Microsoft Configuration (ATT&CK Evaluations for ICS: TRITON)

Product Versions

  • Azure Defender for IoT version: 10.0.3
  • Azure Sentinel

Description

Azure Defender for IoT offers agentless, network-layer security for ICS environments that is rapidly deployed (typically less than one day per site); works with diverse OT automation equipment, including proprietary embedded devices and legacy Windows platforms; and integrates with Azure Sentinel and other SOC tools such as Splunk, IBM QRadar, and ServiceNow. It can be deployed fully on-premises, Azure-connected, or in a hybrid model in which all monitoring is performed locally, sensors are provisioned and managed from the cloud, and selected alerts are forwarded to a cloud-based SIEM.

Event timeline generated by ICS-aware behavioral analytics in Azure Defender for IoT, showing the sequence of events leading to the adversary inserting a backdoor into the safety PLC via PLC Program Upload.

Discover and map all your ICS devices

Use passive monitoring to gain a complete inventory of all your ICS assets, with zero performance impact on the control network. Analyze diverse industrial protocols to identify device details including manufacturer, type, serial number, firmware level, and IP/MAC. Visualize your entire ICS network topology, see device communication paths, and quickly identify the root cause of operational issues such as misconfigured devices.

“As is” network map automatically created via passive monitoring, arranged using the Purdue Model. Right-click on devices to see device details such as device type, OT vendor, protocols, IP/MAC, and when the device was last seen on the control network.

Protect devices with risk-based vulnerability management

Proactively address vulnerabilities in your ICS environment. Identify risks such as unpatched devices, open ports, unauthorized connections, and unauthorized applications. Detect changes to device configurations, PLC code, firmware, and backplanes. Prioritize fixes based on risk scoring.

Risk assessment for the overall ICS environment, showing risk scoring and a summary of detected vulnerabilities together with risk-based mitigation recommendations. The report includes per-device vulnerability reports showing open ports, missing patches ranked by risk, and a device security score.

Detect threats with ICS-aware behavioral analytics

Monitor for anomalous or unauthorized activity using patented, ICS-aware behavioral analytics and threat intelligence from our CISA-recognized ICS security research team. Strengthen zero trust by instantly detecting unauthorized or compromised ICS devices. Rapidly triage real-time alerts, investigate historical traffic, and hunt for threats. Catch modern threats such as zero-day malware and living-off-the-land tactics that static IOCs miss. Leverage Layer 7 deep packet inspection (DPI) to analyze payloads and immediately alert on malicious commands such as “PLC Stop” or “Program Upload.” Explore full-fidelity packet captures (PCAPs) for deeper analysis.

Defender for IoT alerts generated by the TRITON attack, as viewed in the Sentinel incident view. Sentinel is a SIEM/SOAR solution, deeply integrated with Defender for IoT, that collects enterprise-wide security logs across both IT and OT networks to accelerate investigation of multi-stage attacks like TRITON, which initially compromised the IT network and then moved laterally to the OT network.

Proactively address risk for crown jewel assets with automated ICS threat modeling

Automated ICS threat modeling applies proprietary algorithms to risk and vulnerability data in order to simulate the most likely paths of targeted attacks on control networks. By generating a visual representation of all possible attack vector chains, ranked by risk, that target your most critical OT assets, it enables you to prioritize essential mitigations and simulate what-if scenarios to reduce your attack surface (e.g., “If I isolate or patch this insecure device, does it eliminate the risk to my crown jewel assets?”). This enables more effective use of limited skilled resources during narrow maintenance windows.

Automated ICS threat modeling is an attack simulation showing the most likely paths an attacker would take to compromise crown jewel assets, based on the system’s comprehensive analysis of ICS network topology and vulnerabilities. You can then model mitigations such as segmentation and patching to reduce risk to acceptable levels.

Unify IT/OT security with Integrated SIEM/SOAR and XDR

Get a bird's-eye view across IT/OT boundaries with deep integration between Azure Defender for IoT and Azure Sentinel, Microsoft’s cloud-native SIEM/SOAR platform and a Leader in the Forrester Wave report. Plus get built-in integration with other SOC tools such as Splunk, IBM QRadar, and ServiceNow. Leverage Sentinel to automate incident response with ICS-specific playbooks, rules, and dashboards. Use machine learning and threat intelligence derived from trillions of signals collected daily across Microsoft’s global ecosystem (endpoints, Active Directory, Office 365, Xbox Live, Digital Crimes Unit, etc.). Accelerate threat detection and reduce alert fatigue with Microsoft 365 Defender, Microsoft’s extended detection and response (XDR) solution, which automatically consolidates disparate alerts across platforms (Windows, Mac, Linux, Android, and iOS) and domains (identities, endpoints, cloud apps, email and documents).

Investigation graph in Sentinel showing IT and OT assets related to the TRITON incident, including contextual details obtained from Defender for IoT about the related ICS devices to aid investigation and response.

Product Configuration

Azure Defender for IoT
  • Triton Test Learning Phase - Learning Mode (default)
  • Triton Test Attack Phase - Learning Mode Disabled

Azure Sentinel
  • Azure Defender for IoT connector enabled
  • CEF connector enabled