CISO Series: Why Visibility is Foundational for OT Vulnerability Management
By Galina Antova | April 30, 2020
When it comes to securing your operational technology (OT) environment, an ounce of prevention is worth a pound of cure. While the ability to detect and remediate threats is fundamental to any comprehensive cyber-defense strategy, security teams should strive to eliminate opportunities for adversaries to enter their organization’s OT network in the first place. Enter vulnerability management.
To reduce risk, your team must be able to identify, prioritize, and remediate common vulnerabilities and exposures (CVEs) effectively and efficiently. But like many other core facets of cybersecurity, vulnerability management is uniquely challenging when dealing with OT environments due to myriad factors. Since vulnerability management is one of the most nuanced—and often vexing—facets of OT security, let’s start by focusing on its most foundational element: visibility.
Identifying All OT Assets Within Your Environment
OT vulnerability management is not possible without OT visibility. Before your team can evaluate which vulnerabilities to prioritize, they must first determine which CVEs exist within your OT environment. And in order to identify which CVEs are present, your team needs a comprehensive, detailed, and up-to-date inventory of every single asset in your OT network.
As I discussed at length in a previous installment of our CISO Starter Series, security teams often struggle to glean meaningful visibility into OT assets for a host of reasons. When it comes to asset inventory and vulnerability management, the following challenges are particularly troubling:
It’s common for companies to operate a mix of old and new assets from multiple vendors across dozens, or even hundreds, of physical sites.
OT assets communicate using proprietary, vendor-specific protocols, so they can only be identified and inventoried using specialized, purpose-built technology.
Many offerings advertised as OT inventory solutions are in fact quite rudimentary, only capable of identifying basic attributes. But in order to determine which vulnerabilities are present within their OT environment, teams need visibility into more granular attributes, such as the exact model, firmware version, and configuration of an asset.
Claroty has spent years curating the broadest, deepest coverage of OT protocols in the industry, making it possible for users to identify and glean granular data for every single asset within even the most complex, idiosyncratic environments. Our newly enhanced Continuous Threat Detection (CTD) 4.1 delivers a detailed, real-time view of your environment with the introduction of our OT Asset Inventory Dashboard. This new dashboard allows your team to understand your environment at the micro level with an additional overlay of asset-specific analytics, while also simplifying asset inventory by providing a customizable, single-pane view.
Matching Your Assets to CVEs
A detailed, accurate inventory of OT assets is a prerequisite for identifying vulnerabilities, but that’s just half of the puzzle. To pinpoint vulnerabilities in your environment, you must also be able to match your OT assets with a database indicating which CVEs are present in which assets. Any such vulnerability database must comprehensively cover a vast array of asset models, firmware versions, and configurations in order to accurately identify all CVEs. And since many OT assets can have a useful life spanning several decades, extensive backlogs of older technologies which may still be in use must be accounted for.
As you can imagine, amassing a truly comprehensive vulnerability database is no small feat. Complicating matters further, most OT lacks any clear form of Common Platform Enumeration (CPE). Without a standardized way of describing and identifying classes of applications, operating systems, and hardware devices, the process of matching OT assets to CVEs is often time-consuming, inaccurate, and inefficient. And since the National Vulnerability Database (NVD) typically announces hundreds of new CVEs in a given month, even the most sophisticated security teams can easily find themselves in an overwhelming, never-ending game of catch-up.
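The matching step described above can be made concrete. The following is an added example (not Claroty's code or database) that normalizes vendor and model strings, parses firmware versions, and checks each asset against constructed advisories; the vendor, model, and CVE identifiers are placeholders, and an asset with unknown firmware is flagged for review rather than silently cleared.

```python
"""Constructed example: matching an OT asset inventory to a vulnerability
database keyed on (vendor, model, firmware range) when no CPE exists."""
import re
from dataclasses import dataclass
from typing import Optional

def norm(s: str) -> str:
    """Collapse spelling variants ("Example-Vendor", "EXAMPLE VENDOR") to one key."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def parse_version(s: str):
    """'v2.1' -> (2, 1, 0); returns None when no numeric version is present."""
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    return parts + (0,) * (3 - len(parts)) if parts else None

@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder id, not a real CVE
    vendor: str
    model: str
    min_fw: str       # first affected firmware (inclusive)
    fixed_fw: Optional[str]  # first fixed firmware (exclusive); None = no fix

VULN_DB = [  # constructed advisories
    Advisory("CVE-EXAMPLE-0001", "Example Vendor", "PLC-1000", "1.0", "2.3.1"),
    Advisory("CVE-EXAMPLE-0002", "Example Vendor", "PLC-1000", "2.0", None),
    Advisory("CVE-EXAMPLE-0003", "Example Vendor", "RTU-50", "0.0", "4.0"),
]

INVENTORY = [  # constructed inventory records, as a discovery tool might emit them
    {"id": "plc-line1", "vendor": "EXAMPLE VENDOR", "model": "plc 1000", "firmware": "v2.2.0"},
    {"id": "plc-line2", "vendor": "Example-Vendor", "model": "PLC-1000", "firmware": "2.3.1"},
    {"id": "rtu-sub7", "vendor": "Example Vendor", "model": "RTU-50", "firmware": "unknown"},
]

def affected(asset: dict, adv: Advisory):
    """True = affected, False = not affected, None = firmware unknown (needs review)."""
    if norm(asset["vendor"]) != norm(adv.vendor) or norm(asset["model"]) != norm(adv.model):
        return False
    fw = parse_version(asset["firmware"])
    if fw is None:
        return None
    if fw < parse_version(adv.min_fw):
        return False
    return adv.fixed_fw is None or fw < parse_version(adv.fixed_fw)

def match_inventory(inventory, db):
    """Map each asset id to the CVEs it is affected by and those needing manual review."""
    result = {}
    for asset in inventory:
        entry = result.setdefault(asset["id"], {"affected": [], "review": []})
        for adv in db:
            verdict = affected(asset, adv)
            if verdict is True:
                entry["affected"].append(adv.cve)
            elif verdict is None:
                entry["review"].append(adv.cve)
    return result
```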
To address this common challenge, Claroty has developed an extensive database of vulnerable protocols, configurations, external connections, and other CVEs. By automatically mapping customers’ assets to our vulnerability database, Claroty enables customers to identify OT security flaws with accuracy, ease, and efficiency.
Claroty CTD 4.1 eliminates false positives and tedious manual efforts, detecting exact-match CVEs with nuance and precision. And since the Claroty research team’s latest vulnerability discoveries—as well as the latest CVEs from the NVD—are added to our vulnerability database as soon as they are available, you can rest assured knowing you’ll automatically be notified of any previously unknown security flaws present within your OT environment.
To learn more about the Claroty Platform and its new features, request a demo.