Ordr Appoints Wes Wright as Chief Healthcare Officer Read more here!

I am excited to announce the integration of Ordr Systems Control Engine (SCE) and VMware NSX-T™ Data Center and VMware NSX® Intelligence™.

Ordr Systems Control Engine (SCE): Discovers every connected device, profiles device behaviors and risks, and automates response. Ordr not only identifies devices with vulnerabilities, weak ciphers, weak certificates, and active threats, but also those that exhibit malicious or suspicious behaviors. Ordr enables networking and security teams to easily automate response by dynamically creating policies that isolate mission-critical devices, those that share protected organizationally unique sensitive data (PCI, PHI, PII) or run vulnerable operating systems.

VMware NSX-T Data Center: Includes Distributed Firewall functionality to specify dynamic security policies down to the VM level with the ability to configure east-west and north-south firewalling.

VMware NSX Intelligence: Provides a graphical user interface to visualize the security posture and network traffic flows that have occurred in your on-premises NSX-T Data Center environment.

With the integration, joint customers can now:

  • Achieve cutting edge visibility
  • Accelerate NSX-T Data Center microsegmentation
  • Minimize the potential business impact associated with firewall changes

If your VMware NSX data center firewall microsegmentation team is looking for a method to significantly reduce the overhead of maintaining static NSX-T IPsets and group objects, it is time to consider a solution that is capable of addressing the following scenarios:

  • Automated NSX-T group object creation for non-data center device types
    Since NSX-T provides excellent visibility for the entire data center, the most time-consuming objects to create and maintain are ones which pertain to devices outside of the data center (enterprise campus, branch sites, etc).

Ordr continuously discovers devices as they join campus and branch networks and can automate the creation of corresponding group objects in NSX.

NOTE: Ordr creates NSX objects with a standard prefix of “ordr-“. This allows NSX admins to easily recognize which objects are autogenerated and maintained by Ordr.

  • Automated IP address membership tracking for NSX group objects
    Dynamically creating NSX-T groups is a great start, but this capability alone does not solve the labor-intensive aspect of maintaining IP address membership for each type of device.
    Ordr tracks the IP addresses of each type of device in the campus and branch. If a credit card reader device IP changes, Ordr will automatically update the NSX group with the new IP address.
  • Support for advanced visualizations in the latest version of NSX Intelligence
    Ordr programmatically creates NSX group objects and their members in a format which is compatible with the latest version of NSX Intelligence (announced at VMworld 2020[CI1] ).
    This means that NSX Intelligence is able to render all communications from Ordr-defined and maintained NSX device groups.
    This capability is key for teams who are looking to accelerate their data center security initiatives by gaining a comprehensive understanding regarding all types of campus and branch devices which are communicating to virtual machines in the data center.

How it works:

Step 1

Ordr SCE sensors use advanced deep packet inspection (DPI) techniques to process campus and branch traffic from a SPAN/port mirror, TAP, or packet broker feed

Step 2

Ordr SCE sensors forward metadata to the SCE Analytics system which identifies all the device types (including unmanaged IoT devices) which are communicating on the campus network

Step 3

Ordr SCE Analytics programmatically creates NSX groups and their member IP addresses

NSX Intelligence with Ordr device data in action:

In this example screenshot from NSX Intelligence, we can quickly see that the Alaris Manager VM is receiving unprotected communication from two different device types in the campus network.

NSX group 1: ordr-BD-Alaris-Infusion-Pump

NSX group 2: ordr-Shenzhen-Network-Camera

This type of information can be leveraged to reduce the amount of manual labor associated with understanding source/destination communication for thousands of different campus and branch device types communicating to virtual machines in the data center.

In summary, the Ordr integration with NSX-T Data Center and NSX Intelligence allows teams to achieve greater operational efficiency by automating labor intensive tasks and unlocking rich device type context visibility for all campus and branch devices communicating with virtual machines.

