CISA, the FBI and the U.S. Treasury have released a joint Cybersecurity Advisory (CSA) about North Korean-sponsored attackers using Maui ransomware to target the healthcare industry.  We urge healthcare organizations to quickly act now to protect their systems.

Every connected device increases the attack surface. Healthcare organizations cannot afford to only do the minimum to secure their networks – especially when patient safety is at stake. Hospitals and healthcare organizations rely on all kinds of connected devices to operate and they don’t always know exactly what’s connecting to their networks. This makes it hard to immediately understand what’s at risk when these ransomware alerts are issued.

In addition, healthcare organizations often rely on older, more vulnerable legacy devices and equipment that have a long lifespan and can’t be taken out of service. These legacy devices (such as those running outdated Windows 7/8/10 operating systems) often represent about 20% of devices or more in a network.

The Maui Ransomware is more challenging to detect than many other types of ransomware because of the way threat actors execute these operations remotely. With help from our customers, we’ve validated that no communications from their devices to North Korea exist, other than DNS traffic from guest devices. However, this is a wake up call for healthcare organizations to shut down all communications to North Korea so we are protected from future breaches.

Here are some immediate steps to take based on this Maui Ransomware advisory.

Monitor device communications flows 

Track communication to certain countries like Russia and N. Korea and understand the web reputation of the sites these devices are going to. Medical devices should not have a legitimate business need to be communicating with certain countries.

Healthcare organizations can do this using the Ordr traffic analysis tool.

Additionally, similar to our Russian communications report, and the detailed analysis we performed, Ordr will be delivering a North Korean communications report. Our customers can generate this report when they need the data, or schedule it daily or weekly.

Monitor privileged communications 

Healthcare organizations need to monitor devices using privileged protocols, for example, SMBv1 and RDP protocols. Security teams need to scrutinize the usage of these protocols and shut them down if they are not required. These protocols come into play for device manufacturers to perform maintenance, but access should be enabled only for the duration of services needed.

Ordr tracks connected devices using these protocols continuously today. Our customers can get details about these devices with one click on our dashboard.

Monitor all remote execution activities  

The Maui ransomware is designed for manual execution by a remote actor via a command-line interface, using it to target specific files on the infected machine for encryption. So, it is imperative to watch all the remote execution commands like telnet/rsh, rcp, rlogin etc., and track such activities carefully. The Ordr platform allows you to identify all devices using these methods to make sure they are all open and available only for a very few select devices and shut this down on all other devices if the need that opened this up has been fulfilled.

Monitor all user login attempts  

It is imperative to monitor closely all windows workstations and servers that serve clinical needs and work closely with medical devices. The Ordr platform provides a list of all logins attempts on any windows machine to track and identify unwanted logins. It is advised to clean up the numerous unnecessary accounts on various machines in clinical setting using a report from Ordr,  following the principle of least privilege.

Monitor for IoC files 

Healthcare organizations can detect files that are used by the Maui ransomware threat actors, for example maui.exe/maui.log/maui.key and its variations as well as malicious file indicators. Customers using Ordr can identify the presence of these files from the software inventory that is extracted from devices.

Baseline all connected devices 

The initial infection (i.e., entry point) for ransomware may be challenging to detect. Therefore, it is important to focus on other stages of the kill chain, for example lateral movement. Healthcare organizations can baseline connected devices using Ordr to ensure they are not deviating from their baseline of “normal behavior”. Whenever ransomware takes over one of these devices, there is lateral movement, and this baselining will immediately detect abnormal internal communications.

We hope the above guidance helps all healthcare organizations. Read our ransomware best practices and ensure that you are keeping your connected devices secure.  Due to patient care disruption, more and more healthcare organizations are resorting to quickly paying ransom, as they cannot even afford to wait for systems to recover on their own through backups. However, note that paying a ransom does not guarantee data will be recovered. Additionally, lightning does hit twice in the case of ransomware victims, i.e., organizations that have paid ransom have been targeted again.

Finally, if you need assistance, Ordr and our team are here to help. Contact us today to get the conversation started.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Whole hospital security means knowing every cyber asset in real-time detail

On November 20, 2023, the Cybersecurity Infrastructure and Security Agency (CISA) issued guidance for healthcare delivery organizations (HDOs) struggling to secure their data and systems against a growing and pernicious onslaught of attacks from threat actors across the globe. The purpose of CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector is to articulate “best practices to combat pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sector.”

