The Six Levels of Control

Aristotle, born in 384 BC, had some specific thoughts on how to formulate dramatic stories that have lasted to this day. Screenwriters still rely on its basic framework. In “Poetics”, Aristotle wrote that drama has to include a simple structure where there is always a beginning, a middle, and an end tied together with a unity of theme and purpose. Aristotle’s “Poetics” discusses further how there are six elements for a drama to be cohesive and coherent. There is a plot, character, thought, diction, music, and spectacle. A compelling story, an interesting hero, a theme, the tone, clear music and something memorable to tie it all together, it’s a formula that has stood the test of time.

Similarly, we see security in a proactive and holistic framework with six elements, in this case, six levels of control. It’s a cohesive framework which ties everything together it’s comprehensive and it ties everything together. Our six levels of control include Devices, Vulnerability, Network, Behavior, External Communications, and Application & User Control. Taken by each element alone there is some value but it’s the overall cohesiveness that makes for unity when it comes to proactive protection. Here’s our take on the six elements of control:

Device Control

First off is device control. Before we implement any security measure it helps to know exactly what we have. Hospitals with all the equipment and devices oftentimes might not really have full visibility into all their assets. Some medical systems go through mergers or divestitures and its often difficult to find all the equipment, let alone which infusion pump or MRI machine is being utilized or not.

At Ordr we do device visibility comprehensively, getting all the nitty-gritty details such as the make, model, serial number and modalities of all the assets connected to the network. Once the data is collected, it’s important to know where the devices are actually connected and we can pinpoint the exact location and even the port to where something is plugged in.

Vulnerability Control

Unpatched software and outdated operating systems can leave you vulnerable and we can tell you exactly what device needs upgrading or patching. Sometimes equipment or devices may be hiding somewhere but if it does end up being connected and starts communicating with the network, we will see it and let you know.

The problem with software versions is that there are so many upgrades to keep track of. Lingering old Windows 7 machines can be a problem since its no longer supported and we can tell you exactly which machines you need to keep track of.  When we find these Windows 7 devices, we can segment it and keep its traffic within its own zone away from the regular traffic.

Network Control

The boundaries for many hospital networks are now blurred and stationary perimeter firewall protecting us from all attacks is no longer the rule. Malware can be downloaded to many devices often unintentionally by remote or telecommuting workers and damage can occur when someone reconnects to the corporate network.

Malware, once it gets in, is often programmed to perform reconnaissance and to understand devices that are near its proximity so that it can spread. This unusual side to side movement in the network is what you need to stop and contain right away before it does any harm.

Behavior Control

I’m not a psychiatrist but I know abnormal behavior when I see it. Likewise in a hospital, we know what each and every medical device should be doing and how they should act. Whether its sending images and video streams to the video servers at the data center for a camera for example or an MRI machine being accessed by lab technicians at specific times.

If there is any deviation from normal behavior, we can sound the alert. And it’s not just the changes from the daily routine that we can see, our engine can monitor how each device acts in a normal setting relative to its peer group. A thermostat talking to the finance department, that should not happen. Some traffic flow trying to disable security controls or install rootkits? We will shut it down.

External Communications Control

Traffic to certain countries should raise alarms. If someone clicks a URL and there is traffic flow to Iran, Syria, or North Korea, there could be trouble brewing and it’s something you need to know about right away. Even within the U.S., there might be well-intended sites but it can be a trap for ransomware. Now going to a different country, that is fine its just specific suspicious ones that we block proactively.

A fortified firewall is one thing but with so many RDP sessions, many of which are not closed after a remote session, and with no one actively monitoring all these sessions, a corporation can be left unprotected. As a remedy, we work hand in hand with existing firewalls as we make the firewall even smarter by providing the context behind each IP traffic, understanding what the device is and what it is doing when it ventures out to an external website. Policy updates are written automatically to that firewall, providing security managers the added peace of mind.

Application and User control

There are supervisory command applications such as Telnet, FTP, SSH, SNMP, and others. As an example, SSH works by enabling secure system administration and file transfers over insecure networks. Uses encryption to secure the connection between a client and a server. All user authentication, commands, outputs, and file transfers are encrypted to protect against attacks in the network. SSH and other command applications are used to operate and debug and fix things and we can help you keep track of all these sessions.

