The power of the Ordr platform has always been its ability to automate device classification and behavioral modeling using AI. This is foundational to our Zero Trust and segmentation strategy.
Larry Smith Manager Cybersecurity Architecture and Engineering, El Camino Health.
-
Blog: Less is More – Not all Data is Equal
Welcome to my first blog post with Ordr, which is hopefully the first of many. Here at Ordr we’re all about network-connected device information and providing insightful knowledge; however, that knowledge comes in many forms. In its simplest form it could be a piece of data, a binary or Boolean value, or even a string, but what matters most is its fidelity, accuracy and relevance. Globally, organizations are starting to truly embrace data, especially big data, but they are also realizing that they don’t want just data; what they really want is information and knowledge that they can use within their current workflows.
Connect Anything and Everything
I like to talk about living in the era of ‘connect anything and everything’; these connected devices across any wired or wireless infrastructure come in all shapes, sizes and flavors. More importantly, there has historically been high variance in IT’s ability to correctly identify them and understand their risk and compliance status. In my first few months at Ordr, I had the opportunity to sit down with many customers to understand their needs. In short, our customers look to Ordr to provide valuable insights into what is connected to their network, what exactly each device is, how it is behaving individually or compared to its peers, and which devices/endpoints are misbehaving or perhaps carry vulnerabilities. Again, this is critical information and knowledge, not just data.
Ordr Data Lake for Device Enrichment
We pride ourselves on our foundational ability to identify all network-connected devices with a high degree of fidelity using deep packet inspection (DPI) to provide the insights that matter. Using the raw packet data from your network, we are able to classify all devices at-scale, then enrich that data in our Data Lake with various third-party data sources to turn it into the context that you need to help secure your infrastructure.
Part of my core responsibilities at Ordr is to expand the ecosystem of integration partners. As we support more customer workflows, it is essential to allow more data into the Ordr Data Lake for enrichment, but that data has to be of high trust and fidelity. That’s why we are embarking on adding a number of new integrations that provide us with unique contextual data to enrich our analysis and provide more insightful information and knowledge to our customers.
Integrations
In early 2021, we announced Ordr SCE 7.4.2, delivering more than 160 new features, integrations, and enhancements to provide unparalleled visibility and protection to organizations globally for security, IT, and HTM teams and their connected devices. In this release, we announced our integrations with Anomali, Exabeam, Fortinet, IBM QRadar, and Ping Identity. In this blog, I want to highlight the Anomali and Fortinet integrations, to give you an idea of the openness of our technology and the agnostic approach we are taking within the industry to ingest data or to use our device context to enrich or enforce policies in existing solutions:
- Anomali – Let’s start with Anomali. We worked with Anomali to ingest their STIX/TAXII 2.0 feed. Anomali consolidates various Cyber Threat Intelligence (CTI) feeds and normalizes the data. Then, via a STIX/TAXII pull, Ordr is able to pull in the normalized data and enrich it with device context. The key to this is that we have built this using the very latest STIX/TAXII 2.1 standards. STIX/TAXII allows the sharing of CTI data. The CTI feed provides indicators of compromise, generally referred to as IoCs, that allow Ordr SCE to find the needle in the haystack. The IoCs provide the breadcrumb trail such that a vendor like Ordr can identify activity on the network that matches the signature of an IoC. This type of data is very targeted and is a true case of less is more.
- Fortinet – In contrast to the Anomali integration, which is very much an inbound ingest integration, our recent Fortinet integration is primarily an outbound enforcement integration. We use AI and advanced machine learning, along with the Ordr Data Lake device context, to create a complete Ordr Flow Genome profile of every device and its behavior. This baseline forms the foundation of segmentation policies that allow devices the access they need while limiting exposure. We are leveraging the open APIs of FortiManager and FortiGate to enable Ordr to dynamically create and push out these enforcement policies, with FortiGate firewalls or FortiNAC as the enforcement point. As I said above, it is primarily an outbound integration, but we also have the ability to consume basic traffic flow information from FortiGate to enhance the threat information we already have.
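To make the Anomali ingest concrete, here is an added example (not Ordr’s code) that parses a constructed STIX 2.1 bundle, as a TAXII pull might return it, extracts the equality comparisons from each indicator’s pattern, and matches them against constructed per-device flow records that already carry the device context a classifier supplies. All identifiers, addresses and domains are placeholders; only the simple equality form of the STIX patterning language is handled.

```python
import json
import re
from typing import Dict, List

# Constructed STIX 2.1 bundle standing in for a TAXII 2.1 pull. Ids and
# indicator values are placeholders, not real IoCs.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "created": "2021-03-01T00:00:00.000Z",
            "modified": "2021-03-01T00:00:00.000Z",
            "name": "Constructed C2 address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "valid_from": "2021-03-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "created": "2021-03-01T00:00:00.000Z",
            "modified": "2021-03-01T00:00:00.000Z",
            "name": "Constructed malicious domains",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'bad.example' OR "
                       "domain-name:value = 'worse.example']",
            "valid_from": "2021-03-01T00:00:00Z",
        },
        {   # A non-STIX pattern type: skipped, it needs its own engine.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "created": "2021-03-01T00:00:00.000Z",
            "modified": "2021-03-01T00:00:00.000Z",
            "name": "Constructed sigma rule",
            "pattern_type": "sigma",
            "pattern": "title: placeholder",
            "valid_from": "2021-03-01T00:00:00Z",
        },
    ],
})

# Constructed flow records, already enriched with the device context
# (class, location) that DPI classification provides.
FLOWS = [
    {"device_mac": "00:11:22:33:44:01", "device_class": "IP camera",
     "location": "Lobby", "dst_ip": "203.0.113.45", "dst_domain": None},
    {"device_mac": "00:11:22:33:44:02", "device_class": "Infusion pump",
     "location": "Ward 3", "dst_ip": "198.51.100.7", "dst_domain": "worse.example"},
    {"device_mac": "00:11:22:33:44:03", "device_class": "Printer",
     "location": "Floor 2", "dst_ip": "192.0.2.10", "dst_domain": "print.corp.example"},
]

# One equality comparison of the STIX patterning language:
# <object-type>:<property> = '<literal>'. Richer grammar is out of scope.
COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")

# Which field of our flow record each STIX observable property maps to.
OBSERVABLE_FIELDS = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "dst_domain",
}


def load_indicators(bundle_json: str) -> List[Dict]:
    """Return the STIX-pattern indicators of a bundle with their comparisons."""
    indicators = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        comparisons = COMPARISON.findall(obj["pattern"])
        if comparisons:
            indicators.append({"id": obj["id"], "name": obj.get("name", ""),
                               "comparisons": comparisons})
    return indicators


def match_flows(indicators: List[Dict], flows: List[Dict]) -> List[Dict]:
    """Flag each flow whose destination equals an indicator value, keeping device context."""
    hits = []
    for flow in flows:
        for ind in indicators:
            for obj_type, prop, value in ind["comparisons"]:
                field = OBSERVABLE_FIELDS.get((obj_type, prop))
                if field is None or flow.get(field) != value:
                    continue
                hits.append({"indicator": ind["id"], "name": ind["name"],
                             "device_mac": flow["device_mac"],
                             "device_class": flow["device_class"],
                             "location": flow["location"],
                             "matched": f"{field}={value}"})
    return hits


def affected_devices(hits: List[Dict]) -> List[str]:
    """Distinct devices that touched an indicator, for triage or a quarantine policy."""
    return sorted({h["device_mac"] for h in hits})


if __name__ == "__main__":
    for h in match_flows(load_indicators(STIX_BUNDLE), FLOWS):
        print(f"{h['device_class']} {h['device_mac']} ({h['location']}) "
              f"-> {h['matched']} [{h['name']}]")
```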
In the coming year, we are planning to implement additional inbound, outbound and bi-directional integrations for the benefit of our customers. As part of that process, we are constantly reviewing the integration use cases we have developed to see where additional context would improve the device context we provide.
-
Blog: Public-Private Partnerships to Secure Medical Devices
Risk Management
Public-Private Partnerships to Secure Medical Devices
3 Min Read. By Ty Greenhalgh
In episode three of the seven-part CHIME webinar series, Public-Private Partnerships to Secure Medical Devices, I am joined by five guest speakers representing three public-private initiatives addressing current issues in the healthcare ecosystem.
- Mike Powers, MBA: Representing the Legacy Devices task group within the Healthcare Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group. Mr. Powers is a Clinical Engineering Director at Intermountain Healthcare and a member of the AAMI Healthcare Technology Leadership Committee.
- Samantha Jacques, PhD: Dr. Jacques is also from the HSCC Joint Cybersecurity Working Group and is the Vice President of Clinical Engineering at McLaren Health Care, vice-chair of the AAMI Healthcare Technology Leadership Council, and a fellow of the American College of Healthcare Executives.
- Alex Wolf: Another representative of the HSCC Joint Cybersecurity Working Group as the Model Contract Language task group leader, Mr. Wolf is a Cybersecurity Specialist at Cleveland Clinic.
- Jim Jacobson: From the National Telecommunications and Information Administration (NTIA) Software Component Transparency work group, Mr. Jacobson is the Chief Product and Solution Security Officer of Siemens Healthineers.
- Tola Amusan, MBA: Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic and also a member of NTIA.
Our first topic was addressed by Mr. Powers and Dr. Jacques on their projects at the HSCC’s Legacy Device work group. Officially, legacy devices are defined by the International Medical Device Regulators Forum as simply those that cannot be protected against current cybersecurity threats. In contrast to this vague description, Dr. Jacques elaborated on how clinical engineers of Health Delivery Organizations (HDOs) alternatively define them as devices no longer supported by the manufacturer, necessitating reactive strategies like microsegmentation and network monitoring to keep them secure. The task group’s upcoming publication will provide guidance on the core practices, challenges, recommendations, and HDO and Medical Device Manufacturers (MDM) perspectives. One critical area of contention it aims to resolve is the difference between “end of life” and “end of support.” To an MDM, “end of life” may potentially be initiated to justify terminating post-sale technical support, instructional material, and/or patch availability to incentivize replacement. From an HDO perspective, an unsupported device may still function perfectly, and prematurely relegating it to end-of-life status is often infeasible or cost prohibitive. As Mr. Powers concisely summarizes the distinction, “It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”
Next, Mr. Jacobson and Mr. Amusan presented their work on Software Bills of Materials (SBOMs) at the NTIA. An SBOM is the list of “ingredients,” or the individual components of which a device’s software is composed. As Mr. Jacobson explained, the task group has been developing a proof-of-concept SBOM since 2018. Their goal is to provide standardized and automated formats for use by manufacturers. Mr. Amusan highlighted the various ways HDOs may utilize SBOMs across Healthcare Technology Management (HTM) functions, ranging from procurement, asset management and risk management to vulnerability and patch management and device life-cycle management.
In the final segment of the webinar, Mr. Wolf presented an overview of the HSCC’s Model Contract Language task group. Its foremost objective is establishing shared cooperation between MDMs and HDOs in regard to the security, compliance, management and operation of MDM-managed medical devices. The task group has been working on a contract template for organizations of any size, which simplifies cybersecurity requirements and expectations between parties and aligns with existing standards like NIST and the FDA Post-Market Guidance. A point of particular emphasis is the delegation of compliance responsibility and liability between parties. Security breaches of devices are an inevitability, so clearly establishing the duties and obligations ensures the HDO and MDM are prepared to recover, and to prevent. To quote Mr. Wolf, “In the event that something goes wrong, both parties are aware of those expectations and have a good understanding how to work through those issues.”
Ty Greenhalgh
For the last 4 years, Ty has been the CEO of Cyber Tygr, a company dedicated to improving and protecting the privacy, cybersecurity and compliance of our nation’s Health Industry by operationalizing advanced technologies. As a result of his intensive efforts in supporting the cybersecurity posture of healthcare medical devices and facility equipment, Nuvolo has brought him on board to spearhead their new Cyber OT module. Mr. Greenhalgh is an active member in several groups and associations, such as Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the Department of Health and Human Services 405(d) Workgroup and the Department of Commerce National Information and Telecommunications Agency.
-
Blog: Being Cybersmart for Cybersecurity Awareness Month
Security Strategy
Being Cybersmart for Cybersecurity Awareness Month
2 Min Read. By Danelle Au
October is Cybersecurity Awareness Month under the leadership of CISA and the National Cyber Security Alliance (NCSA). The goal is to continue to raise awareness about the importance of cybersecurity across our Nation. This year’s theme is to be #cybersmart, as we all play a role in the security of our own “cyberspace”. Focusing on cybersecurity and being cybersmart can positively impact our lives, but also the organization we work for and our nation.
To kick off cybersecurity awareness month, here are the five tips to be #cybersmart.
- Use a password manager – It’s important to have good password hygiene. This means making sure your passwords are hard to crack: long enough, and a combination of uppercase and lowercase characters, numbers and special characters. You also don’t want to reuse passwords across accounts, so the best way to manage this is to use a password manager that securely stores the passwords for all of your accounts.
- Don’t use public hotspots – When you’re at the airport, your favorite coffee place or the library, do you connect to the public Wi-Fi network? A safer option is to connect to your phone’s hotspot, or to use a VPN. There are no guarantees that public Wi-Fi networks are secure. In fact, with the flaws discovered in WPA2, the encryption standard that secures modern Wi-Fi networks, attackers within range of vulnerable wireless access points can become a “man-in-the-middle”, intercepting passwords, emails and other sensitive data. In many cases, they can also inject malware into the sites you’re visiting.
- Update your applications – Whether you’re on your mobile device or laptop, you’re probably running a number of key applications that will come with vulnerabilities. Enable automatic updates for your applications, or make sure that you’re updating them regularly with patches. This includes browser updates for Chrome or Safari.
- Use multi-factor authentication – Many applications offer multi-factor authentication. This means you’re required to validate your identity via two or more credentials. Your credentials fall into one of three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint or Face ID). Your credentials must come from two different categories to enhance security. You can add an extra layer of defense to your accounts by enabling multi-factor authentication.
- Beware of phishing scams – One of the most common delivery systems for malware is phishing: attachments that come to you in an email, masquerading as a file you should trust. Once they’re downloaded and opened, they can take over your computer. Avoid clicking on links from people you don’t know, or on links in email messages with grammatical errors and details that don’t make sense. Some phishing scams are very targeted, so beware of oversharing sensitive information on social media that would make it easy for hackers to target you.
Danelle Au
Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications book and holds 2 U.S. patents. She has an MSEE from UC Berkeley.
-
Blog: Ordr and Check Point Expand Partnership
Today, in conjunction with Check Point’s IoT Protect Program announcement, we’re excited to not only highlight Ordr’s participation in the program, but also to announce the Ordr Systems Control Engine’s availability directly through Check Point. We’re excited to work with a great security partner with market leading technology.
When we built the Ordr SCE, we created a robust AI platform to deliver high-fidelity visibility and security for all unmanaged devices – IoT, IoMT and OT. However, we knew that was not enough. We also focused on automating the critical job of securing these devices, not only reducing the burden on security and networking teams but making previously complex management tasks simple and automatic.
After all, these unmanaged and IoT devices bring very different challenges to an organization. They often cannot be brought out of service, they cannot be scanned or patched, and you cannot install a security agent on them. But unlike end users, unmanaged and IoT devices have very specific and predictable communications patterns. Video cameras need to connect to a camera management system. Medical imaging devices need to communicate to a central PACS or DICOM server. Neither wakes up in the morning and decides to browse the web.
How does Ordr address this? Once we discover and categorize these devices, Ordr’s Flow Genome maps each device’s unique, customer-specific communications patterns and profiles exactly how it should communicate and behave. We then proactively create specific network segmentation policies for each category of device and enforce them on networking and security infrastructure to only allow these “sanctioned communications.”
This is a Zero Trust Network in action.
Ordr SCE does not create segmentation policy recommendations, guidelines, or suggestions. The policies do not need tweaking or customizing. They do not need updating when new devices join the network, or when existing devices move to a new location or receive a new IP address. They do not need to be exported as a CSV file, manually uploaded into another system, and refreshed with a cron job. They fully integrate with Check Point’s APIs, providing full, automated context right in the Check Point IoT Protect Manager.
This is the differentiator of the Ordr and Check Point integration. Whether it is proactive segmentation or quarantining an infected device, we will dynamically create and enforce policies for IoT devices with one click of a button. As new devices are added to the network that match a particular device profile with an active policy, this new device will automatically be protected.
This is a huge benefit for any organization with Check Point infrastructure, as it protects your existing investment. At the same time, our ability to generate these policies alleviates the challenges of manually addressing risks and vulnerabilities across the hundreds of thousands of unmanaged and IoT devices that may exist in a network.
Benefits of combining the Check Point and Ordr solutions include:
- Automatic discovery and classification of IoT, IoMT and OT devices
- Direct integration of device context into the Check Point IoT Protect Manager, including asset type, make and model, OS version and risk information
- Use of Check Point’s advanced APIs to automatically send Ordr Zero Trust segmentation policies to the Check Point IoT Protect Manager for distribution to Check Point’s Quantum Security Gateways™
- Automatic updates of Check Point’s Quantum Security Gateways™ with current device IP information, regardless of network location or dynamic addressing
- Dynamic generation of firewall zoning policies directly into Check Point IoT Protect Manager, allowing for protection and control of the IoT and OT environment within minutes
For more information on the joint integration, please check out our detailed Check Point partnership page here and the Check Point IoT Protect page.
Bryan Gillson
Bryan joined Ordr in November 2019 after spending six years as VP Strategic Alliances at Ionic Security. At Ionic, Bryan initiated and managed business relationships with system integrators such as Accenture, Deloitte, and PwC, and closed OEM partnerships with vendors in the CASB, virtualization, and data protection sectors. Previously, Bryan led product management and business operations for Symantec’s encryption products and information protection groups after integrating the acquisitions of both PGP Corporation and GuardianEdge. Prior to Symantec, Bryan led the business development team at PGP Corp. and was a VP in Merrill Lynch’s Technology Investment Banking group.
-
Blog: It’s All About Identity
Identity is a foundational component of modern security models, allowing organizations to control the data or services a user or account should be able to access. The explosion of IoT, IoMT, OT and other connected devices introduces significant gaps in identity-based security while creating new challenges and posing questions:
What is an identity for these devices that do not inherently have what we think of as an identity?
How can we close the gap and bring identity-based controls to these critical devices?
This post looks deeper into the challenges, these questions, and how Ordr helps provide answers in a straightforward and automated way.
It’s the End of Identity as We Know It…and I Feel Fine?
There are several methods organizations use to establish and verify identity for their users and assets. Unfortunately, none of these methods work well for the new class of connected devices.
Traditional devices such as laptops and workstations can be associated with a specific user and can be reliably linked to that user’s identity. Security teams can also verify the identity of a device by installing certificates or using USB keys. When a high-value asset is accessed, multi-factor authentication mechanisms can be leveraged by sending the user a passcode via email or text to be provided for additional verification.
The new class of connected devices are rapidly increasing in numbers and can be found everywhere in enterprise environments. Connected devices include everything from consumer products and phones to printers and media displays. In industrial settings IIoT and OT devices span the range of sensors to the multi-million dollar equipment essential to manufacturing lines. In healthcare, IoMT includes a vast array of medical devices from health monitoring equipment to magnetic resonance imaging (MRI) scanners that are critical to delivering care and ensuring patient safety.
Connected devices are increasingly critical infrastructure in organizations across industries, yet these devices can’t be managed the same as traditional devices. The simple task of installing enterprise certificates or endpoint agents is virtually impossible since many of these devices run embedded operating systems or are agentless. Even if agents could be installed, the vast diversity of hardware and software variations of IoT devices makes it almost impossible for vendors to develop and support agents.
Connected devices are commonly found with software stacks from various sources layered on embedded and customized operating systems. For these devices, any tool that uses a map of the processes to perform behavioral analysis is virtually useless.
Integrated firmware running on connected devices typically prevents any new software from being installed to ensure security and device reliability. As an example, new software can’t be installed on a piece of medical equipment once it’s gone through FDA certification.
Multi-factor authentication is another non-starter for IoT. An infusion pump can’t be expected to receive and provide a passcode to verify its identity.
Bringing Ordr to the Chaos of IoT Identity
With all of these limitations, how is identity determined and used for connected devices? The best unique identifier (not identity) is a device MAC address or serial number. MAC addresses are at least trackable (although easily spoofable), but serial numbers are nearly impossible to track and manage.
Ordr takes a new approach that doesn’t require IT and security teams to manually track the endless minutia of device details or do anything to update or change devices. Instead, Ordr automatically and passively analyzes the behavior of each device and recognizes a device’s identity based on what it actually does (i.e., the device communication).
To illustrate, let’s look at a device that claims to be a printer. Does it act like a printer? How do we know how a printer should act?
To answer this a large number of printers must be studied to understand what printers normally do, the protocols they speak, destinations they connect with, packet patterns they exhibit, etc.
With sufficient sampling a baseline can be established and used to verify if a new “printer” behaves like all the other printers previously seen – if it walks and squawks like a printer, then it’s probably a printer.
It’s also important to understand normal behavior for a particular environment. It’s not enough to know whether a printer is behaving within the norms of other printers – it’s essential to know whether the printer is behaving like my other printers. Is it talking to the appropriate management server, using the appropriate network segments, and so on?
The combination of global and local insights into behavior gives a very reliable approach to understanding a device’s identity. Just as importantly, it is a passive, hands-off approach that doesn’t require more work from staff or to change anything on the device itself.
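The following is an added example, not Ordr’s Flow Genome, showing the mechanics this section and the Check Point post above describe: a behavioral baseline is learned per device class from constructed flow observations (the “my other printers” view), an allow-list segmentation policy is derived from it, the policy is expressed by class and destination role so an IP change needs no policy edit, and a newly seen “printer” is checked against the baseline. Device names, roles and addresses are placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A behavior is: which role of destination, which protocol, which port.
Behavior = Tuple[str, str, int]

# Constructed observations for one site: (device, class, dst_role, proto, port).
# Destinations are named by role (the classified peer), not by address, so
# the baseline does not depend on the IPs devices hold today.
SITE_FLOWS = [
    ("prn-01", "printer", "print-mgmt-server", "tcp", 9100),
    ("prn-01", "printer", "print-mgmt-server", "tcp", 443),
    ("prn-01", "printer", "dns-server", "udp", 53),
    ("prn-02", "printer", "print-mgmt-server", "tcp", 9100),
    ("prn-02", "printer", "print-mgmt-server", "tcp", 443),
    ("prn-02", "printer", "dns-server", "udp", 53),
    ("prn-03", "printer", "print-mgmt-server", "tcp", 9100),
    ("prn-03", "printer", "dns-server", "udp", 53),
    ("prn-03", "printer", "internet", "tcp", 443),   # one printer's oddity
    ("cam-01", "ip-camera", "vms-server", "tcp", 554),
    ("cam-01", "ip-camera", "ntp-server", "udp", 123),
    ("cam-02", "ip-camera", "vms-server", "tcp", 554),
    ("cam-02", "ip-camera", "ntp-server", "udp", 123),
]


def learn_baseline(flows, min_share: float = 0.5) -> Dict[str, Set[Behavior]]:
    """Per class, the behaviors shown by at least min_share of that class's devices.

    Requiring a share of the fleet rather than the union of everything seen
    keeps one misbehaving device from widening the baseline of its class.
    """
    devices: Dict[str, Set[str]] = defaultdict(set)
    seen: Dict[str, Dict[Behavior, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for dev, cls, role, proto, port in flows:
        devices[cls].add(dev)
        seen[cls][(role, proto, port)].add(dev)
    return {cls: {b for b, devs in behaviors.items()
                  if len(devs) / len(devices[cls]) >= min_share}
            for cls, behaviors in seen.items()}


def segmentation_policy(cls: str, baseline: Dict[str, Set[Behavior]]) -> List[Dict]:
    """Allow-list rules for one class (by class and destination role), then an explicit deny."""
    rules = [{"action": "allow", "src": cls, "dst": role, "proto": proto, "port": port}
             for role, proto, port in sorted(baseline.get(cls, set()))]
    rules.append({"action": "deny", "src": cls, "dst": "any", "proto": "any", "port": "any"})
    return rules


def resolve_policy(rules: List[Dict], inventory: Dict[str, List[str]]) -> List[Dict]:
    """Expand class and role names into the addresses the inventory holds right now.

    After a device gets a new IP, re-running this re-derives the pushed rules
    without touching the policy itself. Names absent from the inventory
    (such as 'any') pass through unchanged.
    """
    resolved = []
    for r in rules:
        for src in inventory.get(r["src"], [r["src"]]):
            for dst in inventory.get(r["dst"], [r["dst"]]):
                resolved.append({**r, "src": src, "dst": dst})
    return resolved


def check_device(cls: str, device_flows: List[Behavior],
                 baseline: Dict[str, Set[Behavior]]) -> List[Behavior]:
    """Behaviors of one device outside its class baseline; empty means it looks like its peers."""
    return sorted(set(device_flows) - baseline.get(cls, set()))


if __name__ == "__main__":
    base = learn_baseline(SITE_FLOWS)
    policy = segmentation_policy("printer", base)
    inventory = {"printer": ["10.0.1.5", "10.0.1.6"],
                 "print-mgmt-server": ["10.0.9.2"], "dns-server": ["10.0.9.3"]}
    for rule in resolve_policy(policy, inventory):
        print(rule)
    suspect = [("print-mgmt-server", "tcp", 9100), ("internet", "tcp", 443)]
    print("deviations:", check_device("printer", suspect, base))
```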
As a result, Ordr is able to easily establish identity and continuously monitor it throughout its life cycle. Request a demo to learn more about how Ordr can help with identity and security for all your IoT, IoMT, OT and other connected devices.
Pandian Gnanaprakasam
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
-
Pages: OrdrAI Protect
OrdrAI Protect
Discover and secure every mission-critical device — from traditional IT to vulnerable IOT, OT, IOMT devices — from advanced cyber attacks.
Secure Mission-Critical Assets
Eliminate Blind Spots
Discover high-fidelity asset context with highly accurate AI/ML powered classification of every asset including IT, IoT, OT and IoMT.
Reduce Risks To Your Business
Identify vulnerabilities for managed and unmanaged devices. Prioritize remediation based on risk scores and assign to device owner.
Accelerate Response
Identify known and unknown threats with an integrated intrusion detection engine and AI/ML-based anomaly detection. Automate incident response policies.
Enable Cyber Resilience
Confidently create Zero Trust segmentation policies to prevent lateral movement or isolate devices based on baseline communications.
USE CASES
Visibility and Security for IT, IOT, OT, IOMT
Asset inventory & management
Automate hardware and software asset inventory across IT, IoT, IoMT, OT. Visualize asset connections and communications with detailed mapping, providing clarity on network interactions and potential risks.
Vulnerability prioritization and management
Prioritize vulnerabilities and assess the attack surface with customizable risk scoring aligned with business priorities. Quickly close vulnerabilities for IoT, IoMT, and OT devices with automated workflows assigned to the right owners.
Threat/anomaly detection and response
Stay ahead of threats with real-time monitoring that detects and alerts on active threats, anomalous behaviors and risky communications.
Security and compliance gaps
Address compliance frameworks such as NIST-CSF, CIS Controls Cyber Essentials, CMMC, NHS DSP Toolkit, and more. Identify non-compliant devices like those running outdated OS or devices in the wrong VLAN/subnet.
NAC Acceleration and Zero Trust
Accelerate Cisco ISE, Aruba ClearPass, FortiNAC projects with rich context, and automated policies for connected devices. Generate Zero Trust segmentation policies, limiting vulnerable devices to “baseline” communications.
Accelerate incident response
Share deep asset context with SIEM/SOC with automated workflows, facilitating faster and more informed incident response.
Industry’s Most Powerful Platform To Protect Mission-Critical Devices
Ordr Software Inventory Collector
Gain context about applications running on devices, similar to a real-time SBOM. Know OS patches and updates, 3rd-party software installed, AV software status, disk encryption and BIOS password status to inform exposure and risk management.
Vulnerability Lifecycle Management
Map comprehensive vulnerabilities for every device via integrations (National Vulnerability Database etc). Prioritize remediation based on risk scores, and automate tasks for the device owner.
Ordr Flow Genome
Profile the behavior of every device, including internal and external communications. AI/ML technology establishes baseline communications patterns to surface anomalies or create Zero Trust segmentation policies.
Comprehensive Threat Detection
Quickly identify both known and unknown threats through our integrated IDS and AI/ML-based anomaly detection. Visualize East-West communications between devices and to external malicious domains.
Utilization insights
Know device utilization insights for operational and budgeting decisions. Analyze real-time device usage to schedule maintenance and patching, support capital spend decisions and optimize operations.
Automated Response
Accelerate response by generating policies to quarantine a device, block ports, terminate sessions. Address Zero Trust initiatives by creating segmentation policies to limit vulnerable devices to known good baseline.
The visibility that we now have into our networked devices and their software inventory gives us greater assurance that we are properly maintaining and securing our systems to ensure that we can continue to provide excellent service and patient care.
Stacy Estrada, Information Security Manager, Montage Health
Using network architecture to help protect devices only goes so far if you can’t profile device behavior and understand existing vulnerabilities. The Ordr platform gives you that visibility to understand how every device is being used.
CISO, Financial Services Organization (788 Branches Across 17 States)
-
Pages: Cyber Asset Attack Surface Management
…misconfigurations, for example endpoints that are missing EDR or MDM agents Read More Audit/Compliance Reporting Address compliance and regulatory compliance with accurate and real-time asset data for NIST, CIS Controls…
Cyber Asset Attack Surface Management
Not all Cyber Asset Attack Surface Management (CAASM) solutions are created equal. Understand the drivers, use cases and considerations when selecting a CAASM product.
Why Is CAASM Important?
With digital transformation and adoption of hybrid business models, enterprises are rapidly deploying assets to enhance efficiency. However, the explosive growth of these assets – devices, users, applications, SaaS and cloud workloads – not only significantly expands the attack surface, but also introduces asset management challenges:
- Security teams spend considerable time and manual effort correlating data from various sources to try to answer questions about their security posture
- Most asset management solutions cannot identify IoT and OT devices, leaving cybersecurity blind spots
- The difficulty of getting granular details about assets, risks and business context makes it hard to prioritize vulnerabilities and remediation
- The lack of business context becomes even more critical during incidents and can noticeably slow response times
- Without real-time asset context, addressing compliance requirements requires time-consuming manual processes
What is Cyber Asset Attack Surface Management (CAASM)?
Cyber asset attack surface management (CAASM) is focused on enabling security teams to overcome asset visibility and exposure challenges.
According to Gartner, CAASM “enables organizations to see all assets (internal and external), primarily through API integrations with existing tools”. With the consolidated view of all assets, security teams can then initiate queries to find security coverage gaps, misconfiguration issues, and prioritize vulnerabilities and risks.
In the Gartner 2023 Hype Cycle for Security Operations, Gartner urges security teams to adopt a continuous, exposure-based approach to operations, with an emphasis on agility and business relevance. Gartner identifies CAASM as one of the technologies used to continuously discover, assess, prioritize, validate and reduce exposure across digital estates, and CAASM is a key component for any organization adopting the Continuous Threat Exposure Management (CTEM) framework.
CAASM Use Cases
How Does CAASM Differ From a CMDB?
CAASM is often confused with a CMDB because both support asset management. The difference is that CAASM focuses on asset visibility and security use cases for security teams rather than IT service management (ITSM) use cases. CAASM does not support a CMDB’s ITSM functions such as tracking the asset life cycle, managing workflows associated with those assets and performing financial costing analysis.
- CAASM is primarily built for security teams that want complete visibility of all the organization’s assets, to map asset dependencies, surface security gaps and perform prioritization and remediation.
- CAASM provides visibility of all assets. In contrast, CMDBs focus on assets that matter to IT teams, and miss assets like IoT, IoMT and OT.
- A CMDB does not collect and correlate vulnerabilities against assets.
- CAASM can integrate bidirectionally with a CMDB, using it as a data source, enriching CMDB data, or reconciling assets against CMDB data.
Considerations For Selecting a CAASM
There are many factors to consider when selecting a CAASM solution for your enterprise. Below are a few to get you started:
- What does your environment look like today, and what visibility gaps should CAASM address?
- How many security tools are deployed today? Which teams will be involved in enabling ingestion of data from these tools?
- Does the vendor only support asset discovery via API ingestion, or do they supplement it with their own discovery methods?
- Can the vendor deliver asset inventory beyond traditional asset categories, such as granular software inventory, users, and IoT, IoMT or OT systems?
- Beyond visibility into assets and risks, can the vendor initiate action to reduce the exposure?
- Beyond visibility into assets and risks, can the vendor extend to more advanced use cases like threat detection?
- Is there an easy way to surface insights about your environment, or do you need to learn a new query language?
- Are there ready-made reports to facilitate compliance and audit reporting?
- Which teams will be involved in this CAASM project? Which security outcomes matter most to those users?
-
Blog
Embrace the Future of Cyber Asset Attack Surface Management
3 Min Read
By Pandian Gnanaprakasam
CAASM+ Differentiators Series: Ordr’s Advanced Deduplication and Data Integrity Features are Vital to a Successful CAASM Strategy
In the ever-evolving landscape of cybersecurity, the need for an innovative and effective Cyber Asset Attack Surface Management (CAASM) strategy is more critical than ever. And as we navigate the complexities of integrating data from disparate sources to embrace the advantages of CAASM, it’s essential to ensure that cyber asset data is rich, timely, and accurate. That requires a data integrity program supported by complete asset visibility and real-time data ingestion, and I am excited to share with you how Ordr is leading the charge in enhancing data integrity through our advanced deduplication and data correlation methodologies.
Data integration within CAASM platforms is like assembling a jigsaw puzzle where each piece comes from a different puzzle set. Without a coherent strategy, the result is a fragmented understanding of the cyber asset landscape, akin to tunnel vision: each tool in an organization’s arsenal offers a glimpse only of the assets within its own scope. True asset visibility can only be achieved by aggregating, normalizing, mapping and correlating this data, using GenAI organizational methods.
The Duplicates and Ephemeral Device Conundrum
One particularly challenging aspect of CAASM is managing duplicated data arising from IP rotation, MAC randomization, multiple network adapters and the like. Ephemeral devices could be anything from virtual machines to IoT gadgets: ubiquitous yet elusive. They arrive over VPNs, get spun up as VDI sessions, and flit in and out of corporate networks. That makes acquiring and maintaining an accurate asset inventory a Herculean task with traditional approaches and tools.
That is because traditional asset discovery methods are like using a net with oversized holes: they simply cannot catch these quicksilver-like devices. For however long they are active in the network they have an effect on operations and risk calculus, opening a window to incidents and threats. And so, while invaluable for monitoring more persistent assets, agent-based and other asset management solutions often fail with ephemeral devices that avoid consistent network connections.
Ordr’s Unique Approach to Dynamic Asset Discovery
At Ordr, we’ve developed dynamic asset discovery mechanisms that embrace the transient nature of duplicate and ephemeral devices that is endemic to network operations today. Our approach involves leveraging real-time monitoring technologies and anomaly detection algorithms to spot these elusive assets based on their behavior.
Enhanced network visibility is also crucial. We provide additional insights into device activity by incorporating contextual real-time activity from network sources and endpoint telemetry. This contextual intelligence is pivotal in differentiating between legitimate devices and transient entities. Moreover, we utilize machine learning algorithms to sift through network-based real-time data ingestion, seeking out anomalous patterns that might signal an ephemeral device. These models, honed on historical data, enhance detection accuracy and minimize false positives.
Ordr’s AI/ML Deduplication
Addressing errors related to manual data entry and data duplication is another perpetual challenge in data management. Given the speed and volume of data creation and change, there is no practical reason to rely on manual data entry today, and yet it remains. At Ordr, we recognize that duplicated data is not just a nuisance—it can be a significant obstacle in business operations and security triaging.
What sets Ordr apart is our innovative use of AI and ML in deduplication. Our advanced machine learning techniques, along with predictive large language models, classify devices within an extensive asset knowledge base. We organize devices into an “Asset Catalog” with a sophisticated hierarchical structure, from buckets to categories, sub-categories, profiles, and device instances, along with business/owner context such as who is using the asset.
This organizational prowess and our learning engine’s precise identification capabilities significantly enhance our deduplication algorithm. We developed the vast Ordr Data Lake with rich profiles on millions of crowd-sourced individual assets, informed by data from manufacturers and other authoritative sources, which aids in the comprehensive understanding of device identities.
The Importance of Data Preprocessing
Our strategy hinges on establishing each device’s “true identity” through globally unique identifiers. This foundational understanding is essential for effective deduplication and provides the context to prevent erroneous duplicates.
Every integration at Ordr undergoes a rigorous mapping process to ensure incoming attributes are normalized, mapped and represented consistently within our central database. This preprocessing is vital for maintaining data quality and consistency and forms the bedrock of our subsequent analysis. These strategies, which address the nuances of today’s digital ecosystems, pave the path to robust CAASM, and we continually refine our methodologies so that our enterprise customers have a reliable, single source of truth for their asset management needs.
The Road Ahead
I hope this blog clarifies the importance of sophisticated data management within CAASM and how Ordr is at the forefront of tackling these challenges. Our mission is to empower organizations with the tools to manage their assets effectively, ensuring security and operational efficiency in an increasingly complex cyber landscape with an expanding attack surface.
As we look to the future, we remain committed to continuously improving our platform and ensuring that it remains at the forefront of the fight against cyber threats. Thank you for joining us on this journey as we redefine the standards of CAASM and pave the way for a more secure digital world.
Pandian Gnanaprakasam
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
Interested in Learning More?
Subscribe today to stay informed and get regular updates from Ordr Cloud
Ready to Get Started?
-
Ordr Announces Integration with ServiceNow Vulnerability Response
3 Min Read
SANTA CLARA, Calif., Oct. 4, 2023 /PRNewswire/ — Ordr, the leader in connected device security, announced an integration with ServiceNow Vulnerability Response, expanding Ordr’s existing bidirectional integrations with ServiceNow Service Graph Connector, CMDB, and ITSM. The joint effort extends Ordr’s deep insights into all connected devices, enabling optimized vulnerability management, creating better experiences, and driving value for customers with its unique solution, built with the Now Platform.
ServiceNow’s expansive partner ecosystem and partner program is critical in supporting the $220 billion market opportunity for the Now Platform. The revamped ServiceNow Partner Program recognizes and rewards partners for their varied expertise and experience to drive opportunities, open new markets, and help customers in their digital transformation efforts.
“We’re thrilled to expand our tight bidirectional integrations with ServiceNow and extend our device vulnerability and risk insights to ServiceNow Vulnerability Response,” said Pandian Gnanaprakasam, Chief Product Officer and Co-Founder, Ordr. “This addresses a critical need for customers with devices not covered by traditional scanning or agent-based solutions. The integration enables an optimized solution for risk reduction by leveraging Ordr’s full visibility and vulnerability insights, combined with workflows in ServiceNow Vulnerability Response, and the ability to track and close the loop on the status of vulnerabilities across both platforms.”
Ordr’s existing integration with ServiceNow Service Graph Connector ensures comprehensive and accurate details for every network connected asset, including all managed and unmanaged IT, IoT, IoMT, and OT devices. These details are essential to customers looking to enrich and reconcile device data in the ServiceNow CMDB for an up-to-date asset inventory, building ITSM workflows to optimize device management efforts.
Extending Ordr’s insights through integration with ServiceNow Vulnerability Response enables customers to:
- Close vulnerability and risk visibility gaps with insights into all devices, including those not covered by endpoint agents or active scanning tools.
- Maintain a centralized and comprehensive view of all device vulnerabilities and risk by leveraging Ordr insights collected from multiple sources with no impact to devices, services, or patient/operator safety.
- Accelerate vulnerability management tasks and reduce risk with accurate vulnerability data that feeds ServiceNow Vulnerability Response capabilities across the full lifecycle.
- Track vulnerability management efforts by leveraging bidirectional integration for up-to-date vulnerability status in the Ordr and ServiceNow platforms.
Ordr is a ServiceNow Registered Build Partner, and the certified integration, which brings Ordr’s comprehensive and accurate connected device and vulnerability insights into ServiceNow Vulnerability Response, is available in the ServiceNow Store.
“Partnerships succeed best when we lean into our unique skills and expertise and have a clear view into the problem we’re trying to solve,” said Erica Volini, senior vice president of global partnerships at ServiceNow. “Ordr’s integration extends our reach well beyond where we can go alone, and represents the legacy and goals of the Now Platform. I am thrilled to see the continued innovation we will achieve together to help organizations succeed in the era of digital business.”
For more information, learn more about Ordr’s integration with ServiceNow Vulnerability Response and how Ordr works with other ServiceNow capabilities.
About Ordr
Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing Venture Capital, Ten Eleven Ventures, Northgate Capital, Kaiser Permanente Ventures, and Unusual Ventures. For more information, follow Ordr on Twitter and LinkedIn.
ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries.
-
Blog
A Neophyte’s Guide to DNS Security
Yesterday, our Chief Security Officer, Jeff Horne, shared his perspective on NAME:WRECK and the Domain Name System (DNS) vulnerabilities it disclosed. As a follow-up, I wanted to share some best practices for DNS security.
The most common abuses of DNS are data exfiltration, payload delivery, and command and control (C2) carried over DNS queries and responses. Sometimes outright flaws in DNS implementation code (like several disclosed in NAME:WRECK) are exploited as well. DNS is an exposed but necessary service, and it can be secured with good practices and a solid Zero Trust policy.
In this blog we will walk through a number of DNS configurations, look at what is right and wrong with each, and cover the steps you can take to secure your own.
Scenario 1 (Worst Case)
In this scenario, endpoints of all sorts send their name lookups directly to an internet resolver (typically Google’s or an ISP’s such as Verizon’s). This is the typical home-user configuration and, unfortunately, also a typical configuration for IoT devices and guest networks across many enterprise verticals. Attacks can come from anywhere upstream and in any form: malformed packets, bad answers (sending the host to a malicious location), or worse.
Even a next-generation firewall that understands DNS at the application layer is not enough on its own.
Scenario 2 (Typical Enterprise)
This is the most common implementation of DNS in enterprises across the world: a local name server (authoritative for the internal zones) is the ‘first hop’ for clients and provides recursion out to the internet. Some enterprises add a layer of DNS security with response policy zones, next-generation firewalls, or a secure DNS service on the internet side. Set up according to best practice, this delivers minimal security (yes, minimal), but if we are working with cyber-physical systems in manufacturing, healthcare or financial services it is not nearly enough.
What is Best Practice?
The firewall blocks all DNS traffic (outbound and inbound) except to and from the internal DNS servers, which run DNS security in the form of response policy zones; those internal servers in turn forward their recursive lookups only to a secure DNS provider (e.g., Cisco Umbrella, Akamai, Neustar or a similar service).
Scenario 3 (Reference DNS)
This is a better set up and is often considered the ‘reference’ DNS architecture for many. This scenario will protect most internal hosts from many, many sorts of exploits and attacks. However, this configuration still falls short for Cyber-Physical Systems (and even some core services servers) when we apply Zero Trust concepts to the DNS service.
Scenario 4 (Best Practice for Cyber Physical Systems)
Starting from the reference DNS setup with best practices applied, we need to add yet another dimension to the architecture for cyber-physical systems.
Most cyber-physical systems do not rely on internet lookups to function, and if we apply Zero Trust ideology to the DNS architecture we should deny them any access that is not necessary. This architecture permits internal lookups and communications as needed but stops any other lookups, payloads, command and control (C2), or other DNS mischief dead in its tracks. For the few systems that look up a single address for firmware downloads, check-ins or cloud-based management, simply add conditional forwarders for those domains (e.g., an imaging system might store images in the cloud and need a set of internet-facing addresses, so allow lookups only for that domain).
This method can take some time to set up, but it is much more secure overall and will protect your most valuable and critical systems from DNS-related exploitation and harm.
In Summary
- Do not allow internal hosts to query the internet directly.
- Do not trust external nameservers (such as Verizon’s or Google’s).
- Use secure DNS providers such as Cisco Umbrella, Neustar or Akamai for recursion, and add DNS security in the form of Response Policy Zones (RPZ) on the internal resolvers.
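As an added example (not part of the original post), the Python script below turns the summary points and the Scenario 4 rule for cyber-physical systems into checks you can run against exported flow records and resolver query logs. The networks, resolver addresses, zone names and log records are all constructed; the ‘secure upstream’ addresses stand in for whichever secure DNS provider you use, and the tuples are a simplified stand-in for whatever your flow collector and resolver actually export.

```python
"""Added example (not from the original post): audit DNS traffic against the
rules in the summary above. All addresses, zone names and log records are
constructed; SECURE_UPSTREAMS are placeholders, not any provider's resolvers.

Rule 1: internal hosts only talk DNS to the internal resolvers (no Scenario 1).
Rule 2: the internal resolvers only recurse to the approved secure upstreams.
Rule 3: cyber-physical hosts only resolve internal zones or the vendor
        domains explicitly served by conditional forwarders (Scenario 4)."""
from __future__ import annotations

import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CYBER_PHYSICAL_NETS = [ipaddress.ip_network("10.50.0.0/16")]   # e.g. imaging / OT VLANs
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}                  # RPZ-enabled internal DNS
SECURE_UPSTREAMS = {"198.51.100.53", "198.51.100.54"}           # placeholder secure DNS IPs
INTERNAL_ZONES = ("corp.example.",)
CONDITIONAL_FORWARDERS = ("updates.imaging-vendor.example.",)   # only internet names CPS may resolve

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.10.1.20", "10.0.0.53", "udp", 53),       # host -> internal resolver: fine
    ("10.10.1.21", "8.8.8.8", "udp", 53),         # host bypasses internal DNS (Scenario 1)
    ("10.50.3.9", "203.0.113.7", "tcp", 53),      # CPS host bypasses internal DNS
    ("10.0.0.53", "198.51.100.53", "udp", 53),    # resolver -> secure upstream: fine
    ("10.0.0.53", "203.0.113.200", "udp", 53),    # resolver recursing to an arbitrary server
    ("10.10.1.20", "10.0.0.53", "tcp", 853),      # not port 53; outside these rules
]
# Constructed resolver query log: (client_ip, qname)
QUERIES = [
    ("10.50.3.9", "pacs01.corp.example."),                 # internal zone: fine
    ("10.50.3.9", "fw.updates.imaging-vendor.example."),   # conditional forwarder: fine
    ("10.50.3.9", "x7f3a.payload.example.net."),           # CPS host resolving the open internet
    ("10.10.1.20", "www.example.org."),                    # general segment: permitted
]


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def qname_under(qname: str, zones) -> bool:
    """True if qname is a zone apex or a name below one of the zones."""
    q = qname.lower().rstrip(".") + "."
    return any(q == z or q.endswith("." + z) for z in zones)


def audit_flows(flows) -> list[tuple[str, str, str]]:
    """Rules 1 and 2 over (src, dst, proto, dport) flow records."""
    findings = []
    for src, dst, _proto, dport in flows:
        if dport != 53:
            continue
        if src in INTERNAL_RESOLVERS:
            # Resolver egress: anything not internal and not the secure provider is a leak.
            if dst not in SECURE_UPSTREAMS and not in_nets(dst, INTERNAL_NETS):
                findings.append(("rule2", src, dst))
        elif in_nets(src, INTERNAL_NETS) and dst not in INTERNAL_RESOLVERS:
            findings.append(("rule1", src, dst))
    return findings


def audit_queries(queries) -> list[tuple[str, str, str]]:
    """Rule 3 over (client, qname) resolver query records."""
    allowed = INTERNAL_ZONES + CONDITIONAL_FORWARDERS
    return [("rule3", client, qname) for client, qname in queries
            if in_nets(client, CYBER_PHYSICAL_NETS) and not qname_under(qname, allowed)]


if __name__ == "__main__":
    for finding in audit_flows(FLOWS) + audit_queries(QUERIES):
        print(*finding)
```

Rules 1 and 2 are the ones the firewall should already be enforcing, so any hit from `audit_flows` on production flow data is either a gap in the firewall policy or a device that needs a conditional forwarder. A rule 3 hit from `audit_queries` is what you would expect to see from a cyber-physical device before its vendor domain is added as a conditional forwarder, or from one that has been compromised and is trying to reach out over DNS.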
Jamison Utter
Jamison brings 25+ years of IT/Security experience spanning large organizations like Sprint, SUN Microsystems and Palo Alto Networks where he led the OT/IoT business development unit and startups like Infoblox where he was the security evangelist for many years. His deep desire to understand a customer’s internal and external problem set make him an empathic speaker and his experience in many roles spanning sales, channel, BD, and evangelism make him a capable and competent industry visionary. With hundreds of public speaking engagements including the EU congress at the Hague and a special briefing for Homeland Security and select members of the US Senate, he has addressed CISOs and legislators alike.