AWS Partner Network (APN) Blog

Improve Your Security Posture with Claroty xDome Integration with AWS Security Hub

By Ryan Dsouza, Principal Solutions Architect – AWS
By Yoni Salomon, Principal Solutions Architect – Claroty

Industrial digital transformation is driving changes to the operational technology (OT) landscape, making it more connected to the internet, IT systems, and solutions.

The trend of OT/IT convergence and use of industrial internet of things (IIoT) technologies for industrial digital transformation is expected to continue along with the growing number of connected devices. OT and IIoT systems are important to supporting critical infrastructure and maintaining national security—and security of these systems is a top priority.

As critical infrastructure customers adopt IIoT and new technologies to improve operational efficiencies and reduce unplanned downtime, they should be aware of the additional cybersecurity risk of connecting OT to IT and IIoT systems.

Among the risks is an expanding cyber-attack surface, which may lead to an increase in security events. These events could originate in OT and move to IT, or vice versa, which makes security monitoring across the full attack surface important. In addition, legacy OT systems are insecure by design, were developed without cybersecurity in mind, and lack modern security features.

With OT/IT convergence, there is greater access to critical OT systems and increasing susceptibility to malware and ransomware. A cybersecurity event in OT can cause operational shutdowns and may have environment, health, and safety implications. Even in cases where the OT systems are not directly impacted, the knock-on effects can result in OT networks being shut down because of concerns over the ability to operate and monitor them safely.

Given these significant risks to the security of OT, Amazon Web Services (AWS) recommends following the 10 security golden rules for IIoT solutions, including deploying security monitoring and centrally managing alerts across OT, IIoT, and cloud.

In this post, we describe how Claroty xDome and AWS Security Hub can be used for security and vulnerability monitoring and provide visibility of security events to teams responsible for operational monitoring, without the costly and often time-consuming effort needed to integrate OT security solutions into existing Security Operations Center (SOC) solutions.

Claroty is an AWS Partner and cybersecurity software company that secures the safety and reliability of industrial control networks. Claroty xDome is available in AWS Marketplace.

Solution Overview

Claroty xDome is now directly integrated with AWS Security Hub, and this integration allows you to ingest alerts and vulnerability data from xDome into Security Hub, with minimal configuration. This enables customers to implement security monitoring across OT, IIoT, and cloud environments with AWS Security Hub.

Claroty xDome is a modular cybersecurity solution designed to enable cyber and operational resilience in Industrial Control System (ICS) and OT environments. It provides real-time, in-depth visibility into network assets in order to manage those assets, identify and assess network vulnerabilities and risk, and detect threats originating both internally and externally.

Claroty xDome leverages the broadest and deepest portfolio of Extended Internet of Things (XIoT) protocol coverage, along with Claroty Team82’s domain-specific research into these protocols, to provide a highly detailed, centralized inventory of XIoT assets. XIoT encompasses all cyber-physical devices connected to the internet.

Claroty xDome provides asset visibility through three distinct, highly flexible methods that can be combined or used separately based on the unique needs of each OT environment:

  • Passive monitoring: Continuous monitoring of network traffic to identify and enrich asset details and communication profiles.
  • Claroty Edge: Strategically placed, quick, and safe querying of difficult or otherwise unreachable parts of the network.
  • Integration ecosystem: Seamlessly integrate with common configuration management database (CMDB) and asset management tools to further enrich asset details and optimize enterprise asset management.

Claroty xDome identifies and monitors the industrial network using these asset discovery methods and its library of XIoT protocols. By parsing asset communications, Claroty xDome is able to quickly and accurately provide network vulnerability insights, communication policy recommendations, and alert network administrators to possible security incidents.

AWS Security Hub provides a centralized view of your security posture in AWS and helps check your environment against security standards and current AWS security recommendations. AWS Security Hub ingests findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Systems Manager Patch Manager.

Traditionally, OT and IT/cloud teams have worked on separate sides of the air gap as laid out in the Purdue Model. This can result in siloed OT, IIoT, and cloud security monitoring solutions, creating blind spots bad actors could exploit.

In order to realize the full benefits of IT/OT convergence and IIoT, IT and OT teams are better off if they join forces to mount the most effective defense and build trust. The convergence trend is not limited to newly-connected devices; it also applies to how security and operations are now working closely together.

Customers who are already using AWS Security Hub to get a comprehensive view of their security state in AWS can now bring in security events from their Claroty xDome security monitoring solution using the Claroty xDome out-of-the-box Security Hub integration to get a single-pane-of-glass view for their security teams.

With the direct integration of Claroty xDome to AWS Security Hub, you can view alerts and vulnerabilities seen within your OT/IIoT network alongside events from other AWS security services, to centrally view and improve the security posture of your on-premises OT and IIoT environments as well as your cloud-based environment.

In addition, with the direct integration of AWS IoT Device Defender with AWS Security Hub, you can send audit and detect findings from modern IoT/IIoT devices to Security Hub. This helps you view and manage security alerts centrally in Security Hub and can improve your security posture across OT, IIoT, and cloud, which is essential when implementing IIoT solutions.

Figure 1 – Security monitoring architecture.

Solution Configuration Walkthrough

Prerequisites

  • You must have AWS Security Hub set up in the region where you’re deploying the solution. To set this up, refer to the documentation.
  • You must have Claroty xDome installed within your network.

AWS Security Hub integrations allow aggregating security finding data from several AWS services and from supported AWS Partner Network (APN) security solutions.

The “Integrations” page in the AWS Security Hub console provides access to all of the available AWS and third-party product integrations. The AWS Security Hub API also provides operations to allow you to manage integrations.

Figure 2 – AWS Security Hub console showing Claroty xDome integration.

Step 1: Set Up Claroty xDome Integration in AWS Security Hub

Navigate to AWS Security Hub > Integrations in your AWS account to see and accept findings from Claroty xDome for your use case.

  • Under the Integrations section, filter for integrations and enter Claroty.
  • Choose Accept findings.
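
The same acceptance step can be scripted through the Security Hub API, which helps when several accounts or Regions need the integration. This is an added example, not code from AWS or Claroty; it assumes boto3, a CompanyName of "Claroty" in the Security Hub product catalog, and a client created for the Region you will select in xDome.

```python
def product_key(arn):
    # Product ARNs end ".../product/<company>/<product>" and subscription ARNs
    # ".../product-subscription/<company>/<product>"; compare on that suffix.
    return "/".join(arn.split("/")[-2:])

def paged(call, key):
    """Follow NextToken until every page of a Security Hub list call is read."""
    items, token = [], None
    while True:
        page = call(**({"NextToken": token} if token else {}))
        items += page[key]
        token = page.get("NextToken")
        if not token:
            return items

def accept_findings(client, company="Claroty"):
    """Enable finding import for one vendor's products; return new subscription ARNs."""
    # "Claroty" as the catalog CompanyName is an assumption; check DescribeProducts output.
    enabled = {product_key(a) for a in
               paged(client.list_enabled_products_for_import, "ProductSubscriptions")}
    created = []
    for product in paged(client.describe_products, "Products"):
        if product.get("CompanyName", "").lower() != company.lower():
            continue  # another vendor's integration
        if product_key(product["ProductArn"]) in enabled:
            continue  # already accepting findings from this product
        resp = client.enable_import_findings_for_product(ProductArn=product["ProductArn"])
        created.append(resp["ProductSubscriptionArn"])
    return created

if __name__ == "__main__":
    import boto3  # needs AWS credentials and a default Region
    print(accept_findings(boto3.client("securityhub")))
```

An empty list on a second run means the integration was already accepting findings.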

Congratulations! You have enabled AWS Security Hub to accept Claroty xDome findings. You can continue with the following sections to set up the integration in Claroty xDome.

Step 2: Set Up AWS Security Hub Integration in Claroty xDome

In your Claroty xDome account:

  • Log in to Claroty xDome.
  • Go to Setting > Claroty Supported.
  • Scroll down to AWS Security Hub and click +Add.
  • Type in your AWS account ID.
  • Select the AWS region.
  • Click Apply.

Figure 3 – AWS Security Hub configuration in Claroty xDome.

If you want to export alerts:

  • Under Integration Tasks, choose Export Alerts.
  • Select the alert types and attributes of the alerts you want to send to Security Hub.
  • Click Apply.

Figure 4 – Selecting alerts in Claroty xDome to export to AWS Security Hub.

If you want to export vulnerabilities:

  • Under Integration Tasks, choose Export Vulnerabilities.
  • Select the vulnerability types, CVSS threshold, and attributes of the vulnerabilities you want to send to Security Hub.
  • Click Apply.

Figure 5 – Select vulnerabilities in Claroty xDome to export to AWS Security Hub.

AWS Security Hub Findings

When a CVE is sent to AWS Security Hub, you will see the following:

Figure 6 – Vulnerability information seen in AWS Security Hub.

To get more details regarding the asset, you should click on the Finding ID and look for the Asset ID.

Figure 7 – Finding JSON in AWS Security Hub.

In the xDome console, go to Devices and search for the Asset ID. Then, on the asset page, look for the relevant vulnerability.

Figure 8 – Asset view in Claroty xDome.

When an alert is sent to AWS Security Hub, you will see a finding like the one in Figure 9. Follow the same steps as above to look up the alert in the xDome console.

Figure 9 – Security alert in AWS Security Hub.
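
Once findings arrive, the per-finding asset lookup described above can be batched. The following added example (not part of the original post or of either product) groups open Security Hub findings by asset ID so each asset can be searched under Devices in xDome. The sample findings are constructed, and reading the asset ID from Resources[].Id is an assumption to check against your own Finding JSON.

```python
import json
ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # ASFF Severity.Label

# Constructed findings in AWS Security Finding Format (ASFF), trimmed to the fields
# used below. Taking the asset ID from Resources[].Id is an assumption.
SAMPLE = json.loads("""[
 {"Title": "Constructed vulnerability A", "RecordState": "ACTIVE",
  "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "Other", "Id": "asset-0001"}],
  "Vulnerabilities": [{"Id": "CVE-0000-0001", "Cvss": [{"BaseScore": 9.8}]}]},
 {"Title": "Constructed vulnerability B", "RecordState": "ACTIVE",
  "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "Other", "Id": "asset-0001"}],
  "Vulnerabilities": [{"Id": "CVE-0000-0002", "Cvss": [{"BaseScore": 7.5}]}]},
 {"Title": "Constructed alert: policy violation", "RecordState": "ACTIVE",
  "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "Other", "Id": "asset-0002"}]},
 {"Title": "Constructed alert: already handled", "RecordState": "ACTIVE",
  "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "RESOLVED"},
  "Resources": [{"Type": "Other", "Id": "asset-0003"}]}
]""")

def is_open(f):
    # Active findings that nobody has resolved or suppressed yet.
    return (f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED"))

def triage(findings, min_label="HIGH"):
    """Return one row per asset, worst severity first, for lookup under Devices."""
    floor, assets = ORDER.index(min_label), {}
    for f in filter(is_open, findings):
        rank = ORDER.index(f.get("Severity", {}).get("Label", "INFORMATIONAL"))
        if rank < floor:
            continue
        vulns = f.get("Vulnerabilities", [])
        scores = [c["BaseScore"] for v in vulns for c in v.get("Cvss", []) if "BaseScore" in c]
        for res in f.get("Resources") or [{"Id": "unknown"}]:
            row = assets.setdefault(res["Id"], {"asset_id": res["Id"], "rank": rank,
                                                "max_cvss": None, "cves": set(), "alerts": []})
            row["rank"] = max(row["rank"], rank)
            row["cves"].update(v["Id"] for v in vulns)
            row["max_cvss"] = max([s for s in scores + [row["max_cvss"]] if s is not None], default=None)
            if not vulns:  # no CVE attached, so treat the finding as an alert
                row["alerts"].append(f.get("Title", ""))
    ordered = sorted(assets.values(), key=lambda r: (-r["rank"], r["asset_id"]))
    return [{**r, "severity": ORDER[r["rank"]], "cves": sorted(r["cves"])} for r in ordered]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

In practice the input is the Findings list returned by the Security Hub GetFindings API, filtered to the Claroty product.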

Congratulations! You have enabled the integration between Claroty xDome and AWS Security Hub for near real-time security monitoring across OT, IIoT, and cloud environments.

Conclusion

In this post, you learned how to stream operational technology (OT) security events (alerts and vulnerability data) from Claroty xDome to AWS Security Hub. This enables you to gain a centralized view of security findings across both your OT and cloud environments when implementing Industrial Internet of Things (IIoT) solutions.

By ingesting OT security events into AWS, customers are able to combine OT telemetry data with security data to get additional context and deeper insights and situational awareness of their OT, IIoT, and cloud security posture.

The xDome solution can be extended by using additional AWS services to correlate AWS Security Hub findings from multiple AWS security services. To learn more, read this AWS blog post.
