Welcome to my first blog post with Ordr, which is hopefully the first of many. Here at Ordr we’re all about network-connected device information and providing insightful knowledge, however this comes in many forms. At its simplest form it could be data, binary, Boolean or it could even be a string, but what’s most important is its fidelity, accuracy and relevance. Globally, organizations are starting to truly embrace data, especially big-data, but they are starting to realize that they don’t want just data, what they really want is information and knowledge that they can use within their current workflows.

Connect Anything and Everything 

I like to talk about living in the era of ‘connect anything and everything’; these connected devices across any wired or wireless infrastructure come in all shapes, sizes, flavors. More importantly there is a high variance historically in IT’s ability to correctly identify them and understand their risk and compliance status. In my first few months at Ordr, I had the opportunity to sit down with many customers to understand their needs. In short, our customers look to Ordr to provide valuable insights as to what is connected to their network, what exactly is that device, how it is behaving individually or compared to its peers and be able to identify those devices/endpoints that are misbehaving or perhaps possess vulnerabilities again, this is critical information and knowledge, not just data.

Ordr Data Lake for Device Enrichment 

We pride ourselves on our foundational ability to identify all network-connected devices with a high degree of fidelity using deep packet inspection (DPI) to provide the insights that matter. Using the raw packet data from your network, we are able to classify all devices at-scale, then enrich that data in our Data Lake with various third-party data sources to turn it into the context that you need to help secure your infrastructure.

Part of my core responsibilities at Ordr is to expand the eco-system of integration partners. As we support more customer workflows, it is essential to allow more data into the Ordr Data-lLake for enrichment, but that data has to be of high trust and fidelity.  That’s why we are embarking on adding a number of additional new integrations that provide us with unique contextual data to enrich our analysis and provide more insightful information and knowledge to our customers.

Integrations 

In early 2021, we announced Ordr SCE 7.4.2, delivering more than 160 new features, integrations, and enhancements to provide unparalleled visibility and protection to organizations globally for security, IT, and HTM teams and their connected devices.  In this release, we announced our integrations with Anomali, Exabeam, Fortinet, IBM QRadar, and Ping Identity. In this blog, I want to highlight the Anomali and Fortinet integrations, to give you an idea of the openness of our technology and the agnostic approach we are taking within the industry to ingest data or to use our device context to enrich or enforce policies in existing solutions:

• Anomali – Let’s start with Anomali, we worked with Anomali to ingest their STIX/TAXII 2.0 feed. Anomali consolidates various Cyber Threat Information (CTI) feeds and normalizes the data. Then, via a STIX/TAXII pull, Ordr is able to pull in the normalized data and enrich it with device context.  The key to this is that we have built this using the very latest STIX/TAXII 2.1 standards. STIX/TAXII allows the sharing of CTI data. The CTI feed of data provides indicators of compromise, generally referred to as IOCs that allow Ordr SCE to find the needle in the haystack. The IOCs provide the bread-crumb-trail such that a vendor like Ordr can identify activity on the network that matches the signature of an IoC. This type of data is very targeted and is a true case of less is more.
• Fortinet – In contrast to the Anomali integration, which is very much an inbound ingest integration, our recent Fortinet integrations is primarily an outbound enforcement integration. We use AI and advanced machine learning, along with the Ordr Data Lake device context to create a complete Ordr Flow Genome profile of every device and its behavior. This baseline forms the foundation of segmentation policies to allow devices access while limiting exposure. We are leveraging the open API’s from FortiManager and FortiGate to enable Ordr  to dynamically create and push out these enforcement policies. This can be to FortiGate firewalls or FortiNAC as an enforcement point. l said above it is primarily an outbound-based integration, but we also have the ability to consume basic traffic flow information from FortiGate to enhance and embellish the threat information we already have.

In the coming year, we are planning to implement additional inbound/outbound/bi-directional integrations for the benefit of our customers. As part of that process, we are constantly reviewing the integration use-cases developed to see where we can leverage more context to enable better device context.

October is Cybersecurity Awareness Month under the leadership of CISA and the National Cyber Security Alliance (NCSA). The goal is to continue to raise awareness about the importance of cybersecurity across our Nation. This year’s theme is to be #cybersmart, as we all play a role in the security of our own “cyberspace”. Focusing on cybersecurity and being cybersmart can positively impact our lives, but also the organization we work for and our nation.