We recently published our first blog that touched on Mitigation Strategy #1: Asset Management and Security, with important best practices around gaining visibility into what assets are actually on your network, and proactively implementing segmentation policies. In this installation of our three-part series, we look at CISA’s second Mitigation Strategy: Identity Management and Device Security and how Ordr helps healthcare organizations raise their security posture to meet the identified objectives.

Mitigation Strategy #2: Identity Management and Device Security

CISA observes that, “As the HPH Sector continues to transition more of its assets and systems online, CISA recommends entities secure their devices and digital accounts and manage their online access to protect sensitive data and PHI from compromise.” For many healthcare organizations that may seem like a daunting task. A typical mix of traditional IT, connected medical devices, building controls, and cloud-based services and applications can be difficult to inventory, manage, and secure–especially with traditional tools.

To protect the network–and patient health–means first, discovery and classification of every asset, identifying vulnerabilities and threats, and profiling behavior  and communications, and then securing every device. Ordr calls this the See, Know, Secure approach to “whole hospital” security . Let’s take a look at the focus areas CISA has identified in this section.

Focus Area 1: Email security and phishing prevention

CISA’s Mitigation Guide shifts focus from the importance of identifying and inventorying all of an enterprise’s assets, to executing against specific policies that in total, represent common attack vectors. CISA reports that more than 90% of all cyberattacks originate with email, so it makes sense that prioritizing email security would be at the top of this list. Whether a spray-and-pray approach to spamming an organization with messages containing weaponized links and attachments, or more targeted phishing campaigns, this is a first-line defense. Ordr can complement email security by identifying devices communicating to known malicious “phishing” sites, or identifying suspicious device behavior that may be an early indication of a compromised device.

Focus Area 2: Access management

Because users are one of the assets that Ordr tracks, we are able to help organizations with access management through robust tracking using AD/RADIUS and wireless integration, enabling security teams to monitor who is accessing what assets and when. That provides two key perspectives, including the time an asset was accessed and the session’s duration. This can help healthcare organizations recognize risks associated with poor cyber-hygiene such as password sharing, or leaving access to an asset open after a task is completed. The level of detail Ordr tracks and records can also prove invaluable during forensic investigations after an incident occurs.

Focus Area 3: Password policies

Too often assets are deployed with weak, default, or no passwords, leaving them vulnerable to threat actors. CISA recommends healthcare organizations observe a 15-character (minimum) password and to change factory defaults. Ordr customers benefit from our ability to identify and report assets operating with default or weak passwords so that security teams can change them in accordance with policy.

Focus Area 4: Data protection and loss prevention

Because Ordr provides granular details on every asset operating in the enterprise (make, model, serial number, operating system, and software version), we are able to help healthcare organizations identify–and apply appropriate policies–those assets that can store and/or transmit sensitive data like protected health information (PHI). What’s more, Ordr can track patching and disk encryption to maximize protection.

Focus Area 5: Device logs and monitoring solutions

Ordr Software Inventory Collector helps healthcare organizations comply with CISA recommendations on tracking assets and log data. By delivering granular asset details, including  EDR installation status, version number, and active/inactive state, Ordr helps teams identify assets with out of date, disabled or missing EDR software while confirming whether devices are patched and communicating with the appropriate servers. This helps healthcare security teams to identify and close security gaps,and  more quickly detect and respond to threats before they can succeed.

Stay Tuned for Part Three

In our next segment we’ll discuss CISA’s Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management, and offer insights and approaches for achieving the goals of that portion of the Guide. The good news is, with the right tools, healthcare organizations can do what is needed with less trouble, cost, and complexity than they might think.

In the meantime, check out our new white paper, Mapping Ordr Capabilities to CISA Mitigation Guide: Healthcare and Public Health (HPH) Sector. It goes into greater detail of how the Ordr platform can be used to quickly and easily do what the CISA Mitigation Guide suggests, while serving as a roadmap for formulating a strategy to align organization policy with CISA guidelines.

Wes Wright

Chief Healthcare Officer

Wes is responsible for driving Ordr’s engagements in healthcare. Previously he was the CTO for Imprivata, and prior to that VP and CTO at Sutter Health, a 26 hospital network in Northern California. Prior to Sutter, Wes was CTO and then CIO at Seattle Childrens’, which, to this day, he says was his most gratifying work experience.

