Mapping the Device Flow Genome

Incredibly complex problems cannot be solved without first establishing a baseline of understanding the elements of the problem in very fine grain detail. In the medical community, for example, development of targeted therapy for many serious diseases was comparatively ineffective before the mapping and sequencing of more than 3 billion nucleotides in the human genome. The Human Genome Project, a 15-year collaborative effort to establish this map of human DNA, has enabled the advancement of molecular medicine at a scale that was once impossible.

Similarly, IT, Security and Business leaders cannot address the myriad challenges of the hyper-connected enterprise without fully mapping the device flow genome of each network-connected device and system. There are millions of connected devices, from simple IoT devices to multi-million-dollar functional systems, in a Global 2000 corporation, major healthcare system, retail chain or large industrial enterprise. The global volume of non-traditional network-connected devices – IoT devices – is doubling every few years and will exceed 20 Billion by 2020, according to experts.

This challenge is enormous, because it requires complete understanding of both the fixed characteristics of each device and the constantly changing context in which it operates. To do this at scale, you must be able to apply sophisticated machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network. If you can do that, you can immediately identify potential ‘mutations’ in the genome – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences. At the same time, you can leverage artificial intelligence to define and implement actionable policies that prevent future recurrences. That’s the only reliable way to protect critical assets and deliver true closed-loop security in the hyper-connected enterprise. And that’s exactly what we set out to do when we founded Ordr a few years ago.

There are solutions on the market today that seek to “fingerprint” devices, discovering their IP address, using MAC address lookup to identify the device manufacturer, and applying other rudimentary techniques to build a generic profile of the device. Fingerprinting allows you to answer some important but very basic questions: How many devices are connected to my network and to which ports and VLANs are they connected? How many of these devices are from Manufacturer X? Gathering more specific information has typically required agents installed on each endpoint. That is simply not possible in the hyper-connected enterprise, as the scale and heterogeneity of these devices quickly breaks traditional IT and security models.

Instead, by fully mapping the device flow genome automatically, without any modifications to the device or the existing enterprise infrastructure, within hours, Ordr identifies and enables you to act on critical information:

  • 5 of your critical manufacturing systems are running software other than your standard configuration, with known vulnerabilities;
  • 2 devices have been infected with Wannacry ransomware and are actively attempting to connect to peers;
  • 3 of your X-ray machines are being used at 90% capacity while 2 are only operating at 40%;
  • 6 of your heart-rate monitors are models subject to an FDA recall;
  • Your elevator control system is attempting to contact your internal HR application;
  • 80% of your security cameras are still using the manufacturer’s default password;
  • All digital signage on your network communicates with the manufacturer for updates and patches, but one unit is also communicating with a suspicious server in Kiev and appears to be exfiltrating PCI data.

Mapping the device flow genome allows Ordr to provide these types of actionable insight across millions of devices within the hyper-connected enterprise. This requires comprehensive real-time collection, correlation and analysis of vast amounts of information about each device:

  • Device Make, Model and Modality – Classification and grouping of similar device types at a hierarchical level, to facilitate efficient administration and regulation of those devices, requires specific information on the manufacturer, device type, model, modality and even the serial number.
  • OS and Software Versions – Device operating system, including current OS patches, all software components installed (software bill of materials), anti-virus software etc.
  • Known Vulnerabilities – Detection of potential port exploitation, results of vulnerability scans, and correlation of all known vulnerabilities from the device manufacturer and third-party sources (national vulnerability database, FDA recalls, etc.).
  • Network Parameters – Complete information on network connectivity, switch port, wireless access point, VLAN/subnet (and comparison of each device’s VLAN/subnet membership relative to similar ‘peer’ devices).
  • Device-Level Session and Flow Data – Data on connection attempts, number of sessions, data rate, location, ‘last seen’ time and location, usage patterns, etc.
  • Flow-level Conversation Patterns – Ability to assess each device’s flow-level conversations in order to baseline its normal behavior against its peer group and against its own history, and to detect anomalies.
  • Internal Communications – Accurate detection of devices propagating malware, using well-known signatures such as those that detect reconnaissance activity.
  • External Communications – Real-time comparison of each device’s external communication patterns to the external/internet sites permitted for its device profile (for software updates, etc.). This is needed to defend against external attacks and to identify communication with hostile sites that have poor reputation scores, such as phishing sites.
  • Applications and Users – Full understanding of the applications running on each device, as well as the users on the device.
  • Servers – Data on all the servers to which each device connects.
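The fingerprinting paragraph above and the list of per-device information it is contrasted with describe three signals that can be combined: the MAC OUI lookup that basic fingerprinting stops at, the protocols a device is observed speaking, and flow-level baselining of each device against its peer group and against a per-profile allowlist of permitted external sites. The script below is an added illustration of that combination; it is not Ordr’s code and does not describe how the Ordr SCE works internally. Every table and flow record in it is constructed sample data (the OUI prefixes, vendor names, hosts and IP addresses are placeholders, not real assignments), and the port-to-profile hints are a deliberately simplified stand-in for real protocol decoding.

```python
"""Added illustration (not Ordr's code): a toy 'device flow genome' pass.

Combines (1) MAC OUI lookup, (2) observed protocols to refine the
classification, and (3) flow-level peer-group baselining plus a per-profile
allowlist of external destinations. All data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed OUI table: MAC prefix -> vendor. Illustrative values only.
OUI_TABLE = {
    "00:11:22": "Generic NIC Corp",   # an embedded NIC vendor, not the device maker
    "aa:bb:cc": "Acme Camera Co",
    "dd:ee:ff": "Lift Controls Ltd",
}

# Constructed protocol hints: destination port -> (protocol, implied profile).
# A real system would decode the protocol rather than trust the port number.
PROTOCOL_HINTS = {
    104: ("DICOM", "medical-imaging"),
    502: ("Modbus", "industrial-controller"),
    554: ("RTSP", "ip-camera"),
}

# Constructed per-profile allowlist of permitted external destinations.
PROFILE_ALLOWLIST = {
    "ip-camera": {"updates.acme-camera.example"},
    "medical-imaging": set(),          # imaging devices are expected to stay internal
    "industrial-controller": set(),
}

# Address ranges treated as internal (RFC 1918); anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_oui(mac):
    """Basic fingerprint: vendor from the first three octets of the MAC."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def classify(mac, flows):
    """Refine the OUI fingerprint with the protocols the device actually speaks.
    Returns (profile, oui_vendor, protocol_that_decided_it)."""
    vendor = lookup_oui(mac)
    for f in flows:
        hint = PROTOCOL_HINTS.get(f["dport"])
        if hint:
            return hint[1], vendor, hint[0]
    return "unclassified", vendor, None


def is_external(host):
    """DNS names and non-RFC1918 addresses count as external."""
    try:
        addr = ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def baseline_and_detect(records):
    """Group flows by device, classify each device, then flag two anomaly kinds:
       1. an external destination outside the profile's allowlist;
       2. a destination that no peer in the same profile group talks to."""
    by_device = defaultdict(list)
    for r in records:
        by_device[r["mac"]].append(r)

    profiles = {mac: classify(mac, fl) for mac, fl in by_device.items()}

    # Peer-group baseline: for each profile, which devices use each destination.
    dest_users = defaultdict(lambda: defaultdict(set))
    for mac, fl in by_device.items():
        for r in fl:
            dest_users[profiles[mac][0]][r["dst"]].add(mac)

    findings = []
    for mac, fl in by_device.items():
        profile = profiles[mac][0]
        peers = {m for m, p in profiles.items() if p[0] == profile} - {mac}
        for dst in {r["dst"] for r in fl}:
            if is_external(dst) and dst not in PROFILE_ALLOWLIST.get(profile, set()):
                findings.append((mac, profile, dst, "external-not-allowlisted"))
            elif peers and not (dest_users[profile][dst] & peers):
                findings.append((mac, profile, dst, "no-peer-uses-destination"))
    return profiles, sorted(findings)


# Constructed sample flows (mac, destination, destination port).
SAMPLE_FLOWS = [
    # Angiography system: generic NIC OUI, but it speaks DICOM to the PACS.
    {"mac": "00:11:22:33:44:55", "dst": "10.0.5.20", "dport": 104},
    # Three cameras stream to the NVR; two also fetch vendor updates ...
    {"mac": "aa:bb:cc:00:00:01", "dst": "10.0.9.10", "dport": 554},
    {"mac": "aa:bb:cc:00:00:01", "dst": "updates.acme-camera.example", "dport": 443},
    {"mac": "aa:bb:cc:00:00:02", "dst": "10.0.9.10", "dport": 554},
    {"mac": "aa:bb:cc:00:00:02", "dst": "updates.acme-camera.example", "dport": 443},
    {"mac": "aa:bb:cc:00:00:03", "dst": "10.0.9.10", "dport": 554},
    # ... while the third reaches an external host no profile permits.
    {"mac": "aa:bb:cc:00:00:03", "dst": "203.0.113.77", "dport": 443},
    # Two lift controllers speak Modbus to the SCADA host; one also contacts the HR app.
    {"mac": "dd:ee:ff:00:00:01", "dst": "10.0.3.5", "dport": 502},
    {"mac": "dd:ee:ff:00:00:01", "dst": "10.0.20.8", "dport": 443},
    {"mac": "dd:ee:ff:00:00:02", "dst": "10.0.3.5", "dport": 502},
]

if __name__ == "__main__":
    profiles, findings = baseline_and_detect(SAMPLE_FLOWS)
    for mac, (profile, vendor, proto) in profiles.items():
        print(f"{mac}: OUI says {vendor!r}, classified as {profile} via {proto}")
    for f in findings:
        print("FINDING:", f)
```

On the constructed data the angiography system is classified as medical imaging even though its OUI points at a generic NIC vendor, the third camera is flagged for an external destination outside its profile’s allowlist, and the first lift controller is flagged because no peer controller talks to the HR host. The peer-group check deliberately says nothing about a device that has no peers; in that case only the device’s own history (not modelled here) or the allowlist can serve as a baseline.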

The purpose-built Ordr Systems Control Engine is the only software product with the capability to perform this real-time mapping at massive scale. The unique Ordr SCE architecture is specially designed to collect and analyze device and system data – at line speed – from multiple sources within the enterprise, including:

  • Full packet capture data from backbone core routers, including all file transfers, HTTP sessions, peer-to-peer traffic, client-server traffic and application-level interactions.
  • Network infrastructure data from switches, routers, WLAN controllers, NAC solutions, etc.
  • Device probes such as SNMP, for inherent device information from various MIB repositories.
  • Protocol decodes of proprietary protocols like DICOM, Modbus and patient-monitoring systems.
  • Parsing results from well-known data plane signatures from security vendors.
  • User and location information, including Active Directory users with their roles and privileges, location feeds, etc.
  • Ingested network device information such as NetFlow.
  • On-demand vulnerability scans at onboarding, as well as information collected from other periodic vulnerability scan reports, such as open ports.
  • Network layer control plane protocols such as DHCP.
  • Utilization and performance data, such as the frequency and duration of operation and connection attempts.

Accurate mapping also requires integrating information from IT Service Management, Enterprise Asset Management, location information, and threat information from national level exchanges.

Ordr SCE takes all of this information and applies sophisticated machine learning with ANN (Artificial Neural Network) training models to classify and profile everything on your network. That gives us a full understanding of each device – what it is, how it’s configured, and what behaviors it is supposed to exhibit – with unprecedented granularity. Once that is done, it becomes possible to detect anomalies and come up with actionable policies, using AI techniques, to regulate and protect your devices and critical data assets, in real-time and at scale.

This is a level of intelligence and depth that you will never get from simple device fingerprinting. Customers using SCE’s device flow genome have been able to:

  • Correctly identify a SIEMENS AXIOM-Artis X-Ray Angiography medical device, rather than labeling it as a Tyran Computer Corp system because of the OUI of its embedded network interface card.
  • Reveal devices connected behind gateway systems from vendors like Capsule Datacaptor.
  • Rationalize inventory with other systems that have no knowledge of MAC or IP addresses and instead use serial numbers.
  • Find an uncontrolled user device on the IT side talking to a factory OT control system.
  • Spot non-standard software in a camera that was reaching back to get updates from a site in a questionable geography.
  • Accurately find WannaCry infestations and enumerate every compromised device and the source of the problem.

Mapping the device genome is incredibly complex, but it’s exactly that complexity that makes it so useful, and we’ve taken great care to present this detail to you in its simplest, most usable form. We make the incredibly complex incredibly simple.

The only effective way to address massively complex problems is to have an intricately detailed understanding of the elements of the problem. That’s the only way to develop treatments that improve human health and longevity. And that’s the only way to take control of the hyper-connected enterprise.