To kick off cybersecurity awareness month, here are the five tips to be #cybersmart.

1. Use a password manager – It’s important to have great password hygiene. This means making sure your passwords are hard to crack, that it is long enough and a combination of uppercase and lowercase characters, numbers and special characters. You also don’t want to reuse passwords for various accounts, so the best way to manage this is to use a password manager that will securely store all your passwords for your various accounts.
2.  Don’t use public hotspots – When you’re at the airport, your favorite coffee place or at the library, do you connect to the public WI-FI network? A safer option is to connect to your phone’s hotspot, or use a VPN. There are no guarantees that public WI-FI networks are secure. In fact, with the flaws discovered in WPA2, the encryption standard that secures modern WI-FI networks, attackers within the range of vulnerable wireless access points can become a “man-in-the-middle”, intercepting passwords, emails and other sensitive data. In many cases, they can also inject malware into the sites that you’re visiting.
3. Update your applications – whether you’re on your mobile device or laptop, you’re probably running a number of key applications that will come with vulnerabilities. Enable automatic updates on your applications or make sure that you’re updating them regularly with patches. This includes browser updates such as Chrome or Safari.
4. Use multi-factor authentication – Many applications offer multi-factor authentication. This means you’re required to validate your identify via two or more pieces of credential. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint or faceID). Your credentials must come from two different categories to enhance security. You can add an extra layer of defense to your accounts by enabling multi-factor authentication.
5. Beware of phishing scams – One of the most common delivery systems for malware is via phishing scams, via attachments that come to you in an email, masquerading as a file you should trust. Once they’re downloaded and opened, they can take over you computer. Avoid clicking on links from people you don’t know about, or clicking on links in email messages with grammatical errors and details that don’t make sense. Some phishing scams are very targeted so beware of oversharing sensitive information on social media that would make it easy for hackers to target you.

Danelle Au

Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach where she helped build the marketing organization and and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. She has an MSEE from UC Berkeley

Today, in conjunction with Check Point’s IoT Protect Program announcement, we’re excited to not only highlight Ordr’s participation in the program, but also to announce the Ordr Systems Control Engine’s availability directly through Check Point. We’re excited to work with a great security partner with market leading technology.

When we built the Ordr SCE, we created a robust AI platform to deliver high-fidelity visibility and security for all unmanaged devices – IoT, IoMT and OT. However, we knew that was not enough. We also focused on automating the critical job of securing these devices, not only reducing the burden on security and networking teams but making previously complex management tasks simple and automatic.

After all, these unmanaged and IoT devices bring very different challenges to an organization. They often cannot be brought out of service, they cannot be scanned or patched, and you cannot install a security agent on them. But unlike end users, unmanaged and IoT devices have very specific and predictable communications patterns. Video cameras need to connect to a camera management system. Medical imaging devices need to communicate to a central PACS or DICOM server. Neither wakes up in the morning and decides to browse the web.

How does Ordr address this? Once we discover and categorize these devices, Ordr’s Flow Genome maps each device’s unique, customer-specific communications patterns and profiles exactly how it should communicate and behave. We then proactively create specific network segmentation policies for each category of device and enforce them on networking and security infrastructure to only allow these “sanctioned communications.”

This is a Zero Trust Network in action.

Ordr SCE does not create segmentation policy recommendations, guidelines, or suggestions. The policies do not need tweaking or customizing. They do not need updating when new devices join the network, or existing devices move to a new location or receive a new IP address. They do not need to be exported as a CSV file, manually uploaded into another system, and refreshed with a chron job. They fully integrate with Check Point’s APIs, providing full, automated context right in the Check Point IoT Protect Manager.

This is the differentiator of the Ordr and Check Point integration. Whether it is proactive segmentation or quarantining an infected device, we will dynamically create and enforce policies for IoT devices with one click of a button. As new devices are added to the network that match a particular device profile with an active policy, this new device will automatically be protected.

This is a huge benefit for any organization with Check Point infrastructure, as it protects your existing investment. At the same time, our ability to generate these policies alleviates the challenges of manually addressing risks and vulnerabilities across the hundreds of thousands of unmanaged and IoT devices that may exist in a network.

