It’s December 8, 1941, and you’re in charge of defending the United States against future enemy air attacks like the one that devastated Pearl Harbor. What would you do?

Given the technology of the time, you wouldn’t have had many choices. You might have recruited scores of civilians and given them illustrated books showing what German and Japanese warcraft looked like and how to distinguish them from American or British planes. Then you’d ask these civilians to take up observation posts and call a phone number when they spotted anything suspicious.

That’s indeed what happened and what served as a national alert system until later in the war when radar was invented. Lucky for the United States, the action remained almost entirely away from American shores throughout World War II.

But the human radar example, along with subsequent warning and response systems, provides a rough parallel to the progress of network security defense mechanisms from the early days of IT until now. It’s a story that highlights common requirements between keeping a country safe from bombings and a network safe from breaches. From an operational standpoint, each of these systems needs to meet three objectives:

1. Comprehensively monitor the threat posed by the enemy
2. Accurately detect threats
3. Quickly and thoroughly respond to neutralize the threat

Noble goals, but as we shall see, they’re not so easily accomplished.

The 7 stages of network security evolution

Stage 1: Intrusion Detection System (IDS)

In the beginning, there was the intrusion detection system (IDS) method, which is not terribly different from printing up a bunch of enemy plane illustrations and telling your network to be on the lookout for them. In the IT case, the illustrations were “signatures” of the known malicious threats that had been identified based on past attacks.

There were two major problems with this system:

1. It didn’t do you any good if the enemy had developed a new weapon that didn’t look like the ones it attacked you with previously and…
2. Once spotted, the detection system didn’t prompt any automatic responses – just a “hey, you might want to do something” call to headquarters.

In all fairness, the initial ideas for IDS came about in the early 1980s when the only people using networks extensively were governmental agencies. The true cyber wars were decades away, so a relatively primitive network monitoring tool sufficed.

Stage 2: Intrusion Prevention System (IPS)

As attacks ramped up, the people who developed network security tools next added a basic response feature: blocking. The packet containing the dangerous goods was prevented from delivering the payload to a target by using an intrusion prevention system (IPS) to shut down access to email addresses, websites, and the like. In warfare terms, this is like erecting a shield over your target without doing anything to anticipate and prevent future bombing raids.

The other issue that came to undermine effectiveness was a vendor’s tendency to brag about how many attackers they’d identified to keep networks safe in the form of “playbooks.” Vendor A claimed that it was better than Vendor B because it listed, say, 3,500 malware agents in its playbook while its competition only had 2,000. This slowed down operations as the system thumbed through its databases and tried to determine if blocking was needed.

Stage 3: NetFlow

Cisco developed this protocol for its switches and routers to give SecOps a broad overview of what was happening on the network. Now the security team had visibility of activity so it could effectively monitor and troubleshoot network performance across all data sources. This provided ready-made, native tools to investigate issues without using workarounds that might or might not work.

Stage 4: Network Forensic Technology (NFT) and Metadata

While it’s great to have a broad view of threats to a network, you also need to be able to dig deep and analyze individual threats. To do so, you need to look at the packets in question – and do so quickly and efficiently. Network Forensic Technology (NFT) and metadata did exactly this by looking at the packet headers. Metadata in particular, was a significant advance in that it could see patterns and quickly group threats that resembled other threats. This is similar to the way that photo programs now can recognize a face and help viewers pull all shots of a given person from thousands they may have captured with just a few clicks rather than sorting through the entire catalog.

Stage 5: Network Analysis and Visibility (NAV)

While NetFlow gave visibility into what was happening with devices that incorporated the Cisco technology, it didn’t give teams a hint about what was happening elsewhere on their networks. Enter Network Analysis and Visibility (NAV) — a tool that pulled the covers off assets that might previously have been hidden. This means everything — in the cloud, on-prem, and even ZTE/SASE solutions — comes into view.

Stage 6: Network Traffic Analysis (NTA)

NAV was introduced in 2011, and eight years later, a further refinement came in the form of network traffic analysis (NTA). The visibility extended into such access points as IoT devices and deepened the ability to look closer and deeper at problematic traffic. There’s only one problem: We’re still largely just SEEING the threatening enemy with these devices and sealing off dangerous openings. What we need is something that can neutralize the attacking group — if not exactly a squadron of fighters shooting down enemy bombers, at least some mechanism to take countermeasures automatically.

Stage 7: Network Detection and Response (NDR)

The most recent and most effective method of defending networks from intruders, network detection and response (NDR) provides not only the extensive analytical and visibility power that previous generations have developed, but — as the name implies — an automated response as well.

In its NDR market guide, Gartner provided several criteria for a product to be classified as such. A true NDR must:

• Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real-time or near real-time.
• Monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network).
• Be able to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
• Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics that detect network anomalies.
• Provide automatic or manual response capabilities to react to the detection of suspicious network traffic.

At Ordr, we advocate that the above Gartner-outlined features aren’t enough. To more comprehensively detect against all threats, NDR should evolve, and the following capabilities need to be considered.

• Integrated IDS – Yes, IDS has been around for a while, and it may not be as sexy as all other new threat detection capabilities. But it’s tried and true. A comprehensive threat detection solution should incorporate an IDS to detect known threats. An integrated IDS complements machine-learning behavioral techniques.
• Device context – For security teams that receive a threat alert about a potentially-compromised device, additional insights on that device are needed to move from “detection” to “response.” For example, information on what the device actually is that’s compromised, where it is located, data enrichment, business context, what actions are possible, how to prioritize those actions, what the compensating controls should be, and what actions to take if the device is offline. This means that while NDR may be a network-centric view of cybersecurity, organizations need to evolve to an asset-centric view of cybersecurity.
• Network context – In addition to device context, you need to understand details about where a device is connected, what is the wireless/wired access, what are the “normal” network flows.
• Retrospective analysis – New IoCs are constantly being generated as new criminal gangs form. A detection and response solution needs to incorporate the ability to ingest newly announced indicators of compromise, and determine if an infected device is already in the network. We know that attacks stay in the network for months at a time; retrospective analysis identifies compromised devices that have bypassed existing security controls so you can address security gaps that exist.
• Response – and Remediate not just Detect and Respond –  Automated response means everything during a security incident; you cannot just rely on SIEM (too much data to analyze), or SOAR (assumes the recipe to remediate is in place, which it may not be). A next-generation detection and response solution needs to be able to properly generate remediation policies or segmentation policies to quarantine an infected device and orchestrate action on appropriate networking/security infrastructure. The device and network context outlined earlier is the foundation for proper policy creation to allow a potentially compromised device appropriate access required for its role while limiting exposure. Creating the ability to implement, operate, and orchestrate efficient and effective policy drive automated actions.

*Note: These capabilities above are critical and should be added to NDR requirements. Ordr supports these features and more. 

Ordr: The next level of detection and response

Ordr builds on all the accomplishments of the past and moves it to something unimaginable in the early days of cybersecurity — as different from the labor-intensive, incomplete manual methods as modern missile defense systems are from those civilian plane-spotter projects. Now you have a thorough, granular  understanding of all devices, the ability to detect known and unknown threats, and an automated process for defending yourself. With Ordr, you know what devices are connected, what activities they’re executing, which ones are vulnerable, and how you can secure those devices at scale.

