Today Ordr announced our Series C funding; another injection of capital that allows us to continue investing in our company and build it to last. On this occasion, I can’t help but look back and reflect on a journey that began in 2015 when Sheausong Yang and I–the founding team–had a vision to build a security platform that would give organizations the ability to see and secure every connected device in their network.

Our idea was new then, and it wasn’t easy getting people to understand the problem at first. Even as organizations were increasingly adding unmanaged connected devices to enterprise IT environments, there was confusion over what was classified as internet of things (IoT) or operational technology (OT). Many organizations we encountered thought we were talking about consumer technologies, like then-new smart speakers, and not the millions of medical devices, industrial controls, building management systems, and other equipment like surveillance cameras, phones, printers and vending machines that were often connecting simultaneously to enterprise networks and the public internet.

The Entrepreneur’s Dream

Because an entrepreneur’s journey is hard, often with ups and downs, it’s important to find partners who believe in the vision, the team, and are willing to give the support needed to work things out and solve big problems. We were fortunate to find such a believer in Peter Wagner, founding partner at Wing Venture Capital. Peter believed in the Ordr founding team and our ability to design the right solution to the problem. We also trusted Peter as a partner in our journey. Dominic Orr, former president of Aruba Networks; Pankaj Patel, former executive vice president and chief development officer at Cisco Systems; Dan Warmenhoven, former CEO of NetApp; and Prakash Bhalerao, veteran chief executive and angel investor also became believers in our vision and invested in our seed round as well.

What was not well-known when we started, but something that Peter, Dominic, Pankaj, Dan, and Prakash grasped, was how difficult it was to discover and secure IoT devices in enterprise environments. In fact, it was nearly impossible. These devices were often connected and unmanaged, operating outside the view of IT management and security tools, and given the proliferation rate at which they were connecting, the problem was getting worse. A specialized security solution was needed, and so we set out to build one. At the same time, the industry needed education about the unique threats to connected devices, and we were competing for attention in the cybersecurity space with hundreds of companies, each claiming to have something new and better, even if only a few really did.

A Foundation of Data

Every strong structure starts with a solid foundation. Our approach to connected device security would be built on data and analytics: specifically, building a massive data lake populated with the details of as many device types as possible, and using behavioral analytics to build security models for each. Achieving our vision required studying breaches to understand their characteristics and communication patterns, and continuously comparing what we learned with the typical behavior of every single device in the network. Employing behavioral analytics was the only way to monitor complex communication patterns and adapt to the ever-changing strategies of threat actors.

Artificial intelligence (AI) and machine learning (ML) require massive amounts of data to solve hard problems. Rather than rely on second-order metadata, the Ordr Data Lake would be populated with accurate, correlated device details collected directly from the source. This was no easy task. You need to have grit, and shortcuts taken at this stage will haunt you throughout the lifetime of the product. We knew once we had the data we could harness it to solve hard problems, take on the challenges ahead, and build a platform for connected device security.

Fast forward to 2022 and the Ordr Data Lake has millions of device profiles; a number that grows as new devices are released and connected to environments across the globe. To enrich our data lake with new details and insights, we do a full, real-time packet capture across our customers’ environments to feed our platform with an accurate and continuous input of every connection, every flow, and every change. Analysis of that data is real-time too. It has to be. When someone asks for the current weather, it does no good to give the temperature from earlier in the day. Real-time analysis is critical in security and provides a precise assessment so accurate decisions can be made. In security, the game is rapid detection and remediation; guesswork is unacceptable.

Innovative Approaches to Problem Solving

Other key innovations have been part of the evolution of our platform. Data correlation, normalization, compression and organization are critical to storing and harnessing the massive amounts of data we collect and analyze without requiring hundreds of servers and zettabytes of disk storage. For those who are counting, one zettabyte is one billion terabytes. Thanks to our intelligent data compression, we can secure an entire large-scale hospital with just a few servers as our analytics backend. For context, the average hospital maintains an inventory of more than 100,000 total devices, of which at least 10-15 thousand are in clinical care as internet of medical things (IoMT) devices, as well as IoT and OT associated with administration, communications, facilities management, and other essential functions–not to mention all the stranger things that find their way onto enterprise networks.