Cybersecurity and cyber threats have been in competitive co-evolution for years, with each side adapting to the other. Historically firewalls, IPS, antivirus, and modern endpoint protection tools have been common elements in the first line of defense to keep the bad guys out. Try as we might, bad things still happen to good networks. Attackers constantly develop new threats, target new vulnerabilities, or bamboozle a busy employee into doing the wrong thing. The first line of defense is never perfect, so it’s critical to develop a solid second line of defense.

For many organizations, the second line of defense amounts to simply recreating the first line of defense in more places. This approach misses the ways threats differ once inside an organization and also ignores some of the essential advantages defenders have at their disposal.

This post briefly revisits some of the high points in the evolution of cybersecurity and cyber threats, looking at what has worked for defenders, where things have gone wrong, and how lessons learned have helped build new lines of defense. Some deep topics will admittedly be oversimplified. The point of this post is not to denigrate any of the great security tools in use today. Instead, the point is to highlight some of the broad trends and inherent issues security teams need to consider.

An Absurdly Condensed History of the First Line of Cyberdefense

Until recently, many organizations thought of the inside of their network as trusted and the outside Internet as untrusted. Firewalls provided a natural barrier and control point for this boundary, denying unsolicited connections from the untrusted outside by default and leaving a few pinholes open for essential services. Trusted insiders, however, could connect to pretty much any outside service they wanted, and that service would be allowed and trusted. While this approach worked to keep random strangers out, it didn’t work if users and assets on the inside were already compromised.

Attackers had countless ways to attack. They could send phishing emails containing a malicious link in an attempt to gain access. If an email security solution was in place and the attacker was unsuccessful, they could shift to a new vector not subjected to email checks such as DNS tunneling. If a DNS-based firewall or perhaps a web application firewall (WAF) was in use, an attacker could pivot to target cloud applications. The cat and mouse game continued, so various methods were needed to detect and prevent threats.

Attackers found ways to slip past detections. Modifying malicious payloads ensured previously known signatures didn’t match while encoding, obscuring, or encrypting helped attacks slip past detection logic without being inspected.The ever-growing deluge of new vulnerabilities didn’t help. With the recent log4j exploit, setting a username in the apple profile resulted in a new attack vector. Exploiting Microsoft’s hole, a hacker can enter the enterprise by typing something inside the chat window of a video game.

If all else fails for the attacker, one final incredibly effective tool remains – social engineering. Instead of breaking in, an attacker can convince a user to give out passwords or install malicious software in the guise of a valid application or tool.

A New Line of Defense Introduces New Advantages

History has shown the first line of defense is eventually breached, and we must assume adversaries will get in or have already gained access. With access, the attacker typically attempts to move laterally to reach a high-value asset such as a server with all AD credentials, a device with sensitive patient information in a hospital,or a management platform with the ability to coordinate all PLCs on a manufacturing floor. 

While this is all doom and gloom, there are ways to detect and stop attackers by shifting focus from chasing an infinite number of threats to focusing on a smaller number of malicious behaviors. For example, there may be hundreds of thousands of variants for a piece of malware, but when it comes to lateral movement, tools like Mimikatz behave the same when performing actions like pass-the-hash.

The same is generally true of all sorts of secondary attacker actions. For example, when an attacker performs internal reconnaissance, it’s easy to detect when a device starts indiscriminately reaching out to a new or large number of devices. Likewise, SMBv1 is at the center of many Windows vulnerabilities and lateral movement attempts. We can now watch all devices speaking SMBv1 and see which system suddenly communicates to many other systems over SMBv1. The same is true for RDP – a protocol designed for remote diagnostics. We can quickly identify excessive RDP usage that falls outside normal administrator behavior. 

These examples highlight important advantages for defenders. When an attack has moved inside the network, we can see everything as long as we make an effort to look. When an attacker is still outside, we have almost no insight into who they are, what they’ve been doing, and where they’ve been. When they move to our turf, we see the entire battlefield. Instead of only looking at individual traits or actions, we see the complex behaviors across multiple hosts and how they develop over time.

Instead of making a yes/no decision based on a few milliseconds of analysis, we can inform decisions by understanding the complete history of the network, the behavior of all devices in it, and the collective knowledge of how threats behave. Using inputs like this is how Ordr works.