It’s a solution that is being embraced by organizations in a wide range of verticals that need to keep their guards up — healthcare, life sciences, government, manufacturing, retail, and enterprise in general.

We invite you to see Ordr in action and see how we can give you the complete protection your organization deserves.

Brad LaPorte

Former Gartner Analyst and partner High-Tide Advisor.

As we stand at the threshold of a new year, it’s time to reflect on the crescendo of achievements, growth, and unwavering commitment to innovation that defined Ordr’s remarkable journey through 2023. Join us in revisiting the symphony of passion, a customer-first philosophy, and excellence that set the stage for an even more promising 2024.

Passion in Progress: A Year of Growth

The heart of Ordr has always pulsed with unbridled passion for progress, and 2023 was no exception. With year-to-year growth in annual recurring revenue of nearly 250%, Ordr surged forward, reinforcing its leadership in healthcare and expanding its influence across diverse industries. The passion to embrace digital transformation and fortify against evolving risks drove our enterprise partners to recognize the significance of safeguarding every connected asset. Ordr emerged as a trusted partner, ensuring that enterprises transform and do so securely.

Customer-First Spirit: Orchestrating Security

At Ordr, the mantra of “customer first, customer last” is a guiding principle woven into the fabric of our daily operations. Our support team, fueled by the indomitable spirit of dedication, ensured that our customers felt the warmth of our commitment. From yearly SOC2 audits and penetration testing, to periodic security bulletins, every action was a testament to our customer-first approach. We provided white-glove service to marquee clients and worked with all of our customers with supreme care to ensure the security of each. We frequently got in front of our customers and listened to their comments, experiences, and suggestions and used that input to improve our products and help them to be successful in their security maturity journeys.

Excellence Unveiled: Product Evolution

Ordr’s commitment to excellence was unwavering in adding features that continuously kept us ahead of the competition while addressing and anticipating market demand. The symphony of innovation and R&D translated into 13 software releases, featuring over 100 new enhancements released at a cadence of every two months. The harmonious introduction of unique features, collaborations with industry giants, and addition of many major new integrations showcased Ordr’s dedication to staying ahead of the dynamic threat landscape. Ordr now has robust, bi-directional integrations with several major players in areas like endpoint detection and response (EDR), mobile device management (MDM), vulnerability management, threat intelligence feeds, security information and event management (SIEM), IT service management (ITSM), network access controls (NAC) and firewalls, network infrastructure management, data center, cloud, endpoint management, medical devices, computerized maintenance management system (CMMS), and more. Our product line enhancements are reflected in our technological prowess and a commitment to protecting mission-critical equipment and services for our customers.

A Year of Recognition: Industry Accolades and Partnerships

Ordr’s capabilities echoed far and wide, resonating through accolades and strategic partnerships. With our ServiceNow integration, we ensure our customers’ asset inventories are always accurate and up-to-date. We also work closely with Crowdstrike to secure every asset for our customers—agentless and agent-based. Segmentation and Zero Trust continue to be key strategic projects for every one of our customers, and we have had long term partnerships with Cisco, Aruba and Fortinet on these.

With the GE HealthCare CARESCAPE network, we help provide customers with enhanced self-management capabilities for their critical patient care devices. And with Sodexo Healthcare Technology Management, we enable the creation of a new managed healthcare technology management (HTM) services. Our expanding network of partners around the world further ensures that more enterprises will be able to protect their assets and networks with Ordr.

These efforts have raised our profile significantly. Ordr was recognized in Gartner Market Guides and Hype Cycles, underlining our expanding influence across all industry sectors. And many trade publications recognized us as a startup visionary, digital innovator, vanguard vendor, and IoT security leader, adding to the chorus of affirmations for our passion and excellence. During 2023 Ordr was:

• Named to the 2023 Startup 50, recognizing innovative technology companies solving real industry problems.
• Named a “Leading Security Visionary” in the annual Enterprise Management Associates (EMA) Vendor Vision Report.
• Named a 2023 Intellyx Digital Innovator Award winner by research firm Intellyx.
• Named among the 10 Coolest IoT Security Companies: The 2023 Internet of Things 50 by CRN.
• Named a 2023 Vendor on the Vanguard by ChannelPro.
• Named a Soonicorn on Tracxn’s “Internet of Things Infrastructure Startups 2023” list of top IoT companies to watch.

Building a World-Class Team: Talent Ready to Rock

The backbone of Ordr’s success lies in its world-class team. In 2023, the roster was fortified with C-level additions like Chief Healthcare Officer Wes Wright and Chief Revenue Officer Kevin Arsenault. We also expanded our customer success and field teams to leverage the massive opportunities in markets like financial services, manufacturing, government, bioscience, higher education, and healthcare. These additions bring Ordr deep industry experience and strategic vision to propel our business performance. The dedicated and richly talented Ordr team has translated to results in the product and market, including:

• 13 software releases, including Ordr 8.2, FIPS release, and bi-monthly patching.
• 100+ new features, including GUI enhancements, business intelligence analytics, parsers, and customer-specific implementations.
• 20+ new integrations in various categories, including MDM, EDR, firewall, maps, cloud asset, vulnerability assessment, CMDB and service graph connector, and more.
• Proof-of-concepts with major financial services, healthcare, educational, manufacturing and other organizations around the world.
• Annual SOC2 audit and pen testing.
• Migration to new threat intelligence feeds.
• Publishing security bulletins for emerging threats like MOVEit, Wayze Cameras, Cisco products, and more.

AI Driven Approach: Device Classification and Zero Trust Policies

Traditional policy-based management is becoming obsolete, giving way to AI-driven policy recommendation engines. We want to make it easy for our customers to gain accurate insights to reduce their attack surface and secure every asset, enforced on the networking and security products they’ve already invested in.

Ordr’s policy recommendation engine harnesses an extensive collection of device intelligence and behavioral models amassed in the Ordr data lake over many years. This curated knowledge base leverages machine learning and empowers Ordr to effectively categorize, compare, and analyze millions of devices operating in similar environments. Key capabilities of our Policy Recommendation Engine include:

• Behavioral Analysis: Analyzing vast datasets to identify patterns, anomalies, and trends in device behavior.
• Context-Aware Policy Generation: Generating context-aware policy recommendations tailored to the specific needs of a customer’s environment.
• Continuous Learning and Adaptive Policies: Adapting insights from ongoing network activities to manage policies in real time.
• Scalable Policy Comparison: Efficiently analyzing and comparing policies across millions of devices in real time.
• Proactive Anomaly Detection: Identifying deviations from established norms to enable policy adjustments before potential threats escalate.
• Threat Intelligence Integration: Applying information from threat intelligence feeds to enhance the engine’s ability to identify and respond to emerging threats.

