Securing your IoT Application with Azure Security Center

In this new episode of the IoT Show we're going to talk security for IoT applications. Efim is part of the Azure security team, actually one of the top architects, and will tell us all about what you need to know, whether you're OT or IT, to secure your Azure IoT application.

Olivier: Hi everyone, this is the IoT Show and I'm Olivier, your host. Thanks for coming and joining us. I have Efim Hudis with me. Efim is an architect in the Azure Security Center team, and we're going to talk security. Efim, thanks for joining us on the show today.

Efim: Sure, thank you.

Olivier: Do you want to elaborate a bit about who you are, your role, and what your team is doing?

Efim: Yeah. I've been in Microsoft for many years, most of them working on security. For the last four, five years I've been focusing on Azure security, being chief architect of Azure Security Center, and for the last year or so I've been diving into IoT security, running a team that develops what we are announcing today: our extension of what we created in Azure to IoT. I'm sure we will come back to you with all kinds of dive-ins and explanations and so on; it's a very rich product. But today I wanted to start with explaining our goals and our understanding of what is important for IoT security, and from that people hopefully will understand why we created this product in a certain way.

Olivier: Awesome. So Azure Security Center is an awesome tool for monitoring and making sure your applications in the cloud are secure. IoT brings this new part which is outside of that realm of cloud: the devices. Very often people think of IoT security as "I need to secure that device so it's not hacked, and I need to make sure that the data is what it says it is." How are you approaching security for an IoT application?

Efim: The first thing I normally tell my customers when I talk to them is: for us, IoT security is not equal to the security of your device. The security of your devices is part of it, but what you really need to think about is the security of your solution, and your solution is much more than just devices. If you don't mind, and people can see this, this is just the announcement that we are extending our offer, but the point is why we are extending and not talking only about device security.

Olivier: That's exactly the question.

Efim: And the reason why we are extending and not talking only about the security of the devices is in this picture. This is essentially a representation of any IoT solution built around the hub. You can actually take this picture and apply it to non-Azure hubs and so on; it will look the same. The point is, when you look at it as a security expert and you do what is called threat analysis, you understand that the security of the device is a small part of it. You can have a solution with absolutely secure devices and no security whatsoever as a whole. If I would like to look at this and pretend I am a hacker, I would not necessarily start by hacking into one of the million devices that you have. I might attempt to hack into your storage, your database, which is already there, and if not, maybe into the processing, into the compute, and if not, maybe into the hub itself. The hub is a very important, sophisticated service that we have; if you didn't configure it correctly, if you don't use it correctly, if you don't monitor it, it can be hacked, and if I was a hacker on your hub there is no need for me to hack devices.

Olivier: Yes.

Efim: So that's our starting point. From the security perspective we looked at this picture and said: what do we need to build for our customers to make sure they understand the security of their solution end to end, they control it, they monitor it, all of that. Based on this understanding of what IoT security is and what is important to execute, here are the goals that we set. We want to enable our customers to see in one place the end-to-end security state of their solution, from the application, from devices, to edge devices, to the hub, to all the compute, storage and so on, because they own it. Everything that belongs to it is in their mind, because they built it; they understand which part belongs to the IoT solution and which is something else. Now, in this unifying end-to-end view we will show two types of things. One is, by analyzing the way they use the hub, the way they use compute, the way they use devices, we will provide them with a set of what we call recommendations. If you follow these recommendations you will make your IoT solution more secure, more hardened. That is the set of recommendations. And then we will constantly monitor real-time events, again across all of your solution, from devices to Azure, and will produce a set of what we call actionable alerts: understandable, actionable alerts where we say, based on everything that we see, this part is potentially under attack, this part is potentially compromised.

Olivier: Could it be something like, hey, you're seeing a pattern changing abruptly in telemetry, for example, or a device that's been sending at a low frequency suddenly starts sending a lot of data?

Efim: Let me give you some examples, both for the recommendations and for the alerts. Some recommendations are straightforward for people to understand, let's say a device that is misconfigured; we have several baselines of how a device should be configured to be secure. But some other recommendations are not so obvious to some people. For example, if you have 20 administrators of your hub and only 2 of them are active, you are not secure. This is one of the biggest issues that people have: having too many administrators. So this is a less obvious recommendation that you will see, on the left side. Some of the alerts that you will see are quite obvious: a device that is communicating with an IP address that we know is part of a botnet. Microsoft has one of the largest threat intelligence apertures in the world. We see a lot of things. We have an entire team of people that look for common threats and constantly update how our alerts fire and when they fire.

Olivier: That's interesting, because we're basically working based on knowledge, like decades of securing... not only is it based on the knowledge, but it's constantly updated.

Efim: So when I talk to you and tell you that we are going to ship with 40 built-in alerts, this doesn't mean that these alerts are shipped and forgotten. It means that we have a team of people constantly updating the algorithms of when to fire alerts. So algorithms are running, but people are updating the algorithms. So I showed some examples of recommendations; here are some examples of alerts. Again, something like a device connected to a bad IP, or what we call unknown or suspicious applications or command lines running on those devices. Coming back to a previous example: if we see an administrator that never did a certain action suddenly wake up and do it many times, this is suspicious. Of course, if you had followed the recommendation and reduced the number of unnecessary administrators it might not happen, but again, security is all about layers. You need to follow the recommendations to be as secure as possible, and after that you need to monitor what's going on constantly. So this is our main goal and our main view on what is important for IoT security. Next I'm going to switch and show you a little bit of UX. Actually, we have two types of UX, and I'm going to explain why we have two and what they are.

Olivier: Let's jump in. I like it.

Efim: So here we are in the IoT Hub portal, and what you will see starting today, when we go public, is essentially a new section in the hub portal called Security. You touch Security, you start with an overview, and what you see is what I told you: you see a set of recommendations and a set of alerts. You see two sets here, and the point is that an IoT solution is a funny thing: you might have, let's say, a hundred resources in Azure, but you might have a million devices, so putting these numbers together doesn't make sense. So we separated them, so it will be easier to see how many alerts and recommendations you have about devices and how many alerts and recommendations you have about resources, but in principle this is a view on your entire solution. Now, the first question is: what is my solution? Some things are obvious; the devices connected to this hub are definitely part of your IoT solution. But others are less obvious, and to control and define what your solution is you go here, to what is called Resources. What you see here is what I already defined as part of my IoT solution. It is divided into two parts. One part is the resources that we automatically identify as part of your solution; for example, the subscription to which the IoT hub belongs is important, but also it's easy to understand that the storage or the event hub that is connected to the hub is part of it, because you configured it explicitly. Some other things are up to the customer to define: which compute, which VM scale set, which storage or database and so on, and you can easily define it here. You want to add a resource: you pop up here all your resources, click Add, and you've added the resource. Sometime later maybe you need to remove a resource: you go here, remove the resource, and it is done. So here is where you define your knowledge, your definition of what your IoT solution's boundaries are. Now, this is a very simple concept, but for a security person it's huge, and it is huge because it actually doesn't exist until now. Until now you have people in OT sitting, in the best case, looking only at the health and at what is coming from the devices. So you could have these OT security people sitting in front of a dashboard saying "well, I'm fine, everything green, everything perfect", having no idea that the connections that they know exist between this hub and some storage end up in a storage that right now has an alert about it. But you can see now, once you define the solution, if you go into Alerts you will see a list of alerts across your devices, your hub and the resources in Azure that you just defined. You can understand what this alert is about; you can understand, if it's about devices, what devices the alert is about, and if this is a resource in Azure, what resource in Azure. The same here: you have a list of recommendations. Again, this is anchored inside IoT Hub and it's built for IoT people. It is important for you to know not only the security state of your IoT part but also the security state of everything that is connected to it, and here is where you can look at it.

Olivier: Assume that you read the recommendations and you apply whatever is recommended; you'll see the metrics change and become green.

Efim: Exactly.

Olivier: Is there a way to say, I know that this situation is specific to me, so I'm going to approve that, or say it's okay?

Efim: Yes, there are several ways in which you can adapt what we show to what you have. One way is to come and configure: indeed, this recommendation I want to change, I don't want it, it's not applicable to me, for example. You can also, and we will dive into it maybe some other time, control which alerts we produce in your environment and which not. And one thing I want to show today, because it's related to this: as I said, we are going to ship this number of alerts, which grows over time, about 40 built-in alerts, built-in types of alerts, in which we discover different types of attacks. But it is also possible that you, as an OT person who understands your particular solution, know something that we cannot know about you. So what we did, we created a set of about 20 customizable alerts, and you can define them here. You can define a group of devices, because you know it's applicable for this group but not for another group, and inside this group of devices you can go and add a customized alert. So there is a list of these customized alerts; you can open it up, give it a name, create a minimal threshold, a maximum threshold, how often, and so on, and say: for this group of devices I want to be notified when... And what you will find here is a bunch of things that you can configure specifically for your devices, for your solution: how many times the device connected to the hub, from what IP it connected (so if it suddenly connects from a different IP or a PC you didn't define, you will get an alert), how much data it sent, and things like this. So these are customizable alerts. Now, this is what we created for OT security. Now let's switch gears. As I told you, I worked for the last four, five years on Azure security, and when we go to Azure Security Center...

Olivier: It's typically a tool that is more used by IT guys, right?

Efim: Yes. So in enterprise IT security today, if you ask me what the biggest problem is: you can have your IT security personnel or your security analyst sit in front of their dashboard and see everything green.

Olivier: Exactly.

Efim: Yes. And today it's practically impossible to find an enterprise in which your IT security people are even aware of what's going on in the OT part. It might have been acceptable 20 years ago, but today it's not: A, because IoT is everywhere; B, because these two are not separate. You might think that they are separate, but they are not. The whole point of what we are building around IoT Hub is exactly the same as IoT Hub itself: it's the thing that connects your devices to your IT. I like to call it a gateway.

Olivier: Yes.

Efim: But it's a gateway between these two. So if you are a customer of IoT Hub you cannot say anymore that OT is something completely separate that you should not be aware of, because there are connections. So based on this, what we did is essentially introduce this view of recommendations and alerts about the OT part, about the hub, about the devices, inside the general view of ASC. So we are surfacing it here so that IT people are at least aware. They might not have the knowledge or expertise to address some of this; they might call in OT. And if you ask me, a couple of years from now, if you are an IT security person or an IT security analyst and you don't understand IoT, you're a bad security analyst.

Olivier: Yes, so the two are coming together.

Efim: Yes. You cannot want to live separately.

Olivier: And you make it something which is by default with Security Center: basically you connect these two worlds seamlessly.

Efim: Exactly, yes. So in ASC now, this is the main part of ASC that you are looking at. In ASC now, if you go into Recommendations, you have a prioritized list of recommendations across your IT, which includes all of your IoT solutions as well. So you will see here MFA for administrators, but also IoT devices and so on, and you can first of all go over this prioritization and understand: I have something important to do in my IoT part now. The same thing if you go into Alerts: now you see, in one place, again prioritized, alerts across your IT and OT environment. I can't stress how important it is, both for me as a security person to give customers this view and to explain to them how important it is for them to connect these two. It's probably, if you ask me, the most important thing that we did here in terms of concept: it is this part.

Olivier: Yeah, enabling people to understand the security from the device to the last resource they are using inside Azure.

Efim: Yes. But in essence, what we did is several things. We built on top of what we already have in ASC, reusing as much as possible, but we added several things. We added deep understanding and deep monitoring of the hub itself. This was a very important effort; it's a very sophisticated service with many options, and people need to understand how to make it secure and monitor it constantly. And then we also extended our aperture of signals that we can receive to the devices themselves. Regarding the devices, we do several things. First of all, we are monitoring the way a device connects to the hub. We have internal logs that we mine, if you wish, or monitor, and we can understand a lot from these internal logs: we can understand from what IPs they are coming, what certificates they are using, what communications they are using, what methods they are using, and so on. So even without additional information that we might encourage you and enable you to send from the device, we can provide you with a set of recommendations and alerts about the device. Now, in addition to this, we are capable of receiving events and information from the devices themselves, and what we did on this part are several things. We created several agents, which are open source. You can take them as a package and deploy them on your device if it fits your device, or you can just look at the source, take the part that you like and leave the part that you don't like, and so on, and create your own. You can write your own agent from scratch. It's very simple: all we did essentially is take the IoT Hub SDK and extend it with one single API, "send security data".

Olivier: Simple. It's implicitly saying that security doesn't need to be complicated.

Efim: Exactly. And what happens is, we publish a set of schemas, so what type of messages we understand, and the moment that you send a properly formatted message using this API, this message will automatically be routed to our service. So if you know how to send messages, because you built something around IoT Hub, you know how to do this. What will happen is that this message will be routed to our service, and we will process it into more useful information, recommendations and alerts. This message, because it is a security message, will not be counted as part of your IoT hub messages; we will understand that this is separate.

Olivier: We will bill it separately?

Efim: No, no, no. And so this way you can create your own agent, or if you want you can extend your application: if you don't want to create a separate standalone agent, or maybe it's not applicable, you can create a part of your application that from time to time wakes up and sends us information. You can of course control how much data you send, either by writing your own agent or, if you're using our agent... Our agent is an example of how we think you should write an agent. So it has a generic part that knows how to communicate with the hub, whether to batch messages or not, how to send them and so on, and then it has a provider part which is unique for a specific OS. So we currently have three providers, for Ubuntu, Debian, Windows IoT Core and so on. You can extend it to anything you want; you can take the generic part, or you can replace everything. Everything is possible. There are only two other points and I'll stop here. I think it's enough for the first time.

Olivier: Yes.

Efim: So, two things, I promise, the last two things, otherwise I will stay here for an hour.

Olivier: Very good, I like it.

Efim: Azure IoT Edge devices: this is a very unique offer, I love this thing, and for them we created a different variant of the agent. Yes, we do recommend that you just use this agent. It is a containerized agent, so you can deploy it easily, in any way that you can deploy any other module. Second, it is available in the marketplace; you just pick it up and deploy it any way you want. What it does essentially, once you deploy it, is monitor both the underlying OS, the Docker itself, and the communication between the containers. So you install it today, and you will see recommendations about the CIS baseline of Ubuntu and the CIS baseline of Docker and so on. And finally, one more thing: if you are in the security business you heard our announcement, what was it, a week or two ago at RSA, about Azure Sentinel, our cloud-based SIEM. If it is important to you, and I think it should be, everything that we do here is seamlessly integrated into it. So the data that we collect, it's your choice of course, but by a simple "yes" it can be put into Log Analytics workspaces, from which it is accessible directly by Sentinel. So if you want to use Sentinel, essentially a SIEM, you will have data from your OT part, data from your IT part in Azure, data from your on-prem part, because that's what Sentinel can do, and you can then pivot and investigate across all this huge amount of data.

Olivier: Yes, resources, yes.

Efim: So all this, for this part, is essentially free in terms of the integration; you don't need to build something special for this type of integration.

Olivier: So you go all the way: the UI for OT adapted to IT is there, there is that connection between the two worlds, the agents are open source for people to adapt... I'm thinking about a scenario we were talking about: I have these little sensors that will detect that my device has been tampered with, was opened; the message goes to Security Center and I can validate, yes, my maintenance guy in OT actually was doing maintenance, it's normal or not.

Efim: We have a built-in alert, "physical access".

Olivier: Great. What's left for developers?

Efim: Security never ends. We will never stop developing more analytics and introducing more alerts if needed, and you should never stop thinking about how to make your particular solution more secure. Hopefully what we released today will help you.

Olivier: Yeah, IoT is not an exception, far from it, when it comes to all of that. Efim, that was a very insightful introduction to the IoT extension for Azure Security Center. I look forward to having you back for more in-depth looks into the various features.

Efim: Will do.

Olivier: And you guys know what you have to do: learn more following the links down here, and give it a try, because there's no reason you shouldn't, naturally, if you've not been convinced. I have. Thanks for watching the IoT Show and see you soon. Thanks, Efim.
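The customizable alerts Efim describes (a minimum or maximum threshold on how often a device connected to the hub, from which IPs, and how much data it sent, scoped to a group of devices) and the "too many inactive administrators" recommendation, written out as detection logic over constructed hub connection records. This is an added example, not code from the show or from Azure Security Center for IoT: the event fields, rule names, device names, IP ranges and thresholds are all assumptions made for the illustration, and the service's real alert schema is not reproduced here.

```python
"""Added example (not from the IoT Show or Azure Security Center for IoT).
Models the interview's 'customizable alert': a rule scoped to a device group with
a min and/or max threshold on a per-device measurement over a time window. All
event shapes, names and thresholds below are constructed for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class ConnectionEvent:
    """One hub-side connection record (constructed shape, not a real IoT Hub log)."""
    device_id: str
    timestamp: datetime
    source_ip: str
    bytes_sent: int


@dataclass
class CustomAlertRule:
    name: str
    device_group: Set[str]                # the rule applies only to these devices
    window: timedelta                     # look-back window per evaluation ("how often")
    measure: Callable[[List[ConnectionEvent]], int]
    min_threshold: Optional[int] = None   # alert when value < min
    max_threshold: Optional[int] = None   # alert when value > max


@dataclass(frozen=True)
class Alert:
    rule: str
    device_id: str
    value: int
    detail: str


# Measurements a rule can be built on; each receives one device's events in the window.
def connection_count(events: List[ConnectionEvent]) -> int:
    return len(events)

def distinct_source_ips(events: List[ConnectionEvent]) -> int:
    return len({e.source_ip for e in events})

def total_bytes(events: List[ConnectionEvent]) -> int:
    return sum(e.bytes_sent for e in events)

def connections_outside(allowed_cidrs: List[str]) -> Callable[[List[ConnectionEvent]], int]:
    """Build a measurement that counts connections from IPs not in the allow-list."""
    nets = [ip_network(c) for c in allowed_cidrs]
    def measure(events: List[ConnectionEvent]) -> int:
        return sum(1 for e in events if not any(ip_address(e.source_ip) in n for n in nets))
    return measure


def evaluate(rules: List[CustomAlertRule], events: List[ConnectionEvent], now: datetime) -> List[Alert]:
    """Apply every rule to every device in its group; devices with no events are still checked."""
    by_device: Dict[str, List[ConnectionEvent]] = defaultdict(list)
    for e in events:
        by_device[e.device_id].append(e)
    alerts: List[Alert] = []
    for rule in rules:
        for dev in sorted(rule.device_group):
            recent = [e for e in by_device.get(dev, []) if now - e.timestamp <= rule.window]
            value = rule.measure(recent)
            if rule.max_threshold is not None and value > rule.max_threshold:
                alerts.append(Alert(rule.name, dev, value, f"above maximum {rule.max_threshold}"))
            elif rule.min_threshold is not None and value < rule.min_threshold:
                alerts.append(Alert(rule.name, dev, value, f"below minimum {rule.min_threshold}"))
    return alerts


def stale_administrators(last_active: Dict[str, Optional[datetime]], now: datetime,
                         inactive_after: timedelta = timedelta(days=90)) -> List[str]:
    """Recommendation-style check: hub administrators with no activity in the period."""
    return sorted(name for name, seen in last_active.items()
                  if seen is None or now - seen > inactive_after)


# Constructed sample data: one hour of hub connections for a "pumps" device group.
NOW = datetime(2019, 3, 28, 12, 0)
PUMP_GROUP = {"pump-01", "pump-02", "pump-03"}   # pump-03 has been silent
SAMPLE_EVENTS = (
    [ConnectionEvent("pump-01", NOW - timedelta(minutes=10 * i), "10.0.0.5", 400) for i in range(3)]
    + [ConnectionEvent("pump-01", NOW - timedelta(days=2), "10.0.0.5", 400)]          # outside window
    + [ConnectionEvent("pump-02", NOW - timedelta(minutes=4 * i), "10.0.0.6", 450_000) for i in range(11)]
    + [ConnectionEvent("pump-02", NOW - timedelta(minutes=1), "203.0.113.7", 1_000)]   # unlisted IP
    + [ConnectionEvent("gw-01", NOW - timedelta(minutes=2), "203.0.113.9", 10)]        # not in group
)
HOUR = timedelta(hours=1)
SAMPLE_RULES = [
    CustomAlertRule("Too many connections to hub", PUMP_GROUP, HOUR, connection_count, max_threshold=10),
    CustomAlertRule("Device silent", PUMP_GROUP, HOUR, connection_count, min_threshold=1),
    CustomAlertRule("Connection from unlisted IP", PUMP_GROUP, HOUR, connections_outside(["10.0.0.0/8"]), max_threshold=0),
    CustomAlertRule("Connections from multiple IPs", PUMP_GROUP, HOUR, distinct_source_ips, max_threshold=1),
    CustomAlertRule("Excess data sent", PUMP_GROUP, HOUR, total_bytes, max_threshold=1_000_000),
]
SAMPLE_ADMINS = {"alice": NOW - timedelta(days=3), "bob": NOW - timedelta(days=200), "carol": None}


def run_sample() -> List[Alert]:
    return evaluate(SAMPLE_RULES, SAMPLE_EVENTS, NOW)

def run_admin_sample() -> List[str]:
    return stale_administrators(SAMPLE_ADMINS, NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule}: {a.device_id} value={a.value} ({a.detail})")
    print("inactive administrators:", run_admin_sample())
```

The device group is what keeps a rule from firing on devices it was never meant for (the gateway `gw-01` connects from an unlisted IP but is not in the pump group), and evaluating every group member rather than only devices that produced events is what lets a "device silent" minimum threshold catch `pump-03`.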

One Comment

  1. 河端善博 said:

    Nice. Please, with Azure Security Center in Azure IoT Center, to secure more.

    June 29, 2019