Building a Second Line of Defense with Ordr

Ordr analyzes network traffic and traits of each host to conclusively identify each device, whether it is a laptop, server, or the wide variety of IoT, IoMT, or OT devices. The platform builds global and local baselines for normal behavior of every device and allows organizations to identify suspicious or malicious behavior quickly. As soon as a risk or threat is identified, the platform can automatically create and implement policies to isolate any affected hosts and prevent the spread of an attack.

Ordr’s capabilities provide a logical approach to building a second line of defense. Every device is identified and protected based on its unique needs and functions, regardless of being managed or unmanaged. The entire environment is monitored for signs of threats and malicious behaviors, regardless of how those threats got in. Thanks to automation, Ordr enables a robust second line of defense at a fraction of the effort and cost of traditional threat prevention tools.

If you want to learn more about Ordr technology,reach out for a deep dive demo.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

The Numbers Game

Today, virtually every device connects to the enterprise network. From simple function IoT devices to multi-million-dollar operational systems, modern devices utilize data connectivity to perform highly specialized tasks much more intelligently. The sheer heterogeneity of these devices is growing exponentially.

Effectively regulating these devices, in terms of what it can and cannot do inside the enterprise, requires a significant amount of knowledge on each, since you simply cannot control what you don’t know. In an effort to build the necessary repositories of device intelligence, vendors create – with varying levels of detail – device profile libraries.  At Ordr we see these libraries as a starting point, a base on which to deliver a comprehensive suite of control capabilities that effectively protect devices and relevant business critical information. We believe that developing a large profile library is nice – organizing in a way to keep it relevant and up to date is crucial.

There are enormous challenges in organizing the library relevant and up to date.  A set of printers that are classified as a set of profiles in an enterprise installation will look slightly different in another customer installation – perhaps because of configuration, operational behavior, network connectivity – and will result in an entirely new set of device profiles. Any firmware or software update will necessitate a new profile in order to keep it up to date.  At the same time, just like a traditional library, there are too much material that are irrelevant since nobody can ever use them. Profiles with irrelevant information will do more harm than good.  To search through all the myriad of uncorrelated and out of date information in a library to get what you need is a difficult task.

Profile Library vs Profile Generator

At Ordr, we believe that the only way to keep the device profiles relevant and up to date is to develop a profile generator.  Being able to report millions of device profiles in a library is fundamentally unimportant. What is important is the efficiency with which the profiles can be used in an underlying multi-vendor networking and security infrastructure – and automate such infrastructure to control these devices in terms of access control and policy enforcement.  We need a real-time Profile Generator for those devices actually deployed in an enterprise and produces the relevant parameters for automated control.

In order to achieve this goal, we deploy a number of sophisticated Machine Learning (ML) techniques for our Profile Generator.  Our Deep Neural Network (DNN)model ingests all the relevant attributes identified to create a sophisticated machine learning engine for comprehensive device classification. Each unique set of device attributes are collected and fed into the engine, which learns and organizes it.  When new devices are added to the network or when their software is updated, the learning engine can add or update the device profile. Moreover, it has the intelligence to determine that multiple devices, while they may have slight differences in individual attributes, are essentially the same type and class of device. It filters out irrelevant details and focus on important attributes.

Instead of creating a new profile for each of these devices and each variant of it, the DNN enhances the main device profile to better predict the behavior of the device regardless of its enterprise-specific attributes. When we feed a set of attributes of a device, DNN engine models the non-linear relationship on data for more generalized learning. This way we arrive at an “inference engine” that can predict the classification the devices of that it has never seen before.

Along with DNN, we also use carefully crafted ensembles of Random Forest and SVM algorithms to influence prediction performance. Such techniques have a significant positive impact on the classification accuracy of our inference engine.

For instance, with Ordr, a printer profile hierarchy would be organized as a logical tree beginning for example with manufacturer, make, model, firmware, and other attributes which may vary from enterprise to enterprise.  Ordr intentionally organizes this structure in a way that enables increasing granularity of detail with each tier, while other approaches would create a different profile for each variation in any level of attribute.  Not only is it an efficient way to store the profiles, the hierarchical method delivers an ever-increasing level of intelligence and accuracy, while maintaining the relationship among the devices in an efficient manner. As the number of devices identified to be within a group increases, the predictive engine becomes increasingly efficient in future classifications, all without the need for any manual intervention or personnel resources.  The Profile Generator is a Learning Tree that continues to produce new branches and grow new leaves, while shedding dead branches and dropping dry leaves.