2024: Our Time to Shine

Ordr continuously invests in our AI capabilities to provide easy data access and search capabilities using generative AI techniques and the fruits of those investments will be made manifest in our product roadmap and roll-out in the coming months. That is why I look forward to 2024. The stage is set for another Ordr grand performance. Our team, fueled by passion, a customer-first philosophy ingrained in our DNA, and a commitment to excellence, will continue to deliver bigger and better ways for our customers to manage their expanding asset inventories and attack surfaces.

We stand at the right place and time, armed with the best product in the industry and a great team. Together, we embark on a journey where success is not just a goal but a certainty. Here’s to the symphony of passion, the harmony of customer-first values, and the crescendo of excellence that will define Ordr’s triumphs in 2024.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Last week we posted about the Log4j vulnerability, advised all organizations to continue patching, and shared that Ordr was not impacted. We also provided an overview of Ordr features that you can use to detect and protect against attacks leveraging Log4j.

In this blog, we will dive into the details of how attackers are taking advantage of this vulnerability. The Russia-based Conti ransomware gang, for example, is exploiting Log4j via vulnerable VMware networks that have not yet been patched. We will look closely at the details of how you can use the Ordr System Control Engine’s (SCE) existing functionality and newly released enhancements to detect and protect against the Log4j vulnerability.

First, here’s a summary of how Log4j attacks progress in a network:

1. An attacker sends a simple HTTP GET request, or a well-crafted protocol message, to the target server. The request is a “User-Agent” header which includes a URL for a JNDI lookup, or a message with the exact string, JNDI for non-web protocols.
2. The request is passed to the Log4j library for logging.
3. The Log4j library attempts a JNDI lookup as directed by the URL. The URL directs this request to an LDAP server that is under the attacker’s control.
4. The LDAP server responds with directory information with a protocol header that includes a Java class to execute. The JNDI library instantiates and executes the class, which has the same system-level privileges as the server software that included the Log4j/JNDI libraries.
5. The successfully injected malware can then do whatever the attacker wants.  Risks include ransomware, exfiltration of sensitive data, and any other malware function.

What can Ordr do for you?

Identifying vulnerable targets

Ordr uses multiple methods to detect targets for Log4j. These include monitoring of SPAN or network traffic to detect attacks or probing a device with active scans to identify vulnerable devices. These are logged in the Ordr Security Dashboard Threat Card as a “special category” created to track Log4j attacks.

IDS based attack detection

The Ordr platform includes an integrated intrusion detection engine that monitors traffic to detect malware and attack attempts. Ordr sensors continuously monitor both North-South and East-West traffic for signs of malicious activity or violations of security policies.  This provides real-time visibility into instances of potential network compromises and insights into any lateral movement attempts made by an attacker.

Anomaly detection

The Ordr platform also includes a machine learning-based behavioral analytics engine. This method is used to confirm a possibility of attack, not a confirmation of an attack. It is recommended this information be analyzed, along with other potential events Ordr has added, for Log4j detection. Ordr SCE analyzes and baselines the traffic based on expected behavior, and any deviation from this normal traffic is marked as anomalous on the system. This model works well for all devices that have predictable traffic patterns. For example, a medical device running limited traffic patterns that suddenly displays new communication patterns should be considered potentially anomalous and be investigated.

Vulnerability probing

Ordr has introduced new vulnerability detection software for Log4Shell. This new scanner takes advantage of Ordr SCE’s knowledge of the devices being scanned. IoT and medical devices require special consideration to avoid interfering in their operation.  This capability is not available in most vulnerability scanning products which will aggressively probe all ports in the ranges of IP addresses they are configured to scan. This type of heavy-duty scanning could be detrimental to the operation of the medical devices that could be providing patient care or IoT automation functions.

Unlike typical IT scenarios where security teams can run a set of scripts to see what kind of Log4j version is built into the server, healthcare operations do not have the privilege to run scripts directly on heavy iron, like CT/X-ray equipment, as well as patient monitoring devices. With Ordr’s scanner, you can select only specific devices to be scanned at a time. It is also typical that a hospital standardizes on a specific make/model, and all that is required is to run this test on only one of them to understand the software decomposition. Ordr generates a report after the scan to show a list of devices that are vulnerable to Log4j.

How does the Ordr scanner work?

• Devices are selected by IP, device type, or various search mechanisms.
• The Ordr scanner runs on Ordr sensor, and does not need full credential access.​
• The Ordr scanner injects a string in the packet that triggers a call back to the sensor if a vulnerability is present.
• The Ordr scanner performs scans on open ports of HTTP, FTP, telnet, and Syslog; It generates a report after the scan is run.

Detecting callbacks to C&C sites

The Ordr platform includes the ability to track and visualize communications to malicious attacker domains; in this case, Log4j attacker domains.

Tracking malicious communications

The Ordr platform subscribes to reputable threat intelligence feeds and is available to every customer today. These feeds detect many of the callbacks to Log4j IPs and domains, but do not associate the family with that. To overcome this problem, Ordr has built a mechanism to scout the internet for all callbacks available for Log4j domains and Ips, and has built a mechanism to update the callbacks dynamically at each customer deployment. The feature provides a two-fold advantage: it covers more callbacks than any of the subscribed threat feeds cover, and it associates the Log4j family to these IP addresses for easy tracking.

Ability to track communications on malicious ports

Another feature available in the Ordr product is tracking communications to the internet based on ports and protocols. As most of the studies have suggested, most of the callbacks for Log4j uses 1389, 2202, and 39536 ports. A simple rule available in Ordr SCE will track every communication to Public IP addresses not owned by the enterprise and mark it as malicious if it matches the rule. All these communications can be viewed on individual devices or under “Blocked Port” on the security page.

Visibility to Log4j traffic patterns

Traffic analysis engine

Ordr SCE provides the ability to visualize problematic traffic centrally in the Group Traffic Analysis tool.   This screen features a constellation plot that shows the recognized groups and individual bubbles.  To make tracking of Log4j easy, Ordr has created a new bubble specific to Log4j, and all communications from inside the enterprise can be viewed with a single click.

In the example below, the operator clicked on the Log4jRCE Sites bubble. The only traffic lines plotted were to the Workstations and Medical Devices group.  This means that other groups such as Servers are not yet active with Log4Shell traffic.

Policy profiles to track communications

Users are given an option to create a policy profile to track communications from a discrete set of devices. In the case of Log4j, it is recommended to create a new policy profile to track devices that are potentially vulnerable to Log4j. In this case, start with servers and expand it to other potential devices.  After creating the policy profile, Ordr SCE evaluates every flow from these devices as a base and marks new communication as malicious. These are color coded based on the risk of the communication.

Highlighting infected devices using a risk score

Ordr assigns a risk score for every device in the network based on the events detected for that device. Each event described above will change the risk score of the device based on the criticality of the event. In the case of Log4j, devices with attributes such as a vulnerable system, where an exploit is identified or if the device is communicating to Log4j callback will have a risk score of critical. The risk score gets adjusted based on the events detected and the criticality of the device.

Ordr has deep integration with firewalls and NAC vendors. Users will have an option to quarantine connected devices based on their risk level, or if they detect a Log4j security event or behavior anomaly. They all point to a possibility of an attack in the enterprise.

