Blog / 4 min read
Industrial cybersecurity vendors often speak about asset discovery as if it's a commoditized capability. To Claroty, this would be like saying that the bricks of a house are as structurally important as the wallpaper. In this piece, we will to look deeper into Claroty's three asset discovery methods, what makes each one unique, and how they work together.
How industrial cybersecurity solutions reveal network assets and their communication patterns is often overlooked for the reasons why we need visibility in the first place. We've written extensively on why full visibility is foundational for managing risk in industrial environments, as well as the barriers to achieving it. A quick recap would tell us that without full visibility into the industrial environment, an organization has no benchmark or baseline against which to measure and understand the vulnerabilities, threats, and resulting risks that may be present within it.
The process of gaining full visibility into the industrial environment is often challenging due to a variety of factors ranging from antiquated equipment sets that use a multitude of often-proprietary communication protocols, to complex and inherently insecure network configuration. These conditions lead to a reality where enterprises have very little insight into what is actually connected to their industrial network, making comprehensive visibility the first step in enhancing their security posture. Claroty is purpose-built for revealing industrial networks, and it starts with our three methods for asset discovery: Passive monitoring, Active queries, and AppDB parsing.
For the reasons mentioned above, using multiple discovery techniques is important in order to obtain the most comprehensive view of your industrial network. Through years of research and development efforts, as well as close relationships with a number of industrial automation vendors, Claroty is able to maintain support for the industry's largest library of industrial protocols. Backed by this caliber of protocol coverage, the following three methods of asset discovery enable us to reveal and contextualize 100% of known, poorly understood, and previously invisible assets. For our customers, the result is a centralized, always up-to-date inventory of OT, IoT, and IIoT assets as well as their behavioral baselines.
Passive: This form of asset discovery is common among ICS vendors and is generally the first form of discovery that an enterprise will employ to map its network. This is because it is a safe and simple way to gain a large amount of network visibility with little to no network impact. Passive data monitoring works by reconfiguring a switch in the industrial network with a SPAN, mirror, or monitor port to copy data and send it to Claroty for processing. This one-way data transfer ensures that Claroty cannot negatively impact the industrial environment while it gathers enriched information about network assets such as their firmware version, model numbers, rack slot data, and configuration files. Passive monitoring also allows Claroty to identify risks and vulnerabilities present within assets such as CVEs or show signs of potentially erroneous or malicious behavior.
Active: In order to target more specific parts of the network, such as deeper and more complex layers of the environment, an enterprise can use Active queries. Active queries allow the system to identify and extract data from devices directly and in the protocol that they are designed to accept. For example, Claroty's system can request information from a PLC in the same communication message that comes from an engineering workstation. Utilizing this method helps to ensure that Claroty's queries are precise and completely safe and non-disruptive because they do not encumber the network with unnecessary traffic.
AppDB: This unique, non-intrusive asset discovery method allows Claroty to ingest and parse backup configuration files for industrial devices, such as PLCs, directly. AppDB is ideal for parts of the network that are air-gapped, cannot be connected to directly, and/or contain assets that cannot be discovered via the passive or active techniques. By ingesting backup configuration files for these assets, Claroty is able to provide immediate visibility into the network and can monitor multiple networks simultaneously while eliminating the need to connect to them.
Although the majority of network assets can be discovered within minutes of deploying passive monitoring, depending on how frequently these assets communicate, it can take weeks to fully map out behavioral patterns. Utilizing a mix of all three asset discovery techniques can dramatically reduce this timeline while providing for a more comprehensive look at the industrial environment.
For example, after beginning a passive data acquisition run you're able to detect the majority of assets on the network within a matter of minutes based solely on current network traffic. However, your network contains assets that only communicate on a weekly basis and others that are air-gapped for security purposes. This is where Claroty asset discovery's multiple techniques come into play.
For assets that communicate infrequently, it can be difficult to assess their behavioral patterns on a passive basis in order to create a baseline by which anomalous behavior can be detected. Knowing this, you submit active queries to those assets in order to extract information directly from them, preempting the long wait for their next communication. For the assets that are air-gapped, you send data from your enterprise's backup & restore system to Claroty so that these devices can be identified and their data added to the asset database.
By using all three of these methods in conjunction with one another, you're able to quickly and comprehensively create and maintain a constantly up-to-date asset database, complete with enriched asset information, behavioral baselines, unpatched CVEs, and configuration files.