AWS Partner Network (APN) Blog

Improve Your Security Posture with Claroty xDome Integration with Amazon Security Lake

By Ashok Mahajan, Sr. Partner Solutions Architect, ISV Startups – AWS
By Ryan Dsouza, Principal Solutions Architect – AWS

Industrial digital transformation is accelerating the convergence of operational technology (OT) with information technology (IT). As critical infrastructure organizations explore how this can deliver a clear competitive advantage, they are leveraging Internet of Things (IoT), cloud computing, artificial intelligence (AI), machine learning (ML), and other digital technologies.

The increasing connectivity between OT and IT, along with the growing number of connected devices, increases the attack surface which organizations need to protect.

This requires a broad, integrated, and automated defense-in-depth security approach since the traditional approaches to security often aren’t effective. Without full visibility and control of traffic entering and exiting OT networks, a cyber event can quickly spread between IT and OT environments.

In the 10 security golden rules for industrial IoT (IIoT) solutions, Amazon Web Services (AWS) recommends deploying security audit and monitoring mechanisms across OT, IIoT, and cloud environments, collecting security data in a security data lake and analyzing them using SIEM tools within a security operations center (SOC).

In this post, we show how to stream security events from Claroty xDome to Amazon Security Lake to centralize your security data for more efficient storage, query, and analysis. This enables customers to quickly analyze multiple years of security data across OT, IIoT, and cloud environments, using their preferred tools for security analytics and building resilient operations by enhancing threat detection and response capabilities.

Claroty is an AWS Partner and cybersecurity software company that secures the safety and reliability of industrial control networks. Claroty xDome is available in AWS Marketplace.

Background

Current security approaches can leave data hidden in silos across your security infrastructure (OT, IIoT, edge, and cloud), and make it cost-prohibitive to collect vast amounts of security data over decades and to centralize that data for visibility, analytics, security investigations, and incident response.

The growing influx of data from connected devices adds to the complexity, as security teams are already struggling to search and analyze security data at scale. Conducting security investigations across complex heterogeneous factory and cloud environments can be challenging, creating blind spots across data silos which bad actors could exploit.

Identifying and stopping security breaches requires a modern approach to collect, integrate, and normalize your enterprise security data in a central location such as a security data lake. The security data lake can centralize years of security data and streamline the process of accessing this data, which gives your security teams broader visibility to investigate and respond to suspicious activities using their preferred analytics tools, without duplicating data.

Overview of Amazon Security Lake + Claroty xDome

Amazon Security Lake automatically centralizes security data from cloud, edge, IoT, IIoT, OT, and custom sources into a purpose-built data lake stored in your AWS account.

With Security Lake, you can get a more complete understanding of your security data across your entire organization. You can also improve the protection of your workloads, applications, and data.

Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service can normalize and combine security data from AWS and a broad range of enterprise security data sources.

Claroty xDome is a modular cybersecurity solution designed to enable cyber and operational resilience for Industrial Control System (ICS) and OT environments. It provides real-time, in-depth visibility into network assets so that you can manage assets, identify and assess network vulnerabilities and risk, and detect threats originating both internally and externally.

Claroty xDome identifies and monitors the industrial network using asset discovery methods such as passive monitoring, Claroty Edge, and/or integrations with common configuration management database (CMDB) and asset management tools, supported by its library of XIoT protocols.

By parsing asset communications, Claroty xDome is able to quickly and accurately provide network vulnerability insights, communication policy recommendations, and alert network administrators to possible security incidents.

Solution Architecture

In order to realize the full benefits of IT/OT convergence and IIoT, it’s important to manage the risk which comes from connecting these systems to external untrusted networks. To enable security monitoring across OT and IT, critical infrastructure organizations first need to collect OT and IIoT-specific security data to provide ongoing visibility into OT assets, active threats, and vulnerabilities across the whole industrial network.

The integration between Claroty xDome and Amazon Security Lake is designed to provide comprehensive visibility and security for ICS, OT, IIoT, edge, and cloud environments, enabling organizations to protect critical infrastructure and assets.

Amazon Security Lake and Claroty xDome help bridge the gap between IT and OT security challenges by bringing OT/IT security data together in a purpose-built data lake in the customer’s AWS account, so that security teams can act on that data faster.

Key features and benefits include:

  • Centralization: Amazon Security Lake automatically centralizes an organization’s security data from cloud providers and on-premises sources such as OT into a purpose-built data lake in a customer’s AWS account, enabling customers to aggregate, normalize, and store data in a consistent format.
  • Automation: Security Lake automatically orchestrates the end-to-end process, from data lake creation to normalizing AWS logs and security findings to OCSF, saving time and reducing costs for security teams.
  • Integration: Security Lake combines AWS and third-party sources such as Claroty xDome that support OCSF, and optimizes data into a format that’s easy to store and query, enabling customers to use their preferred security and analytics tools.
  • Improved security visibility: Security Lake provides greater visibility for security teams to identify and understand events, and reduce the time to resolve security issues.
  • Simplifying OT-IT convergence: Security Lake can provide the data that IT/OT stakeholders need to complete security work without creating barriers or slowing down processes. This helps bridge the IT/OT gap and improves the maturity of your cybersecurity program.

Figure 1 – Claroty xDome and Amazon Security Lake integration architecture.

Configuration and Integration Steps

Prerequisites

Amazon Security Lake integrates with multiple third-party services, either as sources or as subscribers. Claroty xDome acts as a source for Amazon Security Lake, and the integration involves the following steps.

Step 1: Adding a Custom Data Source in Amazon Security Lake

  1. Sign in to the AWS Management Console and search for Amazon Security Lake. Alternatively, you can open the Amazon Security Lake console.
  2. By using the AWS region selector in the upper-right corner of the page, select the region where you want to create the custom source.
  3. Choose Custom sources in the navigation pane, and then choose Create custom source.
  4. Note the External ID as it appears in the Claroty – AWS Security Lake integration form in the Claroty dashboard:
    • Log in to the Claroty xDome dashboard.
    • Click the Settings tab in the navigation bar and select System Settings from the drop-down menu.
    • Select Claroty Supported from the sidebar menu.
    • Select SIEM from the Integration Category drop-down, or search for Amazon Security Lake. Click Add, and the Amazon Security Lake integration configuration dialog will open.

Figure 2 – Claroty dashboard-AWS Security Lake integration page.

  5. In the Create custom data source page, enter the information for the following fields and click Create:
    • Data source name: Enter a regionally unique name for your custom source; example: Claroty-xDome.
    • OCSF event class: Select Security Finding.
    • Account ID: Enter the account ID provided by the Claroty xDome team.
    • Service access: Create a new role or use an existing role.
    • External ID: Paste the External ID you copied from the Claroty dashboard in the previous step.

Figure 3 – Create custom source in Amazon Security Lake.

  6. Next, navigate to AWS Identity and Access Management (IAM) in your console and select Roles under Access management. Copy the Role ARN of the role that was created; this role is what grants Claroty xDome write access to your security lake. If you used the Security Lake console, it creates all necessary IAM roles for you.

Figure 4 – Role ARN for access by Claroty.
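
The role created in this step is assumed by an account you do not control, so its trust policy is the control worth checking before you hand over the Role ARN: it should allow sts:AssumeRole only from the Claroty account ID and only when the caller presents the External ID from the xDome form (that condition is what stops a different tenant of the same provider from assuming your role). The check below is an added example, not code from the post or from Claroty or AWS; the account ID, External ID and trust policies are constructed placeholders, and the checker also handles string, list and wildcard principals beyond the single case the console produces.

```python
import json

# Constructed placeholder values (not real identifiers from the post):
CLAROTY_ACCOUNT_ID = "111122223333"    # account ID the Claroty xDome team provides
EXTERNAL_ID = "example-external-id"    # External ID shown in the xDome integration form

# Constructed trust policy of the shape the Security Lake console creates for a
# custom-source role: the provider account may assume the role only when it
# presents the matching sts:ExternalId.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CLAROTY_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})

# Constructed weak policy: any AWS principal, no External ID required.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["sts:AssumeRole"]}],
})


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, provider_account, external_id):
    """Return a list of problems found in a custom-source role trust policy.

    An empty list means every Allow statement for sts:AssumeRole is limited to
    the provider account and requires the expected External ID.
    """
    problems = []
    policy = json.loads(policy_json)
    assume_statements = 0
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        assume_statements += 1
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*" or provider_account not in str(p):
                problems.append(f"principal not limited to provider account: {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    if assume_statements == 0:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems
```

Run it against the trust policy shown on the role's Trust relationships tab in IAM (the JSON you would paste into `policy_json`) before sharing the ARN.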

Step 2: Set Up Amazon Security Lake Integration in xDome

Before exporting data into Amazon Security Lake, you need to add and configure the integration from the Claroty xDome self-service integrations page.

  1. Log in to the Claroty xDome dashboard.
  2. Click the Settings tab in the navigation bar and select System Settings from the drop-down menu.
  3. Select Claroty Supported from the side-bar menu.
  4. Select SIEM from the Integration Category drop-down, or search for Amazon Security Lake.

Figure 5 – Claroty dashboard add integration.

  5. Click + Add.
  6. The Amazon Security Lake integration configuration dialog will open.
  7. Add the Amazon S3 bucket URI and the ARN of the role copied in Step 1 above, and then select the region where you created the source.

Figure 6 – Claroty integration config.

  8. Add the Name for the integration and any notes.
  9. Configure the types of alerts on the Export Alerts left navigation tab. Select All or the ones you want to send, and then click Apply.

Figure 7 – Claroty integration alert type config.

Congratulations! You have enabled streaming of Claroty xDome findings to Amazon Security Lake.

Conclusion

In this post, you learned how to stream operational technology (OT) security alerts from Claroty xDome to Amazon Security Lake. This enables you to centralize security data visibility from cloud and on-premises sources such as OT, IIoT, and edge across your accounts and regions.

This gives you the visibility to manage the risk that comes with OT/IT convergence and to improve your organization’s security posture when implementing IIoT and digital transformation projects.

The xDome solution can be extended by collecting data from AWS services and using third-party integrations.

For more information, check out the Claroty integration guide and Amazon Security Lake resources. You can also learn more about Claroty xDome in AWS Marketplace.