In summary, Ordr has one of the most comprehensive features to detect the Log4j vulnerability and protect against exploitation. For more information, contact us today.

Srinivas Loke

Srinivas Loke is Vice President of Product Management at Ordr. Srinivas has a passion for cybersecurity with a deep understanding of network, end point, cloud and IoT security. Prior to Ordr, he led product teams at Aruba, Pulse Secure, FireEye and McAfee. He loves taking 1.0 products to the market and furthering cutting edge technologies that are solving customer problems.

The COVID-19 pandemic is one of those black swan events that is beyond the scope of normal contingency planning and has unpredictable, long-lasting, and highly disruptive consequences. Yet amid the chaos, one thing has been completely predictable: malicious actors quickly exploiting the panic.

Not long after emergency orders were issued and the healthcare industry was preparing for the first wave of patients infected by coronavirus, malicious actors were already bombarding healthcare workers with phishing emails weaponized with ransomware, and exploiting vulnerable remote desktop systems deployed by hospitals to enable a remote workforce and then installing ransomware on hospital systems.

Ransomware is one of the more insidious attacks that can be unleashed by malicious actors. It usually enters an organization through phishing attacks or vulnerable systems deployed on a network’s perimeter. Once the ransomware gains a foothold, the infection spreads through common exploits or open shares, moving laterally from machine to machine and encrypting important data. Then, once the important data is encrypted, the attackers display a message to pay a ransom or else the data will be lost forever; that is followed by instructions for transferring money to the attackers via untraceable cryptocurrency. In most ransomware cases, the requested ransom amount increases over time in an attempt to lure companies to act fast and pay a lower ransom payment. UCSF was recently targeted by the Netwalker ransomware and paid $1.14M to recover their data.

Hospitals and other healthcare organizations are especially susceptible because many of their mission-critical, internet-connected devices—including medical devices—run vulnerable operating systems that cannot be patched. Some examples include nursing station that have to interact with legacy systems that, in turn, have out of date operating system requirements; or expensive imaging equipment which runs on unsupported and unpatchable versions of WindowsXP. Our Rise of the Machines: 2020 Enterprise Risk and Adoption Report found that 15-19 percent of deployments had IoT devices running on legacy operating systems Windows 7 (or older).

By some estimates there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked.

When a ransomware attack happens:

• Don’t Panic: If you can isolate infected machines, do it quickly. Stop the spread of ransomware by isolating those machines from the network and protecting systems with important information. It is much easier to deal with a few infected machines versus thousands, so identifying and stopping the spread of ransomware should be the primary goal after it has entered the network.
• Research: Ransomware has been around for a long time. Some variants have been well-studied, and free decryption programs are available to defeat them. Once you know what variant of ransomware has hit your network, you may learn that the keys to decrypt your data are easily available and that your infection turns out to be little more than a nuisance. However, newer variants are more virulent, and use sophisticated algorithms that can’t be decrypted.
• Respond: Having assessed your situation and taken the appropriate action to limit the damage, you may still find that your important data is encrypted. This is where the question, “Should I pay the ransom?” comes into play and you have decisions to make. Some points to consider:
  • How valuable is your lost data and can you do without it?
  • Do you have that data backed up and archived?
  • Does losing the data affected by the ransomware put the life of your business at risk?
  • Follow the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments by the U.S. Department of the Treasury to make sure that you are not facilitating payment if, “there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.” This could potentially result in an assessed fine.
• No Guarantees: One major point to consider if you decide to pay the ransom is that, after doing so there is no guarantee of recovery. Keep in mind that attackers are criminals. They may execute an attack campaign, scoop up quick payouts, and then abandon their victims in order to leave a cold trail for investigators. The systems they’ve set up for transferring payment may not work as intended. Or, they may have never intended to cooperate with anyone who made payment in the first place.

Of course, the best thing you can do to respond to a ransomware attack is to take proactive, mitigating actions. Working with trained security experts to assess vulnerabilities, close security gaps, train employees, and put written incident plan in place specific to your organization, and of course having a robust backup strategy for important information before an attack occurs is your best course of action. There are many antivirus and backup tools out there that can prevent or limit the damage of a ransomware or other malware attack.

For organizations that have adopted IoT as a part of their infrastructure and technology strategy , the Ordr platform is designed to give you full visibility into all the devices connected to your network, understand their purpose and operation, and automate management and security policies to ensure maximal protection for even the most sensitive and mission critical equipment. In a worst-case scenario, Ordr can facilitate the rapid isolation and protection of infected devices.

If you have questions about your situation, or need a partner with the skills and expertise to help protect your IoT assets, let us know. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.

Incredibly complex problems cannot be solved without first establishing a baseline of understanding the elements of the problem in very fine grain detail. In the medical community, for example, development of targeted therapy for many serious diseases was comparatively ineffective before the mapping and sequencing of more than 3 billion nucleotides in the human genome. The Human Genome Project, a 15-year collaborative effort to establish this map of human DNA, has enabled the advancement of molecular medicine at a scale that was once impossible. Similarly, IT, Security and Business leaders cannot address the myriad challenges of the hyper-connected enterprise without fully mapping the device flow genome of each network-connected device and system. There are millions of connected devices, from simple IoT devices to multi-million-dollar functional systems, in a Global 2000 corporation, major healthcare system, retail chain or large industrial enterprise. The global volume of non-traditional network-connected devices – IoT devices – is doubling every few years and will exceed 20 Billion by 2020, according to experts.

This challenge is enormous, because it requires complete understanding of both the fixed characteristics of each device, as well as the constantly changing context in which it operates. To do this at scale, you must be able to apply sophisticated machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network. If you can do that, you can immediately identify potential ‘mutations’ in the genome – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences. At the time, you can leverage artificial intelligence to define and implement actionable policies that prevent future recurrences. That’s the only reliable way to protect critical assets and deliver true closed-loop security in the hyper-connected enterprise. And that’s exactly what we set out to do when we founded Ordr a few years ago.

There are solutions on the market today that seek to “fingerprint” devices, discovering their IP address, using MAC address lookup to identify the device manufacturer, and applying other rudimentary techniques to build a generic profile of the device. Fingerprinting allows you to answer some important but very basic questions: How many devices are connected to my network and to which ports and VLANs are they connected? How many of these devices are from Manufacturer X? Gathering more specific information has typically required agents installed on each endpoint. That is simply not possible in the hyper-connected enterprise, as the scale and heterogeneity of these devices quickly breaks traditional IT and security models.

Instead, by fully mapping the device flow genome automatically, without any modifications to the device or the existing enterprise infrastructure, within hours, Ordr identifies and enables you to act on critical information:

• 5 of your critical manufacturing systems are running software other than your standard configuration, with known vulnerabilities;
• 2 devices have been infected with Wannacry ransomware and are actively attempting to connect to peers;
• 3 of your X-ray machines are being used at 90% capacity while 2 are only operating at 40%;
• 6 of your heart-rate monitors are models are subject to an FDA recall;
• Your elevator control system is attempting to contact your internal HR application;
• 80% of your security cameras are still using the manufacturer’s default password;
• All digital signage on your network communicate with the manufacturer for updates and patches, but one of them is also communicating with a suspicious server in Kiev and appears to be exfiltrating PCI data.

