OT Security Firm Claroty Expands IoT Tracking Focus Footprint

OT Security Firm Claroty Expands IoT Tracking Focus Scope

Having started with a focus on OT security, the startup will help customers track a wider variety of connected devices.

Written by Brian Buntz
22nd July 2019

A promotional blurb on cybersecurity security startup Claroty’s website boasts the firm is fluent in industrial protocols. “We were born and raised in the world of Modbus, Profibus and DeviceNet.” It continues: “We think in S7 and dream in DNP3. We go beyond Ethernet/IP into the realms of the most arcane Fieldbus and serial protocols.”

Now, it is adding IoT devices to that list, defining “Internet of Things” as a sort of umbrella term for nontraditional networked devices. “Put me in the camp of someone who thinks ‘IoT’ is used way too cavalierly,” said Dave Weinstein, chief security officer at Claroty. “What we mean by IoT, with respect to operational technology networks, is basically everything else — everything other than an OT device or something that’s clearly a traditional [networked] IT device.”

The latest version of Claroty’s Continuous Threat Detection OT security software, release 3.5, is designed to enhance network visibility to include such IoT miscellany. The software also includes new functionality to help security professionals deal with false alarms.

“As a former CISO and CTO myself, one of the biggest pain points that my teams had was just getting overburdened by all these alerts coming in. We would spend countless hours chasing down alarms that turned out in many cases just to be false positives,” Weinstein said.

Security professionals, who are generally most familiar with traditional IT devices, often struggle to make sense of anomalous network data from OT or IoT devices. “The triage process is really painful because they often just don’t understand what they see in their queue,” Weinstein said.

Claroty built an alert algorithm to ensure an alert fed into its central interface represents a security or operational security event. “That’s opposed to what the rest of the industry is doing, which is literally alerting on every single change on the network,” Weinstein said. “They’re saying these are machine-to-machine networks and they’re repeatable and predictable. If there’s a change, because of the criticality of the equipment, somebody needs to know about it,” he continued. “That sounds great. But in practice, it’s just an absolute disaster for security teams.”

Claroty has developed a machine learning algorithm using training data to improve the performance of the system over time. “I guess we could call it ‘AI’ if we wanted to, but frankly, you know, that carries a different meaning than what we are actually doing.”

One thing such IoT devices have in common with traditional industrial equipment networks is the increased attack surface they create. IT and security professionals clearly understand the cyber-risk such devices pose. But many struggle to get a concrete picture of how many IoT devices they have on their network, according to Weinstein.

“I’ll give you kind of a tangible anecdote that we see all the time that applies to OT networks as much as IoT devices,” Weinstein said. “We will walk into a manufacturing facility or a plant from a Fortune 500 company with significant IT security operations already in place. We’ll ask the person in charge to hand over an inventory of the assets on their network,” he continued. That individual will tend to hand over a manually populated list of devices. “And we’ll use that as a baseline to compare their inventory against whatever we discover and we’ll spend a couple of hours listening to their traffic. Nine times out of 10, we will discover an order of magnitude greater number of devices than what they have in their inventory.”

While a number of other security startups offer a similar pitch as far as network visibility is concerned, Claroty has more support than many of its competitors. It’s attracted roughly $100 million in venture funding since its founding, thanks in part to its skill in monitoring OT devices and industrial cybersecurity.

“And actually equally, if not more important than the dollar figure is the partners that we’ve brought with us along the way who have backed us,” Weinstein added. Notably, those partners include three of the top industrial automation vendors — Siemens, Rockwell Automation and Schneider Electric, which manufacture a large share of OT systems internationally.

The three companies participated in Claroty’s last funding round and are also customers and go-to-market partners. “We leverage them as our channel partners,” Weinstein said. “A big part of our story has been building a really solid technology, tailor-made for OT networks, and then amassing an ecosystem of partners, both on the go-to-market side, but also the investor side that is highly credible in the field of operational technology.”

The company’s current customer base more than a dozen distinct industries in more than 20 countries.

Given Claroty’s wide reach, the main thrust of its latest Continuous Threat Detection OT security software is more about giving current customers new capabilities than attracting new ones. “It’s not so much about expanding the market as much as it is about delivering more within our existing core verticals and customer environment,” Weinstein said.