Our ultimate goal is to effectively offer automated protection to the myriad of connected devices that access the enterprise network.  To do this, we generate and enforce granular policies that utilize the existing network and security infrastructure.  It is absolutely essential to scale profiling efficiency to many hundreds of thousands of devices in a single enterprise, and finish this process within hours. Without understanding the relevant details of the relationship among these profiles properly organized in a hierarchical way – this policy generation would be untenable, if not impossible.

Taking Control with Actionable Profiles

In summary, we use the most sophisticated data extraction techniques to collect data using methods like DPI (Deep Packet Inspection) and application level transaction analysis. The inference engine from the learning model gives us an enormous advantage to classify the unseen devices in the customer setup without additional interventions. Our AI/ML models make it possible to not only detect anomalies but also come up with actionable auto-generated policies ready to apply in the existing networking and security infrastructure.  Our real-time Profile Generator can keep the information relevant and up to date, with continuous improvement in coverage and accuracy.

It may sound impressive and exciting to hear about many millions of device profiles. Big numbers get attention.  But growing a tree is more than collecting thousands of leaves.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Advanced Cybersecurity Training on Asset Visibility and Management Available As Self-Guided or Instructor-Led Option

Santa Clara, CA – March 5, 2024 – Ordr, the leader in AI-powered asset intelligence, today announced availability of its new and improved technical product training program, Ordr University. Product training from Ordr University is available in two different ways — self-guided or instructor-led, enabling organizations and teams to select the approach that is best suited for their specific needs and circumstances. Ordr University is available to Ordr customers, resellers, distributors, and system integrators.

With digital transformation, the explosive growth of devices including IT, IoT, OT, IoMT, users, cloud workloads, and SaaS applications exacerbates the challenges associated with attack surface management. Vulnerabilities and threats continue to grow, generating alerts that need to be addressed by already overwhelmed cybersecurity professionals. It is critical that security professionals become more efficient in determining risk and exposure, and accelerating response. This includes using platforms like Ordr that empower teams with accurate asset context for incident response, prioritizes vulnerabilities based on organizational risks, and provides rapid threat containment using automated actions. Ordr University helps equip organizations and their security teams with the product knowledge and best practices they need to successfully manage the expanded attack surface.

“The path to cybersecurity success depends on ensuring that team members at all levels have the proper training, skills, and expertise to manage their cyber asset attack surface and protect their organizations. Threat actors never remain complacent, and it is equally important that security teams stay current with new innovations,” said Jim Hyman, CEO at Ordr. “Continued training and education is key to keeping pace with the ongoing evolution of the threat landscape. A program like Ordr University can increase product knowledge and ability with minimal investment.”

The two Ordr University options include:

• Self-Guided Training: The self-guided content includes introductory product training for teams just getting started with the Ordr platform, as well as more advanced masterclasses for experienced users who are addressing more sophisticated use cases. This option is perfect for teams that wish to learn on their own schedule, at their own pace. Self-guided training features an extensive video catalog with both introductory and advanced-level content, enables an unlimited number of learners for each organization, and includes knowledge checks and certificates for participants. Participants can study at their own pace and take periodic quizzes to test their knowledge of the material.
• Instructor-Led Training: With the instructor-led training offering, Ordr works directly with an organization to create a private learning experience tailored to the organization’s specific needs – and focused on their specific network environment. Certified expert instructors either visit teams onsite at their business or conduct tailored remote sessions with participants. The instructor-led course is structured around a learning model that features 60% hands-on time with the Ordr pre-configured lab environment. Printed materials are also provided for reference post-event.

There are four different structured learning paths that can be selected by organizations to ensure the training their teams experience is most closely aligned to their real-world needs — Foundations, Healthcare Technology Management, Networking, and Security. Ordr Foundations is currently available, ensuring the participant has the ability to navigate the user interface, configure administrative settings, generate reports, and effectively administer their Ordr-enabled environment. This course series serves as the starting point for all Ordr role-specific learning paths.

Subsequent courses for HTM, Networking and Security teams will be offered in the next few months.

Get more information on how Ordr University can help your organization.