Mapping the device flow genome allows Ordr to provide these types of actionable insight across millions of devices within the hyper-connected enterprise. This requires comprehensive real-time collection, correlation and analysis of vast amounts of information about each device:

• Device Make, Model and Modality – Classification and grouping of similar device types at a hierarchical level to facilitate efficient administration and regulation of those devices requires, specific information on the manufacturer, device type, model, modality and even the serial number.
• OS and Software Versions – Device operating system, including current OS patches, all software components installed (software bill of materials), anti-virus software etc.
• Known Vulnerabilities – Detection of potential port exploitation, results of vulnerability scans, and correlation of all known vulnerabilities from the device manufacturer and third-party sources (national vulnerability database, FDA recalls, etc.).
• Network Parameters – Complete information on network connectivity, switch port, wireless access point, VLAN/subnet (and comparison of each device’s VLAN/subnet membership relative to similar ‘peer’ devices).
• Device-Level Session and Flow Data – Data on connection attempts, number of sessions, data rate, location, ‘last seen’ time and location, usage patterns, etc.
• Flow-level Conversation Patterns – Ability to assess conversation at the flow-level communication to baseline normal behaviors compared to its peer group and to its own and detect anomalies.
• Internal Communications – Accurate detection of devices propagating malware, using well-known signatures like the one that looks for reconnaissance
• External Communications – Real-time comparison of external communication patterns to the permitted external/internet sites for each device profile (for software updates, etc.) is needed to defend against external attacks and identify communication with hostile sites with poor reputation scores like phishing sites
• Applications and Users – Full understanding of applications running on each device, as well as the users on the device
• Servers – Data on all the servers to which each device connects

The purpose-built Ordr Systems Control Engine is the only software product with the capability to perform this real-time mapping at massive scale. The unique Ordr SCE architecture is specially designed to collect and analyze device and system data – at line speed – from multiple sources within the enterprise, including:

• Full packet capture data from backbone core routers that include all the file transfers, http sessions, peer-to-peer traffic, client-server traffic, and application-level interactions.
• Network infrastructure data from switches, routers, WLAN controllers, NAC solutions etc.,
• Device probes like SNMP for inherent device information from various MIB repositories
• Protocol decodes of proprietary protocols like DICOM, Modbus and Patient Monitoring systems
• Parsing results from well-known data plane signatures from security vendors
• User and location information that includes Active Directory users with roles and privileges, and location feeds, etc.
• Ingest network device Information like Netflow
• On-demand vulnerability scans for onboarding as well as information collected from other periodic vulnerability scan reports information like provide open ports
• Network layer control plane protocols like DHCP
• Utilization and performance data like frequency and duration of operation and connection attempts.

Accurate mapping also requires integrating information from IT Service Management, Enterprise Asset Management, location information, and threat information from national level exchanges.

Ordr SCE takes all of this information and applies sophisticated machine learning with ANN (Artificial Neural Network) training models to classify and profile everything on your network. That gives us a full understanding of each device – what it is, how it’s configured, and what behaviors it is supposed to exhibit – with unprecedented granularity. Once that is done, it becomes possible to detect anomalies and come up with actionable policies, using AI techniques, to regulate and protect your devices and critical data assets, in real-time and at scale.

This level of intelligence with depth that you’ll never be able to get from simple device fingerprinting. Customers using SCE’s device flow genome have been able to:

• Correctly identify a SIEMENS AXIOM-Artis X-Ray Angiography medical device rather than label it as Tyran Computer Corp system due to the OUI from the embedded network interface card
• Reveal devices connected behind gateway systems from vendors like Capsule Datacaptor.
• Rationalize inventory with other systems that do not have knowledge of MAC or IP addresses, and instead use serial numbers
• Find an uncontrolled user device from the IT side talking to a factory OT control system
• Spot non-standard software in a camera that was reaching back to get updates from a site in a questionable geography
• Accurately finding WannaCry infestations and enumerate every compromised device and the source of the problem

Mapping the device flow genome is incredibly complex, but it’s exactly that complexity that makes it so useful, and we’ve taken great care to present this detail to you in its simplest, most usable form. We make the incredibly complex incredibly simple.

The only effective way to address massively complex problems is to have an intricately detailed understanding of the elements of the problem. That’s the only way to develop treatments that improve human health and longevity. And that’s the only way to take control of the hyper-connected enterprise.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Internet of Things – Digital Transformation  

Merriam-Webster’s definition of the Internet of Things (IoT) is, “the networking capability that allows information to be sent to and received from objects and devices (such as fixtures and kitchen appliances) using the Internet”. In 1999 Kevin Ashton coined the term and since then we have seen the expansive growth of IoT and while these devices have been around for decades, the regulations on these devices still remain ineffectual.

And, while IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025, we still are not able to properly build IoT devices with security in mind.

The United States  

Recently, a bipartisan bill, the IoT Cybersecurity Improvement Act, from Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) was passed by the House but now must go to the Senate before hitting the President’s desk. The bill took more than three years to get to the House of Representatives and in that time more than 6 billion IoT devices entered the market.

While the bill would set the minimum security standards for IoT devices connected to federal networks, it would also require the National Institute of Standards and Technology (NIST) to set best practices for device security, the Office of Management and Budget to create guidance for agencies to meet, and require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.

The Food and Drug Administration (FDA) is trying to achieve medical device security and makes it well known on their website what they aim to accomplish:

The U.S. Food and Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the Agency shares with device makers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security and U.S. Department of Commerce. 

The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them. 

The medical device cybersecurity guidance by the FDA was last updated in 2018. While they release a list of vulnerabilities, their guidance points organizations to the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook in which they were a contributor.

Much like with regulatory compliance standards around sensitive data, in the United States the individual states are leading the charge again. California and Oregon have enacted legislation that mandates that manufactures that supply IoT devices do so with “reasonable security features.” In addition to California and Oregon, eight additional states are considering legislation.

The United States is likely to not see real meaningful regulatory compliance standards for IoT devices until the impact has already hit most organizations and homes. Compare that to the European Union (EU) and what they have in place and are working to put in place.

The European Union (EU) 

The EU in June of this year introduced a new cybersecurity standard for consumer IoT (ETSI EN 303 645 V2.1.1) products. With the hopes of better security practices and more manufactures adopting a security-by-design principle when developing new connected consumer products.