Understanding applications is one thing but what’s also important is to understand the flow and what is actually happening within the session. If there is a regular port 22 session with a known device that is fine but we proactively ring the alarm if the SSH session is coming from a different or even worse an unknown un-authorized person. Since plain text authentication can be readily stolen and be used to extricate massive amounts of sensitive data, we can alert you right away if there is any use of an insecure protocol and/or any extraction of any data. We can further add controls to only those who are allowed to access the data.

Proactive and Comprehensive Security, Aristotle will be Proud

At Ordr we take a holistic view of security understanding the granular details of control and having a system that learns and adapts. “We are what we repeatedly do. Excellence, then, is not an act, but a habit” said, Aristotle. Devices, Vulnerability, Network, Behavior, External Communications, and Application & User Control it all fits together with the Ordr framework and this is what we do.

Thoughtful details of traffic sessions and flow genome are factored in our engine and we ingest more information every day repeatedly to make our system smarter as we strive for excellence. Take control with Ordr.

Part VI of VI on Control

Who, What and For Real?

With all the antics and the daily drama, it’s not easy keeping up with the Kardashians.  Kim, Kourtney, Khloe, how do you keep up with everything they do? An oftentimes, it is quite unexpected what they do. Thinking about the Kardashians made me empathize with the hospital IT staff who have the unenviable task of keeping tabs of all the users and applications that are crisscrossing a major healthcare network. How do we easily keep track of everything without multiple systems that need to be stitched together?

When thousands of people are moving about in and out of a hospital, understanding what each and every user is doing is not easy. The problem is made more difficult since not all users are created equal and access for some people to certain devices is allowed but access to others is not. An MRI machine, for example, some medical personal are allowed to use it but some people are not. Easy stuff right with access control, right? But it can get complicated.

User profiles are often set up via an Active Directory yet sometimes a user can be created locally on the fly so it’s important to discern the difference between the two as this can be a big area of potential security weakness. Sometimes, profiles are created as users log in to a device and just add more new users, forgetting to delete the user if the session was a one-timer. For real, this happens more than you think. It helps to be contextually aware to understand not just who has access, but when the login occurred, and how long a session for a particular medical device lasted. A user provisioned on a CT scanner can potentially have access to the entire patient record database in a hospital. Think about that, the least protected device is potentially the gateway to the most valuable data.

Access and Convenience via Applications

Who doesn’t love apps that give users access with convenience? In hospitals and other enterprises for that matter, mission-critical business applications are used to come in and out of the network helping to drive overall productivity with the added convenience of remote use. Doctors use mobile applications all the time and it’s important from a security point of view that an organization understands what devices were accessed and whether or not it was done so appropriately via the corporate network or inadvertently by the guest network. Sometimes we see credentials shared across multiple users so it is important to safeguard how many people are claiming to be an admin for example.

In the application kingdom, there are supervisory protocols like TELNET (port 23), FTP (port 21), SSH (port 22), SNMP (161) and others that are usually used by system administrators. As an example, SSH enables an administrator to securely connect to a remote server and perform necessary operations on that server. These supervisory applications are routinely used by admins to operate, debug, transfer data and fix things on the servers. And these applications are used in all Operating Systems including Microsoft Windows.

Understanding applications is one thing but what’s also important is to understand the flow and what is actually happening in a session. If there is a regular port 22 session with a known regular device that is fine but shouldn’t someone proactively ring the alarm if the SSH session comes from a different or even worse from an unknown un-authorized person? And wouldn’t it be helpful to know which stations are performing how many sessions to quickly understand any abnormal behavior?

Stealing the Keys

The problem in relying on supervisory commands to operate critical devices can leave you vulnerable if by chance the credentials are stolen. If this occurs, then brace yourself as anything can happen. Hackers can change code, manipulate machines, it can be quite the issue so if anything, the faster the detection, the more damage can be contained.

Application control is essential and it is important to quickly see something that looks out of the normal behavior as this can be an early sign of malicious behavior. If there are specific pediatric centric applications, take the necessary step to see who and when it is accessing and for what purpose. Is a medical device being accessed too often? It may not be just a utilization issue but rather an indication that something is off.

Take Control

The Ordr system control engine has the ability to track every user and every application, all the time. It’s one holistic platform for all your visibility needs. We can provide the insight into each medical machine, and tell you who logs in, when the machine was used and for how long. That’s helping you take control. We can further map specific devices to specific users to provide the granular detail helping you to take proactive security to the next level.