For more on how one of our customers is leveraging this integration today, visit our on-demand VMworld breakout session NSX Intelligence: Visibility and Security for the Modern Data Center – Pt2 [ISNS2496] with Ray Budavari, Sr. Staff Technical Product Manager at VMware, Brandon Rivera, Enterprise Infrastructure Architect at CHRISTUS Health, and myself as we take a deep dive into the integration, and provide a demo of the Ordr and NSX Intelligence capabilities.

VMware & Ordr Overview


Guest blog by Jason Malacko, Director Architecture – Security at Logicalis US

When you’re in the business of helping companies integrate and consume sophisticated technology, you learn that, behind all the questions related to how it works, there are two primary concerns: that it will be simple to use, and that it will deliver its promised value… fast.

At Logicalis we strive to make the complex simple. We recognize that our customers are too busy using technology and don’t want to worry about whether a service or application will be reliable or difficult. That’s why they hire us, after all. So, whether it’s a healthcare organization, manufacturer, state or local government agency, or whatever it is that your organization does, we approach every project as though we are architects of change for our customers, building a technology solution that doesn’t befuddle, but that inspires.

Internet of Things

Recently we’ve been using a lot of connected devices in the solutions we’re designing for our customers. The internet of things (IoT) includes a lot of wonderful tools that make operating a business more efficient and effective.

Think about a typical hospital, for example, and you get a sense of the ways IoT supports a mission of healing. Environmental controls keep temperatures where they need to be in every setting, and that air quality is always excellent. Building and security controls make sure people can get to where they need to go quickly, and that only authorized people are allowed in sensitive spaces; that video cameras keep a constant watch on the premises; and that lighting is on at the right level when it needs to be, and off when a space is vacant. There are devices that facilitate communications, IT operations, administrative duties. And, of course, there are a host of medical devices used to treat and monitor patients, provide therapy, and otherwise support medical staff as they care for the sick and injured.

All of these devices have important roles, but from a security and management perspective, they have to be treated very differently. Ordr has proven to be a valuable member of our partner network, supporting our top-down approach to IoT utilization in pursuit of this ideal.

When beginning a customer engagement, we’ve found that about ten percent of an organization’s devices are out of view of IT operations management. That means there are dozens or possibly hundreds of attack vectors somewhere in the network. It also helps to explain why only 26 percent of companies have launched an IoT initiative they consider to have been a success. That makes device discovery a critical first step in understanding, managing, and protecting the network, and to ensuring your IoT initiative does what you want it to do—with no unpleasant surprises.

Ordr Core

Ordr Core gives us the ability to open a customer’s eyes to the level of risk they didn’t realize they had, but it’s only the first step. Complete device discovery means we can begin the process of assessing risk, identifying device behavior, and categorizing each device’s purpose in the network. From there we can reconcile each device’s role, and implement policy automation to ensure proper device use as well as to implement a critical part of the IoT strategy: segmentation.

Device segmentation is an underappreciated aspect of IoT management and security. Done right, segmentation is about more than simply making sure certain categories of devices are on the right VLAN; it’s about aligning IoT use with security and business objectives. If all you’re doing to put segmentation into effect is grouping like assets—say, keeping medical devices, environmental controls, and facilities management equipment on their own VLANs—you may still be leaving your network vulnerable to attack and, once inside, allowing adversarial elements to quickly move laterally within the network.

Ordr Core excels as a tool that give our engineers the ability to work closely with our customers, show them their level of risk, and bring complex technical solutions with a reliance on IoT into alignment with their needs. When we’re able to do that, it gives our team and the customer confidence that our design will be simple to use, and that it will deliver its promised value… fast.

Want to experience Ordr in your network, request a free sensor here: https://ordr.net/iot-discovery-program-logicalis-labs/


IoT is changing the world as we know it, bringing new opportunities and innovation to almost every industry. We’ve seen this first hand at Ordr, where our customers in healthcare, manufacturing, retail and government are reaping the benefits and efficiencies of IoT.

Whatever the business outcome — from patient diagnostics to inventory management to building access – there is a sensor, system or device that delivers on that promise. The real challenge is ensuring the visibility and security of all these devices. With more than 25 billion IoT devices deployed in 2020, and 75 billion expected in 2025, the downside of playing fast and loose with IoT security can be devastating. As Zeus Kerravala, Principal Analyst at Zeus Research, said, “Every connected device is a potential attack vector, especially when deployed outside the purview of security and IT. In order to secure their devices, organizations must start with visibility into what is actually connected but most organizations don’t have the time or resources to do this manually, and have had to live with the risk of not knowing what’s lurking in the shadows.”