The standard consists of 13 provisions:

• No universal default passwords
• Implement a means to manage reports of vulnerabilities
• Keep software updated
• Securely store sensitive security parameters
• Communicate securely
• Minimize exposed attack surfaces
• Ensure software integrity
• Ensure that personal data is secure
• Make systems resilient to outages
• Examine system telemetry data
• Make it easy for users to delete user data
• Make installation and maintenance of devices easy
• Validate input data

In addition to ETSI EN 303 645 V2.1.1, the EU also explicitly addresses medical devices in the European Medical Device Regulation (EU MDR). Much like the US FDA’s UDI, it seeks to ensure high standards of quality and safety for medical devices being produced in or supplied into Europe. With the introduction of this directive, devices entering the EU will have:

• Stricter pre-market control of high-risk devices at an EU level
• The inclusion of certain aesthetic products which present the same characteristics and risk profile as equivalent medical devices
• A new risk classification system for diagnostic medical devices based on international guidance
• Improved transparency through the establishment of a comprehensive EU database of medical devices
• Device traceability through the supply chain from its manufacturer through to the final user
• An EU-wide requirement for an ‘implant card’ to be provided to patients containing information about implanted medical devices
• the reinforcement of the rules on clinical data and clinical studies on devices
• Manufacturers to collect data about the real-life use of their devices
• Improved coordination between EU Member States

And, now with Brexit, what happens with the United Kingdom (UK) come December 31, 2020 and the IoT regulatory compliance standards? While the UK remains subject to EU law, it is no longer part of the EU’s political bodies or institutions. Will the Department for Digital, Culture, Media & Sport (DCMS) serve as the governing body for IoT device security?

The United Kingdom (UK) 

In June of 2020 the UK DCMS addressed the need for cybersecurity as a fundamental instrument in the building of IoT devices, they are enacting a product assurance schema to mark approved IoT devices with an assurance label or kitemark that demonstrates that the product has undergone independent testing or a robust and accredited self-assessment process. The ultimate goal would be that consumers of IoT devices would purchase approved devices, rather than those that are not, and that retailers would only sell approved devices.

DCMS has been taking forward multiple initiatives to address the matter, including:

• Publishing the Code of Practice for Consumer IoT Security 
• Committing to taking forward new legislation to mandate core aspects of the Code
• Leading the development of industry standard ETSI EN 303 645 

“The UK Government looks forward to continuing to work with industry and all interested stakeholders to ensure that the UK is the safest place to be online.” 

While the EU and UK continue to lead the charge in regulatory compliance standards to protect citizen and resident data, it is also years ahead of the U.S. in addressing IoT device security. The fundamental issues still remain. Can we create a global culture where we put securing our data first, both from properly building IoT devices and then by holding device manufactures accountable in our procurement of devices?

Overview:

On July 23, the National Security Agency (NSA) along with the Cybersecurity and Infrastructure Security Agency (CISA) urged all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their Operational Technologies (OT) assets. The alert was issued because in the past few months, threat actors have leveraged internet connected devices to exploit critical infrastructure. OT and IoT devices and systems are designed for ease-of-use rather than with security in mind and thus don’t have the means to detect or mitigate malicious activity. The design of these devices and systems combined with the data that they transmit and share via the internet, make them easily exploitable.

“…civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests”

Some of the observed Tactics, Techniques, and Procedures (TTPs) as defined by the MITRE ATT&CK framework are:

• Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
• Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
• Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
• Use of vendor engineering software and Program Downloads [T843].
• Modifying Control Logic [T833] and Parameters [T836] on PLCs.

While Alert AA20-205A discusses OT specifically, IoT is also relevant in this alert, because the alert tackles the 16 “critical infrastructure” sectors as defined by CISA:

Bolded below are the 9 critical infrastructure sectors that are largely impacted by IoT

• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems

How Ordr can help:

“At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of US systems should a time of crisis emerge in the near term.”

With our comprehensive IoT security platform, Ordr can help organizations address the following recommended steps as outlined in NSA & CISA Alert AA20-205A:

• Harden Your Network
• Create and Accurate “As-operated” Network Map Immediately
• Understand and Evaluate Cyber-risk on “As-operated” Assets
• Implement a Continuous and Vigilant System Monitoring Program
• Exercise your Incident Response Plan

Harden Your Network

Hardening your network starts with visibility into what is actually on your network. With the most comprehensive platform for discovering, profiling, and automating action for connected devices, we passively discover high-fidelity context on every connected device, including; make, model, operating system, firmware, version, location, and application/port usage. This device context is enriched with threat intelligence, vulnerability data, FDA/device manufacturer alerts, and incorporated into our data lake. Organizations then have granular, high-fidelity classification into every device in their network for identification of outdated operating systems, FDA recalls, and devices banned by the U.S Commerce Department. This device context can be integrated with asset management systems.

Using Ordr Flow Genome, we leverage real-time machine learning to profile every device, and visualize and baseline every device’s communications. This allows organizations to have a deep understanding of behavior insights like identifying anomalous or suspicious behaviors, such as communications to external malicious domains, lateral movement of malware/trojans and more. We do this through our security engines that scan for activity on infected machines.

This allows organizations to address the following hardening requirements:

• Identify devices using weak passwords and ciphers – clear text transfer of passwords, default or manufacturer passwords, shared drives, weak ciphers, etc.
• Identify devices that connect to business, telecommunications, or wireless networks – clearly separate devices into managed, unmanaged, and how devices enter the network.
• Closely scrutinize and track devices that are internet-accessible – closely scrutinize outbound connections to internet especially from mission critical devices like PLCs etc., and rate those connections with respect to the reputation of the sites they are reaching out to.
• Closely scrutinize and track devices that have remote management services – extract all administrative protocol interactions like SSH, rlogin, and more to closely monitor manufacturer based remote debugging sessions using protocols like RDP.

Create and Accurate “As-operated” Network Map Immediately

Ordr Flow Genome provides the most comprehensive profiling of every device communications patterns. We are also able to extract the latest authentication information via Active Directory/LDAP, WinRM/WMI and Kerberos to identify device users so organizations can locate devices associated with a specific owner, or identify the most recent authenticated login to a device. Our constellation map also provides a visual network topology view of where these devices are relative to network VLANs and subnets, allowing organizations to quickly address the “network map” requirement,

Understand and Evaluate Cyber-risk on “As-operated” Assets

The Ordr dashboard provides flexibility in searching for and investigating the risks outlined by NSA and CISA. This includes using our device inventory and context to identify devices that have been called out by:

• Vendor or technical advisories
• CISA advisories
• CVE vulnerabilities databases
• National vulnerability databases

More importantly, Ordr has the capability to automatically segment and isolate any device that is impacted by vulnerabilities, with one touch of a button. These policies can be enforced on any security or networking infrastructure.

Implement a Continuous and Vigilant System Monitoring Program

Through the Ordr Incident Summary & Device Risk Summary, we can visually show the continuous discovery and monitoring of devices, highlight any new risks to those devices (ie. Ripple20), alert based on severity, and create action for segmentation.

Exercise your Incident Response Plan

We automate the appropriate responses for security and networking teams. These include the automated creation and enforcement of segmentation policies or alerting and triggering a specific security or operational workflow. We also integrate with enforcement points (like switches, CISCO ISE, CPPM, controllers, etc.) to quarantine, blacklist, shutdown or enforce an ACL.