In testimony before the House Select Committee on the Chinese Communist Party yesterday, FBI Director Christopher Wray delivered an ominous message:

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

That statement strongly implies that the assets (including IT, OT, and cyber physical systems) on which American power grid, water treatment, healthcare, pipeline, transportation and logistics, telecommunications, and other critical infrastructure operations depend have already been compromised by state sponsored or sanctioned threat actors.

The risk, Wray emphasized, was not hypothetical, but real; not a matter of if, but when. And when the attack comes, he said it would be at a moment of China’s choosing.

Wake Up Call

Wray also expressed frustration that these threats to U.S. critical infrastructure have not gotten the attention they require, and he made it clear to the Committee that they and the nation need to do more.  “China’s multi-pronged assault on our national and economic security make it the defining threat of our generation,” he warned.

Offering some reassurance, Wray said that the U.S. was not incapable of defending against the Chinese cyberthreat, but that the public and private organizations responsible for managing our economic and critical infrastructure “cannot afford to sleep on this danger.”

In other words, his testimony was a wake-up call.

How You Can Respond

Ordr’s customers can take immediate action to check for, respond to, and mitigate security gaps and indicators of compromise that might otherwise be exploited by threat actors. You have a powerful tool available and can use our See, Know, Secure framework to guide your cybersecurity strategy and execution. 

1. See every asset and manage exposure: The good news is that our platform has already discovered, profiled, and is monitoring your entire cyber asset attack surface. That includes every asset–IT, OT, IoT, and cyber physical systems–operating on your network, along with their installed software and applications, and their communication flows. Using Ordr you can ensure that you’re identifying and mitigating risks such as devices with vulnerabilities, running outdated operating systems, or using weak/default/no passwords.
2. Know your threats and anomalies: We view active threats in three ways. First, known threats will be detected by our integrated intrusion detection system and threat intelligence feeds. (Note: our IDS signatures today can detect the KV botnet malware referenced by Director Wray). Second, we detect risky communications, such as internal east-west traffic, and external traffic to unknown or hostile domains. Finally, we also alert on any activity by any device that strays outside of its expected baseline parameters. Security teams should use Ordr risk scores to prioritize remediation of the top threats in their networks. Risk scores can be customized based on asset and business attributes important to the organization.
3. Secure and segment: You should review your network segmentation policies to make sure you can isolate mission-critical assets and make it harder for threat actors to get to them in the event of an attack. Zero Trust segmentation, where you are limiting vulnerable devices (such as those with outdated operating systems) to baseline communications, can enable appropriate access while limiting risky exposure. You can also automate responses when a threat is present, double-check the asset context to determine the best possible enforcement point (firewalls, NACs, or switches), and make sure responses and policies are requisite to the threat.

Keep in mind that, while the FBI director named several examples of critical infrastructure under threat, the list was not exhaustive. Healthcare, financial services, manufacturing, and other industries can all be defined as critical infrastructure. And any organization that is part of the digital supply chain to those targets also poses a threat.

How Ordr is Responding

It is important to know that we are not sitting still. Our policy is one of continuous improvement, and we are monitoring this and other threats to ensure our customers are prepared, developing and updating features that help our customers simplify risk prioritization, and rapidly respond to and contain threats. Our threat intelligence integrations, in concert with the Ordr Data Lake, ensure the most precise, real-time analysis possible are at work on your behalf.

For example, the rogue devices, malicious communications, and malware our customers have detected and remediated mean their environments are already better protected against potential cyberattacks. One customer–a critical infrastructure operator–was able to reduce dwell time from the industry average of 16 days to just a few minutes. 

We also continue to monitor our systems and processes, ensuring they comply with SOC2 standards. As outlined in a previous blog, Ordr’s achievement of SOC 2 compliance in Organizational Governance and Structure underscores our enduring commitment to security. 

We are all in this together

The FBI’s warning should not come as a surprise to cybersecurity professionals who have been paying attention. Threat actors have been actively targeting economic and infrastructure targets for years. And whether or not the scenario Director Wray described in his testimony comes to pass, we can expect attacks from other hostile players to persist. Cybercriminals have shown a propensity for carrying out their business with callous unconcern for the consequences of their actions.

As such, we should use this moment to remind those around us that security is everybody’s job. Be wary of every email, every online interaction, every unexpected behavior in your network. Our commitment to you is that we will continue to work diligently to ensure the Ordr platform is always vigilant, ready, and able to keep your enterprise as secure as it can be. Do not hesitate to reach out to us if you have any questions about this or other cyberthreats to your organization.