This is why we launched our new IoT Discovery Program – to shine a spotlight on what’s previously been in the shadows. The IoT Discovery Program includes a complete kit – Ordr Core and zero touch provisioning sensor– to discover and classify IoT (and shadow IoT) devices in the enterprise. The IoT Discovery Program is so simple and seamless, it removes resource or project barriers that prevent organizations from truly understanding what is in their network

We’re especially proud to have the IoT Discovery Program available through Ordr channel partners, including Cadre, Carousel Industries, GuidePoint Security, Logicalis, Novacoast, and The Teneo Group. We’ve been working with these strategic partners and their enterprise customers in early deployments of Ordr Core and the IoT Discovery program since the beginning of the year.

The feedback from the program has been overwhelmingly positive, and we hope you’ll give it a try. Our partners are standing by, ready to help you get started today.

  • “I am a security researcher focused on all kinds of malware and I was surprised it found all of these issues quickly and the details are amazing” – Mike L., Software Company
  • “Pretty amazed with what Ordr collects and the details of what it collects” – Ron B, Financial Services
  • “Easy to use, plug and play, I got a lot of info quick.” – Chris L., Security Company

Our journey with Ordr Core started some time ago as we met with many enterprise customers regarding their difficulty maintaining a safe and secure network.  As we listened, it became apparent that many companies could not protect themselves from cyber attacks or other intrusions without fully understanding what devices are in their network, complete topological map of their pathways and how they are communicating.  There are many methods of gaining this visibility. But, most technologies involve agents, expensive hardware, along with large network and security teams that can take months, if not years to get started.  We decided to change all that.

Today, we are pleased to announce the commercial availability of the Ordr Core software and our new self-service IoT Discovery Program.  At its essence, Ordr Core is IoT Device Security Made Simple.  It’s foundational software that gives customers granular visibility into all IoT devices, identifying managed and unmanaged devices and any potential security risks—all within minutes. Those who want to move beyond visibility to proactively protect these devices by integrating fully with existing software and infrastructure can easily upgrade to Ordr Premium at any time.

To make it even simpler, as part of the IoT Discovery Program, qualified users get a free zero touch provisioning sensor and the Ordr Core software at no cost for 30 days. Sensor deployment is plug and play. As soon as a sensor is “connected”, it automatically calls home to our cloud dashboard, and Ordr automatically starts classifying all devices and identifying their risks.

Ever wonder how many legacy Windows XP machines are in your network? Are you concerned about which devices might be vulnerable to Ripple20 or Wannacry? Are you worried about which security cameras still have default passwords?  We show you in one elegantly designed user interface.  If there are external communications to malicious URLs or even unusual sites, we tell you right away. To top it off, we will send you an Executive Report at the end of the program with all our findings so that you can take proactive steps to protect your network.

At Ordr, our engineering culture is rooted in the belief in delighting our customers.  We embrace speed and agility, we encourage growth and learning, and working towards delivering the best features for our customers.  Our architecture was designed to scale up or down from the start. We can see everything in a network and provide the context of the various communication pathways between devices, be it internal lateral movement or connection to external web sites of poor reputation. In fact, in one partner forum, an Ordr user said this about our platform, “If Ordr does not profile it, it does not exist”. From details such as device icons in our GUI, to our constellation view and Ordr Flow Genome, we have worked very hard to make the complex elegantly simple.

Ordr Core delivers unparalleled profiling of behavior and risk.  Some of the leading enterprise companies already trust Ordr to tell them what’s on their networks.  Now we can bring this visibility to you in minutes, not weeks or months.  If you are in networking, security, or asset management, go to http://www.ordr.net/sensor to get started.