• Proactive Segmentation – Unlike users, devices should only communicate with specific systems. Ordr dynamically create policies to allow only appropriate device communications. These policies can be automatically enforced on existing infrastructure — firewalls, switches, NAC and wireless LAN controllers.
• Operational Actions – when a new or unknown device is discovered, we can trigger a centralized workflow with a CMMS or CMDB to ensure proper inventory, authentication, and routing to the right device owners.
• Security and Incident Response Actions – in the event of a security incident, or if devices have triggered an alert (known vulnerability, weak cipher, weak certificate, active threat, or malicious/suspicious behaviors) we can initiate an incident response workflow in a SIEM or SOAR, or automatically segment the impacted device.

To learn more about how Ordr can help your organization, schedule a demo.

Coauthors: Srinivas Loke, Gowri Sunder Ravi

Progress Software, which makes the MOVEit Transfer app, first disclosed a vulnerability for the MOVEit application on May 31^st, 2023. The MOVEit application is a managed file transfer software produced by IPSwitch (acquired by Progress Software Corporation). It encrypts and uses secure FTP to transfer data with automation. MOVEit is used by thousands of enterprises, including 1700 software companies and 3.5 million developers. MOVEit is also used significantly within the healthcare industry, with HHS recently issuing an alert on this.

1. What Are The MOVEit Vulnerabilities?

CVE-2023-34362, with a CVSS score of 9. 8, is a critical SQL injection vulnerability affecting MOVEit Transfer and MOVEit Cloud. The vulnerability allows unauthenticated attackers to control a MOVEit installation completely, potentially leading to data alteration or theft, malicious software installation, and server configuration changes. The MOVEit Transfer versions affected are:

• before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5),
• and 2023.0.1 (15.0.1)

Following this disclosure, two additional vulnerabilities were disclosed for a total of three to date:

• CVE-2023-35708 (June 15, 2023) with patching recommendations here:
  • Knowledge Base Article (June 15, 2023)
• CVE-2023-35036 (June 9, 2023) with patching recommendations here:
  • MOVEit Transfer Knowledge Base Article (June 9, 2023)
  • MOVEit Cloud Knowledge Base Article (June 9, 2023)
• CVE-2023-34362 (May 31, 2023) with patching recommendations here:
  • MOVEit Transfer Knowledge Base Article (May 31, 2023)
  • MOVEit Cloud Knowledge Base Article (May 31, 2023)

2. Has this vulnerability been exploited?

Exploits of the vulnerability have been discovered in the wild, and have been attributed to the Cl0p ransomware group (also known as FIN11 or Lace Tempest). It has been reported that attacks against this vulnerability were “zero-day attacks” and may have begun as early as May 27, 2023, before a patch was available or the vulnerability was publicly disclosed or discussed.

3. Recommendations by Progress Software

• Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment
  • More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
• Review, Delete, and Reset
  • Delete Unauthorized Files and User Accounts (Particularly looks for an event associated with human2.aspx)
  • Delete any instances of the human2: aspx (or any files with the human2 prefix) and .cmdline script files.
  • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
  • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
  • On the MOVEit Transfer server, look for new APP_WEB_[random].dll files created in the C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP .NET Files\root\[random]\[random]\ directory:
  • Stop IIS (iisreset /stop)
  • Delete all APP_WEB_[random].dll files located in C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP. NET Files\root\[random]\[random]\
  • Start IIS (iisreset /start). Note:The next time the web application is accessed, it will be rebuilt correctly. It is normal to have 1 APP_WEB_[random].dll file located in this directory.
• Apply the Patch

4. How Ordr Can Help

Detection

Vulnerability mapping of impacted devices:

• Ordr provides application mapping via its Software inventory Collector to detect MOVEit applications in the network and uses its Vulnerability Matching engine to identify whether the organization is impacted:
• Using its Software Inventory Collector, Ordr provides visibility into all the apps installed on all enterprise or health system devices, workstations, and servers.
• Ordr maintains a list of all the software packages installed on the endpoints with version numbers and a time stamp on when it was installed/last updated etc.,
• Ordr vulnerability mapping engine assigns vulnerabilities based on the SW version collected from the endpoint. The installed application list is updated daily, and vulnerabilities are recalculated based on the new info.

Real-time detection of exploits using IDS, behavioral violation, and threat correlation:

• Ordr has an IDS engine that can detect this specific vulnerability using analysis of packets transacting over the wire.
• Ordr IDS signatures have been updated to detect exploits of the MOVEit vulnerability

Track communications to compromised IP/URLs:

• In real-time, Ordr’s external IP/IOC tracks every communication to prohibited IP/URLs. Ordr uses a cloud-based threat intelligence platform where the list is continuously updated, and all communications are marked accordingly in the Ordr Security Threat Card.
• Ordr scoured the internet to establish a list of MOVEit IPs/URLs and tracks all communications associated with this vulnerability with a “group” within the Ordr Traffic Analysis Tool outer ring. Ordr has named it “MOVEIT” in the classification analysis. All the lookups done using this method are retrospective in nature and map every communication to these IoCs.
• Users can easily track and tag every device communicating with malicious IPs for remediation purposes.

Baseline communications to surface anomalies:

• Ordr also provides the capability to baseline all the communications based on profile, location, business function, or any customized entity using our AI/ML techniques. Ordr can trigger anomalies based on any deviations observed for this traffic. Ordr recommends using our behavioral anomaly and threat detection capabilities to identify anomalies while performing any incident response or remediation.

• Ordr adjusts the risk score of the device based on the events detected for the device along with the asset criticality. For example, Ordr assigns a higher risk score for devices with vulnerability and exploits vs. devices only with vulnerability. All of the risk scores are normalized based on the criticality.

Mitigation

• M1051 (ATT&CK) – Update Software
  • Patch immediately. Refer to the Progress Software Knowledge Base above and apply the fixed versions of MOVEit Transfer.
• M1040 (ATT&CK) – Behavior Protection on Endpoint – Rapid threat containment if a breach is detected.
  • Ordr tracks every device’s connectivity and keeps real-time data on where the device is connected to in the enterprise network – wired switch, wireless AP, VPN, and so on.
  • When an alarm of a breach comes into the SOC team, the Ordr platform provides a one-click action to immediately get the device isolated or segmented into a quarantine VLAN.
  • Ordr supports a variety of threat containment actions, as shown below: 

• M1037(ATT&CK) Proactive firewall policies:
  • Disabling HTTP (port 80) and HTTPS traffic (port 443) to MOVEit Transfer in the interim is recommended to prevent exploitation.
  • Create a policy profile with all the MOVEit servers, then build a firewall policy to block ports 80 and 443 inbounds from an external address.
  • Ordr supports integration with multiple industry-leading firewall vendors. Below is a sample screenshot of one vendor. 

• M1030(ATT&CK) – Network Segmentation:
  • Ordr’s segmentation policies can protect the mission-critical devices
  • Even if a breach happens,  mission-critical devices, for example, medical or devices in ER/OR, can be protected using Ordr policies. Only specific devices over certain protocols can communicate with these mission-critical devices.
  • Ordr supports integration with multiple industry-leading NAC vendors. 