Behavior-based identity analytics is another key innovation for Ordr, and is used to establish multifactor authentication on agentless, unmanaged devices. Factors such as a device’s OS vulnerabilities, its communication patterns across the enterprise, its communication patterns to external sites, and the reputation score of destination sites are triangulated and analyzed to minimize false positives and ensure a high level of confidence when unique indicators of compromise (IOC) are identified.

Countless hours of hard work, determination, and creativity were behind the effort that turned our vision into a proof-of-concept, and then, a working product. From that point, our vision, the strength of our team, and the potential of our technology helped us secure Series A funding, led by Alex Doll of Ten Eleven Ventures and joined by Unusual Ventures. With Series A we were able to build our team, establish our brand, and go to market. After Series B, led by Dharmesh Thakkar of Battery Ventures, and with investments from Kaiser Permanente Ventures and Mayo Clinic, Ordr was established as a force in healthcare and positioned for expansion into other verticals, like manufacturing, financial services, smart cities, and government. At this point, we began expanding into visibility and security for every connected device. To secure any device, you need visibility into every device in the network.

Flexibility in the Face of the Unexpected

When the pandemic struck in early 2020, the strength, resilience, and flexibility of our company were put to the test. The growth of nearly every organization was impacted at this time, but our healthcare customers in particular faced tremendous challenges. We stepped up to explore new ways to deliver value with our platform. Leveraging our core discovery and analytics capabilities, our customers found value in the ability to locate existing device inventory and understand real-time device utilization.

As an example, the Ordr platform enabled customers to keep track of critical devices such as ventilators, ensuring they were deployed to maximal efficiency to deal with the surge of COVID patients. Not only did the Ordr platform keep hospitals safe during this time, it also helped them run efficiently, ensuring they could continue to deliver critical healthcare services. That built goodwill and, when the pandemic eased, our customers adopted our platform enterprise-wide and recommended us to their peers in the industry. It was a key moment for the growth of our business.

Building an Unrivaled Franchise

As the world slowly returns to some semblance of normalcy, our Series C funding sets us up for our next phase of expansion on our journey to build an unrivaled security franchise. The Ordr Data Lake is growing rapidly, and now includes millions of device profiles, helping us to discover, identify, and classify every device in a customer’s environment with accurate, granular detail.

Within minutes of deploying Ordr in an environment, the data we analyze populates our UI with every connected device discovered, classifying each by manufacturer and model. Each device includes a picture for easy identification, along with a detailed description of attributes that include the device’s OS, vulnerabilities, connectivity details, flow data, applications installed, and logged users. Visualization in our platform is world-class and gets raves from our customers thanks to the tremendous “design thinking” effort we put into our UI/UX to achieve excellent aesthetics in support of usability.

On top of that, we add data and insights from a wide variety of enterprise tools to enrich our analysis. With more than 70 integrations, our data lake quickly provides accurate context for the operational status, as well as security posture, of every device in an organization.

Fast, Accurate, Dynamic, Automatic

Another critical strength of the Ordr platform is its ability to identify and respond to active attacks, including zero-day threats, and enable teams to stop them quickly with automation and orchestration. Detecting “zero-day” attacks requires behavioral baselines, which must be established within minutes, to identify unique, malicious, abnormal behaviors. Since most connected devices operate within narrow behavioral parameters, our extensive data lake allows us to detect IOCs with a high degree of speed and accuracy.

Once malicious activity is identified, we leverage our deep knowledge of each device and its exact connectivity under normal operations to dynamically generate zero trust policies to isolate any misbehaving, potentially compromised device. These policies can be reviewed by security teams and, with a single click in our UI, policies are enforced with existing security and network infrastructure. With Ordr, response times are reduced from hours or days down to minutes to stop the spread of an attack. No other connected device security solution provides a complete map of all the devices, their connectivity in the enterprise, and their flow level context in real time, 24×7. We achieved this by building interfaces with every single network infrastructure vendor out there–a daunting task indeed.

