JSOF recently published information on 19 vulnerabilities they found in the Treck TCP/IP stack used by many device manufacturers that enables their devices to communicate over a network. The vulnerabilities were originally discovered in September of last year.
While there is no indication that these vulnerabilities have been exploited in the wild, any threat to the TCP/IP stack impacts the fundamental networking core of a device. The vendor list of vulnerable devices is long, and JSOF has confirmed the impact to 15 vendors including Baxter, Intel, Caterpillar, Cisco, Aruba, HP, and Xerox; all have issued their own advisories and patches.
However, the list of affected devices continues to grow as this vulnerability has been present inside the Treck stack for likely more than 20 years and implemented in millions of devices since then. Organizations need to assess their exposure by identifying any vulnerable assets in their inventory, and then respond by either patching or implementing compensating controls to protect at-risk devices.
Ordr now offers a solution for organizations to detect and mitigate risks from Ripple20 vulnerabilities. Ordr Systems Control Engine (SCE) can:
Identify vulnerable assets impacted by Ripple20 via our new Ripple20 scanner
Passively identify devices that are vulnerable to Ripple20 through device classification comparisons with known vulnerable device lists
Detect active exploitation of Ripple20 using our built-in intrusion detection engine
Proactively protect devices from Ripple20 attacks by dynamically generating policies and enforcing them on network devices or next-generation firewalls.
For more information, please refer to our security bulletin here. The Ordr solution for Ripple20 will be available in the 7.2.7 release and also simultaneously deployed and supported in 7.2.5 and 7.2.6 which are already live at customer sites.
We thank JSOF for their support and collaboration.
Peter Drucker may have directed his famous adage, “you can’t manage what you can’t measure,” to business managers, but these words ring just as true for network and security managers. Technology leaders constantly measure and manage risk, performance, capacity, and numerous other metrics.
However, there’s an important corollary: You can’t measure what you can’t see. Without visibility, measurement and management become almost impossible.
Nowhere is this more true than with enterprise networks. They are complex, constantly evolving, and continually connecting more and more devices. Comprehensive visibility into the traffic, devices, behaviors, and risks allows network and security managers to take the key measurements needed to make smart decisions. However, hooking a multitude of “monitoring solutions” to a network can create problems with performance, SPAN/Tap availability, and complexity.
This is where Gigamon and Ordr work together to provide a comprehensive infrastructure for network and device visibility.
The Gigamon Visibility and Analytics Fabric collects full-fidelity information from your physical, virtual, and cloud network infrastructures, optimizes the traffic via de-duplication and advanced filtering, and creates a consistent and centralized interface for viewing all data in motion. This can particularly benefit complex or distributed organizations, allowing centralized monitoring of east-west (internal) traffic as well as north-south (datacenter-to-internet) traffic. Enterprises benefit from full visibility into network traffic, regardless of its origin or destination.
Ordr SCE leverages the Gigamon Visibility and Analytics Fabric to passively inventory and classify every device on a network, from traditional IT devices such as workstations, printers and servers, to IoT devices such as medical devices, building automation, and security cameras, to operational technology (OT) such as manufacturing tools, sensors, and PLCs. Ordr then takes this visibility to the next level: not just identifying network devices, but identifying their behavior, their communication patterns, and their risks.
When deployed onto the Gigamon infrastructure, Ordr can be deployed more quickly, with less (or less expensive) hardware, and with less contention for SPAN or TAP ports on network switches. Additionally, Gigamon’s ability to centralize traffic often means a more comprehensive inventory of devices that are connected to complex, highly distributed networks. More visibility means better management of risks.
Interestingly, encryption adds another twist to the visibility story. While internal use of TLS improves security in many ways, it can also blind network analysis tools to the data needed to identify security breaches like advanced persistent threats (APTs), remote access trojans (RATs) and crypto mining. Gigamon Visibility and Analytics Fabric addresses this challenge too. Its TLS decryption support offers a secure window into encrypted traffic, giving Ordr complete visibility into encrypted inbound, outbound, and internal networks.
