Ordr Recognized in Gartner Market Guide for CPS Protection Platform Read more here!

Ordr

Request a Demo Search

Tag: IoT Security

There has been a lot of attention paid to ransomware over the last few years, and with good reason. In 2021 Fierce Healthcare reported a 470% increase in ransomware attacks on the healthcare industry in 2020 compared to the previous year. Threat actors saw an opportunity to take advantage of pandemic chaos to target a vulnerable sector of the economy and got to work. Healthcare took the brunt, but no industry was safe. The FBI’s Internet Crime Complaint Center (IC3) reported a more than 20% increase in ransomware investigations overall during that same period and said ransomware payouts increased at an even higher pace as a result. And according to Security Magazine more recent analysis shows the ransomware threat continued to rise through 2023, with more attacks, new gangs, and manufacturers emerging as a favorite target.

But ransomware isn’t the only danger to IT networks and data integrity. More common attacks, where the goal isn’t to lock down valuable information but siphon it off, remain a major threat to businesses. In fact, the most recent IC3 annual report said the FBI received 2,385 ransomware complaints accounting for losses of more than $34.3 million, while overall the Bureau fielded over 800,000 cybercrime complaints with losses of more than $10.3 billion during 2022.

A Complete, Real-Time View

Countering cyberthreats of every type is vital to protecting an organization’s business and operational interests, the safety of individuals, and to safeguarding assets like finances and intellectual property. Many types of cyberattacks share common attributes and indicators of compromise (IoC) like point of entry and vector, lateral movement, and disruptions to normal communications patterns. Identifying these can be difficult without a complete and real-time view of the assets comprising the network, and detailed profiles of each device connected to it. That is why a “whole enterprise” approach to cybersecurity must be adopted to maximize threat prevention.

Because many devices use obsolete, unsupported operating systems, they are easy to exploit and to quickly traverse the network toward their goal. 

This is especially important when considering the growing reliance many organizations have on the Internet of Things (IoT) and associated technologies like the Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), operational technologies (OT), cyber physical systems, and other types of connected devices. Attackers don’t care what kind of devices the organization has deployed, only the operating system it runs. And because many devices use obsolete, unsupported operating systems, they are easy to exploit and to quickly traverse the network toward their goal.

Zero Trust Support

It makes sense, then, that a whole enterprise approach is the logical way to address cybersecurity because it includes full asset visibility combined with rich operational insights to give security teams the ability to recognize unexpected communications patterns and make informed security decisions in response. That is the Ordr See, Know, Secure philosophy to connected device security and it is why we have invested so much into building a platform that not only reveals an organization’s full connected device inventory in real-time, but layers in both intelligence and automation that enable dynamic policy creation and enforcement and support Zero Trust security initiatives.

A whole enterprise approach is the logical way to address cybersecurity because it includes full asset visibility combined with rich operational insights to give security teams the ability to recognize unexpected communications patterns and make informed security decisions in response.

That is important because connected devices are increasingly targeted by threat actors who use notoriously unsecure IoT, IoMT, OT and other devices as either an attack vector or path of lateral movement once inside the enterprise. They know that if 20% of an organization’s connected devices are outside the view of security, they are less likely to be detected and thwarted, and that their efforts stand a much higher chance of success.

Seven Keys to Fighting Back

To counter this threat, Ordr enables seven key capabilities in the fight against cyberattacks:

  • Discovery of all connected devices.
  • Identification of device communications with prohibited countries, prohibited IPs, and malicious URLs.
  • Communications baselining and identification of communication anomalies.
  • Identification of devices running vulnerable protocols with the ability to disable or monitor as needed.
  • Identification of devices running unpatched and/or vulnerable software and OSes through the Ordr Software Inventory Collector.
  • Segmentation or quarantining as a compensating control for devices that cannot be updated.
  • Retrospective analysis to evaluate past compromised communications patterns when new IoC and threat intelligence are released.

Recent Attacks Illustrate the Threat

Several recent, high-profile threat campaigns illustrate how these capabilities and a whole enterprise approach to cybersecurity can help prevent or minimize the effects of an attack. Exploiting vulnerabilities in Fortra’s GoAnywhere managed file transfer product, Progress Software’s MOVEit managed file transfer product, and the RDStealer weapon targeting remote desktop applications allowed threat groups to plant malware, including ransomware, in hundreds of organizations and execute the exfiltration of millions of data files containing sensitive personal and corporate information. Even when attacks use zero-day vulnerabilities to compromise network security undetected, the exfiltration of data may itself trigger automated policy enforcement, minimizing the event’s impact.

Ordr is a key component in the whole enterprise cybersecurity strategies of many top healthcare, manufacturing, financial services, and other organizations that recognize their growing reliance on connected devices could leave them vulnerable. Using Ordr, they now SEE, KNOW, and SECURE their systems and data.

