Azure IoT and Security
Blog|by Simon Bisson|27 January 2022
Protecting your data, network, and devices across the complexities of the Internet of Things ecosystem
The Internet of Things isn’t one product, or even from one provider. It’s an ecosystem that links devices on the far edge of a network to complex cloud services, mixing software, hardware, and firmware, and public and private networks, both wired and wireless. So when it comes to securing its IoT tools, Microsoft has a much more complex task than providing security for Windows.
That’s why it describes its Azure IoT security tooling as working from “chip to cloud”, building on Azure Active Directory and its Defender suite of security tools. There’s a lot of work to be done, as most users have concerns about IoT security, covering everything from privacy to network and device security. Part of the problem is that there’s an underlying assumption that IoT will be secure, even though best practice is to build an infrastructure that assumes you have already been breached.
Defender for IoT
At the heart of Microsoft’s IoT tooling is Microsoft Defender for IoT. Part of the Microsoft 365 Defender platform, it’s an agentless tool that discovers and secures your devices, offering network layer monitoring. This approach allows you to quickly add security to existing IoT deployments, without having to change hardware or software.
Defender for IoT deploys as a set of physical or virtual appliances that act as network sensors, sitting on network switches in your IoT network, between your devices and your servers. These provide deep packet inspection tools that can identify devices, working at layer 7 so they don’t disrupt operations. Once deployed, it starts analysing packets and passing alerts on to your existing security tooling, which doesn’t have to be from Microsoft. So if you’re using Splunk or ServiceNow, Defender for IoT alerts can be handled by your existing processes and procedures.
Most of the work analysing packet data happens in the appliance, with five different detection engines. These look for protocol and policy violations, building on what’s identified as normal operation. Other engines monitor for known malware as well as anomalous network behaviour. The final engine monitors for network and device outages, adding an additional layer of protection for your IoT environment and helping spot physical attacks on remote devices as well as software issues.
A micro agent for device builders
Microsoft also offers a version of Defender for IoT to device builders. This allows them to build agents into device operating systems or firmware, with support for both Linux and its own Azure RTOS real-time operating system. At its heart is what Microsoft calls a “micro agent”. This doesn’t have all the features of the Defender agents used on PCs and servers, but because it runs at a much lower level, extracting raw security data, many of those features aren’t necessary.
The micro agent collects local security data, aggregates it, and then uses the Azure IoT SDK’s send security message API to deliver it to Azure IoT Hub. IoT Hub then forwards the data from edge hubs to the cloud security service for additional processing and analysis. That device data is also linked to network and service data from Azure IoT Hub, to give you a much bigger picture of what is happening at the edge of your network.
Defender for IoT best practices
One advantage of Defender for IoT is that it’s continually updated with best practices, allowing existing hardware to take advantage of new security approaches without needing device updates. Using the CIS best practice configurations, it helps harden your infrastructure, delivering up-to-date configuration guides that can help you roll out new network and application policies.
Usefully, Defender for IoT also integrates with Azure’s Sentinel SIEM. This uses machine learning to identify attacks on your network that might not be spotted by other tooling, with a single-pane-of-glass view that helps you manage your threat hunting.
Secure device firmware
Microsoft’s IoT security strategy goes beyond its own software and hardware, recognising that one of the key threats to an IoT deployment is device firmware. Small devices often store key authentication data in their firmware, as part of embedded software. While that may not be an issue in its own right, other flaws in device software can compromise that data or allow attackers to misuse hardware.
The recent acquisition of ReFirm Labs allows Microsoft to offer tools to analyse device firmware, building on the open source Binwalk. Using binary images of device firmware, the ReFirm tooling can look for common flaws, exposed secrets, and other firmware risks. You can make it part of your device CI/CD process, running it over new releases before they’re deployed to your devices using Azure’s tooling.
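To make the “exposed secrets” check concrete, here is an added example of the kind of scan a CI/CD step would run over an unpacked firmware image. It is not ReFirm Labs’ or Binwalk’s code and does not use their rule sets; the three patterns (PEM private keys, plaintext password assignments, and `/etc/shadow`-style hashes), the `Finding` type and the sample image are all constructed for this illustration. For packed or compressed images you would unpack first (for example with `binwalk -e`) and point `scan_extracted_tree` at the extraction directory.

```python
import os
import re
from dataclasses import dataclass

# Constructed rule set for this example (not ReFirm's or Binwalk's signatures).
# Each pattern runs over the raw bytes of an unpacked firmware image or file.
PATTERNS = {
    "pem_private_key": re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----.*?"
        rb"-----END (?:RSA |EC |OPENSSH |)PRIVATE KEY-----", re.S),
    "hardcoded_password": re.compile(
        rb"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{4,})"),
    "shadow_hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\n]+", re.M),
}


@dataclass
class Finding:
    kind: str        # which pattern fired
    offset: int      # byte offset inside the scanned blob
    excerpt: str     # first bytes of the match, for the CI log
    source: str = "<memory>"


def scan_image(data: bytes, source: str = "<memory>") -> list:
    """Return every secret-like match in `data`, ordered by offset."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(data):
            excerpt = match.group(0)[:40].decode("ascii", "replace")
            findings.append(Finding(kind, match.start(), excerpt, source))
    findings.sort(key=lambda f: f.offset)
    return findings


def scan_extracted_tree(root: str) -> list:
    """Scan every regular file under an unpacked firmware tree (e.g. a
    binwalk extraction directory) and tag each finding with its file path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                findings.extend(scan_image(fh.read(), path))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind; a CI gate can fail the build on any non-zero count."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_image() -> bytes:
    """Constructed stand-in for an unpacked firmware image: binary filler with
    a private key, a plaintext MQTT password and a shadow entry embedded."""
    filler = bytes(range(256)) * 4
    key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"MIIBOgIBAAJBAK/CONSTRUCTED/NOT/A/REAL/KEY\n"
           b"-----END RSA PRIVATE KEY-----\n")
    config = b"[mqtt]\nhost=broker.example\npassword=s3cr3t-device-key\n"
    shadow = b"root:$6$abcdefgh$CONSTRUCTEDHASH:19000:0:99999:7:::\n"
    return filler + key + filler + config + shadow + filler


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"{f.kind:20} @0x{f.offset:06x}  {f.excerpt!r}")
```

The scan is deliberately byte-oriented rather than file-oriented: secrets in firmware often sit in squashfs images, raw flash dumps or concatenated config blobs, so matching on raw bytes after unpacking catches them wherever the packaging put them.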
You can also take advantage of Microsoft’s partnerships with microcontroller vendors and its Azure Sphere platform. Based on the same ARM-based Pluton security processor used in Xbox, Azure Sphere provides a cloud-integrated way of managing and attesting device software and operating systems. Intended for devices that need an OS, Azure Sphere provides tools for secure boot and for ensuring only signed code can run. Pluton acts as an enhanced security watchdog, protecting keys and monitoring for changes in running software.
Sphere-based microcontrollers are now available from vendors like MediaTek and NXP, and offer standard ARM cores alongside the Pluton security processor. Sphere can be used in new devices or as “guardian” hardware, protecting existing IoT infrastructures and allowing non-IP hardware to interact with modern networks. This can also extend the life of ageing SCADA systems, allowing them to operate alongside newer control systems and adding security to devices that weren’t designed to work as part of internet-connected environments.
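The two ideas in the previous paragraphs, a boot chain that refuses to run unapproved code and a cloud service that attests what the device actually booted, can be shown together with a small measured-boot model. This is an added example, not Azure Sphere’s or Pluton’s implementation: the real platform checks signatures over each stage, while this model stands in a hash allowlist for the signature check and uses a TPM-style register (each stage’s SHA-256 is “extended” into the register as H(old || measurement)) to reproduce the attestation step. The stage images, the `boot`, `attest` and allowlist names are all constructed for the illustration.

```python
import hashlib

# Constructed boot-stage images; a real device would measure the signed
# bootloader, OS and application binaries.
RELEASE_STAGES = [
    ("bootloader", b"bootloader v1 (constructed)"),
    ("os", b"rtos kernel v1 (constructed)"),
    ("app", b"telemetry app v1 (constructed)"),
]
# Same chain with a modified application image, to show what tampering does.
TAMPERED_STAGES = RELEASE_STAGES[:2] + [("app", b"telemetry app v1 (tampered)")]


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM/PCR-style extend: the register can only move forward, so a stage
    cannot erase the record of what ran before it."""
    return hashlib.sha256(register + measurement).digest()


def golden_measurements(stages=RELEASE_STAGES) -> dict:
    """Computed at build time from the approved release images and held by
    the verifier (here it stands in for the signing-key check)."""
    return {name: measure(image).hex() for name, image in stages}


def boot(stages, allowlist, halt_on_unknown=True):
    """Measure each stage into the register before it runs. With the secure
    boot gate enabled, an image that is not an approved build halts the boot.
    Returns the final register value and the event log the device reports."""
    register = bytes(32)
    event_log = []
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)
        event_log.append((name, m.hex()))
        if halt_on_unknown and allowlist.get(name) != m.hex():
            raise RuntimeError(f"secure boot halted: {name} is not an approved build")
    return register, event_log


def attest(reported_register: bytes, event_log, allowlist):
    """Verifier side: replay the reported event log against the approved
    measurements and check that it reproduces the reported register."""
    problems = []
    replay = bytes(32)
    for name, reported_hex in event_log:
        expected = allowlist.get(name)
        if expected is None:
            problems.append(f"unexpected stage '{name}' in event log")
        elif expected != reported_hex:
            problems.append(f"{name}: measurement differs from approved build")
        replay = extend(replay, bytes.fromhex(reported_hex))
    if replay != reported_register:
        problems.append("event log does not reproduce the reported register")
    return (not problems, problems)


if __name__ == "__main__":
    golden = golden_measurements()
    register, log = boot(RELEASE_STAGES, golden)
    print("release build attests:", attest(register, log, golden))
    try:
        boot(TAMPERED_STAGES, golden)
    except RuntimeError as err:
        print(err)
```

The register is what makes the attestation trustworthy rather than the log on its own: a device that booted a modified application cannot present the approved event log, because replaying that log yields the release register, not the one the tampered boot actually produced.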
IoT Security solutions for your chosen approach
Microsoft’s IoT security strategy is an interesting one. You can pick an end-to-end approach from Azure RTOS hardware with built-in security agents or Azure Sphere devices, all the way up to Microsoft Defender for IoT and Azure Sentinel. However, you’re not locked into Microsoft’s ecosystem: tools like Defender can coexist with your current industrial IoT environments, adding to what you have in place while allowing you to bring in the rest of Azure’s IoT tooling.
That mix-and-match approach is one that makes a lot of sense. Organisations may have already deployed large fleets of IoT hardware but will want to add additional security, while new developments might want to jump to custom hardware that builds on secure processors. With a complete range of IoT security products, Microsoft Azure is ready to protect all types of IoT network.
Simon has had a varied career, starting with being part of the team building the world's first solid state 30 kW HF radio transmitter, writing electromagnetic modelling software for railguns, and testing the first ADSL equipment in the UK. He also built one of the UK's first national ISPs, before spending several years developing architectures for large online services for many major brands. For the last decade he's been a freelance writer, specialising in enterprise technologies and development. He works with his wife and writing partner Mary Branscombe from a small house in south west London, or from anywhere there's a WiFi signal and a place for a laptop.