Ordr Announces Integration with ServiceNow Vulnerability Response Read more here!

Ordr

Request a Demo Search

Author: Wes Wright

I just joined Ordr as Chief Healthcare Officer and, as is often the case in life, there’s a story, personal and professional, behind my new adventure here. 

A little more than seven years ago, while I was CTO at Sutter Health, a friend from my days as CIO at Seattle Children’s Hospital called and told me about a technology he really wanted to get my opinion on. It was an innovative new product aimed at keeping connected devices secure—a growing problem for healthcare environments. Since I was just a few hours from Silicon Valley, I drove out to find out more. 

That’s when I met Gnanaprakasam Pandian, one of Ordr’s co-founders. Pandian proceeded to show me v1 of Ordr and I was floored. In more than 20 years in healthcare IT and security, I had never, ever, been able to get complete visibility on everything that was on any of the networks I managed. And from conversations with my colleagues and peers I knew I was not alone; nobody could. 

Sure, I could see all my PCs, printers, routers, switches and other traditional IT and back-office gear; I could even manage them fairly efficiently with the right set of tools, but my vulnerability scanners kept reminding me that there were things connected to my network that were just out of view. Yes, I might have a MAC or IP address, but no clear understanding of what the associated device was, where it was, or how it was behaving. That’s the kind of stuff that keeps a CIO or CISO up at night. 

My network managers had told me not to worry about it. They would try to assuage my fears by telling me those unknown configuration items were probably just biomedical devices, not real IT equipment. Yes, they were operating on the network, but they were someone else’s problem. Their advice was meant to reassure me, but I couldn’t shake the feeling of dread. 

Ordr Visibility and Security Capabilities

I described my experience with Pandian, and he showed me that, with the Ordr platform, he could tell me exactly what devices all those MAC and IP addresses were assigned to. Not only that, but Ordr could also tell me if any of those devices had associated ECRI notices, vulnerabilities, recalls, and other insights invaluable to understanding a hospital’s security posture. The visibility alone would have been enough to give me the confidence to get a full night’s sleep, but the depth and device intelligence Ordr provided was invaluable to a CISO. 

Then Pandian showed me how Ordr could learn and establish a baseline for all these devices– establishing what is “normal behavior”, and then automatically generating VLAN, ACL, and Firewall policies for network and security engineers to review and execute. This functionality delivered “Zero Trust policies” — enabling only the normal communications required for its function–and was thanks to the machine learning (ML) artificial intelligence (AI) that Ordr’s other founder, Sheausong Yang, brought to the platform. And because it is ML driven, Ordr has been learning about device behavior for a long time and has a precise understanding of what constitutes abnormal activity—and what to do about it. 

As impressed as I was at the demonstration, it was still a demonstration. And while I am not from Missouri, I am fond of the state’s motto: “Show Me”. So, I asked Pandian if he would be willing to bring Ordr to my organization’s operational environment. I wanted to see how the platform would perform with my stuff, and, oh boy, did it ever perform. I was amazed at the level of device intelligence I was getting out of Ordr, and I wasn’t the only one. I had my security team with me, and their faces lit up. 

Seven Years Later

That was seven years ago. Today, with 61 million individual device profiles (with 1000 attributes each) now populating the Ordr Data Lake, it is now the leading asset visibility and security platform used by healthcare organizations everywhere.  

Because of that experience, Sutter engaged Ordr for a trial and we began putting the platform through its paces and working with the company’s engineers. Alas, I left Sutter to take on the CTO role at Imprivata, and did not get through the PoV process before I left. Pandian and I had discussed the possibility of joining Ordr then, but the timing wasn’t quite right. I did join the company’s advisory board, however. As it turns out, that was the best scenario for both parties. 

While I had extensive experience as a healthcare CIO and CTO, Ordr is much more than just a healthcare security platform and I don’t think I would have been able to do what the company needed at that point in its growth. In fact, I remember one of my first meetings “on the vendor side” listening to people talk about TAM, SAM, and SOM. I made a mental note thinking, “I’d better meet these people. They seem important!” 

Today, I think I’m much better prepared to work with my friends and colleagues in the healthcare field and to use those conversations to help Ordr continue to evolve its market leading device security platform. That’s why I decided to join the Ordr team now.  

I am eager and excited for this next chapter to unfold, and I hope that it involves you. 