Ordr just announced the closing of our Series C round of investments, raising an additional $40 million dollars to support our growth and continuing R&D in the realm of securing internet-connected devices for the organizations that rely on them. Investors in the round include ongoing commitments from all our prior investors, including Battery Ventures, Ten Eleven Ventures, Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. We are delighted to add Northgate Capital as an Ordr investor and to have the support of industry leaders and notable Silicon Valley entrepreneurs René Bonvanie, former Chief Market Office of Palo Alto Networks; Dan Warmenhoven, former Chairman and CEO of NetApp; and Dominic Orr, former Chairman and CEO of Aruba Networks.

Since Ordr’s founding in 2015, our company has attracted more than $90 million in total investments. On behalf of the Ordr team, I want to thank all our investors for this strong vote of confidence in the organization and in our vision for the future of cybersecurity. While many companies have been sold or exited this market early, this funding gives us the ability to build a strong, stand-alone technology leader that will be here for our customers for years to come. I must also offer our gratitude to the hundreds of customers and partners who have trusted Ordr to protect their connected devices, patients, and businesses. We are inspired every day by your commitment and dedication to your mission. Your passion and input have made us a better company and today’s announcement would not be possible without you.

Finally, I want to recognize the tremendous Ordr team, from our founders, Pandian Gnanaprakasam and Sheausong Yang, to the amazing new colleagues who have joined us recently. This milestone reflects your passion, your empathy for our customers, and your dedication and confidence in our mission.

Our Vision, Our Journey

When we began our journey, it was estimated that there were about 3.5 billion internet of things (IoT) devices connected to public networks. Improvements and innovations in processing and network communications, artificial intelligence and machine learning, and automation presaged rapid growth for the technology. Today there are more than 35 billion connected devices in service, and projections suggest more than 75 billion will be deployed by 2025—more than twenty times the number since we started.

Every one of those devices is a potential attack vector, expanding the need for what Gartner now calls “cyber asset attack surface management,” or CAASM. Threat actors are adept at taking advantage of device vulnerabilities to gain a network foothold from which they can move laterally to disrupt operations and execute attacks. Their targets are often organizations in critical infrastructure industries like healthcare, manufacturing, energy, and government where there has been heavy adoption of IoT devices, including the internet of medical things (IoMT) and operational technologies (OT). In fact, Ordr is one of the few security vendors that address a myriad of security and device management use cases across Gartner-defined market categories ranging from medical device security and OT security, to CAASM, and network detection and response (NDR).

IoT Security as a Business Imperative, Strategic Priority

Securing the vast constellation of connected devices is not only a business imperative, but it has been recognized as having strategic importance for national security here in the U.S. and abroad. The Ordr platform is a vital component to achieving a Zero Trust security posture as recommended to protect economic interests. To meet the security needs of critical infrastructure and other industries, like financial services, retail, education, and biopharma research, where connected device adoption is building momentum, requires a tool like Ordr that is designed to address conditions unique to connected devices. Ordr’s “See. Know. Secure.” approach to connected device security finds devices wherever they are in the network, identifies each device and learns its operating pattern, then automatically applies and executes appropriate security policies to ensure that each device remains protected.

And Ordr’s approach to connected device security works. That’s why the Ordr platform enjoys wide adoption across critical infrastructure industries where we help protect three of the world’s six largest healthcare organizations, and are the connected device security tool-of-choice for more than 150 manufacturing sites. Ordr customers span the full spectrum of industry, and our technology’s excellence has driven a 140% increase in year-over-year new customer growth in our most recent quarter, ending March 31, 2022.

Looking to the Future of Connected Device Security

As we look to the future to further develop our product, attack the market, and execute against our business plan and goal of achieving continuous improvement in all aspects of our operations, we’re proud to have attracted such strong partners invested in our success and that have a stellar track record working with companies in hyper-growth, and that bring strong domain expertise to our leadership team. We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer’s security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market.

It is my privilege to serve as Ordr’s CEO and to play a role in an exciting future for the company, and am humbled to be surrounded by a team of professionals committed to our success and the security of our customers. If you want to be a part of that future, please check out our Careers page for opportunities to join the team. If you are a CISO, CIO, or other tech leader who recognizes that your company’s investments in connected devices are leaving you vulnerable, take a look at our technology and then reach out for more information or a demonstration. We’d love to hear from you.

It’s December 8, 1941, and you’re in charge of defending the United States against future enemy air attacks like the one that devastated Pearl Harbor. What would you do?

Given the technology of the time, you wouldn’t have had many choices. You might have recruited scores of civilians and given them illustrated books showing what German and Japanese warcraft looked like and how to distinguish them from American or British planes. Then you’d ask these civilians to take up observation posts and call a phone number when they spotted anything suspicious.