Benefits of combining the Check Point and Ordr solutions include:

• Automatic discovery and classification of IoT, IoMT and OT devices
• Direct integration of device context into the Check Point IoT Protect Manager, including asset type, make and model, OS version and risk information
• Use of Check Point’s advanced APIs to automatically send Ordr Zero Trust segmentation policies to the Check Point IoT Protect Manager for distribution to Check Point’s Quantum Security Gateways^TM
• Automatic updates of Check Point’s Quantum Security Gateways^TM with current device IP information, regardless of network location or dynamic addressing
• Dynamic generation of firewall zoning policies directly into Check Point IoT Protect Manager , allowing for protection and control of the IoT and OT environment within minutes

For more information on the joint integration, please check out our detailed Check Point partnership page here and the Check Point IoT Protect page.

Bryan Gillson

Bryan joined Ordr in November 2019 after spending six years as VP Strategic Alliances at Ionic Security. At Ionic, Bryan initiated and managed business relationships with system integrators such as Accenture, Deloitte, and PwC, and closed OEM partnerships with vendors in the CASB, virtualization, and data protection sectors. Previously, Bryan led product management and business operations for Symantec’s encryption products and information protection groups after integrating the acquisitions of both PGP Corporation and GuardianEdge. Prior to Symantec, Bryan led the business development team at PGP Corp. and was a VP in Merrill Lynch’s Technology Investment Banking group.

Identity is a foundational component of modern security models, allowing organizations to control the data or services a user or account should be able to access. The explosion of IoT, IoMT, OT and other connected devices introduces significant gaps in identity-based security while creating new challenges and posing questions:

What is an identity for these devices that do not inherently have what we think of as an identity? 

How can we close the gap and bring identity-based controls to these critical devices? 

This post looks deeper into the challenges, these questions, and how Ordr helps provide answers in a straightforward and automated way.

It’s the End of Identity as We Know It…and I Feel Fine?

There are several methods organizations use to establish and verify identity for their users and assets. Unfortunately, none of these methods work well for the new class of connected devices.

Traditional devices such as laptops and workstations can be associated with a specific user and can be reliably linked to that user’s identity. Security teams can also verify the identity of a device by installing certificates or using USB keys. When a high-value asset is accessed, multi-factor authentication mechanisms can be leveraged by sending the user a passcode via email or text to be provided for additional verification.

The new class of connected devices are rapidly increasing in numbers and can be found everywhere in enterprise environments. Connected devices include everything from consumer products and phones to printers and media displays. In industrial settings IIoT and OT devices span the range of sensors to the multi-million dollar equipment essential to manufacturing lines. In healthcare, IoMT includes a vast array of medical devices from health monitoring equipment to magnetic resonance imaging (MRI) scanners that are critical to delivering care and ensuring patient safety.

Connected devices are increasingly critical infrastructure in organizations across industries, yet these devices can’t be managed the same as traditional devices. The simple task of installing enterprise certificates or endpoint agents is virtually impossible since many of these devices run embedded operating systems or are agentless. Even if agents could be installed, the vast diversity of hardware and software variations of IoT devices makes it almost impossible for vendors to develop and support agents.

Connected devices are commonly found with software stacks from various sources layered on embedded and customized operating systems. For these devices, any tool that uses a map of the processes to perform behavioral analysis is virtually useless.

Integrated firmware running on connected devices typically prevents any new software from being installed to ensure security and device reliability. As an example, new software can’t be installed on a piece of medical equipment once it’s gone through FDA certification.

Multi-factor authentication is another non-starter for IoT. An infusion pump can’t be expected to receive and provide a passcode to verify its identity.

Bringing Ordr to the Chaos of IoT Identity

With all of these limitations, how is identity determined and used for connected devices? The best unique identifier (not identity) is a device MAC address or serial number. MAC addresses are at least trackable (although easily spoofable), but serial numbers are nearly impossible to track and manage.

Ordr takes a new approach that doesn’t require IT and security teams to manually track the endless minutia of device details or do anything to update or change devices. Instead, Ordr automatically and passively analyzes the behavior of each device and recognizes a device’s identity based on what it actually does (i.e., the device communication).

To illustrate, let’s look at a device that claims to be a printer. Does it act like a printer? How do we know how a printer should act?

To answer this a large number of printers must be studied to understand what printers normally do, the protocols they speak, destinations they connect with, packet patterns they exhibit, etc.

With sufficient sampling a baseline can be established and used to verify if a new “printer” behaves like all the other printers previously seen – if it walks and squawks like a printer, then it’s probably a printer.