6.     Ordr Customer Updates

Ordr has prepared the following software configuration rules package (no software change required) and is working with customers on pushing them to their separate instances with utmost priority:

1. Ordr Vulnerability Database to match against devices vulnerable to MOVEit.
2. Ordr IDS engine to detect exploits related to MOVEit vulnerability.
3. IoCs associated with MOVEit vulnerabilities are constantly updated and all the existing and new communications are mapped against these IoCs and are updated in the Ordr’s traffic analytics diagrams.
4. All the indicators of compromise will be flagged on the Ordr’s security page and added to the alerts. Ordr constantly streams to the SOC/SIEM and sends emails to the admin if configured.

7.     Helpful Links

• Detailed analysis blog
• Progress Software community advisory & Progress Software community article
• Artifacts
• POC
• Tenable Blog & CVE article
• NVD
• Talos Blog
• Other references from Sophos and First Health Advisory

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Santa Clara, CA – May 2, 2023 – Ordr, the leader in connected device security, today announced the release of new innovations and ecosystem integrations in version 8.2 of its AI-powered platform. Ordr enables customers to SEE, KNOW, and SECURE every connected device across their whole organization – from laptops and traditional IT equipment, to especially vulnerable Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technology (OT) devices. This release positions Ordr as the most comprehensive, granular, and accurate source of truth for every connected device.

Using Ordr version 8.2, customers will:

• SEE a greater amount of connected devices and better understand device context through integrations with leading Mobile Device Management (MDM) solutions Jamf and Microsoft Intune, Endpoint Detection and Response (EDR) platform SentinelOne, network management platform Cisco DNA Center; and through enhancements to the Ordr Software Inventory Collector.
• KNOW more about vulnerabilities and risks through integrations with leading EDR and threat intelligence platforms, including CrowdStrike and Qualys.
• SECURE devices more rapidly through enhanced automation capabilities across the Zero Trust ecosystem, including integration advancements with Aruba ClearPass. 

“Today’s organizations must manage a tough balance between the demands of rapid digital transformation and the need to protect their businesses,” said Pandian Gnanaprakasam, Chief Product Officer and co-founder of Ordr. “While digital transformation is an opportunity to fundamentally improve enterprise operations, the tradeoff is an expansion of the cyber attack surface and the demands of an increasingly strict regulatory regime. At Ordr, we understand that balance. Our platform helps customers embrace digital transformation without compromising security.”

Ordr 8.2 gives customers a centralized view of the connected device attack surface, including vulnerabilities, risks, and active threats. As an open platform, Ordr takes pride in offering the largest number of security, networking, and IT solution integrations in the industry today, including bidirectional integrations. When combined with the Ordr Data Lake profiles, these integrations further Ordr with the most comprehensive and detailed context, flows, and insights on tens of millions of devices to mitigate risks and accelerate Zero Trust initiatives. 

“The Ordr platform gives us invaluable insights that help accelerate our Zero Trust project with Aruba Clearpass,” said Randy Yates, VP, Chief Information Security Officer, Memorial Hermann. “With Ordr, we’re able to easily define granular policies based on device role and risk to ensure we can reduce our attack surface and improve security without fear of impacting operations.”

The new features and integrations announced as a part of Ordr version 8.2 include:

SEE: Gain Granular Visibility of Every Connected Device 

Devices used every day by a remote and distributed workforce increase the attack surface and create visibility gaps for security teams, resulting in increased risk for organizations. Security teams need to understand the risk posture of all managed and unmanaged devices, while maintaining a complete and accurate device inventory.

Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) – Ordr delivers device insights and enables a centralized view of every device for a comprehensive view of the attack surface. Ordr has integrated with top MDM and EDR platforms, including Jamf, Microsoft Intune, and SentinelOne, to enhance the view of vulnerabilities and risk with additional managed device details.

Ordr Software Inventory Collector – Ordr Software Inventory Collector gathers essential details from devices to provide deep insights into vulnerabilities and risks, such as unpatched software, unauthorized software, and outdated or disabled antivirus programs. Ordr Software Inventory Collector now fetches additional endpoint attributes for teams, including user login, admin, hardware details, certification, and IP address, while also complementing Software Bill-of-Materials (SBOM) efforts with real-time visibility into the state of software, the date it was installed, and any patches implemented.

Cisco DNA Center – By integrating with Cisco DNA Center, Ordr enhances the view of devices with location context, including building and floor details. This improves incident response when physical access is needed to remove a device from the network (e.g., unplug it) or if physical access is needed for patching. 

ServiceNow Service Graph Connector – Ordr eliminates manual asset inventory efforts by automatically and continuously discovering and gathering granular details for every connected device. By integrating with ServiceNow Service Graph Connector, Ordr helps teams ensure that asset inventories are accurate and up-to-date.

KNOW: Strengthen Vulnerability Management and Risk Reduction Efforts 

Ordr’s accurate device classification and insights enable teams to scan previously unscanned devices or environments, and optimize scanning to ensure that the operation of critical devices and services are not impacted.

Qualys Cloud Platform – Device scanning gives security teams an essential view into potential vulnerabilities and risks. That said, many devices have restrictions where scanning could affect operations and impact safety. By integrating with Qualys, previously unscanned devices and environments can now be scanned with Ordr insights to inform controls for scanning strength, depth, and timing. Gaps in the attack surface are closed without an impact on operations.

CrowdStrike Spotlight API – Ordr can now easily integrate device vulnerability information from CrowdStrike managed devices using the CrowdStrike Spotlight API. This provides teams with a centralized and enhanced view of device vulnerabilities and risks. 

New Threat Detections – Ordr version 8.2 incorporates several features that help customers detect attempts to exploit the latest ransomware and zero-day threats, such as the OpenSSL vulnerability.

SECURE: Accelerate and Scale Proactive Security with Zero Trust 

A critical part of implementing segmentation or other Zero Trust policies is that policy enforcement does not “break” critical applications, impacting operations, safety, or customer services. Capabilities in Ordr 8.2 help teams proactively improve security by automating the creation and customization of Zero Trust policies, and optimizing those policies for enforcement at scale on solutions such as Cisco ISE, Aruba ClearPass, and Fortinet FortiNAC.

Aruba ClearPass – Ordr 8.2 enhances integrations with Aruba ClearPass, auto-updating endpoints with current device classification information, security metrics (including an adjusted risk score), alarm categories triggered, and the reason for any block or quarantine action. With these enhancements, Ordr continues to offer HPE-Aruba customers the most comprehensive solution to support and accelerate Aruba ClearPass deployments.

“Ordr’s integrations are a game-changer for our customers, and we’re excited to see them continue to make investments in the ecosystem,” Said Tony Coleman​, Executive VP of Sales and Service, Computer Solutions. “By connecting their tools to Ordr, we’ve been able to help customers see a much more complete view of their devices and risk. This not only contributes to their ability to protect their environments, but has also helped to improve efficiencies and drive down cost.”

Connect with us for more information about how Ordr can help security, network, and IT teams SEE, KNOW, and SECURE every connected device across the whole enterprise.