That’s indeed what happened and what served as a national alert system until later in the war when radar was invented. Lucky for the United States, the action remained almost entirely away from American shores throughout World War II.

But the human radar example, along with subsequent warning and response systems, provides a rough parallel to the progress of network security defense mechanisms from the early days of IT until now. It’s a story that highlights common requirements between keeping a country safe from bombings and a network safe from breaches. From an operational standpoint, each of these systems needs to meet three objectives:

  1. Comprehensively monitor the threat posed by the enemy
  2. Accurately detect threats
  3. Quickly and thoroughly respond to neutralize the threat

Noble goals, but as we shall see, they’re not so easily accomplished.

The 7 stages of network security evolution

Stage 1: Intrusion Detection System (IDS)

In the beginning, there was the intrusion detection system (IDS) method, which is not terribly different from printing up a bunch of enemy plane illustrations and telling your network to be on the lookout for them. In the IT case, the illustrations were “signatures” of the known malicious threats that had been identified based on past attacks.

There were two major problems with this system:

  1. It didn’t do you any good if the enemy had developed a new weapon that didn’t look like the ones it attacked you with previously and…
  2. Once spotted, the detection system didn’t prompt any automatic responses – just a “hey, you might want to do something” call to headquarters.

In all fairness, the initial ideas for IDS came about in the early 1980s when the only people using networks extensively were governmental agencies. The true cyber wars were decades away, so a relatively primitive network monitoring tool sufficed.

Stage 2: Intrusion Prevention System (IPS)

As attacks ramped up, the people who developed network security tools next added a basic response feature: blocking. The packet containing the dangerous goods was prevented from delivering the payload to a target by using an intrusion prevention system (IPS) to shut down access to email addresses, websites, and the like. In warfare terms, this is like erecting a shield over your target without doing anything to anticipate and prevent future bombing raids.

The other issue that came to undermine effectiveness was a vendor’s tendency to brag about how many attackers they’d identified to keep networks safe in the form of “playbooks.” Vendor A claimed that it was better than Vendor B because it listed, say, 3,500 malware agents in its playbook while its competition only had 2,000. This slowed down operations as the system thumbed through its databases and tried to determine if blocking was needed.

Stage 3: NetFlow

Cisco developed this protocol for its switches and routers to give SecOps a broad overview of what was happening on the network. Now the security team had visibility of activity so it could effectively monitor and troubleshoot network performance across all data sources. This provided ready-made, native tools to investigate issues without using workarounds that might or might not work.

Stage 4: Network Forensic Technology (NFT) and Metadata

While it’s great to have a broad view of threats to a network, you also need to be able to dig deep and analyze individual threats. To do so, you need to look at the packets in question – and do so quickly and efficiently. Network Forensic Technology (NFT) and metadata did exactly this by looking at the packet headers. Metadata in particular, was a significant advance in that it could see patterns and quickly group threats that resembled other threats. This is similar to the way that photo programs now can recognize a face and help viewers pull all shots of a given person from thousands they may have captured with just a few clicks rather than sorting through the entire catalog.

Stage 5: Network Analysis and Visibility (NAV)

While NetFlow gave visibility into what was happening with devices that incorporated the Cisco technology, it didn’t give teams a hint about what was happening elsewhere on their networks. Enter Network Analysis and Visibility (NAV) — a tool that pulled the covers off assets that might previously have been hidden. This means everything — in the cloud, on-prem, and even ZTE/SASE solutions — comes into view.

Stage 6: Network Traffic Analysis (NTA)

NAV was introduced in 2011, and eight years later, a further refinement came in the form of network traffic analysis (NTA). The visibility extended into such access points as IoT devices and deepened the ability to look closer and deeper at problematic traffic. There’s only one problem: We’re still largely just SEEING the threatening enemy with these devices and sealing off dangerous openings. What we need is something that can neutralize the attacking group — if not exactly a squadron of fighters shooting down enemy bombers, at least some mechanism to take countermeasures automatically.

Stage 7: Network Detection and Response (NDR)

The most recent and most effective method of defending networks from intruders, network detection and response (NDR) provides not only the extensive analytical and visibility power that previous generations have developed, but — as the name implies — an automated response as well.

In its NDR market guide, Gartner provided several criteria for a product to be classified as such. A true NDR must:

  • Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real-time or near real-time.
  • Monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network).
  • Be able to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
  • Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics that detect network anomalies.
  • Provide automatic or manual response capabilities to react to the detection of suspicious network traffic.

At Ordr, we advocate that the above Gartner-outlined features aren’t enough. To more comprehensively detect against all threats, NDR should evolve, and the following capabilities need to be considered.

  • Integrated IDS – Yes, IDS has been around for a while, and it may not be as sexy as all other new threat detection capabilities. But it’s tried and true. A comprehensive threat detection solution should incorporate an IDS to detect known threats. An integrated IDS complements machine-learning behavioral techniques.
  • Device context – For security teams that receive a threat alert about a potentially-compromised device, additional insights on that device are needed to move from “detection” to “response.” For example, information on what the device actually is that’s compromised, where it is located, data enrichment, business context, what actions are possible, how to prioritize those actions, what the compensating controls should be, and what actions to take if the device is offline. This means that while NDR may be a network-centric view of cybersecurity, organizations need to evolve to an asset-centric view of cybersecurity.
  • Network context – In addition to device context, you need to understand details about where a device is connected, what is the wireless/wired access, what are the “normal” network flows.
  • Retrospective analysis – New IoCs are constantly being generated as new criminal gangs form. A detection and response solution needs to incorporate the ability to ingest newly announced indicators of compromise, and determine if an infected device is already in the network. We know that attacks stay in the network for months at a time; retrospective analysis identifies compromised devices that have bypassed existing security controls so you can address security gaps that exist.
  • Response – and Remediate not just Detect and Respond –  Automated response means everything during a security incident; you cannot just rely on SIEM (too much data to analyze), or SOAR (assumes the recipe to remediate is in place, which it may not be). A next-generation detection and response solution needs to be able to properly generate remediation policies or segmentation policies to quarantine an infected device and orchestrate action on appropriate networking/security infrastructure. The device and network context outlined earlier is the foundation for proper policy creation to allow a potentially compromised device appropriate access required for its role while limiting exposure. Creating the ability to implement, operate, and orchestrate efficient and effective policy drive automated actions.

*Note: These capabilities above are critical and should be added to NDR requirements. Ordr supports these features and more. 

Ordr: The next level of detection and response

Ordr builds on all the accomplishments of the past and moves it to something unimaginable in the early days of cybersecurity — as different from the labor-intensive, incomplete manual methods as modern missile defense systems are from those civilian plane-spotter projects. Now you have a thorough, granular  understanding of all devices, the ability to detect known and unknown threats, and an automated process for defending yourself. With Ordr, you know what devices are connected, what activities they’re executing, which ones are vulnerable, and how you can secure those devices at scale.

It’s a solution that is being embraced by organizations in a wide range of verticals that need to keep their guards up — healthcare, life sciences, government, manufacturing, retail, and enterprise in general.

We invite you to see Ordr in action and see how we can give you the complete protection your organization deserves.

Awareness and concern over security implications associated with the flood of connected devices hitting the market is growing worldwide, and governments are taking notice. Here in the U.S., it started after it was discovered that internet-connected security cameras made in China, and in common use at Department of Defense facilities, were sending data back to their manufacturers. That prompted Congress to take targeted action prohibiting the purchase of communications gear made in China. The Secure Equipment Act of 2021 was signed into law on November 11, 2021.

But unsecure IoT and Internet-connected devices aren’t a problem limited to products made overseas. The journal EE Times recently reported that the security of connected devices is a major concern, and that manufacturers of such products are not reporting known issues and vulnerabilities with their goods.

New UK Bill Aims to Protect Consumers

Now, a new law being considered in the UK seems intended to protect consumers from the threats associated with unsecure connected devices.  The Product Security and Telecommunications Infrastructure (PSTI) Bill is expected to become law sometime in 2022 and would establish new rules for Internet-connected devices made and marketed to consumers. PSTI would prohibit universal default passwords, ensure transparency related to known security flaws and what actions are being taken to mitigate them, and require the creation of better public reporting systems for discovered vulnerabilities.

Industry research, current events, and laws like PSTI show that personal and enterprise security have never been more vulnerable and intertwined. Vulnerabilities in Internet-connected devices don’t just put consumer data at risk, but also put corporate and government enterprise integrity in jeopardy. While PSTI is focused on the consumer-grade IoT market, we know many such devices make their way onto corporate and government networks.

Consumer Devices are Connecting to Commercial, Government Networks

Ordr’s own research (Rise of the Machines 2021: State of Connected devices — IT, IoT, IoMT and OT) has found devices like Pelotons, Sonos and Alexas, Kegerators, and many more unmanaged, consumer devices connected to corporate networks and healthcare environments—often for legitimate purposes and operations. Alexa devices, for instance, are being used as substitutes for the nurse call button, turning on lights and TVs with a voice command. Pelotons are being adopted for physical therapy. Imagine if those devices were to become compromised after connecting to a hospital’s IT infrastructure.

In Ordr’s view, legislation like PTSI should be expanded to cover an even broader array of devices, including those designed specifically for the enterprise as well as the consumer. Enterprise devices, and even medical devices, share many of the same vulnerabilities. Instead of merely requiring transparency, PTSI should mandate designing security into IoT products, ensuring secure protocols and technologies are used for key functions.

