
We’ve always known the value of partnering with Cisco Meraki. Recently we learned that we were selected by the Meraki team as the September 2023 Ecosystem Partner of the Month. This is a great honor for all of us at Ordr, we’re thrilled by the recognition of our efforts, and believe our deep integration and continued partnership is a Win/Win for our joint customers. 

The Ordr and Cisco Meraki joint solution is giving enterprise security teams what they want from the Cisco Meraki platform – ‘enterprise grade’ networking features, not the least of which includes policy and segmentation. By combining Ordr and Cisco Meraki customers can: 

  • Discover every device via the seamless Ordr and Meraki cloud integration.
  • Gain granular visibility into every single asset in their network including IT, Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technologies (OT) devices.
  • Identify their attack surface with insights such as devices with vulnerabilities, outdated operating systems, recalls, weak passwords, anomalous behaviors, and active threats.
  • Simplify and automate policy creation to accelerate incident response and Zero Trust projects.

Our successful partnership is not just about technology but also includes a strong collaboration to keep customer needs at the forefront of everything we do together. Ordr is a Cisco Co-Sell partner focused on finding the best integrated solutions for our customers through our global, shared partner community.


A big shout out to our Cisco Meraki colleagues who make working together fun and rewarding: Alicia Lorenzetti, David Hoysan, Jacky Lo, Matthew D’Angelico, Joe Maestri, Shayna Boudreau, MBA, Anna (Ania) Esipova, Disha Moses, Hope Galley, Stephanie Feliciano, Allison Norfleet, Oren Brigg, Albert Chen, Shweta Palande, Vasundhra Dewangan, Cory Guynn, John M. Kuchta, and Danna Simon.

Watch the live Cisco Meraki Ecosystem Partner of the Month announcement 

And don’t forget to request a demo on the Meraki Marketplace 

Read the announcement on the Meraki Community

 

Julie Criscenti Heck

Head of Global Partner Ecosystem Marketing


I just joined Ordr as Chief Healthcare Officer and, as is often the case in life, there’s a story, personal and professional, behind my new adventure here. 

A little more than seven years ago, while I was CTO at Sutter Health, a friend from my days as CIO at Seattle Children’s Hospital called and told me about a technology he really wanted to get my opinion on. It was an innovative new product aimed at keeping connected devices secure—a growing problem for healthcare environments. Since I was just a few hours from Silicon Valley, I drove out to find out more. 

That’s when I met Gnanaprakasam Pandian, one of Ordr’s co-founders. Pandian proceeded to show me v1 of Ordr and I was floored. In more than 20 years in healthcare IT and security, I had never, ever, been able to get complete visibility on everything that was on any of the networks I managed. And from conversations with my colleagues and peers I knew I was not alone; nobody could. 

Sure, I could see all my PCs, printers, routers, switches and other traditional IT and back-office gear; I could even manage them fairly efficiently with the right set of tools, but my vulnerability scanners kept reminding me that there were things connected to my network that were just out of view. Yes, I might have a MAC or IP address, but no clear understanding of what the associated device was, where it was, or how it was behaving. That’s the kind of stuff that keeps a CIO or CISO up at night. 

My network managers had told me not to worry about it. They would try to assuage my fears by telling me those unknown configuration items were probably just biomedical devices, not real IT equipment. Yes, they were operating on the network, but they were someone else’s problem. Their advice was meant to reassure me, but I couldn’t shake the feeling of dread. 

Ordr Visibility and Security Capabilities

I described my experience with Pandian, and he showed me that, with the Ordr platform, he could tell me exactly what devices all those MAC and IP addresses were assigned to. Not only that, but Ordr could also tell me if any of those devices had associated ECRI notices, vulnerabilities, recalls, and other insights invaluable to understanding a hospital’s security posture. The visibility alone would have been enough to give me the confidence to get a full night’s sleep, but the depth and device intelligence Ordr provided was invaluable to a CISO. 

Then Pandian showed me how Ordr could learn and establish a baseline for all these devices, establishing what is “normal behavior”, and then automatically generate VLAN, ACL, and firewall policies for network and security engineers to review and execute. This functionality delivered “Zero Trust policies” (enabling only the normal communications each device requires for its function) and was thanks to the machine learning (ML) and artificial intelligence (AI) that Ordr’s other founder, Sheausong Yang, brought to the platform. And because it is ML driven, Ordr has been learning about device behavior for a long time and has a precise understanding of what constitutes abnormal activity, and what to do about it. 

As impressed as I was at the demonstration, it was still a demonstration. And while I am not from Missouri, I am fond of the state’s motto: “Show Me”. So, I asked Pandian if he would be willing to bring Ordr to my organization’s operational environment. I wanted to see how the platform would perform with my stuff, and, oh boy, did it ever perform. I was amazed at the level of device intelligence I was getting out of Ordr, and I wasn’t the only one. I had my security team with me, and their faces lit up. 

Seven Years Later

That was seven years ago. Today, with 61 million individual device profiles (with 1000 attributes each) populating the Ordr Data Lake, Ordr is the leading asset visibility and security platform used by healthcare organizations everywhere.  

Because of that experience, Sutter engaged Ordr for a trial and we began putting the platform through its paces and working with the company’s engineers. Alas, I left Sutter to take on the CTO role at Imprivata, and did not get through the PoV process before I left. Pandian and I had discussed the possibility of joining Ordr then, but the timing wasn’t quite right. I did join the company’s advisory board, however. As it turns out, that was the best scenario for both parties. 

While I had extensive experience as a healthcare CIO and CTO, Ordr is much more than just a healthcare security platform and I don’t think I would have been able to do what the company needed at that point in its growth. In fact, I remember one of my first meetings “on the vendor side” listening to people talk about TAM, SAM, and SOM. I made a mental note thinking, “I’d better meet these people. They seem important!” 

Today, I think I’m much better prepared to work with my friends and colleagues in the healthcare field and to use those conversations to help Ordr continue to evolve its market leading device security platform. That’s why I decided to join the Ordr team now.  

I am eager and excited for this next chapter to unfold, and I hope that it involves you. 

 


Gartner analysts have been busy publishing several Hype Cycles recently. If you’re not familiar with the Gartner Hype Cycle, it is a graphic representation of the maturity lifecycle of new technologies, and there are several key reports to help security leaders with their strategy and investments. We are thrilled to be included as a representative vendor for the Cyber Asset Attack Surface Management (CAASM) category in three Gartner Hype Cycles:


Figure 1: Gartner Hype Cycle for Security Operations, 2023

 

What is Cyber Asset and Attack Surface Management (CAASM)?

As described by Gartner, “Cyber Asset Attack Surface Management (CAASM) is an emerging technology that is focused on presenting a unified view of cyber assets to an IT and security team. These assets can serve as an attack vector for unauthorized users to gain access to a system to steal information or launch a cyber attack. In order to detect assets containing outdated software, misconfigurations, and other vulnerabilities, CAASM tools use API integrations to connect with existing data sources of the organization. These tools then continuously monitor and analyze detected vulnerabilities to drill down the most critical threats to the business and prioritize necessary remediation and mitigation actions for improved cyber security.”

In Ordr deployments, we don’t just aggregate data via API. We also use deep packet inspection of network traffic, NetFlow, and cloud-to-cloud integrations such as Cisco Meraki to discover and classify assets.

Use Cases for Cyber Asset and Attack Surface Management

There are a number of use cases for cyber asset and attack surface management for security teams:

  • Asset management – provide granular visibility across all IT, Internet of Things (IoT) and operational technology (OT) assets, including detailed information about device type, manufacturer, OS version, vulnerabilities.
  • Compliance assessment – during an audit, the process of providing details of assets, and of the software, antivirus or applications running on them, can be very cumbersome if done manually. CAASM can simplify this process.
  • Security gaps – identify security gaps across the network, for example, assets that should have a security endpoint agent but do not or assets that are running outdated operating systems.
  • IT governance – identify shadow IT devices or assets that should not be on the network, such as gaming devices. Ordr goes a step further and can compare the assets we see on the network against what is actually in the CMDB, or vice versa. We can also identify devices that were newly discovered on the network, or went missing from it, in the last 24 hours.
  • Vulnerability management – identify vulnerabilities associated with assets. Most CAASMs only ingest vulnerabilities from various source systems and overlay them with asset details. Ordr goes further. Because most IoT and OT devices are typically not scanned for vulnerabilities, we also provide vulnerability details on these devices, without impacting the operations of these devices. Ordr can also discover and profile a new device on the network, and trigger appropriate scanning from vulnerability management tools.

These use cases are all fundamental CAASM use cases. But, they are just scratching the surface of what’s possible with Ordr. Because Ordr also maps communications flows for every asset, we can also support the following use cases:

  • Baseline flows – the ability to baseline normal communications patterns for every device is critical to identify malicious and anomalous traffic. This can include devices communicating to the Internet, manufacturing or medical devices in the guest VLAN, or devices that are communicating to a malicious command and control domain.
  • Bidirectional integrations – any asset details that we aggregate and correlate are shared with more than 80 networking and security integrations. For example, granular asset and vulnerability details can be shared with CMMS, CMDB, SIEM and traditional vulnerability management solutions like Rapid7, Qualys and Tenable. This ensures a consistent source of truth on all assets and risks across the entire organization.
  • Automated policies – Finally, with Ordr, because we have details on assets, connectivity and communications flows, we can dynamically generate proactive Zero Trust segmentation policies to secure devices (to allow only sanctioned, normal communications) or dynamically generate reactive policies to block ports, terminate sessions or move devices to different VLANs during an incident.

Check out a recent Demo Forum panel hosted by Richard Stiennon on Cyber Asset and Attack Surface Management. Ordr’s own Jeremy Haltom participated, and summarizes our value proposition.

Figure 2: Demo Forum panel on CAASM

In summary, there are many benefits to CAASM, primarily with optimizing resources via automated inventory of what’s on the network. Additionally, with the granular details on risks for every device, organizations can reduce their attack surface, improve operational efficiencies, and streamline compliance assessments. Ordr extends these benefits to even more comprehensive security capabilities, and actionable policies on existing infrastructure that can accelerate incident response by hours.

For more information on the Ordr platform, please reach out to us at info@ordr.net.

 


The 2023 Verizon Data Breach Investigations Report is out. Like most folks in the cybersecurity industry, we downloaded it and pored over the contents to see what was new and relevant and surprising. As always, there’s a lot of data that quantifies the issues we see everyday: ransomware attacks, social engineering, underlying factors, threat types, etc. For example, the summary of findings identified external actors as the top threat involved in 83% of breaches; said that human error plays a role in 74% of all breaches; and reported that 24% of attacks involve ransomware; and broke down credential theft, phishing, and exploitation of vulnerabilities as the three primary means of attack.

Digging Deeper

Then we gravitated toward findings specific to the industries that Ordr is focused on and that have embraced our technology as a part of their cybersecurity strategies.

  • In financial services and insurance, we learned that “basic web application attacks, miscellaneous errors, and system intrusion represent 77% of breaches,” and that financial gain was the motive in 97% of attacks on the industry.
  • In healthcare we learned that “system intrusion, basic web application attacks, and miscellaneous errors represent 68% of breaches,” and that financial gain was the motive in 98% of attacks on the industry.
  • In manufacturing we learned that “system intrusion, social engineering, [and] basic web application attacks represent 83% of breaches,” and that financial gain was the motive in 96% of attacks on the industry.

Similar results were reported down the line in accommodation and food services, education services, government, IT and so on. Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help. Each data point illuminates and confirms issues we all intuitively recognize as true.


Then we started looking deeper. Our focus at Ordr is on protecting enterprises by securing the growing number of connected devices at work in enterprises across the globe, in every industry. These include categories like the Internet of Things (IoT), Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), Operational Technology (OT), and the many devices connecting to networks to perform new and exciting tasks in a variety of niche roles (XIoT).

A Threat to Health and Safety

The risks that unsecured devices present to the organizations that own them are well known, and the implications of attacks affecting them are troubling. In healthcare, for example, attacks may have financial motives, as the VDBIR says. But recent research by the Ponemon Institute found that cyberattacks on hospitals correlated to an increase in negative outcomes for patients in 57% of hospitals affected due to delays in performing needed tests and procedures. The problem is so severe that hospitals with no means of protecting the medical devices integral to the delivery of patient care are training staff in “code dark” response, which is the physical unplugging and disconnecting of at-risk systems.


The dangers associated with vulnerable IoT, IoMT, and OT devices, and the risks they pose to not only critical infrastructure but financial services, manufacturing, and smart cities, are so concerning to our economic and physical security that connected devices are a part of the White House’s National Cybersecurity Strategy, called out in “Strategic Objective 3.2: Drive the Development of Secure IoT Devices.” The FDA has also issued a mandate to ensure new devices entering the market are built to be secure. And over in the UK connected device security is called out as part of that country’s new National Health Services cybersecurity strategy.

Despite the real and troubling issues associated with IoT security, there is no mention of them in the 2023 VDBIR. And OT security is dismissed with the explanation that “we continue to see [a] very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure,” in contrast to the volume of attacks on traditional IT systems.

Vector, Path, or Target

It is worth pointing out that even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination. It could also be that, because the VDBIR takes a broad and high-level view of the data it collects, the presence of IoT in the report is simply buried in the data. Or maybe it is not known that connected devices are involved. Our analysis following the discovery of devices connected and operating on customer networks shows that as many as 15% of those devices were unknown to IT security and management prior to deployment of Ordr. You can’t secure what you can’t see, and so an attack in which an unknown, vulnerable, and unsecured connected device was the primary vector would also be invisible to security analysts.

More likely, attacks involving IoT, IoMT, or OT devices are too granular a detail to be called out specifically in any report based on broad security analysis. But that doesn’t mean the risk isn’t real, or that the potential effects of an attack involving connected devices are not dire. They are, and that is why we built the Ordr platform to see, know, and secure every device in any network.


Great news! Ordr just announced the availability of the Service Graph Connector for Ordr in the ServiceNow Store. This integration is exciting for our customers, who can now maintain an up-to-date system of record for all assets so organizations can operate efficiently, react quickly, and manage risks more effectively.

Service Graph Connector for Ordr now available in the ServiceNow Store

Ordr provides the most comprehensive, accurate, real-time inventory of connected assets as a single source of truth. As the threat surface continuously evolves and expands, it is critical to ensure asset inventories are complete and provide the context to address risk proactively and reactively. With ServiceNow and Ordr’s bidirectional integration, Ordr’s device, network, and risk context are combined with the business context of ServiceNow. And the new Service Graph Connector for Ordr makes the integration more manageable and robust.

You now get the most comprehensive, accurate, real-time inventory of connected assets, from traditional IT to IoT, IoMT, and OT, together with their risks, in the ServiceNow Configuration Management Database (CMDB) to optimize enterprise-wide workflows and assess and manage risks.

Top Ten Security Risks of Incomplete and Outdated Asset Inventories

The list below describes significant entry points that cybercriminals can exploit. With the combination of Ordr and ServiceNow, security and IT teams can identify and mitigate the following asset risks.

  1. Banned Equipment (Section 889)
    To protect national security, the federal government bans products manufactured by prohibited companies such as Kaspersky, Huawei, and Hikvision. These banned products may contain vulnerabilities which, if exploited, can result in the loss of intellectual property. The mandate covers new procurement and requires reporting within one business day if any prohibited asset is discovered in inventory.
  2. Unauthorized Devices
    Every unauthorized device that bypasses IT and operational tools and connects to a corporate network expands the attack surface and can introduce significant risk. When news breaks of new vulnerabilities affecting corporate tools, tracking every instance of the affected device can be challenging. This includes devices used in production and, increasingly, in non-production or POV (Proof of Value) environments. The combination of Ordr and ServiceNow can proactively detect devices that can access corporate servers and other sensitive devices, and remove them from the network after the trial period.
  3. Orphaned/Missing Devices
    Maintaining good asset hygiene is always a best practice for improving security posture. It is critical to ensure that all assets registered and recorded by the procurement team are tracked and compared against all the devices connecting to the network. Any gaps should be reconciled proactively before they result in security concerns.
  4. Manufacturer Recall / FDA Recall
    Manufacturers may issue recall notices and security bulletins for significant vulnerabilities that are discovered. This is prevalent in regulated industries with mission-critical medical and industrial equipment. Similarly, federal regulators can issue recalls for sensitive equipment such as medical devices. Ordr can collate recall announcements from multiple sources and tag all impacted devices; this context can be shared with ServiceNow.
  5. Default Credentials
    Business groups typically install IoT devices such as cameras in batches. The person responsible for the installation is usually not technical and often lacks the knowledge or experience to change default passwords. It is unrealistic, if not impossible, to have a process to choose multiple unique passwords for physical security cameras when hundreds to thousands are going up in the ceiling. Think of the risk when hundreds of devices default to “Password1”. These passwords are not rotated periodically over the air the way a password policy enforces periodic password changes for laptops and desktops. An asset management system that combines the Ordr “default password discovery” feature with the ServiceNow CMDB can alert administrators to update the credentials associated with these devices.
  6. Rogue Wireless/Switches that bridge traffic to the internet (5G/LTE/Guest Wi-Fi)
    Unauthorized devices usually connect to an open corporate port, with a set of further devices daisy-chained behind them. If these consumer-grade switches or routers come with LTE or link to the guest Wi-Fi network, taking corporate data and exfiltrating it without passing through the border controls enforced by firewalls becomes easier. It is a vast attack surface. Even when a good asset management and visibility solution is implemented, a sophisticated tool is needed to understand this daisy-chaining throughout the network, keep an exact list of these devices, and implement a solution to eliminate them. An asset management system must integrate with a sophisticated visibility tool to detect and eliminate these daisy-chained devices; this is why the Ordr and ServiceNow integration is so powerful.
  7. Non-Compliant Devices
    When a corporate Antivirus (AV)/Endpoint Detection and Response (EDR) policy mandates that all IT endpoints (e.g., laptops, mobile devices, desktops) must have a robust agent installed, it is not easy to audit all the devices and pull a list of those that do not have the required software installed. One step further, it is challenging to ensure all those EDR agents are continuously running and receiving periodic updates to detect and thwart the latest attacks.
    Expired Certificates: We have all experienced how frantic it is to fix a certificate issue when a critical server stops working because of an expired certificate. With a good asset management strategy, corporate IT can track all certificate expirations and implement a plan to address them periodically. Both these insights are readily available with Ordr and can be shared with ServiceNow.
  8. Local User Accounts without Domain Joins
    All users accessing a system should be part of Windows Active Directory (AD) where possible. This is especially critical for older Windows machines that usually have many unpatched vulnerabilities. Even when a device is joined to the domain, operators can sometimes create local users on these machines. This practice must be watched closely, and a list of all locally created user accounts must be extracted and reported continuously. When hackers create local user accounts and leave them dormant for later exploitation, continuous reporting makes it easy to identify and remove those inactive accounts and clean up any malware infections on the affected machines.
  9. End-of-Life / Outdated OS
    Assets running end-of-life and outdated operating systems pose a significant risk to the organization. The first step is to identify these end-of-life devices. This can be a struggle without a solution like Ordr and ServiceNow that not only delivers accurate real-time inventory but now extends visibility to IoT, IoMT, and OT devices that often have longer operating cycles than traditional IT endpoints.
    Note that upgrading all devices running an end-of-life or outdated OS is the logical way to address potential risks. But upgrading these devices in regulated industries such as healthcare, manufacturing, and banking might not be possible due to backward compatibility issues. In some cases, an update to a device will trigger the need to re-certify the device with federal regulators. For all these cases, it is prudent to have a segmentation strategy to isolate outdated and at-risk devices from other parts of your environment, which can be easily accomplished with Ordr’s behavioral baselining and automated Zero Trust policies.
  10. Unpatched Devices Vulnerable to Exploitation
    This is the most important reason to embark on an asset management strategy that gives an accurate view of all connected devices and their associated details. An asset management strategy must include identifying operating system (OS) versions and patch levels for each connected device. This makes it easy to highlight the exact CVEs (Common Vulnerabilities and Exposures) that are still open and exploitable by a potential attacker. Having this list as a work item and tracking how the patching for these devices is progressing is one of the most foundational aspects of cyber security an organization can initiate.

Asset Management Aligned to Risk Reduction

An incomplete and inaccurate asset inventory poses many risks. The risks can extend from non-compliance to safety and regulatory concerns. On top of that, add the problems of security breaches, which can cause high financial and reputation costs to organizations.

Understanding your attack surface by implementing a robust asset management strategy that identifies and closely tracks vulnerabilities and threats from the entire asset universe of IT, OT, IoT, ICS, BMS, and IoMT (Internet of Medical Things) will minimize the risk imposed on an organization. We are proud to offer the Service Graph Connector for Ordr to help customers achieve the comprehensive and accurate asset inventory they need to simplify workflows, improve security, and accelerate incident response.


It’s a new year, and with so much uncertainty, seven of Ordr’s executives and subject matter experts offer ironclad predictions for what to expect in connected device security in 2023.

Bryan Gillson – Head of Vertical Market Strategy

As a result of the convergence of information technology (IT) and operational technology (OT) and expanding connectivity of once isolated industrial infrastructure, there will be a notable increase in attacks targeting OT. Ransomware, cyberterrorism, and other attacks will be the unfortunate result and critical infrastructure environments will be a primary target.

OT like industrial control systems (ICS), supervisory control and data acquisition (SCADA), and similar equipment was once protected by air-gapping their networks from traditional IT and the internet (the Purdue Enterprise Reference Architecture, or Purdue Model). However, as trends like remote supervision, automation, and digital supply chain management have taken hold, greater levels of connectivity have opened those once isolated environments, including legacy systems running obsolete, unsupported, and insecure equipment, putting them in reach of threat actors who have proven themselves all too willing to take advantage of any vulnerability, and any type of organization.

Jim Hyman – CEO

CISOs and cybersecurity champions inside more organizations will see a sharp increase in support as corporate boards bring in cybersecurity expertise. When the U.S. Federal Trade Commission (FTC) issued guidance last year putting corporate boards on notice that “data security begins with the Board of Directors,” it added fuel to a process that had been slowly gaining momentum in recent years by elevating the issue of cybersecurity within corporate governance. In 2023 that process will translate to meaningful support for security initiatives, including budgets and staffing.

Similarly, in 2023 more organizations will be held to account for their lax security programs and we can expect to see greater attention given to the issue of cybersecurity by federal legislators. Lawmakers are growing impatient with corporate inaction even as threats begin to affect individuals amid attacks on critical infrastructure, including hospitals. As Senator Ron Wyden told MIT Technology Review, “There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God. That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility.”


Kahil Thomas – Regional Sales Manager, Healthcare

Inventory tools like configuration management databases (CMDBs) and computerized maintenance management systems (CMMSs) will play an increasingly critical role in cybersecurity as the number of connected devices continues to soar and organizations turn to automated solutions to scale security efforts. The importance of these tools, in turn, will prioritize the need to automate the collection of asset details, aggregate data from multiple sources, and ensure accurate, real-time information.

Gartner has identified the expansion of cyber-physical systems, including IoT and other connected devices, as a major risk for organizations that fail to account for all assets across their environment. Human effort alone is not capable of keeping up with the growth of connected devices and that is why automation is essential to all cybersecurity related tools.

Gnanaprakasam Pandian – co-founder and Chief Product Officer

In 2023, organizations will finally have a single, unified asset knowledge base for cybersecurity. This is essential to achieving and maintaining a Zero Trust security posture that spans IT, OT, and IoT, because maximizing protection demands there be no blind spots; a unified view of all connected assets, along with their essential business context, is foundational for cybersecurity today. That capability represents the keys to the cybersecurity kingdom, and it will be available to most organizations in 2023. Many organizations (but not all) will embrace it.

Also, the era of proactive protection using behavioral models will finally displace the era of reactive remediation. This will relieve a tremendous burden from security teams that currently spend an enormous amount of energy on reactive remediation and allow them to apply their skills to other areas of security, like optimization, automation, and forensics. Effective security means knowing what a device does much more than what the device is. Hence, behavioral modeling of devices will form the foundation of threat detection and automated response.


Darrel Kesti – VP of Sales

Healthcare will see an increase in merger and acquisition activity in 2023 as a result of the financial toll on the industry since early 2020, including effects related to both the pandemic and a sharp increase in costly cyberattacks. Smaller and independent hospitals, clinics, and related service providers that are no longer able to deliver a high quality of care will see some operations shut down while others will be absorbed by larger providers, extending their reach and expanding their market footprint. But because many smaller healthcare organizations have been targeted relentlessly by threat actors, acquiring organizations must conduct thorough due diligence to determine whether the acquired environment is already compromised before merging IT estates.

We will also continue to see an increase in cyber insurance premiums and coverage limitations in 2023 across healthcare and all other industries. As a result of the growing number of claims and increasing scrutiny, cyber insurance providers will demand greater documentation of essential security controls and will refine their audits and reviews to verify adequate security measures are in place, paying close attention to the complete 3PT (People, Process, Policy, and Technology) elements of security programs to reduce their risks.

Bryan Wallace – Head of Partner Sales

Network administration teams will be squeezed between being short-staffed due to a tight labor market and tightening budgets even as security requirements and expectations increase in the coming year. Trends toward network segmentation, Zero Trust implementation, and complete cyber asset attack surface management (CAASM), among other network-centric security priorities, will push organizations toward adopting new tools to simplify the definition and implementation of rigorous security policies (e.g., firewall, NAC, switch ACLs) and that allow teams to do more with less.

Similarly, both security and network teams will require a unified view of inventory and risks across IT, OT, and IoT assets as connectivity between industrial and administrative networks continues to expand. The blending of these environments will increase complexity and risk, while making security and IT operations management impossible without the right (automated) tools.


Paul Davis – VP of Customer Success

Cyberattacks targeting the healthcare industry will continue to increase, driving legislation at the state and federal level in the U.S., and abroad, while also prompting the industry to adopt stricter security standards on its own. In response, healthcare organizations will look for ways to generate efficiencies for security in what are often complex organizations.

With the overlap between traditional IT security teams and biomed/clinical engineering becoming more apparent, there will be pressure to adopt monitoring and security management tools that address requirements across the teams in 2023. The goal of these efforts is to improve visibility of the attack surface and response to threats while providing a more consistent and effective way of communicating security risk across the whole organization.


Did you catch the recent news that stress and burnout are the primary concerns for most chief information security officers (CISOs) these days? That was the result of a recent study conducted by the executive search firm Heidrick & Struggles as reported by CNBC last month. The survey found stress (59%) and burnout (48%) were identified as the top two personal risks by 327 CISOs from around the globe. Those results were compiled well before former Uber CISO Joe Sullivan’s controversial conviction on charges he hindered a federal investigation into a data breach at the ride-sharing company. Given the range and passion of opinions other CISOs have expressed in response to that case, it’s likely that stress is on the rise.

Scapegoats and Sacrificial Lambs

It’s not that surprising to learn that CISOs are under stress. They are responsible for keeping networks and data safe from a relentless onslaught of attacks from threat actors, and from data breaches that are a result of simple human error. If you spend any amount of time talking with members of the CISO community, as I do, you’ll hear the common complaint that they must manage high expectations and low budgets. You’re also likely to hear a lot of gallows humor involving scapegoats and sacrificial lambs.

I’m sympathetic to a CISO’s plight. In Ordr’s corner of the cybersecurity world, we deal with connected devices of the sort that make up the Internet of things (IoT), Internet of medical things (IoMT), and operational technologies (OT) that are the backbone of industrial and critical infrastructure enterprises. In that world, the pace of change and growth is astounding; it’s impossible to keep up. Consider the following statistics:

  • By 2024 there may be as many as 83 billion connected devices active in commercial networks (Juniper Research).
  • At that time there will be more than 150,000 devices connecting to networks every minute (IDC).
  • The average hospital IT infrastructure includes more than 100,000 connected devices, including more than 15,000 IoMT devices dedicated to critical care, and between 10 and 15 IoMT devices per bed.

Those are big numbers, and they only represent the devices a CISO knows about. There may also be hundreds more unmanaged devices connecting to their networks, enlarging the enterprise’s attack surface, and increasing the chances of a data breach. That’s because you can’t protect what you can’t see. And when vending machines, smart assistants, aquariums, Kegerators, Teslas, Pelotons, and any number of other stranger things decide to make themselves at home on the network, stress rises along with risk.

Just What the Doctor Ordr’ed

Ordr is aware of these trends, and we have just what the doctor ordered to ease the burden that they place on both the CISO’s enterprise and psyche. Our platform excels at looking across the network to locate and identify each device. Within minutes, Ordr discovers, locates, and automatically classifies all the device assets that are operating on your network, including devices you knew you had, devices you forgot you had, devices you thought you lost, and the ones that you weren’t expecting. In addition to complete device discovery, Ordr’s feature set is designed to make a CISO’s job easier, including:

  • Automated asset inventory synchronized with your CMMS or CMDB.
  • Continuous risk assessment uncovering vulnerabilities and risky communications.
  • Vulnerability management to help with remediation and mitigation tasks.
  • Improved incident response with dynamically created policies to stop attacks.
  • Accelerated Zero Trust with dynamically created policies for NAC and segmentation.
  • Simplified compliance with detailed reports and documentation to help with auditors and assessments.

And because the Ordr Data Lake is already populated with detailed information on millions of individual device types, every device we find is automatically and accurately profiled, and its communications patterns baselined and monitored. That’s important because connected devices operate in narrow, deterministic ways. Any deviation from normal can be treated as an indicator of compromise, and when Ordr detects a threat, we arm your teams with contextual insights and policies so you can take the right action, quickly. That protects your network by preventing attacks, containing threats, and enabling operational resilience by isolating mission-critical devices that need to remain in service.


The CISO’s team also benefits from these features. The ability to automate asset inventory, locate devices easily, and generate security policies on any networking or security infrastructure reduces human error and frees IT and security personnel to focus on more strategic tasks. This can help CISOs ensure higher job satisfaction, reduce stress, and increase retention on their teams.

A CISO’s Peace of Mind

Whether you are protecting a hospital, industrial facility, financial services firm, or any other enterprise that relies on a vast constellation of connected devices, Ordr is good medicine. When Ordr is at work a CISO has a little more peace of mind, reducing the stress that comes with being an organization’s Cyber Incident Scapegoat Offering. If you want more information about the Ordr connected device security platform, or if you’d like a demo, reach out and let us know.


Last year, we shared a number of cybersecurity predictions, most of which either played out as described or are trending that way, with results that remain to be seen. In one instance Ordr CEO Greg Murphy predicted that, “Someone in the U.S. will die as the result of a ransomware attack, resulting in increased push for cybersecurity regulations in healthcare and increased cybersecurity budgets.” Tragically, according to a lawsuit filed in September of last year, that prediction came true.

This year, we asked a number of Ordr cybersecurity experts what they saw unfolding for the next eleven months and are sharing nine of the more interesting responses.

  1. Ransomware attacks will continue to increase (Pandian Gnanaprakasam)

The impacts of double extortion and crimeware-as-a-service will continue to plague businesses worldwide. The number of victims will triple, increasing from 20% to 50%, while the number of companies that pay a ransom to recover their data will increase from 10% to 30%.

Cybercriminals will drive these increases through more aggressive tactics, including data destruction, sensitive data leaks, DDoS campaigns, targeting and breaching high-profile organizations (including wealthy families), and disrupting business operations to force enterprises to pay. We will also see a concerning increase in the use of killware in attacks that once delivered only ransomware.

  2. Organizations will adopt a more holistic security strategy to address a shift from traditional endpoints as IoT, IoMT, and OT devices converge in the enterprise network. (Bryan Gillson)

Recent attacks (e.g., Colonial Pipeline) show us that we are not thinking about cyber resilience, and as a result, in the case of thousands of industrial and healthcare breaches, we see loss of services (patients diverted, pipelines shut down). This happened even though the IoT/OT infrastructure was not attacked or compromised.

This will prompt organizations to recognize that what is needed is to embrace a whole-of-enterprise approach to security that encompasses cloud-to-ground visibility, and analysis and control of all connected assets (from traditional IT to vulnerable IoT, IoMT or OT) in order to enable true cyber resilience.

  3. Third-party/supply chain attacks will continue to increase (Brad LaPorte)

2022 will be the Year of the Supply Chain Attack. Already up 430% since 2019, the growth of these types of attacks will increase exponentially and become the #1 global attack vector. As more enterprises adopt more mature cybersecurity practices, criminals will go upstream to weaker targets that can maximize their blast radius and give them an impactful one-to-many attack ratio. Historically, attacks have been spray-and-pray; now, they will become more surgical as supply chain attacks become weapons of mass disruption.

  4. Attackers will begin using AI to infect multiple organizations at a massive scale (Srinivas Loke)

It has taken a few decades, but adoption of automation solutions such as AI, ML, and DL has gone mainstream and worldwide. This is great news for cyber defenders, as Gartner finds “33% of technology providers plan to invest $1 Million or more in AI within two years.” The cybersecurity industry is leading the way on this trend, but easy access to open-source AI tools is both a blessing and curse. Cybercriminals have access to the same resources, and the resulting threat is multiplied by strong ideological and financial incentives to use them. This will accelerate the ability of threat actors to conduct targeted, automated attacks at a massive scale. The war of the machines is on the horizon.

  5. Attackers are going straight to recruiting insiders for advanced attacks (Danelle Au)

Organizations have focused (rightly so) on shoring up their identity and access management capabilities, and deploying multi-factor authentication within their networks. These solutions have made it harder for attackers to bypass defenses—and so attackers are going directly to insiders. With the promise of a cut of the haul in exchange for access, ransomware gangs are bypassing traditional methods and are instead working to recruit insiders to use their privileged access to install malware directly. The tactics being used by these attackers are similar to HUMINT espionage and recruitment programs. Unfortunately, this means that every security leader now needs to consider insider-originated malware as part of their ransomware protection strategy.

  6. Laws or sanctions won’t make a big dent in stopping ransomware and cyberattacks (Greg Murphy)

Over the last several years, the urgency in dealing with ransomware and other advanced attacks at the legislative level has grown, as illustrated with bills like Warren-Ross, a 30-country meeting led by the Biden administration to address the threat of ransomware, and efforts by the FBI to crack down on ransomware gangs. However, political and legislative efforts won’t make a difference as long as cybercrime makes sense economically, and as long as Russia has no incentive to bring threat actors to justice. One possible—though controversial—way to reduce these advanced attacks is to eliminate the anonymity associated with cryptocurrency payments. Without an easy way to pay ransom, these attacks will decrease. Additionally, more scrutiny is needed on cyber insurance, as this practice facilitates easy payments for threat actors, and has the adverse effect of fueling more cyberattacks.

  7. Security teams should expect significant Zero Day vulnerabilities (Pandian Gnanaprakasam)

Software development has roared forward for decades without enough thought given to security implications, and we’re suffering the consequences. That was evident to security teams in 2021 with the emergence of vulnerabilities like PrintNightmare in Q2/Q3 and Log4j in Q4. Similar revelations will continue throughout 2022 and beyond as attackers pair automated vulnerability scanners with post-exploitation frameworks like Cobalt Strike to find and exploit new vulnerabilities. In response, software developers should emphasize security best practices, especially when working with open-source software. Manufacturers should also disclose a software bill of materials (SBOM), a nested inventory of the components that make up their software, to better inform customers and users of the possible security implications of using their products.
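The point of the "nested inventory" is that the vulnerable library is usually not a direct dependency but something buried two or three levels down. The following is an added example, not Ordr code and not a real advisory feed: it walks a constructed, CycloneDX-shaped SBOM for a hypothetical firmware bundle and reports every component whose version is below an assumed "first fixed" version, printing the nesting path that would otherwise hide it. The component names, versions and FIXED_IN values are all assumptions for illustration.

```python
"""Walk a nested SBOM and flag components that fall below a fixed version.

Added example for this page, not Ordr code and not a real advisory feed.
The SBOM is a constructed, CycloneDX-shaped dict whose components may nest
their own "components"; FIXED_IN holds assumed "first fixed" versions.
"""
from __future__ import annotations

from typing import Iterator

# Constructed SBOM for a hypothetical device firmware bundle.
SBOM = {
    "metadata": {"component": {"name": "infusion-pump-fw", "version": "4.2.0"}},
    "components": [
        {"name": "busybox", "version": "1.31.1"},
        {
            "name": "telemetry-agent",
            "version": "2.3.0",
            "components": [
                {"name": "log4j-core", "version": "2.14.1"},      # nested two levels down
                {"name": "jackson-databind", "version": "2.12.3"},
            ],
        },
        {"name": "openssl", "version": "1.1.1k"},
    ],
}

# Assumed advisory data: component -> first version treated as fixed.
# Illustrative values only; use the vendor's or NVD's ranges in practice.
FIXED_IN = {
    "log4j-core": "2.15.0",
    "openssl": "1.1.1l",
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '1.1.1k' into a tuple that compares numerically.

    Each dotted segment becomes (number, letter_suffix) so OpenSSL-style
    '1.1.1k' < '1.1.1l' and '2.14.1' < '2.15.0' both hold. Pre-release
    tags such as '-beta9' are not handled; extend if your SBOM uses them.
    """
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append((int(digits) if digits else 0, seg[len(digits):]))
    return tuple(parts)


def walk(component: dict, path: tuple = ()) -> Iterator[tuple[tuple, dict]]:
    """Depth-first walk yielding (path, component) for every nested entry."""
    here = path + (f"{component['name']}@{component['version']}",)
    yield here, component
    for child in component.get("components", []):
        yield from walk(child, here)


def find_affected(sbom: dict, fixed_in: dict) -> list[dict]:
    """List every component whose version is below its fixed version."""
    root = dict(sbom["metadata"]["component"], components=sbom.get("components", []))
    hits = []
    for path, comp in walk(root):
        fixed = fixed_in.get(comp["name"])
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            hits.append({
                "component": comp["name"],
                "version": comp["version"],
                "fixed_in": fixed,
                "path": " > ".join(path),  # the nesting that hides the dependency
            })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM, FIXED_IN):
        print(f"{hit['component']} {hit['version']} < {hit['fixed_in']}  via {hit['path']}")
```

Run against the constructed SBOM it reports log4j-core 2.14.1 via infusion-pump-fw > telemetry-agent, and openssl 1.1.1k at the top level; a flat inventory that lists only direct dependencies would have missed the first one.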

  8. Telehealth and telemedicine are here to stay. And healthcare organizations need to keep those systems secure. (Darrell Kesti)

The COVID-19 pandemic brought telehealth and telemedicine into the mainstream, and they are not going away even after the threat of the virus abates. For most healthcare organizations, the popularity of telehealth visits versus physical visits will be dependent on insurance providers, and whether they will pay the same amount for virtual versus physical visits. In the UK, telehealth visits are gaining in popularity because of the reduced number of physicians and the long wait time when it comes to scheduling visits. From a cybersecurity perspective, a lot of telehealth/telemedicine environments connect directly from the patient to the specific telehealth vendor, and therefore there is a lack of security visibility into these visits. That needs to change for the sake of patient and organizational safety.

In the U.S., Mayo Clinic began offering hospital-at-home care for patients with non-life-threatening conditions during the pandemic, and saw success from the strategy; not just for patients but also for freeing up space in the hospital. With Omicron and future variants being inevitable, expect that these will also be included in telehealth and telemedicine at-home care, with corresponding medical devices that also need to be secured.

  9. Cloud infrastructure will be one of the leading attack vectors in 2022. (Brad LaPorte)

Everything is moving to the cloud—including cybercriminals. According to Gartner, by 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 40% in 2020. Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. In addition, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. And 63% of third-party code templates used in building cloud infrastructure contained insecure configurations. Threat actors know this, and they are working hard to take advantage. To say that cloud security needs to be a top priority is the understatement of the year.

Those are our thoughts on what’s in store for the cybersecurity landscape in 2022. We’d love to hear yours.


Internet of Things (IoT) devices are now in every aspect of the enterprise. As businesses grow, adding more and more devices to their networks, they face unique challenges in securing IoT. Frost and Sullivan, in their most recent report, “Strategic Assessment of the IoT Security Market,” expect the number of IoT devices to grow from around 34 billion in 2020 to over 60 billion by 2025.

As IoT adoption increases, IoT security is becoming critical. Many IoT devices lack basic security features, cannot be easily patched, and run obsolete operating systems. The ideal scenario is to build security into these devices, which some states and the Federal government are advocating via legislation such as the California SB327 or the IoT Cybersecurity Improvement Act. But with billions of insecure IoT devices already deployed, organizations need cybersecurity solutions that can address IoT security today.

In this report, Frost and Sullivan also calls out the need for an IoT security solution that offers the following:

  • Network Monitoring: Network monitoring, or network detection and response, solutions that incorporate deep packet inspection (DPI) can extract granular insights about devices. Combined with artificial intelligence (AI) and machine learning (ML), this can map and baseline every device’s communications.
  • Integrated IT, IoT, and OT Cybersecurity: As IT and IoT/OT networks converge, a multifunction platform that offers a “whole enterprise” approach becomes important.
  • IoT Risk Management: A solution that can identify risks and define anomalous behavior is important.
  • Network Segmentation: A best practice for protecting connected devices is segmentation. Zero Trust segmentation ensures each device has only the access its role requires, and can be enforced on next-generation firewalls or in the network (switches, network access control).
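The Zero Trust segmentation item above (and the policy tools for firewalls, NAC and switch ACLs mentioned in the 2023 predictions earlier on this page) come down to turning a device role’s baselined conversations into an allow-list with an explicit deny at the end. The following is an added example written for this page, not Ordr’s policy engine: OBSERVED is a constructed learning-period baseline, the role names and addresses are assumptions, and the output approximates Cisco IOS extended-ACL syntax purely for illustration, so check it against whatever enforcement point you actually use. The one caveat a practitioner cares about is built in: a conversation seen on only one device of the role is held for review rather than permitted, because baking a single pump’s odd outbound flow into the policy would whitelist a possible compromise.

```python
"""Turn a role's baselined conversations into a default-deny allow-list ACL.

Added example for this page, not Ordr's policy engine. OBSERVED is a
constructed learning-period baseline; the output approximates Cisco IOS
extended-ACL syntax for illustration and must be checked against the
enforcement point you actually use (firewall, NAC, switch).
"""
from __future__ import annotations

from collections import defaultdict

# Constructed baseline: (device_ip, role, proto, dst_ip, dst_port)
OBSERVED = [
    ("10.20.1.11", "infusion_pump", "tcp", "10.20.9.5", 443),     # pump gateway
    ("10.20.1.11", "infusion_pump", "udp", "10.20.0.53", 53),     # DNS
    ("10.20.1.12", "infusion_pump", "tcp", "10.20.9.5", 443),
    ("10.20.1.12", "infusion_pump", "udp", "10.20.0.53", 53),
    ("10.20.1.13", "infusion_pump", "tcp", "10.20.9.5", 443),
    ("10.20.1.13", "infusion_pump", "udp", "10.20.0.53", 53),
    ("10.20.1.13", "infusion_pump", "tcp", "203.0.113.7", 4444),  # seen on one pump only
    ("10.20.2.40", "badge_reader", "tcp", "10.20.9.20", 4070),
]

MIN_SHARE = 0.5  # a flow must be seen on at least half the role's devices


def role_baseline(observed, role):
    """Map each (proto, dst, port) to the set of devices of `role` that used it."""
    flows = defaultdict(set)
    devices = set()
    for dev, r, proto, dst, port in observed:
        if r != role:
            continue
        devices.add(dev)
        flows[(proto, dst, port)].add(dev)
    return flows, devices


def split_flows(flows, devices, min_share=MIN_SHARE):
    """Separate role-wide flows (safe to permit) from outliers (hold for review).

    Baking a single device's odd conversation into the policy would
    whitelist a possible compromise, so outliers are reported, not permitted.
    """
    allowed, review = [], []
    for key, seen_on in flows.items():
        share = len(seen_on) / len(devices)
        (allowed if share >= min_share else review).append((key, sorted(seen_on)))
    return sorted(allowed), sorted(review)


def render_acl(name, devices, allowed):
    """Explicit permits per device and flow, then deny-any with logging."""
    lines = [f"ip access-list extended {name}"]
    for dev in sorted(devices):
        for (proto, dst, port), _ in allowed:
            lines.append(f" permit {proto} host {dev} host {dst} eq {port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    flows, devices = role_baseline(OBSERVED, "infusion_pump")
    allowed, review = split_flows(flows, devices)
    print("\n".join(render_acl("INFUSION_PUMP_OUT", devices, allowed)))
    for (proto, dst, port), seen_on in review:
        print(f"! review: {proto} {dst}:{port} seen only on {', '.join(seen_on)}")
```

For the constructed data this yields six permit lines (three pumps, two sanctioned conversations each), a logged deny-any, and one flagged outlier: the tcp/4444 conversation to 203.0.113.7 from a single pump, which a human should look at before it ever becomes policy.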

In fact, these are the key building blocks of the Ordr platform – a whole organization approach to device security that combines DPI with AI to classify devices, profile risks and behavior and automate response including Zero Trust segmentation. Our capabilities include:

  • Device discovery: Within a few hours of deployment, Ordr discovers high-fidelity context on every connected device, including make, OS, location and application/port usage
  • Device flow analytics and baselining: Ordr passively monitors network communications and creates a conversation map, called the Ordr Flow Genome, for every connected device.
  • Security response: Ordr automates device identification and uses AI to baseline normal communication behavior, then translates these behaviors into a device-specific security policy
  • Detection of internal reconnaissance and lateral movement: Because Ordr baselines each device’s normal conversations, reconnaissance and sniffing from a compromised device can be spotted as soon as it starts a flow to a destination it has never communicated with before
  • Comprehensive device insights for businesses: Ordr sees the device the moment it becomes active in the network, records operational activity and records the time it goes offline
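The mechanism behind the reconnaissance and lateral-movement bullet above, and behind the “any deviation from normal can be treated as an indicator of compromise” point in the CISO post earlier on this page, is the same: learn each device’s set of conversations, then treat a flow outside that set as a signal. The following is an added example written for this page; it is not Ordr’s Flow Genome or detection code. FLOWS is a constructed record set, the learning/detection split and the scan thresholds are assumptions, and the addresses and ports are illustrative. It distinguishes a single new conversation (low severity, devices do get reconfigured) from several distinct new destinations in a short window (the sweep pattern worth escalating), and it separately flags a device that never appeared during learning at all.

```python
"""Baseline each device's conversations, then flag deviations from them.

Added example for this page; it is not Ordr's Flow Genome or detection
code. FLOWS is a constructed record set of (timestamp_s, src_ip, dst_ip,
dst_port); the learning/detection split and thresholds are assumed.
"""
from __future__ import annotations

from collections import defaultdict, deque

LEARN_UNTIL = 1000   # flows before this timestamp build the baseline
SCAN_WINDOW = 60     # seconds
SCAN_THRESHOLD = 3   # distinct new destinations inside the window => escalate

FLOWS = [
    # learning period: CT scanner -> PACS and DNS, badge reader -> its controller
    (10,   "10.30.1.20", "10.30.9.10", 104),   # DICOM
    (15,   "10.30.1.20", "10.30.0.53", 53),
    (20,   "10.30.1.21", "10.30.9.20", 4070),
    (900,  "10.30.1.20", "10.30.9.10", 104),
    # detection period
    (1200, "10.30.1.20", "10.30.9.10", 104),   # normal
    (1300, "10.30.1.21", "10.30.9.20", 4070),  # normal
    (1400, "10.30.1.20", "10.30.1.21", 445),   # scanner has never talked to the badge reader
    (1410, "10.30.1.20", "10.30.1.22", 445),   # ...and is now sweeping SMB across the subnet
    (1420, "10.30.1.20", "10.30.1.23", 445),
    (1500, "10.30.1.99", "10.30.9.10", 104),   # device never seen during learning
]


def build_baseline(flows, learn_until=LEARN_UNTIL):
    """Per source device, the set of (dst, port) pairs seen while learning."""
    baseline = defaultdict(set)
    for ts, src, dst, port in flows:
        if ts < learn_until:
            baseline[src].add((dst, port))
    return baseline


def detect(flows, baseline, learn_until=LEARN_UNTIL,
           window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return (ts, src, kind, detail) alerts for flows outside the baseline.

    A single new conversation is a low-severity alert (devices do get
    reconfigured); several distinct new destinations from one device within
    `window` seconds is the recon/lateral-movement pattern and is escalated.
    """
    alerts = []
    recent_new = defaultdict(deque)   # src -> deque of (ts, dst) for new conversations
    for ts, src, dst, port in flows:
        if ts < learn_until:
            continue
        if src not in baseline:
            alerts.append((ts, src, "unknown_device", f"{dst}:{port}"))
            continue
        if (dst, port) in baseline[src]:
            continue
        alerts.append((ts, src, "new_conversation", f"{dst}:{port}"))
        q = recent_new[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.append((ts, src, "scan_or_lateral_movement",
                           f"{len(distinct)} new destinations in {window}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, build_baseline(FLOWS)):
        print(alert)
```

On the constructed data the two normal flows at t=1200 and t=1300 produce nothing, the three SMB flows from the scanner each raise a new_conversation alert, the third one also trips the scan_or_lateral_movement escalation, and the never-seen 10.30.1.99 is reported as an unknown device. In production the learning period would be per device rather than a global cut-over, and a baseline learned while a device was already compromised is exactly the outlier problem the policy example on this page guards against.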

To learn more about Ordr’s IoT security solutions, please visit www.ordr.net. For the full report, click here.