Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Cloud-delivered IoT/OT threat intelligence — now available for Defender for IoT
Published May 10 2021 10:43 AM 26.6K Views
Microsoft

According to industry experts, threat intelligence (TI) is a key differentiator when evaluating threat protection solutions.

 

But IoT/OT environments have unique asset types, vulnerabilities, and indicators of compromise (IOCs). That’s why incorporating threat intelligence specifically tailored to industrial and critical infrastructure organizations is a more effective approach for proactively mitigating IoT/OT vulnerabilities and threats.

 

We've also learned that cloud-based services deliver significant benefits including increased simplicity and scalability, with reduced manual effort — especially important for today's overworked security operations teams.

 

That's why we're especially excited to announce that TI updates for Azure Defender for IoT can now be automatically pushed to Azure-connected network sensors as soon as updates are released, reducing manual effort and helping to ensure continuous security[1].

 

To get started, simply go to the Azure Defender for IoT portal and enable the Automatic Threat Intelligence Updates option for all your cloud-connected sensors.  You can also monitor the status of updates from the “Sites and Sensors” page as shown below.

Viewing the status of network sensors and threat intelligence updates from the Azure portalViewing the status of network sensors and threat intelligence updates from the Azure portal

 

Threat intelligence curated by IoT/OT security experts

Developed and curated by Microsoft’s Section 52, the security research group for Azure Defender for IoT, our TI update packages include the latest:

  • IOCs such as malware signatures, malicious DNS queries, and malicious IPs
  • CVEs to update our IoT/OT vulnerability management reporting
  • Asset profiles to enhance our IoT/OT asset discovery capabilities

Section 52 is comprised of IoT/OT-focused security researchers and data scientists with deep domain expertise in threat hunting, malware reverse engineering, incident response, and data analysis. For example, the team recently uncovered “BadAlloc,” a series of remote code execution (RCE) vulnerabilities covering more than 25 CVEs that adversaries could exploit to compromise IoT/OT devices.

 

Leveraging the power of Microsoft’s broad threat monitoring ecosystem

To help customers stay ahead of ever-evolving threats on a global basis, Azure Defender for IoT also incorporates the latest threat intelligence from Microsoft’s broad and deep threat monitoring ecosystem.

 

This rich source of intelligence is derived from a unique combination of world-class human expertise — from the Microsoft Threat Intelligence Center (MSTC) — plus AI informed by trillions of signals collected daily across all of Microsoft’s platforms and services, including identities, endpoints, cloud, applications, and email, as well as third-party and open sources.

 

Threat intelligence enriches native behavioral analytics

IOCs aren’t sufficient on their own. Enterprises regularly contend with threats that have never been seen before, including ICS supply-chain attacks such as HAVEX; zero-day ICS malware such as TRITON and INDUSTROYER; fileless malware; and living-off-the-land tactics using standard administrative tools (PowerShell, WMI, PLC programming, etc.) that are harder to spot because they blend in with legitimate day-to-day activities.

 

To rapidly detect unusual or unauthorized activities missed by traditional signature- and rule-based solutions, Defender for IoT incorporates patented, IoT/OT-aware behavioral analytics in its on-premises network sensor (edge sensor).

 

Threat intelligence complements and enriches the platform’s native analytics, enabling faster detection of IOCs such as known malware and malicious DNS requests, as shown in the threat alert examples below.

 

Example of SolarWinds threat alert generated from threat intelligence informationExample of SolarWinds threat alert generated from threat intelligence information

 

Example of malicious DNS request alert generated from threat intelligence informationExample of malicious DNS request alert generated from threat intelligence information

Summary — Detecting Known and Unknown Threats

Effective IoT/OT threat mitigation requires detection of both known and unknown threats, using a combination of IoT/OT-aware threat intelligence and behavioral analytics.

 

With new cloud-connected capabilities provided with v10.3 of Azure Defender for IoT, industrial and critical infrastructure organizations can now ensure their network sensors always have the latest curated threat intelligence to continuously identify and mitigate risk in their IoT/OT environments — with more automation and fewer distractions for busy SecOps teams.

 

Learn more

Go inside the new Azure Defender for IoT including CyberX

Update threat intelligence data - Azure Defender for IoT | Microsoft Docs

What's new in Azure Defender for IoT - Azure Defender for IoT | Microsoft Docs

See the latest threat intelligence packages

 

About Azure Defender for IoT

Azure Defender for IoT offers agentless, IoT/OT-aware network detection and response (NDR) that’s rapidly deployed (typically less than a day per site); works with diverse legacy and proprietary OT equipment, including older versions of Windows that can’t easily be upgraded; and interoperates with Azure Sentinel and other SOC tools such as Splunk, IBM QRadar, and ServiceNow.

 

Gain full visibility into assets and vulnerabilities across your entire IoT/OT environment. Continuously monitor for threats with IoT/OT-aware behavioral analytics and threat intelligence. Strengthen IoT/OT zero trust by instantly detecting unauthorized or compromised devices. Deploy on-premises, in Azure-connected, or in hybrid environments.

 

[1] Of course, clients with on-premises deployments can continue to manually download packages and upload them to multiple sensors from the on-premises management console (aka Central Manager).

 

1 Comment
Co-Authors
Version history
Last update:
‎May 13 2021 06:21 AM
Updated by: