Thank you all for joining us today. There have been a lot of questions in regards to, you know, the deployment of IoT and what that means and how do I get the data, or the most data, out of those demonstrations or those devices that are being connected to provide me information or to automate a lot of tasks. And the challenge with that, you know, is most people don't think about security as being part of that equation. And that's something that we're going to be talking about today in regards to what should be thought about in terms of security: what is the IT pro's role in securing IoT architecture, and what resources are available for the IT pro to utilize to ensure that the organization they protect from an infrastructure standpoint includes IoT in the conversation. Very excited to have Matt with me today, because Matt is a solutions architect, a senior solutions architect on the Defender suite for IoT. He's going to take us through a journey in terms of hands-on demonstrations of deploying and securing IoT devices in the field and what the IT pro should know in regards to securing those architectures. So Matt, thank you for joining me today.

Yeah, thanks for having me. This is really exciting.

First question I'm going to ask you: why should IT professionals get involved with IoT?

Yeah, it's a great question. You know, when we think of IoT, we usually think of the smart devices in our homes, but I also think about OT, or operational technology, and devices that sit on a factory floor or maybe in a utility company or a power plant, devices that actually run a business. And when you think about that, those devices might be susceptible to attack vectors. They might have vulnerabilities on them. And so when I think about how we secure those devices, a product called Azure Defender for IoT comes to mind. But the reason why IT should care is that traditionally these OT devices, right?
These water pumps or CNC machines or whatever they may be, they're traditionally air-gapped. They're disconnected from the enterprise network. They're disconnected from the internet. But over time, we're starting to see that there are significant advantages to the business in connecting those OT devices to the enterprise network and ultimately to the internet. And so that obviously opens up my attack surface and it opens up the door to risk. But that is a growing trend that everybody from a CIO to a CSO to an IT professional is now starting to look at. And so that's where we start to think about how do we secure that IoT and OT environment as this umbrella, if you will, of responsibility? So yeah, it's a great question.

So what's interesting, we mentioned Defender. And Defender is something that a lot of IT professionals are familiar with in regards to securing your architecture. And it's so great to have that extensibility to IoT and its architecture for that single pane of glass to understand what's going on in their architecture, because the new hybrid includes IoT devices on the edge, also capturing information, as you said, or automating tasks in the OT world. What resources are available to IT pros through Defender to ensure these devices are secured?

Yeah, absolutely. So Microsoft has a product called Azure Defender for IoT. And this thing's pretty incredible. We'll jump into some demos here in a moment. But when we look at this slide, it's really busy. There's a lot happening, but I'll kind of walk you through it. So Azure Defender for IoT, it's basically a sensor, and it sits on the network, whether it's through a network tap or a SPAN port on the switch, and it's doing deep packet inspection on all traffic going to and from those OT devices, whether they're sensors or programmable logic controllers or some kind of operational device. And it's looking at that network traffic.
It's looking to see what kind of packets are going to and from it, whether there's anything malicious or suspicious activity, so on and so forth. And so it's hands off, right? It's not being intrusive, it's just sitting there and listening on the network. And so that's able to then bring that intelligence back into a management console. We have these OT devices, and we'll go through a demo of that here in a moment, and I'll show you the reports and the alerts and everything you can pull up on that. Now, that is where we have an offline sensor. So I mentioned an air-gapped network. So this could be deployed in an air-gapped network. It's just a virtual machine or it's an appliance, so if you choose to go that route, you can sit there on that offline network and you can monitor it using the management console. Or you can have what's called an online sensor, and that connects it to the Azure cloud. And so then you could do integrations with Azure Sentinel and IoT Hub and other technologies up there in Azure to be able to get even more data analytics and be able to provide even deeper protection for the OT environment. And so what we're looking at here in this slide at the top is those cloud environments for being able to do all the security analytics and the business analytics, but then down at the bottom, that's the architecture of Defender for IoT. And over on the far left, there's an important concept we want to understand, and that's called the Purdue model. And I encourage everybody watching this, if you're not familiar with it, go out and do a little bit of homework and research on it. It's really important to understand, because this represents the OT network hierarchy, if you will, in the OT environment. And so if you think about that physical machinery, I mentioned like a CNC machine or a water pump, that's level zero.
And then you've got your controls, maybe those OT devices, those sensors that are monitoring those physical machines, that's level one. Level two might be, hey, you're in an operations center and you've got technicians watching water flow on those water pumps, as an example, and they're using those devices; that's your supervisory network. And then level three is your enterprise network, or user set: servers, printers. And if you understand that Purdue model, when you work with the Defender for OT technology, that allows you to then figure out, okay, where do I need to secure, what gaps do I have, and then where can I start mitigating some of that risk? So I'll kind of pause there, but there's a lot happening on the slide. But it's really exciting, because Microsoft is bringing this security technology to the OT world, which traditionally we didn't really have this, right? And it's been a little bit more of a challenge to secure that. So Anthony, should we jump into some demos and take a look at the product?

Yes, definitely.

All right, let me share my desktop then, and give me just one moment here to pull this up. I get really excited about this. So this is Defender for OT, and this is the management console that you sign into. And so I'm in my lab environment, I have one sensor, it's an online sensor. And when I log in, I've got a nice, beautiful dashboard here of things that are happening. Immediately I'm going to click on device map. And the device map is going to lay out a network topology of the environment. Now, remember this sensor, it's on a SPAN port on my network switch. And so it's looking at all traffic, doing deep packet inspection. So it's also discovering all devices on those networks. And so immediately it starts building out a Purdue model visualization of my network. So here you have my enterprise network, and that's where there's internet connectivity I found, and it found some other devices in that supervisory network we talked about.
Maybe it's an operations center or a technician watching critical machinery, and then process control would be where those OT devices actually sit. And what's cool about this is I can zoom in and I can view details about what it discovered. And so this might be beneficial if I'm sitting in a security operations center, or I'm just maybe an IT pro or a security pro that just wants to get deeper visibility into the OT network. And immediately when I zoom in, you can see some of these devices have some colors on them. And if we zoom in a little bit more, you can see that they have some alerts and there are some other details about them. But I can also see the lines being drawn. I can see, okay, what's the relationship between these different devices and how are they connected? And at any time I can right-click on these devices and look at the properties. I'm able to understand what this device is and be able to come in here and maybe say, hey, I authorized this, this device is supposed to be there. This is an expected device. That's important later, so keep that authorization in mind. But this allows me to just view some of these devices. If we come down here and look at some of these OT devices and I look at the properties of those, here we have a Siemens programmable logic controller, and I can view the backplane of it and the different slots in that hardware. And so I can view the version of the firmware. I can look at, what are these devices? I've got a MAC address, I've got all sorts of information, like what kind of protocols is it using? So this device map is extremely helpful in understanding what's on the network and then kind of being my point in time where I want to go out and investigate what's happening. And so lots of information can be derived here from this network map. And I can create different views, and I can slice and dice it, and I can even hide some of these networks.
So you can imagine, this is my lab environment, but you can imagine if this was a large production environment, you'd have hundreds if not thousands of devices here. And so over on the left side is where I can go through and set different filters. I can create device groups and really slice and dice them. The other view of this is the device inventory, and the device inventory gives me a table view instead of a map view. And the reason why this is important is you may need to find something in a pinch. You can set some filters here and even sort some of these columns, or you can just add new columns. And so, for example, remember I told you about those authorized devices? I could just add a column for "is authorized." And when I do that, I could scroll over to the right and I could just do a quick filter and say, show me all unauthorized devices, where "is authorized" equals false. And so now I've got a quick-and-dirty view here of just the unauthorized devices. The other reason why this view is important is I can export this. And so we'll give that a moment to process, but I can export it out to a CSV, and then I can import that into maybe my CMDB system. I can import it into, if I'm an incident responder, import it into that system through my triage. And that just goes out to a CSV file; maybe clean it up, put it into a nice report or PowerPoint deck. Now, if I'm using the on-premises management console, which is another server, and I'll talk more about that in a second, I can import data into this. So remember, the sensor's out there discovering the network, and it's listening to all traffic and it's building this view, but I can use the API here. I can import data into this table to be able to add additional devices if I need to. And so that could be handy as well. Now, when I first log into the management console here, into the sensor, you're probably going to want to go to alerts as well. What's happening in the environment?
And so immediately here in my environment, when I click on alerts, this allows me to see what we consider, if you will, important alerts: what's happening? And so we have different types of alerts: anomalies, policy violations, alerts where we discovered malware or some kind of malicious activity, operational alerts where maybe there are changes trying to be made on an OT device. And so what's interesting about this is I could immediately open up one of these alerts, and Defender for IoT will give me a nice description of what's happening, give me some context here around it. And then each one of these alerts will recommend some next steps and how to remediate that. Now, I could also click on these devices and it brings me back to the device map, and then I can see the relationship of those devices. And then from there, I can again view properties and I can drill into it and triage it. Now, if we go back for a second, the other interesting thing about this is at the top here I've got some buttons. I can download the packet capture file, or the PCAP file. Remember, the sensor is just monitoring all network traffic. And so if I wanted to here, I can download that PCAP file, open it up in Wireshark or my favorite tool of choice, and then be able to see full context around that packet capture: what was happening before, what was happening after. I can even export this alert out to a report, which we'll come back to here in a moment. So I can work with these alerts, I can pin them over to my pinned alerts, maybe those. Now, you probably saw a button here, and let me scroll down a bit so you can see this. You probably saw a button here called learn and acknowledge. So what this does is, the system is using machine learning, basically, to learn about the environment. And so if I tell it to learn, this tells Defender for IoT, hey, this is expected to happen. I'm authorizing this activity, this is normal. I want you to learn from it so I don't see that alert again.
So that's what learn does. And then acknowledge simply archives the alert, acknowledges the alert: hey, I'm done looking at the alert, I'm going to archive it because my triage is over. Now, here's an alert where we have a policy violation. This is where we had some kind of unauthorized program being uploaded to a programmable logic controller from perhaps maybe a suspicious device. Now, again, Defender for IoT, it's very intelligent, it's smart. It knows what OT protocols are, and it knows how to interpret OT commands being sent across these protocols. So here's where it took an excerpt of that packet capture, and it tells me immediately what's happening there. And then again, it gives me some remediation steps. So that's a little bit about working with alerts. And I can export these out, I can acknowledge everything at the same time if I want to. Even at the top, I've got some nice filters I can set where I can just do a free-form search and say, hey, show me all alerts, maybe for the S7 protocol from Siemens, and there you go. But what I really want to get to is reports. And so if we go down here to data mining, this is where I can create some custom reports that then show up in the reports view. In cybersecurity, it's all about the data. And so if I have the data available, I can get new insights into what's happening. I can build a better sight picture around what's happening and get more context. And so the sensors collect a lot of data. So being able to harness that is key. And so I can come in here and click on the plus sign and I can create custom reports. Now, the challenge is you have to know what you're looking for, right? But if you have an idea of what you're looking for, you can come in here and choose between just a multitude of categories here, and I can build some custom reports and add some filters. So, for example, maybe I might want to scroll down here and see, hey, show me all devices that are using plain-text passwords.
So I'm going to choose that, and then maybe I can add some filters here. Maybe filter it to specific networks or specific devices. That could be an interesting report: devices using plain-text passwords. Another common one I see a lot of organizations doing is CVEs. So I'll show you an actual report of this here in a second, but being able to identify all vulnerabilities with these OT devices, that could be critical as well. So building these reports can be extremely powerful. In fact, let me pull up the CVE report. So we just double-click on it. Here is where it discovered some devices in the OT environment and it said, well, wait a second, there are some known vulnerabilities here. It gives me the CVE number. It gives me a nice little description of that vulnerability. I can then export this out to a CSV, maybe clean it up, put it into a report. And so it makes a nice way for me to just do kind of a health check, if you will, on the environment. So these reports can be extremely useful. What else is really useful is trends and statistics. So take that reporting concept to the next level. This is awesome. So this is where I can create custom dashboards based on different types of data and add what we call widgets to that dashboard. So I click on add widget here. You have 45 different widgets you could choose from. And so I could slice and dice this however I like. So maybe I might want to see, hey, show me all traffic by port. And so that brings up a nice little visualization. I can click on this and kind of separate it and do my filter. I can even click on the funnel icon here and go back in time if I want to. But that might be critical for me to understand, hey, what kind of traffic is going across this OT environment? I once saw an organization that had a lot of FTP traffic taking place, and that turned out to be something suspicious. So you never know what you can get when you start looking at these different reports.
And so my favorite ones here are just, hey, devices by operating system. What are you seeing out there? Devices by vendor. So trends and statistics, and being able to add these widgets and create custom dashboards, can be critical. Now, one of my other favorite ones here is, if I go to event timeline, being able to understand what's happening before a potential incident and being able to understand what's happened after a potential incident. And so the event timeline just kind of puts everything together in chronological order. And so we're going to go back in time here in a second and, oops, I want to choose July 1st, not today. I'm going to go back and choose that again: July 1st at 8 a.m. And so we're going to go back in time a little bit and we're going to look at what happened on July 1st. Well, actually, on June 30th, it looks like it discovered something suspicious, where a new device was detected on the network. And I can kind of follow the breadcrumbs here. Hey, I detected this new device, and then look at that, this new device that it detected is sending some kind of programming change to a programmable logic controller. And if I click on more, I can view a little bit more about that, and I can even click on the alert to go out to it. And then here's the actual programming change on the right. So that might be suspicious from this new device. There's a script that it's trying to install. And in fact, I can even click on programming timeline and see exactly what it was doing. So I wish I had you guys all day, because I would love to go into this with you, because it's a great story. But that can be extremely useful when trying to figure out, okay, what is this suspicious device doing, making a change on this OT device? So using the event timeline helps me correlate, you know, what happened before, what even happened after, and just build a better, you know, hypothesis of what might be happening with this incident. So that's really cool.
Two more things here, and then we can start to wrap up. Over on the left side, I get really excited about the risk assessment. So again, this is the OT environment. A lot of these OT devices have been in production, right? And even in an air-gapped network, with mission-critical devices, you can't really update them. It might be life-threatening to do so. It might be severely business-impacting if you update them. And so being able to run an assessment report, which I already have one of up here, allows me to understand where the risk sits in this environment. Now, what's really cool about this is I can customize the logo up here. I can add maybe my company's logo, or if I'm a consulting firm, I can add my logo. Maybe this is part of a deliverable I give my client. But it gives me a score from zero to 100% on my security posture in the OT environment. And then it gives me a high level here around how many devices we discovered, which devices are vulnerable, which devices might need improvement. And just a nice 20-page report here all about this, with a nice executive summary. And then it starts to go into all the different devices. Now, what's interesting about this is, if you scroll down, this will give you recommendations on how to mitigate these findings in this risk assessment report. It will give you a list of things like, here's all the terminology that we use, very in-depth. And then it starts to go into, hey, here are your top vulnerable devices. These are vulnerable because we're seeing some alerts on these; we're also seeing some vulnerabilities, or CVEs, on these as well. And so this might be just a great report to run and then work with your leadership team on: hey, we need to mitigate some of these findings. Let's build an action plan and a strategy to get that done. So the risk assessment's pretty awesome. The last thing I want to show you here, and then we'll pause for a second, is attack vectors. I get really excited about this.
So remember, the sensor is discovering basically everything on the network. And so because it's discovering it, it understands what protocols it's using, it understands who it's communicating with, what it's doing, attributes about it. And so you can simulate attacks with those devices to almost run a what-if. Hey, what would happen if this device got compromised? And so when I come in here and run a simulation, I can tell it, hey, here's the source device that maybe got compromised. And then the attacker might want to attack this target device. Or I could just say, hey, all devices, all source devices and all target devices in the environment. And this is unobtrusive. It's not going to actually go out there and simulate an attack. It's just modeling, if you will, based on its knowledge. And so here's a great example. We have a workstation that, if it got compromised because of a known vulnerability, that workstation has a direct network connection to an OT device. And that OT device has an outdated operating system, leading to further compromise. So that just simulated an attack vector that I might want to go out there and build an action plan to mitigate. So attack vectors can be extremely useful in being able to get this going. Now, to set up Defender for IoT, just at a high level: again, you have an online sensor and an offline sensor, depending on your network requirements and which one you go with. But you can either download it as a virtual machine, and you just download it right out of the Azure portal, or you can purchase an appliance that has it preloaded from a vendor. And so it just kind of depends on the requirements that you have and which route you want to go. But as you can see, this is amazing technology. And when we think about how to protect our OT environment, this can be critical to helping us get awareness and then helping us build an action plan to further build that security posture and lower that risk. So Anthony, I'm going to pause for a second.
What do you think?

Matt, it's awesome. A lot of the dashboarding and reporting that you shared is what we as IT pros see in the architectural world for defending VMs and resources inside of Azure and on-premises in the hybrid world, which is really good. So it's something where it's easy to jump on and to take advantage of to secure an environment as a whole, including IoT devices. What resources are available to further understand the threats that are coming in and analyze what's actually happening?

Yeah, great question. So I mentioned the offline sensor is like an air-gapped network. But if you go with the online sensor, you can connect it to Azure, which then you can integrate with something like Azure Sentinel, Microsoft's cloud-native SIEM. And so this is important, because now we're going to bring in signals from Defender for IoT, mix that with signals from maybe firewalls and servers and other security products and solutions, to be able to get a better sight picture and more context around what's happening. And so here we are in Sentinel, where I've integrated Defender for IoT, and immediately I could start pulling up those same alerts that you saw before in the management console. And then from here, I can just go in and I could start doing my full triage. And if this was a production environment, I can sit here and look at those alerts from Defender for IoT, but then again, I can mix those with other, perhaps related, alerts from those other security tools. And then being able to run reports on this and build custom dashboards, and then think about all the business analytics and collecting data from these devices. I could even then maybe start looking at predictive maintenance of these OT devices by being able to use this data that it's collecting. So being able to integrate this with Azure services like Sentinel can be extremely useful, and even be able to help build a business case for why we might want to change how we architect our OT environment.
Matt, this was awesome. We have two more minutes left. Matt, what is the one thing you would want to tell IT professionals on how to get started? Where would they start in all this journey?

Yeah, I'm going to give you two resources. One, the Ninja training. Microsoft has made some significant investments in what we call Ninja training, that has videos and it has documentation, all the things you need to learn about to understand this solution. And so we'll put a link there in the resources for the Ninja training, but it's an excellent resource. And then the second resource is being able to go out there and get hands-on: register for the trial, kick the tires on it, and be able to follow what you learned in the Ninja training and get hands-on. And then just some recommendations to think about: if your organization runs OT devices on an OT network, or maybe you're working with one of your clients that has it, start asking those questions. How are we securing that? What are the risks? What's our action plan? And remember, this solution, it's not intrusive. All it does is listen to those packets on the network and perform all this great analysis. And so you never know what you can find, but now's the time to start thinking about how do we secure the OT environment and build an action plan. So Anthony, thanks for having me. This was a lot of fun. I wish we had all day, because there's so much to talk about, but thanks so much, appreciate it.
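Added example, not part of the webinar and not Microsoft's code: a small Python model of three things Matt walked through in the console, the Purdue-level device table that a passive sensor builds from observed traffic, the "is authorized = false" inventory filter (and the June 30th story of an unknown host pushing a program to a PLC), and the attack-vector "what if" that reasons over known connections and findings without sending a packet. Everything in it is constructed: the TEST-NET and private addresses, the flow tuples, the authorized list and the free-text "findings" that stand in for the sensor's CVE and outdated-OS data. The real product does deep packet inspection on a tap or SPAN port; this starts from flow tuples so it runs offline.

```python
"""Toy model of passive OT discovery, authorization filtering and attack-path
modelling. All addresses, flows and findings below are constructed sample data."""
from collections import deque

# (client_level, server_level) per protocol. A device answering S7comm or Modbus
# is a controller (Purdue level 1); the device sending those commands is
# supervisory (level 2); ordinary enterprise traffic is level 3 on both ends.
PROTO_LEVELS = {
    "s7comm": (2, 1), "modbus": (2, 1),            # OT control protocols
    "vnc": (3, 2), "rdp": (3, 2),                  # remote access into the supervisory layer
    "https": (3, 3), "smb": (3, 3), "dns": (3, 3), # enterprise traffic
}
OT_PROTOCOLS = {"s7comm", "modbus"}

# Constructed flows as a SPAN-port sensor would see them: (src, dst, protocol, dst_port).
FLOWS = [
    ("10.0.3.10", "203.0.113.7", "https", 443),   # workstation -> internet
    ("10.0.3.10", "10.0.3.50", "smb", 445),       # workstation -> file server
    ("10.0.3.10", "10.0.2.5", "vnc", 5900),       # workstation -> HMI
    ("10.0.2.5", "10.0.1.20", "s7comm", 102),     # HMI -> Siemens PLC
    ("10.0.2.5", "10.0.1.21", "modbus", 502),     # HMI -> second PLC
    ("10.0.3.99", "10.0.1.20", "s7comm", 102),    # unknown host programming the PLC
]
# Constructed allow-list: the devices an operator has marked as authorized.
AUTHORIZED = {"10.0.3.10", "10.0.3.50", "10.0.2.5", "10.0.1.20", "10.0.1.21"}
# Constructed findings standing in for the sensor's CVE / outdated-OS data.
FINDINGS = {
    "10.0.2.5": {"outdated operating system"},
    "10.0.1.20": {"firmware with known advisory"},
}


def build_inventory(flows):
    """Derive a device table (protocols, peers, Purdue level) from observed traffic."""
    inv = {}

    def dev(ip):
        return inv.setdefault(ip, {"protocols": set(), "peers": set(), "level": None})

    for src, dst, proto, _port in flows:
        c_level, s_level = PROTO_LEVELS.get(proto, (3, 3))
        for ip, level in ((src, c_level), (dst, s_level)):
            d = dev(ip)
            d["protocols"].add(proto)
            # The lowest level a device is seen at wins: a host that browses the web
            # and also programs a PLC belongs to the control layer, not the office.
            d["level"] = level if d["level"] is None else min(d["level"], level)
        dev(src)["peers"].add(dst)
        dev(dst)["peers"].add(src)
    return inv


def unauthorized_devices(inventory, authorized):
    """The 'is authorized = false' filter from the device inventory view."""
    return sorted(ip for ip in inventory if ip not in authorized)


def unauthorized_ot_commands(flows, authorized):
    """Control-protocol traffic originating from a device nobody has authorized."""
    return [f for f in flows if f[2] in OT_PROTOCOLS and f[0] not in authorized]


def attack_paths(inventory, findings, source, target):
    """Enumerate pivot chains from `source` to `target` over observed connections.
    A hop is only usable if the next device has a finding an attacker could exploit.
    This is graph reasoning over captured traffic; nothing is sent to any device."""
    paths, queue = [], deque([[source]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for nxt in sorted(inventory[path[-1]]["peers"]):
            if nxt in path or nxt not in findings:
                continue
            queue.append(path + [nxt])
    return paths


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for ip, d in sorted(inv.items()):
        print(f"{ip:14} level {d['level']}  {sorted(d['protocols'])}")
    print("unauthorized devices:", unauthorized_devices(inv, AUTHORIZED))
    print("unauthorized OT commands:", unauthorized_ot_commands(FLOWS, AUTHORIZED))
    for p in attack_paths(inv, FINDINGS, "10.0.3.10", "10.0.1.20"):
        print("attack path:", " -> ".join(p))
```

With the sample data the workstation reaches the PLC only through the HMI, because the file server has no finding to pivot on, and the unknown 10.0.3.99 shows up both in the unauthorized list and as the source of an S7comm flow to a controller, which is the kind of event the timeline story was about.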