While watching Keith Whitby, Section Head of Healthcare Technology Management Cybersecurity and Operations at Mayo Clinic, and Pandian Gnanaprakasam, Chief Product Officer at Ordr, discuss strategies for securing connected devices and HIoT in a recent webinar, I found the following to be insightful information that you can apply to your organization’s cybersecurity efforts.

Gaps in Medical Device Security

One of the first steps in securing IoMT and HIoT devices is accounting for the gaps in medical device security. Evaluating equipment coming in, understanding the security risks related to those, and building a plan of mitigating controls that should be applied to equipment are all important aspects of device security, but they must be operationalized.

At Mayo Clinic, previous security assessments were done on an asset by asset basis. This lack of operational framework limited the implementation of device security procedures. Once Mayo Clinic created a standardized process across the organization, the framework could be followed for all medical equipment and new IoT and OT devices.

The Unique Nature of Medical Devices and HIoT

Medical equipment, systems and HIoT are different from standard IoT and IT systems. Hospitals must follow regulatory guidelines from the U.S. Food and Drug Administration (FDA), College of American Pathologists (CAP) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO), while medical devices in physicians’ offices do not have to follow the same rules. HloT devices come with their own unique challenges, from unsupported devices to service keys being required.

Security Challenges: Size and Scope

Medical organizations can span large geographical areas, including multiple states and hundreds of buildings. They can also have tens of thousands of connected medical devices, hundreds of vendors and thousands of models. The magnitude of medical device networks challenges IT teams to efficiently secure many devices at once. Networks of devices can have inventory discrepancies, and mismatched data from their CMMS and NAC.

Medical devices have complex systems that require intensive work to patch and manage vulnerabilities. Part of the process of setting a framework for securing HIoT devices involves figuring out who will be implementing security standards and applications. HIot devices need both specially trained IT technicians and unique applications to deploy security solutions.

Mayo Clinic: HTM Role in Cybersecurity

At Mayo Clinic, the cybersecurity team in Healthcare Technology Management is the operational arm of IT. The team has developed a structured system and standardized approach to securing medical equipment and HIoT systems. They ensure equipment meets organizational and cybersecurity requirements throughout its lifecycle.

  • Core Team: Mayo Clinic’s Core Team of HTM Cybersecurity developed a security framework for IoT and HIoT based on National Institute of Standards and Technology (NIST) and Association for the Advancement of Medical Instrumentation (AAMI) standards. They also developed a HTM vulnerability management program guide, so that when a vulnerability is found, there is a clear process for remediation.
  • Information Security Engineers: Besides technicians, the HTM team also has HTM associate infosec engineers, who create vulnerability management procedures, apply controls to medical devices and add new equipment to Mayo’s network.
  • SPAD: The Security, Privacy, Architecture, Data team, or Security Assessment Team manages medical device purchases, device intake assessments, and helps to construct security lifecycle profiles at Mayo Clinic.

Cybersecurity Execution

Over the past two years, the HTM Cybersecurity Program has added significant security value, improving intake process efficiency, establishing an algorithm to calculate and track security risks, and more.

Mayo Clinic developed their IoT/HIoT device security through proactive security, building upon multiple areas of cybersecurity, including:

  • Policy & Process: Setting device security standards and leveraging known security incidents, regulatory compliance as well as internal audit observations
  • Lifecycle Profile: Addressing security issues within the equipment lifecycle, creating Security Lifecycle Profiles that provide a roadmap for device security and management from the pre-purchase stage to decommissioning
  • Tools Deployment: Creating a security specific manual for devices, documenting what tools need to be deployed for different device types and models
  • Fleet Risk Assessment: Adopting a fleet approach rather than device by device security
  • Vulnerability Management: Maintaining device security, tracking vulnerabilities and prioritizing remediation
  • SPAD: Initial intake triage and categorization of hardware and software, and routing those devices to the appropriate review groups
  • Patch Management: Deploying a medical device patch installation automation utility tool
  • Training & Industry workgroups: Participating in industry workgroups to contribute medical device security knowledge

How Ordr Can Help

Mayo Clinic identified Ordr as a key tool to execute and automate security operations. Ordr is able to improve data quality for asset inventory, detect networked devices, classify devices, provide insights into connected device actions and help micro-segmentation efforts.

