Detecting Operational Technology Threats with Claroty and LogRhythm

Operational Technology Security with LogRhythm

Attacks on operational technology (OT) have been rising for the last decade.[1] The rise began with the Stuxnet worm that attacked Programmable Logic Controllers (PLCs) in SCADA systems and has increased sharply in the last few years. Much of this increase is due to the migration of ransomware from IT environments to OT environments. NotPetya malware, especially, has focused its attacks on critical infrastructure, threatening the loss of data and paralyzing corporations and government agencies.

Claroty and LogRhythm for Effective Operational Technology Visibility

To support protection and best practice guidelines, you might consider implementing OT security platforms such as Claroty in OT infrastructure. Claroty Continuous Threat Detection (CTD) provides visibility, threat monitoring, and insights into industrial control system (ICS) networks.

When integrated with the LogRhythm SIEM Platform’s full stack of capabilities, your team receives consolidated, centralized security visibility of your OT environment. LogRhythm’s platform ingests security events from Claroty CTD, correlates these events with other data from solutions such as antivirus or endpoint detection and response (EDR), and provides risk-based analytics to detect attacks in your environment.

LogRhythm RespondX also offers security orchestration, automation and response (SOAR) features for rapid response options to help reduce both mean time to detect (MTTD) and mean time to respond (MTTR).

Operational Technology Security Events and Use Cases

Although protecting IT environments and protecting OT environments have their differences, there are some similarities when it comes to detecting lateral movement from a malware attack.

We will explore how integrating Claroty CTD with the LogRhythm SIEM can help you detect EternalBlue, a common high-impact malware that utilizes lateral movement.

Investigate a Malware Infection

Using scenario-based analytics, LogRhythm can correlate events from Claroty that are related to EternalBlue to provide a holistic view of your OT environment.

LogRhythm dashboard of investigating a malware infection
Figure 1: LogRhythm collects and classifies Claroty events that relate to malware infection

Gather Forensic Evidence

It’s important to gather forensic evidence to help your team identify, understand, and stop an attack quickly. Forensic evidence also serves as important intel for other investigations.

The Claroty and LogRhythm integration allows you to see the original logs from the Claroty system in the LogRhythm dashboard. This dashboard will show your team where an attack started and help it decide the next best steps to take.

LogRhythm dashboard of forensic evidence
Figure 2: LogRhythm retains Claroty’s original logs as forensic evidence

Detect Asset Changes in Your OT Environment

While there are similarities when detecting malware in IT and OT environments, there is a significant difference in monitoring “new asset” events in OT environments.

In typical IT environments, “new asset” events don’t raise eyebrows because the use of dynamic host configuration protocol (DHCP) and bring your own device (BYOD) practices cause frequent asset changes. However, in OT environments, “new asset” events are less common and require monitoring. If a new asset registers, it could simply be an approved system, or it could be an attacker trying to penetrate your OT environment.

Detect Asset Changes in Your OT Environment in LogRhythm SIEM
Figure 3: LogRhythm detects “New Asset” from Claroty’s logs

Detect Mode Changes in Your OT Environment

Claroty CTD detects anomalies in customer environments such as configuration changes, baseline deviations, and OT system mode changes. These are important changes to monitor in OT environments because they do not happen frequently.

Detect Mode Changes in Your OT Environment
Figure 4: LogRhythm detects “Mode Change” from Claroty’s logs

Monitor Any Change in Your OT Environment

LogRhythm provides a Claroty Change Monitoring Dashboard to monitor any changes in your OT environment in one view. This dashboard provides trend information about when most changes happen within your environment, so you can see when there is an anomaly. This dashboard is available in the dashboards section in Community under Shareables.
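The three detection ideas above (flagging a “new asset” that is not in the approved inventory, surfacing controller mode changes, and looking at when changes cluster in time so that an off-hours change stands out) can be illustrated on Claroty-style CEF events. The following Python is an added example written for this post, not code from LogRhythm or Claroty: the sample CEF lines are constructed, and the signature IDs, event names and extension keys (`rt`, `shost`, `cs1Label`/`cs1` and so on) are assumptions rather than the real Claroty CTD CEF schema, which the configuration guide documents.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in CEF format (illustrative only; the field
# names and signature IDs are assumptions, not the real Claroty CTD schema).
SAMPLE_CEF = """\
CEF:0|Claroty|CTD|4.0|101|New Asset|5|rt=2023-03-01T02:14:00Z src=10.10.1.57 shost=PLC-LINE3 cs1Label=assetType cs1=PLC
CEF:0|Claroty|CTD|4.0|101|New Asset|5|rt=2023-03-01T02:15:30Z src=10.10.1.99 shost=UNKNOWN-LAPTOP cs1Label=assetType cs1=Engineering Station
CEF:0|Claroty|CTD|4.0|205|Mode Change|7|rt=2023-03-01T02:16:10Z src=10.10.1.57 shost=PLC-LINE3 cs1Label=fromMode cs1=RUN cs2Label=toMode cs2=PROGRAM
CEF:0|Claroty|CTD|4.0|301|Configuration Change|6|rt=2023-03-01T09:00:00Z src=10.10.1.12 shost=HMI-01
CEF:0|Claroty|CTD|4.0|301|Configuration Change|6|rt=2023-03-01T09:05:00Z src=10.10.1.12 shost=HMI-01
"""

# Event names the change-monitoring view counts (assumed names).
CHANGE_EVENTS = {"New Asset", "Mode Change", "Configuration Change"}

# CEF header fields are separated by unescaped pipes; the 8th field is the extension.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension key=value pairs are separated by the space that precedes the next key,
# so values containing spaces ("Engineering Station") survive.
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9]+=)")


def parse_cef(line):
    """Parse one CEF line into header fields plus an 'ext' dict of extension keys."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ext = {}
    for pair in _EXT_SPLIT.split(parts[7]):
        key, _, value = pair.partition("=")
        ext[key] = value.replace("\\=", "=")
    return {
        "vendor": parts[1],
        "product": parts[2],
        "signature_id": parts[4],
        "name": parts[5],
        "severity": int(parts[6]),
        # ISO timestamp in rt is an assumption; real feeds often use epoch milliseconds.
        "time": datetime.strptime(ext["rt"], "%Y-%m-%dT%H:%M:%SZ"),
        "ext": ext,
    }


def load_events(text):
    return [parse_cef(line) for line in text.splitlines() if line.strip()]


def flag_new_assets(events, approved_hosts):
    """Hostnames from 'New Asset' events that are absent from the approved inventory."""
    return [e["ext"].get("shost") or e["ext"].get("src")
            for e in events
            if e["name"] == "New Asset" and e["ext"].get("shost") not in approved_hosts]


def flag_mode_changes(events):
    """(host, from_mode, to_mode) for every controller mode change seen."""
    out = []
    for e in events:
        if e["name"] != "Mode Change":
            continue
        # cs<N>Label names the meaning of cs<N>; map labels back to values.
        labels = {e["ext"].get("cs%dLabel" % i): e["ext"].get("cs%d" % i) for i in range(1, 7)}
        out.append((e["ext"].get("shost"), labels.get("fromMode"), labels.get("toMode")))
    return out


def changes_by_hour(events):
    """Change events per hour: the trend a change-monitoring dashboard displays."""
    return Counter(e["time"].strftime("%Y-%m-%dT%H")
                   for e in events if e["name"] in CHANGE_EVENTS)


def off_hours_changes(events, start_hour=8, end_hour=18):
    """Change events outside the expected maintenance window, i.e. review candidates."""
    return [e for e in events
            if e["name"] in CHANGE_EVENTS and not (start_hour <= e["time"].hour < end_hour)]


if __name__ == "__main__":
    evts = load_events(SAMPLE_CEF)
    print("unapproved new assets:", flag_new_assets(evts, {"PLC-LINE3"}))
    print("mode changes:", flag_mode_changes(evts))
    print("changes by hour:", dict(changes_by_hour(evts)))
    print("off-hours changes:", len(off_hours_changes(evts)))
```

Running it reports `UNKNOWN-LAPTOP` as the only unapproved new asset, a single `RUN` to `PROGRAM` transition on `PLC-LINE3`, and three of the five changes landing at 02:00, outside the 08:00 to 18:00 window. The approved inventory and the maintenance window are the two inputs an OT team owns; the example keeps them as plain parameters so they can be tuned per site without touching the parsing logic.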

Monitor Any Change in Your OT Environment with LogRhythm
Figure 5: Claroty Change Monitoring Dashboard

OT Security Threat Hunting with Claroty

Dashboards are a vital component for investigation, because they provide the status of your OT security environment at a glance. Most analysts’ first step during a threat-hunting exercise is to look at the alarms view in their LogRhythm dashboard. The alarms view provides notifications on what events or traffic require further investigation.

Alarms view in their LogRhythm dashboard
Figure 6: The LogRhythm Alarms view alerts you to suspicious incidents or events

With the LogRhythm Alarms view, you can prioritize investigation and drill down to the correlated events that triggered the alarms for further analysis.

LogRhythm SmartResponse Automation
Figure 7: New alarm with highest risk value is linked to a SmartResponse™ automation action

High-priority alarms, like ransomware alarms, can be linked to LogRhythm SmartResponse™ automation to trigger actions. With SmartResponse, you can enable actions like vulnerability scans, quarantine of an infected host, and disabling user accounts in seconds.

Control and Manage Events in One Platform

With the Claroty dashboard, you can use LogRhythm as a centralized platform to control and manage all events in your OT environment.

In the dashboard, you can identify an attack on your OT environment, understand if the attack came from inside or outside your environment, and do further analysis.

Claroty dashboard in LogRhythm
Figure 8: The LogRhythm Claroty Dashboard gives you a centralized view of your OT environment

To gather more information, LogRhythm provides pivot-searching capabilities. By double-clicking data in the dashboard, which in this case is “possible malware” under common events, you can identify which hostname or IP address generated the event.

In the same dashboard, you can also run a SmartResponse automation task for your firewall’s policy to add the infected system into a block list and quarantine the infected hostname or IP address.
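The pivot-and-respond flow just described (start from the “possible malware” common event, find the hostname or IP address behind it, decide whether it is inside or outside the OT network, and hand the result to a block-list or quarantine action) is shown below on normalized events. This is an added example for this post, not LogRhythm’s pivot search or SmartResponse code: the event dicts and their field names are constructed, the internal address range is an assumed example, and the `protected_hosts` set is an assumption representing controllers that should not be isolated by an automated action.

```python
import ipaddress
from collections import Counter

# Constructed, normalized events as they might look after the SIEM parses Claroty
# logs. Field names are assumptions for this example, not LogRhythm's schema.
EVENTS = [
    {"common_event": "Possible Malware", "host": "HMI-01", "src_ip": "10.10.1.12", "dst_ip": "10.10.1.57"},
    {"common_event": "Possible Malware", "host": "HMI-01", "src_ip": "10.10.1.12", "dst_ip": "10.10.1.58"},
    {"common_event": "Possible Malware", "host": "ENG-02", "src_ip": "203.0.113.40", "dst_ip": "10.10.1.12"},
    {"common_event": "Mode Change", "host": "PLC-LINE3", "src_ip": "10.10.1.12", "dst_ip": "10.10.1.57"},
]

# Address space considered "inside" the OT environment (assumed example range).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def pivot(events, common_event):
    """Pivot on a common event: how many times each (host, source IP) produced it."""
    return Counter((e["host"], e["src_ip"]) for e in events
                   if e["common_event"] == common_event)


def origin(ip):
    """'inside' if the address falls in the OT ranges, otherwise 'outside'."""
    addr = ipaddress.ip_address(ip)
    return "inside" if any(addr in net for net in INTERNAL_NETS) else "outside"


def build_response(events, common_event, protected_hosts=frozenset()):
    """Turn pivot results into response actions for a SmartResponse-style automation.

    Inside hosts are quarantined, outside addresses are blocked at the perimeter,
    and hosts in protected_hosts (e.g. controllers) are escalated for manual review
    instead of being isolated automatically (a design assumption of this example).
    """
    actions = {}
    for (host, ip), count in pivot(events, common_event).items():
        where = origin(ip)
        if host in protected_hosts:
            action = "escalate"
        elif where == "inside":
            action = "quarantine"
        else:
            action = "block"
        actions[ip] = {"ip": ip, "host": host, "origin": where,
                       "events": count, "action": action}
    return [actions[ip] for ip in sorted(actions)]


if __name__ == "__main__":
    for rule in build_response(EVENTS, "Possible Malware", protected_hosts={"PLC-LINE3"}):
        print(rule)
```

On the sample data the pivot shows `HMI-01` (10.10.1.12) raising the common event twice from inside the plant network, so it is marked for quarantine, while the single hit from 203.0.113.40 is an outside address and gets a perimeter block entry. Keeping the decision in a small function like `build_response` makes it easy to review what an automation would do before it is wired to a firewall.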

Automation in LogRhythm NextGen SIEM
Figure 9: Pivot Search and SmartResponse actions allow you to investigate further and automate tasks

Geolocation Capabilities

LogRhythm Geolocation Dashboard
Figure 10: LogRhythm Dashboard with integrated geolocation capabilities

LogRhythm also provides a dashboard for interactive network visualization with integrated geolocation capabilities. This geolocation information helps you identify the country where an attack originated and temporarily block any traffic in and out of that country until a ransomware outbreak is contained.

Rapid Case Creation

LogRhythm Case Management allows you to organize the data you gather during an investigation in a central repository to ensure you don’t overlook anything in the case.

By using Case Management, you can build a case to show a relationship between the ransomware information and malware classification information you gathered from your Claroty dashboards. With this information, you’re able to track the incident and add all related events, forensic files, and any additional notes all in the same user interface.

LogRhythm Case Management
Figure 11: Case Management gives you a place to organize all the data from an investigation in one central place

LogRhythm also incorporates Case Management into our Web Console using playbooks. You can attach playbooks to cases to give an analyst step-by-step guidance on how to resolve an incident effectively and efficiently.

LogRhythm Playbooks
Figure 12: LogRhythm Playbooks are included with Case Management to give anyone on your team step-by-step instructions to resolve an incident

Incident Metrics

Once you have resolved the issue and moved to closing the case, you should use incident metrics to strengthen your team’s operations. LogRhythm’s incident metrics, which show MTTD and MTTR values, can help improve your incident management processes.

LogRhythm Metrics Dashboard
Figure 13: The LogRhythm MTTD and MTTR dashboard helps improve incident management processes

Manage OT Environment Security Incidents

As cyberattacks on OT environments continue to increase, it will be critical to have a NextGen SIEM platform that can meet the unique security needs of an OT environment. LogRhythm’s integration options allow teams in OT environments to manage events from a range of solutions, correlate events, and automate security workflow tasks from one platform.

To get started, visit the Community to download our Claroty CTD CEF configuration guide.

[1] Fortinet Operational Technology Security Trends Report, Fortinet, May 13, 2019