More Awareness, Security Needed

PTSI will help make consumer devices safer, but beyond safer passwords and vulnerability management, organizations still need to consider additional security best practices, such as:

  • Maintaining a real-time inventory of devices: You can’t protect what you don’t know about. Security starts with real-time visibility of exactly what you have in your network and how those components are communicating in the network.
  • Monitoring device behaviors for suspicious communications: Devices have deterministic functions. By using machine learning to baseline what behaviors are normal, you can then identify abnormal device behavior that may be an early indication of an attack.
  • Tracking who is using your devices: By tracking and associating devices to users, you can identify compromised devices and also potential account misuse.
  • Implementing Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing “normal communications” required for its function, while limiting exposure.

We believe PSTI is a good start, but much more remains to be done to make all internet-connected devices, and the people and organizations that use and rely on them, safe.

Internet of Things (IoT) has introduced enormous benefits to society over the years. With great power there must also come great responsibility to protect it. As the number of IoT devices grow and become embedded into the corporate ecosystem and so is the need to provide security for it as a top priority.

The challenge is many IoT devices were not designed with security in mind. Many devices do not have an interface, lack basic security features, and simply cannot be updated or patched in the event of a software vulnerability. The global workforce continues to be digitally dispersed across the home and office devices this provides a unique challenge for security and risk leaders to overcome. This is further complicated as IoT devices move outward to partners and the larger supply chain.

Recent Examples Where IoT Devices Have Been Compromised:

As 5G speeds things up even further and devices with embedded IoT capabilities start to come to life the opportunity to get a hold of this tsunami will is coming to a rapid end. Implementing best practices now will ensure your organization is able to proactively get ahead of this and mitigate your risk exposure to an attack.

  1. Accurately identify your complete attack surface – Accurately and completely identify all connected assets everywhere your corporate ecosystem; inside and outside your physical four walls.
    1.  Ensure that you have granular details on every device such as make, model, operating system, serial number
    2. This allows organizations to gain real-time continuous visibility and insights into all of their assets such as those with weak certificates, poor passwords or vulnerabilities so they can be managed efficiently and effectively
  2. Find active threats more quickly and accurately – Continually detect known and unknown threats as they happen with actionable insights.
    1. Consider threat detection solutions that can detect exploits, attacker tools (such as Cobalt Strike or Eternal Blue), and lateral movement
    2. Map and baseline device behavior to identify anomalous behavior such as C2 communications to malicious domains.
    3. Utilize rich device context to discern what is happening to which devices exactly where the moment it occurs. The Mean Time To Detect (MTTD) is critical in mitigating the impact a threat has on your organization.
  3. Immediate Response – Take fast, targeted actions to impacted devices to eliminate operational downtime.
    1. By implementing a Zero Trust security posture across network, endpoint, as well as other telemetry in your infrastructure you can reduce the next critical metric is the Mean Time to Respond (MTTR).

Implementing these best practices is not an easy task. Ordr is here to help. For more information, email us at info@ordr.net.

Last week, we announced the availability of Ordr’s 2nd annual Rise of the Machines 2021 Report “State of Connected devices — IT, IoT, IoMT and OT”. This year’s report analyzed connected device security risk and adoption for 12 months (June 2020 through June 2021) across more than 500 Ordr deployments in healthcare, manufacturing, financial services organizations and more.

We invite you to download this report here.

What were the learnings from the Rise of the Machines? Here are the five security takeaways from the 2021 Report.

1. A “whole organization” approach to connected device security is critical

In this report, Ordr discovered that 42% of connected devices were agentless or un-agentable devices. This number increased from 32% of agentless or un-agentable devices in 2020. With almost half of devices in the network that are either agentless or un-agentable, it’s clear that a security strategy that is only focused on agent-based endpoint security is not enough. These connected devices are key to digital transformation and organizational strategic priorities, but they are not designed with security in mind, often run obsolete operating systems and cannot support endpoint security agents. The solution is to identify, detect and secure via the network to complement your endpoint security solution.

What’s important to remember is that ALL devices/assets need to be identified and profiled. Yes, if you’re in healthcare, medical devices are critical, and similarly if you’re in manufacturing, your OT devices are critical. But because threat actors can target any vulnerable device, you need to have a complete asset inventory of every “thing” in your network. The Colonial Pipeline attack showed us that when IT and IoT systems are hit by a cyberattack, your business is impacted even if your OT environment continues to function. In a hospital environment, a cyberattack impacting your elevator control systems will similarly bring down the entire healthcare operations if patients cannot be transported even if your medical devices are fine. This is what we mean by the “whole organization” approach to connected device security.

2. Beware the “Shadow IoT” and personal devices

In a sign of the times, Ordr found Pelotons, Sonos, Alexas and Teslas in the network, almost 2 times the number compared to the 2020 report. Many of these devices (with the exception of Teslas) were in fact being used for actual business operations. In fact, many of our “Smart Hospitals” were deploying Aexas in their rooms for their pediatric patients. Alexas were used for “nurse call functions”, to switch channels on TVs, and to dim or change the smart lighting in the rooms. Pelotons were being used for physical therapy in hospitals, deployed in gyms in hospitality verticals and enterprises.

What’s interesting to note is that not only do these devices have vulnerabilities (for example leaky APIs within Pelotons) for threat actors to take advantage of but there is also an overwhelming amount of data stored that could be used to target users within the organization. Threat actors are already targeting disgruntled employees to get them to unleash ransomware, imagine if they had data from personal devices (eavesdropping on Alexas or identifying health conditions on Peloton devices) to optimize their target list.

3. Understand which devices are bringing risks to your network

Outdated operating systems present the greatest risks for most organizations. We identified about 19% of deployments with devices running outdated operating systems Windows 7 and older, and almost 34% of deployments with devices running Windows 8 and Windows 10, which are expected to end-of-life in 2023 and 2025, respectively.

Within healthcare, 15% of medical devices and 32% of medical imaging devices run on outdated operating systems. This is because many medical devices remain in operation for a number of years and cannot be easily replaced for cost reasons. Segmentation is the only way to ensure security of these devices, keep them in operation and avoid the costs of replacing devices early.

Ordr makes this easy for any security organization because we create the segmentation policies automatically for you, to be pushed and enforced on switches, next-generation firewalls, wireless LAN controllers and NAC systems.

Besides outdated operating systems, you should also identify devices with weak operating systems, weak passwords or weak certificates. Again, this is an easy click of the button on the Ordr dashboard.

4. Monitoring device behaviors and communications patterns is critical to security

At Ordr, we believe in the adage “You can’t secure what you can’t see”. But visibility is not just about knowing what devices you have in the network, it’s also about understanding how it’s behaving and what it is communicating with. That behavioral understanding of what is “normal” allows you to surface anomalous behaviors such as lateral movement from the (sudden increase in SMB traffic) or a compromised device (via communications calling home to a C2 domain).

The Ordr platform not includes an integrated threat detection engine for known threats, but also the behavioral mapping of every device flow to detect unknown threats. This is not easy, we monitor almost one BILLION flows today across all our customers’ deployments. But this has allowed us to detect Darkside and Conti infections, via devices behaving suspiciously, BEFORE any indicators of compromise were even released by authorities such as the FBI.

5. Manage user access to devices and appropriate offboarding when status changes

Finally, one of the most interesting additions to the 2021 report was about 55% of our deployments having devices with orphaned users. Devices with orphan accounts retain the same access rights as when they were associated with an active user. These orphaned user accounts provide a gateway to privilege escalation and lateral movement. Therefore, as part of a robust and complete Zero Trust strategy for connected devices, you need to ensure that all devices are being utilized only by current users and those with appropriate privileged access. Check out our blog on identifying employee account misuse using Ordr.

Want to learn more? Download our Rise of the Machines report now.

I participated in Threatpost’s 15 Cybersecurity Gaffes and Fixes Mid-size Businesses Face Webinar with Timu Kovalev and Erich Kron earlier this year to share my knowledge of today’s cybersecurity issues.

Here are 15 cybersecurity issues many midsize businesses face:

  1. Think they’re too small to be a target: Many smaller organizations are perceived as easier targets, and attacks can go undetected and unsupported. Ensure there are appropriate cybersecurity defenses to protect your business.
  2. Haven’t made a thorough asset inventory assessment: You should be confident that you know what is on your network. Asset inventories should be kept up to date and automated.
  3. No network segmentation: Segmenting your network is foundational to cybersecurity plans, and prevents breaches from spreading throughout the network.
  4. Ignore fundamentals: Businesses should have the cybersecurity basics – asset inventory, business continuity plan, backups, security training, least privilege access policy, and segmentation strategy.
  5. Haven’t done a business risk evaluation: Risk evaluations are important to analyze security risks and allocate adequate resources to mitigate those risks.
  6. Insecure digital assets: All aspects of your organization are at risk of attack – digital assets need to be secured too.
  7. Don’t know what “normal” activity looks like: Some form of device monitoring program should be in place to flag what device communications are normal and which should be investigated.
  8. No two-factor authentication: Two-factor authentication is not only a useful cybersecurity tool, but is also an educational tool, driving employee awareness of cybersecurity issues by making them stop and think about security.
  9. Misconfigured cloud servers, confusion about move to cloud: Securing your data is your job, cloud service providers do not secure your data. Organizations should deploy security in the cloud and control access to the resources moved to cloud.
  10. Not enough user security training: Security training and helping employees understand the importance of security is key to a good security plan. Reminding employees that breaches can cause substantial business disruption as well as damage the company reputation can help them take training seriously.
  11. Haven’t evaluated their own threat to the supply chain: Many smaller organizations are often part of the supply chain for larger organizations, and will start being regulated more. These regulations can impact business function and revenue, so evaluating potential threats to the supply chain early on is important to addressing security risks.
  12. No business continuity plan: Many businesses fail to make a continuity plan or fail to think about a multitude of scenarios. A smart business continuity plan emcompasses cybersecurity.
  13. Strategic, realistic asset allocation and budgeting: Cybersecurity takes time, money, and effort, requiring asset allocation to be realistic and strategic.
  14. Failing to backup: Organizations should have a secure, set place to consistently backup information and protect their data.
  15. Lax patching: Patching is key to addressing vulnerabilities, and should be taken seriously.

