Ariana Grande and Nicki Minaj performing “side to side” is one thing, but unusual network traffic moving side to side (internal lateral movement), now that’s a whole different story. An in a healthcare environment where sensitive customer information is stored and lifesaving equipment is connected, it can be downright dangerous. In part 3 of 6 in our series on Control, we dive deeper into Network Control and the concept of traffic control of internal lateral movement to help you maintain order in your healthcare facility.

Trouble in Louisiana

Remember when Louisiana’s governor issued a state of emergency in response to a rash of malware infections that hit the public schools? In the northern part of the state, the ransomware attacks crippled these schools when malware was embedded and allowed to spread quickly throughout the campus. Sorely needed files were encrypted and criminals demanded payment in exchange for the decryption key.  How did this happen? Clearly someone with a lot of resources found and exposed a vulnerable spot in the network.

What Perimeter?

Firewalls are one thing but people and devices move around constantly. What is the purpose of a stationary perimeter if there is constant movement in the network? Consider, for example, a hard-working healthcare worker (Bob) at a regional hospital who goes home late at night and connects to the web and accidentally clicks on a few bad URLs here and there. Without his knowledge, he has just downloaded malware onto his trusty laptop. The next day when a connection is made to the hospital network, this is when the malware does its thing, performing reconnaissance to understand the devices near its proximity so it can spread. This side to side movement is what you need to stop and contain right away.

Know What You Have

Adding anti-virus software is one thing but consider many medical devices that can’t be patched in the first place or think of the headache of keeping a log to make sure all devices are patched. Most often, we find that many hospitals don’t know what’s exactly in their network in the first place. Assuming you’ve taken the necessary steps to add full visibility, the next necessary step is to implement network control specifically network traffic control.

The Traffic Tower

If and when a breach occurs, the quick remedial action to take is to ensure that the malware does not spread. Ordr’s traffic control can ensure that the damage is restricted to a small contained area and the whole hospital network does not go down. When routers, switches, gateways, and firewalls all have flow-based whitelisting enabled, a bad packet from Bob’s laptop computer will be stopped and it will never make its way to a camera or a medical device in a different part of the network.

We can take it further with rule-based automation. For example, if we find that a camera is trying to have dataflow to a particular VLAN that it shouldn’t and the flow looks unusual, we can shut it down right there and then. It starts with total visibility and having the smarts to see all the internal traffic movements, up and down and side to side. Worried about MAC/IP spoofing? We take care of that too.

Much Happening Behind the Scenes

Network control is also about who gets in and out of your network. The point of entry can be wired or wireless, it can be serial or VPN. Doctors, nurses, visitors connect all the time to the healthcare network. It’s important to have the smarts to know what’s happening with the traffic flows, all the stream of information moving north and south and also side to side. And just like Ariana Grande and Nicki Minaj, we’re good friends with Infoblox and we play nice with Cisco ISE. Go ahead, do a little dance, Ordr has you covered.

Part 4 of 6 in our Series

You and I See an Innocuous Camera…

Step into a major contract manufacturer and the machines are buzzing and whirling with activity. Production lines are busy cranking out the latest consumer electronics and cameras are everywhere making sure the quality process and controls are in ship-shape order. Major facilities here and overseas can have thousands of cameras installed along a production line.

All-day long these digital cameras stream images and video to the data center maintaining diligent logs to track production line quality. The problem is of course that cameras have been an easily exploitable weakness for cyber attacks. It gets more confounding since oftentimes, cameras come configured with default passwords. Alarmingly, it is very easy to hack into a camera and instruct the camera to send its recording to a remote suspicious site. Upgrade the password across all these hundreds of cameras? It won’t accomplish much asides give you a list of new passwords. Furthermore, industrial cameras are embedded systems so you cant even upgrade the OS or install any anti-virus even if you wanted to.

Dealing with Anomalies

Firewalls, anti-virus, and vulnerability detection tools are all available to help us deal with the constant ongoing threats but how do you deal with sophisticated malware attacks which can infiltrate a camera of all things? Much can be accomplished with signature detection and we at Ordr work closely with well-known sources to identify and see deep into signatures for anything that might provide clues of ill intent. We rely on signatures to identify what we consider “known” malware.

There are numerous anti-malware solution providers that identify objects, adding new signatures to its known database and we work them as well. These repositories grow each day and hold data on hundreds of millions of signatures that identify and classify malicious objects. Signature protection against malware works, it is relatively easy to use and it’s a tried and true method of catching the millions of older but still persistent threats that are roaming out there.

But Signatures Only Get You So Far

The problem in this sophisticated age of cyber attacks is that some versions of code may not always be recognized by this mapping approach of signatures. New versions of nasty code can appear that are not readily recognized by traditional signature-based technologies. A study by Cisco found that 95% of malware files analyzed weren’t even 24 hours old.

Worse yet, sometimes signatures can morph and hide. Think about that for a second, malware changing to avoid detection. It’s actually not that hard, some code permutation change here, a register renamed there or code shrunk or expanded and malware can avoid the traditional signature detection.

NotPetya: The Dangers of Hidden Signatures

When NotPetya surfaced, it was originally thought that it was another annoying resurfacing as it had a similar code structure and signature to that of the original Petya ransomware.

NotPetya, however, was way worse and way more sinister. NotPetya got its name from Petya but alarmingly, though it looked similar to Petya, the ransomware message was only a disguise. There was no real money demanded, no real unlocking code at all. The intention of NotPetya was all destructive and to irreversibly encrypt a computer master boot record.

