In celebration of this partnership, CrowdStrike and Claroty have come together to recommend 6 Best Practices for Securing Industrial Environments. These six steps are a recommendation for organizations deploying both an Endpoint Detection and Response (EDR) solution — such as the CrowdStrike Falcon platform — and a broader network security solution — such as Claroty Continuous Threat Detection (CTD).
This blog series takes a deeper look at each recommended practice, the reasoning behind its necessity, and how the CrowdStrike-Claroty joint solution addresses each one.
If you are reading this, you will no doubt already have a sense of the complexity and scale of many industrial networks. Operations, processes, and the systems supporting them have become inextricably connected to the greater OT/IT environment, and as this convergence escalates, the number of unknown devices — and by extension the amount of risk — present in OT networks can be difficult to account for.
Visibility into these unknown ICS network components will be top of mind for many, so the first step, "secure the known," should ideally be undertaken in tandem with the second best practice, "secure the unknown and build comprehensive visibility." However, if you must choose a first priority, it should be to secure what is known to be critical as soon as possible.
Deploying an EDR solution wherever possible creates an effective spine for the industrial environment's cyber defenses, and the information collected by solutions such as CrowdStrike Falcon brings tremendous value to organizations beyond its core function of securing endpoints. When combined with a broader network-level solution such as Claroty CTD, an EDR solution also provides an effective tethering point for monitoring, action, and investigation across the entire environment.
Image 1: A view of CrowdStrike Falcon Insight, which provides the highest level of real-time monitoring capabilities spanning detection, response, and forensics.
An efficient EDR solution will have tightly integrated prevention capabilities to provide the visibility security teams need to uncover attackers as quickly as possible. To do so, an EDR solution records all activities of interest on the hosts for deeper inspection, both in real time and after the fact, and enriches this data with threat intelligence to provide the much-needed context for successful threat hunting and investigation.
Image 2: A view within the CrowdStrike Falcon platform of an interactive process tree with full context of the events that occurred.
With advanced EDR solutions, all malicious activities can be detected automatically, presenting teams with real attacks rather than distracting them with false positives or benign activity. Powerful response capabilities help teams contain compromised systems for further forensic investigation, with on-the-fly remote access and control to stop attacks in their tracks.
It is important to note that while many devices are capable of hosting an EDR solution, not every device can or should. The solution provider should be consulted to determine the best strategy for effective coverage in any EDR deployment.