Although this list is not all encompassing, addressing those 15 common mistakes can greatly improve your security. Ordr works with many channel partners and managed service providers that can help provide managed security services for you, including deployment and management of the Ordr platform.

Ready to achieve total visibility into what’s on your network? Request a free Ordr sensor today and you’ll be able to see what connected devices are on your network in minutes!

Ordr has one of the most robust channel partner programs in the market, and I often meet with our partners to understand not only what opportunities they’re working on, but also address any questions they have about our products.

In a conversation with Steven Dastoor of CITON recently, we spoke about the convergence of IT and OT environments, and how it was important to have visibility and security for IT (IoT) and OT devices. The Colonial Pipeline attack demonstrated that the security of IT systems is just as important as OT, because when your billing system goes down, your business operations are impacted even if the ransomware did not hit the OT systems.

We discussed best practices and specifically the recommendations outlined in the September 2020 Microsoft Digital Defense Report on securing IoT/OT Networks.

These were great recommendations by Microsoft. Here’s how Ordr maps to them:

Reducing exposure of IoT/OT devices

Beyond discovering and classifying all connected devices– from traditional servers, workstations and PCs to IoT, IoMT and OT devices. Ordr profiles device behavior and risks, and then automates appropriate action. In addition, there are visual representations of your network and associated risk. You can view this at the device group level easily to see all devices with communications to the internet in our Ordr Traffic Analysis connectivity map, or at the individual device level in our Ordr Flow Genome. We also integrate threat intelligence from multiple sources, enriching the Ordr Data Lake with data on emerging threats, domains associated with phishing sites, Command and Control (C2) infrastructure etc. We can also map “good behavior,” and flag and alert on any anomalies or new traffic patterns we have never seen before. This good behavior can be shared with other tools like the firewalls, switch infrastructure too, to create zero trust policies that only allow a device access and communication flows it needs. Anything else is automatically blocked based on the dynamically generated policies.

Mitigating risks

Ordr has a number of capabilities to first identify devices that are high-risks. These include devices with weak passwords and certificates, running outdated operating systems, or with vulnerabilities. Ordr also includes an integrated Threat Detection Engine that detects exploits and active threats, in addition to machine-learning models that alerts on anomalous traffic. Ordr helps validate security-based workflows like red teaming.

In addition, once vulnerable or compromised devices are identified, we can deliver rapid response to remediate and mitigate risks. We dynamically generate policies to save security teams time on manually writing policies individually for VLANs, SGTs, internal Firewall rules. In addition, organizations globally, use Ordr to triage events during the incident response (IR) process, often through enriching their Security Information Event Management (SIEM) solution.

Implement Zero Trust IoT/OT strategies

In order to create the appropriate Zero Trust policies, it is important to not only identify devices but also what they are doing in the network, and be able to create policies that align to business needs. This is one of Ordr’s biggest differentiators– creation of Zero Trust policies and the ability to be able to enforce them across existing networking and security infrastructure such as Aruba ClearPass, Cisco ISE, FortiManager/FortiGate, FortiNAC, CheckPoint, etc…

Centralize asset/configuration/patch management (IT, IoT, and OT)

Ordr delivers real-time asset inventory of every device. As we discover devices on the network, we can push and pull information from tools like ServiceNow or other CMDB/IT Asset Management tools to ensure the devices we see are cataloged by the business. We can keep asset management systems continuously up-to-date about systems that are not being tracked. We see this a lot where Ordr detects devices on the network that do not exist in the Asset Management tool, and also devices that are still in the Asset Management system as Active, but not deployed or online in the environment.

Ordr also works with vulnerability management tools like Tenable and Rapid7 to deliver vulnerability insights into devices that may not previously have been scanned for CVEs.

