Security — May 24, 2023 at 2:34 pm

Uncompromising security in operational environments with Microsoft Defender for IoT and Safetech Innovations

The convergence of IT and operational infrastructures forces companies to find the appropriate protection solutions. Microsoft Defender for IoT improves the security of OT environments by ensuring asset management, threat identification and removal, and a proactive approach by detecting vulnerabilities that can be exploited by attackers.

Protecting operational networks has become a necessity in the context of the accelerated digitization of industrial processes and IT-OT convergence.
The challenge is that the security of OT devices still remains deficient: operating systems are updated considerably more slowly than in IT, and applying patches is difficult in production environments.

The complexity of updating critical infrastructure components to respond to modern threats, together with the associated risk of interrupting or disrupting production processes, leads many organizations to freeze operating system configurations in order to minimize potential instabilities and avoid additional integration costs.

But as these OT systems “age”, the number of attack vectors grows, and with it the risk of security breaches. As a result, operational environments have become an increasingly frequent target for cyber attackers, who know that devices in the OT network are not always as well protected as IT systems. According to Microsoft’s statistics, the attack surface has tripled in size in recent years, and the level of security implemented can no longer keep up with the ever-increasing threats. According to the same source, between 2020 and 2022 there was a 78% increase in the number of critical vulnerabilities in industrial control equipment from well-known vendors.

Microsoft Defender improves the resilience of operational environments

Assessing the security level of industrial control systems and applying appropriate protection measures requires dedicated solutions and specific skills and competencies.
To support companies facing such challenges, Microsoft launched Defender for IoT, a scalable platform that can be deployed quickly either on-premises or in the cloud, at the customer’s choice, and that integrates directly into existing operational environments with equipment from all major OT vendors.

The Microsoft solution is specially designed to meet the main needs of organizations operating operational environments, ensuring:
• Identification – The Microsoft Defender platform automatically discovers and identifies all devices when they are connected, providing rich context about each device (IP/MAC address, device manufacturer, device type, communication, protocols used, etc.). Security managers thus gain extended visibility into operational environments and can validate which devices are authorized to connect to the network.
• Protection – Once vulnerable assets are identified, companies can take steps to protect them using attack vector analysis, vulnerability management, network segmentation, etc. Thus, one can minimize the attack surface and eliminate vulnerabilities using an approach based on risk prioritization, which identifies and visualizes the most likely paths of attack.
• Detection – By continuously monitoring all equipment for unusual or suspicious activity, threats can be detected and neutralized before any operational process is disrupted. Microsoft’s platform uses technologies for machine learning and behavioral analysis, continuously monitors threats and issues real-time alerts that indicate suspicious or unauthorized activity.
• Response – If a cyber attacker has managed to penetrate the network, Microsoft Defender’s response guidelines recommend a series of specific measures to block the attacker before further devices or data are compromised.
• Recovery – In the event of an attack, Microsoft Defender provides detailed information about the incident so that security managers can quickly understand what they are dealing with and what resources have been affected and restore systems to their pre-attack state.
• Risk and Compliance Management – Addresses the main issues of the CISO, who currently lacks visibility into the risks associated with ICS/SCADA systems and operational technologies, while also providing management of OT assets and NIS compliance requirements.

Why Microsoft Defender for IoT is the market leader

With more than 24,000 billion signals collected daily from the global Microsoft ecosystem, the Defender platform for operational environments provides scalable protection with a high level of effectiveness.

A first competitive advantage of Microsoft Defender for IoT is given by the fact that the solution can be implemented in less than a day. At the same time, the agentless feature allows monitoring of all network activity without affecting OT devices. The platform inspects an “out of band” copy of the network traffic and therefore has zero impact on the performance of the OT environment.

Another important advantage is that, regardless of the topology or regulations specific to a certain industry, the platform reduces the complexity of the processes of managing and securing operational environments. Microsoft’s solution generates insights within minutes of connecting to the network and leverages machine learning and built-in automation mechanisms, reducing the effort to configure rules.

Microsoft Defender quickly detects advanced threats, outperforming traditional signature-based solutions. For this, the platform uses a series of proprietary technologies – such as Layer 7 Deep Packet Inspection (DPI) or Industrial Finite State Machine (IFSM) – with which it automatically identifies abnormal or unauthorized behavior without using static indicators of compromise (IOC). This way, the platform can detect threats quickly and more accurately, a critical element where, in most operational networks, it is difficult to detect whether a connection request is secure or whether an access request is legitimate.

In the context of security, integrity and resilience of industrial processes, the combination of IFSM, DPI and Machine Learning technologies is particularly valuable, as known attacks, zero-day threats, deviations from the normal course of industrial processes, but also malicious activities performed by insiders can be detected.

Last but not least, the solution supports all important industrial protocols (Modbus, DNP3, GE SRTP, Siemens S7, EtherNet/IP CIP, IEC 61850, BACnet, Emerson DeltaV, Yokogawa VNet/IP, ABB 800xA, etc.).
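The behavioral, IOC-free detection described above, applied to one of the protocols listed, can be illustrated with a passive Modbus/TCP monitor: learn which (source, destination, unit, function code) tuples occur in known-good traffic, then alert on frames that fall outside that baseline or are malformed. This is an added Python example, not code from Microsoft or Safetech; the IP addresses, frames and the two-phase baseline logic are constructed for illustration.

```python
import struct
WRITE_FCS = {5, 6, 15, 16}  # function codes that change PLC state (coil/register writes)
def parse_modbus_tcp(payload: bytes):
    """Parse MBAP header + function code; None if the frame is short or inconsistent."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:  # protocol id must be 0; length covers unit+PDU
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def learn_baseline(flows):
    """Learning phase: record every (src, dst, unit, fc) tuple seen in known-good traffic."""
    baseline = set()
    for src, dst, payload in flows:
        f = parse_modbus_tcp(payload)
        if f is not None:
            baseline.add((src, dst, f["unit"], f["fc"]))
    return baseline

def detect(baseline, flows):
    """Monitoring phase: alert on malformed frames and on any tuple outside the baseline."""
    alerts = []
    for src, dst, payload in flows:
        f = parse_modbus_tcp(payload)
        if f is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        if (src, dst, f["unit"], f["fc"]) not in baseline:
            kind = "write" if f["fc"] in WRITE_FCS else "read"
            alerts.append((src, dst, f"new {kind} function code {f['fc']} to unit {f['unit']}"))
    return alerts

def frame(tid, unit, fc, data=b""):
    """Build a Modbus/TCP frame (constructed sample data, not captured traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
# Constructed traffic: an HMI at 10.0.1.5 that only ever reads from the PLC at 10.0.2.20.
BASELINE_TRAFFIC = [
    ("10.0.1.5", "10.0.2.20", frame(1, 1, 3, b"\x00\x00\x00\x0a")),  # read holding registers
    ("10.0.1.5", "10.0.2.20", frame(2, 1, 1, b"\x00\x00\x00\x08")),  # read coils
]
OBSERVED_TRAFFIC = [
    ("10.0.1.5", "10.0.2.20", frame(3, 1, 3, b"\x00\x00\x00\x0a")),  # expected read
    ("10.0.1.5", "10.0.2.20", frame(4, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),  # HMI now writes
    ("10.0.9.77", "10.0.2.20", frame(5, 1, 3, b"\x00\x00\x00\x0a")),  # unknown host polls the PLC
    ("10.0.9.77", "10.0.2.20", b"\x00\x06\x00\x00\x00\x01"),  # truncated frame
]
def run_demo():
    return detect(learn_baseline(BASELINE_TRAFFIC), OBSERVED_TRAFFIC)
```

Running `run_demo()` yields three alerts: the HMI issuing a write it never issued during learning, an unknown host reading the PLC, and a truncated frame.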

As a result of all these advanced protection capabilities, Microsoft Defender is one of the most awarded solutions, winning the IoT Security, ICS/SCADA Security and Critical Infrastructure Security categories of the Cyber Security Excellence Awards 2019 and Best SCADA Security Solution at the 2020 edition of the SC Awards. In 2021, Microsoft Defender scored the highest in threat visibility coverage according to the MITRE ATT&CK assessment framework for industrial control systems. (1) In 2022, the Microsoft platform was named, for the third consecutive year, the market leader in the niche of solutions for protecting operational environments, according to the 2022 Gartner Magic Quadrant for Global Industrial IoT Platforms. (2)

Maximum efficiency with Safetech Innovations services

Safetech Innovations is an established security service provider on the Romanian market and Microsoft’s main partner for implementing the Microsoft Defender for IoT platform. The company has advanced skills in this technology and has completed more than 100 Microsoft Defender projects to date, accumulating significant relevant experience.

By leveraging these resources, Safetech can provide companies with complete Microsoft Defender implementation, configuration and customization services, so that the solution optimally covers the specific requirements of customers’ operational environments. At the same time, Safetech integrates the platform with other advanced security solutions within the client’s infrastructure, both from Microsoft (such as Azure Sentinel) and from other manufacturers (such as Splunk, IBM QRadar or ServiceNow).

Another major advantage of collaborating with Safetech is the possibility of integrating the Microsoft Defender for IoT platform with the CERT (Computer Emergency Response Team) services delivered by the company. Through this integration, Safetech’s team of certified CERT specialists can perform early threat detection and deliver rapid responses to emerging threats to avoid damage. Using the information provided by the platform, the CERT team can analyze and deeply understand incidents, identifying the sources and methods of attack, as well as their impact on the infrastructure. Also, by using pre-configured workflows and policies, remediation and protection actions can be implemented automatically, thereby reducing response time and minimizing the impact of attacks.

STI CERT is one of the first private CERT teams established in Romania. It is internationally accredited and provides private companies and public organizations with continuous monitoring of cyber threats and intervention in case of security incidents. STI CERT delivers 24/7/365 monitoring, alerting and incident management services and covers all types of cyber security incidents through centralized methods, applied by a team of certified experts and ethical hackers.

The convergence of IT and operational environments is causing the attack surface to grow rapidly, affecting an ever-widening range of industries. By adopting the Microsoft Defender for IoT/OT platform and using the services delivered by Safetech Innovations, companies can keep these risks under control by proactively working to eliminate them.

For more information about our services and commercial offers, we invite you to contact us by email at sales@safetech.ro or by phone at 021 316 05 65.

______________________

1 – Microsoft scores highest in threat visibility coverage for MITRE ATT&CK for ICS https://techcommunity.microsoft.com/t5/microsoft-defender-for-iot-blog/microsoft-scores-highest-in-threat-visibility-coverage-for-mitre/ba-p/2577072
2 – Microsoft named a Leader in the 2022 Gartner Magic Quadrant for Global Industrial IoT Platform https://azure.microsoft.com/en-us/blog/microsoft-named-a-leader-in-the-2022-gartner-magic-quadrant-for-industrial-iot-platforms/