NotPetya was designed to not just encrypt the master boot record (MBR) but to overwrite it with the attacker’s own MBR and with no access to MBR, the user can not access the OS on the computer leaving it inoperable. The signature told security managers that NotPetya was ransomware but NotPetya was actually a highly descriptive data wiper disguised as Petya. Identifying signatures is a start but to really understand what’s happening in your network, one needs to understand the behaviors of the devices with respect to its peer group, history, and context.

Ensuring the Camera is in its best Behavior

If we go back to the example of the cameras at the factory floor, we know what the device should be doing, sending images and video streams to the video servers at the data center. If there is any deviation from this behavior, we will see it right away and we can shut things down immediately.

It’s not just the changes from the daily routine that we can see, our engine can monitor how each device acts in a normal setting relative to its peer group. Time series is also factored in that we can see if a camera’s behavior is deviating or is different from what its behavior was in the prior weeks.

If there is some strange communication between a camera and remote suspicious site, our proactive system can prevent this since it’s smart enough to know that a particular camera never had this session in the past. Even if there is a request going into the camera from an external site, we will sound the alarm. An attempt to extract a video without permission? This is a behavior violation. Unusual communications, we catch that too. If it’s a behavior violation, Ordr will prevent it right away.  A thermostat talking to the finance department, that should not happen. Some traffic flow trying to disable security controls or install rootkits? We will shut it down.

Ordr Keeps Learning

Threats are dynamic and constantly evolving. Having a system that understands signature can help in a hyperconnected environment but to have real proactive protection a system must contextually be aware and have the insight to understand behaviors. Diving deeper into historic patterns can also help capture baseline deviations that might fly under the radar.

At Ordr our system is constantly expanding its behavior library, understanding what is normal and what is out of character for each and every device type. We complement your current tools and we work with what you already have. Ordr helps you quickly identify all the friends, eliminate all the foes and ensure all your devices behave the way they should.

Get Your Healthcare Facility in Order in 2020, Part 1 of 6

Yes, there are a lot of bad actors out there and cybercriminals are rampant. If anything the more devices we connect, the more difficult it is to manage everything. So what do we do to protect ourselves in 2020 and bring some sense of order back to our enterprise? In this current series, we will dive deeper into some of the actions we can implement to take back control of our network. The way we frame our view on control is across many levels such as i) device control, ii) vulnerability control, iii) network control, iv) behavior control, v) application control, and last but not least, vi) external communication control.

Device Control

First Things First, Know What You Have

Before we get started cleaning things out and bringing some harmony into our lives it helps to know what we have. Hospitals, for example, can go multiple rounds of mergers and acquisitions and oftentimes might not really have full visibility into all the assets. Think about the IT turnover in some organizations and its sometimes quite hard to find where all the IoT devices are buried, let alone which MRI machines are being used or not. And Doctors are great, we love them, they provide great care for patients… but do they need to bring all these random devices into the office and connect them to the network? Where did all these Echo Dots come from?

Doing inventory the right way means collecting all the nitty-gritty details such as the make, model, serial number and modalities of all the assets connected to the network. Everything. Once the data is collected, it’s important to know where the devices are actually connected. It’s nice to find out that these devices are out there buts it’s even better to understand where exactly the device is connected in the network, which building, and which floor. We call it visibility with precision.

We oftentimes rely on spreadsheets but it gets too unwieldy when it comes to keeping track of the growing number of devices connected to the network. Having a system to automate visibility can help update that spreadsheet and you might be surprised what else is out that didn’t make it to the that excel spreadsheet stored in Dropbox. Only after we have a complete holistic view of what’s in the network, only then can we take the next steps in our journey to bring order.

Black or Whitelisting

A quick one on blacklisting vs whitelisting. If we have a good baseline and know about all the malicious parties out there then it’s a matter of simply blacklisting to keep applications, infrastructure and the networks secure. The problem is we don’t always know if a device can be trusted so we think whitelisting might be a better approach. It’s like the approach of Zero Trust model which is rooted in the view that organizations should not automatically trust anything inside or outside the perimeter of its network. Instead, the viewpoint is to verify anything and everything that is trying to connect to the network. Whitelisting in our view is to make sure things are safe before the access is granted.

Turn that Frown Upside Down

Inform the CFO you are so busy and you need 6 more MRI machines and try not to stare at the furrowed eyebrows in response. Instead, think about the centralized asset management team or the biomedical team that informs the CFO that there are idle machines in building four which can be moved to high traffic areas. Yes, its true, device visibility can spark joy for the CFO. At Ordr we can take things even a step further, showing peak vs average utilization of expensive leased equipment and helping your hospital or healthcare system make better financial decisions.

Even More Joy

Once you know exactly what you have with proper device control multiple benefits start lining up. In case a tech calls the IT department with a problem with the CT scanner, for example, they will know exactly the location, the serial number, the IP address, everything ready to start the fix. Think of an audit, when it occurs, every device is present and accounted for making compliance something joyful, not a chore. Okay, maybe that is a stretch.

The good news is that with order, everything works what you already have. There is no need for upgrades of switches as we just monitor the data flow and we integrate with your inventory or CMMD systems. Bring some organizational harmony to the Biomed, IT and Security teams of your healthcare organization with proper device control.