The Next Chapter

From the start, our mission has been to help organizations see, know, and secure every connected device everywhere. We continue to innovate to deliver on that mission and provide our customers and partners with the most accurate, complete, and easy-to-consume device knowledge base on the planet, with meticulous device classifying, profiling, and cataloging.

What’s more, all of our data is available to partners through open APIs. In fact, Ordr is the only platform that has complete device intelligence that includes network and flow-level context with deep accuracy. Today, Ordr is well-positioned to be the supplier of choice of device intelligence to evolving Open XDR frameworks, providing open-source data to enable the correlation of information and delivery of the best possible service to the customers.

There are many more innovations and opportunities ahead for Ordr. With our world-class investors, dynamic board of directors, experienced management team, and passionate employees, we look ahead with laser focus to meeting the needs of our customers and helping them see, know, and secure every connected device that is critical to their business. Stay tuned, we’re off to write the industry’s next chapter on connected device security–and beyond.


A little background on why I’ve agreed to do this guest Q&A blog for Ordr:

In my role as CTO at CDW Healthcare, I talk to former healthcare peers, in an advisory capacity, to help them protect patient safety and resources with the best cybersecurity technology solutions. Prior to joining CDW, I was CIO of Halifax Health, where we deployed Ordr for our medical device security needs.

I’ve been at CDW for slightly more than two years, after more than two decades in the healthcare trenches, most recently as the former CIO of Halifax Health. I decided on a different role at CDW to bring best practices and cybersecurity technologies to my CIO colleagues who are on the forefront of fighting the cyber war. If the healthcare industry could more effectively collaborate and share security expertise to mitigate cyber-attacks, we would stand a much better chance against the cyberattacker army working together against us every day!

What is your primary goal as the CTO of CDW Healthcare Division?

To bring awareness to our healthcare customers on the importance of bringing modern IT tools into healthcare organizations to optimize patient safety and hospital resources. With Ordr’s cybersecurity solution there are many ways network visibility helps hospitals: beyond ransomware, of course, there is also what’s happening with device utilization, what’s happening with compliance and what’s being communicated externally. There are several important use cases we want to advise our customers about to develop a proactive plan before something bad happens.

Why is IoT and connected device monitoring and enforcement so unique for hospitals?

There’s a problem with biomed devices and it’s not going away. There will always be biomed devices that have outdated and unsupported operating systems. In the beginning, when first purchased, they were of course running mainstream and perhaps even state of the art operating systems, but now these operating systems are no longer supported by the manufacturers. As a result, O/S patches are no longer available to address vulnerabilities, even though these devices are still within their useful lifecycle and are still viable, delivering strategic care for patients and revenue to healthcare organizations.

Why weren’t patches performed on outdated operating systems on biomed devices?

Unfortunately, this is due to the biomedical industry. As a medical device design engineer for ten years, I may have helped cause the problem, although we thought it made sense the way we did it back then. We would buy an off-the-shelf computer and put it in a cabinet or a device we were creating, and it would run it. The computer we installed ran whatever the latest operating system was at the time. The issue back then was that, per the FDA 510(k) rules for class two and three medical devices, once the device was tested it could never be altered. This included the operating system on the off-the-shelf computer. So, the manufacturers never changed them or patched the OS because they could not!

Can you patch today?

In 2016, the FDA reversed their guidelines and said you can patch devices now because it is important to upgrade operating systems. But it was a guideline, it was not a mandate. Because it was a guideline and because it is hard for biomedical manufacturing companies to transition to have a global patch program for all the devices they sell, they do not do it. And they do not want to release the product to an IT team to open it up and obviously, upgrade the operating system or patch it due to inherent risk on their part, because it might make their system not work properly.

Bottom line, the problem is going to persist because biomed devices will continue to outlast the useful life of their operating systems and CFOs do not want to replace a $4M imaging device that makes the hospital money every day only because it has a security vulnerability.