It’s also important to understand normal behavior for a particular environment. It’s not enough to know if a printer is behaving within the norms of other printers – it’s essential to know if the printer is behaving like my other printers. Is it talking to the appropriate management server, using the appropriate network segments, and so on.

The combination of global and local insights into behavior gives a very reliable approach to understanding a device’s identity. Just as importantly, it is a passive, hands-off approach that doesn’t require more work from staff or to change anything on the device itself.

As a result, Ordr is able to easily establish identity and continuously monitor it throughout its life cycle. Request a demo to learn more about how Ordr can help with identity and security for all your IoT, IoMT, OT and other connected devices.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

CAASM+ DIfferentiators Series: Ordr’s Advanced Deduplication and Data Integrity Features are Vital to a Successful CAASM Strategy

In the ever-evolving landscape of cybersecurity, the need for an innovative and effective Cyber Asset Attack Surface Management (CAASM) strategy is more critical than ever. And as we navigate the complexities of integrating data from disparate sources to embrace the advantages of CAASM, it’s essential to ensure that cyber asset data is rich, timely, and accurate. That requires a data integrity program supported by complete asset visibility and real-time data ingestion, and I am excited to share with you how Ordr is leading the charge in enhancing data integrity through our advanced deduplication and data correlation methodologies.

Data integration within CAASM platforms is like assembling a jigsaw puzzle, where each piece comes from different puzzle sets. We have noticed that, without a coherent strategy, this results in a fragmented understanding of the cyber asset landscape akin to tunnel vision. Each tool in an organization’s arsenal only offers a glimpse into the assets within its scope. True asset visibility can only be accomplished by performing aggregation, normalization, mapping, and correlation to this data using GenAI organizational methods.

The Duplicates and Ephemeral Device Conundrum

One particularly challenging aspect of CAASM is managing duplicated data in situations such as IP rotation, MAC randomization, multiple adapters, etc. Ephemeral tech apparitions could be anything from virtual machines to IoT gadgets—ubiquitous yet elusive. These devices come through VPNs, get spun up as VDIs, etc., as they fit in and out of corporate networks. That makes acquiring and managing an accurate asset inventory a Herculean task using traditional approaches and tools.

That is because traditional asset discovery methods are like using a net with oversized holes: they simply cannot catch these quicksilver-like devices. For however long they are active in the network they have an effect on operations and risk calculus, opening a window to incidents and threats. And so, while invaluable for monitoring more persistent assets, agent-based and other asset management solutions often fail with ephemeral devices that avoid consistent network connections.

Ordr’s Unique Approach to Dynamic Asset Discovery

At Ordr, we’ve developed dynamic asset discovery mechanisms that embrace the transient nature of duplicate and ephemeral devices that is endemic to network operations today. Our approach involves leveraging real-time monitoring technologies and anomaly detection algorithms to spot these elusive assets based on their behavior.

Enhanced network visibility is also crucial. We provide additional insights into device activity by incorporating contextual real-time activity from network sources and endpoint telemetry. This contextual intelligence is pivotal in differentiating between legitimate devices and transient entities. Moreover, we utilize machine learning algorithms to sift through network-based real-time data ingestion, seeking out anomalous patterns that might signal an ephemeral device. These models, honed on historical data, enhance detection accuracy and minimize false positives.

Ordr’s AI/ML Deduplication

Addressing errors related to manual data entry and data duplication is another perpetual challenge in data management. Given the speed and volume of data creation and change, there is no practical reason to rely on manual data entry today, and yet it remains. At Ordr, we recognize that duplicated data is not just a nuisance—it can be a significant obstacle in business operations and security triaging.

What sets Ordr apart is our innovative use of AI and ML in deduplication. Our advanced machine learning techniques, along with predictive large language models, classify devices within an extensive asset knowledge base. We organize devices into an “Asset Catalog” with a sophisticated hierarchical structure, from buckets to categories, sub-categories, profiles, and device instances, along with business/owner context such as who is using the asset.

This organizational prowess and our learning engine’s precise identification capabilities significantly enhance our deduplication algorithm. We developed the vast Ordr Data Lake with rich profiles on millions of crowd-sourced individual assets, informed by data from manufacturers and other authoritative sources, which aids in the comprehensive understanding of device identities.

