If the explosion in industrial cybersecurity start-ups over the past few years has taught us anything, it’s that the advance of these technologies is expanding our cybersecurity vocabularies as much as it is expanding our knowledge of the threats facing industry. Just a few years ago, terms like whitelisting, DMZs, network segmentation and firewalls comprised much of our industrial cybersecurity terminology. While those terms are still relevant, several new ones have been added to the list, such as: anomaly detection, one-way data diode, threat monitoring and secure file distribution.
The most recent addition to this list of terms is security posture assessment. I was introduced to the term during a meeting with Claroty at the ARC Forum 2018 event. Patrick McBride, chief marketing officer at Claroty, said this term explains the process of “capturing the details of an industrial network to produce a detailed report about an automation network’s environment and provide insights into that network’s configuration and vulnerabilities.” This capability is a new feature in Claroty’s Continuous Threat Detection v2.1 product. He noted that the security posture assessment report spotlights two areas of information: 1) Common Vulnerabilities and Exposures (CVEs) and 2) network hygiene.
Addressing CVEs, McBride said Claroty’s security posture analysis looks across the network and down to the firmware on controllers to assess potential problems. It then provides information about detected problems as well as access to patches that can fix the issue(s). In Claroty’s release about this new update to its CoreX engine, the company says that having this level of specific information ensures that users don’t waste time on vulnerabilities that don’t apply to their specific environment.
McBride described the network hygiene aspect of the security posture analysis as assessing the network’s hygiene from the inside out. “It’s like the reverse of Shodan,” McBride said, referencing the well-known site that displays the open ports on Internet-connected devices around the world. “The network hygiene analysis provides detailed insights that can include everything from DNS issues to open routes and paths on the network—even use of insecure protocols or unencrypted passwords,” he said.
Other additions to v2.1 of Claroty’s product include:
- OT Attack Vector Analysis. This feature generates specific scenarios simulating possible attack vectors that have the potential of compromising operational assets. According to Claroty, this “empowers security teams with the visibility to proactively mitigate risk and prioritize activities along the paths of greatest potential impact to their processes.”
- Enhanced Threat and Vulnerability Intelligence. This threat and vulnerability feed enables improved detection, more precise threat identification, rapid situational awareness and up-to-date information about the latest weaknesses in industrial devices.
McBride also noted that a key differentiating aspect to Claroty’s CoreX Continuous Threat Detection capability is that it does not need to be populated with malware signatures to recognize issues. “You have to be able to recognize unknowns,” he said. “We model our network using machine learning and statistical pattern matching to detect vulnerabilities. Our understanding of industrial protocols provides the context for the modeling results.”
As an example of Claroty’s ability to do this, McBride explained how the software was able to detect Triton before it became widely known by detecting an anomalous “write” communication to a controller. “CoreX has the ability to recognize unknown threats through its advanced anomaly detection,” he said. “Having this ability allows us to notify a customer that we see a certain type of anomalous behavior on their network and specifically what it changed.”
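As an added illustration of the signature-free, baseline-then-deviation approach described above (this is not Claroty's code and says nothing about how CoreX is implemented), the following Python learns which source/controller/function combinations are normal from a constructed set of Modbus-style records and then flags a write to a controller from a source that was never seen writing to it, reporting what the write would change. All hosts, function names, register addresses and values are made up for the example.

```python
"""Baseline-and-deviation check over constructed OT traffic records.

Added example, not Claroty's code. The learning phase builds a model of
which (source, destination, function) tuples are normal; the detection
phase flags writes to a controller that the model never saw and reports
the target register and value so an operator can see what changed.
"""
from collections import Counter

# Constructed records: (src, dst, protocol, function, target_register, value).
# Hosts, addresses and values are invented for this example.
LEARNING_PHASE = [
    ("10.0.1.10", "10.0.2.5", "modbus", "read_holding_registers", 100, None),
    ("10.0.1.10", "10.0.2.5", "modbus", "read_holding_registers", 101, None),
    ("10.0.1.11", "10.0.2.5", "modbus", "write_single_register", 200, 1),
    ("10.0.1.10", "10.0.2.6", "modbus", "read_coils", 1, None),
] * 25  # repeated to stand in for a longer observation window


def build_baseline(records):
    """Count how often each (src, dst, function) tuple occurred while learning."""
    return Counter((src, dst, func) for src, dst, _proto, func, _t, _v in records)


def is_write(function):
    """Constructed naming convention: write functions start with 'write_'."""
    return function.startswith("write_")


def detect_anomalies(baseline, records):
    """Return one alert per write whose (src, dst, function) tuple is absent
    from the baseline, including the register and value it would change."""
    alerts = []
    for src, dst, proto, func, target, value in records:
        if is_write(func) and baseline[(src, dst, func)] == 0:
            alerts.append({
                "src": src, "dst": dst, "protocol": proto, "function": func,
                "target_register": target, "new_value": value,
                "reason": "write from a host never seen writing to this controller",
            })
    return alerts


# Constructed detection-phase traffic: the third record is the anomaly.
DETECTION_PHASE = [
    ("10.0.1.10", "10.0.2.5", "modbus", "read_holding_registers", 100, None),
    ("10.0.1.11", "10.0.2.5", "modbus", "write_single_register", 200, 0),
    ("10.0.1.50", "10.0.2.5", "modbus", "write_single_register", 200, 0),
]

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(LEARNING_PHASE), DETECTION_PHASE):
        print(alert)
```

The known writer 10.0.1.11 is not flagged even though it changes a value, which is the point: the model keys on who talks to which controller with which function, not on a malware signature.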