 

Gartner analysts have been busy publishing several Hype Cycles recently. If you’re not familiar with the Gartner Hype Cycle, it is a graphic representation of the maturity lifecycle of new technologies, and there are several key reports to help security leaders with their strategy and investments.  We are thrilled to be included as a representative vendor for Cyber Asset Attack Surface Management (CAASM) category in three Gartner Hype Cycles:

Gartner Hype Cycle - Security Operations

Figure 1: Gartner Hype Cycle for Security Operations, 2023

 

What is Cyber Asset and Attack Surface Management (CAASM)?

As described by Gartner, “Cyber Asset Attack Surface Management (CAASM) is an emerging technology that is focused on presenting a unified view of cyber assets to an IT and security team. These assets can serve as an attack vector for unauthorized users to gain access to a system to steal information or launch a cyber attack. In order to detect assets containing outdated software, misconfigurations, and other vulnerabilities, CAASM tools use API integrations to connect with existing data sources of the organization. These tools then continuously monitor and analyze detected vulnerabilities to drill down the most critical threats to the business and prioritize necessary remediation and mitigation actions for improved cyber security.”

In Ordr deployments, we don’t just aggregate data via API. We also perform deep packet inspection of network traffic, NetFlow and cloud-to-cloud integration such as Cisco Meraki to discover and classify assets.

Use Cases for Cyber Asset and Attack Surface Management

There are a number of use cases for cyber asset and attack surface management for security teams:

  • Asset management – provide granular visibility across all IT, Internet of Things (IoT) and operational technology (OT) assets, including detailed information about device type, manufacturer, OS version, vulnerabilities.
  • Compliance assessment – during an audit, the process to provide details of assets, and the software, antivirus or applications that are running on them, can be very cumbersome if done manually. CAASM can simplify this process
  • Security gaps – identify security gaps across the network, for example, assets that should have a security endpoint agent but do not or assets that are running outdated operating systems.
  • IT governance – identify shadow IT devices or assets that should not be on the network, such as gaming devices. Ordr goes a step further and can compare what assets we see on the network versus what is actually in the CMDB or vice versa. We can also identify devices that we discover on the network or are missing on the network in the last 24 hours.
  • Vulnerability management – identify vulnerabilities associated with assets. Most CAASMs only ingest vulnerabilities from various source systems and overlay them with asset details. Ordr goes further. Because most IoT and OT devices are typically not scanned for vulnerabilities, we also provide vulnerability details on these devices, without impacting the operations of these devices. Ordr can also discover and profile a new device on the network, and trigger appropriate scanning from vulnerability management tools.

These use cases are all fundamental CAASM use cases. But, they are just scratching the surface of what’s possible with Ordr. Because Ordr also maps communications flows for every asset, we can also support the following use cases:

  • Baseline flows – the ability to baseline normal communications patterns for every device is critical to identify malicious and anomalous traffic. This can include devices communicating to the Internet, manufacturing or medical devices in the guest VLAN, or devices that are communicating to a malicious command and control domain.
  • Bidirectional integrations – Any asset details that we aggregate and correlate is shared with more than 80 networking and security integrations. For example, granular asset and vulnerability details can be shared with CMMS, CMDB, SIEM and traditional vulnerability management solutions like Rapid7, Qualys and Tenable. This ensures a consistent source of truth on all assets and risks across the entire organization.
  • Automated policies – Finally, with Ordr, because we have details on assets, connectivity and communications flows, we can dynamically generate proactive Zero Trust segmentation policies to secure devices (to allow only sanctioned, normal communications) or dynamically generate reactive policies to block ports, terminate sessions or move devices to different VLANs during an incident.

Check out a recent Demo Forum panel hosted by Richard Stiennon on Cyber Asset and Attack Surface Management. Ordr’s own Jeremy Haltom participated, and summarizes our value proposition.

Figure 2: Demo Forum panel on CAASM

In summary, there are many benefits to CAASM, primarily with optimizing resources via  automated inventory of what’s on the network. Additionally, with the granular details on risks for every device, organizations can reduce their attack surface, improve operational efficiencies, and streamline compliance assessments. Ordr extends these benefits to even more comprehensive security capabilities, and actionable policies on existing infrastructure that can accelerate incident response by hours.

For more information on the Ordr platform, please reach out to us at info@ordr.net.

 

The 2023 Verizon Data Breach Investigations Report is out. Like most folks in the cybersecurity industry, we downloaded it and pored over the contents to see what was new and relevant and surprising. As always, there’s a lot of data that quantifies the issues we see everyday: ransomware attacks, social engineering, underlying factors, threat types, etc. For example, the summary of findings identified external actors as the top threat involved in 83% of breaches; said that human error plays a role in 74% of all breaches; and reported that 24% of attacks involve ransomware; and broke down credential theft, phishing, and exploitation of vulnerabilities as the three primary means of attack.

Digging Deeper

Then we gravitated toward findings specific to the industries that Ordr is focused on and that have embraced our technology as a part of their cybersecurity strategies.

  • In financial services and insurance, we learned that “basic web application attacks, miscellaneous errors, and system intrusion represent 77% of breaches,” and that financial gain was the motive in 97% of attacks on the industry.
  • In healthcare we learned that “system intrusion, basic web application attacks, and miscellaneous errors represent 68% of breaches,” and that financial gain was the motive in 98% of attacks on the industry.
  • In manufacturing we learned that “system intrusion, social engineering, [and] basic web application attacks represent 83% of breaches,” and that financial gain was the motive in 96% of attacks on the industry.

Similar results were reported down the line in accommodation and food services, education services, government, IT and so on. Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help. Each data point illuminates and confirms issues we all intuitively recognize as true.

“Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help.”

Then we started looking deeper. Our focus at Ordr is on protecting enterprises by securing the growing number of connected devices at work in enterprises across the globe, in every industry. These include categories like the Internet of Things (IoT), Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), Operational Technology (OT), and the many devices connecting to networks to perform new and exciting tasks in a variety of niche roles (XIoT).

A Threat to Health and Safety

The risks that unsecured devices present to the organizations that own them are well known, and the implications of attacks affecting them are troubling. In healthcare, for example, attacks may have financial motives, as the VDBIR says. But recent research by the Ponemon Institute found that cyberattacks on hospitals correlated to an increase in negative outcomes for patients in 57% of hospitals affected due to delays in performing needed tests and procedures. The problem is so severe that hospitals with no means of protecting the medical devices integral to the delivery of patient care are training staff in “code dark” response, which is the physical unplugging and disconnecting of at-risk systems.

The problem is so severe that hospitals with no means of protecting the medical devices are training staff in ‘code dark‘ response, which is the physical unplugging and disconnecting of at-risk systems.

The dangers associated with vulnerable IoT, IoMT, and OT devices, and the risks they pose to not only critical infrastructure but financial services, manufacturing, and smart cities, are so concerning to our economic and physical security that connected devices are a part of the White House’s National Cybersecurity Strategy, called out in “Strategic Objective 3.2: Drive the Development of Secure IoT Devices.” The FDA has also issued a mandate to ensure new devices entering the market are built to be secure. And over in the UK connected device security is called out as part of that country’s new National Health Services cybersecurity strategy.

Despite the real and troubling issues associated with IoT security, there is no mention of them in the 2023 VDBIR. And OT security is dismissed with the explanation that “we continue to see [a] very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure,” in contrast to the volume of attacks on traditional IT systems.

Vector, Path, or Target

It is worth pointing out that even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination. It could also be that, because the VDBIR takes a broad and high-level view of the data they collect, the presence of IoT in the report is simply buried in the data. Or maybe it is not known that connected devices are involved. Our analysis following the discovery of devices connected and operating on customer networks shows that as many as 15% of those devices were unknown to IT security and management prior to deployment of Ordr. You can’t secure what you can’t see, and so an attack in which an unknown, vulnerable, and unsecured connected device was the primary vector would also be invisible to security analysts.

More likely is that attacks involving IoT, IoMT, or OT devices are probably too granular a detail to be called out specifically in any report based on broad security analysis. But that doesn’t mean the risk isn’t real, and that the potential effects of an attack involving connected devices are not dire. They are, and that is why we built the Ordr platform to see, know, and secure every device in any network.

There has been a lot of confusion about the future of cyber insurance following recent statements by market makers Lloyd’s of London and Zurich Insurance Group. In late 2022, Lloyd’s informed underwriters in its syndicate that they would be required to explicitly exclude coverage for damages related to state sponsored cyberattacks. More recently Zurich CEO Mario Greco told the Financial Times, “What will become uninsurable is going to be cyber,” adding that if a threat actor “takes control of vital parts of our infrastructure” the results may be uninsurable.

Those statements, coupled with well publicized policy price increases for 2023 that are as much as three times higher than what many customers paid the year before, have fueled concerns that cyber insurance coverage may be unavailable in the near future and that many underwriters may simply get out of the business. In many ways what we are seeing is the maturation of what remains a relatively new market trying to find its footing in a dynamic threat and risk landscape. Because of that, questions and confusion are rampant, and rational answers from seasoned experts are needed. That is why Ordr recently convened the Cybertrends and the Impact on Cyberinsurance webinar with Marc Schein, national co-chair, cybersecurity center of excellence, Marsh McLennan Agency, and Jim Brady, vice president cybersecurity and risk management, and CISO at Fairview Health. If you missed the webinar, you can check out the recording here.