The Ordr Systems Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a demo.

Watch the full Ordr and Mayo Clinic webinar here:

Mayo Clinic Efforts to Secure Connected Devices and HIoT


Any computer security policy is founded on the concept of identifying users and establishing their credentials to authorize them to access system networked resources. Managing usernames and passwords might seem like a trivial task but when a network grows to have many resources and correspondingly many users, the potential for security breaches multiplies.

Integration with Windows Active Directory (AD) provides flexibility for network administrators to adopt a wide range of security policies.

In the most extreme form of “least privilege” access, administrators can lock down each user to allow access only to very specific resources, at specific times, and with specified permissions for specific resources such as file systems, individual files, servers, VPNs, medical workstations, medical and industrial equipment, printers and copiers, and phones.

In practice, this ideal level of control is rarely achieved, and compromises are made to make managing the operation more practical. As a result, many organizations face the following user access challenges:

  • User accounts often grant more access than the employee needs.
  • Sometimes user accounts survive an employee’s termination – for one reason or another they aren’t disabled.
  • In some cases, a user can create “local” user accounts with access privileges.  This is often allowed in systems managed with Windows Active Directory.
  • There can be some systems in the network that do not use the network administrator’s security protocol.
  • IoT Devices (both wired and wireless) and various off the shelf software packages with default passwords (for example: “admin/admin”) appear in corporate network. Most of the time, account management with passwords can become tedious when thousands of IoT devices are deployed in the network, because these devices are typically configured by the manufacturer with default credentials.

While these challenges vary, the end result is the same: an un-authorized user gains access, typically via a VPN or SSH session to some system or device, and from there accesses other privileged resources in the system. In this type of security breach, malware need not be involved, although this may turn out to be a vector for malware. Given the numerous ways in which phishing attacks can install malware agents on an employee-owned corporate laptop, jumping to other devices with weak credentials becomes easier for attackers.

Ordr and Active Directory, RADIUS and wireless Integration

Ordr provides very robust tracking of users using AD/RADIUS and wireless integration, enabling security teams to monitor which user is accessing what device at what time. Ordr provides two key perspective:

  1. User tracking – analysis of all IoT devices accessed by a user.
  2. Device tracking – analysis of which users were logged into a specific device, at what time, duration and more.

Ordr also monitors all devices that use supervisory protocols like SSH, telnet, ftp, etc., associates them with user names, correlates them with the network they logged in from (corporate or guest), and maintains an accurate access record for each and every device as well as each and every user.

We also track and monitor corporate and guest network users. Corporate resources need to be accessed by corporate users with the right credentials from the corporate network. Ordr can alert or trigger the appropriate incident response workflow when a guest network user crosses over to the corporate network.

Finally, organizations can take advantage of all this rich user authentication during a security incident to provide qualifying details such as which network was the entry point, which device the “user” used to get into the network and what authentication methods they used, in addition to detailed Ordr Flow Genome flows.

Account Misuse Use Cases

Our customers have used the Ordr platform in many cases where one or more misuse of user accounts have occurred.

  • Unauthorized user accessing accounts – Based on the network data collected in the Ordr Data LakeTM, we were able to reconstruct extensive and specific activities conducted by a person with an unauthorized-yet-active account, specifically:
    • When the user account was logged on and off, and to which system.
    • What specific resources were accessed.
    • The amount and direction of data transacted (in malware terms, the identification of the data that was exfiltrated.
  • Former employee accesses records – In one healthcare environment, we identified that a former nurse used their login credentials at a medical facility to access more than 600 data records. With the information gathered from Ordr, the response and mitigation of the security breach was initiated in a few minutes. Similar incidents have been documented publicly.
  • Security cameras with default passwords – Another case involved access to security cameras whose default passwords had not been changed. This can happen not only on new installations but also where a failed unit is replaced by a worker not familiar with the organization’s security requirements. After the initial incident the security team was able to make necessary operational changes to avoid a reoccurrence of this specific problem.

To find out more about how Ordr is helping organizations today, you can view our case studies, webinars and white papers here.