In 2020, Microsoft purchased a top IoT vendor called CyberX, which focused on predicting, detecting, and stopping breaches in IoT and OT networks. This capability has been rebranded as Microsoft Defender for IoT and is part of the Defender platform, integrated with the wider Microsoft security suite.

Defender for IoT (D4IoT) is a software-as-a-service (SaaS) solution from Microsoft. It requires an additional license beyond the Microsoft 365 E5 Security stack.

At a high level, Defender for IoT:

  • Is an agentless solution that listens on a Switch SPAN port to give visibility on your device landscape.
  • Delivers a complete inventory and monitoring capabilities for IoT and OT devices without impacting device performance
  • Can also use a micro agent that is most likely deployed by the device vendor but can be deployed to “modern” devices (running on Ubuntu).
  • Can use a hybrid network scan relying on the Defender for Endpoint (DFE) to extend your device inventory.
  • Has a direct connector and alert pipeline into Microsoft Sentinel.

Here at Open Systems, our customers don’t want to manage and optimize these tools themselves – that's where our Microsoft expertise comes in. The Open Systems MDR+ managed detection and response service empowers our customers’ teams to focus on security strategy and efficacy, instead of managing the tools.

Exploring the Azure control plane of IoT

Now, let’s get into the details. Say your organization is pretty excited about using D4IoT. What would the back-end infrastructure look like in Azure? What are the best practices you need to consider?

We’ll start with the Azure high level recommendations around areas, such as your subscriptions, Identity and Access Management (IAM) and general Security settings. The latest version of D4IoT doesn’t use or need us to deploy an IoT Hub in Azure. There are a number of Azure artifacts that are used (like event hubs, but they are provisioned in the background).

With IoT we have two major concepts when it comes to Azure: management and security. Azure has a raft of tools to help you manage your devices but securing them with D4IoT doesn’t require any of the management artifacts.

Azure Subscription Format

The hub-and-spoke model is generally accepted as the most accepted way to organize Azure. The hub generally has “admin” components like Authentication, Monitoring, Routing, Security artifacts, and so forth.

To deploy D4IoT and feed the alerts into Sentinel, you need a Sentinel instance. And for that you need a Log Analytics workspace.

The most basic steps we should take to secure our subscriptions are:

  • Use MFA for access to your subscriptions
  • Use conditional access policies that control access to your subs
  • Use Defender for cloud apps to protect subscription access

What’s Next?

Securing IoT and OT can feel like a daunting task, but there are plenty of resources to help you along. Microsoft has a fair amount of documentation, from introductory documentation to in-depth information on Defender for IoT if you choose to go that route.

And, as a five-time Microsoft Gold Partner, a Member of the Microsoft Intelligence Security Association, and the Microsoft Security MSSP of the Year for 2022, Open Systems has unique expertise and experience with the entire Microsoft security ecosystem. If you’re a Microsoft enterprise customer, or you’re thinking of becoming one, and have questions about how you can put Microsoft to work protecting your IoT/OT assets, contact us today.