By Grant Geyer | October 28, 2020

The requirements for securing your operational technology (OT) network have changed drastically since the COVID-19 pandemic began. Remote work is now the norm, economic uncertainty has amplified the consequences of operational disruption, adversaries eager to exploit these conditions persist — and you’ve had no choice but to adapt.

Arming you to continue protecting what powers your business — no matter the circumstances — is at the heart of our latest iteration of The Claroty Platform.

Announced today, the platform’s new enhancements aim to help organizations adapt their OT security posture to the expanded attack surface, variable work conditions, and other challenges brought on or exacerbated by the global pandemic. This means not only arming our customers to keep threats and adversaries outside of their OT environments, but also equipping them to seamlessly and securely allow defenders and responders inside of those environments.

With Continuous Threat Detection (CTD) 4.2 and Secure Remote Access (SRA) 3.1, The Claroty Platform is the industry’s first complete OT security solution to offer remote incident management as a fully integrated capability spanning the entire incident lifecycle. Customers are now even better-equipped to detect, investigate, and respond to OT incidents across the broadest possible attack surface area from any location. Here’s a quick look at how:

Detection

Rapid detection of OT threats helps minimize response times and, as a result, exposure to risk. We realize this is especially crucial currently given that the uncertainty and change fueled by COVID-19 seem to have emboldened adversaries. Indeed, out of 1,100 IT and OT security executives polled in a recent survey, 56% have faced more threats and 70% have seen adversaries use new tactics against their organization since the pandemic began.

Our new enhancements to the platform support rapid detection by delivering deeper, faster insight into unauthorized or suspicious activity from remote users, process value changes, and greater alert context backed by the collective wisdom of the Claroty community. Highlights include:

  • The ability to receive alerts related to OT remote user activity. The platform’s Enterprise Management Console (EMC) can now receive alerts when OT remote users partake in both common operational behaviors as well unauthorized activities via SRA. This helps the security operations center (SOC) identify, prioritize, and take action against such activities that could impact OT process integrity or otherwise endanger operational continuity.
  • Wisdom of the Crowd. Alerts from CTD 4.2 are now enriched with insights into how similar events or indicators have manifested in other OT environments across Claroty’s entire customer base. This context reduces alert fatigue and guides prioritization decisions by giving SOC analysts confidence as to whether an alert indicates a true threat or false positive.

Investigation

We’ve observed that investigating OT incidents has also grown more challenging for many organizations since the start of COVID-19, and this is largely due to the expansion of remote workforces. One part of the issue is that many commonly used remote access tools obfuscate user activity, making it difficult to correlate activity from remote users with other events. This can be particularly problematic when such activity is unauthorized and/or pertains to incidents or user errors that could impact OT process integrity.

Another part of the issue is that investigating OT incidents typically requires onsite access to network assets and forensic data, but physical distancing and travel restrictions related to the pandemic limit responders from obtaining this access. Without it, effectively and efficiently investigating such incidents becomes nearly impossible.

Eager to help our customers overcome these challenges, we designed CTD 4.2 and SRA 3.1 with the following enhanced capabilities:

  • Ability to investigate OT remote user activity. When the platform’s EMC receives an alert related to a remote session via SRA, customers can now more-easily investigate it. Live monitoring and full-length recordings for each SRA session can be accessed within such alerts, thereby optimizing investigations for incidents tied to OT remote user activity.
  • Ability to investigate OT incidents remotely. While the EMC has always been accessible from a secure browser connection, its enhanced ability to receive (and enable users to investigate) alerts related to SRA sessions further supports remote investigations of OT incidents. Customers can now leverage the EMC to remotely investigate alerts related to remote user activity; and if access to OT assets is also required to collect forensic data or support further analysis, this can be easily obtained remotely via SRA.
  • Ability to gain greater insight into business criticality. A key part of any incident investigation is understanding the criticality of the involved assets in the context of the business. Customers can now enrich assets across all sites globally with Global Custom Attributes such as business criticality, asset owner, and other important context to help drive investigation processes. Once defined, these attributes can be easily accessed and adjusted for any and all assets as needed from the EMC.

Response

As the third focal point of our enhancements to The Claroty Platform, OT incident response is also among the toughest security functions to carry out amid conditions surrounding COVID-19. With a greater number of OT remote connections comes an increased likelihood that employees or third-parties may remotely make changes that could impact OT process integrity.

Quickly responding to these types of incidents is crucial for supporting remediation, which is why we included the following additions to the platform as part of CTD 4.2 and SRA 3.1:

  • Ability to immediately disconnect remote users. When the EMC receives an alert related to an active SRA session, administrators now have the option to immediately disconnect the session directly from the EMC. This capability helps limit incidents from escalating in order to minimize the impact on OT process integrity.
  • New integrations with ServiceNow and Swimlane. The ease of tools that support OT incident response can impact response times. By integrating The Claroty Platform with these types of existing tools, customers can leverage its response capabilities without having to expand their tech stacks or overcome a new learning curve. More specifically, the new integration between The Claroty Platform and ServiceNow enables customers to manage all OT, IoT, and IT asset information, as well as all related workflows, on a single pane of glass within ServiceNow’s CMDB and ticketing systems. Meanwhile, the platform’s new integration with Swimlane populates all CTD alert information within the Swimlane SOAR platform where users can easily leverage it to define, automate, and orchestrate corresponding response and remediation workflows.

As I noted earlier, these enhancements provided by CTD 4.2 and SRA 3.1 now distinguish The Claroty Platform as the first of its kind to offer fully integrated remote incident management capabilities that empower organizations to adapt their OT security posture for even the most difficult and uncertain of circumstances. I couldn’t be prouder of the entire Claroty team for helping us reach this milestone, and I’m honored to stand behind a product that will help our customers overcome some of their toughest challenges to better protect what matters most.

Claroty CTD 4.2 and SRA 3.1 will be generally available this quarter. To learn more about The Claroty Platform, request a demo.