
Today, we announced our engagement with the Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE). As the industry leader in continuous discovery, device asset inventory visibility, and security of all connected devices, including unmanaged IoT, IoMT, and OT devices, Ordr will supply cybersecurity protection and resilience for the global defense industrial base (DIB) network of contractors, vendors, and suppliers.

This will help the DIB network of contractors, vendors, and suppliers prepare for their CMMC audit, reduce complexity, improve awareness, and accelerate the industry effort to secure the Federal “supply chain” by becoming more cyber resilient.

Who does CMMC apply to?
CMMC applies to all government contractors, primes and subs, who do business with the Department of Defense (DoD). This includes more than 300,000 organizations that will need to be certified. Previously, federal contractors were allowed to self-certify. With the inception of CMMC in 2020, defense contractors must achieve certification through an accredited third-party assessor in order to be awarded a defense contract.

When does CMMC go into effect?
On November 30, 2020, the DFARS interim rule (clauses 252.204-7019, -7020 and -7021) took effect, adding the CMMC requirement and a NIST SP 800-171 assessment requirement on top of the existing DFARS 252.204-7012 safeguarding clause, and making cybersecurity hygiene foundational to DoD acquisitions. Contractors must now post a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS), and provisionally trained CMMC assessors are already active. Requests for Proposals (RFPs) will now include CMMC requirements for contractors.

Why is CMMC being implemented?
Prior to CMMC, cybersecurity measures failed to protect the United States supply chain. The NIST SP 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. Self-assessment is often not a top priority and offers no safeguard that verifies supply chain integrity. Compliance does not equal security, but financially motivated compliance can drive cybersecurity hygiene and corporate process. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place across the DIB network of contractors, vendors, and suppliers.

How do I achieve CMMC compliance?
All defense contractors are required to coordinate directly with an accredited, independent third-party certification organization to request and schedule their CMMC audit. These assessors review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor is awarded a CMMC certification from Level 1 to Level 5, with a set of Practices (also called Controls) at each level. CMMC requires companies to hold the certification level specified in the solicitation before being awarded the contract.

FAQs:

What is Controlled Unclassified Information (CUI) data?
The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry. If your organization possesses CUI, you will likely need to achieve CMMC Level 3.

My Organization is a subcontractor on DoD contracts, do I need CMMC compliance?
Yes, CMMC applies to subcontractors. The level of certification your organization will need will depend upon the type and nature of the information you receive from the prime contractor.

Does my organization need one level of CMMC certification or can areas of our organization be certified at different CMMC levels?
According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.

For more information on how Ordr can help the DIB network of contractors, vendors, and suppliers meet 77 of the CMMC practices, visit our CMMC webpage or email us at info@ordr.net.


Welcome to my first blog post with Ordr, which is hopefully the first of many. Here at Ordr we’re all about network-connected device information and providing insightful knowledge; however, this comes in many forms. In its simplest form it could be data: binary, Boolean or even a string, but what matters most is its fidelity, accuracy and relevance. Globally, organizations are starting to truly embrace data, especially big data, but they are realizing that they don’t want just data; what they really want is information and knowledge that they can use within their current workflows.

Connect Anything and Everything 

I like to talk about living in the era of ‘connect anything and everything’; these connected devices across any wired or wireless infrastructure come in all shapes, sizes and flavors. More importantly, IT’s ability to correctly identify them and understand their risk and compliance status has historically varied widely. In my first few months at Ordr, I had the opportunity to sit down with many customers to understand their needs. In short, our customers look to Ordr to provide valuable insights into what is connected to their network, what exactly each device is, how it is behaving individually and compared to its peers, and which devices/endpoints are misbehaving or possess vulnerabilities. Again, this is critical information and knowledge, not just data.

Ordr Data Lake for Device Enrichment 

We pride ourselves on our foundational ability to identify all network-connected devices with a high degree of fidelity using deep packet inspection (DPI) to provide the insights that matter. Using the raw packet data from your network, we are able to classify all devices at-scale, then enrich that data in our Data Lake with various third-party data sources to turn it into the context that you need to help secure your infrastructure.

Part of my core responsibility at Ordr is to expand the ecosystem of integration partners. As we support more customer workflows, it is essential to allow more data into the Ordr Data Lake for enrichment, but that data has to be of high trust and fidelity. That’s why we are embarking on adding a number of new integrations that provide us with unique contextual data to enrich our analysis and provide more insightful information and knowledge to our customers.

Integrations 

In early 2021, we announced Ordr SCE 7.4.2, delivering more than 160 new features, integrations, and enhancements to provide unparalleled visibility and protection to organizations globally for security, IT, and HTM teams and their connected devices. In this release, we announced our integrations with Anomali, Exabeam, Fortinet, IBM QRadar, and Ping Identity. In this blog, I want to highlight the Anomali and Fortinet integrations, to give you an idea of the openness of our technology and the agnostic approach we are taking within the industry to ingest data or to use our device context to enrich or enforce policies in existing solutions:

  • Anomali – Let’s start with Anomali. We worked with Anomali to ingest their STIX/TAXII feed; if you don’t know what STIX/TAXII is, OASIS, which maintains both standards, publishes an overview. Anomali consolidates various Cyber Threat Intelligence (CTI) feeds and normalizes the data. Then, via a TAXII pull, Ordr retrieves the normalized data and enriches it with device context. The key is that we built this against the latest STIX/TAXII 2.1 standards: STIX describes the CTI and TAXII transports it. The CTI feed provides indicators of compromise (IOCs) that allow Ordr SCE to find the needle in the haystack; each IOC is a breadcrumb that lets a vendor like Ordr identify activity on the network that matches it. This type of data is very targeted and is a true case of less is more.
  • Fortinet – In contrast to the Anomali integration, which is very much an inbound ingest integration, our recent Fortinet integration is primarily an outbound enforcement integration. We use AI and advanced machine learning, along with the Ordr Data Lake device context, to create a complete Ordr Flow Genome profile of every device and its behavior. This baseline forms the foundation of segmentation policies that give each device the access its role requires while limiting exposure. We leverage the open APIs of FortiManager and FortiGate so that Ordr can dynamically create and push out these enforcement policies, with FortiGate firewalls or FortiNAC as the enforcement point. As I said above, it is primarily an outbound integration, but we can also consume basic traffic flow information from FortiGate to enrich the threat information we already have.
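To make the Anomali side concrete, here is an added example (not Ordr’s or Anomali’s code) of the inbound half of that workflow: pulling indicators out of a STIX 2.1 bundle and matching them against per-device flow records. It assumes the bundle has already been fetched from a TAXII 2.1 collection and that flows are available as plain dicts; the bundle, its IDs, the indicator values and the flow records are all constructed sample data.

```python
"""Pull indicators out of a STIX 2.1 bundle and match them against device flows.

Added example, not Ordr's or Anomali's code. Assumes the bundle below has
already been fetched from a TAXII 2.1 collection
(GET {api-root}/collections/{id}/objects/) and that device flow records are
plain dicts. Both inputs are constructed sample data.
"""
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed STIX 2.1 bundle standing in for one TAXII poll. IDs and values
# are sample data (RFC 5737 addresses, example domains), not real IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--2b2a5f0e-4d0a-4c0b-9a1e-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--2b2a5f0e-4d0a-4c0b-9a1e-000000000002",
            "name": "sample C2 address", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.7']",
            "valid_from": "2021-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--2b2a5f0e-4d0a-4c0b-9a1e-000000000003",
            "name": "sample malicious domains", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.net' OR "
                       "domain-name:value = 'drop.example.org']",
            "valid_from": "2021-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--2b2a5f0e-4d0a-4c0b-9a1e-000000000004",
            "name": "withdrawn indicator", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.9']",
            "valid_from": "2020-01-01T00:00:00Z",
            "revoked": True,  # a revoked indicator must not raise alerts
        },
        {
            "type": "identity", "spec_version": "2.1",
            "id": "identity--2b2a5f0e-4d0a-4c0b-9a1e-000000000005",
            "name": "feed owner",  # non-indicator objects are ignored
        },
    ],
})

# One equality comparison inside a STIX pattern: object-type:property = 'value'
_COMPARISON = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json: str) -> Dict[str, Set[str]]:
    """Return {observable type: values} from every active, simple indicator.

    Only equality comparisons joined by OR are supported. Patterns that need
    real evaluation (AND, FOLLOWEDBY, REPEATS, WITHIN) are skipped rather
    than being mis-parsed into false positives.
    """
    iocs: Dict[str, Set[str]] = {"ipv4-addr": set(), "domain-name": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma/snort/yara patterns need their own engines
        pattern = obj["pattern"]
        if any(op in pattern for op in (" AND ", "FOLLOWEDBY", "REPEATS", "WITHIN")):
            continue
        for obj_type, prop, value in _COMPARISON.findall(pattern):
            if obj_type in iocs and prop == "value":
                iocs[obj_type].add(value.lower())
    return iocs


def match_flows(flows: Iterable[dict], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per (device, matching indicator value)."""
    hits = []
    for flow in flows:
        if flow.get("dst_ip") in iocs["ipv4-addr"]:
            hits.append({"device": flow["device"], "ioc": flow["dst_ip"]})
        # DNS names are case-insensitive and may carry a trailing dot on the wire
        name = (flow.get("dns_query") or "").lower().rstrip(".")
        if name in iocs["domain-name"]:
            hits.append({"device": flow["device"], "ioc": name})
    return hits


# Constructed flow records, as a DPI sensor might summarise them.
SAMPLE_FLOWS = [
    {"device": "cam-lobby-01", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"device": "pump-icu-07", "dst_ip": "10.0.0.53", "dst_port": 53,
     "dns_query": "C2.Example.NET."},
    {"device": "printer-3f", "dst_ip": "198.51.100.9", "dst_port": 9100},
    {"device": "hvac-ctrl-2", "dst_ip": "10.3.0.8", "dst_port": 502},
]

if __name__ == "__main__":
    for hit in match_flows(SAMPLE_FLOWS, extract_iocs(SAMPLE_BUNDLE)):
        print(f"{hit['device']} contacted IOC {hit['ioc']}")
```

Two details matter in practice: revoked indicators must be dropped rather than matched (stale IOCs are a common source of false positives when a feed is consumed as a flat list), and DNS matching has to normalise case and the trailing root dot, otherwise an indicator for `c2.example.net` silently misses the query as it appears on the wire.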

In the coming year, we plan to implement additional inbound, outbound and bi-directional integrations for the benefit of our customers. As part of that process, we constantly review the integration use-cases developed to see where more sources of context can improve what we know about each device.


On Tuesday, March 9th, Bloomberg reported that threat actors had breached the security camera feeds of Verkada Inc., a Silicon Valley startup, gaining access to almost 150,000 video surveillance cameras inside hospitals, companies, police departments, prisons and schools. This was an unsophisticated hack: the threat actors found credentials for an administrator account exposed on the Internet.

While many security vendors are claiming that they could have detected the breach, note that in this specific case the credentials used were valid administrative credentials that gave access to feeds from multiple customers on Verkada’s cloud servers, not on customer networks. Additionally, because of Verkada’s architecture, every feed from an organization’s cameras was encrypted and sent directly to the cloud. Therefore, an on-premises security solution would not have seen any anomaly from the cameras, which were simply streaming video to the centralized cloud server as usual.

However, there are several security learnings from this incident:

  • Real-time visibility is critical – Video surveillance cameras are pervasive, and just like many IoT devices, are not built with security in mind. Security starts with knowing what’s on your network. Our customers use our inventory dashboard to find devices like Verkada or any other video surveillance cameras in their network.

  • Profile risks and behavior – It’s important not only to identify devices but also to understand the risks they bring and map how they communicate. In one Ordr deployment, we found that 60% of an organization’s cameras, deployed in hundreds of facilities worldwide, were using default passwords that were published on the Internet. Some of these cameras were running “non-production” software that periodically called home to the vendor’s R&D center in China. Once you understand risks and baseline normal communications, you can create segmentation policies that give each device the access its role requires while limiting exposure.
  • Monitor admins, users and access – Always make sure that admin maintenance accounts are secured properly, and monitor users and access. As outlined in this blog, Ordr provides very robust tracking of users using AD/RADIUS and wireless integration, so you can monitor which user is accessing what devices at what time. We also monitor supervisory protocols SSH, Telnet, RDP, and can monitor access by corporate versus guest users.

Organizations should treat the rapid growth of connected devices (i.e., digital transformation) as an opportunity to start maintaining a continuous and accurate inventory, build a true understanding of how those devices communicate, automate alerts whenever a device or group of devices acts outside its baseline, and automate proper segmentation so that a compromised device cannot be used for lateral movement inside the network.


Background 

On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security teams released a blog post that disclosed multiple 0-day exploits that were being used to attack on-premises versions of Microsoft Exchange Server. The MSTIC team attributed the campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology and Tactics, Techniques, and Procedures (TTPs). If not already addressed, we would urge you, along with the Microsoft team, to update on-premises systems immediately. Currently, there are no reports of Exchange Online being affected.

The vulnerabilities exploited are:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Who is HAFNIUM? 

HAFNIUM primarily targets entities in the United States across a number of industry sectors which have included targets in legal, higher education, government, and even including infectious disease researchers, policy think tanks, and NGOs.

In the past, HAFNIUM compromised victims by exploiting vulnerabilities in internet-facing servers and has used legitimate open-source frameworks such as Covenant, a .NET command-and-control framework, for post-exploitation. Once they have gained access to a victim network, HAFNIUM typically exfiltrates data to file-sharing sites like MEGA, an end-to-end encrypted cloud storage and communication platform.

Impact Thus Far 

It has been reported that nearly 30,000 organizations, and as many as 250,000 individual users, have been impacted. And while Microsoft released a patch last week to close the flaws in its email software, patching does not remove the backdoors (web shells) attackers planted on servers compromised before the patch was applied, so those servers remain open to further attacks, including by other actors. These back channels for remote access are most likely to affect credit unions, town governments and small businesses. Microsoft has published resources for learning more and for patching.

The White House is calling this an “Active Threat” and the President is apparently assembling an emergency group of government agencies as part of a “whole of government” approach.

“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said. 

It is likely time to reconsider on-premises Exchange if you have it 

On-premises Exchange is difficult to manage and maintain from both an IT and a security perspective. Exchange is usually tied integrally into a network’s authentication sources and typically contains very sensitive data. Exchange offers several configuration options for interoperability with devices and services that need to communicate over email (usually using insecure or basic authentication), but it lacks the ability to properly secure these necessary configurations within Exchange itself and usually requires other security controls to do so.

From a cybersecurity perspective, on-premises Exchange is a nightmare because it is complicated, tied integrally into authentication sources like Active Directory, holds very sensitive information, and typically has a large internet-facing attack surface. Because of this, several research teams focus solely on finding exploitable vulnerabilities in Exchange.

One of the best things Microsoft did with Exchange was to begin hosting it in O365/Exchange Online and slowly remove support for insecure configurations. This forced organizations running Exchange internally either to migrate to Exchange Online and retire the legacy systems and services that are no longer supported because they required insecure configurations, or, unfortunately, to stick with on-premises Exchange and attempt to secure it properly themselves.

To drive the point home Microsoft themselves no longer run on-premises Exchange servers and have migrated the company to Exchange Online.

How Ordr Can Help 

Most organizations have moved to the cloud or at least a hybrid model, so we have found few on-premises Exchange servers among our customers. Where they do exist, Ordr detects them and alerts the proper workflow based on the CVEs that have been issued.


Internet of Things (IoT) devices are now in every aspect of the enterprise. As businesses grow, adding more and more devices to their networks, they face unique challenges in securing IoT. Frost & Sullivan, in their most recent report “Strategic Assessment of the IoT Security Market”, expect the number of IoT devices to grow from around 34 billion in 2020 to over 60 billion by 2025.

As IoT adoption increases, IoT security is becoming critical. Many IoT devices lack basic security features, cannot be easily patched, and run obsolete operating systems. The ideal scenario is to build security into these devices, which some states and the Federal government are advocating via legislation such as the California SB327 or the IoT Cybersecurity Improvement Act. But with billions of insecure IoT devices already deployed, organizations need cybersecurity solutions that can address IoT security today.

In this report, Frost and Sullivan also calls out the need for an IoT security solution that offers the following:

  • Network Monitoring: Network monitoring, or network detection and response, solutions that incorporate deep packet inspection can extract granular insights about devices. Combined with artificial intelligence (AI) and machine learning (ML), this can map and baseline every device’s communications.
  • Integrated IT, IoT, and OT Cybersecurity: As IT and IoT/OT networks converge, a multifunction platform that takes a “whole enterprise” approach becomes important.
  • IoT Risk Management: A solution that can identify risks and define anomalous behavior is important.
  • Network Segmentation: Segmentation is a best practice for protecting connected devices. Zero Trust segmentation ensures each device has the access its role requires while limiting everything else, and can be enforced on next-generation firewalls or in the network (switches, network access control).

In fact, these are the key building blocks of the Ordr platform – a whole organization approach to device security that combines DPI with AI to classify devices, profile risks and behavior and automate response including Zero Trust segmentation. Our capabilities include:

  • Device discovery: Within a few hours of deployment, Ordr discovers high-fidelity context on every connected device, including make, OS, location and application/port usage.
  • Device flow analytics and baselining: Ordr passively monitors network communications and creates a conversation map, called the Ordr Flow Genome, for every connected device.
  • Security response: Ordr automates device identification, uses AI to baseline normal communication behavior, and then translates that behavior into a device-specific security policy.
  • Detection of internal reconnaissance and lateral movement: Because Ordr holds a behavioral baseline for each device, reconnaissance and sniffing from a compromised device stand out as soon as a flow starts from that device to a destination it has never communicated with before.
  • Comprehensive device insights for businesses: Ordr sees a device the moment it becomes active on the network, records its operational activity and records the time it goes offline.
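The baselining, policy generation and out-of-baseline detection described in the list above, and the push of that policy to a FortiGate enforcement point described in the Fortinet integration section earlier on this page, are shown end to end in the following added example. It is not Ordr’s Flow Genome or Fortinet’s code. It assumes flows are summarised as (device, dst_ip, proto, dst_port) tuples and that each device’s own IP is known; the FortiOS CLI tables it renders (firewall address, firewall service custom, firewall policy) are the documented ones, but the object names, interface names and all flow data are constructed for the example.

```python
"""Learn a per-device flow baseline, render it as an allow-list segmentation
policy and flag flows that fall outside it.

Added example, not Ordr's Flow Genome or Fortinet's code. Assumes flows are
summarised as (device, dst_ip, proto, dst_port) tuples and that FortiGate is
the enforcement point. Object/interface names and flow data are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, str, int]    # (device, dst_ip, proto, dst_port)
Allowed = Tuple[str, str, int]      # (dst_ip, proto, dst_port)

# Constructed learning-period flows for a camera and an infusion pump.
BASELINE_FLOWS: List[Flow] = [
    ("cam-lobby-01", "10.0.5.10", "tcp", 554),   # RTSP to the video recorder
    ("cam-lobby-01", "10.0.5.10", "tcp", 554),
    ("cam-lobby-01", "10.0.0.53", "udp", 53),    # DNS
    ("cam-lobby-01", "10.0.0.123", "udp", 123),  # NTP
    ("pump-icu-07", "10.0.9.4", "tcp", 2575),    # HL7 to the integration engine
    ("pump-icu-07", "10.0.0.53", "udp", 53),
]
DEVICE_IPS = {"cam-lobby-01": "10.1.4.20", "pump-icu-07": "10.2.0.31"}  # assumed


def learn_baseline(flows: Iterable[Flow]) -> Dict[str, Set[Allowed]]:
    """Collapse observed flows into the (dst, proto, port) set each device used."""
    baseline: Dict[str, Set[Allowed]] = defaultdict(set)
    for device, dst, proto, port in flows:
        baseline[device].add((dst, proto.lower(), port))
    return dict(baseline)


def render_fortigate_policy(device: str, src_ip: str, allowed: Set[Allowed],
                            srcintf: str = "iot", dstintf: str = "core") -> str:
    """Render an allow-list for one device in FortiOS CLI syntax.

    One address object per destination, one service object per proto/port,
    one accept policy per baseline tuple, then a final deny so anything the
    device never did during learning is dropped. Names are assumptions.
    """
    dsts = sorted({dst for dst, _, _ in allowed})
    svcs = sorted({(proto, port) for _, proto, port in allowed})
    out = ["config firewall address", f'    edit "dev_{device}"',
           f"        set subnet {src_ip} 255.255.255.255", "    next"]
    for dst in dsts:
        out += [f'    edit "host_{dst}"', f"        set subnet {dst} 255.255.255.255", "    next"]
    out += ["end", "config firewall service custom"]
    for proto, port in svcs:
        out += [f'    edit "{proto}_{port}"', f"        set {proto}-portrange {port}", "    next"]
    out += ["end", "config firewall policy"]
    for dst, proto, port in sorted(allowed):
        out += ["    edit 0",  # 0 lets FortiOS assign the next free policy ID
                f'        set name "{device}_{proto}_{port}_to_{dst}"',
                f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
                f'        set srcaddr "dev_{device}"', f'        set dstaddr "host_{dst}"',
                f'        set service "{proto}_{port}"', "        set action accept",
                '        set schedule "always"', "    next"]
    out += ["    edit 0", f'        set name "{device}_deny_rest"',
            f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
            f'        set srcaddr "dev_{device}"', '        set dstaddr "all"',
            '        set service "ALL"', "        set action deny",
            '        set schedule "always"', "    next", "end"]
    return "\n".join(out)


def detect_violations(baseline: Dict[str, Set[Allowed]], flows: Iterable[Flow]) -> List[dict]:
    """Flag flows outside the baseline.

    A never-seen destination is the classic lateral-movement signal; a new
    service to a known host is weaker but still worth an alert.
    """
    alerts = []
    for device, dst, proto, port in flows:
        allowed = baseline.get(device)
        if allowed is None:
            alerts.append({"device": device, "reason": "no baseline"})
        elif (dst, proto.lower(), port) in allowed:
            continue
        elif dst not in {d for d, _, _ in allowed}:
            alerts.append({"device": device, "reason": f"new destination {dst}"})
        else:
            alerts.append({"device": device, "reason": f"new service {proto}/{port} to {dst}"})
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    print(render_fortigate_policy("cam-lobby-01", DEVICE_IPS["cam-lobby-01"], baseline["cam-lobby-01"]))
    for alert in detect_violations(baseline, [("cam-lobby-01", "10.0.9.4", "tcp", 445)]):
        print(alert)
```

The design point worth noting is the explicit final deny: an allow-list derived from a learning period is only a segmentation control if everything outside it is blocked, and the same baseline that produced the allow rules is what makes a camera suddenly speaking SMB to a host it has never contacted stand out as a violation rather than noise.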

To learn more about Ordr’s IoT security solutions, please visit www.ordr.net. For the full report, click here.