Exam SC-100
Question 24

You have legacy operational technology (OT) devices and IoT devices.

You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations.

Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: B, D

    To apply Zero Trust principles to legacy operational technology (OT) and IoT devices while minimizing the risk of disrupting business operations, the two methodologies to recommend are threat monitoring and passive traffic monitoring. Threat monitoring is the continuous observation of network traffic, system logs, and other data sources to detect potential threats and respond promptly; in the MCRA it is one of the three items of basic OT security hygiene, alongside network isolation and managing vendor access risk. Passive traffic monitoring observes mirrored traffic (for example from a network TAP or SPAN port) without sending packets or generating traffic of its own, so it adds visibility without touching the devices. Because OT systems prioritize safety and availability, often run end-of-life software, and may crash or change timing when probed, passive techniques are preferred over active scanning, and software patching can only be applied selectively rather than treated as a best practice.
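    The passive collection that the explanation recommends, as an added worked example that is not part of the original page and not Microsoft's or the MCRA's own code: a small Python monitor that only consumes frames copied from a SPAN/TAP port, learns during a baseline window which hosts normally issue Modbus/TCP requests and which of them write, and afterwards alerts on new masters, unexpected writes and malformed requests. The IP addresses, function codes and frames are constructed sample data, and the Modbus/TCP layout used by the parser (7-byte MBAP header followed by the function code) is an assumption for the demo. The monitor never transmits anything, which is the property that keeps it safe for fragile OT devices.

```python
"""Passive OT traffic monitor: asset inventory and alerts from mirrored traffic.

Illustration added for this page (not Microsoft/MCRA code). Frames, addresses
and function codes are constructed sample data. Assumes the Modbus/TCP layout:
MBAP header (transaction id, protocol id 0, length, unit id) then a PDU whose
first byte is the function code.
"""
from dataclasses import dataclass, field
import struct

MODBUS_TCP_PORT = 502
# Function codes that change controller state (writes) versus plain reads.
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}
READ_FUNCTIONS = {1, 2, 3, 4}


@dataclass
class Frame:
    """Minimal view of a captured TCP segment as a SPAN port would deliver it."""
    src: str
    dst: str
    dport: int
    payload: bytes


def build_modbus(unit: int, function: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    # MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus(payload: bytes):
    """Return (unit_id, function_code) for a well-formed request, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


@dataclass
class PassiveMonitor:
    """Learns a baseline from observed traffic, then flags deviations.

    It never sends a packet: every input is a frame copied off the wire, so
    it cannot slow, probe or crash the OT devices it watches.
    """
    learning: bool = True
    known_masters: set = field(default_factory=set)   # hosts issuing requests
    known_slaves: set = field(default_factory=set)    # hosts receiving requests
    writers: set = field(default_factory=set)         # masters that wrote in baseline
    alerts: list = field(default_factory=list)

    def observe(self, frame: Frame) -> None:
        if frame.dport != MODBUS_TCP_PORT:
            return
        parsed = parse_modbus(frame.payload)
        if parsed is None:
            self.alerts.append(f"malformed Modbus from {frame.src} to {frame.dst}")
            return
        unit, function = parsed
        if self.learning:
            self.known_masters.add(frame.src)
            self.known_slaves.add(frame.dst)
            if function in WRITE_FUNCTIONS:
                self.writers.add(frame.src)
            return
        if frame.src not in self.known_masters:
            self.alerts.append(f"new Modbus master {frame.src} -> {frame.dst} fc={function}")
        if function in WRITE_FUNCTIONS and frame.src not in self.writers:
            self.alerts.append(f"unexpected write fc={function} unit={unit} "
                               f"from {frame.src} to {frame.dst}")

    def end_learning(self) -> None:
        self.learning = False


def run_demo() -> PassiveMonitor:
    """Replay constructed sample traffic through the monitor and return it."""
    hmi, eng, plc, rogue = "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99"
    read_regs = build_modbus(1, 3, b"\x00\x00\x00\x0a")        # read 10 holding registers
    write_regs = build_modbus(1, 16, b"\x00\x00\x00\x01\x02\x00\x01")
    write_single = build_modbus(1, 6, b"\x00\x00\x00\x01")
    mon = PassiveMonitor()
    # Baseline: HMI polls, engineering workstation performs a sanctioned write.
    for _ in range(3):
        mon.observe(Frame(hmi, plc, MODBUS_TCP_PORT, read_regs))
    mon.observe(Frame(eng, plc, MODBUS_TCP_PORT, write_regs))
    mon.end_learning()
    # Live traffic: normal poll, a rogue host writing, the HMI suddenly writing,
    # and a truncated request.
    mon.observe(Frame(hmi, plc, MODBUS_TCP_PORT, read_regs))      # no alert
    mon.observe(Frame(rogue, plc, MODBUS_TCP_PORT, write_single))  # 2 alerts
    mon.observe(Frame(hmi, plc, MODBUS_TCP_PORT, write_regs))      # 1 alert
    mon.observe(Frame(rogue, plc, MODBUS_TCP_PORT, b"\x00\x01\x00\x00"))  # 1 alert
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

    In a real deployment the `Frame` objects would come from a capture library reading the SPAN or TAP interface, and the baseline window would be hours or days rather than four frames; the point of the structure is that detection quality comes entirely from what the network already carries, so nothing the monitor does can affect the controllers.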

Discussion
El_m_o (Options: BD)

From MCRA slide 17 (OT): "Many well-established IT security best practices like software patching aren’t practical or fully effective in an OT environment, so they can only be selectively applied (or have a limited security effect). Basic security hygiene for OT starts with network isolation (including good maintenance/**monitoring** of that isolation boundaries), **threat monitoring**, and carefully managing vendor access risk."

Ajdlfasudfo0 (Options: BC)

"In some legacy environments where modern authentication protocols are unavailable such as operational technology (OT), network controls may be used exclusively." (Slide 61). MCRA Slide 17 - OT: Safety/Integrity/Availability; Hardware Age: 50-100 years (mechanical + electronic overlay); Warranty length: up to 30-50 years; Protocols: Industry Specific (often bridged to IP networks); Security Hygiene: Isolation, threat monitoring, managing vendor access risk, (patching rarely).

AJ2021 (Options: BD)

Adapt processes to Operational Technology (OT) - Adjust your tools and processes to the constraints of OT environments as you integrate them. These environments prioritize safety and often have older systems which don't have patches available and may crash from an active scan. Focusing on approaches like passive network detections for threats and isolation of systems is often the best approach. https://learn.microsoft.com/en-us/training/modules/use-microsoft-cybersecurity-reference-architecture-azure-security-benchmarks/3-recommend-for-protecting-from-insider-external-attacks

Funkydave (Options: AD)

"The solution must minimize the risk of disrupting business operations." Patching is absolutely not non-disruptive.

zellck (Options: BD)

BD is the answer. OT Security hygiene is different because these systems frequently weren’t built with modern threats and protocols in mind (and often rely on ‘end of life’ software). Many well-established IT security best practices like software patching aren’t practical or fully effective in an OT environment, so they can only be selectively applied (or have a limited security effect). Basic security hygiene for OT starts with network isolation (including good maintenance/monitoring of that isolation boundaries), threat monitoring, and carefully managing vendor access risk.

PrettyFlyWifi (Options: BD)

B and D seem most suitable here, both are mentioned on slide 17 of MCRA. It doesn't look like C - Software patching is a valid answer. Look at slide 17 of MCRA it states "Many well-established IT security best practices like software patching aren’t practical or fully effective in an OT environment, so they can only be selectively applied (or have a limited security effect). ", so this confirms it isn't practical, so it can't be "best practice".

Fal991l (Options: BD)

ChatGPT: The two security methodologies that should be included in the recommendation for applying Zero Trust principles to OT and IoT devices based on the MCRA while minimizing the risk of disrupting business operations are: B. Threat monitoring: Continuous monitoring and analysis of network traffic, system logs, and other data sources can help detect and respond to threats and attacks targeting OT and IoT devices. Threat monitoring can help identify indicators of compromise (IoCs) and provide early warning of potential security incidents. D. Passive traffic monitoring: Passive traffic monitoring involves monitoring network traffic without actively sending packets or generating traffic. This approach can help minimize the risk of disrupting business operations while still providing visibility into network activity and potential security incidents. Passive traffic monitoring can also help identify anomalies and suspicious activity that may indicate a security threat.

Fal991l

Option A, active scanning, and option C, software patching, are not necessarily the best practices for applying Zero Trust principles to OT and IoT devices, as they can potentially disrupt business operations and cause compatibility issues with legacy devices. While software patching can help mitigate vulnerabilities, it should be done in a controlled and tested manner to avoid introducing new issues or downtime.

aks_exam

ChatGPT may lead you to the right answer, but please don't comment on what it explains.

Baz10 (Options: BD)

On Exam 8 Apr 2024 scored 764

msubratty (Options: BD)

D. Passive Traffic Monitoring: Passive traffic monitoring involves observing network traffic without actively scanning or disrupting devices. This approach aligns with Zero Trust principles by allowing you to gain insights into the behavior of devices without introducing potential risks associated with active scanning. It helps in understanding the normal traffic patterns and identifying anomalies or suspicious activities without impacting the operation of OT and IoT devices. B. Threat Monitoring: Threat monitoring is essential for actively monitoring and analyzing security events to detect and respond to potential threats. Implementing threat monitoring aligns with Zero Trust principles by continuously assessing the security posture of OT and IoT devices. This proactive approach enables the identification of security incidents and allows for timely responses to mitigate risks, all while minimizing disruptions to business operations.

Charly80 (Options: BC)

MCRA Slide 65 "Apply zero trust principles to securing OT and industrial IoT environments" : Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware

danb67 (Options: BD)

Answer correct based on slide 60 of the MCRA: "(passive collection) – provides data gathering with passive traffic monitoring to avoid disruption of OT and IIoT operations. This passive approach is critical because active scanning can slow or disrupt business operations (potentially altering sensitive physical operation timing or potentially crashing older OT computer systems)." Security Hygiene - threat monitoring.

emartiy (Options: BD)

I continue with these options based on the MCRA slides... A is something performance-reducing, so option D is more reliable, and option B since the question says "which security methodology".

POOJI123

What is the MCRA slide mentioned in the comments? How do I find it?

theplaceholder

https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra

Ario (Options: BD)

BD is correct

Tictactoe (Options: BD)

BD right

edurakhan (Options: BC)

I would go with threat monitoring and patching (rarely, according to MCRA, but there is nothing about passive traffic monitoring)

GeVanDerBe

Read the notes in slide 17 --> Microsoft’s approach to threat monitoring is focused on bringing modern security approaches that also deeply respects the constraints and sensitivity of these systems. The approach is based on technology developed by CyberX (recently acquired and integrated into Microsoft). The solution consists of Network TAP/SPAN (passive collection) – provides data gathering with passive traffic monitoring to avoid disruption of OT and IIoT operations.

zellck

Many well-established IT security best practices like software patching aren’t practical or fully effective in an OT environment, so they can only be selectively applied (or have a limited security effect).