Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks specifically targeting the IoT devices used in enterprise environments (e.g.: VoIP devices, printers, cameras, smart TVs, digital assistants, etc). In the past, attacks on IoT devices for many organizations seemed like a hypothetical threat however in recent years organizations have learned otherwise. We’ve seen attacks on devices of all kinds including cameras and VoIP devices1, smart building automation2 and recently service providers providing IoT services3 enabling supply chain attacks just to name a few. Each of these highlight the challenge of securing IoT devices.
Last month we announced that Microsoft Defender for IoT is adding agentless monitoring capabilities to help secure enterprise IoT devices connected to IT networks. Additionally, we announced that it will be part of the Microsoft SIEM and XDR offering enabling Defenders to easily secure IoT devices using the tools they already know. Today we’re announcing that the public preview of this new integrated solution is available for you to try and provide feedback on.
With it each of the Defender for IoT capabilities for securing enterprise IoT devices can be experienced directly within the Microsoft 365 Defender portal enabling you to secure and perform incident response on all of your IT related endpoint and not just the traditional ones (i.e.: workstations, servers, mobile). The new capabilities for IoT devices include:
- Device discovery
- Vulnerability management
- Detections and responses
- Correlation of IoT events and alerts into Incidents
Figure 1: The IoT Devices view under Device Inventory lists each device as well as properties about them including type, vendor, model just to name a few.
In addition, posture related recommendations for enterprise IoT devices will start appearing in the Security recommendations view. Since IoT devices are rarely updated one of the you’re likely to encounter are those suggesting that you update the firmware on devices where it’s not up to date and includes exploitable vulnerabilities. In the image below you will see that we support non-Windows platforms like Linux which are commonly used for IoT devices of all types.
Figure 2: Prioritize vulnerabilities and misconfigurations and use integrated workflows to bring devices into a more secure state.
Incidents, for those of you who are less familiar with them, are one of the most powerful features within our SIEM and XDR solution. They provide a single place to view and investigate an attack across stages, from initial access to impact. By bringing together signals from endpoints, identities, cloud apps, email and documents and applying artificial intelligence (AI) we can automatically investigate, and correlate attacks end to end, just like an experienced analyst would. This enables defenders to focus on the most critical alerts providing them with a complete and coherent picture of each attack in a single dashboard.
Another capability in the preview can be found in the Incidents view. You’ll find that Incidents are now inclusive of enterprise IoT devices so if they’re being used as a point of entry, for lateral movement, persistence or all of the above you’re going to be able to easily determine this.
Figure 2: View prioritized incidents that are inclusive of IT and IoT devices all in a single dashboard to reduce confusion, clutter, investigation times, and alert fatigue.
These are just a few examples of what is possible with the current preview build and we hope you’re excited to try them out. During the preview process all of the capabilities mentioned above will be further enriched and improved based on your feedback. Enterprise IoT specific detections and responses will be added later during the preview phase of the product cycle.
As implied above securing enterprise IoT devices with Microsoft 365 Defender and Defender for IoT also requires the use of Microsoft Defender for Endpoint. Click here to enable the public preview of the new Defender for IoT features within the Microsoft 365 Defender experience and please send us your feedback.
More information on the current release of Microsoft Defender for IoT which currently offers OT security can be found in the following resources
- Microsoft Defender for IoT website
- Microsoft Defender for IoT demonstration video
- Blog - Microsoft scores highest in threat coverage for MITRE ATT&CK for ICS
- Blog - New OT threat-monitoring solution for Sentinel
1Microsoft: Russian state hackers are using IoT devices to breach enterprise networks, Catalin Cimpanu, ZDNet. 5 August 2019.
2Hackers are hijacking smart building access systems to launch DDoS attacks, Catalin Cimpanu, ZDNet. 2 February 2020.
3Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals, William Turton, Bloomberg. 9 March 2021.