor in the TRITON incident, until a second attack two months later).

The goal is to enable Tier 1 SOC analysts to handle most IoT/OT incidents and only escalate to specialized IoT/OT security experts when needed. This means defining the appropriate workflow for mitigation and creating automated investigation playbooks for each use case.

For example, when the SOC receives an alert that PLC code changes have been initiated, check first if the programming device is an authorized engineering workstation, and then if it occurred during normal work hours, whether it happened during a scheduled change window, etc. If the answer to these questions is no, you should immediately disconnect the rogue workstation from the network (or block it with a firewall rule, if possible).

Here’s an example of a logical workflow for resolution:


Figure 2: Example of a built-in automated SOAR playbook for Azure Sentinel initiated by an OT-specific alert generated by Azure Defender for IoT

Step 5: Training and knowledge transfer

The fifth step is to provide comprehensive training to all stakeholders – for example, teach the SOC team about the unique characteristics of OT environments, so they can have intelligent conversations with IoT/OT personnel when resolving incidents and can implement remediation actions that are relevant (and not harmful) for OT environments.
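The baseline-deviation detection of Step 2 and the severity and workflow rules of Steps 3 and 4, as an added Python example; this is not Azure Defender for IoT's or Microsoft's code, and the host names, controllers, timestamps, work hours, change window and SOC policy are constructed assumptions.

```python
"""Added example, not Microsoft's or Azure Defender for IoT's code: a toy version of
the baseline-then-triage flow described in Steps 2-4. Hosts, controllers, times and
the SOC policy below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time

# Operations that change controller logic or parameters (the Step 2 use case).
PROGRAMMING_OPS = {"download_program", "write_parameter"}

# Hypothetical SOC policy (Step 3 / Step 4): who may program controllers, and when.
AUTHORIZED_ENG_WORKSTATIONS = {"eng-ws-01", "eng-ws-02"}
WORK_HOURS = (time(7, 0), time(19, 0))
CHANGE_WINDOWS = [(datetime(2021, 3, 6, 22, 0), datetime(2021, 3, 7, 4, 0))]


@dataclass(frozen=True)
class OTEvent:
    ts: datetime
    src: str        # host that sent the command
    dst: str        # controller that received it
    protocol: str   # e.g. s7comm, modbus (application-layer view, as DPI would give)
    operation: str  # decoded function code, not just src/dst information


def learn_baseline(events):
    """Learning period: the set of (src, dst, protocol, operation) tuples observed.
    OT traffic is deterministic enough that this set stays small and stable."""
    return {(e.src, e.dst, e.protocol, e.operation) for e in events}


def detect_deviations(baseline, events):
    """Events whose tuple never appeared during learning, e.g. a programming
    command from a device that never programmed this controller before."""
    return [e for e in events if (e.src, e.dst, e.protocol, e.operation) not in baseline]


def triage(event):
    """Step 3/4 logic: assign a severity and the first SOC action for a deviation."""
    if event.operation not in PROGRAMMING_OPS:
        return {"severity": "medium",
                "action": "review new communication path with plant personnel"}
    authorized = event.src in AUTHORIZED_ENG_WORKSTATIONS
    in_hours = WORK_HOURS[0] <= event.ts.time() <= WORK_HOURS[1]
    in_window = any(start <= event.ts <= end for start, end in CHANGE_WINDOWS)
    if not authorized:
        return {"severity": "high",
                "action": "isolate source host (disconnect or firewall rule); notify OT"}
    if in_hours or in_window:
        return {"severity": "low",
                "action": "confirm change with control engineer"}
    return {"severity": "high",
            "action": "page on-call control engineer; isolate host if change unconfirmed"}


def run(learning_events, live_events):
    """Return [(event, triage result)] for every deviation found in the live traffic."""
    baseline = learn_baseline(learning_events)
    return [(e, triage(e)) for e in detect_deviations(baseline, live_events)]


# Constructed learning-period traffic: one engineering workstation programs line 1,
# an HMI polls it, and a SCADA server reads line 2 registers.
LEARNING_EVENTS = [
    OTEvent(datetime(2021, 3, 1, 10, 0), "eng-ws-01", "plc-line1", "s7comm", "download_program"),
    OTEvent(datetime(2021, 3, 1, 10, 1), "hmi-01", "plc-line1", "s7comm", "read_data"),
    OTEvent(datetime(2021, 3, 1, 10, 2), "scada-01", "plc-line2", "modbus", "read_holding_registers"),
]

# Constructed live traffic: one baseline event and five deviations of different kinds.
LIVE_EVENTS = [
    OTEvent(datetime(2021, 3, 8, 10, 0), "hmi-01", "plc-line1", "s7comm", "read_data"),                # in baseline
    OTEvent(datetime(2021, 3, 8, 10, 5), "eng-ws-02", "plc-line1", "s7comm", "download_program"),      # new, authorized, in hours
    OTEvent(datetime(2021, 3, 8, 2, 30), "ws-unknown-7", "plc-line1", "s7comm", "download_program"),   # rogue host
    OTEvent(datetime(2021, 3, 6, 23, 0), "eng-ws-01", "plc-line2", "modbus", "write_parameter"),       # inside change window
    OTEvent(datetime(2021, 3, 9, 23, 0), "eng-ws-01", "plc-line2", "modbus", "write_parameter"),       # after hours, no window
    OTEvent(datetime(2021, 3, 9, 9, 0), "scada-01", "plc-line1", "modbus", "read_holding_registers"),  # new path, read only
]


if __name__ == "__main__":
    for event, result in run(LEARNING_EVENTS, LIVE_EVENTS):
        print(f"{event.ts} {event.src} -> {event.dst} {event.operation}: "
              f"{result['severity']} / {result['action']}")
```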

Azure Defender for IoT and Azure Sentinel: Better together

Azure Sentinel is the first cloud-native SIEM/SOAR platform on a major public cloud. It delivers all the advantages of a cloud-based service, including simplicity, scalability, and lower total cost of ownership; provides a bird’s eye view across IT and OT to enable rapid detection and response for multistage attacks that cross IT/OT boundaries (like TRITON); incorporates machine learning combined with continuously-updated threat intelligence from trillions of signals collected daily.

Azure Defender for IoT is deeply integrated with Azure Sentinel, providing SOC analysts with rich contextual information beyond what simple Syslog alerts carry. For example, it provides detailed information about the IoT/OT assets associated with an alert, including device type, manufacturer, the protocol used, firmware level, and so on.

Azure Sentinel has also been enhanced with IoT/OT-specific SOAR playbooks. The integrated combination of these two solutions helps SOC analysts detect and respond to IoT/OT incidents faster—so you can prevent incidents before they have a material impact on your firm.

In the screenshot below, you can see a built-in Sentinel investigation experience for an IoT/OT security use case:


Figure 3: Interactive investigation graph in Azure Sentinel, produced from real-time OT monitoring data generated by Azure Defender for IoT. 

Learn more

If you’d like to learn more and see a full demo of how Azure Defender for IoT and Azure Sentinel can be used together to detect and investigate a sophisticated attack, check out our Microsoft Ignite session or read the blog “Go inside the new Azure Defender for IoT including CyberX.”

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats appeared first on Microsoft Security.


Securing Azure datacenters with continuous IoT/OT monitoring

February 22nd, 2021


Figure 1: Industrial cooling system for datacenters.

As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure—and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024.

We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.

A changing threat landscape

In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized by “air-gapping,” meaning a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.

Microsoft offers end-to-end IoT security solutions for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching—making them soft targets for adversaries looking to pivot deeper into corporate networks.

For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP. OT security translates directly into three main types of business risks:

  • Revenue impact: In 2017, WannaCry malware shut down major automotive manufacturers and affected more than 200,000 computers across 150 countries, with damages ranging into billions of dollars. The same year, NotPetya ransomware nearly shut down the mighty Maersk shipping company and several CPG companies. The attack crippled Merck’s production facilities resulting in losses of $1.3 billion. Last year, LockerGoga shut down the systems of Norwegian aluminum manufacturing company Norsk Hydro and several other plants. In 2020, Ekans (snake spelled backward) ransomware became the latest OT threat by specifically shutting down industrial control systems (ICS).
  • IP theft: IP includes proprietary manufacturing processes, formulas, designs, and more. In one instance, Microsoft Security Response Center (MSRC) discovered hackers were compromising vulnerable IoT devices using their default credentials. Once inside, the hackers scanned the network to see what other systems they could access to get sensitive IP. One in five North American-based corporations reports having had IP stolen within the last year.
  • Safety risks: The Triton attack on a petrochemical facility targeted safety controllers with the intent to cause major structural damage and possible loss of life. The attackers gained a foothold in the IT network then used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new avenues of attack for compromising unmanaged OT devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:

  1. Create an up-to-date, detailed inventory and map of your OT network.
  2. Use the asset inventory or map to prioritize risks, such as unpatched systems, unauthorized connections between subnets, or unauthorized connections to the internet.
  3. Implement continuous monitoring with anomaly detection.

Azure datacenters—a strategic resource

Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. A Microsoft datacenter is a complex, industrial-scale facility sitting at the intersection of operational technology (OT) and information technology (IT). This includes industrial control systems managing climate, power, and water; physical security systems; diverse Microsoft and non-Microsoft personnel managing the servers and equipment; various networks including LAN, WAN, and WiFi; and diverse software tools. Relying exclusively on IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching them can disrupt operations, leading to safety risks.


Figure 2: Microsoft datacenters.

The biggest risks in securing complex, heterogeneous datacenter environments spanning multiple generations of equipment are the lack of visibility into the full datacenter stack and the lack of incident response (IR) plans and playbooks that span OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.

To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform in mid-2019. Microsoft subsequently acquired CyberX in June 2020 and recently released Azure Defender for IoT, which is based on CyberX’s agentless security platform.

Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.

Azure Defender for IoT is now deeply integrated with Azure Sentinel and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.


Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.

How it works

Azure Sentinel processes alerts from both IT and OT, including alerts from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers, and alerts from IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks), where machine learning reduces false positives and makes our alerts richer—creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.

Microsoft datacenter security monitoring and response:

  • Improves the quality of critical environment inventory for risk-based analysis.
  • Correlates significant security events across multiple sources.
  • Advances detections across industrial control system (ICS) networks for known malware, botnet, and command/control traffic.
  • Enables machine learning support for insider threat-detection via user and entity behavior analytics (UEBA).
  • Deploys OT and IT incident-response playbooks using Azure Logic Apps integrated with Microsoft SOC. For example, we implement OT and IT playbooks for scenarios like ransomware or malware, botnet, insider threat, and untracked data-bearing devices.
  • Detects anomalous activity while reducing noise.

In addition, the Microsoft cloud security stack, including the Microsoft Threat Intelligence Center (MSTIC), is being expanded with OT capabilities and threat intelligence.

OT and IT: Bridging the cultural divide

OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:

  • Mature and boost IT security practices for OT: Patching an OT system isn’t the same as updating IT; there can be dangerous repercussions in the form of factory downtime or safety risks. Empathy is important; the liberties enjoyed in the IT world can’t be blindly applied on OT. However, don’t throw away IT security best practices—boost them with OT capabilities.
  • Embrace the security journey: Whether you’re in OT or IT, security improvements move like a dial, not a switch. Agree on your guiding principles and tenets, then constantly improve collaboration between OT and IT teams.
  • Understand the OT persona: IT teams should get to know what a day in the life of an OT person looks like. Our team shadowed OT activity by making site visits, which helped build understanding and establish working relationships.
  • Appreciate the other team’s priorities: When working with OT, this means understanding the importance of safety and availability. What might be a simple system patch in IT could cause downtime or a safety issue in OT. Establish a common vocabulary and metrics to work out issues together.
  • Acknowledge preconceptions: OT often feels like the IT security approach will cause disruptions and downtime, leading to audits, escalations, or worse. For that reason, our approach became: “Hey, we found a problem. Let’s solve it together.”
  • Be proactive versus reactive: Do security assessments together and keep the right people in the loop. Set up two-way trainings, such as joint tabletop or red team exercises, and plan for “worst day” scenarios. Create dedicated websites and SharePoint sites where people can reach out with confidence that their concerns will be addressed.

For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring.”


Announcing the general availability of Azure Defender for IoT

January 27th, 2021

As businesses increasingly rely on connected devices to optimize their operations, the number of IoT and Operational Technology (OT) endpoints is growing dramatically—industry analysts have estimated that CISOs will soon be responsible for an attack surface multiple times larger than just a few years ago.

Today we are announcing that Azure Defender for IoT is now generally available.

Defender for IoT adds a critical layer of security for this expanding endpoint ecosystem. In contrast to user devices (laptops and phones) and server infrastructure, many IoT and OT devices do not support the installation of agents and are currently unmanaged and therefore invisible to IT and security teams. Without this visibility, it is extremely challenging to detect if your IoT and OT infrastructure has been compromised. Further increasing risk, many of these devices were not designed with security in mind and lack modern controls such as strong credentials and automated patching.

As a result, there is understandable concern about Cyber-Physical System (CPS) risk in OT and industrial control system (ICS) environments such as electricity, water, transportation, data centers, smart buildings, food, pharmaceuticals, chemicals, oil and gas, and other critical manufactured products. Compared to traditional IT risk, the business risk associated with IoT and OT is distinct and significant:

  • Production downtime, resulting in revenue impact and critical shortages.
  • Theft of proprietary formulas and other sensitive intellectual property, causing loss of competitive advantage.
  • Safety and environmental incidents, leading to brand impact and corporate liability.

Traditional security tools developed for IT networks are unable to address these risks as they lack awareness of specialized industrial protocols such as Modbus, DNP3, and BACnet and this different class of equipment from manufacturers like Rockwell Automation, Schneider Electric, Emerson, Siemens, and Yokogawa.

Proactive IoT and OT security monitoring and risk visibility

With Defender for IoT, industrial and critical infrastructure organizations can now proactively and continuously detect, investigate, and hunt for threats in their IoT and OT environments. Incorporating specialized IoT and OT aware behavioral analytics and threat intelligence from our recent acquisition of CyberX, Azure Defender for IoT is an agentless security solution for:

  • Auto-discovery of IoT and OT assets.
  • Identification of vulnerabilities and prioritizing mitigations.
  • Continuously monitoring for IoT and OT threats, anomalies, and unauthorized devices.
  • Delivering unified IT and OT security monitoring and governance. This is achieved via deep integration with Azure Sentinel, Microsoft’s cloud-native SIEM and SOAR platform, for sharing rich contextual information about IoT and OT assets and threats related to incidents. Support is also provided for other SOC workflows and security stacks including Splunk, IBM QRadar, and ServiceNow.


Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration.

Fast and flexible deployment options

Defender for IoT is agentless, has deeply embedded knowledge of diverse industrial protocols, and makes extensive use of machine learning and automation, eliminating the need to manually configure any rules or signatures or have any prior knowledge of the environment.

This means that Defender for IoT can typically be rapidly deployed (often in less than a day), making it an ideal solution for organizations with tight deadlines and short plant maintenance windows. Plus, it uses passive, non-invasive monitoring via an on-premises edge sensor which analyzes a copy of the network traffic from a SPAN port or TAP—so there’s zero impact on IoT and OT network performance or reliability.

To provide customers flexibility and choice, Defender for IoT offers multiple deployment options:

  • On-premises for highly regulated or sensitive environments.
  • Azure-connected for organizations looking to benefit from the scalability, simplicity, and continuous threat intelligence updates of a cloud-based service, plus integration with the Azure Defender XDR.
  • Hybrid where security monitoring is performed on-premises but selected alerts are forwarded to a cloud-based SIEM like Azure Sentinel.


Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub (optional). 

Proven in some of the world’s most complex and diverse environments

The technology delivered with Defender for IoT has been deployed in some of the world’s largest and most complex environments, including:

  • Three of the top 10 U.S. energy utilities, plus energy utilities in Canada, EMEA, and APAC.
  • Three of the top 10 global pharmaceutical companies.
  • Global 2000 firms in manufacturing, chemicals, oil and gas, and life sciences.
  • One of the world’s largest regional water utilities.
  • Building management systems (BMS) for data centers and smart buildings worldwide, including in Microsoft’s own Azure data centers.
  • Multiple government agencies.

Getting started with Azure Defender for IoT

You can try Defender for IoT for free for the first 30 days and for up to 1,000 devices. After that, you pay on a per-device basis in increments of a thousand devices. Visit the product page and getting started pages to learn more.

For more detailed product information:

  • Read our blog post describing the product architecture and capabilities in more detail, titled “Go inside the new Azure Defender for IoT.”
  • Watch our 30-minute Ignite session with a demo showing how integration with Azure Sentinel and IoT and OT-specific SOAR playbooks enable faster detection and response to multistage attacks that cross IT and OT boundaries, using the TRITON attack on a petrochemical facility as an example.
  • If you’re currently using Azure Defender for IoT, read our article about updating it with the latest threat intelligence package for detecting threats related to the compromise of the SolarWinds Orion product and theft of FireEye’s Red Team tools.


Addressing cybersecurity risk in industrial IoT and OT

October 21st, 2020

As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too, do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need to ensure safety in manufacturing, oil and gas facilities, public utilities, transportation, civic infrastructure, and more.

Analysts predict that we’ll have roughly 21.5 billion IoT devices connected worldwide in 2025, drastically increasing the surface area for attacks. Because embedded devices often go unpatched, CISOs need new strategies to mitigate IIoT/OT risks that differ in crucial ways from those found in information technology (IT). The difference needs to be understood by your Board of Directors (BoD) and leadership team. Costly production outages, safety failures with injuries or loss of life, environmental damage leading to liability—all are potentially disastrous scenarios that have moved IIoT and OT to the center of cyber threat management.

An evolving threat landscape

Both IIoT and OT are considered cyber-physical systems (CPS); meaning, they encompass both the digital and physical worlds. This makes any CPS a desirable target for adversaries seeking to cause environmental contamination or operational disruption. As recent history shows, such attacks are already underway. Examples include the TRITON attack—intended to cause a serious safety incident—on a Middle East chemical facility and the Ukrainian electrical-grid attacks. In 2017, ransomware dubbed NotPetya paralyzed the mighty Maersk shipping line and nearly halted close to a fifth of the world’s shipping capacity. It also spread to pharma giant Merck, FedEx, and numerous European firms before boomeranging back to Russia to attack the state oil company, Rosneft.

In 2019, Microsoft observed a Russian state-sponsored attack using IoT smart devices—a VOIP phone, an office printer, and a video decoder—as entry points into corporate networks, from which the attackers attempted to elevate privileges. Attackers have even compromised building access control systems to move into corporate networks using distributed denial-of-service (DDoS) attacks, in which a computer system is overwhelmed and crashed by an onslaught of traffic.

The current model

Since the 1990’s, the Purdue Enterprise Reference Architecture (PERA), aka the Purdue Model, has been the standard model for organizing (and segregating) enterprise and industrial control system (ICS) network functions. PERA divides the enterprise into various “Levels,” with each representing a subset of systems. Security controls between each level are typified by a “demilitarized zone” (DMZ) and a firewall.

Conventional approaches restrict downward access to Level 3 from Levels 4 and 5 (and the internet). Heading upward, only Levels 2 and 3 can communicate with Levels 4 and 5, and the lowest two Levels (machinery and process) must keep their data and communications within the organization’s OT.

But in our IIoT era, data no longer flows in a hierarchical fashion as prescribed by the Purdue Model. With the rise of edge computing, smart sensors and controllers (Levels 0 and 1) now bypass firewalls and communicate directly with the cloud, creating new risks for system exposure.

Modernizing this model with Zero Trust principles at Levels 4 and 5 can help bring an organization’s IIoT/OT into full compliance for the cloud era.
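A worked check of the Purdue-level rules described above, which also serves the second CISA recommendation in the datacenter post earlier on this page (use the inventory to prioritize unpatched systems and unauthorized connections between subnets or to the internet); this is an added Python example, not Microsoft's or CISA's code, and the asset names, Purdue levels, flow records and scoring weights are constructed assumptions.

```python
"""Added example, not Microsoft's or CISA's code: checks an OT asset inventory and
observed flows against the Purdue-level rules described above and ranks the findings
as CISA's second recommendation (prioritize risks) calls for. Assets, levels,
flow records and weights are constructed for illustration."""
from dataclasses import dataclass

INTERNET = "internet"   # pseudo-endpoint for anything outside the enterprise
UNKNOWN_LEVEL = 3       # level assumed for hosts missing from the inventory

# How much each finding counts before the Purdue-level multiplier is applied.
FINDING_WEIGHT = {
    "internet_exposure": 5,   # Level 0-3 device talking straight to the internet
    "enterprise_to_ot": 4,    # Level 4/5 (or the internet) reaching into Level 3 or below
    "ot_to_enterprise": 3,    # Level 0/1 device leaving the OT zone
    "unknown_asset": 3,       # host seen on the wire but absent from the inventory
}


@dataclass(frozen=True)
class Asset:
    name: str
    level: int             # Purdue level: 0 (process) .. 5 (enterprise)
    unpatched_cves: int = 0


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def check_flow(flow, assets):
    """Return (finding, offending endpoint), or (None, None) if the flow is allowed."""
    for end in (flow.src, flow.dst):
        if end != INTERNET and end not in assets:
            return "unknown_asset", end   # CISA recommendation 1: inventory gap
    src_lvl = None if flow.src == INTERNET else assets[flow.src].level
    dst_lvl = None if flow.dst == INTERNET else assets[flow.dst].level
    # Levels 0/1 must keep their traffic inside the OT zone (Levels 0-3).
    if src_lvl in (0, 1) and dst_lvl is None:
        return "internet_exposure", flow.src
    if src_lvl in (0, 1) and dst_lvl >= 4:
        return "ot_to_enterprise", flow.src
    # No direct downward access from Levels 4/5 or the internet into Level 3 and below.
    if (src_lvl is None or src_lvl >= 4) and dst_lvl is not None and dst_lvl <= 3:
        return "enterprise_to_ot", flow.dst
    # Levels 2/3 may talk to Levels 4/5, but not straight out to the internet.
    if src_lvl in (2, 3) and dst_lvl is None:
        return "internet_exposure", flow.src
    return None, None


def prioritize(inventory, flows):
    """Rank assets by risk. Lower Purdue levels carry higher physical consequence,
    so every finding on an asset is multiplied by (6 - level)."""
    assets = {a.name: a for a in inventory}
    report = {}

    def add(name, level, points, reason):
        entry = report.setdefault(name, {"score": 0, "reasons": []})
        entry["score"] += points * (6 - level)
        entry["reasons"].append(reason)

    for a in inventory:
        if a.unpatched_cves:
            add(a.name, a.level, a.unpatched_cves, f"{a.unpatched_cves} unpatched CVE(s)")
    for f in flows:
        finding, culprit = check_flow(f, assets)
        if finding:
            level = assets[culprit].level if culprit in assets else UNKNOWN_LEVEL
            add(culprit, level, FINDING_WEIGHT[finding],
                f"{finding}: {f.src} -> {f.dst} ({f.protocol})")
    return sorted(report.items(), key=lambda kv: kv[1]["score"], reverse=True)


# Constructed inventory and observed flows.
INVENTORY = [
    Asset("plc-boiler-1", level=1, unpatched_cves=2),
    Asset("hmi-boiler", level=2),
    Asset("historian", level=3, unpatched_cves=1),
    Asset("erp-app", level=4),
]
FLOWS = [
    Flow("hmi-boiler", "plc-boiler-1", "modbus"),      # allowed: stays inside OT
    Flow("historian", "erp-app", "https"),             # allowed: Level 3 up to Level 4
    Flow("plc-boiler-1", INTERNET, "mqtt"),            # smart sensor bypassing the firewall
    Flow("erp-app", "historian", "sql"),               # direct downward access
    Flow("vendor-laptop", "plc-boiler-1", "s7comm"),   # host not in the inventory
    Flow("hmi-boiler", INTERNET, "https"),             # HMI reaching the internet
]

if __name__ == "__main__":
    for name, entry in prioritize(INVENTORY, FLOWS):
        print(f"{entry['score']:3d} {name}: {'; '.join(entry['reasons'])}")
```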

A new strategy

Consequence-driven cyber-informed engineering (CCE) is a new methodology designed by Idaho National Labs (INL) to address the unique risks posed by IIoT/OT. Unlike conventional approaches to cybersecurity, CCE views consequence as the first aspect of risk management and proactively engineers for potential impacts. Based on CCE, there are four steps that your organization—public or private—should prioritize:

  1. Identify your “crown jewel” processes: Concentrate on protecting critical “must-not-fail” functions whose failure could cause safety, operational, or environmental damage.
  2. Map your digital estate: Examine all the digital pathways that could be exploited by adversaries. Identify all of your connected assets—IT, IoT, building management systems (BMS), OT, smart personal devices—and understand who has access to what, including vendors, maintenance people, and remote workers.
  3. Spotlight likely attack paths: Analyze vulnerabilities to determine attack routes leading to your crown jewel processes, including possible social engineering schemes and physical access to your facilities.
  4. Mitigate and protect: Prioritize options that allow you to “engineer out” cyber risks that present the highest consequences. Implement Zero Trust segmentation policies to separate IIoT and OT devices from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.

Making the case in real terms

Your leadership and BoD have a vested interest in seeing a return on investment (ROI) for any new software or hardware. Usually, the type of ROI they want and expect is increased revenue. But returns on security software often can’t be seen in a quarterly statement. That means cybersecurity professionals have to present a solid case. Here are some straightforward benefits to investing in IIoT/OT cybersecurity software that you can take into the boardroom:

  • Prevent safety or environmental costs: Security failures at chemical, mining, oil, transportation, or other industrial facilities can cause consequences more dire than an IT breach. Lives can be lost, and costs incurred from toxic clean-up, legal liability, and brand damage can reach into the hundreds of millions.
  • Minimize downtime: As the NotPetya and LockerGoga attacks demonstrated, downtime incurs real financial losses that affect everyone—from plant personnel all the way up to shareholders.
  • Stop IP theft: Companies in the pharmaceutical industry, energy production, defense, high-tech, and others spend millions on research and development. Losses from having their intellectual property stolen by nation states or competitors can also be measured in the millions.
  • Avoid regulatory fines: Industries such as pharmaceuticals, oil/gas, transportation, and healthcare are heavily regulated. Therefore, they are vulnerable to large fines if a security breach in IIoT/OT causes environmental damage or loss of life.

The way forward

For today’s CISO, securing the digital estate now means being accountable for all digital security—IT, OT, IIoT, BMS, and more. This requires an integrated approach—embracing people, processes, and technology. A good checklist to start with includes:

  • Enable IT and OT teams to embrace their common goal—supporting the organization.
  • Bring your IT security people onsite so they can understand how OT processes function.
  • Show OT personnel how visibility helps the cybersecurity team increase safety and efficiency.
  • Bring OT and IT together to find shared solutions.

With attackers now pivoting across both IT and OT environments, Microsoft developed Azure Defender for IoT to integrate seamlessly with Azure Sentinel and Azure Sphere—making it easy to track threats across your entire enterprise. Azure Defender for IoT utilizes:

  • Automated asset discovery for both new greenfield and legacy unmanaged IoT/OT devices.
  • Vulnerability management to identify IIoT/OT risks, detect unauthorized changes, and prioritize mitigation.
  • IIoT/OT-aware behavioral analytics to detect advanced threats faster and more accurately.
  • Integration with Azure Sentinel and third-party solutions like other SIEMs, ticketing, and CMDBs.

Azure Defender for IoT makes it easier to see and mitigate risks and present those risks to your BoD. Microsoft invests more than USD1 billion annually on cybersecurity research, which is why Azure has more compliance certifications than any other cloud provider.

Plain language and concrete examples go far when making the case for IIoT/OT security software. Your organization should define what it will—and more importantly, will not—tolerate as operational risks. For example: “We tolerate no risk to human life or safety”; “no permanent damage to the ecosystem”; “no downtime that will cost jobs.” Given the potential for damages incurred from downtime, injuries, environmental liability, or tarnishing your brand, an investment in cybersecurity software for IIoT/OT makes both financial and ethical sense.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Addressing cybersecurity risk in industrial IoT and OT appeared first on Microsoft Security.

Rethinking IoT/OT Security to Mitigate Cyberthreats

August 26th, 2020

We live in an exciting time. We’re in the midst of the fourth industrial revolution—first steam, followed by electricity, then computers, and, now, the Internet of Things.

A few years ago, IoT seemed like a futuristic concept that was on the distant horizon. The idea that your fridge would be connected to the internet, constantly uploading and downloading data and ordering things on its own, like new filters or groceries, seemed laughable. Why would anyone want or need such a thing?

Now, IoT and other embedded and operational technologies (OT) are far more pervasive in our lives than anyone could have imagined. Robotics, chemical and pharmaceutical production, power generation, oil production, transportation, mining, healthcare devices, building management systems, and seemingly everything else is becoming part of a smart, interconnected, machine-learning powered system. Machines can now monitor themselves, diagnose problems, and then reconfigure and improve based on the data.

The threat is real

It’s an exciting time, but it’s also an alarming time, especially for CISOs (Chief Information Security Officers) working diligently to employ risk mitigation and keep their companies secure from cyberthreats. Billions of new IoT devices go online each year, and as these environments become more connected with digitization initiatives, their attack surfaces grow.

From consumer goods to manufacturing systems to municipal operations like the power grid, it all needs data protection. The threat is very real. Take the Mirai botnet hack, for example: 150,000 cameras were hacked and turned into a botnet that blocked internet access for large portions of the US. We have also seen destructive and rapidly spreading ransomware attacks, like NotPetya, cripple manufacturing and port operations around the globe. However, existing IT security solutions cannot solve those problems due to the lack of standardized network protocols for such devices and the inability to certify device-specific products and deploy them without impacting critical operations. So, what exactly is the solution? What do people need to do to resolve the IoT security problem?

Working to solve this problem is why Microsoft has joined industry partners to create the Open Source Security Foundation as well as acquired IoT/OT security leader CyberX. This integration between CyberX’s IoT/OT-aware behavioral analytics platform and Azure unlocks the potential of unified security across converged IT and industrial networks. And, as a complement to the embedded, proactive IoT device security of Microsoft Azure Sphere, CyberX IoT/OT provides monitoring and threat detection for devices that have not yet upgraded to Azure Sphere security. Used together, CyberX and Azure Sphere can give you visibility to what’s happening in your environment while actively preventing exploitation of your connected equipment. The goal is to achieve the mission of securing every unmanaged device to help protect critical operations.

Both Microsoft and CyberX have managed to help protect a large number of enterprises around the world—including leading organizations in manufacturing, pharmaceuticals and healthcare, power utilities, oil and gas companies, data centers, and more, at a global scale.

This success is due to taking a completely different approach, an innovative solution that prioritizes ease of deployment and use—to provide a security solution custom-built for OT and industrial control systems. So, what do you need to do that?

Let’s sit in a plant. Imagine that the process keeps on running, so from an operational perspective, all is fine. But even if operations are moving smoothly, you don’t know if someone is trying to hack your systems, steal your IP, or disrupt your day-to-day processes—you wouldn’t know that until the processes are disrupted, and by then, it’s too late.

To catch these threats, you need to understand what you have, understand the process interaction, validate access to the resources, and understand root cause analysis from other breaches. From a technology perspective, to gain this level of understanding, you need automated and intelligent asset visibility, behavioral analytics capable of understanding OT/IoT behavior, vulnerability management, and threat hunting. To defend against these threats, you will want to deploy an IoT device security solution that implements critical security properties, including defense in-depth, error reporting, and renewable security, that will help keep your connected devices and equipment protected over time.

Where to go from here

For any business looking to learn more about IoT/OT security, a good place to start is by downloading CyberX’s global IoT/ICS risk report. This free report provides a data-driven analysis of vulnerabilities in our Internet of Things (IoT) and industrial control systems (ICS) infrastructure.

Based on data collected in the past 12 months from 1,821 production IoT/ICS networks—across a diverse mix of industries worldwide—the analysis was performed using passive, agentless monitoring with patented deep packet inspection (DPI) and Network Traffic Analysis (NTA). The data shows that IoT/ICS environments continue to be soft targets for adversaries, with security gaps in key areas such as:

  • Outdated operating systems
  • Unencrypted passwords
  • Remotely accessible devices
  • Unseen indicators of threats
  • Direct internet connections

To learn more about protecting your critical equipment and devices with layered and renewable security, we recommend reading The seven properties of highly secured devices. To understand how these properties are implemented in Azure Sphere, you can download The 19 best practices for Azure Sphere.

These are key resources for any businesses looking to increase their IoT security and help mitigate cyberthreats to their organization’s systems and data.

Learn more

Tackling the IoT security threat is a big, daunting project, but Microsoft is committed to helping solve it through innovation and development efforts that empower businesses across the globe to operate more safely and securely.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about protecting your critical equipment and devices with layered and renewable security, reach out to your Microsoft account team; we also recommend reading The seven properties of highly secured devices.

The post Rethinking IoT/OT Security to Mitigate Cyberthreats appeared first on Microsoft Security.

Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity

August 5th, 2020

Most of us know ‘Improv’ through film, theatre, music, or even live comedy. It may surprise you to learn that the skills required for improvisational performance art can also make you a good hacker. In cybersecurity, while quite a bit of focus is on the technology that our adversaries use, we must not forget that most cybersecurity attacks start with a non-technical, social engineering campaign—and they can be incredibly sophisticated. It is how attackers were able to pivot quickly and leverage COVID-themed lures to wreak havoc during the onset of the global pandemic. To dig into how social attacks like these are executed, and why they work time and again, I spoke with Rachel Tobac on a recent episode of Afternoon Cyber Tea with Ann Johnson.

Rachel Tobac is the CEO of SocialProof Security and a white-hat hacker, who advises organizations on how to harden their defenses against social engineering. Her study of neuroscience and Improv have given her deep insight into how bad actors use social psychology to convince people to break policy. I really appreciate how she is able to break down the steps in a typical social engineering campaign to illustrate how people get tricked.

In our conversation, we also talked about why not all social engineering campaigns feel “phishy.” Hackers are so good at doing research and building rapport that the interaction often feels legitimate to their targets. However, there are techniques you can use, like multi-factor authentication and two-factor communication, to reduce your risk. We also discussed emerging threats, like deep fake videos, attacks on critical infrastructure, and how social engineering techniques could be used against driverless cars. To learn why you should take social engineering seriously and how to protect your organization, listen to Afternoon Cyber Tea with Ann Johnson: Revisiting social engineering: The human threat to cybersecurity on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts — You can also download the episode by clicking the Episode Website link.
  • Podcast One — Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page — Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To find out more information on Microsoft Security Solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity appeared first on Microsoft Security.

Microsoft Joins Open Source Security Foundation

August 3rd, 2020

Microsoft has invested in the security of open-source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open-source security efforts to improve the security of open-source software by building a broader community, targeted initiatives, and best practices. Microsoft is proud to be a founding member alongside GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat.

Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT.

Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance.  Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.

Microsoft has been involved in several open-source security initiatives over the years and we are looking forward to bringing these together under the umbrella of the OpenSSF. For example, we have been actively working with OSSC in four primary areas:

Identifying Security Threats to Open Source Projects

Helping developers to better understand the security threats that exist in the open-source software ecosystem and how those threats impact specific open source projects.

Security Tooling

Providing the best security tools for open source developers, making them universally accessible and creating a space where members can collaborate to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community.

Security Best Practices

Providing open-source developers with best practice recommendations, and with an easy way to learn and apply them. Additionally, we have been focused on ensuring best practices to be widely distributed to open source developers and will leverage an effective learning platform to do so.

Vulnerability Disclosure

Creating an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

We are looking forward to participating in future OpenSSF efforts including securing critical open source projects (assurance, response), developer identity, and bounty programs for open-source security bugs.

We are excited and honored to be advancing the work with the OSSC into the OpenSSF and we look forward to the many improvements that will be developed as a part of this foundation with the open-source community.

To learn more and to participate, please join us at: https://openssf.org and on GitHub at https://github.com/ossf.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Joins Open Source Security Foundation appeared first on Microsoft Security.

Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks

July 23rd, 2020

The rapidity of change in the cyberthreat landscape can be daunting for today’s cyber defense teams. Just as they perfect the ability to block one attack method, adversaries change their approach. Tools like artificial intelligence and machine learning allow us to pivot quickly; however, knowing which cyber trends are real and which are hype can be the difference between success and struggle. To help you figure out where to focus your resources, Kevin Beaumont joined me on Afternoon Cyber Tea.

Kevin is a thought leader on incident detection and response. His experience running Security Operations Centers (SOC) has given him great insight into both the tactics used by attackers and how to create effective cyber teams. While our discussion took place before he joined Microsoft, his insights remain of great value as we look at how current cyber trends will evolve past the pandemic.

In this episode, he shares his cyber experience on everything from the role ransomware plays in the monetization of cybercrime, to which attack vectors may Peak, Plateau, or Plummet, and which trends are here to stay.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech. As we work on how to help empower every person and organization on the planet achieve more, we must look at how we combine our security learnings with examining how today’s cybersecurity investments will shape our industry and impact tomorrow’s cybersecurity reality.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks appeared first on Microsoft Security.

Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them

July 2nd, 2020

Recently, Microsoft announced our acquisition of CyberX, a comprehensive network-based security platform with continuous threat monitoring and analytics. This solution builds upon our commitment to provide a unified IoT security solution that addresses connected devices spread across both industrial and IT environments and provides a trusted, easy-to-use platform for our customers and partners to build connected solutions – no matter where they are starting in their IoT journey.

Every year billions of new connected devices come online. These devices enable businesses to fine-tune operations, optimize processes, and develop analytics-based services. Organizations are clearly benefiting from IoT as shared in the IoT Signals research report produced by Microsoft. But while the benefit is great, we must not ignore the potential security risks. To talk about how companies can reduce their risk from connected devices, Dr. Andrea Little Limbago joined me on Cyber Tea with Ann Johnson.

Dr. Andrea Little Limbago is a cybersecurity researcher, quant analyst, and computational social scientist at Virtru. With a background in social science, Andrea has a unique perspective that I think you’ll find interesting.

Andrea and I talked about the role of automation in attacks and defense and how privacy and security advocates can come together to accomplish their overlapping goals. We also talked about how to safeguard your organization when you can’t inventory all your IoT devices.

It isn’t just businesses that are investing in connected devices. If you have IoT devices in your home, Andrea offered some great advice for protecting your privacy and your data. Listen to Cybersecurity and IoT: New Risks and How to Minimize Them to hear our conversation.

Lack of visibility into the devices currently connected to the network is a widespread problem. Many organizations also struggle to manage security on existing devices. The acquisition of CyberX complements existing Azure IoT security capabilities. I’m excited because this helps our customers discover their existing IoT assets, and both manage and improve the security posture of those devices. Expect more innovative solutions as we continue to integrate CyberX into Microsoft’s IoT security portfolio.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

If you are interested in how businesses across the globe are benefiting from IoT, read IoT Signals, a research report produced by Microsoft.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.