A Little History

For context, the first cyber insurance policy was written in 1997 by AIG and, according to The Insurance Journal, “Covered only third party suits arising from breaches originating from outside the company.” Optimism for the insurance industry’s first new product category in decades was high, but as underwriters began entering the market in the early 2000s, the challenges associated with an increasingly difficult threat landscape became evident. The number of threat actors, including lone wolf hackers, criminal syndicates, and state-sponsored adversaries, was growing quickly, and the tools available to them were becoming more effective. As new threats emerged, the insurance industry struggled to keep current.

Fast-forward to 2020 and, with the outbreak of Covid-19, things got bad. In the chaos of a global pandemic threat actors took advantage and began focusing on the use of ransomware. Few organizations were prepared for the attacks, and the insurance industry’s risk calculations were turned upside down. Schein said many “underwriters were paying out more in claims than they were collecting in premiums because they were unprepared for the rise in ransomware.”

Ransomware Disruption

According to Marsh, there were 4,000 ransomware attacks per day in the U.S., and the cost to the insurance industry was $20 billion in 2021. Then, in 2022 with the outbreak of hostilities between Russia and Ukraine there was another sudden shift in the industry’s risk calculus. The potential for acts of cyberwar targeting critical infrastructure and industry, coupled with continued escalating risks for industries like healthcare, forced the insurance industry to make numerous adjustments to its risk assessments, culminating in steep premium increases along with policies and exclusions written with greater specificity.

In hindsight these changes shouldn’t come as a surprise. If anything, organizations that used cyber insurance as a major part of their risk management strategy had been getting a great deal. But as the industry has become more educated on the risks, that experience is now forcing organizations to (finally) take their own cybersecurity programs more seriously. No more cutting corners. Instead, to qualify for coverage, savvy insurers are demanding that organizations be able to demonstrate that they have complete visibility and understanding of their IT estates, and have implemented controls sufficient to protect their assets.

Gain Control

As an early player in cyber insurance, brokerage, risk management, and reinsurance services firm, Marsh McLennan has been a leader in its industry with a deep understanding of what it takes for customers to protect themselves from cyberthreats. The firm offers a list of twelve security controls it requires of its customers that Schein shared during the webinar–along with the caveat that a failure to demonstrate use of the first five is likely to disqualify the organization for coverage. Those twelve controls are:

  1. Multifactor authentication (MFA) for remote access and admin/privileged controls
  2. Endpoint detection and response (EDR)
  3. Secured, encrypted, and tested backups
  4. Privileged access management (PAM)
  5. Email filtering and web security
  6. Patch management and vulnerability management
  7. Cyber incident response planning and testing
  8. Cybersecurity awareness training and phishing testing
  9. Hardening techniques, including remote desktop protocol (RDP) mitigation
  10. Logging and monitoring/network protections
  11. End-of-life systems replaced or protected
  12. Vendor/digital supply chain risk management

The Marsh checklist signals a growing savvy within the industry that knows more information means more accurate risk assessments. As Robert Parisi, North American head of cyber solutions for Munich Re recently told the Wall Street Journal, “The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look.’”

What’s missing on this checklist? In the webinar, we raised the question of why asset visibility, security, and segmentation were not included in the list of controls. In fact, the broad “endpoint detection and response”, “patch management and vulnerability management,” and “end-of-life systems replaced or protected” all require visibility into assets and the risks they bring.

Deeper Insight

That requirement for deeper insights into the customer’s risk posture can translate to an advantage for some organizations when shopping for a cyber insurance policy. The ability to provide proof of asset visibility across their entire enterprise can mean a stronger position when shopping for a policy and negotiating with potential underwriters. Brady discussed the advantages Fairview has enjoyed by “coming to the table ready to roll” with necessary controls fully documented. This includes proof the organization has gone beyond an insurer’s requirements by implementing complete asset inventory management and network segmentation to ensure the organization’s ability to quickly detect and effectively mitigate risks.

“How can you even detect something bad going on [with a device] if you don’t even know you have it?” — Jim Brady, Fairview Health

 

“How can you even detect something bad going on [with a device] if you don’t even know you have it?” Brady asked, highlighting the strategic advantage of having complete device visibility across the entire network.

