
The history of enterprise computing is one of increasing scale, complexity and heterogeneity. First there was client-server computing, ushering in the PC era where there was a computer for every employee and several switch ports in every cubicle. And then the mobile enterprise, with a new generation of employees using their laptops, tablets and smartphones all the time, everywhere.

With each leap forward, IT and business leaders have scrambled to catch up and to protect their most critical data, applications and resources. We’re still gasping from the effort it took to control BYOD. But as hard as that was, the challenge was fundamentally one of human scale. Most users had a small handful of devices. Some ran Windows, some IOS, some Linux. IT could assign most of those users to a relatively small number of roles (often as simple as “guests” vs. “employees”). Yes, certain classes of employees had different levels of access, but in truth IT rarely had to define more roles than there were departments on an org chart. Great vendors stepped forward with intelligent solutions to make role-based access work (mobility controllers, next-generation firewalls, NAC and identity management). A small number of insanely hard-working employees in IT and Security could keep up. Barely.

We are now experiencing the emergence of the hyper-connected enterprise, in which everything is connected. The HVAC system. Security cameras. Point of Sale devices. Digital signage. Sensors. Heart rate monitors and infusion pumps. Complex, multi-million dollar manufacturing systems. IoT devices of every kind. If these things aren’t working, productivity plummets, revenue drops and lives are impacted. And if business leaders don’t know where they are or how they are being used, they risk spending millions on unnecessary cap ex.

In every dimension, the challenge for IT and business leaders is several ordrs (sorry!) of magnitude greater than it was a few short years ago. Instead of 3-4 devices per employee, a Fortune 500 organization or healthcare system will have millions of connected devices, from hundreds of different manufacturers, many running a proprietary OS. Each class of devices is purpose-built — with specifically defined functions, unique behavior patterns and potential vulnerabilities. Where IT used to administer a small handful of user roles, these devices have no users and ‘roles’ do not apply. Instead of managing users, they need to regulate each individual device. And that means they need to define and enforce thousands of specific policies.

The resulting complexity is literally inhuman in scale. A seemingly simple task like completing an inventory of connected devices is neither simple nor feasible for human beings at such scale. It’s about as simple and feasible as counting the stars in the sky. Even if your staff could do it, the data they gathered would be out of date before their report was compiled. If humans can’t even count the devices, there’s no possible way they can monitor them, understand their myriad functions or apply appropriate security policies to them. And if the CFO asks them for a report on usage of these systems and devices as she’s preparing next year’s capital budget? Good luck.

The only way to address this inhuman complexity is by mapping the ‘device flow genome’ through the application of advanced machine learning at a truly massive scale, continuously processing enormous amounts of data to identify everything that is connected and baseline its behavior patterns. Once you can do that, you can identify unusual or dangerous patterns and use actionable AI to automatically create policies that prevent incidents from occurring. That’s what we mean by true ‘closed-loop security.’ And then, because of all the data you’d be processing, you could deliver incredibly valuable insights to business stakeholders about how those devices and systems are being used and how they are performing. That can save organizations millions and extend the life of their assets.

That may sound far-fetched, costly and difficult to implement, but it’s not. In fact, most organizations already have the necessary infrastructure and tools in place: routers and switches, wireless controllers, next-generation firewalls, NAC, and the intelligent vendor-provided systems that operate them. The problem is that even the largest organizations don’t have enough people to interact with each of those intelligent solutions to harness their power at the scale necessary. What’s been missing is a systems control engine capable of processing the massive amounts of data being generated by all of the systems and devices in the hyper-connected enterprise – and translating that information into actionable policies that your smart infrastructure can enforce.

That’s why Ordr exists and that’s what the Ordr Systems Control Engine does. At a massive scale, for the largest enterprises in the world. It’s complex. But we’re a team of networking and security veterans, and we’ve been working for years to build a solution capable of handling that complexity while making your life simple.

The hyper-connected enterprise is here. Take control.

Incredibly complex problems cannot be solved without first establishing a baseline of understanding the elements of the problem in very fine grain detail. In the medical community, for example, development of targeted therapy for many serious diseases was comparatively ineffective before the mapping and sequencing of more than 3 billion nucleotides in the human genome. The Human Genome Project, a 15-year collaborative effort to establish this map of human DNA, has enabled the advancement of molecular medicine at a scale that was once impossible. Similarly, IT, Security and Business leaders cannot address the myriad challenges of the hyper-connected enterprise without fully mapping the device flow genome of each network-connected device and system. There are millions of connected devices, from simple IoT devices to multi-million-dollar functional systems, in a Global 2000 corporation, major healthcare system, retail chain or large industrial enterprise. The global volume of non-traditional network-connected devices – IoT devices – is doubling every few years and will exceed 20 Billion by 2020, according to experts.

This challenge is enormous, because it requires complete understanding of both the fixed characteristics of each device and the constantly changing context in which it operates. To do this at scale, you must be able to apply sophisticated machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network. If you can do that, you can immediately identify potential ‘mutations’ in the genome – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences. At the same time, you can leverage artificial intelligence to define and implement actionable policies that prevent future recurrences. That’s the only reliable way to protect critical assets and deliver true closed-loop security in the hyper-connected enterprise. And that’s exactly what we set out to do when we founded Ordr a few years ago.

There are solutions on the market today that seek to “fingerprint” devices, discovering their IP address, using MAC address lookup to identify the device manufacturer, and applying other rudimentary techniques to build a generic profile of the device. Fingerprinting allows you to answer some important but very basic questions: How many devices are connected to my network and to which ports and VLANs are they connected? How many of these devices are from Manufacturer X? Gathering more specific information has typically required agents installed on each endpoint. That is simply not possible in the hyper-connected enterprise, as the scale and heterogeneity of these devices quickly breaks traditional IT and security models.

Instead, by fully mapping the device flow genome automatically, without any modifications to the device or the existing enterprise infrastructure, within hours, Ordr identifies and enables you to act on critical information:

  • 5 of your critical manufacturing systems are running software other than your standard configuration, with known vulnerabilities;
  • 2 devices have been infected with Wannacry ransomware and are actively attempting to connect to peers;
  • 3 of your X-ray machines are being used at 90% capacity while 2 are only operating at 40%;
  • 6 of your heart-rate monitors are models that are subject to an FDA recall;
  • Your elevator control system is attempting to contact your internal HR application;
  • 80% of your security cameras are still using the manufacturer’s default password;
  • All digital signage on your network communicates with the manufacturer for updates and patches, but one unit is also communicating with a suspicious server in Kiev and appears to be exfiltrating PCI data.

Mapping the device flow genome allows Ordr to provide these types of actionable insight across millions of devices within the hyper-connected enterprise. This requires comprehensive real-time collection, correlation and analysis of vast amounts of information about each device:

  • Device Make, Model and Modality – Classification and grouping of similar device types at a hierarchical level, to facilitate efficient administration and regulation of those devices, requires specific information on the manufacturer, device type, model, modality and even the serial number.
  • OS and Software Versions – Device operating system, including current OS patches, all software components installed (software bill of materials), anti-virus software etc.
  • Known Vulnerabilities – Detection of potential port exploitation, results of vulnerability scans, and correlation of all known vulnerabilities from the device manufacturer and third-party sources (national vulnerability database, FDA recalls, etc.).
  • Network Parameters – Complete information on network connectivity, switch port, wireless access point, VLAN/subnet (and comparison of each device’s VLAN/subnet membership relative to similar ‘peer’ devices).
  • Device-Level Session and Flow Data – Data on connection attempts, number of sessions, data rate, location, ‘last seen’ time and location, usage patterns, etc.
  • Flow-level Conversation Patterns – Ability to assess each conversation at the flow level, baseline normal behavior against the device’s peer group and against its own history, and detect anomalies.
  • Internal Communications – Accurate detection of devices propagating malware, using well-known signatures such as those that look for reconnaissance activity.
  • External Communications – Real-time comparison of external communication patterns to the permitted external/internet sites for each device profile (for software updates, etc.) is needed to defend against external attacks and to identify communication with hostile sites that have poor reputation scores, such as phishing sites.
  • Applications and Users – Full understanding of the applications running on each device, as well as the users on the device.
  • Servers – Data on all the servers to which each device connects.

The purpose-built Ordr Systems Control Engine is the only software product with the capability to perform this real-time mapping at massive scale. The unique Ordr SCE architecture is specially designed to collect and analyze device and system data – at line speed – from multiple sources within the enterprise, including:

  • Full packet capture data from backbone core routers, including all file transfers, HTTP sessions, peer-to-peer traffic, client-server traffic and application-level interactions.
  • Network infrastructure data from switches, routers, WLAN controllers, NAC solutions, etc.
  • Device probes such as SNMP, for inherent device information from the various MIB repositories.
  • Protocol decodes of proprietary protocols such as DICOM, Modbus and patient-monitoring protocols.
  • Parsing results from well-known data-plane signatures from security vendors.
  • User and location information, including Active Directory users with their roles and privileges, location feeds, etc.
  • Ingested network device information such as NetFlow.
  • On-demand vulnerability scans for onboarding, as well as information collected from other periodic vulnerability scan reports (for example, open ports).
  • Network-layer control-plane protocols such as DHCP.
  • Utilization and performance data, such as frequency and duration of operation and connection attempts.

Accurate mapping also requires integrating information from IT Service Management, Enterprise Asset Management, location information, and threat information from national level exchanges.

Ordr SCE takes all of this information and applies sophisticated machine learning with ANN (Artificial Neural Network) training models to classify and profile everything on your network. That gives us a full understanding of each device – what it is, how it’s configured, and what behaviors it is supposed to exhibit – with unprecedented granularity. Once that is done, it becomes possible to detect anomalies and come up with actionable policies, using AI techniques, to regulate and protect your devices and critical data assets, in real-time and at scale.

This is a level of intelligence and depth that you’ll never be able to get from simple device fingerprinting. Customers using SCE’s device flow genome have been able to:

  • Correctly identify a SIEMENS AXIOM-Artis X-Ray Angiography medical device, rather than label it as a Tyran Computer Corp system based on the OUI of the embedded network interface card
  • Reveal devices connected behind gateway systems from vendors like Capsule Datacaptor.
  • Rationalize inventory with other systems that do not have knowledge of MAC or IP addresses, and instead use serial numbers
  • Find an uncontrolled user device from the IT side talking to a factory OT control system
  • Spot non-standard software in a camera that was reaching back to get updates from a site in a questionable geography
  • Accurately find WannaCry infestations and enumerate every compromised device and the source of the problem

Mapping the device flow genome is incredibly complex, but it’s exactly that complexity that makes it so useful, and we’ve taken great care to present this detail to you in its simplest, most usable form. We make the incredibly complex incredibly simple.

The only effective way to address massively complex problems is to have an intricately detailed understanding of the elements of the problem. That’s the only way to develop treatments that improve human health and longevity. And that’s the only way to take control of the hyper-connected enterprise.

Did you know that Windows 7 end of life is on January 14, 2020?  This is only 300 days away, and today over 40% of the desktops deployed are still running this 10 year old OS.  I can’t even imagine the number of embedded IoT, OT, and Medical Devices where this OS is still used.  Getting their arms around the Windows 7 End of Life is going to be a big issue for the security community in 2019: the impact it will have on their security posture, and in medical and industrial fields, the safety risks it will expose to their patients and workers.

Here is a great article highlighting the EOL in more detail.

3 Ways Ordr Can Help You Take Control of Windows 7

  • Ordr Discovery | Inventory | Categorization:  Ordr captures the OS detail on devices as we do our automated Discovery, Inventory, Categorization and analysis of the traffic flows (Flow Genome).

Here is an example of a GE Ultrasound Machine, but the same would apply to other systems:

  • Ordr integrates with CMDB / ITAM / CMMS Systems:  If you integrate Ordr with your CMDB / IT Asset Management / CMMS system – say ServiceNow, Nuvolo, etc – you can further improve your visibility by leveraging the real-time always on view of the Ordr solution, to then update your records as you work to identify systems that need to be updated, who the device owners are, location of the equipment, where it is in its lifecycle, and perform post upgrade validation to close out the update work and document the remediation.

Here is a view of the same Ultrasound Machine as above, with the integrated asset detail from a CMMS system:

  • Asset Info to Action:  Armed with all this detail, Security and Network teams can start working with the appropriate lines of business (HTM in my example case) to figure out a plan to either upgrade the system, replace the system, or, if you can’t replace it and you are stuck with it on your network, build security controls around the device.  This is where Ordr helps close the loop.  One key area where we can help is our capabilities around the behavior of the device in the network, the Flow Genome. Below you can see the 24 baselined normal flows Ordr has detected during this device’s time on the network under monitoring.

See below, we will use this information in step 4:

Time to Take Control!   OK, so you are stuck with the Windows 7 device on your network beyond 1/14/2020.  You are armed with the information in steps 1 – 3.  What do you do about it?  How do you build in the right controls?  This does depend on the environment, where there are firewall systems, NAC, network infrastructure that supports ACLs, etc. I will give you the most common actions I have seen, that should fit most of the customer environments you are working in.

Common controls Ordr can help you achieve

  • Leave the device as is, but monitor it:   This is probably the most common control.   Monitor the device and respond to any alerts or changes in behavior.  There is concern, especially with OT and Medical Devices, around putting limiting controls in place.  The good news is Ordr can alert on Behavior Violations, meaning if the device starts communicating outside of its Normal Baseline Flow.  Ordr can be integrated into a workflow management system, send out email alerts on its own, fire off events to a SIEM or other Orchestration tool, or have a screen like the one below up in your SOC for human monitoring.

Below is a screen shot of our Incident Summary & Device Risk Dashboard:   The Behavior Viol. count under Internal Communications is where we highlight behavior anomalies detected by the Flow Genome.  All of this is linked to the events to quickly see and understand the reason for the alarm.

  • Build a specific VLAN with ACLs for this Device Type:  One approach to segmentation is with a custom VLAN for a device type, in this case GE Ultrasound Devices.  The good part about Medical IoT, and IoT in general, is there is usually a consistent communication pattern for how it behaves on the network.  In the case of a VLAN configuration with Access Control Lists for communication, the Security, HTM, and Network team could build the rule set for this ACL and limit the communication behavior.  Or, you could let Ordr generate the ACL for you, that you apply in the environment.  Here is an ACL based on the example system above:
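The two controls above (alerting on a Behavior Violation when a device communicates outside its baselined flows, and turning those baselined flows into an ACL for the device’s VLAN) both rest on the same idea: a learning period produces a set of normal conversations, and everything else is either denied or alarmed. The following is an added illustration of that logic, not Ordr code; the device address, server addresses, ports and flow records are all constructed for the example, and the `Flow` record, `build_baseline`, `generate_acl` and `detect_violations` names are assumptions for this example only.

```python
"""
Baseline-to-ACL and behaviour-violation illustration.
Added example, not Ordr code; every address, port and flow record is constructed.
"""
from collections import namedtuple
from typing import Iterable, List, Set, Tuple

# One outbound flow record, in the spirit of a NetFlow-style export (constructed format).
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed "learning period" flows for a single hypothetical ultrasound device.
DEVICE_IP = "10.1.20.15"
BASELINE_FLOWS = [
    Flow(DEVICE_IP, "10.1.50.10", "tcp", 104),    # DICOM to the PACS server
    Flow(DEVICE_IP, "10.1.1.5", "udp", 123),      # NTP
    Flow(DEVICE_IP, "10.1.1.10", "udp", 53),      # DNS
    Flow(DEVICE_IP, "203.0.113.20", "tcp", 443),  # vendor update site (documentation range)
    Flow(DEVICE_IP, "10.1.50.10", "tcp", 104),    # repeated DICOM session, collapsed below
]

Baseline = Set[Tuple[str, str, int]]


def build_baseline(flows: Iterable[Flow], device_ip: str) -> Baseline:
    """Collapse the device's observed outbound flows into distinct (dst, proto, dport) tuples."""
    return {(f.dst, f.proto, f.dport) for f in flows if f.src == device_ip}


def generate_acl(device_ip: str, baseline: Baseline, name: str) -> List[str]:
    """Render the baseline as a Cisco-IOS-style extended ACL: permit each baselined
    conversation from the device, then deny and log anything else it originates."""
    lines = [f"ip access-list extended {name}"]
    for dst, proto, dport in sorted(baseline):
        lines.append(f" permit {proto} host {device_ip} host {dst} eq {dport}")
    lines.append(f" deny ip host {device_ip} any log")
    return lines


def detect_violations(flows: Iterable[Flow], device_ip: str, baseline: Baseline) -> List[Flow]:
    """Return the device's outbound flows that fall outside its baseline (a behaviour violation).
    Inbound flows toward the device are not the device's own behaviour and are ignored here."""
    return [f for f in flows
            if f.src == device_ip and (f.dst, f.proto, f.dport) not in baseline]


# Constructed flows from a later monitoring window: the usual traffic plus an SMB attempt
# toward another internal host, which never appeared during the learning period.
OBSERVED_FLOWS = [
    Flow(DEVICE_IP, "10.1.50.10", "tcp", 104),
    Flow(DEVICE_IP, "10.1.1.5", "udp", 123),
    Flow(DEVICE_IP, "10.1.60.7", "tcp", 445),
    Flow("10.1.60.7", DEVICE_IP, "tcp", 445),     # inbound reply; not flagged by this check
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS, DEVICE_IP)
    print("\n".join(generate_acl(DEVICE_IP, base, "GE-ULTRASOUND-WIN7")))
    for v in detect_violations(OBSERVED_FLOWS, DEVICE_IP, base):
        print(f"ALERT behaviour violation: {v.src} -> {v.dst} {v.proto}/{v.dport}")
```

The generated ACL only covers traffic the device originates; on a stateless ACL you would still need return-traffic entries (or an `established` match for TCP) before applying it, whereas a stateful firewall handles the replies itself. The violation check deliberately runs on the same baseline the ACL is built from, so a monitor-only deployment and an enforcing deployment alarm on exactly the same set of unexpected conversations.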

  • Integrate with your Network Access Control (NAC) solution:   In this case Ordr can talk with your NAC system to put this device in a specific group (TAG), where there are ACL and/or TrustSec TAGs to identify and control access of this device.  All of the attributes shown above can be shared, and the NAC solution can handle the controls around this device.
  • Integrate with your Firewall system:  Many customers are leveraging firewalls as part of their segmentation approach.  Beyond the normal Internal to External (North / South) traffic control and protection from a firewall, they are putting more Firewall systems in the internal network (East / West) to segment the network.  This helps with controlling the traffic flow, gives inspection points, and also gives the chance to apply the other security tools of an Advanced Firewall feature set, along with audit logging of internal communication.  Ordr integrates with firewall systems to either apply Firewall ACLs to the traffic discovered by the Flow Genome, or to apply a Security TAG to the firewall. Many of these firewalls support Tagging for device groups as well, so you don’t have to build individual policies for each device.  Ordr can give information to North/South and East/West firewall systems, to help with segmentation control.

What other strategies and ideas do you have to Take Control of the Windows 7 End of Life?  Let us know.

Ordr. Four simple letters that will undoubtedly elicit varying reactions from our customers, partners, friends and family. We certainly think – and hope – the vast majority will be excited and positive. That’s been our experience as we’ve shared the brand name with those closest to us. They find it to be friendly, approachable, elegant in its simplicity. We look forward to hearing how you responded, how you think it might be relatable to your job, your organization, IoT security, and your need to take control of your hyper-connected enterprise.

Since the CloudPost Networks founding a few years ago, we have been singularly focused on developing comprehensive solutions to the very real problems you face every day. We’ve been focused on helping you identify everything that’s connected to your network, the scale and breadth of which seems to expand endlessly. We’ve been focused on finding ways to collect and process extremely detailed info on each device, exactly what each is doing, and presenting that in a way that’s actually usable and actionable for you. And we’ve been focused on integrating with your existing network and security infrastructure so you can better use that infrastructure to secure and protect your entire organization. We absolutely had to get that development right before we spent a lot of time, money and resources on marketing. And we had to be sure that what we said from a marketing perspective was completely rooted in truth, not fluff or aspiration.

The time has come for us to share our story with a broader audience. We have no doubt that our IoT security solution will be well-received and we are brimming with excitement to share it with the world. So excited, in fact, that we think it deserves a distinctive brand name.

What’s in the Name?

Ordr. The name is a key component in building our brand. A foundation on which we can build. A name appears on our website but our brand exists in the minds of the people who know us. Our brand is rooted in our company culture, our pedigree. It’s revealed in our commitment to our customers, how we communicate, how we respond to challenges. It’s our pursuit of knowledge, as we strive to continually learn from – and to share what we’ve learned with – our customers and partners. It’s how we demonstrate our integrity and ethics. How we hold ourselves to a higher standard to speak truth. And it’s how we continually innovate in product development. We have the beginnings of a world-class brand, and we hope you’ll be with us and help us build that brand into the future.

Enough about the elements of the brand, you say. What’s the name really mean and why did you choose it? Great questions. We have enormous aspirations and think there is no limit to what we can achieve, as long as we stay focused on the needs of our customers. Our founders helped create companies that changed our industry forever. We’re here to build a company that lasts. So we wanted a name that is flexible and expandable and future-proof. We didn’t want a name that constrains us to a single market or tries to cleverly illustrate something our technology delivers today. The world will be very different in two, five or ten years. And so will Ordr.

Simple, Elegant IoT Security

We wanted a name that is elegantly simple, like the IoT security product we are developing. We wanted a name that communicates a feeling, a state of mind. We wanted a name that creates a question and a little bit of curiosity. Because we’re curious people.

So we chose Ordr. It’s simple. It’s easy to understand. It has some serious intellectual and scientific pedigree, as used in biological classification. It describes structure, command, organization. It conveys feeling of calm. And it lets you know that you are in control. Out of chaos, comes Ordr.

We think we chose a name that does a pretty darn good job of communicating who we are and what we do – IoT security. We think it forms a good foundation on which we can build a lasting brand. A brand we can all be proud of.

We hope you feel the same, and we hope you’ll be with us every step of the way.

Ordr. Take control.