Feature Spotlight: Asset Discovery with NetFlow Support
By Lior Hammer | August 6, 2020
This post is part of our Feature Spotlight series, which dives into specific features and capabilities of The Claroty Platform. You can find more posts like this in the Feature Spotlight section of the Claroty Blog.
We often talk about asset discovery as the first step in securing operational technology (OT) environments because, without knowing which assets are in your environment, you won’t be able to identify or remediate threats and vulnerabilities impacting those assets. As a result, you also won’t be able to accurately assess, much less reduce, risk in that environment.
At Claroty, we provide the extensive OT visibility our customers need primarily through our three well-known asset discovery methods. But on top of those, we’re also able to utilize information from network devices that support NetFlow to further enhance this visibility and the overall value we provide to our customers.
NetFlow and Visibility
As an internal feature of some original equipment manufacturer (OEM) network devices, mainly routers, NetFlow captures statistical data and sends it to a specific destination. Data that is collected can be used to determine parameters of network communication such as protocols, the volume of traffic, and its source and destination.
NetFlow-enabled devices also have an inherent ability to communicate with Claroty Continuous Threat Detection (CTD) hosts. For customers who already have such devices in their OT environments, this can reduce the number of CTD sensors required to deploy The Claroty Platform.
Specifically, these NetFlow-enabled devices can be configured to automatically send NetFlow traffic to CTD. Utilizing this traffic, CTD can create behavioral baselines that can then be leveraged for security enhancements that do not require the full extent of information gathered from deep packet inspection. These enhancements include, for example, the ability to detect unsecured protocols in use, define alert criteria to be monitored by CTD, and implement policies for the flow of network traffic.
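As an added illustration of what a flow record carries and of the baseline-and-policy check described above, the following example code (written for this post, not Claroty's or CTD's own code) parses NetFlow v5 export datagrams, builds a conversation baseline from one batch of records, and then flags flows in a later batch that either use clear-text protocols or fall outside the baseline. The record layout is the public NetFlow v5 export format; the sample datagrams, addresses, and the list of clear-text ports are constructed for the example.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire formats in network byte order (assumed from the public v5
# export format; the page does not describe the layout itself).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

# Clear-text TCP services a defender would want surfaced on an OT network.
# Constructed list for this example; adapt to the site's own policy.
UNSECURED_TCP_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts,
    refusing truncated datagrams and unsupported versions."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header promises %d records" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]),   # srcaddr
            "dst": socket.inet_ntoa(f[1]),   # dstaddr
            "packets": f[5],                 # dPkts
            "octets": f[6],                  # dOctets
            "sport": f[9],                   # srcport
            "dport": f[10],                  # dstport
            "proto": f[13],                  # IP protocol number
        })
    return flows


def build_baseline(flows):
    """Aggregate flows into (src, dst, proto, dport) conversations with their
    total byte counts: the 'known communication' baseline."""
    baseline = defaultdict(int)
    for f in flows:
        baseline[(f["src"], f["dst"], f["proto"], f["dport"])] += f["octets"]
    return dict(baseline)


def analyze(flows, baseline):
    """Return (unsecured, new): flows on clear-text TCP services, and flows
    whose conversation tuple never appeared in the baseline."""
    unsecured, new = [], []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        if f["proto"] == 6 and f["dport"] in UNSECURED_TCP_PORTS:
            unsecured.append((key, UNSECURED_TCP_PORTS[f["dport"]]))
        if key not in baseline:
            new.append(key)
    return unsecured, new


def make_v5_datagram(records):
    """Build a v5 datagram from (src, dst, sport, dport, proto, packets, octets)
    tuples. Only used to construct sample input for this example."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pk, oc, 0, 0,
                       sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for src, dst, sp, dp, pr, pk, oc in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


# Constructed sample traffic: an HMI polling two PLCs over Modbus/TCP and an NTP query.
BASELINE_DATAGRAM = make_v5_datagram([
    ("10.1.1.10", "10.1.2.20", 50000, 502, 6, 120, 9600),
    ("10.1.1.10", "10.1.2.21", 50001, 502, 6, 80, 6400),
    ("10.1.2.20", "10.1.1.5", 1234, 123, 17, 4, 304),
])
# A later batch: the known polling plus a Telnet session from a host never seen before.
LIVE_DATAGRAM = make_v5_datagram([
    ("10.1.1.10", "10.1.2.20", 50100, 502, 6, 100, 8000),
    ("10.1.3.99", "10.1.2.20", 4321, 23, 6, 12, 900),
    ("10.1.1.10", "10.1.2.21", 50102, 502, 6, 90, 7200),
])


def run_example():
    baseline = build_baseline(parse_v5(BASELINE_DATAGRAM))
    unsecured, new = analyze(parse_v5(LIVE_DATAGRAM), baseline)
    return baseline, unsecured, new


if __name__ == "__main__":
    baseline, unsecured, new = run_example()
    print("baseline conversations:", len(baseline))
    print("clear-text flows:", unsecured)
    print("flows outside baseline:", new)
```

The point of keying the baseline on destination port and protocol rather than on the ephemeral source port is that repeated Modbus polls from the same HMI collapse into one conversation, while a Telnet session from an unfamiliar address shows up both as a clear-text service and as a conversation the baseline has never seen, which is exactly the kind of finding flow data alone can support without payload inspection.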
Traditionally, when we talk about achieving visibility with The Claroty Platform we split it up into three discovery methods:
Passive: Continuous, real-time monitoring of the OT network with zero additional traffic
Active: Precise, targeted queries of OT assets that generate generally low traffic
App DB: Utilizes proprietary file formats to retrieve data stored on devices
With the addition of NetFlow as a form of asset discovery and monitoring, Claroty is able to cast a wider net when identifying assets on an industrial network. NetFlow supplements Claroty discovery methodologies in the following ways:
Complementary to Claroty’s existing asset discovery methodologies, NetFlow augments these capabilities to help achieve full visibility. This comes with the added benefit of leveraging existing network hardware, making the solution easier to deploy while reducing the cost of installing additional hardware.
To learn more about Claroty’s enhanced discovery techniques, or to see them in action, request a demo.