The Claroty Blog

Claroty's Fall '18 Release Delivers Network Segmentation & Virtual Zones and Other Significant Enhancements

Patrick McBride

During a very eventful Spring and Summer, including a big funding announcement, new partnerships, awards, and major customer wins, our R&D teams were also very busy developing amazing new functionality for the Claroty Platform. Adding to what we believe is the industry’s most complete ICS cybersecurity platform, our Fall release incorporates several significant enhancements:

Virtual Zones & Network Segmentation- We all know that segmenting your network is a vital security control. This includes both segmentation between business and OT networks, and micro-segmentation within the OT network. While effective for reducing risk, micro-segmentation within OT networks can be a very difficult and time-consuming task. I’m very pleased to announce Claroty’s new virtual zones capability in Continuous Threat Detection (CTD), which automatically creates virtual network segments and a network map to accelerate physical segmentation projects.

The system now analyzes the network and produces “virtual zones”: groups of devices that are expected to communicate with each other, based on observed behavioral patterns. The system also automatically updates these zones as new devices are added to the network. In addition, this new functionality generates alert policies for communications between assets, highlights alerts raised for potentially dangerous communications across zones, and provides a network map to accelerate physical segmentation efforts.
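To make the idea concrete, here is an added illustration of how communication-based zoning and cross-zone alerting can work. It is example code written for this post, not Claroty's implementation: zones are learned as groups of assets seen talking to each other, "hub" assets with many peers (a historian polling every PLC, in the constructed sample) are zoned on their own so they do not merge every cell into one zone, zone pairs observed talking during learning become the allowed cross-zone policy, and a previously unseen asset is attached to the zone of the peer it first talks to. The `hub_degree` threshold, the asset names and the flows are all assumptions made for the example.

```python
"""Virtual zones from observed OT conversations (illustrative, not Claroty's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def build_adjacency(flows):
    """Undirected peer map: asset -> set of assets it was seen talking to."""
    adj = defaultdict(set)
    for f in flows:
        adj[f.src].add(f.dst)
        adj[f.dst].add(f.src)
    return adj


def learn_zones(flows, hub_degree=3):
    """Return {asset: zone_id}.

    Assets with >= hub_degree distinct peers are treated as hubs and each gets a
    zone of its own; the remaining assets are grouped by connectivity among
    non-hubs. Zone ids are assigned deterministically (hubs first, sorted by name)."""
    adj = build_adjacency(flows)
    hubs = {a for a, peers in adj.items() if len(peers) >= hub_degree}
    zone_of = {}
    next_zone = 1
    for hub in sorted(hubs):
        zone_of[hub] = next_zone
        next_zone += 1
    for start in sorted(adj):
        if start in zone_of:
            continue
        stack = [start]
        while stack:  # depth-first walk that never crosses a hub
            asset = stack.pop()
            if asset in zone_of:
                continue
            zone_of[asset] = next_zone
            stack.extend(p for p in adj[asset] if p not in hubs and p not in zone_of)
        next_zone += 1
    return zone_of


def zone_members(zone_of):
    """Invert the asset -> zone map for display."""
    members = defaultdict(set)
    for asset, zone in zone_of.items():
        members[zone].add(asset)
    return dict(members)


def learn_cross_zone_policy(flows, zone_of):
    """Zone pairs that were observed talking during learning are allowed."""
    return {frozenset((zone_of[f.src], zone_of[f.dst])) for f in flows
            if zone_of[f.src] != zone_of[f.dst]}


def evaluate_flow(flow, zone_of, allowed_cross_zone=frozenset()):
    """Classify one newly observed flow against the learned zones.

    'baseline'          both ends already share a zone
    'new-asset'         one end was unknown; it is attached to its peer's zone
    'cross-zone-ok'     different zones, but the pair is allowed by policy
    'cross-zone-alert'  different zones and no policy allows it
    'unknown'           neither end is known; nothing to anchor to yet
    """
    src_zone, dst_zone = zone_of.get(flow.src), zone_of.get(flow.dst)
    if src_zone is None and dst_zone is None:
        return "unknown"
    if src_zone is None:
        zone_of[flow.src] = dst_zone
        return "new-asset"
    if dst_zone is None:
        zone_of[flow.dst] = src_zone
        return "new-asset"
    if src_zone == dst_zone:
        return "baseline"
    if frozenset((src_zone, dst_zone)) in allowed_cross_zone:
        return "cross-zone-ok"
    return "cross-zone-alert"


# Constructed sample traffic: two cells of PLCs, each with its own HMI, plus a
# historian polling every PLC. Names and protocols are made up for the example.
SAMPLE_FLOWS = [
    Flow("HMI-A", "PLC-1", "modbus"), Flow("HMI-A", "PLC-2", "modbus"),
    Flow("HMI-B", "PLC-3", "s7comm"), Flow("HMI-B", "PLC-4", "s7comm"),
    Flow("HIST", "PLC-1", "opcua"), Flow("HIST", "PLC-2", "opcua"),
    Flow("HIST", "PLC-3", "opcua"), Flow("HIST", "PLC-4", "opcua"),
]

if __name__ == "__main__":
    zones = learn_zones(SAMPLE_FLOWS)
    policy = learn_cross_zone_policy(SAMPLE_FLOWS, zones)
    for zone, members in sorted(zone_members(zones).items()):
        print(f"zone {zone}: {sorted(members)}")
    print(evaluate_flow(Flow("HMI-A", "PLC-3", "modbus"), zones, policy))
```

With the sample traffic the historian becomes zone 1 on its own, the two HMI/PLC cells become zones 2 and 3, historian-to-PLC polling is allowed by the learned policy, and an HMI from one cell reaching into the other cell is flagged as a cross-zone alert. Real products use richer clustering than connected components, but the failure mode this handles (one chatty asset collapsing every cell into a single zone) is the same one any communication-based zoning has to deal with.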

Look for a deeper dive into the zones and segmentation features in a separate blog post in the next couple weeks.

Improved Alert Handling & Recommended Mitigation Steps- We’ve also added more context to make it even easier for security teams to efficiently investigate alerts, and we help reduce resolution times by including recommended mitigation steps.

Improved Insights Description- Insights in the alerts screen have been improved to make them more descriptive and intuitive. In addition, we’ve extended the protocols identified in the unsecured protocols insights and provide an explanation of why each protocol is not secure. Last, we’ve added the ability to click and filter by the related assets in each Insight.

Risk Assessment Report- Many of our partners use our Security Assessment Report to present the results of a network audit to their customers. We’ve enhanced this report, making it more customizable and easier to understand.

We’ve added the ability for partners to add their branding to the report. Partners can now also add a custom site name and description to the report to make it easier to connect the assessment to a specific site. We also separated the assessment report into “security alerts”, which are raised when a known attack such as a man-in-the-middle attack or a port scan is identified, and “process integrity alerts”, which are raised when a critical change to a process (e.g., a configuration download/upload, mode change, etc.) is detected.

Baseline Value Display & Alerting- Some communication protocols carry additional values representing process-related information such as voltage, temperature, pressure, etc. Claroty’s Continuous Threat Detection can now parse the numerical or textual value and incorporate it into the asset’s baseline. Users can then set up alerts that trigger if the value crosses minimum or maximum limits. IEC-101 is now supported, and additional protocols will follow.
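As an added illustration of the baseline-and-limits idea (example code written for this post, not Claroty's implementation or its IEC-101 parser), the following monitor folds each value seen for an (asset, point) pair into a baseline, raises an alert when a numeric value falls outside user-configured minimum/maximum limits, and, for textual values such as a mode indicator, alerts when a value appears that was never seen for that point before. The asset and point names and the sample readings are constructed for the example; the protocol-level decoding that would produce them is assumed to happen elsewhere.

```python
"""Process-value baseline with min/max limit alerts (illustrative, not Claroty's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PointBaseline:
    """Learned range (numeric) or value set (textual) for one asset/point pair."""
    low: Optional[float] = None
    high: Optional[float] = None
    texts: set = field(default_factory=set)
    samples: int = 0


def parse_value(raw):
    """Return (number, None) for numeric payloads, (None, text) otherwise."""
    try:
        return float(raw), None
    except (TypeError, ValueError):
        return None, str(raw).strip()


class ValueMonitor:
    def __init__(self):
        self.baseline = {}  # (asset, point) -> PointBaseline
        self.limits = {}    # (asset, point) -> (minimum, maximum), user-configured

    def set_limits(self, asset, point, minimum, maximum):
        """Configure the alert thresholds for a point; rejects an inverted range."""
        if minimum > maximum:
            raise ValueError("minimum must not exceed maximum")
        self.limits[(asset, point)] = (float(minimum), float(maximum))

    def observe(self, asset, point, raw):
        """Check one observed value against limits/baseline, then learn from it.

        Returns an alert string, or None when the value is within expectations."""
        key = (asset, point)
        pb = self.baseline.setdefault(key, PointBaseline())
        number, text = parse_value(raw)
        alert = None
        if number is not None:
            limits = self.limits.get(key)
            if limits and not (limits[0] <= number <= limits[1]):
                alert = f"{asset} {point}={number} outside limits {limits}"
            # Widen the learned range regardless, so the baseline reflects what was seen.
            pb.low = number if pb.low is None else min(pb.low, number)
            pb.high = number if pb.high is None else max(pb.high, number)
        else:
            # Textual values: any value not previously seen for this point is notable.
            if pb.samples and text not in pb.texts:
                alert = f"{asset} {point} changed to unseen value {text!r} (seen: {sorted(pb.texts)})"
            pb.texts.add(text)
        pb.samples += 1
        return alert


def run_sample():
    """Constructed readings from a fictional RTU; returns the alerts raised, in order."""
    monitor = ValueMonitor()
    monitor.set_limits("RTU-7", "voltage_kv", 125.0, 140.0)
    readings = [
        ("RTU-7", "voltage_kv", "132.4"),
        ("RTU-7", "mode", "REMOTE"),
        ("RTU-7", "voltage_kv", "133.1"),
        ("RTU-7", "mode", "REMOTE"),
        ("RTU-7", "voltage_kv", "141.0"),   # above the configured maximum
        ("RTU-7", "mode", "LOCAL"),         # never seen for this point before
    ]
    alerts = [monitor.observe(a, p, v) for a, p, v in readings]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two design points worth noting: the learned range is widened even when a reading trips a limit, so the baseline records what actually happened rather than what was expected, and a textual point only alerts once it has at least one prior sample, which avoids a spurious alert on the very first reading after a monitor restart.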

Syslog Message Enhancements- We increased the customization of syslog output, so administrators can now select which sites send syslogs and whether to send security alerts, integrity alerts, or both. We also added the ability to send periodic system health-check information via syslog.

Enhanced System Manageability- We improved usability to make configuring new protocols easier within the user interface. We’ve also made it easier to ensure Continuous Threat Detection is kept up to date at all remote sites by reporting whether the CTD version at each site is current and enabling administrators to push updates out to multiple remote sites with a single click.

Granular CVE Matching- We have reworked the way that common vulnerabilities and exposures (CVEs) are presented in insights. Asset vulnerabilities are now reported as high, medium or low depending on the granularity of asset data (e.g., vendor, model, firmware version, etc.) we are able to match to the CVE.

Export Asset Information to External DB- We’ve added the ability to export all asset information we discover into an external configuration management database (CMDB).

These new capabilities are all part of the Claroty Platform and built on Claroty’s advanced CoreX engine. This fully integrated platform is unparalleled in its depth, coverage and scalability. It provides:

  • Real-time Threat Detection including advanced anomaly and signature-based detection for complete coverage of known and unknown threats and analysis tools for ICS threat hunting.
  • Continuous Vulnerability Monitoring enabling customers to uncover and remedy network configuration “hygiene” issues and identify assets with known vulnerabilities (CVEs).
  • Secure Remote Access with policy- and workflow-based access control and session monitoring.
  • Enterprise Scalability including a consolidated “single pane of glass” management console for multi-plant environments and integration with existing security systems (e.g., SIEM, log management, security analytics, etc.).
  • Cost-effective Deployments in remote, bandwidth- or compute-constrained environments, leveraging an advanced sensor-based architecture suitable for use cases such as electric transmission or oil/gas pipelines.

Stay informed about all updates by subscribing to this blog, and if you would like more detail on any of these enhancements, request a demo.
