Tutorial: Integrate CyberArk with Microsoft Defender for IoT
This tutorial will help you learn how to integrate and use CyberArk with Microsoft Defender for IoT.
Defender for IoT delivers an ICS and IIoT cybersecurity platform with ICS-aware threat analytics and machine learning.
Threat actors are using compromised remote access credentials to access critical infrastructure networks via remote desktop and VPN connections. By using trusted connections, this approach easily bypasses any OT perimeter security. Credentials are typically stolen from privileged users, such as control engineers and partner maintenance personnel, who require remote access to perform daily tasks.
The Defender for IoT integration with CyberArk allows you to:
- Reduce OT risks from unauthorized remote access
- Provide continuous monitoring and privileged access security for OT
- Enhance incident response, threat hunting, and threat modeling
The Defender for IoT appliance is connected to the OT network via a SPAN port (mirror port) on network devices such as switches and routers, using a one-way (inbound) connection to the dedicated network interfaces on the Defender for IoT appliance.
A dedicated network interface is also provided in the Defender for IoT appliance for centralized management and API access. This interface is also used for communicating with the CyberArk PSM solution that is deployed in the data center of the organization to manage privileged users and secure remote access connections.
In this tutorial, you learn how to:
- Configure PSM in CyberArk
- Enable the integration in Defender for IoT
- View and manage detections
- Stop the Integration
Prerequisites
CyberArk version 2.0.
Verify that you have CLI access to all Defender for IoT appliances in your enterprise.
An Azure account. If you don't already have an Azure account, you can create your Azure free account today.
Configure PSM in CyberArk
CyberArk must be configured to allow communication with Defender for IoT. This communication is accomplished by configuring PSM.
To configure PSM:
Locate and open the c:\Program Files\PrivateArk\Server\dbparam.xml file.
Add the following parameters:
[SYSLOG]
UseLegacySyslogFormat=Yes
SyslogTranslatorFile=Syslog\CyberX.xsl
SyslogServerIP=<CyberX Server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=319,320,295,378,380
Save the file, and close it.
Place the Defender for IoT syslog configuration file CyberX.xsl in c:\Program Files\PrivateArk\Server\Syslog\CyberX.xsl.
Open the Server Central Administration.
Select the Stop Traffic Light to stop the server.
Select the Start Traffic Light to start the server.
Enable the integration in Defender for IoT
To enable the integration, the Syslog Server must be enabled in the Defender for IoT management console. By default, the Syslog Server listens on the IP address of the system on UDP port 514.
To configure Defender for IoT:
In Defender for IoT management console, navigate to System Settings.
Toggle the Syslog Server to On.
(Optional) Change the port by signing in to the system via the CLI, opening /var/cyberx/properties/syslog.properties, and changing the line listener: 514/udp.
View and manage detections
The integration between Microsoft Defender for IoT and CyberArk PSM is performed via syslog messages. These messages are sent by the PSM solution to Defender for IoT, notifying Defender for IoT of any remote sessions or verification failures.
Once the Defender for IoT platform receives these messages from PSM, it correlates them with the remote access traffic it observes in the network, validating that every remote access connection to the network was brokered by the PSM solution and not opened by an unauthorized user.
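The following is an added illustration of the correlation described above, not code from Defender for IoT or CyberArk: it matches constructed PSM syslog notifications against remote sessions observed on the monitored network and flags any session PSM did not announce. The syslog line format, the field names and the five-minute matching window are assumptions made for this example.

```python
"""Correlate PSM syslog notifications with observed RDP/SSH sessions.

The PSM_SESSION line format below is constructed for this example and is
not CyberArk's actual syslog format; the timestamps and addresses are
sample data as well.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed format: "<ts> <host> CyberArk PSM_SESSION src=.. dst=.. proto=.. user=.."
PSM_RE = re.compile(
    r"PSM_SESSION src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>RDP|SSH) user=(?P<user>\S+)"
)


@dataclass(frozen=True)
class Session:
    ts: datetime
    src: str
    dst: str
    proto: str
    user: str = ""


def parse_psm_syslog(lines):
    """Turn PSM session notifications into authorised sessions.

    Lines that are not PSM_SESSION (e.g. verification failures) never
    authorise anything, so they are skipped here.
    """
    authorised = []
    for line in lines:
        m = PSM_RE.search(line)
        if not m:
            continue
        ts = datetime.fromisoformat(line.split()[0])
        authorised.append(Session(ts, m["src"], m["dst"], m["proto"], m["user"]))
    return authorised


def classify(observed, authorised, window=timedelta(minutes=5)):
    """Split observed sessions into (authorised, unauthorised).

    A session counts as PSM-authorised if PSM announced the same
    src/dst/protocol at most `window` before the session was seen on the wire.
    """
    ok, bad = [], []
    for s in observed:
        announced = any(
            a.src == s.src and a.dst == s.dst and a.proto == s.proto
            and timedelta(0) <= s.ts - a.ts <= window
            for a in authorised
        )
        (ok if announced else bad).append(s)
    return ok, bad


# Constructed sample data: one PSM-brokered RDP session, one verification
# failure, and three sessions seen on the SPAN port.
PSM_LOG = [
    "2024-05-01T10:00:00 psm01 CyberArk PSM_SESSION src=10.20.0.10 dst=10.50.1.5 proto=RDP user=ctrl-eng1",
    "2024-05-01T10:02:00 psm01 CyberArk PSM_VERIFY_FAIL src=10.20.0.10 user=vendor2",
]
OBSERVED = [
    Session(datetime(2024, 5, 1, 10, 0, 30), "10.20.0.10", "10.50.1.5", "RDP"),  # brokered by PSM
    Session(datetime(2024, 5, 1, 10, 7, 0), "10.99.9.9", "10.50.1.5", "RDP"),    # never announced
    Session(datetime(2024, 5, 1, 10, 30, 0), "10.20.0.10", "10.50.1.5", "RDP"),  # outside the window
]


def unauthorised_pairs():
    """Return (src, dst) of sessions that would raise Unauthorized Remote Session."""
    _, bad = classify(OBSERVED, parse_psm_syslog(PSM_LOG))
    return [(s.src, s.dst) for s in bad]
```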
View alerts
Whenever the Defender for IoT platform identifies a remote session that hasn't been authorized by PSM, it issues an Unauthorized Remote Session alert. To facilitate immediate investigation, the alert also shows the IP addresses and names of the source and destination devices.
To view alerts:
Sign in to the management console.
Select Alerts from the left side panel.
From the list of alerts, select the alert titled Unauthorized Remote Session.
Event timeline
Whenever PSM authorizes a remote connection, it is visible in the Defender for IoT Event Timeline page. The Event Timeline page shows a timeline of all alerts and notifications.
To view the event timeline:
Sign in to the Defender for IoT sensor.
Select Event timeline from the left side panel.
Locate any event titled PSM Remote Session.
Auditing & forensics
Administrators can audit and investigate remote access sessions by querying the Defender for IoT platform via its built-in data mining interface. This information can be used to identify all remote access connections that have occurred, including forensic details such as source and destination devices, protocols (RDP or SSH), source and destination users, time-stamps, and whether the sessions were authorized using PSM.
To audit and investigate:
Sign in to the Defender for IoT sensor.
Select Data mining from the left side panel.
Select Remote Access.
Stop the Integration
At any point in time, you can stop the integration by stopping Defender for IoT from receiving syslog messages.
To stop the integration:
In the Defender for IoT management console, navigate to the System Settings screen.
Toggle the Syslog Server option to Off.
Clean up resources
There are no resources to clean up.
Next steps
In this article, you learned how to get started with the CyberArk integration. Continue on to learn about our Forescout integration.