The Importance of Data Preprocessing

Our strategy hinges on establishing each device’s “true identity” through globally unique identifiers. This foundational understanding is essential for effective deduplication and provides the context to prevent erroneous duplicates.

Every integration at Ordr undergoes a rigorous mapping process to ensure incoming attributes are normalized, mapped and represented within our central database. This preprocessing is vital for maintaining data quality and consistency, forming our subsequent analysis’s bedrock. These innovative strategies that address the nuances of our digital ecosystem pave the path to robust CAASM. And we tirelessly refine our methodologies to ensure that our enterprise customers have a reliable, single source of truth for their asset management needs.

The Road Ahead

I hope this blog clarifies the importance of sophisticated data management within CAASM and how Ordr is at the forefront of tackling these challenges. Our mission is to empower organizations with the tools to manage their assets effectively, ensuring security and operational efficiency in an increasingly complex cyber landscape with an expanding attack surface.

As we look to the future, we remain committed to continuously improving our platform and ensuring that it remains at the forefront of the fight against cyber threats. Thank you for joining us on this journey as we redefine the standards of CAASM and pave the way for a more secure digital world.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

SANTA CLARA, Calif., Oct. 4, 2023 /PRNewswire/ — Ordr, the leader in connected device security, announced an integration with ServiceNow Vulnerability Response, expanding Ordr’s existing bidirectional integrations with ServiceNow Service Graph Connector, CMDB, and ITSM. The joint effort extends Ordr’s deep insights into all connected devices, enabling optimized vulnerability management, creating better experiences, and driving value for customers with its unique solution, built with the Now Platform.

ServiceNow’s expansive partner ecosystem and partner program is critical in supporting the $220 billion market opportunity for the Now Platform. The revamped ServiceNow Partner Program recognizes and rewards partners for their varied expertise and experience to drive opportunities, open new markets, and help customers in their digital transformation efforts.

“We’re thrilled to expand our tight bidirectional integrations with ServiceNow and extend our device vulnerability and risk insights to ServiceNow Vulnerability Response,” said Pandian Gnanaprakasam, Chief Product Officer and Co-Founder, Ordr. “This addresses a critical need for customers with devices not covered by traditional scanning or agent-based solutions. The integration enables an optimized solution for risk reduction by leveraging Ordr’s full visibility and vulnerability insights, combined with workflows in ServiceNow Vulnerability Response, and the ability to track and close the loop on the status of vulnerabilities across both platforms.”

Ordr’s existing integration with ServiceNow Service Graph Connector ensures comprehensive and accurate details for every network connected asset, including all managed and unmanaged IT, IoT, IoMT, and OT devices. These details are essential to customers looking to enrich and reconcile device data in the ServiceNow CMDB for an up-to-date asset inventory, building ITSM workflows to optimize device management efforts.

Extending Ordr’s insights through integration with ServiceNow Vulnerability Response enables customers to:

• Close vulnerability and risk visibility gaps with insights into all devices, including those not covered by endpoint agents or active scanning tools.
• Maintain a centralized and comprehensive view of all device vulnerabilities and risk by leveraging Ordr insights collected from multiple sources with no impact to devices, services, or patient/operator safety.
• Accelerate vulnerability management tasks and reduce risk with accurate vulnerability data to enable ServiceNow Vulnerability response capabilities across the full lifecycle.
• Track vulnerability management efforts by leveraging bidirectional integration for up-to-date vulnerability status in the Ordr and ServiceNow platforms.

As a Registered Build Partner, the certified integration provides customers with the ability to integrate Ordr’s comprehensive and accurate connected device and vulnerability insights with ServiceNow Vulnerability Response, and is available in the ServiceNow Store.

“Partnerships succeed best when we lean into our unique skills and expertise and have a clear view into the problem we’re trying to solve,” said Erica Volini, senior vice president of global partnerships at ServiceNow. “Ordr’s integration extends our reach well beyond where we can go alone, and represents the legacy and goals of the Now Platform. I am thrilled to see the continued innovation we will achieve together to help organizations succeed in the era of digital business.”

For more information, learn more about Ordr’s integration with ServiceNow Vulnerability Response and how Ordr works with other ServiceNow capabilities .

About Ordr
Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing Venture Capital, Ten Eleven Ventures, Northgate Capital, Kaiser Permanente Ventures, and Unusual Ventures. For more information, follow Ordr on Twitter and LinkedIn.

ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries.