The Claroty Blog

Making Network Segmentation Easier and More Effective

Assaf Regev

In a blog I wrote several months ago, I spoke about how industrial organizations can reduce OT cyber risk through network segmentation. The point of that post was to introduce Claroty's Virtual Zones functionality, which helps industrial organizations accelerate their network segmentation efforts based on the detailed network insight provided by our Continuous Threat Detection (CTD) solution. I'm very pleased to tell you today about some significant enhancements we've made in this area and to introduce Virtual Zones+.

It's been a while since I've talked about segmentation, so I think a little recap is appropriate. In my original post, I explained why network segmentation is one of the most impactful actions industrial asset owners can take to reduce the risk of a major security incident. However, I also talked about the challenges of implementing network segmentation. Segmentation projects can be lengthy and expensive, and in some cases they are not applicable to the lower layers of your OT network as defined by the Purdue Model. And even after the initial segmentation scheme is complete, organizations struggle to keep it updated as their network architecture inevitably expands and changes, so the benefits of these projects can be short-lived.

I believe we made a real difference in making segmentation easier to implement with Virtual Zones, and over the last 9 months customers have told us how much they appreciate the benefits. But it was clear we could take these benefits further, so we've introduced Virtual Zones+ to continue what we started. Here's how it works:

Virtual Zones+ is designed for large enterprises with complex IT, OT, and IoT footprints. It automatically tags assets with similar network traffic parameters into logical groups. Once the assets are grouped, the system identifies the relationships between the logical groups and automatically generates granular communication policies. The policies assign permission levels to each zone, along with a specific level of trust, to help the end user understand the risk posed by every logical connection between the zones.

[Image: Policies & Zones]


Behind the scenes, the system then creates IoT- and OT-specific application-firewall-like rules and alerting policies based on the assets' types and their observed communication patterns. All policies are summarized in a familiar, user-friendly interface (similar to a firewall management interface) that lets end users visualize inter- and intra-zone communications.

Furthermore, through CTD's firewall integrations, end users can proactively enforce the segmentation policy by identifying and restricting anomalous or non-compliant communications across zones.
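As an added illustration (not Claroty's code, but a hypothetical Python sketch of the three steps described above: grouping assets by their traffic profile, deriving inter-zone allow rules from observed traffic, and raising an alert for a flow that crosses zones outside those rules), run on constructed flow records; the trust scoring mentioned above is not modelled:

```python
from collections import defaultdict
# Constructed baseline flows seen while learning: (src, dst, protocol, dst_port)
BASELINE = [
    ("hmi-1", "plc-1", "modbus", 502), ("hmi-1", "plc-2", "modbus", 502),
    ("hmi-2", "plc-1", "modbus", 502), ("hmi-2", "plc-2", "modbus", 502),
    ("eng-ws-1", "plc-1", "enip", 44818), ("eng-ws-1", "plc-2", "enip", 44818),
    ("eng-ws-1", "hmi-1", "rdp", 3389), ("eng-ws-1", "hmi-2", "rdp", 3389),
]

def traffic_profile(flows):
    """Per asset: frozenset of (direction, protocol, port) it takes part in."""
    prof = defaultdict(set)
    for src, dst, proto, port in flows:
        prof[src].add(("out", proto, port))
        prof[dst].add(("in", proto, port))
    return {a: frozenset(p) for a, p in prof.items()}

def build_zones(flows):
    """Grouping step (hypothetical): identical traffic profiles share a zone."""
    by_profile = defaultdict(list)
    for asset, profile in sorted(traffic_profile(flows).items()):
        by_profile[profile].append(asset)
    zone_of = {}
    for zid, members in enumerate(by_profile.values(), start=1):
        for asset in members:
            zone_of[asset] = f"zone-{zid}"
    return zone_of

def build_policy(flows, zone_of):
    """Policy step: allowed (src_zone, dst_zone) -> {(protocol, port)} pairs."""
    policy = defaultdict(set)
    for src, dst, proto, port in flows:
        policy[(zone_of[src], zone_of[dst])].add((proto, port))
    return dict(policy)

def check_flow(flow, zone_of, policy):
    """Alerting step: None if the flow matches policy, else an alert string."""
    src, dst, proto, port = flow
    sz, dz = zone_of.get(src), zone_of.get(dst)
    if sz is None or dz is None:  # an asset never seen during learning
        return f"ALERT unapproved asset: {src}->{dst} {proto}/{port}"
    if (proto, port) not in policy.get((sz, dz), set()):
        return f"ALERT policy violation: {sz}->{dz} {proto}/{port} ({src}->{dst})"
    return None

if __name__ == "__main__":
    zones = build_zones(BASELINE)
    pol = build_policy(BASELINE, zones)
    for f in [("hmi-1", "plc-2", "modbus", 502), ("hmi-1", "plc-1", "rdp", 3389)]:
        print(f, "->", check_flow(f, zones, pol))
```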


For situations that require customization, users can quickly review and modify the automatically generated rules, as well as create new ones based on their risk appetite. This gives users a high degree of flexibility and accuracy in tailoring the system's alert creation procedure so that they can:

  • Create and control policy alerting rules from an intuitive user interface

  • Customize the alert mechanism to match their security requirements and needs

  • Increase transparency into the alert creation and resolution process



Beyond enforcing policy-based segmentation, our alert-based integrations enable organizations to mitigate active attacks. For example, Claroty can send real-time alerts about unapproved devices or compromised assets on the network, allowing existing firewalls to automatically quarantine or otherwise isolate the communicating device until it has been properly investigated, approved, or fixed.
