Announcing the general availability of Azure Defender for IoT

As businesses increasingly rely on connected devices to optimize their operations, the number of IoT and Operational Technology (OT) endpoints is growing dramatically—industry analysts have estimated that CISOs will soon be responsible for an attack surface multiple times larger than just a few years ago.

Today we are announcing that Azure Defender for IoT is now generally available.

Defender for IoT adds a critical layer of security for this expanding endpoint ecosystem. In contrast to user devices (laptops and phones) and server infrastructure, many IoT and OT devices do not support the installation of agents and are currently unmanaged and therefore invisible to IT and security teams. Without this visibility, it is extremely challenging to detect if your IoT and OT infrastructure has been compromised. Further increasing risk, many of these devices were not designed with security in mind and lack modern controls such as strong credentials and automated patching.

As a result, there is understandable concern about Cyber-Physical System (CPS) risk in OT and industrial control system (ICS) environments such as electricity, water, transportation, data centers, smart buildings, food, pharmaceuticals, chemicals, oil and gas, and other critical manufactured products. Compared to traditional IT risk, the business risk associated with IoT and OT is distinct and significant:

  • Production downtime, resulting in revenue impact and critical shortages.
  • Theft of proprietary formulas and other sensitive intellectual property, causing loss of competitive advantage.
  • Safety and environmental incidents, leading to brand impact and corporate liability.

Traditional security tools developed for IT networks are unable to address these risks as they lack awareness of specialized industrial protocols such as Modbus, DNP3, and BACnet and this different class of equipment from manufacturers like Rockwell Automation, Schneider Electric, Emerson, Siemens, and Yokogawa.

Proactive IoT and OT security monitoring and risk visibility

With Defender for IoT, industrial and critical infrastructure organizations can now proactively and continuously detect, investigate, and hunt for threats in their IoT and OT environments. Incorporating specialized IoT and OT aware behavioral analytics and threat intelligence from our recent acquisition of CyberX, Azure Defender for IoT is an agentless security solution for:

  • Auto-discovery of IoT and OT assets.
  • Identification of vulnerabilities and prioritizing mitigations.
  • Continuously monitoring for IoT and OT threats, anomalies, and unauthorized devices.
  • Delivering unified IT and OT security monitoring and governance. This is achieved via deep integration with Azure Sentinel, Microsoft’s cloud-native SIEM and SOAR platform, for sharing rich contextual information about IoT and OT assets and threats related to incidents. Support is also provided for other SOC workflows and security stacks including Splunk, IBM QRadar, and ServiceNow.

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration.

Fast and flexible deployment options

Defender for IoT is agentless, has deeply embedded knowledge of diverse industrial protocols, and makes extensive use of machine learning and automation, eliminating the need to manually configure any rules or signatures or have any prior knowledge of the environment.

This means that Defender for IoT can typically be rapidly deployed (often in less than a day), making it an ideal solution for organizations with tight deadlines and short plant maintenance windows. Plus, it uses passive, non-invasive monitoring via an on-premises edge sensor which analyzes a copy of the network traffic from a SPAN port or TAP—so there’s zero impact on IoT and OT network performance or reliability.

To provide customers flexibility and choice, Defender for IoT offers multiple deployment options:

  • On-premises for highly regulated or sensitive environments.
  • Azure-connected for organizations looking to benefit from the scalability, simplicity, and continuous threat intelligence updates of a cloud-based service, plus integration with the Azure Defender XDR.
  • Hybrid where security monitoring is performed on-premises but selected alerts are forwarded to a cloud-based SIEM like Azure Sentinel.

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub (optional). 

Proven in some of the world’s most complex and diverse environments

The technology delivered with Defender for IoT has been deployed in some of the world’s largest and most complex environments, including:

  • Three of the top 10 U.S. energy utilities, plus energy utilities in Canada, EMEA, and APAC.
  • Three of the top 10 global pharmaceutical companies.
  • Global 2000 firms in manufacturing, chemicals, oil and gas, and life sciences.
  • One of the world’s largest regional water utilities.
  • Building management systems (BMS) for data centers and smart buildings worldwide, including in Microsoft’s own Azure data centers.
  • Multiple government agencies.

Getting started with Azure Defender for IoT

You can try Defender for IoT for free for the first 30 days and for up to 1,000 devices. After that, you pay on a per-device basis in increments of a thousand devices. Visit the product page and getting started pages to learn more.

For more detailed product information:

  • Read our blog post describing the product architecture and capabilities in more detail, titled “Go inside the new Azure Defender for IoT.”
  • Watch our 30-minute Ignite session with a demo showing how integration with Azure Sentinel and IoT and OT-specific SOAR playbooks enable faster detection and response to multistage attacks that cross IT and OT boundaries, using the TRITON attack on a petrochemical facility as an example.
  • If you’re currently using Azure Defender for IoT, read our article about updating it with the latest threat intelligence package for detecting threats related to the compromise of the SolarWinds Orion product and theft of FireEye’s Red Team tools.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.