Good News

Schein agreed, and delivered surprisingly good news when he said, “If you are engaging better controls and you do improve your security posture, the marketplace is getting significantly better.” He then shared that, even as sharp premium increases grab headlines, 14% of Marsh’s customers enjoyed a price decrease by aggressively improving their overall security posture.

“If you are engaging better controls and you do improve your security posture, the marketplace is getting significantly better.” — Marc Schein, Marsh McLennan Agency

 

Clearly, security leaders that have invested in maturing their cybersecurity program with asset management, and excellent controls at the core are reaping the benefits by not only hardening their enterprises against attacks, but by reducing their overall risk profile. Many security leaders recognize that Ordr can play a key role in that equation by giving its customers the ability to see across the entire enterprise to continuously discover and classify an organization’s complete connected device inventory. What’s more, the Ordr Data Lake ensures deep insight into every device’s risk profile with a real-time understanding of communications and operational behavior that could signal an indicator of compromise. Those insights can trigger dynamically created security policies that can be quickly enforced to prevent or contain an attack, and also give insurers confidence that they are working with a customer that takes the concept of Zero Trust seriously and employs strong risk reduction practices.

Click through to view the Cybertrends and the Impact on Cyberinsurance webinar. And for a deeper dive into how to use Ordr as a tool to better secure your organization and prepare for negotiating your best deal for cyber insurance, watch Master Class: How Ordr Bolsters your Cyberinsurance Eligibility.

The HIMSS 2023 conference kicks off this week in Chicago, Illinois from April 17 – April 21 2023. This year’s theme is on “Health that connects” and “Tech that cares”. We’re excited to be sharing best practices on securing connected devices in healthcare, implementing Zero Trust segmentation and accelerating medical device security programs. You won’t want to miss hearing directly from our customers including J.D. Whitlock, CIO of Dayton Children’s and Keith Whitby, Division Chair, HTM, from Mayo Clinic in our speaking sessions. We also have a lot of partner activities. Check out everything we’re doing at HIMSS here.

Connect with Us

Join us for demos and discussions with our product experts at our Booth #4333. Book a 1-1 meeting for a deep dive into how we address critical use cases. Attend our speaking sessions.

Accelerating Your Medical Device Security Program

  • Speakers: Keith Whitby, Division Chair, HTM, Mayo Clinic and Jim Hyman, CEO, Ordr
  • When: Wednesday, April 19, 2023, 11:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S105 C

This session is one of eighteen HIMSS CXO Experience endorsed sessions, and one of fourteen sessions that are a part of the HIMSS 23 Digital Health Transformation Series.

Zero Trust in Healthcare is Not an All Or Nothing Option

  • Speaker: Danelle Au, CMO, Ordr
  • When: Monday, April 17, 2023, 10:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S102

Practical Approach to Securing Every Connected Device in Healthcare

  • Speaker: Darrell Kesti, VP Sales, Ordr
  • When: Tuesday, April 18, 2023, 1:15 pm CDT
  • Where: McCormick Center, South Building, Level 2, Hall A, Booth 4309-4333, Cybersecurity Command Center – Theater B

Better Together With Ordr and Our Partners

As an industry, and particularly in a highly targeted vertical like healthcare, we are stronger and better together when we collaborate. We are proud to work with so healthcare, networking and security partners. See first-hand our strong partner integrations with Cisco, Cisco Meraki, ServiceNow, Fortinet, and others at HIMSS:

Cisco:

  • Check out Ordr and Cisco Integrations at the Security Workstation in Cisco (Booth 2225) from April 18-20th in the afternoons
  • Attend our Fireside Chat with CIO J.D Whitlock on Zero Trust on Tuesday April 18th
  • An Ordr and Cisco “Happy Hour” will be held in the booth at 4:00 pm CDT immediately following this fireside chat.

Sodexo:

Sodexo will feature their HTM Cybersecurity managed services powered by Ordr on April 18th, 2023 from 2:30 – 3:30 pm CDT (Booth 8315)

GE HealthCare:

GE HealthCare will feature their ReadySee services offering powered by Ordr (Booth 1712)

ServiceNow:

  • Participate in our ServiceNow partner Bingo Card that will include a visit to the Ordr Booth
  • Attend our speaking session on our integration – “Maintain an Accurate, Real-time Asset Inventory with Ordr and ServiceNow”
    • Speaker: Srinivas Loke, VP Product Management, Ordr
    • When: Wednesday, April 19, 2023, 4:00 pm CDT
    • Where: McCormick Center, ServiceNow Booth3609

CrowdStrike:

Visit an Ordr demo station to see CrowdStrike and Ordr integration up close at Booth#4332

We can’t wait to see you in person!