Convergence of IT and OT

We are a bridge between these teams, as we give them a data set they can both work with, from their unique perspective. I am working with a manufacturer right now where we are delivering visibility and security of their OT and IT networks. Because there aren’t “air-gapped” networks anymore, the IT security team was concerned about exactly what was connected. We found a number of OT Workstations running Windows XP, not part of IT as they are Siemens control systems, But the IT team was using Remote Access (RDP) to connect to them remotely for work. This is similar to how threat actors infiltrated the water treatment plant in Florida. Ordr was able to map out what specific devices are allowed to be part of remote work and remote access, limiting the attack surface. It is a great story of IT and OT coming together to ensure the security and availability of these systems.

Continuously monitor for unusual or unauthorized behavior

The Ordr platform includes a machine learning engine that baselines and maps every single device communications. This baseline allows us to understand what is “normal behavior” and alert on unusual behavior.

Ordr also monitors all devices that use supervisory protocols like SSH, telnet, ftp, etc., associates them with user names, correlates them with the network they logged in from (corporate or guest), and maintains an accurate access record for each and every device as well as each and every user.

Plan for Incident response

We are a critical product for Security Operations Centers (SOCs) and Cyber Security Incident Response Teams (CSIRTs) and should be a tool used in diagnostics. When an incident occurs, Ordr provides the context for the device and details about what it is communicating with. We can also provide insights on communications to C2 sites retrospectively. Finally, we empower SOCs and incident response teams by creating security policies to quickly lock down or isolate a device, block threats through NGFW policies, ACL blocks, quarantine VLAN assignment, port shutdown, or session termination–either directly to firewalls, existing switches, wireless controllers, or via NAC platform.

For example, when the SolarWinds vulnerability hit, we had a customer reach out and ask: “Can you give me an inventory of all of my SolarWinds devices, and where they are in the network”? We did it in two clicks. We also monitored the customer’s environment to see if there were any communications to SolarWinds domains.

Remember third parties

We can monitor third party connections. We see this all the time in healthcare where a third party, like Siemens, is connecting to do remote support on a device, like an MRI. We see the communications coming in from the Netherlands, generally over traditional management protocols like Telnet, SSH, HTTPS, and RDP. We can track the source/destination of this traffic, as well as have the time stamps for when it is occurring. We can then create Zero Trust policies to lock down these management ports, but still allow the third party access that is needed.

Ready to achieve total visibility into what’s on your network? Request a free Ordr sensor today and you’ll be able to see what connected devices are on your network in minutes!

Internet of Things (IoT) are now in every aspect of enterprises. As businesses grow, adding more and more devices to their networks, they face unique challenges in securing IoT. Frost and Sullivan, in their most recent report “Strategic Assessment of the IoT Security market” expects the number of IoT devices to grow from around 34 billion devices in 2020 to over 60 billion by 2025:

As IoT adoption increases, IoT security is becoming critical. Many IoT devices lack basic security features, cannot be easily patched, and run obsolete operating systems. The ideal scenario is to build security into these devices, which some states and the Federal government are advocating via legislation such as the California SB327 or the IoT Cybersecurity Improvement Act. But with billions of insecure IoT devices already deployed, organizations need cybersecurity solutions that can address IoT security today.

In this report, Frost and Sullivan also calls out the need for an IoT security solution that offers the following:

  • Network Monitoring: Network monitoring, or network detection and response solutions that incorporate deep packet inspection technologies can extract granular insights about devices. This can be combined with artificial intelligence (AI) and machine learning (ML) technologies to map and baseline every device communications.
  • Integrated IT, IoT, and OT Cybersecurity: As IT and IoT/OT networks, the need for multifunction platform that offer the “whole enterprise” approach is important.
  • IoT Risk Management: A solution that can help identify risks and defines anomalous behavior is important
  • Network Segmentation: A good best practice to protect connected devices is via segmentation. Zero Trust segmentation ensures devices have appropriate access required for its role, while limiting access, and can be enforced on next-generation firewalls or in the network (switches, network access control)

In fact, these are the key building blocks of the Ordr platform – a whole organization approach to device security that combines DPI with AI to classify devices, profile risks and behavior and automate response including Zero Trust segmentation. Our capabilities include:

  • Device discovery: Within a few hours of deployment, Ordr discovers high-fidelity context on every connected device, including make, OS, location and application/port usage
  • Device flow analytics and baselining: Ordr passively monitors network communications and creates a conversation map, called the Ordr Flow Genome, for every connected device.
  • Security response: Ordr automates device identification and uses AI to baseline normal communication behavior, then translates these behaviors into a device-specific security policy
  • Detection of internal reconnaissance and lateral movement: For reconnaissance and sniffing, the Ordr behavioral baseline of the compromised devices can spot these activities as soon as the flow starts to a destination from a device that has the malware infection to a device to which it has never had any flows
  • Comprehensive device insights for businesses: Ordr sees the device the moment it becomes active in the network, records operational activity and records the time it goes offline

To learn more about Ordr’s IoT security solutions, please visit www.ordr.net. For the full report, click here.