If you don’t patch, what can CISOs and security leaders do?

They are stuck, because now they have a known vulnerability in their system, and they must do something about it. This is the reason I was introduced to Ordr.

How did you select Ordr for addressing the patching issue?

Our first step was to do a POC (proof of concept) by my IT security team. A few weeks later, my network and security team had a meeting with IT leadership to show the results of the POC. We were all blown away. I’ll never forget that moment because everyone was happy, even joyous, which doesn’t normally happen with software in general.

To get the security and network team to completely agree on something was amazing, because normally, they have a little contention just due to their job functions where one wants data to flow, and the other one wants to control data.

Once deployed, did you meet your objective?

I was amazed. Ordr worked and it worked well. We purchased Ordr originally because I knew I had a problem with older biomed devices running Windows XP. Before Ordr, our vulnerability scans would find them, but then they would disappear because of the dynamic nature of how they connected to the network. And if we didn’t find them that very minute and physically locate them, we would lose sight of them. It was a real problem. We could not see and didn’t know our full landscape. And that is scary, because to me, one of the major tenets of cyber security is to understand your landscape. And that includes all devices connected to your network and their patch status. Are they patched? Or are they unsupported? It is not just your IT devices, it is anything that is connected to your network. As you know, in the last five years, that’s grown greatly with so many other things connecting now, and you still have these legacy biomed devices that are out there too.

How did you manage all the outdated and unsupported biomed devices you found?

When we fully deployed Ordr, we noticed a couple of things right away. First, we not only found all the biomed devices, but we also now had an inventory of them. And we were able to understand what operating systems they were running and could have a plan of what to do about it. At that time, we had three choices.

  1. Replace the device. But again, financially that might not be viable.
  2. Get the manufacturer to patch it, or to upgrade the operating system so it was no longer vulnerable.
  3. Bury it with micro-segmentation. Through micro-segments, you have controls around it from the internal firewall. Even though we have controls, you still need to monitor it, and we used Ordr.

When I would talk to people, they understood Splunk monitors user behavior. Ordr monitors device behavior. I can now set upper or lower limits on the device itself. And if Ordr detects something odd, we can be alerted.

What was the next step to managing these vulnerable devices?

The roadmap was moving more towards enforcement and that sat well with me. The reason why is that hackers do not attack during the day, they tend to attack at night and on weekends. At those times, depending on what hospital you’re at, you might be relying on a managed Security Operations Center (SOC), which is pretty good. Or you might be relying on your on-call staff to fight any cyber problems in the middle of the night. And there’s latency in that. If the hacker somehow gets in and gets to an XP device, it takes about 20 minutes for them to own that device. If there are any servers connected to that kind of device, then they have the opportunity to own the network. Now the world turns bad quickly. To have a system that has a deep understanding of proper network communication related to strategic IoMT devices and can monitor those devices 24/7 and alert us when something is wrong, is great.

Next, if I could actually enforce policy, or at least send API commands from Ordr to change the policy in my firewall or my NAC, these devices could shut down communication at 3 am in milliseconds. This is much better than the time it would take the team to figure out what the problem was, based on calls to the service. IoT and connected device security enforcement can stop a virus from propagating.

What else could you do now with full visibility of your network landscape?

Device utilization is a big deal. Ordr creates custom views per departmental stakeholders. For example, the Biomed and/or Operations team could go into their Ordr view and just look at medical device utilization. Their view doesn’t allow them to see the other aspects of cyber or network information Ordr was capturing.

I like to tell the story that if a clinician wants another ultrasound device in your hospital, but your ultrasound fleet is only being utilized 30% of the time, you do not need another ultrasound, you need to improve your processes to get better utilization of your devices. And when you do this, you save money by not buying another device while improving your processes. And so that is valuable.

For some devices, Ordr was monitoring down to the battery life level. Since we all know batteries go bad, to have an alert to the Clinical Engineering team for low batteries on biomed devices is cool and important.