Srinivas Loke

Srinivas Loke is Vice President of Product Management at Ordr. Srinivas has a passion for cybersecurity with a deep understanding of network, end point, cloud and IoT security. Prior to Ordr, he led product teams at Aruba, Pulse Secure, FireEye and McAfee. He loves taking 1.0 products to the market and furthering cutting edge technologies that are solving customer problems.

Advanced Research Projects Agency for Health (ARPA-H) is a U.S. federal agency operating independently under the aegis of the National Institutes for Health whose mission is to “accelerate better health outcomes for everyone by supporting the development of high-impact solutions to society’s most challenging health problems.” On May 20, ARPA-H announced a new initiative called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) aimed at developing technologies for improving cybersecurity for healthcare organizations.

A Worthwhile Goal

UPGRADE comes with $50 million in new funding to support collaborative research and development ARPA-H says is needed to create “an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates. Importantly, this software platform will enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care.”

That is a worthwhile goal.

Clearly there is a critical need to stem the tide of cyberattacks on the healthcare industry, and while I am glad to see that the federal government has taken notice, I can’t help but wonder if leadership at ARPA-H have taken a look at the cybersecurity market to see what innovative solutions exist that already do what it hopes to accomplish. If so, they might have noticed that there are already billions of dollars in private investment capital pouring into the market to address this very issue, and many “high-impact solutions” are already available to help address the cyberthreats that hamper the industry’s ability to focus on patient care.

In fact, a part of the hypothetical software platform ARPA-H describes sounds a lot like the platform Ordr’s customers have been using for years. The Ordr platform reduces their cyber risk, prevents and mitigates the effects of cyberattacks, automates responses in the face of threats, maximizes operational resilience for hospitals, and allows them to maintain effective operations without the need to resort to radical “code dark” exercises.

Ideals vs. the Realities

From my perspective as a former healthcare CTO/CIO, and confirmed by the numerous conversations I’ve had (and continue to have) with my peers in the industry, the challenge isn’t primarily one of a lack of tools capable of addressing the threats the industry faces; it is in having the resources (time, money, and people) necessary to invest in and implement those tools. And this problem is most acute in the mid-market, rural, and disadvantaged communities where finances are focused on keeping the lights on. Cybersecurity may be near the top of priorities, but even placing second on that list means making do with a meager budget and keeping your fingers crossed.

Perhaps when ARPA-H assembles its body of experts it will conclude that there’s no real value in initiating a process that our great community of cybersecurity vendors is already driving toward, and focus their efforts (and $50M) on an area where improvement is possible and solutions are lacking. I choose to be optimistic in this regard because it is encouraging to see the problem acknowledged, and federal dollars allocated to try and do something about it.

New Innovation, Not Recreations

Rather than try to recreate existing technology, ARPA-H might want to look at what Health and Human Services is doing with their Healthcare Sector Cybersecurity strategy and think about how to complement that initiative. There is an opportunity to apply new innovations in pursuit of HHS’ four Healthcare Sector Cybersecurity goals, namely:

1. Establish voluntary cybersecurity performance goals for the healthcare sector
2. Provide resources to incentivize and implement these cybersecurity practices
3. Implement an HHS-wide strategy to support greater enforcement and accountability
4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

And by working with industry experts to estimate budget, then enlisting Congress to allocate significant financial resources, funding (far more than $50 million) can be made available to those hospitals serving mid-market, rural, and disadvantaged communities in the form of grants, loans, and incentive programs specifically for the purpose of funding investments in the people, processes, and technologies needed to defend against cyberthreats. Such a program should be easy to access and apply for (heaven knows they don’t need more burdensome paperwork thrust upon them), while structured to ensure that the monies provided are spent in direct support of effective cybersecurity investments and programs.

No More Unfunded Mandates

It is frustrating for those responsible for securing the most at-risk hospitals to read about more mandates and best practices proclaimed from afar when they are fighting for every dollar they can get to simply keep their IT running. No one in healthcare IT and security is ignorant of the threats they face, and they all want to do the best they can for their organization and the patients they serve. There are good security tools available to them; what they need is the means to access them and put them to use.

For more information about Ordr and how we protect healthcare organizations, contact us to see our platform in action.

