
Recently Ordr spent time talking to our clients about the Cybersecurity Maturity Model Certification (CMMC): what it is, why it’s important, and how they can prepare for it as it relates to the world of devices and IoT. Ordr is the leader in IoT cybersecurity, serving organizations ranging from mid-market businesses to large enterprises, many of which offer services to the Department of Defense (DoD). Because of this, it is incumbent on us to know how the CMMC will apply to our clients’ infrastructure and to be able to help our clients achieve certification. We realize, and educate our clients, that the DoD’s new CMMC isn’t just another framework.

To help our forward-looking clients meet future CMMC requirements, Ordr is already working to map the security controls that IoT and device components require against the CMMC checklist. In order to plan for the CMMC, it is crucial that our clients and potential clients understand how IoT and device configurations are being considered as part of this new maturity model.

First let’s break down what CMMC is. In the Fall of 2020, the US Government will begin requiring organizations to become compliant with CMMC. This is being done primarily to address the low rates of compliance associated with NIST 800-171. CMMC will become a requirement designed to permit only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) obviously recognizes that not all contractors are alike, and is using the CMMC’s tiered “levels” to make this compliance endeavor more palatable for a broader swath of potential contracting organizations. The CMMC is a tiered model that has the potential to impact every business in the Defense Industrial Base (DIB). To be sure, this is no “small” endeavor.

Soon – contractors in the DoD supply chain will need to be evaluated against this maturity model by a third-party auditor. CMMC contains seventeen capability domains, each of which encompasses a different area of security. Each of these domains will be evaluated on a level from one to five — five being the most mature — and the organization will be assigned an overall CMMC level based on their evaluation results.

CMMC is a big deal for DIB companies because the level that an organization achieves will determine which DoD contracts they’re eligible to bid on and win. Get a 5, the world is your oyster; get a 1 and it limits your available opportunities.

For sure CMMC is daunting. The capability domains outlined in CMMC are very broad, and entail everything from physical security to personnel security to asset management and essentially any other applicable security control that the government can think of. That sounds nearly impossible, and it certainly could be, but in reality CMMC exists to help organizations understand the complexity and breadth of achieving a true security posture. Hopefully CMMC will help mitigate some of the pencil whipping and box checking security failures that have plagued contractors in the past.

Because CMMC is broad, it is critical that any organization wanting to compete and win lucrative contracts heed the call to ensure they consider their IoT/OT security vulnerabilities, as well as their other security controls and programs. Modern exploits and attacks usually cross IT/OT infrastructures at some point. After all, everything is “connected” today. This means that without IoT visibility and accountability the entire network is potentially threatened, and the CMMC auditors know that.

There are very few CMMC domains that don’t apply to IoT network devices. Asset discovery, threat detection, and incident response are part of any intelligent or complete security response package. One can easily see why they are integral to the CMMC requirements.

While CMMC has many other requirements, much of what it mandates can be summed up pretty simply. Here are a few basic considerations that can help set your organization on the right track to achieving CMMC compliance specifically related to your IoT/OT network devices.

1) Do you have visibility, access, analytics or even the capability to understand IoT devices?

You can’t defend what you cannot see. And you cannot defend any enterprise if you don’t know about the totality of devices or “assets” in a network. Ordr works with organizations to gain that visibility into their IT and IoT networks. In doing this our systems help your team understand how those assets communicate and are connected to each other.

Without that insight and knowledge, it’s impossible to prioritize risks, detect active threats already operating in your environment, or prove that your security posture is strong enough and doing its job. All of those things are key to CMMC compliance across a variety of domains. Being candid, it is impossible to fully secure your networks without having IoT/OT network device visibility.

2) How resilient is your overall IoT/IT network architecture?

CMMC focuses on building a stronger cybersecurity posture in DoD supply chain contractors, and as part of that, CMMC requires an organization to detail how they have built a strong overall approach for securing all network connected devices.

Part of having a sound security posture is to make sure that all devices only communicate with the internet as intended. Stronger network segmentation improves security. Ordr makes network segmentation easy by using ML/AI-assisted automation.

3) Can you identify and remediate IoT/OT device vulnerabilities in your network?

Key CMMC requirements focus on identifying and addressing vulnerabilities across all devices and infrastructure components. For networks with IoT/OT devices, that could mean CVEs, malfunctioning devices, or the presence of unauthorized ports or rogue applications. CMMC requires that you’re able to detect and prioritize vulnerabilities like this. If your organization cannot do this, you will have a hard time achieving higher levels of compliance. Ordr shines in this area and can rapidly enable this action.

4) Can you detect exploits with all your IoT/OT devices?

IoT and device threats are a very different animal than detecting threats that target legacy IT systems and endpoints. Typically, embedded IoT/ICS devices do not support agents and may not be visible to your IT teams or tools. Because of this gap in security, your organization may be required to incorporate IoT and device aware analytics to detect abnormal machine behavior that could help identify an attack.

This is not an area where current IT approaches can be used in the IoT/OT device environment. The requirements for these unmanaged devices are very different.

Lastly, Ordr can be deployed to help avoid the pain and cost of an extended audit. Like every other federal certification requirement, a 3rd party is going to audit your company for compliance, and that will include your IoT devices, device security controls and asset inventory. Think about this from a financial perspective. With auditors, time is money. If an organization pays an auditor an hourly rate of $300 per hour – the longer it takes the auditor to review and understand your environment, including all the IoT devices, the more billable hours and costs you will accumulate. To minimize the time and costs, it makes sense to have an accurate inventory and full visibility of every asset, including IoT devices, before the auditors arrive. With auditors, nothing exists unless it is documented. Ask Ordr to assist with preparing for your CMMC and FISMA audits.

To see how Ordr maps to CMMC, read our White Paper:

Bringing Ordr to CMMC Compliance for Unmanaged Devices


While my career started on the technical side, first with helpdesk support and then as a technical support engineer, I have enjoyed the journey into Sales. Through this journey, I find that the best part of my day is when I get to work with customers and partners on solving technical problems. While working with organizations in the Midwest region, this is a top issue I frequently hear about: “I am concerned about smart speakers with the ability to listen and share data. I want to track them down so I can understand what is out there and where they’re located, so I can understand the risk, remove them, and educate our users about the risks.”

While devices like Amazon Alexa and Google Home are top of mind, devices like smart lights, connected thermostats, and more are equally of concern. Any device that you can audibly address and say, “Hey Siri”, “Hey Google”, “Hey Alexa!”, or “Hey, thing” to, has the ability to be a threat to organizations.

These concerns are nothing new in the security community, and while this Washington Post article gives a good background on the scope and concerns around this topic, there are still billions of IoT devices, and a noticeable fraction of those are smart speakers. The reality is these devices can be used against organizations, if someone is enterprising enough to take advantage of them.

Example:

In large hospitals, I’ve seen smart speakers located in board rooms, executive offices, a front information/security desk, a desk in a 911 dispatch center, a SOC on an analyst’s desk, and more. These devices bring risk to an organization through external threats and especially insider threats. One individual could walk into a board room and say, “Hey Alexa, record the next two hours,” or remotely access the device for listening, before a board meeting, sharing organizationally unique sensitive data.

While there are many articles that highlight how device users can review and delete recordings, they still pose a tremendous threat to organizations, especially when organizations don’t know if/where they exist.

  • PC Mag – review and delete recordings
  • ZD Net – research from Check Point on exploiting these devices

In my tenure at Ordr, I have worked with various organizations to locate these devices and secure their network. Here are some foundational steps I walk through:

Step 1: Find the devices and continuously monitor for these device types

This is an easy one for Ordr.

  • Ordr has profiles for all of these types of systems.
  • Ordr is always on as well, so this is continuous. Not just a point in time or scheduled check for systems like this. No scanning required either – so no drops in coverage.
  • How does Ordr see these systems? Just send a copy of your wireless traffic to an Ordr SCE Sensor. Ordr can see your Corporate and Guest Wireless (as that is where most of these live).
  • Ordr discovers and classifies these systems, automatically. Here is a screen shot of a few examples of these types of devices profiled by top manufacturers:

Sonos:

Sonos Devices

Amazon:

Amazon Devices

Google:

Google Devices

You get the point.

Step 2: Contextual Detail

You will need to know where the device is, when it first appeared, where it is communicating, etc. You have more questions at this point, and Ordr has the answers.

Here is an example of the information Ordr will give you:

Device Profile - Amazon Alexa

You need, and get, network detail on IP, MAC address, which wireless network it is connected on, the access point it is connected to, location information, the VLAN it is on, as well as when the device was first detected and last seen on the network by Ordr. These devices come and go, so the Network Stats keep a historical anchor in the environment, letting you track the device for the whole time it has been present.

Step 3: Removal of the Device

If you can’t get to the device physically, you can remove it from the wireless network. With Ordr integrated into your switches, NAC solution, or Firewall solution, you can either remove the device connectivity completely, or push a policy to restrict its access until you can address the educational moment with your colleague.

Below is an example of the communications this Amazon Alexa device had in the environment, and where you would push Ordr policy from our Flow Genome to your existing security systems.

Flow Genome - Amazon Alexa
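The three steps above (find the devices, record their context, then act on them) can be illustrated with a small passive inventory. The following is an added example, not Ordr’s code: it folds constructed mDNS advertisements seen on the wireless network into a per-device record with first/last seen, SSID, access point, VLAN and access-point history, then buckets the results so the devices on the corporate SSID are dealt with first. The mapping from mDNS service names to vendors, the SSID and AP names, and every MAC/IP in it are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed mapping from mDNS service types to the product family that usually
# advertises them. These names are commonly seen from these vendors' devices,
# but the mapping is this example's assumption, not Ordr's profiling logic.
VOICE_ASSISTANT_SERVICES = {
    "_googlecast._tcp": "Google",
    "_sonos._tcp": "Sonos",
    "_amzn-wplay._tcp": "Amazon",
}


@dataclass
class Device:
    mac: str
    vendor: str
    first_seen: datetime
    last_seen: datetime
    ip: str
    ssid: str
    access_point: str
    vlan: int
    # (timestamp, access point) recorded each time the device shows up somewhere new
    locations: list = field(default_factory=list)


def classify(services):
    """Return the vendor family if any advertised mDNS service belongs to a voice/media assistant."""
    for svc in services:
        if svc in VOICE_ASSISTANT_SERVICES:
            return VOICE_ASSISTANT_SERVICES[svc]
    return None


def build_inventory(observations):
    """Fold passively observed advertisements into one record per MAC.

    Keeps first/last seen, the most recent network context (IP, SSID, AP, VLAN)
    and the history of access points, so a device that roams is still tracked.
    """
    inventory = {}
    for obs in sorted(observations, key=lambda o: o["ts"]):
        vendor = classify(obs["mdns"])
        if vendor is None:
            continue  # not one of the device classes being hunted
        dev = inventory.get(obs["mac"])
        if dev is None:
            dev = Device(obs["mac"], vendor, obs["ts"], obs["ts"],
                         obs["ip"], obs["ssid"], obs["ap"], obs["vlan"])
            inventory[obs["mac"]] = dev
        dev.last_seen = obs["ts"]
        dev.ip, dev.ssid, dev.access_point, dev.vlan = obs["ip"], obs["ssid"], obs["ap"], obs["vlan"]
        if not dev.locations or dev.locations[-1][1] != obs["ap"]:
            dev.locations.append((obs["ts"], obs["ap"]))
    return inventory


def prioritise(inventory, now, corporate_ssids, stale_after=timedelta(days=7)):
    """Bucket devices: active on a corporate SSID first, then guest, then not seen recently."""
    buckets = {"corporate": [], "guest": [], "stale": []}
    for dev in inventory.values():
        if now - dev.last_seen > stale_after:
            buckets["stale"].append(dev.mac)
        elif dev.ssid in corporate_ssids:
            buckets["corporate"].append(dev.mac)
        else:
            buckets["guest"].append(dev.mac)
    return buckets


T0 = datetime(2020, 8, 1, 9, 0)
# Constructed sample observations (timestamps, MACs, IPs, SSIDs and AP names are made up).
OBSERVATIONS = [
    {"ts": T0, "mac": "aa:bb:cc:00:00:01", "ip": "10.10.5.21", "ssid": "CORP-WIFI",
     "ap": "AP-BoardRoom-3F", "vlan": 105, "mdns": ["_amzn-wplay._tcp"]},
    {"ts": T0 + timedelta(hours=1), "mac": "aa:bb:cc:00:00:02", "ip": "10.20.1.77", "ssid": "GUEST",
     "ap": "AP-Lobby-1F", "vlan": 201, "mdns": ["_sonos._tcp", "_http._tcp"]},
    {"ts": T0 - timedelta(days=10), "mac": "aa:bb:cc:00:00:03", "ip": "10.10.5.40", "ssid": "CORP-WIFI",
     "ap": "AP-Exec-4F", "vlan": 105, "mdns": ["_googlecast._tcp"]},
    {"ts": T0 + timedelta(days=3), "mac": "aa:bb:cc:00:00:01", "ip": "10.10.5.21", "ssid": "CORP-WIFI",
     "ap": "AP-Exec-4F", "vlan": 105, "mdns": ["_amzn-wplay._tcp"]},  # the same Echo, now in another room
    {"ts": T0 + timedelta(days=3, hours=1), "mac": "aa:bb:cc:00:00:09", "ip": "10.10.7.5", "ssid": "CORP-WIFI",
     "ap": "AP-Exec-4F", "vlan": 107, "mdns": ["_ssh._tcp"]},  # a laptop: ignored
]
NOW = T0 + timedelta(days=5)

if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for dev in inv.values():
        path = " -> ".join(ap for _, ap in dev.locations)
        print(f"{dev.vendor:7} {dev.mac} {dev.ip:12} {dev.ssid:10} VLAN {dev.vlan} "
              f"first {dev.first_seen:%Y-%m-%d} last {dev.last_seen:%Y-%m-%d} via {path}")
    print(prioritise(inv, NOW, {"CORP-WIFI"}))
```

The access-point history is what answers “where is it?” for a device that moves between rooms, and the stale bucket is there because these devices come and go: a record that has not been seen for a week is still evidence for the audit trail, but it is not the one to chase first.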

I hope you found this to be helpful.

“Hey Siri, leave a comment below.”


In the past few years, the United States has made more moves against technology companies that are based in China or backed by the Chinese government. To name a few:

  • Hikvision – IoT cameras
  • Dahua – IoT cameras
  • iFlytek – voice recognition software
  • Megvii – image recognition and deep-learning software
  • SenseTime – facial, text, and image recognition, object detection, medical image analysis, and more
  • Yitu Technologies – facial and speech recognition, natural language processing, and more
  • And attempts to ban Huawei – telecommunications equipment

In late 2019, in response to the discovery of backdoors that facilitated communication between cameras made in China and destinations inside China, the U.S. government amended the National Defense Authorization Act to prohibit the U.S. government from purchasing and installing Chinese-made surveillance cameras. Other governments around the world followed suit.

Along with the NDAA amendments, the government advised that all federal agencies would have to remove the devices by August 13, 2019. At last check, there were still thousands of the devices in service. Once deployed, it seems, the cameras have been difficult to account for—despite a Department of Homeland Security mandate that federal agencies be able to track every device attached to their networks.

“There are all kinds of shadowy licensing agreements that prevent us from knowing the true scope of China’s foothold in this market,” The Freedonia Group’s Peter Kusnic told Bloomberg News. “I’m not sure it will even be possible to ever fully identify all of these cameras, let alone remove them. The sheer number is insurmountable.”

Depending on who you ask, by 2025 there will be between 41.6 billion and 83 billion IoT devices deployed to networks worldwide. A vast majority of these devices were created for ease-of-use by consumers, rather than with security in mind. Yes, both can exist in an ideal world, but for IoT devices, it is very uncommon. These devices often have obsolete or unsupported operating systems, unpatched vulnerabilities, and a lack of proper communication protocols.

As we know from the experience of the federal government, once deployed it can be difficult to find these devices, making it nearly impossible to remove them if needed. Organizations are continuing the fight to ensure all connected devices are accounted for, and the U.S. government is now attempting to do that through a number of directives from the National Institute of Standards and Technology (NIST) designed to ensure secure deployment, management, and operation of all network connected devices. These include standards like the NIST Cybersecurity Framework (CSF) and the Federal Information Processing Standard (FIPS) 140-2, requiring validated cryptography for device communications.

But the U.S. federal government’s experience with Chinese surveillance cameras illustrates the issue of unmanaged devices – one that every organization must grapple with. How do you find and secure the devices that are putting your organization at risk (Mirai, dark_nexus, other malware, C2 takeovers, etc.)?

To find out more about how Ordr can help your organization discover and classify all network devices, identify high-risk devices (CVEs, FDA recalls, etc.), and give your team the ability to assign policies that protect your enterprise OR how we are the only IoT security company to support both NIST CSF and FIPS 140-2, click here.


Overview:

On July 23, the National Security Agency (NSA) along with the Cybersecurity and Infrastructure Security Agency (CISA) urged all DoD, NSS, DIB, and U.S. critical infrastructure facilities to take immediate action to secure their Operational Technology (OT) assets. The alert was issued because in the past few months, threat actors have leveraged internet connected devices to exploit critical infrastructure. OT and IoT devices and systems are designed for ease-of-use rather than with security in mind and thus don’t have the means to detect or mitigate malicious activity. The design of these devices and systems, combined with the data that they transmit and share via the internet, makes them easily exploitable.

“…civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests”

Some of the observed Tactics, Techniques, and Procedures (TTPs) as defined by the MITRE ATT&CK framework are:

  • Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
  • Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
  • Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
  • Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
  • Use of vendor engineering software and Program Downloads [T843].
  • Modifying Control Logic [T833] and Parameters [T836] on PLCs.

While Alert AA20-205A discusses OT specifically, IoT is also relevant in this alert, because the alert tackles the 16 “critical infrastructure” sectors as defined by CISA:

Bolded below are the 9 critical infrastructure sectors that are largely impacted by IoT.

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

How Ordr can help:

“At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term.”

With our comprehensive IoT security platform, Ordr can help organizations address the following recommended steps as outlined in NSA & CISA Alert AA20-205A:

  • Harden Your Network
  • Create an Accurate “As-operated” Network Map Immediately
  • Understand and Evaluate Cyber-risk on “As-operated” Assets
  • Implement a Continuous and Vigilant System Monitoring Program
  • Exercise your Incident Response Plan

Harden Your Network

Hardening your network starts with visibility into what is actually on your network. With the most comprehensive platform for discovering, profiling, and automating action for connected devices, we passively discover high-fidelity context on every connected device, including make, model, operating system, firmware version, location, and application/port usage. This device context is enriched with threat intelligence, vulnerability data, and FDA/device manufacturer alerts, and incorporated into our data lake. Organizations then have granular, high-fidelity classification of every device in their network for identification of outdated operating systems, FDA recalls, and devices banned by the U.S. Commerce Department. This device context can be integrated with asset management systems.

Using Ordr Flow Genome, we leverage real-time machine learning to profile every device, and visualize and baseline every device’s communications. This allows organizations to have a deep understanding of behavior insights like identifying anomalous or suspicious behaviors, such as communications to external malicious domains, lateral movement of malware/trojans and more. We do this through our security engines that scan for activity on infected machines.

This allows organizations to address the following hardening requirements:

  • Identify devices using weak passwords and ciphers – clear text transfer of passwords, default or manufacturer passwords, shared drives, weak ciphers, etc.
  • Identify devices that connect to business, telecommunications, or wireless networks – clearly separate devices into managed, unmanaged, and how devices enter the network.
  • Closely scrutinize and track devices that are internet-accessible – closely scrutinize outbound connections to internet especially from mission critical devices like PLCs etc., and rate those connections with respect to the reputation of the sites they are reaching out to.
  • Closely scrutinize and track devices that have remote management services – extract all administrative protocol interactions like SSH, rlogin, and more to closely monitor manufacturer based remote debugging sessions using protocols like RDP.
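The four hardening items above are all questions that can be answered from device context plus observed flows. The block below is an added example, not Ordr’s code: it runs a constructed set of flow records against a constructed device inventory and maps each flow to the hardening items it violates (clear-text login protocols and obsolete TLS versions, unmanaged devices reaching file shares, internet exposure in either direction, and remote management sessions), then lists the unmanaged devices that need attention first. All device names, addresses and flows are constructed for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for internet hosts.

```python
import ipaddress
from collections import Counter

# Constructed inventory (the context passive profiling would supply): IP -> device record.
INVENTORY = {
    "10.50.1.10": {"name": "PLC-Line3", "cls": "OT/PLC", "managed": False},
    "10.50.1.11": {"name": "HMI-Line3", "cls": "OT/HMI", "managed": False},
    "10.10.2.5": {"name": "ENG-WS01", "cls": "IT/Workstation", "managed": True},
    "10.10.2.50": {"name": "FILESRV01", "cls": "IT/Server", "managed": True},
    "10.10.9.9": {"name": "CAM-Lobby", "cls": "IoT/Camera", "managed": False},
}

# Protocol families that matter for the four hardening items.
CLEARTEXT_CREDENTIAL_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 513: "rlogin"}
SHARED_DRIVE_PORTS = {445: "SMB", 2049: "NFS"}
REMOTE_MGMT_PORTS = {22: "SSH", 23: "Telnet", 513: "rlogin", 3389: "RDP", 5900: "VNC"}
WEAK_TLS_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Only RFC 1918 space counts as internal here. ipaddress's is_private would also
# accept the documentation ranges used below to stand in for internet hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, tls_version, dst_fqdn).
FLOWS = [
    ("10.10.2.5", "10.50.1.10", 23, None, None),        # engineer telnets to the PLC
    ("10.10.2.5", "10.50.1.11", 3389, None, None),      # RDP to the HMI
    ("10.50.1.10", "203.0.113.8", 443, "TLSv1.0", "update.vendor.example"),  # PLC calls out with old TLS
    ("198.51.100.4", "10.10.9.9", 80, None, None),      # inbound internet HTTP to the camera
    ("10.10.2.5", "10.10.2.50", 445, None, None),       # managed workstation to file share: expected
    ("10.10.9.9", "10.10.2.50", 445, None, None),       # camera to the file share: not expected
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(flows, inventory):
    """Map each flow to the hardening items it violates. Returns (category, device, detail) tuples."""
    findings = []
    for src, dst, port, tls, fqdn in flows:
        src_dev, dst_dev = inventory.get(src), inventory.get(dst)
        # Weak passwords / ciphers: a device serving a clear-text login protocol,
        # a device speaking an obsolete TLS version, or an unmanaged device on a file share.
        if dst_dev and port in CLEARTEXT_CREDENTIAL_PORTS:
            findings.append(("weak-credential-handling", dst_dev["name"],
                             f"{CLEARTEXT_CREDENTIAL_PORTS[port]} service reached from {src}"))
        if src_dev and tls in WEAK_TLS_VERSIONS:
            findings.append(("weak-cipher", src_dev["name"], f"{tls} to {dst}:{port}"))
        if src_dev and not src_dev["managed"] and port in SHARED_DRIVE_PORTS:
            findings.append(("shared-drive-access", src_dev["name"],
                             f"{SHARED_DRIVE_PORTS[port]} to {dst}"))
        # Internet-accessible devices, in either direction.
        if src_dev and not is_internal(dst):
            findings.append(("internet-outbound", src_dev["name"],
                             f"to {dst} ({fqdn or 'unresolved'}) port {port}"))
        if dst_dev and not is_internal(src):
            findings.append(("internet-inbound", dst_dev["name"], f"from {src} port {port}"))
        # Remote management services in use on a device.
        if dst_dev and port in REMOTE_MGMT_PORTS:
            findings.append(("remote-management", dst_dev["name"],
                             f"{REMOTE_MGMT_PORTS[port]} session from {src}"))
    return findings


def summarize(findings):
    """Count findings per hardening category."""
    return Counter(cat for cat, _, _ in findings)


def exposed_unmanaged(findings, inventory):
    """Names of unmanaged devices with at least one finding: the first hardening targets."""
    unmanaged = {d["name"] for d in inventory.values() if not d["managed"]}
    return sorted({dev for _, dev, _ in findings if dev in unmanaged})


if __name__ == "__main__":
    results = audit(FLOWS, INVENTORY)
    for cat, dev, detail in results:
        print(f"{cat:24} {dev:10} {detail}")
    print(summarize(results))
    print("unmanaged devices to harden first:", exposed_unmanaged(results, INVENTORY))
```

The managed/unmanaged split in the inventory is deliberate: the same SMB flow is unremarkable from a managed workstation and a finding from a camera, which is the “clearly separate devices into managed, unmanaged” point made in the list above. Port-based protocol identification is a simplification; production tooling should use the identified application protocol rather than the destination port.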

Create an Accurate “As-operated” Network Map Immediately

Flow Genome

Ordr Flow Genome provides the most comprehensive profiling of every device’s communication patterns. We are also able to extract the latest authentication information via Active Directory/LDAP, WinRM/WMI and Kerberos to identify device users, so organizations can locate devices associated with a specific owner, or identify the most recent authenticated login to a device. Our constellation map also provides a visual network topology view of where these devices are relative to network VLANs and subnets, allowing organizations to quickly address the “network map” requirement.

Classification Group Traffic Analysis

Understand and Evaluate Cyber-risk on “As-operated” Assets

The Ordr dashboard provides flexibility in searching for and investigating the risks outlined by NSA and CISA. This includes using our device inventory and context to identify devices that have been called out by:

  • Vendor or technical advisories
  • CISA advisories
  • CVE vulnerabilities databases
  • National vulnerability databases

More importantly, Ordr has the capability to automatically segment and isolate any device that is impacted by vulnerabilities, with one touch of a button. These policies can be enforced on any security or networking infrastructure.

Implement a Continuous and Vigilant System Monitoring Program

Incident Summary

Through the Ordr Incident Summary & Device Risk Summary, we can visually show the continuous discovery and monitoring of devices, highlight any new risks to those devices (i.e., Ripple20), alert based on severity, and create action for segmentation.

Ripple20 Device Incident

Exercise your Incident Response Plan

We automate the appropriate responses for security and networking teams. These include the automated creation and enforcement of segmentation policies or alerting and triggering a specific security or operational workflow. We also integrate with enforcement points (like switches, Cisco ISE, CPPM, controllers, etc.) to quarantine, blacklist, shut down or enforce an ACL.

  • Proactive Segmentation – Unlike users, devices should only communicate with specific systems. Ordr dynamically creates policies to allow only appropriate device communications. These policies can be automatically enforced on existing infrastructure — firewalls, switches, NAC and wireless LAN controllers.
  • Operational Actions – when a new or unknown device is discovered, we can trigger a centralized workflow with a CMMS or CMDB to ensure proper inventory, authentication, and routing to the right device owners.
  • Security and Incident Response Actions – in the event of a security incident, or if devices have triggered an alert (known vulnerability, weak cipher, weak certificate, active threat, or malicious/suspicious behaviors) we can initiate an incident response workflow in a SIEM or SOAR, or automatically segment the impacted device.
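The idea that devices, unlike users, should only talk to specific systems is what makes a learned communication baseline useful both for detection and for segmentation. The following is an added example, not Ordr’s Flow Genome or its policy engine: it learns, from a constructed set of flows captured during a clean learning window, which (peer class, port) pairs each device class uses; it then flags live flows that leave that baseline (lateral movement toward a class the device never spoke to, or a new external destination) and any flow to a domain on a constructed reputation list; and it renders the baseline as per-class permit rules with an implicit deny, in a vendor-neutral form. Device classes, addresses, flows and the malicious domain are all constructed for the example.

```python
from collections import defaultdict

# Constructed classification (what device profiling would supply): IP -> device class.
CLASSES = {
    "10.50.1.10": "PLC", "10.50.1.12": "PLC", "10.50.1.11": "HMI",
    "10.10.2.5": "Engineering-WS", "10.10.3.20": "Historian", "10.10.2.50": "File-Server",
}
# Constructed reputation feed; a real deployment would pull this from threat intelligence.
MALICIOUS_DOMAINS = {"c2.malicious.example"}


def device_class(ip):
    """Unknown peers are treated as external; only inventoried devices get a class."""
    return CLASSES.get(ip, "EXTERNAL")


def learn_baseline(flows):
    """Per source class, the set of (peer class, dst port) pairs seen in a clean learning window."""
    baseline = defaultdict(set)
    for src, dst, port, _fqdn in flows:
        baseline[device_class(src)].add((device_class(dst), port))
    return dict(baseline)


def evaluate(flows, baseline):
    """Flag live flows that leave the baseline, and any flow to a known-bad domain regardless."""
    alerts = []
    for src, dst, port, fqdn in flows:
        sc, dc = device_class(src), device_class(dst)
        if fqdn in MALICIOUS_DOMAINS:
            alerts.append(("malicious-domain", src, f"{sc} -> {fqdn}:{port}"))
        elif (dc, port) not in baseline.get(sc, set()):
            kind = "external-anomaly" if dc == "EXTERNAL" else "lateral-anomaly"
            alerts.append((kind, src, f"{sc} -> {dc} ({dst}):{port}"))
    return alerts


def allowlist_policy(baseline):
    """Render the baseline as per-class permit rules followed by a deny, in a vendor-neutral form."""
    rules = []
    for sc in sorted(baseline):
        for dc, port in sorted(baseline[sc]):
            rules.append(f"permit {sc} -> {dc} tcp/{port}")
        rules.append(f"deny {sc} -> any")
    return rules


# Constructed flows: (src_ip, dst_ip, dst_port, dst_fqdn).
BASELINE_FLOWS = [
    ("10.50.1.11", "10.50.1.10", 502, None),   # HMI polls PLC over Modbus/TCP
    ("10.50.1.11", "10.50.1.12", 502, None),
    ("10.10.2.5", "10.50.1.10", 502, None),    # engineering workstation to PLC
    ("10.10.3.20", "10.50.1.12", 502, None),   # historian collects from PLC
    ("10.10.2.5", "10.10.2.50", 445, None),    # workstation uses the file share
]
LIVE_FLOWS = [
    ("10.50.1.11", "10.50.1.10", 502, None),                       # normal
    ("10.50.1.10", "10.10.2.50", 445, None),                       # a PLC opening SMB to a server: not normal
    ("10.50.1.11", "203.0.113.8", 443, "c2.malicious.example"),    # HMI to a known-bad domain
    ("10.10.2.5", "203.0.113.9", 443, "updates.vendor.example"),   # new outbound destination
    ("10.10.2.5", "10.10.2.50", 445, None),                        # normal
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for rule in allowlist_policy(base):
        print(rule)
    for kind, src, detail in evaluate(LIVE_FLOWS, base):
        print(f"ALERT {kind:17} {src:12} {detail}")
```

Two properties of this approach matter in practice. The baseline is only as good as the learning window: a compromise present while the baseline is learned becomes “normal”, so the reputation check runs before the baseline check and fires regardless of what was learned. And because the rules are keyed by device class rather than by address, a newly discovered PLC inherits the PLC policy as soon as it is classified, which is what lets segmentation keep pace with devices that come and go.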

To learn more about how Ordr can help your organization, schedule a demo.