The next important outcome we gained is forensic device data. Ordr collects all device data in the cloud. When we had a potential security incident, we called the security team. The team used Ordr to determine what device was bad and to see who it was talking to and how it was talking, to see if it was doing things that it should not do. We always used Ordr during any security incident as part of our incident response toolbox. And it worked well. And even the network team liked it because Ordr does an incredibly good job of showing how everything communicates, what it is trying to communicate and what is being blocked from communication.

To sum it up, first and foremost the outdated and unsupported biomed devices are a problem that is not going away, ever! Operating systems only have a life for so long, so you need something to address the issue. With Ordr though, you get more use cases including device utilization management, forensic data and the network team gets to see how things are communicating, outside of their regular forensic toolbox. So that’s why I like Ordr.

Please contact me if you’d like to learn more or to share stories that could benefit all of us in addressing outdated medical devices and cybersecurity resiliency in healthcare.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued two security advisories highlighting vulnerabilities associated with connected devices made by medical technology firm Becton, Dickinson & Co. (BD). The advisories follow disclosures BD made to CISA, and describe security flaws in the company’s Pyxis and Synapsys product lines.

Among the vulnerabilities described in the advisories are the use of default and shared credentials in the Pyxis products and “insufficient” session expiration for the Synapsys informatics platform. Both flaws could leave the devices vulnerable to exploitation by threat actors who could then gain access to sensitive patient protected health information (PHI) or even affect the delivery of correct treatment.

Device Vulnerabilities Put Network and Patient Safety at Risk

The disclosure of these security flaws by BD, and the subsequent advisories issued by CISA, underscore the risk to both network and patient security when vulnerable internet of medical things (IoMT) devices are deployed within healthcare environments. Even when such devices must remain in service and cannot be patched, allowing them to continue operation without taking steps to mitigate their associated risks should be regarded as a dereliction of duty.

In this current case, BD recommends a number of steps to close the now-known security gaps, including:

  • Limit physical access to only authorized personnel;

  • Tightly control management of system passwords provided to authorized users;

  • Monitor and log network traffic attempting to reach the affected products for suspicious activity;

  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed; and,

  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

From an IT and security operations standpoint, these steps may be difficult for hospitals and other healthcare delivery organizations (HDOs), especially in larger organizations with no means for effecting proper asset management. This leaves questions like: Does my organization have these devices in inventory and where are they located? What software versions are installed? Are they in use and unable to be taken out of service?

Ordr can answer these questions and easily address the recommendations by BD above.

See, Know, Secure, Every Connected Device

Our See, Know, Secure approach to connected device security means our customers can find and identify all the BD connected assets—as well as other connected devices operating in the network—within minutes of deployment. Once Ordr has discovered the devices and identified their specific make, model, and other operational data, the BD products impacted by these vulnerabilities can be monitored for any anomalous behavior that could be an indicator of compromise (IOC).

Ordr can identify which BD devices are being accessed by which user, and track which users were logged into a specific device, at what time, duration and more.

Ordr also enables security teams to proactively segment the impacted BD devices, and to set Zero Trust security policies specific to each. In the event that a device is compromised and we detect anomalies such as a suspicious communications pattern or other operations outside of defined parameters, our segmentation policies limit an attack’s potential “blast radius” by isolating affected devices and network segments, allowing security teams to take mitigating actions within minutes of a breach.

Ordr Can Help Secure Your Devices and Environment

With studies suggesting that as many as three-quarters of all connected medical devices currently in service contain at least one security vulnerability, and that half may contain two or more, it is critically important for hospitals and HDOs to do what is necessary to gain the upper hand on connected device inventory, management, and security. For more information about how Ordr can assist in this endeavor, please visit our site to learn more about our security platform, or contact us with questions specific to your organization’s situation.


Ordr just announced the closing of our Series C round of investments, raising an additional $40 million to support our growth and continuing R&D in the realm of securing internet-connected devices for the organizations that rely on them. Investors in the round include ongoing commitments from all our prior investors, including Battery Ventures, Ten Eleven Ventures, Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. We are delighted to add Northgate Capital as an Ordr investor and to have the support of industry leaders and notable Silicon Valley entrepreneurs René Bonvanie, former Chief Marketing Officer of Palo Alto Networks; Dan Warmenhoven, former Chairman and CEO of NetApp; and Dominic Orr, former Chairman and CEO of Aruba Networks.