Wes Wright

Chief Healthcare Officer

Wes is responsible for driving Ordr’s engagements in healthcare. Previously he was the CTO for Imprivata, and prior to that VP and CTO at Sutter Health, a 26 hospital network in Northern California. Prior to Sutter, Wes was CTO and then CIO at Seattle Childrens’, which, to this day, he says was his most gratifying work experience.

The 2023 Verizon Data Breach Investigations Report is out. Like most folks in the cybersecurity industry, we downloaded it and pored over the contents to see what was new and relevant and surprising. As always, there’s a lot of data that quantifies the issues we see everyday: ransomware attacks, social engineering, underlying factors, threat types, etc. For example, the summary of findings identified external actors as the top threat involved in 83% of breaches; said that human error plays a role in 74% of all breaches; and reported that 24% of attacks involve ransomware; and broke down credential theft, phishing, and exploitation of vulnerabilities as the three primary means of attack.

Digging Deeper

Then we gravitated toward findings specific to the industries that Ordr is focused on and that have embraced our technology as a part of their cybersecurity strategies.

• In financial services and insurance, we learned that “basic web application attacks, miscellaneous errors, and system intrusion represent 77% of breaches,” and that financial gain was the motive in 97% of attacks on the industry.
• In healthcare we learned that “system intrusion, basic web application attacks, and miscellaneous errors represent 68% of breaches,” and that financial gain was the motive in 98% of attacks on the industry.
• In manufacturing we learned that “system intrusion, social engineering, [and] basic web application attacks represent 83% of breaches,” and that financial gain was the motive in 96% of attacks on the industry.

Similar results were reported down the line in accommodation and food services, education services, government, IT and so on. Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help. Each data point illuminates and confirms issues we all intuitively recognize as true.

Then we started looking deeper. Our focus at Ordr is on protecting enterprises by securing the growing number of connected devices at work in enterprises across the globe, in every industry. These include categories like the Internet of Things (IoT), Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), Operational Technology (OT), and the many devices connecting to networks to perform new and exciting tasks in a variety of niche roles (XIoT).

A Threat to Health and Safety

The risks that unsecured devices present to the organizations that own them are well known, and the implications of attacks affecting them are troubling. In healthcare, for example, attacks may have financial motives, as the VDBIR says. But recent research by the Ponemon Institute found that cyberattacks on hospitals correlated to an increase in negative outcomes for patients in 57% of hospitals affected due to delays in performing needed tests and procedures. The problem is so severe that hospitals with no means of protecting the medical devices integral to the delivery of patient care are training staff in “code dark” response, which is the physical unplugging and disconnecting of at-risk systems.

The dangers associated with vulnerable IoT, IoMT, and OT devices, and the risks they pose to not only critical infrastructure but financial services, manufacturing, and smart cities, are so concerning to our economic and physical security that connected devices are a part of the White House’s National Cybersecurity Strategy, called out in “Strategic Objective 3.2: Drive the Development of Secure IoT Devices.” The FDA has also issued a mandate to ensure new devices entering the market are built to be secure. And over in the UK connected device security is called out as part of that country’s new National Health Services cybersecurity strategy.

Despite the real and troubling issues associated with IoT security, there is no mention of them in the 2023 VDBIR. And OT security is dismissed with the explanation that “we continue to see [a] very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure,” in contrast to the volume of attacks on traditional IT systems.

Vector, Path, or Target

It is worth pointing out that even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination. It could also be that, because the VDBIR takes a broad and high-level view of the data they collect, the presence of IoT in the report is simply buried in the data. Or maybe it is not known that connected devices are involved. Our analysis following the discovery of devices connected and operating on customer networks shows that as many as 15% of those devices were unknown to IT security and management prior to deployment of Ordr. You can’t secure what you can’t see, and so an attack in which an unknown, vulnerable, and unsecured connected device was the primary vector would also be invisible to security analysts.

More likely is that attacks involving IoT, IoMT, or OT devices are probably too granular a detail to be called out specifically in any report based on broad security analysis. But that doesn’t mean the risk isn’t real, and that the potential effects of an attack involving connected devices are not dire. They are, and that is why we built the Ordr platform to see, know, and secure every device in any network.

Danelle Au

Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach where she helped build the marketing organization and and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. She has an MSEE from UC Berkeley