On applications, we have the capability to track applications and any device or workstation that uses that specific application. Specifically, command applications such as SSH flows between machines are closely monitored and we can show you all the secure shell sessions of any device at any point in time. Keeping track of the countless users and applications is not easy but we can make it easier in an AI-based system that keeps learning and gets smarter with each use.  Now only if we can automate Kylie Jenner’s jet setting whereabouts.

Part 5 of 6, External Communication Control

Where have you been and where are you going?

At a medical facility, there are so many devices its hard to keep track of all the communications in the network let alone all the traffic going out of the network to the web. Sure we deploy firewalls to keep the bad folks from getting inside but how do we keep track of all the traffic leaving the corporate network into the vast unknown? What if it goes to some bad site or even worse, there are communications between your device and a country on the watch list such as North Korea or Iran? Is there a good way to understand what all your devices are doing at all times? Can we once and for all close the door on external communications vulnerability?

Opening up the Wormhole

Communicating with the outside world is totally normal and at a hospital, we often see specific holes or access tunnels enabled in the firewall so that manufacturers can diagnose and even patch a necessary device. Using a protocol called Remote Desktop Protocol (RDP) the technician of a large medical device manufacturer will use a VPN tunnel to use this opening to control a device from anywhere around the world.

The problem, however, is that hackers can get into this opening if they are quick enough and they can gain access to critical systems at a hospital.  It gets worse. When we talk to many healthcare CISO’s we find that oftentimes these holes are left open inadvertently even after the patching or remote control session is completed. To date, it’s a manual process to keep track of how many people are coming in and out and how many sessions are opened and left unclosed.

Looking Like Swiss Cheese

A fortified firewall is one thing but with so many RDP sessions, many of which are not closed after a session, and nobody actively monitoring all these sessions, a corporation can be left unprotected and the bad guys can get in through the front door. Oftentimes, there can be hundreds of concurrent RDP sessions occurring at a major healthcare center and unlike your home, there is no time-delayed automatic garage door closer.

And because there is no automatic “closer” within enterprise networks that cleans up these open ports once jobs are finished, your “fortified” network can be vulnerable. The good news is that we can help by sending an alert to the firewall that a hole has been left open. We track how many sessions and detail closely, who is coming in and out at all times like a diligent sentry.

Some Bad Countries

Ever wonder how much of your network traffic is going to a destination outside the U.S.? Or which devices are talking to which country? And wouldn’t it help to see if you have devices are communicating with the dark web or blacklisted countries? If someone clicks a URL and there is traffic flow to Iran, Syria, or North Korea, there could be trouble brewing and it’s something you need to know about right away. Even within the U.S., there might be well-intended sites but it can be a ruse for a ransomware site.  Now firewalls know the basics such as the traffic to certain countries but what is missing is the ability to know which device is going to which country and for what specific reason.

China…It’s a Big Country

With all the news regarding spyware and hacks from China, it’s a big red flag if you find out that your devices are sending traffic back and forth from China right? Actually no since many companies have manufacturing and support centers in China. If a GE medical device, for example, opens a communications line to a known site in China, it’s actually fine since this is normal behavior. GE maintains a large help center in China.

Likewise, if a Philips MRI machine is having an active dialogue with a site in the Netherlands, that is perfectly fine as well. However, if that same Philips machine starts talking to China where there is no physical facility owned by Philips, we know that this is a behavior violation and something is out of character. We ring the alarm. Our system is smart enough to know that certain devices can communicate with certain countries while others cannot. We bring all these policy protection and automatically program the firewalls via APIs. Ordr provides the required context of the devices that are talking to an external connection to the firewall. Devices are classified in an orderly fashion by group (manufacturer/make/model) that gets programmed into the firewall. Subsequently, the firewall is updated with all the rules of which group of devices can communicate with which specific websites and countries.

Go Travel…But Be Proactive

At Ordr, we can tell you exactly what all your devices are doing and inform you if anyone “left the garage door open.” We can see all the traffic down to the session of the medical device talking to a country overseas. At a glance, we can display the number of countries that each device are having transactions with.

If device traffic does go overseas and returns only to act unusual or different, we will alert you as well. Proactive protection starts with a comprehensive view of what all your devices are doing and who or what they are talking to. Overseas travel is not easy nor tracking all the external communications but with Ordr you are in control.