Network Intrusion Detection Systems (NIDS) #1: Combining active and passive monitoring with Microsoft Defender for IoT
by josheph bell
October 20, 2025
Although it is difficult to determine the actual extent of IoT usage in industrial and production environments (usually found there in the form of IIoT, the Industrial Internet of Things) with any degree of accuracy, the number is likely to be significant. In the latest study by CIO and COMPUTERWOCHE in cooperation with Avanade and A1 Digital on this question, the partners estimate that around half of all surveyed businesses are already using IIoT, and around one-fifth of the businesses surveyed are planning to introduce IIoT applications in the short or medium term.
It should not come as a surprise that IIoT applications are on the rise, as their benefits for businesses range from driving greater operational efficiency through providing real-time data analysis of machines and processes to enabling more effective predictive maintenance, more efficient energy, resource and personnel planning, and more efficient supply chain and logistics processes through automated warehouse and material workflows. In short, IIoT applications – when correctly implemented and fully integrated into all relevant processes – offer significant opportunities for optimization in almost every area important to industry and production.
IoT and OT security with Microsoft Defender for IoT
However, IIoT environments must meet another important requirement in addition to being “correctly implemented” and “fully integrated”: they must also be secured. Like any other software deployed by a business, IIoT applications initially enlarge the attack surface, and they do so in a particularly sensitive place, because they are typically connected to operational technology (OT) networks, which are generally less thoroughly secured than IT networks.
To mitigate this risk effectively, businesses can use a range of different tools. Microsoft Defender for IoT is one of the solutions most commonly used for this purpose, providing comprehensive threat detection for IoT/OT environments with multiple options for deployment, from cloud to hybrid to on-premises models. As with many other IoT security solutions, Microsoft Defender for IoT offers both active and passive monitoring capabilities. Both of these monitoring modes offer their own advantages, and by combining both, businesses can create an effective Network Intrusion Detection System (NIDS).
What is passive monitoring?
Passive monitoring means observing incoming and outgoing network communications without interfering with the traffic and without injecting any packets of its own. In practice, the sensor receives a copy of the traffic from a switch SPAN/mirror port or a network TAP, then parses and logs the protocols, conversations and assets it sees in order to detect potential threats such as anomalies, vulnerabilities or unauthorized devices, all without disrupting regular network operations.
As a result, passive monitoring introduces no risk of downtime or performance loss (the sensor consumes no bandwidth on the production segment), which makes it well suited to environments where operational continuity is the top priority, such as production floors or critical infrastructure. Its limitation is the flip side of the same property: it can only see devices and protocols that actually send traffic through a monitored segment, and it cannot query a device's configuration or patch level directly. IoT/OT security solutions such as Microsoft Defender for IoT use the passive approach by default.
What is active monitoring?
Unlike passive monitoring, active monitoring transmits test queries, pings or other purpose-built packets through the network and evaluates the responses in order to identify vulnerabilities, misconfigurations and similar issues. For example, this allows businesses to trigger and test specific firewall actions using simulated threats, collect configuration data from devices in the network, or assess vulnerabilities by interacting directly with network devices.
Active monitoring can also surface issues that passive monitoring misses, such as a device that never speaks on the monitored segment or a setting that is never transmitted on the wire. In addition, IT security managers can use it to validate alerts directly, confirm whether a threat is real, and initiate countermeasures sooner, which makes for a more proactive defense. In Microsoft Defender for IoT, active monitoring is an opt-in addition enabled through integrations and additional sensor configuration (for example, Windows endpoint monitoring via WMI and reverse DNS lookups). It should be enabled deliberately rather than broadly: some legacy OT devices handle unexpected queries poorly, so probes are best restricted to asset classes known to tolerate them and to maintenance windows.
Passive + Active = NIDS
The most comprehensive level of protection is achieved by combining passive and active monitoring. This lets businesses detect potentially dangerous anomalies in their networks at an early stage (for example, unauthorized access, unknown devices or malware), respond faster to incidents and breaches, and investigate incidents more easily using the traffic and asset data recorded beforehand.
This kind of comprehensive network monitoring is what is commonly meant by a Network Intrusion Detection System (NIDS); strictly speaking, the NIDS is the passive detection component, and the active checks complement it with verification and vulnerability data. NIDS solutions such as Microsoft Defender for IoT offer both passive and active network monitoring, are optimized for IIoT and OT scenarios, and provide useful integration options, such as automatically triggering firewall actions when threats are detected. A NIDS solution not only reduces a wide range of risks before they turn into incidents, but also supports compliance with often complex standards and frameworks such as those from NIST, ISO 27001, or ISA/IEC 62443.
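The passive-then-active loop described in the three sections above, as an added example that is not code from Microsoft or from this article: it learns a passive baseline from constructed Zeek-style connection records, flags unknown devices and new conversations, and then gates each alert through OT-safety rules before handing it to an active probe. The record format, the IP addresses, the asset classes in ASSET_CLASS, the OT_PREFIX and the fake_probe stub are all assumptions made for the example; in a real deployment the probe would be a reverse DNS lookup, a WMI query or a TCP connect, and the asset classes would come from the asset inventory.

```python
# Added example (not Microsoft Defender for IoT code): a minimal passive/active
# NIDS loop over constructed, Zeek-style connection records.
from dataclasses import dataclass

# Constructed sample data: "ts src dst dst_port service", one connection per line.
BASELINE_LOG = """\
1000 10.1.1.10 10.1.1.20 502 modbus
1001 10.1.1.10 10.1.1.21 502 modbus
1002 10.1.1.5 10.1.1.10 44818 enip
1003 10.1.1.5 10.1.1.21 44818 enip
"""
LIVE_LOG = """\
2000 10.1.1.10 10.1.1.20 502 modbus
2001 10.1.1.77 10.1.1.20 502 modbus
2002 10.1.1.20 203.0.113.9 443 ssl
2003 10.1.1.5 10.1.1.10 44818 enip
"""

# Hypothetical asset classes; a real deployment takes these from the inventory.
ASSET_CLASS = {"10.1.1.20": "plc", "10.1.1.21": "plc", "10.1.1.10": "hmi", "10.1.1.5": "eng_ws"}
OT_PREFIX = "10.1.1."  # assumed OT segment; anything else is treated as external


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    port: int
    service: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated records above into Conn objects."""
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, service = line.split()
            conns.append(Conn(int(ts), src, dst, int(port), service))
    return conns


def learn_baseline(conns: list[Conn]) -> dict:
    """Passive learning: record every asset and every (src, dst, port, service) seen."""
    return {
        "assets": {c.src for c in conns} | {c.dst for c in conns},
        "flows": {(c.src, c.dst, c.port, c.service) for c in conns},
    }


def detect(conns: list[Conn], baseline: dict) -> list[dict]:
    """Passive detection: flag hosts and conversations absent from the baseline, once each."""
    alerts, seen = [], set()

    def emit(kind, subject, conn):
        if (kind, subject) not in seen:
            seen.add((kind, subject))
            alerts.append({"kind": kind, "subject": subject, "ts": conn.ts})

    for c in conns:
        for host in (c.src, c.dst):
            if host not in baseline["assets"]:
                emit("unknown_device", host, c)
        flow = (c.src, c.dst, c.port, c.service)
        if flow not in baseline["flows"]:
            emit("new_communication", flow, c)
    return alerts


def verify_alert(alert: dict, probe, in_maintenance_window: bool) -> dict:
    """Active verification with OT safety gates in front of the (injected) probe."""
    host = alert["subject"] if alert["kind"] == "unknown_device" else alert["subject"][0]
    if not host.startswith(OT_PREFIX):
        decision = "skip: external host, out of probing scope"
    elif ASSET_CLASS.get(host) == "plc":
        decision = "skip: PLC-class asset, never probed actively"
    elif not in_maintenance_window:
        decision = "defer: active probes only in maintenance window"
    else:
        decision = "probe"
    result = probe(host) if decision == "probe" else None
    return {"alert": alert, "host": host, "decision": decision, "probe": result}


def fake_probe(host: str) -> dict:
    """Constructed stand-in for a real probe (reverse DNS, WMI query, TCP connect)."""
    return {"10.1.1.77": {"alive": True, "hostname": "contractor-laptop"}}.get(host, {"alive": False})


def run(baseline_text=BASELINE_LOG, live_text=LIVE_LOG, in_maintenance_window=True):
    """Passive baseline -> passive detection -> gated active verification."""
    baseline = learn_baseline(parse_conn_log(baseline_text))
    alerts = detect(parse_conn_log(live_text), baseline)
    return [verify_alert(a, fake_probe, in_maintenance_window) for a in alerts]


if __name__ == "__main__":
    for r in run():
        print(r["alert"]["kind"], r["host"], "->", r["decision"], r["probe"])
```

With the constructed data, the live log produces four alerts: an unknown host 10.1.1.77 talking Modbus to a PLC, and a PLC opening an outbound TLS connection to an external address. Only the unknown internal host is actually probed; the PLC is never touched and the external address is out of scope, which is the gating a practitioner wants before letting any active component loose on an OT segment.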
Stay tuned for the next two articles in this series, coming soon on the 28th of October.
