This post is part of our Feature Spotlight series, which dives into specific features and capabilities of The Claroty Platform. You can find more posts like this in the Feature Spotlight section of The Claroty Blog.
Operational technology (OT) assets exist on multiple levels throughout the network, perform vastly different tasks, and require varying levels of human interaction. The security challenges that a disparate network of OT assets can create are compounded by the fact that many such assets utilize proprietary protocols that make them incompatible with traditional security tools and therefore difficult to identify and monitor. As we've written about in the past, understanding the barriers to OT visibility is the first step to overcoming this challenge.
As visibility into the network grows, so does the number of potential system alerts. Once assets are identified and information about them is gathered, determining which assets pose the highest risk to your network is a critical next step in securing that network.
Claroty Continuous Threat Detection (CTD) uses a granular mechanism to score risk for each asset on the network. This self-learning algorithm enables users to identify and further understand the nature of an asset's risk in order to better prioritize and remediate related alerts and vulnerabilities.
Within CTD, five parameters are scored individually to arrive at each asset's overall risk score: vulnerability, criticality, accessibility, infection, and threat. These parameters are categorized as low, medium, or high risk for each asset based on the following criteria:
Vulnerability: CTD matches every asset against the latest common vulnerabilities and exposures (CVE) data from the National Vulnerability Database and determines the vulnerability level from the number of CVEs that apply to the asset and their corresponding common vulnerability scoring system (CVSS) scores. This parameter is also shaped by the protocols the asset uses and how secure they are.
Criticality: The criticality parameter, which is based on each asset's functional qualities and network privileges, reflects how important the asset is to the overall network and how much damage could be inflicted were it to be compromised.
Accessibility: The accessibility parameter is based on an asset's network location (i.e., its subnet), its communication with risky assets and/or zones, and the asset's own network behavior (i.e., how many open ports it exposes).
Infection: The infection parameter indicates the extent of an asset's ability to spread malicious content to other assets and is based on the asset's policies, baseline behaviors, privileges, and protocols.
Threat: The threat parameter indicates whether the asset is already considered a threat and is based on open alerts. It also reflects asset insights that potentially indicate suspicious behavior, such as talking with external or ghost assets.
The image below provides an example of what this looks like within Claroty CTD. This particular asset has a high risk score, with each of the five parameters providing context into why they are scored a certain way. A graphical representation of this information is also provided to help users prioritize remediation efforts. For example:
The high vulnerability score is largely due to the large number of unpatched CVEs. CTD Insights provides the user with information on how to rectify this.
The asset's infection score indicates that it sits close to communication paths between important zones. Network administrators can use this information to prioritize the upkeep and monitoring of those zones and ensure they are protected against anomalous behavior.
Image 1: Claroty CTD asset risk score details.
The asset risk score matters beyond what it says about a single asset. To see why, consider the overall structure of The Claroty Platform's risk scoring. Claroty's network risk scoring comprises multiple layers, in ascending order: assets, virtual zones, and site. Each layer's risk score is influenced by its own parameters as well as the overall scores of the layers below it. For example, a virtual zone's risk score is influenced by its own metrics as well as the risks associated with the assets in that zone.
Image 2: Hierarchy of Claroty risk assessment.
These three layers are interdependent and are calculated dynamically to ensure the most up-to-date score is available. When multiple sites are present, a consolidated risk score is calculated within Claroty Enterprise Management Console (EMC), Claroty's centralized management platform.
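To make the two ideas above concrete, the five low/medium/high parameters per asset and the asset-to-zone-to-site roll-up, here is an added illustration in Python. It is not Claroty code and does not reproduce CTD's self-learning algorithm, which the post does not detail: the 1/2/3 encoding of the levels, the CVE-count and CVSS thresholds in `vulnerability_level`, the averaging and 50/50 blending weights, the equal-width bands in `band`, and all asset, zone and CVE identifiers are assumptions constructed for the example. What it does show is the structural property the post describes: a single high-risk asset pulls its zone's score up, and the worst zone pulls the site score up.

```python
"""Illustrative hierarchical risk roll-up (assets -> virtual zones -> site).

Added example, not Claroty's algorithm. Every threshold, weight and the
1/2/3 encoding of low/medium/high is an assumption made for illustration.
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class CVE:
    cve_id: str   # placeholder identifier for the example, not a real CVE
    cvss: float   # CVSS base score, 0.0-10.0


def vulnerability_level(cves, patched=frozenset()):
    """Assumed rule: level from the number of unpatched CVEs and the worst CVSS score."""
    open_cves = [c for c in cves if c.cve_id not in patched]
    if not open_cves:
        return "low"
    worst = max(c.cvss for c in open_cves)
    if worst >= 9.0 or len(open_cves) >= 5:
        return "high"
    if worst >= 7.0 or len(open_cves) >= 2:
        return "medium"
    return "low"


def band(score):
    """Map a 1.0-3.0 score back to low/medium/high (assumed equal-width bands)."""
    if score < 1.67:
        return "low"
    if score < 2.34:
        return "medium"
    return "high"


@dataclass
class Asset:
    name: str
    vulnerability: str
    criticality: str
    accessibility: str
    infection: str
    threat: str

    def score(self):
        """Assumed combination: mean of the five parameter levels (1.0-3.0)."""
        levels = [LEVEL[p] for p in (self.vulnerability, self.criticality,
                                      self.accessibility, self.infection,
                                      self.threat)]
        return sum(levels) / len(levels)


@dataclass
class Zone:
    name: str
    own_level: str   # the zone's own metric, e.g. its exposure (assumed input)
    assets: list

    def score(self):
        # Assumed blend: half the zone's own metric, half its riskiest asset,
        # so one high-risk asset raises the zone (lower layer influences upper).
        worst_asset = max(a.score() for a in self.assets)
        return 0.5 * LEVEL[self.own_level] + 0.5 * worst_asset


def site_score(zones):
    """Assumed blend: half the worst zone, half the average zone."""
    scores = [z.score() for z in zones]
    return 0.5 * max(scores) + 0.5 * (sum(scores) / len(scores))


# Constructed sample data; identifiers, levels and CVSS values are invented.
SAMPLE_CVES = [CVE("CVE-EXAMPLE-1", 9.8), CVE("CVE-EXAMPLE-2", 7.5)]

PLC = Asset("plc-01", vulnerability=vulnerability_level(SAMPLE_CVES),
            criticality="high", accessibility="medium", infection="high",
            threat="low")
HMI = Asset("hmi-01", "medium", "medium", "high", "low", "low")
HISTORIAN = Asset("hist-01", "low", "medium", "high", "low", "medium")

CELL_ZONE = Zone("cell-1", "medium", [PLC, HMI])
DMZ_ZONE = Zone("ot-dmz", "high", [HISTORIAN])
SITE = [CELL_ZONE, DMZ_ZONE]


def report(zones):
    """Return (name, score, band) rows for every layer, site first, so the
    rows can be sorted to prioritize remediation from the top down."""
    rows = [("site", site_score(zones), band(site_score(zones)))]
    for z in zones:
        rows.append((z.name, z.score(), band(z.score())))
        for a in z.assets:
            rows.append((a.name, a.score(), band(a.score())))
    return rows


if __name__ == "__main__":
    for name, score, level in report(SITE):
        print(f"{name:10s} {score:4.2f} {level}")
```

Running it shows the effect the post describes: `plc-01` is high because two unpatched CVEs, one critical, push its vulnerability parameter up; that single asset lifts `cell-1` above its own medium exposure, and the site lands in the high band even though only one of its five-parameter assets is itself high. Patching `CVE-EXAMPLE-1` (pass it in `patched`) drops the PLC's vulnerability parameter to medium, which is exactly the kind of remediation the Insights view is meant to prioritize.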
A site's overall hygiene score acts as a barometer of an OT network's security posture. Understanding the risk environment, down to the individual asset, is an essential step in preventing attacks on the network.