Claroty Support L1 - Architecture components and terms.pptx

LeninHernnCortsLlang 1,162 views 13 slides Aug 29, 2023

Slide Content

Slide 1: Claroty Support – Architecture & Must-Know Terms

Slide 2: Support – Must Know Terms: Deployment Architecture (April 17, 2020; Copyright © 2020 Claroty Ltd. All rights reserved)

[Diagram: "Enterprise Network with Claroty Platform Deployed". Purdue levels shown, top to bottom: Level 4 Corporate IT Network; Level 3.5 IT/OT DMZ Zone; Level 3 Operations; Level 2 Process Network; Level 1 Control Network; Level 0 Field Devices. Components shown: Claroty EMC, Claroty CTD Server, Claroty CTD Sensor (two instances), Jump Box, Repl. Historian, SCADA Server, HMI, Historian, Operator Station, DNS, RTU, PLC, field devices (Pump, Valve, Sensor, Fan, Actuator), Analytics, Log Mgmt., SIEM, Security Operations Center.]

Slide 3: Support – Must Know Terms: CTD's main functionalities

[Same deployment diagram as slide 2.] CTD's main functionalities, listed in pipeline order: Network Traffic, Data Dissection, Baseline, Entity, Event, Alert, Story. Related concepts: Assets, Policy Rules, Virtual Zones.

Slide 4: Support – Must Know Terms: Training vs. Operational

Training Mode:
  - CTD constructs a baseline of communication
  - No anomaly detection
  - No operational behavior alerts
  - No asset-information-related alerts

Operational Mode:
  - Threat detection enabled
  - All system functionalities are enabled
  - CTD monitors for anomalies

Slide 5: Support – Must Know Terms: CTD Services

[Same deployment diagram as slide 2.] CTD services:
  - Icsranger (Manager)
  - Icsranger (Watchdog)
  - Co-manager
  - RabbitMQ

Slide 6: Support – Must Know Terms: CTD Workers

Pipeline concepts (as on slide 3): Network Traffic, Data Dissection, Baseline, Entity, Event, Alert, Story; Assets, Policy Rules, Virtual Zones.

Workers that implement them:
  - NetSniffer
  - Dissector / DissectorNG
  - Preprocessor
  - Concluder
  - Enricher
  - Baseline tracker

Slide 7: Support – Must Know Terms: CTD DB
  - Leecher
  - Bridge
  - Front-end DB (PSQL)
  - Back-end DB (MySQL)

Slide 8: Support – Must Know Terms: CTD example flows

Replication – the data replication from the back-end to the front-end, and eventually the UI, is:
  1. When there is a change in MySQL, files called bim.log are created.
  2. The leecher wraps those files in a CTD frame and passes them to the bridge.
  3. The bridge moves the data to PSQL.
  4. The UI queries PSQL and presents the data.
  (Flow: MySQL → Leecher → Bridge → PSQL)

Asset creation:
  1. The net-sniffer gets the data using tcpdump.
  2. The data is dissected, and the relevant information is gathered (events, baselines).
  3. The pre-processor verifies that the data is new and, if so, passes it to the processor.
  4. The processor inserts the data into the MySQL DB.
  (Flow: Net-sniffer → Dissector → Processor → MySQL)

Slide 9: Support – Must Know Terms: CTD example flows

Events:
  1. The net-sniffer gets the data using tcpdump.
  2. The dissector creates an event.
  3. The pre-processor verifies that the data is new and, if so, passes it to the processor.
  4. The processor inserts the data into the MySQL DB.
  (Flow: Net-sniffer → Dissector → Processor → MySQL)

Alerts:
  1. The concluder queries MySQL for events with no alert association.
  2. The events are then added to an existing alert or a new alert.
  3. The capsaver attaches a pcap file to the alert.
  4. The enricher adds relevant data.
  (Flow: Concluder → MySQL → Capsaver → Enricher)
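Slides 4 and 9 describe the training/operational split and the event-to-alert flow only in words. The Python model below is an added illustration, not Claroty's code, that walks a few constructed Modbus flows through those stages: in training mode every new communication tuple extends the baseline and raises nothing; in operational mode a pre-processor-style "is it new?" check drops already-stored data, each deviation from the baseline becomes an event, a concluder attaches unassigned events to an existing or new alert, and capsaver/enricher steps attach a pcap name and asset context. The class names, the (src, dst, protocol, function) baseline granularity, the group-by-(src, dst) alert rule, the IP addresses and the asset table are all assumptions made for this example.

```python
"""Toy model of the CTD pipeline stages named on these slides.
Constructed illustration only; names and data shapes are assumptions,
not Claroty's implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

# Assumed baseline granularity: one learned tuple per (src, dst, protocol, function).
FlowKey = Tuple[str, str, str, str]


class Mode(Enum):
    TRAINING = "training"        # build the baseline, raise nothing
    OPERATIONAL = "operational"  # every deviation from the baseline becomes an event


@dataclass
class Event:
    src: str
    dst: str
    protocol: str
    function: str
    alert_id: Optional[int] = None  # filled in by the concluder


@dataclass
class Alert:
    alert_id: int
    pair: Tuple[str, str]                                      # (src, dst) the concluder groups on
    events: List[Event] = field(default_factory=list)
    pcap: Optional[str] = None                                 # attached by the capsaver
    enrichment: Dict[str, str] = field(default_factory=dict)   # added by the enricher


class CtdModel:
    def __init__(self) -> None:
        self.mode = Mode.TRAINING
        self.baseline: Set[FlowKey] = set()  # learned while in training mode
        self.seen: Set[FlowKey] = set()      # everything already stored (pre-processor check)
        self.events: List[Event] = []
        self.alerts: List[Alert] = []

    def is_new(self, key: FlowKey) -> bool:
        """Pre-processor role: only data not already stored moves on."""
        return key not in self.seen

    def ingest(self, flow: Dict[str, str]) -> Optional[Event]:
        """Dissected flow -> pre-processor -> baseline tracker (training) or event (operational)."""
        key: FlowKey = (flow["src"], flow["dst"], flow["protocol"], flow["function"])
        if not self.is_new(key):
            return None                  # known communication: nothing to store
        self.seen.add(key)
        if self.mode is Mode.TRAINING:
            self.baseline.add(key)       # training: extend the baseline, no alerting
            return None
        event = Event(*key)              # operational: deviation from baseline is an event
        self.events.append(event)
        return event

    def conclude(self) -> List[Alert]:
        """Concluder role: attach events with no alert to an existing or new alert."""
        for ev in self.events:
            if ev.alert_id is not None:
                continue                 # already associated with an alert
            pair = (ev.src, ev.dst)
            alert = next((a for a in self.alerts if a.pair == pair), None)
            if alert is None:
                alert = Alert(alert_id=len(self.alerts) + 1, pair=pair)
                self.alerts.append(alert)
            alert.events.append(ev)
            ev.alert_id = alert.alert_id
        return self.alerts

    @staticmethod
    def capsave(alert: Alert, pcap_name: str) -> None:
        """Capsaver role: record the pcap that backs the alert."""
        alert.pcap = pcap_name

    @staticmethod
    def enrich(alert: Alert, assets: Dict[str, str]) -> None:
        """Enricher role: add asset context for both ends of the alert's pair."""
        src, dst = alert.pair
        alert.enrichment = {"src_asset": assets.get(src, "unknown"),
                            "dst_asset": assets.get(dst, "unknown")}


ASSETS = {"10.0.2.10": "HMI", "10.0.1.5": "PLC"}  # constructed asset inventory


def run_demo() -> Dict[str, int]:
    ctd = CtdModel()
    poll = {"src": "10.0.2.10", "dst": "10.0.1.5",
            "protocol": "modbus", "function": "read_holding_registers"}
    for _ in range(3):                   # constructed training traffic: the HMI polls the PLC
        ctd.ingest(poll)
    ctd.mode = Mode.OPERATIONAL
    operational = [                      # constructed operational traffic
        poll,                                                                   # in baseline: no event
        dict(poll, function="write_single_register"),                           # new function: event
        dict(poll, src="10.0.4.77"),                                            # unknown host: event
        dict(poll, function="write_multiple_registers"),                        # same pair as 2nd: event
    ]
    for flow in operational:
        ctd.ingest(flow)
    alerts = ctd.conclude()
    for alert in alerts:
        ctd.capsave(alert, f"alert-{alert.alert_id}.pcap")
        ctd.enrich(alert, ASSETS)
    return {"baseline": len(ctd.baseline), "events": len(ctd.events),
            "alerts": len(alerts), "events_in_alert_1": len(alerts[0].events)}


if __name__ == "__main__":
    print(run_demo())
```

The demo ends with one baseline tuple, three events and two alerts: the HMI's two write functions share one alert because they share a (src, dst) pair, and the unknown host gets its own, enriched as "unknown" because it is absent from the asset table.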

Slide 10: Support – Must Know Terms: CTD Architecture

CTD Server – The CTD server is located at the site level, typically attached to a core switch, and digests data from the monitored network.

The CTD Server can be deployed in the following component architectures:
  - CTD can work standalone
  - CTD can be connected to a single EMC or to multiple EMCs
  - CTD can have Sensor and Sensor Lite components connected to it

The CTD Server is built out of all available workers:
  - Splinter
  - Dissector NG
  - Dissector
  - Pre-processor
  - Processor
  - Concluder
  - Capsaver
  - Web

Slide 11: Support – Must Know Terms: CTD Workers

EMC – The Enterprise Management Console receives information from a single site or multiple sites and provides enterprise-wide visibility and management capabilities. This component cannot sniff data.

The EMC can be deployed in the following component architectures:
  - Multiple CTD servers can be connected to the EMC

The EMC is built out of the following workers:
  - Bridge
  - Web
  - Notification
  - Mailer

Slide 12: Support – Must Know Terms: CTD Workers

Sensor – The purpose of the sensor is to extend the monitored segments of a CTD server. Sensors have no DB components, so they send their data to the site (CTD server).

The Sensor can be deployed in the following component architectures:
  - Can only operate if connected to a CTD server
  - No UI
  - Cannot be connected to the EMC

The Sensor is built out of the following workers:
  - Splinter
  - Dissector / Dissector_NG
  - Snort reader

Slide 13: Support – Must Know Terms: CTD Workers

SensorLite – The purpose of the sensor is to extend the monitored segments of a CTD server. Sensors have no DB components, so they send their data to the site (CTD server). The difference between the Sensor and the Sensor Lite is that the Sensor dissects the data before passing it to the CTD server, while the Sensor Lite does not dissect any data.

The Sensor Lite can be deployed in the following component architectures:
  - Can only operate if connected to a CTD server
  - No UI
  - Cannot be connected to the EMC

The Sensor Lite has no workers; it is a remote tcpdump.