Together, Gigamon and Ordr give network, security, and business-aligned technical groups (such as clinical engineering) unparalleled visibility into enterprise networks, devices, behaviors and risks. Gigamon customers seeking to identify and protect IT, IoT, IoMT, and OT devices should schedule a free demo of Ordr SCE to see how it can quickly and easily offer new levels of visibility and security for the devices in your network. Ordr customers who wish to optimize their network visibility infrastructure can reach out to Gigamon for a demo or free trial as well.
Full visibility into network flows, devices, and network behaviors with Gigamon and Ordr makes measuring and managing your risk a straightforward task. Peter Drucker would be proud.
For more information on Gigamon and Ordr, check out our solutions brief here, and watch our See, Segment, Secure webinar here:
Automation is the hidden key to a successful IoT implementation. To see why, it’s important to understand the current profile and strategic direction of IoT projects.
In Nemertes’ 2019-2020 IoT research study, we found that 68% of participants were in proof-of-concept (POC) or early production (less than 25% complete) stages of their IoT rollouts. Half of those expected both device counts and project counts to grow at 25% or more per year over the next 3 years. And successful companies (ones that scored in the top 20% for revenue generated, cost savings, or business process improvement) were twice as likely as the rest to anticipate hypergrowth (100% or more per year).
In sum, the wave of IoT initiatives is just beginning, and is nowhere near cresting. Enterprises are seeing extreme growth on two dimensions: device count for existing projects, and the number of IoT projects in the portfolio.
This means that IoT is rapidly getting past the point at which manual control, management, configuration, and security is feasible.
In IT parlance, the devices (and projects) are moving from pets to cattle: transitioning from the need for focused care and attention (pets) to the need for streamlined and scalable systems and processes (cattle).
But what does it mean to “automate” IoT? There are two main areas for automation. The first is visibility. This means knowing how many devices there are in an IoT implementation (auto-inventorying), knowing how they behave, and knowing what behavior is normal vs anomalous.
This information must be collected automatically, and analyzed effectively, to quickly be able to spotlight systems that are behaving anomalously, either due to operational issues or cybersecurity attacks. In cybersecurity environments, we refer to automating the behavioral analysis as “behavioral threat analytics”.
Visibility is critical, but it’s only part of the equation. The second part is automated configuration and policy enforcement. IoT devices must be configured, and the configurations patched and updated based on a standardized policy. And if devices need to be shut down (e.g. if they’ve been infected with bots) that should happen automatically, based on policy triggers. Alerts and manual overrides can be configured, to maintain human control, but in large, complex IoT installations, it’s critical to contain attacks quickly, and have human intervention at the forensic stage.
Why does all this functionality require automation? Quite simply, because of scaling issues. As individual IoT projects blossom, and the number of projects proliferates, doing these things manually is no longer feasible.
The blueprint for developing an effective automation strategy is therefore this: First, think in terms of a developing horizontal IoT architecture that addresses the key issues of management, control, and cybersecurity for all IoT projects, regardless of use cases. (See figure 1)
Second, start by ensuring visibility into every IoT implementation. That means having tools in place to autodetect IoT devices and automatically analyze their behavior, reporting information into a common dashboard.
Third, put in place a policy-based approach to configuration, management, and security. That means having an automated way to take action based on defined policies.
Finally, enhance the automated configuration and management with human alerts and overrides where necessary, to maintain control over the entire infrastructure, automation and all.
The bottom line: The natural consequence of successful IoT projects is growth, and growth drives the need for effective automation. IoT technology practitioners (whether IT or OT) should make sure their IoT initiatives include an IoT automation strategy.
Interested in hearing more? Attend the Ordr and Nemertes webinar on IoT automation on June 9 – “Fast, Secure, Scalable: Why IoT Needs Automation to Succeed”. Register here.