Since Ordr’s founding in 2015, our company has attracted more than $90 million in total investments. On behalf of the Ordr team, I want to thank all our investors for this strong vote of confidence in the organization and in our vision for the future of cybersecurity. While many companies have been sold or exited this market early, this funding gives us the ability to build a strong, stand-alone technology leader that will be here for our customers for years to come. I must also offer our gratitude to the hundreds of customers and partners who have trusted Ordr to protect their connected devices, patients, and businesses. We are inspired every day by your commitment and dedication to your mission. Your passion and input have made us a better company and today’s announcement would not be possible without you.

Finally, I want to recognize the tremendous Ordr team, from our founders, Pandian Gnanaprakasam and Sheausong Yang, to the amazing new colleagues who have joined us recently. This milestone reflects your passion, your empathy for our customers, and your dedication and confidence in our mission.

Our Vision, Our Journey

When we began our journey, it was estimated that there were about 3.5 billion internet of things (IoT) devices connected to public networks. Improvements and innovations in processing and network communications, artificial intelligence and machine learning, and automation presaged rapid growth for the technology. Today there are more than 35 billion connected devices in service, and projections suggest more than 75 billion will be deployed by 2025—more than twenty times the number when we started.

Every one of those devices is a potential attack vector, expanding the need for what Gartner now calls “cyber asset attack surface management,” or CAASM. Threat actors are adept at taking advantage of device vulnerabilities to gain a network foothold from which they can move laterally to disrupt operations and execute attacks. Their targets are often organizations in critical infrastructure industries like healthcare, manufacturing, energy, and government where there has been heavy adoption of IoT devices, including the internet of medical things (IoMT) and operational technologies (OT). In fact, Ordr is one of the few security vendors that address a myriad of security and device management use cases across Gartner-defined market categories ranging from medical device security and OT security, to CAASM, and network detection and response (NDR).

IoT Security as a Business Imperative, Strategic Priority

Securing the vast constellation of connected devices is not only a business imperative, but it has been recognized as having strategic importance for national security here in the U.S. and abroad. The Ordr platform is a vital component to achieving a Zero Trust security posture as recommended to protect economic interests. Meeting the security needs of critical infrastructure and other industries, like financial services, retail, education, and biopharma research, where connected device adoption is building momentum, requires a tool like Ordr that is designed to address conditions unique to connected devices. Ordr’s “See. Know. Secure.” approach to connected device security finds devices wherever they are in the network, identifies each device and learns its operating pattern, then automatically applies and executes appropriate security policies to ensure that each device remains protected.

And Ordr’s approach to connected device security works. That’s why the Ordr platform enjoys wide adoption across critical infrastructure industries where we help protect three of the world’s six largest healthcare organizations, and are the connected device security tool-of-choice for more than 150 manufacturing sites. Ordr customers span the full spectrum of industry, and our technology’s excellence has driven a 140% increase in year-over-year new customer growth in our most recent quarter, ending March 31, 2022.

Looking to the Future of Connected Device Security

As we look to the future to further develop our product, attack the market, and execute against our business plan and goal of achieving continuous improvement in all aspects of our operations, we’re proud to have attracted such strong partners: investors in our success who have a stellar track record working with companies in hyper-growth and who bring strong domain expertise to our leadership team. We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer’s security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market.

It is my privilege to serve as Ordr’s CEO and to play a role in an exciting future for the company, and I am humbled to be surrounded by a team of professionals committed to our success and the security of our customers. If you want to be a part of that future, please check out our Careers page for opportunities to join the team. If you are a CISO, CIO, or other tech leader who recognizes that your company’s investments in connected devices are leaving you vulnerable, take a look at our technology and then reach out for more information or a demonstration. We’d love to hear from you.