Claroty's approach to Passive Monitoring offers continuous visibility into industrial environments by fusing our leading protocol coverage and DPI technology with unmatched flexibility that enables customers to easily combine this collection method with any of our four others to suit their needs.
This approach also embodies two tenets of our industrial cybersecurity portfolio:
First, we recognize there is no one-size-fits-all collection method or approach to XIoT asset discovery because each customer, OT environment, and industrial cybersecurity journey is unique.
Second, we also recognize that to achieve a truly comprehensive asset inventory, Passive Monitoring (or any singular collection method) alone won’t cut it. Most customers seeking 100% visibility must combine multiple methods to get there.
This limitation isn't a weakness of Claroty’s technology — it’s a vendor-agnostic reality of collection itself. It’s also why Claroty is proud to be the only vendor to offer a whopping five highly flexible, mix-and-match collection methods designed to empower you to gain full visibility across your industrial environment, your way.
Passive Monitoring has long been the industry's default method for asset discovery in industrial environments. Here's why:
Passive Monitoring creates no additional traffic and does not interact directly with assets. As a result, it has no impact on the OT environment and thus poses no risk to operational availability, integrity, or safety.
A key reason why Passive Monitoring has long been the industry’s status quo for asset discovery is that it can typically identify and reveal rich details on most types of XIoT assets within most OT environments.
Passive Monitoring analyzes traffic continuously, enabling it to not only pinpoint any changes in the OT environment — but also automatically update the asset inventory to reflect those changes in real-time.
Beyond discovering assets, Passive Monitoring also delivers visibility into communication baselines, operational behaviors, potential threats, and other insights integral across the industrial cybersecurity journey.
Have questions about Passive Monitoring? You're not alone! See below for answers to questions we often receive about this collection method — and if you're seeking additional information or would like to speak with one of our experts, contact us here.
A: Passive Monitoring works by reconfiguring a switch in the OT network with a SPAN, mirror, or monitor port to copy the packets of traffic sent between the network’s assets. These copied data points are then sent to an on-premise or cloud-based server for analysis via deep packet inspection (DPI), which identifies the respective assets and their vendor, model, operating system, and other details.
The depth and accuracy of these details are critical to the effectiveness and efficiency of a range of subsequent use cases such as asset management, vulnerability & risk management, network protection, threat detection, and more.
A: Passive Monitoring is the status-quo collection method for asset discovery in industrial environments. But while the method itself is widely available in the market, Claroty's approach is differentiated.
Unlike other vendors' offerings, the Passive Monitoring built-in to Claroty CTD and xDome can be easily combined with our other collection methods to suit each customer’s needs. Since our solutions also support an unmatched 450+ protocols, they are uniquely compatible with — and able to discover — even the most obscure types of OT, IoT, and other XIoT assets.
A: Yes. Since Passive Monitoring works by inspecting traffic, it is not suitable for discovering assets that seldom communicate (and, thus, seldom generate traffic). The redundant assets typically found in electric grids — and that only communicate in failover situations — are among many common examples of this.
But even among assets that do generate traffic frequently, some are still problematic for Passive Monitoring due to their specific protocols. For example, Modbus, a protocol widely used by BMS assets, typically reveals very little about an asset in its communications. So while Passive Monitoring might be able to identify that a Modbus asset is, for instance, an elevator, it may not be able to pinpoint its vendor, firmware, or other details that are key to protecting that elevator and the critical function it serves.
A: While Claroty's approach to Passive Monitoring makes it highly effective, no singular collection method (whether from Claroty or elsewhere) is a silver bullet. Passive Monitoring in particular simply cannot discover certain types of assets and details due to how they communicate and other limitations that exist to varying degrees in nearly all industrial environments. Unfortunately, this reality can be easy to overlook amid the abundance of misinformation and misleading claims from other vendors — most of which offer only Passive Monitoring as their sole collection mention.
Recognizing how crucial it is for our customers to have 100% visibility into the assets that underpin their operations, Claroty has long been committed to delivering it. This is why we're proud to be the only vendor to offer five distinct collection methods. While using Passive Monitoring alone will nearly always be insufficient, combining it with our Safe Queries, Claroty Edge, and/or other methods has been consistently proven to empower our customers with the truly full visibility they need (and can't get anywhere else).
A: Passive Monitoring has long been proven safe for even the most fragile, critical, and complex OT networks because it does not touch, alter, or otherwise impact any assets or operations.
Most concerns around potential risks to OT availability, integrity, and/or safety stem from the use of technologies or mechanisms that are not purpose-built for OT networks and/or that otherwise generate traffic that OT systems simply cannot tolerate. Since Passive Monitoring generates no traffic whatsoever — and, at least in the context of Claroty's portfolio, is only offered within solutions that are truly purpose-built for OT — it does not pose any such risks.
Claroty xDome is a highly flexible, modular, SaaS-based platform that supports all use cases and capabilities across your entire industrial cybersecurity journey.
Claroty Continuous Threat Detection (CTD) is a robust industrial cybersecurity platform that supports on-premise deployment needs without compromise.
Passive Monitoring is only one of the five highly flexible, mix-and-match collection methods that we offer our industrial cybersecurity customers. Our others include:
Claroty Edge is a unique method that uses our patented technology to deliver easy and non-disruptive — yet comprehensive — visibility into all types of assets in OT environments in just minutes without any additional hardware or configuration.
Safe Queries, which are Claroty’s differentiated approach to active scans, send highly targeted queries to segments of the OT environment to identify and enrich the assets present — all with unmatched precision and no risk of disruption.
Pioneered by Claroty, project file analysis discovers and enriches assets in a rapid, highly effective, non-intrusive manner by parsing the configuration and other project files typically stored on workstations in OT environments.
Claroty’s vast technical ecosystem includes ready-made integrations with CMDB, EDR, and dozens of other tools that extend the value of customers’ existing investments while enhancing the visibility provided by our other collection methods.