
Segmentation Done Right Part 1 of 3

When I was in middle school standing in the cafeteria lunch line, there was always that feeling of nervousness before the spaghetti or tuna casserole (or aloo tikka masala, if you are familiar with the Indian school lunch trays) hit my lunch tray with its unique thud. After the entrée, I would shuffle my feet to the left to receive my overcooked peas and carrots. Last but not least was a big scoop of extra syrupy canned peaches. Ah, the joys of being in 7th grade. The good thing about public school lunch was that at least the lunch tray was compartmentalized, and my noodles only caught a little bit of that extra sugary, extra sweet peach syrup. Segmentation, what a great idea.

Contain the Damage

Reminiscing about my school noodles made me think about the benefits of network segmentation, the division of a network into smaller, more manageable zones. Those zones are separated from each other by controls placed between them, so each zone can be kept safe and secure on its own terms. If a device is compromised in a cyberattack, segmentation confines the damage to that device's zone or segment instead of letting it spread. Think blast radius control. Unusual lateral (east-west) movement between zones is also kept in check when a network is properly segmented.

It’s Recommended


It sounds simple enough: separate the network into compartments to limit the spillover effect. Zones are commonly built from VLANs and subnets, or from logical groups or segments, hence the name. In practice, network segmentation can be deployed on existing network infrastructure, or by placing new next-generation firewalls at the boundaries between specific zones. The National Institute of Standards and Technology (NIST), in its zero trust architecture guidance (SP 800-207), lists micro-segmentation alongside enhanced identity governance and software-defined perimeters as the approaches for building a zero trust architecture.

Factors to Consider

Getting started with segmentation takes a little bit of thought. How big will the zones be? How many devices of similar types will be in each zone? What about the regulatory environment? Regulation can have a say in how things are portioned as well. For example, if your business handles payments, PCI DSS scopes its requirements to the cardholder data environment, and segmentation is how you keep point-of-sale and payment-authorization systems isolated from the rest of the business so that the rest stays out of scope. In hospitals, one would want to keep life-saving equipment separated from general-purpose IT devices.

So how does one begin, and are segments rigid in a "set it and forget it" way? How can segments evolve as network requirements change? How will they adapt to changing business policies? It helps to start a segmentation project the right way by considering the various enterprise departments and the level of fine-grained control each one requires. Furthermore, consider the zones of vulnerability: plenty of exploits and attacks originate inside the network, not at the perimeter. Departmental segmentation can be done with firewalls, but if you want more granular control it very quickly amounts to deploying a large number of small hardware firewalls everywhere on the campus, which is neither practical nor cost-effective.

Network segmentation by itself is a great methodology, but if your organization does not know how your applications communicate with your endpoints, you risk writing incoherent policies at your control points: rules that block legitimate traffic or allow traffic nobody needs, which undercuts the effectiveness of segmenting in the first place. Segmentation applied without that precision can even disrupt the day-to-day operations of a company, so it is something to consider carefully at implementation time. The other factor to consider is the growth and expansion of your network, as you want a segmentation method that scales with your business requirements.
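To make the "incoherent policies" risk concrete, here is an added example (my code, not Ordr's product logic) that checks a configured inter-zone allow-list against observed flows and computes each zone's blast radius. The zone names, policy table, device inventory and flows are constructed for illustration; in a real network the inventory would come from the VLAN/subnet mapping and the flows from NetFlow or span-port data.

```python
"""Segmentation policy check: configured inter-zone allow-list vs. observed flows.

Added example, not Ordr's code. Zone names, the policy table and the flows
below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: device -> zone. (Assumption: zones map to VLANs/subnets.)
INVENTORY = {
    "infusion-pump-12": "clinical",
    "mri-01": "imaging",
    "pacs-server": "datacenter",
    "ehr-db": "datacenter",
    "hvac-ctrl-3": "facilities",
    "finance-ws-7": "corporate",
}

# Constructed inter-zone policy: (src_zone, dst_zone) -> allowed destination ports.
# Any zone pair not listed is denied; traffic inside a zone is not filtered.
POLICY = {
    ("imaging", "datacenter"): {104, 11112},   # DICOM to PACS
    ("clinical", "datacenter"): {443},         # pump telemetry over TLS
    ("corporate", "datacenter"): {443},        # EHR web front end
    ("datacenter", "clinical"): {443},         # drug-library push to pumps
}

# Constructed observed flows: (src_device, dst_device, dst_port).
FLOWS = [
    ("mri-01", "pacs-server", 104),
    ("infusion-pump-12", "ehr-db", 443),
    ("finance-ws-7", "ehr-db", 443),
    ("hvac-ctrl-3", "finance-ws-7", 445),        # facilities -> corporate SMB
    ("mri-01", "pacs-server", 22),               # SSH to PACS, not in policy
    ("finance-ws-7", "infusion-pump-12", 3389),  # RDP from corporate into clinical
]


def evaluate(flows, inventory, policy):
    """Return (permitted, violations, unused_rules).

    violations are observed cross-zone flows the policy would block; if they are
    legitimate, the policy is incoherent with how devices really communicate.
    unused_rules are allowed (src, dst, port) entries no observed flow needed;
    they are candidates for removal so the allow-list stays minimal.
    """
    permitted, violations = [], []
    hits = defaultdict(int)
    for src, dst, port in flows:
        src_zone, dst_zone = inventory[src], inventory[dst]
        if src_zone == dst_zone:          # intra-zone: no control point between them
            permitted.append((src, dst, port))
            continue
        if port in policy.get((src_zone, dst_zone), set()):
            permitted.append((src, dst, port))
            hits[(src_zone, dst_zone, port)] += 1
        else:
            violations.append((src, dst, port, src_zone, dst_zone))
    unused = sorted(
        (sz, dz, p)
        for (sz, dz), ports in policy.items()
        for p in ports
        if hits[(sz, dz, p)] == 0
    )
    return permitted, violations, unused


def reachable_zones(start, policy):
    """Blast radius of a zone: every zone reachable from `start` by following
    allowed zone pairs transitively (a compromise in `start` can pivot there)."""
    seen, frontier = set(), [start]
    while frontier:
        zone = frontier.pop()
        for src_zone, dst_zone in policy:
            if src_zone == zone and dst_zone not in seen and dst_zone != start:
                seen.add(dst_zone)
                frontier.append(dst_zone)
    return seen


if __name__ == "__main__":
    ok, bad, unused = evaluate(FLOWS, INVENTORY, POLICY)
    for flow in bad:
        print("would be blocked:", flow)
    for rule in unused:
        print("allowed but never used:", rule)
    print("reachable from imaging:", reachable_zones("imaging", POLICY))
```

Run on the constructed data, the three violations are exactly the questions a segmentation project has to answer before enforcement: is SSH to the PACS an admin workflow that needs a rule, and are the SMB and RDP flows into other zones legitimate or the lateral movement the policy exists to stop? The unused rules show where the allow-list is wider than observed behavior, and the reachability set shows that a compromised imaging device can still pivot into the clinical zone through the data center.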

Slice and Dice Your Way to Segmentation

With the Ordr platform, you can get as granular as you like. Beyond buildings, sites, departments and floors, one can segment a network by business requirements, and even group by device function within the same class of device. At a casino, for example, we can separate the cameras into groups based on their function: surveillance cameras that exist for regulatory compliance (watching the slot machines) versus general-purpose security cameras observing foot traffic. High-risk assets versus mission-critical assets is another way to slice the segmentation process.

Segmentation, like the lunch tray, works great when it's done right. There is no spillover or cross-contamination, and things are in a nice tidy order. Next week we will discuss the limitations and shortcomings of existing approaches and dive deeper into modern methods for segmenting the network the right way.


The Six Levels of Control

Aristotle, born in 384 BC, had some specific thoughts on how to formulate dramatic stories, and they have lasted to this day; screenwriters still rely on that basic framework. In "Poetics", Aristotle wrote that drama has to follow a simple structure, with a beginning, a middle and an end tied together by a unity of theme and purpose. "Poetics" goes on to describe six elements a drama needs to be cohesive and coherent: plot, character, thought, diction, music and spectacle. A compelling story, an interesting hero, a theme, the tone, clear music and something memorable to tie it all together: it's a formula that has stood the test of time.

Similarly, we see security as a proactive and holistic framework with six elements, in this case six levels of control. It is a cohesive, comprehensive framework in which each level reinforces the others. Our six levels of control are Devices, Vulnerability, Network, Behavior, External Communications, and Application & User Control. Taken alone, each element has some value, but it's the overall cohesiveness that makes for unity when it comes to proactive protection. Here's our take on the six elements of control:

Device Control

First off is device control. Before we implement any security measure, it helps to know exactly what we have. Hospitals, with all their equipment and devices, often do not have full visibility into their assets. Some health systems have been through mergers or divestitures, and it's often difficult to find all the equipment, let alone to know which infusion pump or MRI machine is actually being utilized.

At Ordr we do device visibility comprehensively, capturing the nitty-gritty details such as the make, model, serial number and modality of every asset connected to the network. Once that data is collected, it's important to know where the devices are actually connected, and we can pinpoint the exact location, down to the switch port something is plugged into.

Vulnerability Control

Unpatched software and outdated operating systems can leave you vulnerable, and we can tell you exactly which device needs upgrading or patching. Sometimes equipment may be hiding somewhere, but if it does end up being connected and starts communicating on the network, we will see it and let you know.

The problem with software versions is that there are so many upgrades to keep track of. Lingering old Windows 7 machines are a problem since the operating system is no longer supported (Microsoft ended support in January 2020), and we can tell you exactly which machines you need to keep track of. When we find these Windows 7 devices, we can segment them and keep their traffic within their own zone, away from the regular traffic.

Network Control

The boundaries of many hospital networks are now blurred, and a stationary perimeter firewall that protects us from all attacks is no longer the rule. Malware can be downloaded onto many devices, often unintentionally, by remote or telecommuting workers, and the damage occurs when someone reconnects to the corporate network.

Malware, once it gets in, is often programmed to perform reconnaissance and map the devices near it so that it can spread. This unusual lateral (east-west) movement in the network is what you need to stop and contain right away, before it does any harm.

Behavior Control

I'm not a psychiatrist, but I know abnormal behavior when I see it. Likewise in a hospital, we know what each and every medical device should be doing and how it should act, whether it's a camera sending image and video streams to the video servers in the data center, or an MRI machine being accessed by technicians at specific times.

If there is any deviation from normal behavior, we can sound the alert. And it's not just changes from the daily routine that we can see: our engine monitors how each device acts relative to its peer group, so a device that does something none of its peers do stands out. A thermostat talking to the finance department? That should not happen. Some traffic flow trying to disable security controls or install rootkits? We will shut it down.
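Below is an added example (not Ordr's engine) of the peer-group baseline idea: learn what each device class normally talks to during a learning period, then flag flows that no peer of the same class has ever produced, such as a thermostat reaching a finance workstation, and flows that only a single peer has ever produced when a second device starts doing them. Device names, classes, groups, ports and flows are constructed; a real deployment would learn the baseline from weeks of traffic rather than six records.

```python
"""Peer-group behaviour baseline: learn what each device class normally talks to,
then flag flows that fall outside what its peers do.

Added example, not Ordr's engine. Device names, classes, groups and flows are
constructed; a real deployment learns the baseline from weeks of traffic.
"""
from collections import defaultdict

# Constructed classification: device -> (device class, network group it sits in)
DEVICES = {
    "cam-lobby-1": ("ip-camera", "security"),
    "cam-lobby-2": ("ip-camera", "security"),
    "cam-er-1":    ("ip-camera", "security"),
    "thermo-3f":   ("thermostat", "facilities"),
    "thermo-4f":   ("thermostat", "facilities"),
    "vms-01":      ("video-server", "datacenter"),
    "bms-01":      ("building-mgmt", "datacenter"),
    "fin-ws-2":    ("workstation", "finance"),
}

# Constructed learning-period flows: (src_device, dst_device, dst_port)
BASELINE = [
    ("cam-lobby-1", "vms-01", 554),    # RTSP video to the video server
    ("cam-lobby-2", "vms-01", 554),
    ("cam-er-1",    "vms-01", 554),
    ("cam-er-1",    "vms-01", 443),    # only one camera uses HTTPS to the VMS
    ("thermo-3f",   "bms-01", 47808),  # BACnet/IP to building management
    ("thermo-4f",   "bms-01", 47808),
]

# Constructed flows seen after the learning period
LIVE = [
    ("cam-lobby-1", "vms-01", 554),
    ("thermo-3f",   "fin-ws-2", 445),  # thermostat talking SMB to finance
    ("cam-lobby-2", "vms-01", 443),
    ("cam-er-1",    "vms-01", 443),
    ("thermo-4f",   "bms-01", 47808),
]


def learn_profiles(flows, devices):
    """device class -> {(dst_group, dst_port): set of devices seen doing it}."""
    profiles = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        cls = devices[src][0]
        dst_group = devices[dst][1]
        profiles[cls][(dst_group, port)].add(src)
    return profiles


def detect(flows, devices, profiles, min_peers=2):
    """Return (src, dst, port, reason) for flows outside the class's baseline.

    A destination no peer has ever contacted is a hard deviation; one that only
    a handful of peers use (fewer than min_peers) is flagged when a device that
    was not among them starts doing it.
    """
    alerts = []
    for src, dst, port in flows:
        cls = devices[src][0]
        key = (devices[dst][1], port)
        seen = profiles[cls].get(key, set())
        if not seen:
            alerts.append((src, dst, port,
                           f"no {cls} has ever talked to {key[0]}:{key[1]}"))
        elif len(seen) < min_peers and src not in seen:
            alerts.append((src, dst, port,
                           f"only {len(seen)} {cls} peer(s) talk to {key[0]}:{key[1]}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE, DEVICES, learn_profiles(BASELINE, DEVICES)):
        print(alert)
```

The baseline is keyed by destination group and port rather than by destination address, so a camera streaming to a second video server in the data center is still "normal", while the thermostat's SMB connection to finance is an alert on the first packet. The `min_peers` threshold is the knob between sensitivity and noise: with a large fleet, a destination used by one device out of hundreds is itself suspicious even before anyone else copies it.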

External Communications Control

Traffic to certain countries should raise alarms. If someone clicks a URL and there is traffic flow to Iran, Syria or North Korea, there could be trouble brewing, and it's something you need to know about right away. Even within the U.S., a well-intended site can turn out to be a trap for ransomware. Traffic to a different country is not a problem in itself; it's the specific suspicious destinations that we block proactively.

A fortified firewall is one thing, but with so many RDP sessions, many of which are not closed after a remote session ends, and with no one actively monitoring them, a corporation can be left unprotected. As a remedy, we work hand in hand with existing firewalls and make the firewall smarter by providing the context behind each traffic flow: what the device is and what it is doing when it ventures out to an external site. Policy updates are written to the firewall automatically, giving security managers added peace of mind.

Application and User control

There are management protocols such as Telnet, FTP, SSH, SNMP and others. SSH, for example, enables secure system administration and file transfers over insecure networks: it uses encryption to secure the connection between a client and a server, so user authentication, commands, outputs and file transfers are all protected against attacks on the network. Telnet and FTP, by contrast, send credentials and data in the clear. SSH and the other management protocols are used to operate, debug and fix things, and we can help you keep track of all these sessions.

Understanding applications is one thing, but it's also important to understand the flow and what is actually happening within the session. A regular port 22 session from a known device is fine, but we proactively ring the alarm if the SSH session is coming from a different source, or worse, from an unknown, unauthorized person. Since plaintext credentials can be readily stolen and then used to exfiltrate large amounts of sensitive data, we alert you right away on any use of an insecure protocol and on any bulk extraction of data. We can further add controls so that only those who are allowed to access the data can do so.

Proactive and Comprehensive Security, Aristotle will be Proud

At Ordr we take a holistic view of security, understanding the granular details of control and having a system that learns and adapts. "We are what we repeatedly do. Excellence, then, is not an act, but a habit," said Aristotle. Devices, Vulnerability, Network, Behavior, External Communications, and Application & User Control: it all fits together in the Ordr framework, and this is what we do.

Thoughtful details of traffic sessions and the flow genome are factored into our engine, and we ingest more information every day to make the system smarter as we strive for excellence. Take control with Ordr.

Part VI of VI on Control

Who, What and For Real?

With all the antics and the daily drama, it's not easy keeping up with the Kardashians. Kim, Kourtney, Khloe, how do you keep up with everything they do? And oftentimes, what they do is quite unexpected. Thinking about the Kardashians made me empathize with the hospital IT staff who have the unenviable task of keeping tabs on all the users and applications crisscrossing a major healthcare network. How do we easily keep track of everything without multiple systems that need to be stitched together?

When thousands of people are moving in and out of a hospital, understanding what each and every user is doing is not easy. The problem is made more difficult because not all users are created equal: access to certain devices is allowed for some people and not for others. An MRI machine, for example, may be used by some medical personnel but not by others. Easy stuff with access control, right? But it can get complicated.

User profiles are usually set up in Active Directory, yet sometimes a user is created locally on the fly, so it's important to discern the difference between the two, as local accounts are a big area of potential security weakness. Sometimes profiles get created as people log in to a device, adding new local users each time, and nobody deletes the account afterward even if the session was a one-time job. For real, this happens more than you think. It helps to be contextually aware, to understand not just who has access, but when the login occurred and how long a session on a particular medical device lasted. A user provisioned on a CT scanner can potentially have access to the entire patient record database in a hospital. Think about that: the least protected device is potentially the gateway to the most valuable data.

Access and Convenience via Applications


Who doesn't love apps that give users access with convenience? In hospitals, and other enterprises for that matter, mission-critical business applications reach into and out of the network, driving overall productivity with the added convenience of remote use. Doctors use mobile applications all the time, and from a security point of view it's important that an organization understands which devices were accessed and whether that happened appropriately via the corporate network or inadvertently via the guest network. Sometimes we see credentials shared across multiple users, so it is important to watch how many people are claiming to be an admin, for example.

In the application kingdom there are management protocols like TELNET (port 23), FTP (port 21), SSH (port 22), SNMP (port 161) and others that are usually used by system administrators. As an example, SSH enables an administrator to securely connect to a remote server and perform the necessary operations on it. These protocols are routinely used by admins to operate, debug, transfer data and fix things on servers, and they are available on every operating system, including Microsoft Windows.


Understanding applications is one thing, but it's also important to understand the flow and what is actually happening in a session. A regular port 22 session from a known device is fine, but shouldn't someone proactively ring the alarm if the SSH session comes from a different source, or worse, from an unknown, unauthorized person? And wouldn't it be helpful to know which stations are performing how many sessions, to quickly spot abnormal behavior?
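As an added example of the session-level checks described here and in the Application and User Control section above (my code, not Ordr's), the following audits a connection log for management-protocol sessions: plaintext Telnet/FTP/SNMP, SSH from hosts that are not the designated admin jump hosts, local accounts rather than directory identities, and one host fanning SSH out to many targets. The log line format, the addresses, the user names and the admin host set are all constructed.

```python
"""Audit management-protocol sessions (SSH, Telnet, FTP, SNMP) from connection
logs: plaintext protocols, SSH from hosts that are not admin jump hosts, local
(non-directory) accounts, and one host fanning SSH out to many targets.

Added example, not Ordr's code. The log line format and all addresses, users
and the admin host set are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) user=(?P<user>\S+)"
)

MGMT_PORTS = {22: "ssh", 23: "telnet", 21: "ftp", 161: "snmp"}
# Telnet and FTP carry credentials in the clear; SNMP is treated as plaintext
# here on the assumption that v1/v2c community strings are in use.
PLAINTEXT = {"telnet", "ftp", "snmp"}

# Constructed connection log, one line per session
LOG = """\
2020-02-10T03:12:44Z src=10.20.5.17 dst=10.30.1.8 dport=22 proto=tcp user=CORP\\jsmith
2020-02-10T03:15:02Z src=10.50.7.99 dst=10.30.1.8 dport=22 proto=tcp user=root
2020-02-10T03:20:31Z src=10.20.5.17 dst=10.30.1.9 dport=23 proto=tcp user=CORP\\ops
2020-02-10T03:22:10Z src=10.20.5.17 dst=10.30.1.10 dport=21 proto=tcp user=CORP\\backup
2020-02-10T03:25:55Z src=10.50.7.99 dst=10.30.1.11 dport=22 proto=tcp user=root
2020-02-10T03:26:40Z src=10.50.7.99 dst=10.30.1.12 dport=22 proto=tcp user=root
2020-02-10T03:30:00Z src=10.20.5.17 dst=10.30.1.8 dport=443 proto=tcp user=CORP\\jsmith
""".splitlines()

# Constructed: the only hosts from which interactive SSH is expected
ADMIN_SOURCES = {"10.20.5.17"}


def audit(lines, admin_sources, max_ssh_targets=2):
    """Return (line_no, src, dst, reason) findings; line_no 0 marks summary findings."""
    findings = []
    ssh_targets = defaultdict(set)
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, user = m["src"], m["dst"], m["user"]
        service = MGMT_PORTS.get(int(m["dport"]))
        if service is None:                 # not a management protocol
            continue
        if service in PLAINTEXT:
            findings.append((n, src, dst, f"plaintext {service} session as {user}"))
        if service == "ssh":
            ssh_targets[src].add(dst)
            if src not in admin_sources:
                findings.append((n, src, dst, f"ssh from non-admin host as {user}"))
        if "\\" not in user:                # DOMAIN\user marks a directory account
            findings.append((n, src, dst, f"local account '{user}', not a directory identity"))
    for src, targets in ssh_targets.items():
        if len(targets) > max_ssh_targets:
            findings.append((0, src, "*", f"ssh fan-out to {len(targets)} hosts"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG, ADMIN_SOURCES):
        print(finding)
```

The per-source SSH fan-out count is the "which stations are performing how many sessions" view: one non-admin host opening root sessions to three different servers in a few minutes is the shape of lateral movement, and it is visible from flow metadata alone even though the SSH payload is encrypted.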

Stealing the Keys


Relying on management protocols to operate critical devices can leave you vulnerable if the credentials are stolen. If that happens, brace yourself, because anything can follow: attackers can change code and manipulate machines. The faster the detection, the more damage can be contained.

Application control is essential, and it is important to quickly see anything that looks out of the ordinary, as this can be an early sign of malicious behavior. If there are specific pediatric-centric applications, take the necessary steps to see who is accessing them, when, and for what purpose. Is a medical device being accessed too often? It may not be just a utilization issue but rather an indication that something is off.

Take Control

The Ordr system control engine has the ability to track every user and every application, all the time. It's one holistic platform for all your visibility needs. We can provide insight into each medical machine and tell you who logged in, when the machine was used and for how long. That's helping you take control. We can further map specific devices to specific users, providing the granular detail that takes proactive security to the next level.

On applications, we can track any application and every device or workstation that uses it. Management protocol flows such as SSH between machines are monitored closely, and we can show you all the secure shell sessions of any device at any point in time. Keeping track of countless users and applications is not easy, but we make it easier with an AI-based system that keeps learning and gets smarter with each use. Now if only we could automate tracking Kylie Jenner's jet-setting whereabouts.

For the first time, Ordr is taking our message of proactive protection for today’s modern enterprise to the floor – and a few parties – at the RSA Conference in San Francisco.  Come join us!

Chances are, you’re a security practitioner for a thoroughly modern enterprise; and chances are, you and your team are frantically searching for an agentless security solution to help you address the exploding quantity and variety of devices that need access to your network.  Your organization is rapidly adding non-traditional devices – facilities, IoT, security, OT, line-of-business, convenience, etc. – that simply can’t be secured with the same solutions you use for user-based devices like laptops, tablets and phones.  If you’re anything like us, the idea of these devices attaching to your enterprise without sufficient protection keeps you up at night.

That’s why we developed the industry’s first proactive protection solution for every class of network-connected device and system.  It goes way beyond device discovery and visibility – certainly something at which Ordr excels – and uniquely gives you the ability to act on that visibility to implement and enforce granular protection policies across your existing network and security infrastructure.  It gives you the power to regulate the behavior of every device, to ensure that everything operates in a manner that you control, and to secure every class of device on your terms.  It’s proactive protection for your entire enterprise, your customers, your systems and your brand.

Come see us in San Francisco and we’ll tell you more.

Booth 5584, North Expo Hall
It isn’t sexy, but it’s ours.  And we’d be happy to welcome you in.
We’ll be running product demos on the regular, and will have some really smart folks on hand to answer any questions you might have.  And we’ll have a little swag, so there’s that.

Don’t like crowds?  The crush of people can certainly be overwhelming.  Let’s have a quiet chat instead.  You can schedule a 1:1 meeting with one of our senior executives by reaching out to your Ordr account contact, or simply drop us a note at info@ordr.net and we’ll get you set up.

Like crowds but prefer to chat over some refreshments?  We’ve got you covered there as well.  We’re social people, so we’ll be on hand to share a cheer and some ideas:
Tuesday, 25 February – Cybersecurity Networking Reception co-hosted by our VC partner Wing, YL Ventures, OpenView, Thomvest Ventures, and USVP.
Wednesday, 26 February – Security Leaders Party @ Metreon, the most talked-about event at RSA. Join us for food, drinks, live entertainment, and some serious knowledge.

However you choose to get here, just get here.  We’re incredibly excited for the opportunity to chat.

Part 5 of 6, External Communication Control

Where have you been and where are you going?

At a medical facility there are so many devices that it's hard to keep track of all the communications inside the network, let alone all the traffic going out of the network to the web. Sure, we deploy firewalls to keep the bad folks from getting inside, but how do we keep track of all the traffic leaving the corporate network into the vast unknown? What if it goes to some bad site, or even worse, there are communications between your device and a country on the watch list such as North Korea or Iran? Is there a good way to understand what all your devices are doing at all times? Can we once and for all close the door on the external communications vulnerability?

Opening up the Wormhole

Communicating with the outside world is totally normal, and at a hospital we often see specific holes, or access tunnels, enabled in the firewall so that manufacturers can diagnose and even patch a device. A technician at a large medical device manufacturer will connect through a VPN tunnel and use that opening to control a device over Remote Desktop Protocol (RDP) from anywhere in the world.

The problem, however, is that attackers can use the same opening, and through it gain access to critical systems at a hospital. It gets worse. When we talk to healthcare CISOs we find that oftentimes these holes are left open inadvertently even after the patching or remote control session is completed. To date, it's a manual process to keep track of how many people are coming in and out and how many sessions are opened and left unclosed.

Looking Like Swiss Cheese

A fortified firewall is one thing, but with so many RDP sessions, many of which are not closed after the session ends, and nobody actively monitoring them, a corporation can be left unprotected and the bad guys can walk in through the front door. There can be hundreds of concurrent RDP sessions at a major healthcare center, and unlike your home there is no time-delayed automatic garage door closer.


And because there is no automatic "closer" within enterprise networks that cleans up these open ports once jobs are finished, your "fortified" network can be vulnerable. The good news is that we can help by alerting the firewall that a hole has been left open. We track how many sessions are open and watch closely who is coming in and out at all times, like a diligent sentry.
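The "garage door left open" problem, as an added example (my code, not Ordr's): given firewall session open/close events for the vendor RDP tunnel, find sessions that are still open past a maximum duration, sessions that ran longer than the cut-off, and sessions opened outside the agreed maintenance window. The event format, addresses, session IDs, window and cut-off are constructed assumptions, and timestamps are taken to be UTC.

```python
"""Find vendor RDP sessions that were left open, ran too long, or were opened
outside the agreed maintenance window, from firewall session open/close events.

Added example, not Ordr's code. The event format, addresses, session IDs and
the maintenance window are constructed; timestamps are assumed to be UTC.
"""
from datetime import datetime, timedelta

# Constructed firewall events: (timestamp, event, session_id, src, dst, dport)
EVENTS = [
    ("2020-02-10T08:00:00", "open",  "s1", "203.0.113.10", "10.40.2.5", 3389),
    ("2020-02-10T08:55:00", "close", "s1", "203.0.113.10", "10.40.2.5", 3389),
    ("2020-02-10T09:10:00", "open",  "s2", "203.0.113.10", "10.40.2.6", 3389),
    ("2020-02-10T13:00:00", "open",  "s3", "198.51.100.7", "10.40.2.7", 3389),
    ("2020-02-10T13:30:00", "close", "s3", "198.51.100.7", "10.40.2.7", 3389),
    ("2020-02-11T02:00:00", "open",  "s4", "203.0.113.10", "10.40.2.5", 3389),
]


def audit_rdp(events, now_iso, max_duration=timedelta(hours=2), window=(8, 18)):
    """Return (findings, open_session_ids).

    findings: (session_id, reason) for sessions that ran, or are still running,
    past max_duration, or that were opened outside window (start_hour, end_hour).
    open_session_ids: sessions with no close event by `now_iso`, i.e. doors still open.
    """
    now = datetime.fromisoformat(now_iso)
    sessions = {}                        # session_id -> record, kept in open order
    for ts, event, sid, src, dst, dport in events:
        if dport != 3389:                # only the RDP tunnel is audited here
            continue
        t = datetime.fromisoformat(ts)
        if event == "open":
            sessions[sid] = {"opened": t, "closed": None, "src": src, "dst": dst}
        elif event == "close" and sid in sessions:
            sessions[sid]["closed"] = t

    findings, still_open = [], []
    start_hour, end_hour = window
    for sid, s in sessions.items():
        if not (start_hour <= s["opened"].hour < end_hour):
            findings.append((sid, f"opened at {s['opened']:%H:%M} outside maintenance window"))
        if s["closed"] is None:
            still_open.append(sid)
        duration = (s["closed"] or now) - s["opened"]
        if duration > max_duration:
            state = "still open after" if s["closed"] is None else "ran for"
            findings.append((sid, f"{state} {duration} from {s['src']} to {s['dst']}"))
    return findings, still_open


if __name__ == "__main__":
    findings, open_ids = audit_rdp(EVENTS, "2020-02-11T03:00:00")
    print("open now:", open_ids)
    for finding in findings:
        print(finding)
```

On the constructed events, session s2 has been open for almost eighteen hours with no close event, which is the "door left open" case the firewall should be told to shut, and s4 was opened at two in the morning, outside the window the vendor agreed to. Feeding the `still_open` list back to the firewall as a rule to tear down those sessions is the automatic closer the paragraph above says enterprise networks lack.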

Some Bad Countries

Ever wonder how much of your network traffic is going to a destination outside the U.S.? Or which devices are talking to which country? And wouldn't it help to see whether you have devices communicating with the dark web or with blacklisted countries? If someone clicks a URL and there is traffic flow to Iran, Syria or North Korea, there could be trouble brewing, and it's something you need to know about right away. Even within the U.S., a well-intended site can be a ruse for a ransomware site. Firewalls know the basics, such as which traffic is headed to certain countries, but what is missing is the ability to know which device is going to which country and for what specific reason.

China…It’s a Big Country

With all the news regarding spyware and hacks from China, it's a big red flag if you find out that your devices are sending traffic back and forth to China, right? Actually, not necessarily, since many companies have manufacturing and support centers in China. If a GE medical device, for example, opens a communications line to a known site in China, that's fine, since this is normal behavior: GE maintains a large help center in China.

Likewise, if a Philips MRI machine is having an active dialogue with a site in the Netherlands, that is perfectly fine as well. However, if that same Philips machine starts talking to China, where Philips owns no physical facility, we know that this is a behavior violation and something is out of character. We ring the alarm. Our system is smart enough to know that certain devices can communicate with certain countries while others cannot. We bring all of this policy protection together and automatically program the firewalls via their APIs. Ordr provides the firewall with the required context about the devices behind each external connection. Devices are classified in an orderly fashion by group (manufacturer/make/model), and those groups are programmed into the firewall. The firewall is then updated with the rules for which group of devices can communicate with which specific websites and countries.
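An added example (my code, not Ordr's product) of the policy this section and the External Communications Control section above describe: a per-manufacturer list of countries a vendor's devices may reach, a global block list, and the per-group firewall rules derived from the device classification. The inventory, the table standing in for a GeoIP lookup, and the per-vendor country lists are constructed assumptions; they are not GE's or Philips's real support footprint.

```python
"""External-communications policy keyed by device manufacturer: which countries
each vendor's devices may legitimately reach, a global block list, and the
per-group firewall rules derived from the device classification.

Added example, not Ordr's code. The inventory, the geo table that stands in
for a GeoIP lookup, and the per-vendor country lists are constructed
assumptions; GE's and Philips's actual support footprints are not encoded here.
"""
from collections import defaultdict

# Constructed inventory: device -> (manufacturer, model)
DEVICES = {
    "ct-ge-1":       ("GE", "CT"),
    "mri-philips-2": ("Philips", "MRI"),
    "thermo-3":      ("Unknown", "thermostat"),
}

# Constructed policy: countries a manufacturer's devices may talk to for
# support/telemetry. Manufacturers not listed get no external access.
ALLOWED_COUNTRIES = {
    "GE":      {"US", "CN"},   # assumption: vendor runs support from these
    "Philips": {"US", "NL"},
}
# Countries blocked for every device regardless of vendor (the page's list)
BLOCKED_COUNTRIES = {"IR", "SY", "KP"}

# Constructed stand-in for a GeoIP database: dst_ip -> ISO country code
GEO = {
    "203.0.113.5":  "CN",
    "198.51.100.9": "NL",
    "192.0.2.44":   "CN",
    "192.0.2.80":   "KP",
    "203.0.113.70": "US",
}

# Constructed outbound flows: (device, dst_ip)
FLOWS = [
    ("ct-ge-1",       "203.0.113.5"),    # GE device to CN: normal for GE
    ("mri-philips-2", "198.51.100.9"),   # Philips to NL: normal
    ("mri-philips-2", "192.0.2.44"),     # Philips to CN: out of character
    ("thermo-3",      "192.0.2.80"),     # anything to KP: blocked outright
    ("ct-ge-1",       "203.0.113.70"),
]


def classify(device, dst_ip, devices, geo, allowed, blocked):
    """Return ('allow' | 'violation' | 'block', reason) for one outbound flow."""
    manufacturer, _ = devices[device]
    country = geo.get(dst_ip, "??")         # unknown geo is treated as out of policy
    if country in blocked:
        return "block", f"{device} -> {country} is on the block list"
    if country in allowed.get(manufacturer, set()):
        return "allow", f"{manufacturer} devices normally reach {country}"
    return "violation", f"{manufacturer} device {device} has no business with {country}"


def evaluate_flows(flows, devices, geo, allowed, blocked):
    return [classify(d, ip, devices, geo, allowed, blocked) for d, ip in flows]


def firewall_rules(devices, allowed, blocked):
    """Derive per-group rules a firewall API could consume: one address group per
    manufacturer/model holding its devices, the destination countries it may
    reach, and the global block list. Unlisted vendors get an empty allow-list."""
    groups = defaultdict(list)
    for device, (manufacturer, model) in devices.items():
        groups[(manufacturer, model)].append(device)
    return [
        {
            "group": f"{manufacturer}-{model}",
            "members": sorted(members),
            "allow_countries": sorted(allowed.get(manufacturer, set())),
            "deny_countries": sorted(blocked),
        }
        for (manufacturer, model), members in groups.items()
    ]


if __name__ == "__main__":
    verdicts = evaluate_flows(FLOWS, DEVICES, GEO, ALLOWED_COUNTRIES, BLOCKED_COUNTRIES)
    for (device, ip), (verdict, why) in zip(FLOWS, verdicts):
        print(verdict, device, ip, why)
    for rule in firewall_rules(DEVICES, ALLOWED_COUNTRIES, BLOCKED_COUNTRIES):
        print(rule)
```

The point of keying the policy on the manufacturer rather than on the destination is that the same Chinese address is "allow" for the GE scanner and "violation" for the Philips MRI, which a plain country-level firewall rule cannot express. The rule objects are what gets pushed to the firewall: address groups by manufacturer/model, so that when a new Philips device is discovered it inherits the group's allow-list without a hand-written rule.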

Go Travel…But Be Proactive

At Ordr, we can tell you exactly what all your devices are doing and inform you if anyone "left the garage door open." We can see all the traffic, down to the individual session of a medical device talking to a country overseas. At a glance, we can display the number of countries each device is transacting with.

If device traffic does go overseas and the device then returns and acts unusual or different, we will alert you as well. Proactive protection starts with a comprehensive view of what all your devices are doing and who or what they are talking to. Overseas travel is not easy, and neither is tracking all the external communications, but with Ordr you are in control.
