On July 14, 2020, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) published in the Federal Register the interim rule, “Federal Acquisition Regulation: Prohibition on Contracting With Entities Using Certain Telecommunications and Video Surveillance Services or Equipment” that requires federal agencies, including universities, to certify that they do not use telecommunications equipment or services produced or provided by the following Chinese companies or any subsidiary or affiliate of those entities:
  • Huawei Technologies Co.
  • ZTE Corp.
  • Hytera Communications Corp.
  • Hangzhou Hikvision Digital Technology Co.
  • Dahua Technology Co.
Included in the interim rule are the entities that the Secretary of Defense reasonably believes to be owned, controlled or otherwise connected to the Republic of China government. This rule impacts a range of industries like healthcare, education, automotive and aviation. As organizations look to identify all telecommunications equipment on their network, Ordr can quickly help them do so.

Compliance Made Easy with Ordr

In the interim rule, there is a section that calls for corporate enterprise tracking. Within Ordr, we have worked to create a workflow that will enable organizations to adhere to the actions needed for compliance.
Step 1
Without any interruptions to the network, Ordr passively detects prohibited devices and simplifies the ability to search for these devices in the UI. In addition to the devices that are clearly marked by the manufacturers above, those manufacturers also OEM their products, which makes it infinitely more complex without a solution like Ordr. For example, Philips often uses Hikvision cameras in their eICU product. Ordr identifies these products with ease, irrespective of the brands.
Step 2
Identify the physical location of these prohibited devices to initiate the appropriate workflow for taking them offline. With the information collected using Ordr, organizations can come up with a comprehensive plan to replace these prohibited devices based on the quantity, location and impact.
Step 3
After the prohibited devices are replaced, the new devices will automatically show up in Ordr and the replaced prohibited devices will be noted as “Offline” and can be deleted from the UI. This completes the device replacement workflow.
Additional Considerations
Bring Your Own Device (BYOD) presents a unique challenge. If the organization allows for BYOD to use internal resources, then blocking these prohibited devices is advisable. Ordr has the capability to monitor these devices and can work with Network Access Control (NAC) tools like Cisco ISE and Aruba ClearPass to block these prohibited devices from using the internal resources.
To stay in compliance, continuous monitoring is essential. This can be accomplished with an Ordr and Computerized Maintenance Management System (CMMS) integration. If Ordr discovers a new prohibited device, workflows can be set up in the CMMS to alert users to take remediation action.
For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.

I am excited to announce the integration of Ordr Systems Control Engine (SCE) and VMware NSX-T™ Data Center and VMware NSX® Intelligence™.

Ordr Systems Control Engine (SCE): Discovers every connected device, profiles device behaviors and risks, and automates response. Ordr not only identifies devices with vulnerabilities, weak ciphers, weak certificates, and active threats, but also those that exhibit malicious or suspicious behaviors. Ordr enables networking and security teams to easily automate response by dynamically creating policies that isolate mission-critical devices, those that share protected organizationally unique sensitive data (PCI, PHI, PII) or run vulnerable operating systems.

VMware NSX-T Data Center: Includes Distributed Firewall functionality to specify dynamic security policies down to the VM level with the ability to configure east-west and north-south firewalling.

VMware NSX Intelligence: Provides a graphical user interface to visualize the security posture and network traffic flows that have occurred in your on-premises NSX-T Data Center environment.

With the integration, joint customers can now:

  • Achieve cutting edge visibility
  • Accelerate NSX-T Data Center microsegmentation
  • Minimize the potential business impact associated with firewall changes

If your VMware NSX data center firewall microsegmentation team is looking for a method to significantly reduce the overhead of maintaining static NSX-T IPsets and group objects, it is time to consider a solution that is capable of addressing the following scenarios:

  • Automated NSX-T group object creation for non-data center device types
    Since NSX-T provides excellent visibility for the entire data center, the most time-consuming objects to create and maintain are ones which pertain to devices outside of the data center (enterprise campus, branch sites, etc).

Ordr continuously discovers devices as they join campus and branch networks and can automate the creation of corresponding group objects in NSX.

NOTE: Ordr creates NSX objects with a standard prefix of “ordr-”. This allows NSX admins to easily recognize which objects are autogenerated and maintained by Ordr.

  • Automated IP address membership tracking for NSX group objects
    Dynamically creating NSX-T groups is a great start, but this capability alone does not solve the labor-intensive aspect of maintaining IP address membership for each type of device.
    Ordr tracks the IP addresses of each type of device in the campus and branch. If a credit card reader device IP changes, Ordr will automatically update the NSX group with the new IP address.
  • Support for advanced visualizations in the latest version of NSX Intelligence
    Ordr programmatically creates NSX group objects and their members in a format which is compatible with the latest version of NSX Intelligence (announced at VMworld 2020).
    This means that NSX Intelligence is able to render all communications from Ordr-defined and maintained NSX device groups.
    This capability is key for teams who are looking to accelerate their data center security initiatives by gaining a comprehensive understanding regarding all types of campus and branch devices which are communicating to virtual machines in the data center.

How it works:

Step 1

Ordr SCE sensors use advanced deep packet inspection (DPI) techniques to process campus and branch traffic from a SPAN/port mirror, TAP, or packet broker feed

Step 2

Ordr SCE sensors forward metadata to the SCE Analytics system which identifies all the device types (including unmanaged IoT devices) which are communicating on the campus network

Step 3

Ordr SCE Analytics programmatically creates NSX groups and their member IP addresses
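
The group creation and IP membership tracking described above, sketched as an added example (not Ordr's or VMware's code): it computes which “ordr-” prefixed groups to create or update from a discovered inventory and leaves groups without the prefix alone. The function names, the inventory records, the `ordr-Smart-Speaker` and `dc-web-servers` groups and all IP addresses are assumptions; no NSX API is called.

```python
import ipaddress
import re

PREFIX = "ordr-"  # naming convention the page describes for autogenerated groups

def group_name(device_type):
    """Turn a device type into a name like 'ordr-BD-Alaris-Infusion-Pump'."""
    slug = re.sub(r"[^A-Za-z0-9]+", "-", device_type).strip("-")
    if not slug:
        raise ValueError(f"unusable device type: {device_type!r}")
    return PREFIX + slug

def desired_groups(inventory):
    """Map group name -> set of member IPs from (device_type, ip) records."""
    groups = {}
    for device_type, ip in inventory:
        addr = str(ipaddress.ip_address(ip))  # ValueError on malformed input
        groups.setdefault(group_name(device_type), set()).add(addr)
    return groups

def plan(inventory, current):
    """Compute changes so prefixed groups match the discovered inventory."""
    desired = desired_groups(inventory)
    # Only groups carrying the prefix are managed; admin-created groups are skipped.
    managed = {n: set(m) for n, m in current.items() if n.startswith(PREFIX)}
    changes = {"create": {}, "update": {}, "empty": []}
    for name, members in sorted(desired.items()):
        if name not in managed:
            changes["create"][name] = sorted(members)
        elif members != managed[name]:
            changes["update"][name] = {"add": sorted(members - managed[name]),
                                       "remove": sorted(managed[name] - members)}
    # Flag (rather than delete) managed groups with no devices left, because
    # firewall rules may still reference them.
    changes["empty"] = sorted(n for n in managed if managed[n] and n not in desired)
    return changes

# Constructed sample data: hypothetical IPs and a hypothetical admin group.
INVENTORY = [("BD Alaris Infusion Pump", "10.20.1.15"),
             ("BD Alaris Infusion Pump", "10.20.1.22"),
             ("Shenzhen Network Camera", "10.30.4.9"),
             ("Credit Card Reader", "10.40.2.7")]   # reader moved from .5 to .7
CURRENT = {"ordr-BD-Alaris-Infusion-Pump": ["10.20.1.15", "10.20.1.22"],
           "ordr-Credit-Card-Reader": ["10.40.2.5"],
           "ordr-Smart-Speaker": ["10.50.0.3"],
           "dc-web-servers": ["10.1.1.1"]}          # admin-owned, must stay untouched

if __name__ == "__main__":
    print(plan(INVENTORY, CURRENT))
```

Restricting the plan to prefixed names is what keeps an automated writer from overwriting firewall groups that administrators maintain by hand.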

NSX Intelligence with Ordr device data in action:

In this example screenshot from NSX Intelligence, we can quickly see that the Alaris Manager VM is receiving unprotected communication from two different device types in the campus network.

NSX group 1: ordr-BD-Alaris-Infusion-Pump

NSX group 2: ordr-Shenzhen-Network-Camera

This type of information can be leveraged to reduce the amount of manual labor associated with understanding source/destination communication for thousands of different campus and branch device types communicating to virtual machines in the data center.

In summary, the Ordr integration with NSX-T Data Center and NSX Intelligence allows teams to achieve greater operational efficiency by automating labor intensive tasks and unlocking rich device type context visibility for all campus and branch devices communicating with virtual machines.

For more on how one of our customers is leveraging this integration today, visit our on-demand VMworld breakout session NSX Intelligence: Visibility and Security for the Modern Data Center – Pt2 [ISNS2496] with Ray Budavari, Sr. Staff Technical Product Manager at VMware, Brandon Rivera, Enterprise Infrastructure Architect at CHRISTUS Health, and myself as we take a deep dive into the integration, and provide a demo of the Ordr and NSX Intelligence capabilities.



While my career started on the technical side, first with helpdesk support and then to a technical support engineer, I have enjoyed the journey into Sales. Through this journey, I find that the best part of my day is when I get to work with customers and partners on solving technical problems. While working with organizations in the Midwest region, this is a top issue I frequently hear about, “I am concerned about smart speakers with the ability to listen and share data. I want to track them down so I can understand what are out there and where they’re located, so I can understand the risk, remove them, and educate our users about the risks.”

While devices like Amazon Alexa and Google Home are top of mind, devices like smart lights, connected thermostats, and more are equally of concern. Any device that you can audibly address and say, “Hey Siri”, “Hey Google”, “Hey Alexa!”, or “Hey, thing” to, has the ability to be a threat to organizations.

These concerns are nothing new in the security community and while this Washington Post article gives a good background on the scope and concerns around this topic, there are still billions of IoT devices and a noticeable fraction of those smart speakers. The reality is these devices can be used against organizations, if someone is enterprising enough to take advantage of them.

Example:

In large hospitals, I’ve seen smart speakers located in board rooms, executive offices, a front information/security desk, a desk in a 911 dispatch center, an analyst’s desk in a SOC, and more. These devices bring risk to an organization through external threats and especially insider threats. One individual could walk into a board room and say, “Hey Alexa, record the next two hours,” or remotely access the device for listening, before a board meeting, sharing organizationally unique sensitive data.

While there are many articles that highlight how device users can review and delete recordings, these devices still pose a tremendous threat to organizations, especially when they don’t know if/where they exist.

  • PC Mag – review and delete recordings
  • ZD Net – research from Check Point on exploiting these devices

In my tenure at Ordr, I have worked with various organizations to locate these devices and secure their network. Here are some foundational steps I walk through:

Step 1.  Find the devices/continuously monitor for these device types: 

This is an easy one for Ordr.

  • Ordr has profiles for all of these types of systems.
  • Ordr is always on as well, so this is continuous. Not just a point in time or scheduled check for systems like this. No scanning required either – so no drops in coverage.
  • How does Ordr see these systems? Just send a copy of your wireless traffic to an Ordr SCE Sensor. Ordr can see your Corporate and Guest Wireless (as that is where most of these live).
  • Ordr discovers and classifies these systems automatically. Here are screenshots of a few examples of these types of devices, profiled by top manufacturers:

Sonos:

 

Amazon:

 

Google:

 

You get the point.

Step 2:  Contextual Detail:

You will need to know where the device is, when it first appeared, where it is communicating, etc. You have more questions at this point, and Ordr has the answer.

Here is an example of the information Ordr will give you:

Device Profile - Amazon Alexa

You need and get network detail on IP, MAC address, which wireless network it is connected on, access point it is connected to, location information, the VLAN it is on, as well as when the device was first detected and last seen on the network by Ordr. These devices come and go, so the Network Stats will capture historical anchoring into the environment to track the device while it has been in your environment.

Step 3: Removal of the Device

If you can’t get to the device physically, you can remove it from the wireless network. With Ordr integrated into your switches, NAC solution, or firewall solution, you can either remove the device connectivity completely, or push a policy to restrict its access... until you can address the educational moment with your colleague.

Below is an example of the communications this Amazon Alexa device had in the environment, and where you would push Ordr policy from our Flow Genome to your existing security systems.

Flow Genome - Amazon Alexa

I hope you found this to be helpful.

“Hey Siri, leave comment below.”