Search Results:
-
Blog
Risk Management
Healthcare M&A Means Acquiring Legacy Threats
5 Min Read | By Darrell Kesti
Fort Kent is a town of just over 4,000 residents abutting the Canadian border in rural Aroostook County, Maine. Fort Kent is famous for being the northernmost terminus of U.S. Route One, and infamous for its long, harsh winters. It is also home to Northern Maine Medical Center (NMMC), a 10-bed hospital that has seen services cut in an effort to lower operating costs.
Maine Public Radio recently reported from a public forum held in Fort Kent’s town hall after the hospital announced plans to close its maternity ward. Residents fear NMMC will soon close; and if it does it will be part of a growing trend. The American Hospital Association (AHA) says that 136 rural hospitals have closed since 2010, and according to a recent report by the Center for Healthcare Quality and Payment Reform (CHQPR), there are more than 600 hospitals across the country in danger of closing due to financial pressures. Of those, more than 200 are in immediate danger of shutting down. That means that hospital mergers and acquisitions (M&A) are likely to continue as a trend identified by Chief Healthcare Executive magazine, which reported there were more than 50 hospital M&As in 2022, with more expected this year.
The Good and Bad of Healthcare M&A
When larger hospitals acquire smaller–and especially rural–hospitals, it can have a positive effect on access to quality of care for the communities they serve. The AHA said that nearly 40% of hospitals added services after being acquired, and that operating efficiencies helped to lower costs by an average of 3.3% after an acquisition. But along with the benefits associated with healthcare M&As come security risks. Security Magazine reported that ransomware attacks on healthcare organizations have doubled since 2016, and because rural hospitals struggle with financial and staffing constraints, they are often more easily breached by threat actors.
In her testimony to the Senate Homeland Security & Government Affairs Committee during a hearing on cybersecurity threats to rural healthcare organizations, former North Country Hospital (Vermont) CIO/CISO Kate Pierce said, “[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.”
The Lurking Threat of Acquired Risks
The dynamic nature of connected devices operating in a network complicates security and IT management. In healthcare, these challenges are magnified because patient safety is affected when operations are compromised. Findings from our most recent Rise of the Machines, Enterprise of Things Adoption and Risk Report (keep your eyes peeled for our 2023 edition soon) show the dangers present when Internet of Things (IoT), Internet of Medical Things (IoMT), and operational technology (OT) devices proliferate in a healthcare environment:
- 86% of IoT and IoMT deployments have 10 or more FDA recalls.
- 15%-19% of connected devices run on obsolete/unsupported operating systems.
- 10%-15% of devices connected to the network are unknown or unauthorized.
When a larger hospital makes an acquisition, it takes on the legacy cyber risks that previously beset the smaller one, including the technology assets used to run the facility and support staff in delivering care. Even in the best cases, hospitals and other healthcare delivery organizations (HDOs) rely on connected medical devices that are likely vulnerable to cyberattack. And once a piece of medical equipment is put in service, it may end up running with obsolete or unsupported software for years, or new vulnerabilities may be revealed that cannot be patched quickly due to patient safety concerns.
Even when a large hospital with “advanced cybersecurity hygiene” takes over the IT and security operations of a smaller hospital, it can take time to assess and mitigate the risks associated with integrating the new organization’s IT estate. And if any of the acquired systems were compromised prior to acquisition, a lurking, undetected threat actor may be able to use the smaller hospital’s IT infrastructure as a kind of Trojan horse from which to move laterally into the new owner’s systems, much like when hotelier Marriott was breached after acquiring Starwood Hotels in 2014.
Mitigate M&A Cybersecurity Risks
With these challenges in mind, a best practice approach to cybersecurity during an M&A event involves three critical steps:
1. Discover every asset in the network
You can’t protect what you can’t see, and so the key to addressing legacy threats and vulnerabilities inherited through the acquisition of other organizations’ technology estates is to be able to discover and classify every asset. That includes all the connected devices in operation: IoMT, IoT, OT, and more. This comprehensive asset inventory may also be useful to determine duplicate systems and reduce redundancies as both organizations in the M&A consolidate their assets.
The Ordr platform performs device discovery and classification quickly, and then monitors communications and tracks changes in real time. Ordr goes beyond mere visibility to deliver deep, granular classification of every device, including make, model, serial number, and operating system details. It also provides vital context about where a device is connected and what other systems it is communicating with. Ordr also addresses one of the most common M&A challenges when two organizations are combined: overlapping IP schemas. This challenge prevents teams from easily establishing a single view of both environments and can slow risk assessment and integration efforts.
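The overlapping-IP problem described above is easy to reason about with a small script. The following is an added example, not Ordr's code: it takes two constructed asset inventories (one per organization), reports which address ranges overlap, finds addresses that both estates claim for different physical devices, and builds a merged inventory keyed on estate and MAC address rather than on IP so that colliding addresses no longer overwrite each other. The inventories, subnets and device descriptions are all constructed for the example.

```python
"""Find IP collisions between two asset inventories being merged in an M&A.

Added example (not Ordr code). Both estates typically use the same private
ranges, so one IP may name two different devices. The merged record is keyed
on (estate, MAC) so the collision is preserved instead of silently lost.
"""
import ipaddress

# Constructed inventories: (ip, mac, description)
ACQUIRER = [
    ("10.1.20.5", "00:11:22:33:44:01", "Infusion pump, ward 3"),
    ("10.1.20.6", "00:11:22:33:44:02", "Nurse workstation"),
    ("10.2.0.10", "00:11:22:33:44:03", "PACS server"),
]
ACQUIRED = [
    ("10.1.20.5", "aa:bb:cc:dd:ee:01", "MRI console"),   # same IP as the pump
    ("10.1.20.9", "aa:bb:cc:dd:ee:02", "Lab analyser"),
    ("192.168.7.4", "aa:bb:cc:dd:ee:03", "HVAC controller"),
]
ACQUIRER_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16"]
ACQUIRED_SUBNETS = ["10.1.20.0/24", "192.168.7.0/24"]


def overlapping_subnets(a_cidrs, b_cidrs):
    """Return (a, b) pairs of subnets, one from each estate, that overlap."""
    pairs = []
    for a in a_cidrs:
        na = ipaddress.ip_network(a, strict=False)
        for b in b_cidrs:
            nb = ipaddress.ip_network(b, strict=False)
            if na.overlaps(nb):
                pairs.append((str(na), str(nb)))
    return pairs


def ip_collisions(inv_a, inv_b):
    """Return (ip, device_a, device_b) for every address both inventories
    claim for devices with different MAC addresses."""
    by_ip = {}
    for ip, mac, desc in inv_a:
        by_ip[str(ipaddress.ip_address(ip))] = (mac.lower(), desc)
    collisions = []
    for ip, mac, desc in inv_b:
        key = str(ipaddress.ip_address(ip))
        if key in by_ip and by_ip[key][0] != mac.lower():
            collisions.append((key, by_ip[key], (mac.lower(), desc)))
    return sorted(collisions)


def merged_inventory(inv_a, inv_b, label_a="acquirer", label_b="acquired"):
    """Merge both inventories keyed on (estate, MAC) instead of IP, so that a
    colliding address yields two distinct records rather than one overwrite."""
    merged = {}
    for label, inv in ((label_a, inv_a), (label_b, inv_b)):
        for ip, mac, desc in inv:
            merged[(label, mac.lower())] = {"ip": ip, "description": desc}
    return merged


if __name__ == "__main__":
    for a, b in overlapping_subnets(ACQUIRER_SUBNETS, ACQUIRED_SUBNETS):
        print(f"overlap: {a} (acquirer) <-> {b} (acquired)")
    for ip, dev_a, dev_b in ip_collisions(ACQUIRER, ACQUIRED):
        print(f"collision on {ip}: {dev_a[1]!r} vs {dev_b[1]!r}")
    print(f"merged records: {len(merged_inventory(ACQUIRER, ACQUIRED))}")
```

The point of the merged key is that an address is not a stable identity during integration; until one estate is renumbered, every device record and every policy that references it should carry the estate it came from.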
2. Identify your attack surface
The next step is identifying and measuring the attack surface these assets present. This can include devices with known vulnerabilities, devices running outdated operating systems, or devices with weak passwords. By baselining devices and their communication patterns, you can spot behavior that is outside the norm, which may be an indication of a compromised device.
From a deep, granular foundation of visibility, Ordr gives a complete view of the connected device attack surface and communications in real-time. Ordr identifies which devices are vulnerable or acting in a risky manner, and assigns a risk score based on the device’s known, determinative operational parameters.
3. Implement M&A cybersecurity best practices
Once you know what devices and risks you are inheriting as part of the acquisition, you can begin to implement M&A cybersecurity best practices. The most basic of these is segmentation between the two networks until access and convergence are complete. You will also want to identify and document key risks that need to be mitigated and addressed during or after the acquisition.
Ordr dynamically automates the creation and enforcement of security policies. This means that organizations using the Ordr platform can quickly block attacks, quarantine compromised devices, segment vulnerable devices, and accelerate Zero Trust projects to proactively improve security.
Cybersecurity Due Diligence
Because hospitals and HDOs are under constant risk of attack from threat actors who care nothing of the danger their actions present to patients—and, in fact, use that danger to their advantage when carrying out ransomware attacks—there is no grace period when acquiring a smaller organization. It is imperative that the acquiring hospital include cybersecurity when conducting their due diligence. The network must be inventoried, assessed, and protected as quickly as possible, and Ordr helps get that done even before a contract is signed.
Furthermore, we operate on a philosophy of continuous improvement, expanding our integrations, leveraging the most up-to-date threat intelligence, and building our library of millions of device profiles to ensure Ordr is the most comprehensive, single source of connected device truth available. Check out our M&A solution brief for more details on how we help with cybersecurity due diligence.
Darrell Kesti
Darrell is VP Sales at Ordr. He joined Ordr as one of the original Account Executives in October of 2018 to help launch the field organization. In his prior role as Ordr’s Director of Healthcare Sales, Darrell drove significant growth in healthcare sales and helped position Ordr as the leader in connected device security. Darrell has more than 20 years of Sales Leadership, Account Management, and Field Engineering experience supporting customers and partners at leading security and networking organizations – ForeScout Technologies, FireEye, Mandiant, F5 Networks, and Secure Computing Corporation. Darrell earned a Bachelor of Science in Electrical and Computer Engineering from the University of Minnesota, Duluth.
-
Blog
Security Bulletin
Protect Operational Technologies and Critical Infrastructure
Organizations Must Act Now
3 Min Read | By Greg Murphy
Legislation and national policy changes are necessary, but organizations can’t wait for them to take effect
A recent security alert from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) highlighting advanced persistent threats against internet connected operational technologies (OT), including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, raises the stakes for the federal government to mandate stricter security standards for manufacturers of internet-connected devices.
In response to the growing number of threats to its governmental agencies, critical infrastructure, healthcare institutions, and businesses of every type and size, the White House and lawmakers have introduced stiffer standards, clearer guidance, updated policies, and legislation to compel organizations to increase their security posture, and to design more secure products. These include memos on achieving Zero Trust, the PATCH Act to increase medical device security, NIST whitepapers redefining critical infrastructure, the IoT Cybersecurity Improvement Act, and an Executive Order on Improving the Nation’s Cybersecurity, to name a few.
Troubling Trends
Ordr has voiced its support for these measures because it is clear that business-as-usual in cybersecurity is not getting the job done. Here are some numbers that illustrate the growing threat to the integrity of connected devices and the people and organizations that rely on them:
- According to the United Nations, cyberattacks against healthcare organizations have increased 600% worldwide since the start of the pandemic in 2020;
- There are more than 4,000 ransomware attacks every day, and an organization falls victim to a ransomware attack every 14 seconds;
- The total costs of cybercrime, which were estimated at $6 trillion in 2021, are expected to exceed $10 trillion by 2025;
- The FBI’s Internet Crime Complaint Center (IC3) investigated 649 successful ransomware attacks on U.S. critical infrastructure organizations in 2021; and,
- Researchers tracked a 110% increase in vulnerabilities in connected devices in healthcare environments since 2019, and a 55% increase in attacks against the healthcare industry.
These are just a few of the troubling trends that demonstrate the need for a strong, national response for improving cybersecurity. But legislation and policies take time to draft, pass, and implement. In the meantime, organizations that rely on devices that make up the realm of OT, the internet of things (IoT), the internet of medical things (IoMT), and other systems and devices that connect to public networks must take steps now to harden their existing infrastructures against threats that target such systems.
A New Approach is Needed–And Available
Operational technologies form the backbone of modern industrial productivity. Many of the connected devices and cyberphysical systems that run production lines, keep facilities operating, and that support transportation and logistics were not designed with cybersecurity in mind. But as formerly air-gapped systems have become dependent on data and connectivity, they have become vulnerable. That is reflected in the attacks we see increasing on OT environments, which often can start with IT and IoT devices, and do not require sophisticated approaches to be successful. But they do require a new approach to security.
The emphasis on achieving a Zero Trust posture for IT architectures is vital. The growing number and sophistication of the elements of today’s IT estates, including connected IT, IoT, IoMT, and OT devices means it is impossible for traditional, human-centric approaches to security to succeed. Zero Trust requires machine learning and automation to achieve complete visibility across all aspects of technical infrastructure and to respond to indicators of compromise affecting devices.
When threats are detected, security policy enforcement can isolate affected systems and segment those that are mission critical to allow operations to continue while mitigation unfolds, thereby limiting an organization’s vulnerable attack surface and limiting risks. Ordr’s technology has been proven more than capable of providing this level of performance, allowing organizations to see across their network, know what devices are connected and their level of vulnerability, and to secure those devices from attack by addressing four key aspects of cyber asset attack surface management:
- Identify your complete attack surface – Know what devices are in the network and risks they bring.
- Map the transaction flows – Understand what devices are doing. Unlike users, devices have deterministic communications patterns for their “roles”.
- Architect/Create Zero Trust policies – This has to be automated to prevent errors, and to scale for hundreds of thousands of devices in the network.
- Monitor/maintain the network – Continue to discover devices, and monitor them for risks and anomalies.
When device security must be a priority—whether government, healthcare, manufacturing, or other critical infrastructure environments—organizations around the world trust Ordr for protecting their OT, IoT, IoMT and other connected devices. We can help your organization identify, inventory, assess, and protect your connected devices within minutes. Contact us today to get the conversation started.
Greg Murphy
Greg joined Ordr as CEO in December 2018. Previously, he was VP Business Operations for the HPE Aruba Group, the 4,000 person networking and IoT business unit of Hewlett Packard Enterprise. In that role, Greg was responsible for leading the business integration of Aruba and HP Networking following HP’s $3 billion acquisition of Aruba Networks in 2015. Greg held multiple prior senior executive positions within Aruba, including SVP Business Operations, GM of network management software, GM of outdoor and mesh products and VP of Marketing. Greg joined Aruba in 2008 through its acquisition of AirWave Wireless, a network management software provider that Greg founded and led. Greg received his M.A. from Stanford University and his B.A. from Amherst College.
-
Knowledge Base
What is Wannacry Ransomware?
5 Min Read
Cybersecurity incidents place us in tough spots, and it can be difficult to make all the right decisions. One of the best ways to determine the right course of action for your organization is to understand the tactics that are being used against you. The National Security Agency Director, General Paul M. Nakasone, warns that daily attacks should be expected over the next five years. It’s critical for organizations to be properly prepared. Successful cybersecurity attacks lend valuable information that can be used to formulate new protections—threats are getting smarter, but so is cybersecurity.
Ransomware comes in many shapes and sizes. Although it can be difficult to nail down every caveat of every instance of ransomware, there are certain variants of ransomware that come with hard-learned lessons. Wannacry is definitely in that category.
What is Wannacry Ransomware?
Wannacry ransomware is a form of ransomware, called crypto-ransomware, with worm capabilities that exploits vulnerabilities in the Microsoft Windows Server Message Block version 1 (SMBv1) protocol to compromise remote systems, spread to other hosts, and encrypt files. The ransom demands payment in the cryptocurrency Bitcoin. Wannacry ransomware propagates through an exploit known as EternalBlue, which was developed by the National Security Agency and stolen by the hacking group known as the Shadow Brokers. It was the Shadow Brokers who released it to the public.
How Does Wannacry Work?
Wannacry ransomware invades and encrypts files that can’t be decrypted unless the attackers hand over the specific encryption key. It also has worm-like capabilities, which enables Wannacry to propagate itself through infected systems to then go on and infect new systems.
Wannacry ransomware is coded in Microsoft’s Visual C++, and therefore targets the Microsoft Windows OS. More specifically, the ransomware targets an SMBv1 vulnerability in the Windows operating system, using an exploit referred to as EternalBlue. Once it gains access through EternalBlue, it uses DoublePulsar to install itself and execute.
It’s important to note that Wannacry ransomware relies entirely upon EternalBlue exploiting the SMBv1 vulnerability. Before the major global attack, a patch for this vulnerability had already been issued. A system with the patch applied could not be infected by the Wannacry ransomware.
In the original version of Wannacry, there was a built-in kill switch—the ransomware would check to see if it could connect to a specific URL. If the check failed, the software executed. If the check reached an active URL, it would not execute the attack. When this vital information was discovered by security professionals, the URL was quickly registered and brought the attack to a close.
In later Wannacry attacks there was still an active kill switch, but the URLs were different. However, in Wannacry’s newest evolution, which began in 2021, the ransomware no longer contains a kill switch.
What Was the Global Wannacry Ransomware Attack?
On May 12, 2017 at 3:44 am EST, the Wannacry ransomware attack launched itself on a global scale. The attack lasted for 7 hours and 19 minutes, and was halted by the registration of the built-in kill switch domain that had been coded inside. It compromised more than 200,000 devices in 150 countries and crippled organizations across a plethora of industries.
One of its more catastrophic impacts was the compromise of the National Health Service in Scotland and England. It affected everything from MRI machines, surgical theatres, and blood storage to diverting ambulances. Some other organizations that it affected were Telefonica in Spain, several state governments in India, FedEx, Honda, and the Chinese Public Security Bureau. Overall, the financial losses were estimated to range in the hundreds of millions for those affected by this Wannacry ransomware attack.
How to Prevent and Detect a Ransomware Attack
Ransomware of any kind is a frightening prospect, but big hitters like Wannacry have proven that there are measures to take that can keep systems safe. Even if there’s an initial breach, proper detection can mitigate the damage and lessen the overall impact of the cyber threat incident.
Prevention
Defending against ransomware, especially variants that rely on specific exploits, often comes down to adequate prevention tactics. These methods of prevention are effective against many types of malware, so they provide some best practices for an organization’s cybersecurity defense.
1. Focus on basic principles and drill often
A system is only as good as its foundation. Know your organization’s threat landscape and define critical assets. Implement multifactor authentication wherever possible. Encrypt data and conduct vulnerability testing. Always keep systems patched—Wannacry is a hard way to learn the lesson on the importance of patching.
2. Have a plan
Cybersecurity threats can happen anytime, anywhere, and an organization needs to be prepared and involved in threat prevention. Define security policies and make sure all compliance requirements for the industry are followed. Involve stakeholders and major decision makers. Help everyone to know their part in mitigating risk—it’s truly a company-wide effort.
3. Improve continuously
Security is never stationary. Like the technology it protects, cybersecurity must evolve over time. An organization should look at their security posture and threat landscape as an iterative process. Over time, new vulnerabilities are discovered and patched, or new technology is integrated. It’s essential to continuously evaluate risk and security measures.
4. Implement Zero Trust
Zero Trust rests on the principle of “trust no one”. Implementing least privilege and microsegmentation are key ways to defend against ransomware and other modern malware, or at minimum Zero Trust segmentation policies can stop propagation within the network. Monitor traffic patterns and look for device behavior changes. Modern threats require a modern solution.
Detection
Prevention is one piece of the puzzle, but detection is also important. There are several stages of the cyber kill chain at which ransomware can be detected.
To enable effective detection:
- Have a comprehensive real-time asset inventory so you know where devices are.
- Use an integrated threat detection engine to monitor traffic, both north-south and east-west.
- Use machine learning to baseline normal patterns of behavior for devices, so that anomalous behaviors indicative of a compromised device can be surfaced.
- Integrate with threat intelligence solutions to identify new indicators of compromise.
- Automate policies to quickly isolate infected devices or mitigate risks from an attack.
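The baselining, segmentation and anomaly-detection ideas in this list (and in the “Identify your attack surface” and “deterministic communications patterns” passages above) can be shown end to end in a short script. The following is an added example, not Ordr’s code: it learns, from a constructed flow log, which (destination role, port, protocol) combinations each device role uses; renders that baseline as an allowlist segmentation policy with an implicit deny; and then flags flows in a later window that fall outside the baseline, including flows from a device that is not in the inventory at all. The inventory, roles, IP addresses and log lines are all constructed for the example.

```python
"""Role-based communication baseline, allowlist policy and anomaly detection.

Added example (not Ordr code). Devices of one role behave alike, so the
baseline is learned per role rather than per device; anything a role was not
seen doing during the learning window is reported, and unknown devices are
reported because they have no role and therefore no baseline.
"""
import re
from collections import defaultdict

# Constructed device inventory: IP -> role
DEVICES = {
    "10.1.20.5": "infusion_pump",
    "10.1.20.7": "infusion_pump",
    "10.1.30.2": "pump_server",
    "10.1.40.10": "workstation",
    "10.1.50.3": "pacs",
    "10.1.60.1": "dns",
}

# Constructed flow records from the learning window: "<src> <dst> <dport> <proto>"
LEARN_LOG = """\
10.1.20.5 10.1.30.2 443 tcp
10.1.20.7 10.1.30.2 443 tcp
10.1.20.5 10.1.60.1 53 udp
10.1.20.7 10.1.60.1 53 udp
10.1.40.10 10.1.50.3 104 tcp
10.1.40.10 10.1.60.1 53 udp
"""

# Constructed flows from a later window: a pump opening SMB to a workstation,
# and an address that is not in the inventory talking to the PACS server.
LIVE_LOG = """\
10.1.20.5 10.1.30.2 443 tcp
10.1.20.5 10.1.40.10 445 tcp
10.1.40.10 10.1.50.3 104 tcp
10.1.99.9 10.1.50.3 104 tcp
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)$")


def parse_flows(text):
    """Parse log lines into (src, dst, port, proto); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, port, proto = m.groups()
        flows.append((src, dst, int(port), proto))
    return flows


def role_of(ip):
    return DEVICES.get(ip, "unknown")


def learn_baseline(flows):
    """Map each source role to the set of (dest role, port, proto) it used."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[role_of(src)].add((role_of(dst), port, proto))
    return dict(baseline)


def policy_from_baseline(baseline):
    """Render the baseline as allow rules between roles, with a final deny."""
    rules = []
    for src_role in sorted(baseline):
        for dst_role, port, proto in sorted(baseline[src_role]):
            rules.append(f"allow {src_role} -> {dst_role} {port}/{proto}")
    rules.append("deny any -> any")
    return rules


def detect_anomalies(baseline, flows):
    """Return flows whose (src role, dst role, port, proto) is outside the baseline."""
    return [
        (src, dst, port, proto)
        for src, dst, port, proto in flows
        if (role_of(dst), port, proto) not in baseline.get(role_of(src), set())
    ]


if __name__ == "__main__":
    base = learn_baseline(parse_flows(LEARN_LOG))
    print("\n".join(policy_from_baseline(base)))
    for flow in detect_anomalies(base, parse_flows(LIVE_LOG)):
        print("anomaly:", *flow)
```

Because the policy is derived from the same baseline used for detection, a flagged flow is by construction also one the segmentation policy would block, which is the relationship between the “automate policies” and “baseline normal patterns” items above. In practice the learning window must be long enough to cover infrequent but legitimate traffic (such as scheduled backups), otherwise those flows appear as anomalies.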
Detecting sophisticated ransomware requires a robust security solution like Ordr. Ordr monitors internal lateral movement and uses known behavioral baselines to detect unusual or suspicious traffic, which could flag early ransomware activity. Ordr profiles every device and maps every device’s communication patterns. If suspicious activity is detected, Ordr can immediately track down and identify the infected asset, trace the root of the infection, and automatically create policies to mitigate risks from the attack.
Be Prepared for a Ransomware Attack
Wannacry ransomware drove home that patching is an essential point of cybersecurity. One exploit led to a compromise that touched 150 countries and over 200,000 devices. Wannacry began as a dangerous crypto-ransomware with worm-like capabilities and a built-in kill switch, and continues to be a risk today as there are a million plus devices that remain unpatched.
In order to protect your organization from Wannacry ransomware and other malware, it’s critical to learn details of the major attacks. Define who, what, when, where, and how a specific attack occurred, and analyze and convert that information into action plans so you can improve your cybersecurity measures and ensure your organization isn’t the next victim.
An advanced security solution can help your organization build its security fortress. With Ordr, you can see all your connected devices and identify those at-risk, practice Zero Trust microsegmentation to reduce the attack surface, monitor traffic using behavioral base patterns and watch for east-west lateral movement, and much more. Ordr helps you understand the purpose and operation of all devices connected to your network, and automates management and security policies to ensure maximal protection. Should you fall under attack, Ordr can help you rapidly isolate and protect infected devices.
-
Blog
Risk Management
Ordr Teams up with Cisco to Keep Connected Devices Secure
5 Min Read | By Pandian Gnanaprakasam
Cisco has been a mainstay of Silicon Valley for decades, launched in 1984 by two Stanford University computer scientists with a vision of creating technology for the “network of networks” that paved the way for interconnecting the entire world into a single seamless system as we see today. Its fortunes have ascended as its hardware became ubiquitous. Now ranked No. 63 on the Fortune 100 list, Cisco has recently eclipsed Microsoft as the world’s most valuable company.
Not surprisingly, Cisco hardware has made its way into the digital infrastructures of tens of thousands of organizations over the past three-plus decades. The Cisco Catalyst 9000 Series is Cisco’s flagship switching portfolio. Enterprises worldwide rely on the Cisco Cat9k to power transformative solutions, not only as part of its core capabilities but also via a variety of Cisco and partner applications hosted on the switches. Today, Ordr announces the ability of our sensor to be deployed as a hosted application on the Cat9k, which not only extends visibility and insights on connected devices to any site a Cat9k switch is deployed but also extends Zero Trust segmentation to the edge. This, together with our recent offering on the Meraki Marketplace provides every Cisco Identity Services Engine (ISE) and Software-Defined Access (SDA) customer with a seamless way to accelerate their deployments.
But before we get into the details, let’s take a look at why such protections have become increasingly important in the past several years.
The Rise of Threats on Connected Devices
Many connected devices, including but not limited to IoT (Internet of Things), IoMT (Internet of Medical Things), and OT (Operational Technology) were primarily intended to communicate with each other or within a closed system. As long as the transmissions remained within the confines of a manufacturing plant, a hospital, or another facility, it was unlikely that an outsider could tap into them and cause harm.
That changed as information transmitted through connected devices evolved to provide core business functions – merging the overall IT infrastructure of an organization with its operational functions. Digital transformation has hastened this shift, potentially affecting countless devices in so many scenarios that the term “connected devices” was recently coined and has gone mainstream. It’s meant as an umbrella term for the host of connected cyber-physical systems: not just IoT and OT, but industrial control systems (ICS), industrial devices (IIoT), medical devices (IoMT), facilities devices controlling such things as elevator and HVAC functions, and everything in between.
The threats and risks these connected devices introduce are not just theoretical. The healthcare industry is among the most frequently targeted by threat actors and is heavily reliant on connected medical devices. The average hospital has an inventory of more than 3,850 IoMT devices. The attack surface is larger and more complex than most if not all other industries. Poor security and lack of visibility can have life or death consequences as digital risk expands into having a very real physical impact.
Threats have also manifested in the manufacturing sector, which has jumped from an area largely ignored by cybercriminals a few years ago to the number one target for ransomware in 2022 according to IBM Security’s X-Force Threat Intelligence Index 2022. The jump is due largely to the shift to Industry 4.0, a term used to describe the increasing interconnectivity between manufacturing facilities and external information sources.
Attack surfaces have expanded not just for healthcare and manufacturing but for every organization that has embraced digital transformation, including financial services, retail, government, education, public sector, and utilities. Whether it be protecting a connected camera, a patient’s infusion pump, a programmable logic controller (PLC) on the manufacturing floor, or a host of other critical connected devices, the need for security has never been more important.
The Cisco+Ordr Solution – Establish Trust at Point of Access
The Cisco+Ordr collaboration embraces and enables Zero Trust – a strategic approach to security that centers on minimizing the attack surface by enforcing trust from within an organization’s network architecture. The Zero Trust model of security prompts you to question your assumptions of trust at every access attempt. It is a comprehensive solution that secures all access across your applications and environment, from any user, device, and location, allowing you to mitigate, detect, and respond to risks across your entire environment.
A Zero-Trust approach:
- Establishes trust in every access request, no matter where it comes from
- Secures access across your applications and network
- Extends trust to support a modern enterprise across the distributed network
The Building Blocks…
Using the Catalyst 9000
To address the requirements of securing connected devices, Ordr has added two new Cisco product integrations: its sensor technology on the Cisco Catalyst 9000 Series Switches, and advanced data learning from Cisco Meraki Systems Manager, to extend end-to-end visibility and security across the entire organization.
The Ordr sensor for the Catalyst 9000 allows organizations to deploy the sensor as a hosted application on the switch to scale data collection across campus environments or extend Ordr to locations where it’s not possible or practical to deploy an Ordr hardware sensor – to secure devices in branch offices, smaller remote locations, and the like.
So equipped, customers know what devices are in their environment, their physical location, the essential details for each device, whether they are behaving normally, and how to secure them. Ordr gains this level of insight by continuously collecting and analyzing data from sensors as well as switches, routers, wireless controllers, firewalls, and other devices in the network. Insights from Ordr’s analysis help teams maintain an up-to-date device inventory, meet compliance requirements, and quickly respond to contain active threats. Ordr insights also provide context essential to defining and implementing Zero Trust policy with solutions such as Cisco ISE.
A Cisco Meraki Ecosystem Partner
Ordr is now also a Cisco Meraki Ecosystem Partner, so customers can analyze their Meraki cloud data with Ordr and gain a central, single source of truth to see, know, and secure all their connected devices. For businesses that have switched to remote workforces since the emergence of the pandemic, this is an efficient way to safeguard against potentially dangerous devices used in home offices and other locations outside of typical corporate protections.
Integration with Multiple Solutions
Ordr’s close relationship with Cisco over the years means that it now integrates with multiple solutions. In addition to those previously named, Ordr integrates with Cisco TrustSec, Cisco Secure Network Analytics (Stealthwatch), and Cisco Prime Infrastructure. Ordr also integrates with Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls through Cisco ISE.
Ordr integrations across the Cisco portfolio help customers add the end-to-end visibility and security needed to accelerate segmentation and Zero Trust projects with Cisco ISE and SDA solutions. Most importantly for organizations that are struggling with connected device security, Ordr’s device classification, network awareness, security intelligence, and auto-generated enforcement rules provide the context needed to simplify the process of creating, provisioning, and managing connected device segmentation policies.
Quick Deployment and Improved Security
The Ordr sensor for the Catalyst 9000 is deployed in a matter of minutes as a pre-packaged Docker container on any Catalyst 9000 switch that supports application hosting. Cisco DNA Center can deploy the Ordr sensor on hundreds of Cisco Catalyst 9000 switches with a few clicks, and combined with the Ordr SaaS managed service, customers gain insights and improve device security across connected devices in a matter of hours.
See-Know-Secure with Ordr+Cisco
Ordr’s deep integrations across the Cisco portfolio help customers add the end-to-end visibility and context needed to protect connected devices and accelerate the deployment of Cisco ISE and SDA solutions. Ordr’s device classification, network awareness, security intelligence, and ability to auto-generate enforcement rules simplify the process of creating, provisioning, and managing IoT, IoMT, and OT segmentation policy.
Get more information about how Ordr can help strengthen the visibility, security, and overall management of connected devices across all your Cisco deployments.
Pandian Gnanaprakasam
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
Interested in Learning More?
Subscribe today to stay informed and get regular updates from Ordr Cloud
Ready to Get Started?
-
Blog: Building a Better Second Line of Cyberdefense
Security Strategy
Building a Better Second Line of Cyberdefense
4 Min Read, by Pandian Gnanaprakasam
Cybersecurity and cyber threats have been in competitive co-evolution for years, with each side adapting to the other. Historically firewalls, IPS, antivirus, and modern endpoint protection tools have been common elements in the first line of defense to keep the bad guys out. Try as we might, bad things still happen to good networks. Attackers constantly develop new threats, target new vulnerabilities, or bamboozle a busy employee into doing the wrong thing. The first line of defense is never perfect, so it’s critical to develop a solid second line of defense.
For many organizations, the second line of defense amounts to simply recreating the first line of defense in more places. This approach misses the ways threats differ once inside an organization and also ignores some of the essential advantages defenders have at their disposal.
This post briefly revisits some of the high points in the evolution of cybersecurity and cyber threats, looking at what has worked for defenders, where things have gone wrong, and how lessons learned have helped build new lines of defense. Some deep topics will admittedly be oversimplified. The point of this post is not to denigrate any of the great security tools in use today. Instead, the point is to highlight some of the broad trends and inherent issues security teams need to consider.
An Absurdly Condensed History of the First Line of Cyberdefense
Until recently, many organizations thought of the inside of their network as trusted and the outside Internet as untrusted. Firewalls provided a natural barrier and control point for this boundary, denying unsolicited connections from the untrusted outside by default and leaving a few pinholes open for essential services. Trusted insiders, however, could connect to pretty much any outside service they wanted, and that service would be allowed and trusted. While this approach worked to keep random strangers out, it didn’t work if users and assets on the inside were already compromised.
Attackers had countless ways to attack. They could send phishing emails containing a malicious link in an attempt to gain access. If an email security solution was in place and the attacker was unsuccessful, they could shift to a new vector not subjected to email checks such as DNS tunneling. If a DNS-based firewall or perhaps a web application firewall (WAF) was in use, an attacker could pivot to target cloud applications. The cat and mouse game continued, so various methods were needed to detect and prevent threats.
Attackers found ways to slip past detections. Modifying malicious payloads ensured previously known signatures didn’t match, while encoding, obscuring, or encrypting helped attacks slip past detection logic without being inspected. The ever-growing deluge of new vulnerabilities didn’t help. With the recent log4j exploit, setting a username in an Apple profile resulted in a new attack vector. Exploiting a hole in a Microsoft product, a hacker could enter the enterprise by typing something into the chat window of a video game.
If all else fails for the attacker, one final incredibly effective tool remains – social engineering. Instead of breaking in, an attacker can convince a user to give out passwords or install malicious software in the guise of a valid application or tool.
A New Line of Defense Introduces New Advantages
History has shown the first line of defense is eventually breached, and we must assume adversaries will get in or have already gained access. With access, the attacker typically attempts to move laterally to reach a high-value asset such as a server with all AD credentials, a device with sensitive patient information in a hospital, or a management platform with the ability to coordinate all PLCs on a manufacturing floor.
While this is all doom and gloom, there are ways to detect and stop attackers by shifting focus from chasing an infinite number of threats to focusing on a smaller number of malicious behaviors. For example, there may be hundreds of thousands of variants for a piece of malware, but when it comes to lateral movement, tools like Mimikatz behave the same when performing actions like pass-the-hash.
The same is generally true of all sorts of secondary attacker actions. For example, when an attacker performs internal reconnaissance, it’s easy to detect when a device starts indiscriminately reaching out to a new or large number of devices. Likewise, SMBv1 is at the center of many Windows vulnerabilities and lateral movement attempts. We can now watch all devices speaking SMBv1 and see which system suddenly communicates to many other systems over SMBv1. The same is true for RDP – a protocol designed for remote diagnostics. We can quickly identify excessive RDP usage that falls outside normal administrator behavior.
These examples highlight important advantages for defenders. When an attack has moved inside the network, we can see everything as long as we make an effort to look. When an attacker is still outside, we have almost no insight into who they are, what they’ve been doing, and where they’ve been. When they move to our turf, we see the entire battlefield. Instead of only looking at individual traits or actions, we see the complex behaviors across multiple hosts and how they develop over time.
Instead of making a yes/no decision based on a few milliseconds of analysis, we can inform decisions by understanding the complete history of the network, the behavior of all devices in it, and the collective knowledge of how threats behave. Using inputs like this is how Ordr works.
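As an added example (not Ordr’s code or the post’s own), the fan-out detection described above can be written over constructed flow records: it counts the distinct SMB and RDP peers each source contacts within a time window and compares the count against a default limit or, for a known administrator host, a per-host baseline. All addresses, limits, window sizes and the record format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445   # SMB; a flow record does not reveal the dialect (SMBv1 or later)
RDP_PORT = 3389  # RDP


@dataclass(frozen=True)
class Flow:
    """One connection seen on the network (assumed record layout, not Ordr's)."""
    src: str
    dst: str
    dport: int
    ts: float  # epoch seconds


@dataclass(frozen=True)
class Alert:
    src: str
    window_start: int
    kind: str   # "smb_peers", "rdp_peers" or "any_peers"
    count: int


def parse_flow(line):
    """Parse a 'src,dst,dport,ts' line (assumed export format) into a Flow."""
    src, dst, dport, ts = line.strip().split(",")
    return Flow(src, dst, int(dport), float(ts))


# Distinct-peer limits per window for a device with no learned baseline (assumed).
DEFAULT_LIMITS = {"smb_peers": 5, "rdp_peers": 2, "any_peers": 20}

# Per-host baselines: a jump host legitimately opens RDP to many servers (assumed).
ADMIN_BASELINES = {"10.1.0.10": {"rdp_peers": 8}}


def detect_lateral_movement(flows, window=300, limits=DEFAULT_LIMITS, baselines=None):
    """Return Alerts for sources whose distinct-peer count exceeds its limit in a window.

    Counting who a host talks to, rather than matching payload signatures, is what
    makes this robust to malware variants: a sweep looks like a sweep whatever the tool.
    """
    baselines = baselines or {}
    peers = defaultdict(set)  # (src, window index, kind) -> set of destinations
    for f in flows:
        w = int(f.ts // window)  # tumbling window
        peers[(f.src, w, "any_peers")].add(f.dst)
        if f.dport == SMB_PORT:
            peers[(f.src, w, "smb_peers")].add(f.dst)
        elif f.dport == RDP_PORT:
            peers[(f.src, w, "rdp_peers")].add(f.dst)
    alerts = []
    for (src, w, kind), dsts in sorted(peers.items()):
        limit = baselines.get(src, {}).get(kind, limits[kind])
        if len(dsts) > limit:
            alerts.append(Alert(src, w * window, kind, len(dsts)))
    return alerts


def constructed_flows():
    """Constructed sample traffic; not captured from any real network."""
    lines = []
    # Workstation 10.1.1.50 suddenly talks SMB to eight distinct hosts within 80 seconds.
    for i in range(8):
        lines.append(f"10.1.1.50,10.1.2.{10 + i},{SMB_PORT},{1000 + i * 10}")
    # Jump host 10.1.0.10 opens RDP to five servers, which is normal for it.
    for i in range(5):
        lines.append(f"10.1.0.10,10.1.3.{20 + i},{RDP_PORT},{1000 + i * 15}")
    # Ordinary workstation: one file server, one RDP session. Nothing to flag.
    lines.append(f"10.1.1.51,10.1.2.10,{SMB_PORT},1010")
    lines.append(f"10.1.1.51,10.1.3.20,{RDP_PORT},1020")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for a in detect_lateral_movement(constructed_flows(), baselines=ADMIN_BASELINES):
        print(f"{a.src}: {a.count} distinct {a.kind} in window starting at {a.window_start}")
```

Without the administrator baseline the jump host would be flagged too, which is the "falls outside normal administrator behavior" distinction the post draws.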
Building a Second Line of Defense with Ordr
Ordr analyzes network traffic and traits of each host to conclusively identify each device, whether it is a laptop, server, or the wide variety of IoT, IoMT, or OT devices. The platform builds global and local baselines for normal behavior of every device and allows organizations to identify suspicious or malicious behavior quickly. As soon as a risk or threat is identified, the platform can automatically create and implement policies to isolate any affected hosts and prevent the spread of an attack.
Ordr’s capabilities provide a logical approach to building a second line of defense. Every device is identified and protected based on its unique needs and functions, regardless of being managed or unmanaged. The entire environment is monitored for signs of threats and malicious behaviors, regardless of how those threats got in. Thanks to automation, Ordr enables a robust second line of defense at a fraction of the effort and cost of traditional threat prevention tools.
If you want to learn more about Ordr technology, reach out for a deep dive demo.
Pandian Gnanaprakasam
-
Knowledge Base: Understanding Agentless Asset Discovery
Understanding Agentless Asset Discovery
5 Min Read
With a new wave of devices like IoT and OT, the fourth industrial revolution has created some unique issues and use cases for cybersecurity personnel. Such assets haven’t previously been connected to a network with direct internet access, but new network configurations and cyber threats have made these types of devices just as vulnerable as other IT devices. Agentless asset discovery can be used with these devices, in order to ensure that they’re secure on the network.
What is Agentless Asset Discovery?
Agentless asset discovery is the process of cataloguing each device on your network without installing software on each individual device. Agentless asset identification relies on DPI (Deep Packet Inspection), in which a device’s packets and communications are analyzed. By inspecting communication flows and the application packets themselves, you can often determine make, model, software load, and even serial numbers, all without installing an agent. Enriching this data and further classifying it with machine learning against a catalog of millions of devices allows for accurate device identification and classification.
Let’s look at a common, modern network use case. An employee at a sporting event receives an urgent work call. The employee uses his tablet to connect to the company network to view current information about the incident. Passive agentless asset discovery picks up this device as it monitors the network and collects metrics, such as manufacturer, make, model, and operating system. It also validates that the device hasn’t been exposed to known threats or vulnerabilities. The passive agentless discovery solution can also validate the OS, including patch levels and application inventory.
Agent vs Agentless Discovery
Agent-based asset discovery uses one or more agent software installations on the target system(s) to collect information and metrics about the target system and send that data to a centralized monitoring system, such as a hub, a collector, or a server. Typically, agent software must be manually installed on each target device, either directly on the physical asset or remotely using SSH, RPC, or comparable methods. Some agents can be installed via automation, but automated installation is not available with all agent-based discovery solutions.
Both agent and agentless asset discovery collect asset information and metrics. Agent discovery is more in-depth because the agent runs directly on the device being discovered, but it comes with a much greater deployment and maintenance overhead. Agentless discovery does not need to be deployed onto each device, so it offers better resource and time efficiency.
Performance latency must also be considered, especially for older legacy devices. While agentless discovery can add network overhead and can be dependent on network conditions, it does not require an agent to be deployed. Older legacy devices may not run an operating system that supports an agent. In addition, newer devices like IoT, IoMT, and OT also cannot support an agent because of their limited software footprint and the performance latency an agent would impose.
Support Device Variety with Agentless Discovery
Almost any device in your network environment can be discovered using agentless discovery. There are certain situations when agentless asset discovery is clearly your best, or sometimes only, option. For example, a growing class of assets can only use agentless discovery because they simply can’t have an agent installed; such assets include IoT, OT, and medical devices (IoMT). But whether or not an agent can be installed on the device isn’t the only consideration. In some cases, the costs, time, and/or resources associated with agent-based discovery for every device could simply be too high. By utilizing agentless discovery, you can meet asset discovery requirements in the most effective and efficient manner.
A solution like Ordr means your organization can rapidly discover all its assets, classify them based on type and function, and then assess them for risk. Using a product developed by Ordr allows your organization to build the most accurate and comprehensive asset inventory of what’s in your network, and identification of key risks, without impacting business operations.
Asset Transparency on a Network with Agentless Discovery
With agentless asset discovery, you gain real-time visibility into the assets in the organization’s domain. Such discovery allows your organization to gain highly granular insights about the devices on the network and use those details to monitor for potential security issues.
A robust agentless asset discovery solution makes it possible to dynamically create and impose segmentation on devices that are deemed high-risk. It also delivers the means to identify the compliance and risk postures of devices in the network. A solution like Ordr can also integrate the asset inventory with CMMS and CMDB databases for asset reconciliation and to trigger workflows for any vulnerabilities that need to be addressed. Furthermore, it integrates with Active Directory to establish which device a user is on and for how long.
Monitor Traffic Flows Between Devices
Agentless asset discovery delivers unified monitoring of traffic flows between the devices connected to the network. It can classify both managed and unmanaged devices, which allows your organization to monitor the traffic flows of all connected devices. This traffic monitoring can baseline communication patterns, identify anomalous traffic such as communication with malicious sites outside the organization (including traffic to known security threats like malware or phishing sites), and deliver an audit trail of each device’s communications with other network systems.
You can’t secure what you can’t see, or don’t know about. This unified view and complete device visibility, including traffic flows, is the first critical step for your cybersecurity strategy. Ordr uses agentless asset discovery that doesn’t interfere with device function and employs device behavior monitoring using machine learning to create a flow genome—a conversation map of the communications pattern of every device connected to the network. This flow genome also learns the network topology and provides security personnel and networking groups the information they need to analyze monitored traffic. Ordr makes it easy to determine what devices are currently doing, identify their unique risk scores, and discover any vulnerability gaps.
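The baseline-then-deviation logic described above, as an added illustration that is not Ordr’s flow-genome implementation: a learning period builds each device’s conversation map (which peers and ports it normally uses), and later flows are checked against that map and against a constructed blocklist of hostile destinations. Addresses, ports and the blocklist entry are constructed; 203.0.113.7 is a documentation-range address, not a real indicator.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A single observed conversation (assumed layout, not Ordr's)."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str  # "blocklisted_destination", "outside_baseline" or "unknown_device"


def learn_baseline(flows):
    """Build the conversation map: src -> set of (dst, dport) seen during learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return dict(baseline)


def detect_deviations(flows, baseline, blocklist=frozenset()):
    """Compare monitored flows against the learned map and the blocklist.

    Each distinct (src, dst, dport) triple is reported at most once. A blocklisted
    destination is reported even if it appears in the baseline, since a threat feed
    can arrive after the learning period ended.
    """
    findings = []
    seen = set()
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key in seen:
            continue
        seen.add(key)
        if f.dst in blocklist:
            reason = "blocklisted_destination"
        elif f.src not in baseline:
            reason = "unknown_device"   # never seen during learning: a new or visitor device
        elif (f.dst, f.dport) not in baseline[f.src]:
            reason = "outside_baseline"  # known device, new conversation partner
        else:
            continue
        findings.append(Finding(f.src, f.dst, f.dport, reason))
    return findings


# Constructed learning-period traffic: an infusion pump (10.2.0.5) talks only to the
# clinical server and an NTP server; a workstation (10.2.1.20) uses web and a file share.
LEARNING_FLOWS = [
    Flow("10.2.0.5", "10.2.0.1", 443),
    Flow("10.2.0.5", "10.2.0.1", 443),
    Flow("10.2.0.5", "10.2.0.2", 123),
    Flow("10.2.1.20", "10.2.0.1", 443),
    Flow("10.2.1.20", "10.2.0.3", 445),
]

# Constructed monitoring-period traffic.
MONITORED_FLOWS = [
    Flow("10.2.0.5", "10.2.0.1", 443),      # normal
    Flow("10.2.0.5", "10.2.0.9", 445),      # pump opening SMB to a new host
    Flow("10.2.0.5", "203.0.113.7", 443),   # pump contacting a blocklisted address
    Flow("10.2.0.99", "10.2.0.1", 443),     # device never seen before
    Flow("10.2.1.20", "10.2.0.3", 445),     # normal
]

# Constructed blocklist (documentation-range address; not a real indicator).
BLOCKLIST = frozenset({"203.0.113.7"})


if __name__ == "__main__":
    for finding in detect_deviations(MONITORED_FLOWS, learn_baseline(LEARNING_FLOWS), BLOCKLIST):
        print(f"{finding.src} -> {finding.dst}:{finding.dport}  {finding.reason}")
```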
Identify Vulnerabilities and Meet Compliance
Continuous asset monitoring is crucial. For many organizations, inventory management is performed as a periodic, point-in-time audit. That approach can leave security gaps, since a vulnerable device may be offline during the audit period; if the vulnerabilities on those devices are never patched, the visibility gap becomes a security issue. When you have continuous, up-to-date information, you gain greater security coverage and can prevent the use of devices that are not in compliance.
Ordr provides continuous asset discovery and allows you to drill into non-compliant devices and isolate them from the organization’s network. Our solution also monitors devices for risks like active threats, anomalies, bad URL/site connections, or known vulnerabilities. With Ordr, you have the complete picture of all devices on the network, including ones that belong to visitors or contractors.
Agentless Discovery and Your Organization
Agentless asset discovery gives your organization flexibility and real-time asset information for all the devices in the company’s network. It provides the ability to monitor vital traffic, identify security risks, and assist with meeting compliance or industry regulations. With a unified view of your assets and traffic at any point in time, you can detect behavior changes before a cybersecurity threat is executed.
Organizations gain a plethora of advantages from a complete, up-to-date asset inventory of devices connected to the network in real time. Ordr delivers a unified view of all the managed and unmanaged assets on your organization’s network, including IoT, OT, and IoMT devices. Not only does Ordr allow individual device behavior monitoring, but it also ensures that your devices behave as they should, based on their uniquely defined behaviors. With the added ability to integrate with your organization’s existing applications, like ITSM, CMMS, or CMDB solutions, Ordr helps you get more value out of your existing investments.
-
Blog: Ordr’s Series C Investment Strengthens Position as IoT Security Leader
Company News
Ordr’s Series C Investment Strengthens Position as IoT Security Leader
4 Min Read, by Greg Murphy
Ordr just announced the closing of our Series C round of investments, raising an additional $40 million to support our growth and continuing R&D in the realm of securing internet-connected devices for the organizations that rely on them. Investors in the round include ongoing commitments from all our prior investors, including Battery Ventures, Ten Eleven Ventures, Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. We are delighted to add Northgate Capital as an Ordr investor and to have the support of industry leaders and notable Silicon Valley entrepreneurs René Bonvanie, former Chief Marketing Officer of Palo Alto Networks; Dan Warmenhoven, former Chairman and CEO of NetApp; and Dominic Orr, former Chairman and CEO of Aruba Networks.
Since Ordr’s founding in 2015, our company has attracted more than $90 million in total investments. On behalf of the Ordr team, I want to thank all our investors for this strong vote of confidence in the organization and in our vision for the future of cybersecurity. While many companies have been sold or exited this market early, this funding gives us the ability to build a strong, stand-alone technology leader that will be here for our customers for years to come. I must also offer our gratitude to the hundreds of customers and partners who have trusted Ordr to protect their connected devices, patients, and businesses. We are inspired every day by your commitment and dedication to your mission. Your passion and input have made us a better company and today’s announcement would not be possible without you.
Finally, I want to recognize the tremendous Ordr team, from our founders, Pandian Gnanaprakasam and Sheausong Yang, to the amazing new colleagues who have joined us recently. This milestone reflects your passion, your empathy for our customers, and your dedication and confidence in our mission.
Our Vision, Our Journey
When we began our journey, it was estimated that there were about 3.5 billion internet of things (IoT) devices connected to public networks. Improvements and innovations in processing and network communications, artificial intelligence and machine learning, and automation presaged rapid growth for the technology. Today there are more than 35 billion connected devices in service, and projections suggest more than 75 billion will be deployed by 2025—more than twenty times the number when we started.
Every one of those devices is a potential attack vector, expanding the need for what Gartner now calls “cyber asset attack surface management,” or CAASM. Threat actors are adept at taking advantage of device vulnerabilities to gain a network foothold from which they can move laterally to disrupt operations and execute attacks. Their targets are often organizations in critical infrastructure industries like healthcare, manufacturing, energy, and government where there has been heavy adoption of IoT devices, including the internet of medical things (IoMT) and operational technologies (OT). In fact, Ordr is one of the few security vendors that address a myriad of security and device management use cases across Gartner-defined market categories ranging from medical device security and OT security, to CAASM, and network detection and response (NDR).
IoT Security as a Business Imperative, Strategic Priority
Securing the vast constellation of connected devices is not only a business imperative, but it has been recognized as having strategic importance for national security here in the U.S. and abroad. The Ordr platform is a vital component to achieving a Zero Trust security posture as recommended to protect economic interests. Meeting the security needs of critical infrastructure and other industries, like financial services, retail, education, and biopharma research, where connected device adoption is building momentum, requires a tool like Ordr that is designed to address conditions unique to connected devices. Ordr’s “See. Know. Secure.” approach to connected device security finds devices wherever they are in the network, identifies each device and learns its operating pattern, then automatically applies and executes appropriate security policies to ensure that each device remains protected.
And Ordr’s approach to connected device security works. That’s why the Ordr platform enjoys wide adoption across critical infrastructure industries where we help protect three of the world’s six largest healthcare organizations, and are the connected device security tool-of-choice for more than 150 manufacturing sites. Ordr customers span the full spectrum of industry, and our technology’s excellence has driven a 140% increase in year-over-year new customer growth in our most recent quarter, ending March 31, 2022.
Looking to the Future of Connected Device Security
As we look to the future to further develop our product, attack the market, and execute against our business plan and our goal of continuous improvement in all aspects of our operations, we’re proud to have attracted such strong partners: investors with a stake in our success, a stellar track record of working with companies in hyper-growth, and strong domain expertise to bring to our leadership team. We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer’s security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market.
It is my privilege to serve as Ordr’s CEO and to play a role in an exciting future for the company, and I am humbled to be surrounded by a team of professionals committed to our success and the security of our customers. If you want to be a part of that future, please check out our Careers page for opportunities to join the team. If you are a CISO, CIO, or other tech leader who recognizes that your company’s investments in connected devices are leaving you vulnerable, take a look at our technology and then reach out for more information or a demonstration. We’d love to hear from you.
Greg Murphy
Greg joined Ordr as CEO in December 2018. Previously, he was VP Business Operations for the HPE Aruba Group, the 4,000 person networking and IoT business unit of Hewlett Packard Enterprise. In that role, Greg was responsible for leading the business integration of Aruba and HP Networking following HP’s $3 billion acquisition of Aruba Networks in 2015. Greg held multiple prior senior executive positions within Aruba, including SVP Business Operations, GM of network management software, GM of outdoor and mesh products and VP of Marketing. Greg joined Aruba in 2008 through its acquisition of AirWave Wireless, a network management software provider that Greg founded and led. Greg received his M.A. from Stanford University and his B.A. from Amherst College.
-
Blog: FBI Issues Ominous Warning of Imminent Cyber Attack on Critical Infrastructure
Security Bulletin
FBI Issues Ominous Warning of Imminent Cyber Attack on Critical Infrastructure
4 Min Read, by Srinivas Loke
In testimony before the House Select Committee on the Chinese Communist Party yesterday, FBI Director Christopher Wray delivered an ominous message:
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”
That statement strongly implies that the assets (including IT, OT, and cyber physical systems) on which the American power grid, water treatment, healthcare, pipeline, transportation and logistics, telecommunications, and other critical infrastructure operations depend have already been compromised by state-sponsored or state-sanctioned threat actors.
The risk, Wray emphasized, was not hypothetical, but real; not a matter of if, but when. And when the attack comes, he said it would be at a moment of China’s choosing.
Wake Up Call
Wray also expressed frustration that these threats to U.S. critical infrastructure have not gotten the attention they require, and he made it clear to the Committee that they and the nation need to do more. “China’s multi-pronged assault on our national and economic security make it the defining threat of our generation,” he warned.
Offering some reassurance, Wray said that the U.S. was not incapable of defending against the Chinese cyberthreat, but that the public and private organizations responsible for managing our economic and critical infrastructure “cannot afford to sleep on this danger.”
In other words, his testimony was a wake-up call.
How You Can Respond
Ordr’s customers can take immediate action to check for, respond to, and mitigate security gaps and indicators of compromise that might otherwise be exploited by threat actors. You have a powerful tool available and can use our See, Know, Secure framework to guide your cybersecurity strategy and execution.
- See every asset and manage exposure: The good news is that our platform has already discovered, profiled, and is monitoring your entire cyber asset attack surface. That includes every asset–IT, OT, IoT, and cyber physical systems–operating on your network, along with their installed software and applications, and their communication flows. Using Ordr you can ensure that you’re identifying and mitigating risks such as devices with vulnerabilities, running outdated operating systems, or using weak/default/no passwords.
- Know your threats and anomalies: We view active threats in three ways. First, known threats will be detected by our integrated intrusion detection system and threat intelligence feeds. (Note: our IDS signatures today can detect the KV botnet malware referenced by Director Wray). Second, we detect risky communications, such as internal east-west traffic, and external traffic to unknown or hostile domains. Finally, we also alert on any activity by any device that strays outside of its expected baseline parameters. Security teams should use Ordr risk scores to prioritize remediation of the top threats in their networks. Risk scores can be customized based on asset and business attributes important to the organization.
- Secure and segment: You should review your network segmentation policies to make sure you can isolate mission-critical assets and make it harder for threat actors to get to them in the event of an attack. Zero Trust segmentation, where you limit vulnerable devices (such as those with outdated operating systems) to their baseline communications, can enable appropriate access while limiting risky exposure. You can also automate responses when a threat is present, double-check the asset context to determine the best possible enforcement point (firewalls, NACs, or switches), and make sure responses and policies are proportionate to the threat.
Keep in mind that, while the FBI director named several examples of critical infrastructure under threat, the list was not exhaustive. Healthcare, financial services, manufacturing, and other industries can all be defined as critical infrastructure. And any organization that is part of the digital supply chain to those targets also poses a threat.
How Ordr is Responding
It is important to know that we are not sitting still. Our policy is one of continuous improvement: we are monitoring this and other threats to ensure our customers are prepared, and developing and updating features that help our customers simplify risk prioritization and rapidly respond to and contain threats. Our threat intelligence integrations, in concert with the Ordr Data Lake, ensure that the most precise real-time analysis possible is at work on your behalf.
For example, the rogue devices, malicious communications, and malware our customers have detected and remediated mean their environments are already better protected against potential cyberattacks. One customer–a critical infrastructure operator–was able to reduce dwell time from the industry average of 16 days to just a few minutes.
We also continue to monitor our systems and processes, ensuring they comply with SOC 2 standards. As outlined in a previous blog, Ordr's achievement of SOC 2 compliance in Organizational Governance and Structure underscores our enduring commitment to security.
We are all in this together
The FBI’s warning should not come as a surprise to cybersecurity professionals who have been paying attention. Threat actors have been actively targeting economic and infrastructure targets for years. And whether or not the scenario Director Wray described in his testimony comes to pass, we can expect attacks from other hostile players to persist. Cybercriminals have shown a propensity for carrying out their business with callous unconcern for the consequences of their actions.
As such, we should use this moment to remind those around us that security is everybody’s job. Be wary of every email, every online interaction, every unexpected behavior in your network. Our commitment to you is that we will continue to work diligently to ensure the Ordr platform is always vigilant, ready, and able to keep your enterprise as secure as it can be. Do not hesitate to reach out to us if you have any questions about this or other cyberthreats to your organization.
Srinivas Loke
Srinivas Loke is Vice President of Product Management at Ordr. Srinivas has a passion for cybersecurity with a deep understanding of network, end point, cloud and IoT security. Prior to Ordr, he led product teams at Aruba, Pulse Secure, FireEye and McAfee. He loves taking 1.0 products to the market and furthering cutting edge technologies that are solving customer problems.
Interested in Learning More?
Subscribe today to stay informed and get regular updates from Ordr Cloud
Ready to Get Started?
Security Strategy
White House Must Lead & Build Momentum for IoT Security
4Min ReadBy Danelle Au
The White House recently issued a memo entitled Fact Sheet: Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity. The communique offers a checklist of policies, executive orders, and other steps the Biden-Harris Administration has taken to demonstrate its “relentless focus to improving the United States’ cyber defenses, building a comprehensive approach to ‘lock our digital doors’ and take aggressive action to strengthen and safeguard our nation’s cybersecurity.” It’s worth looking at the items outlined as it offers insight into the federal government’s position on the state of the nation’s cybersecurity posture.
The Fact Sheet on Strengthening America’s Cybersecurity addresses different areas of concern focused on protecting national economic interests, addressing security by design, countering ransomware threat, raising threat awareness, training more cybersecurity professionals, and preparing for a post-quantum world. The Fact Sheet’s focus policies include:
- Improving the cybersecurity of our critical infrastructure.
- Ensuring new infrastructure is smart and secure.
- Strengthening the Federal Government’s cybersecurity requirements, and raising the bar through the purchasing power of government.
- Countering ransomware attacks to protect Americans online.
- Working with allies and partners to deliver a more secure cyberspace.
- Imposing costs on and strengthening our security against malicious actors.
- Implementing internationally accepted cyber norms.
- Developing a new label to help Americans know their devices are secure.
- Building the Nation’s cyber workforce and strengthening cyber education.
- Protecting the future – from online commerce to national secrets — by developing quantum-resistant encryption.
- Developing our technological edge through the National Quantum Initiative and issuance of National Security Memorandum-10 (NSM-10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.
While the eighth policy on the list addresses a need to help make consumers more aware of the cyber-risks associated with their purchase and use of Internet of Things (IoT) devices, we note the lack of a reference to IoT security within enterprises. Here’s the full text from the Fact Sheet:
“Developing a new label to help Americans know their devices are secure. This month, we will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities. By developing and rolling out a common label for products that meet U.S. Government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes. We are starting with some of the most common, and often most at-risk, technologies — routers and home cameras — to deliver the most impact, most quickly.”
Consumer and Commercial/Industrial IoT are Vulnerable
First, let me be clear that Ordr supports the efforts to help make people more aware of the risk associated with the connected devices they purchase for personal and in-home use. Often these devices collect sensitive information, or they may be a gateway for threat actors to gain access to a personal network that is relatively unprotected. Very few homes run industrial-grade security products, so most are vulnerable to the tools and techniques available to criminal hackers and hacker groups. But the same threats that put personal IoT devices at risk are present in many of the devices that populate enterprise networks.
Medical devices, industrial controls, sensors, point-of-sale systems, communications equipment, and many more Internet of Medical Things (IoMT), operational technologies (OT), IoT, and other connected devices are notoriously vulnerable to attack. Many of these devices are not built with security as a priority of their design. They operate with obsolete operating systems, rely on default (if any) passwords, and are released to market with security weaknesses. Some industry studies have found that three-quarters of all IoMT devices deployed today have at least one security vulnerability, and that half may have multiple vulnerabilities.
What’s more, the same devices that the White House wants to warn consumers about may also end up connecting to enterprise, industrial, and healthcare networks. Within minutes of deploying Ordr in these environments, our platform automatically discovers and classifies all of the devices operating on the network, and the results have been eye-opening for our customers. Vending machines, smart assistants, and gaming systems are not uncommon; but we’ve also found stranger things like parking gates, Kegerators, Pelotons, and Tesla automobiles.
Many times, these devices have a legitimate reason to be operating where they are, but if IT and security operations don't know about them, they present an unrecognized risk. That is where Ordr comes in. By discovering and classifying every device, then drawing on the Ordr Data Lake to gather context and monitor its activity with a granular understanding of its purpose and normal operational patterns, Ordr can uncover vulnerabilities and detect behavioral deviations that are indicators of compromise. When that happens, Ordr automates policy enforcement to respond immediately and prevent or stop the spread of an attack, while maximizing operational resilience.
IoT Security for Economic Security
Some devices and systems must keep operating even while at risk, and Ordr’s enforcement of segmentation and isolation policies can ensure continued functioning even as the security team takes action to mitigate the present risk. That’s an option that is better than a “code dark” event during which non-technical staff are instructed to disconnect machines from the network altogether.
We applaud the White House's efforts to use its bully pulpit to advance the cause of cybersecurity. We also urge the administration to continue to use its influence to help make our entire economy safer by recognizing the need to build security-by-design into every connected IoT, IoMT, and OT device. Building on the momentum of the IoT Cybersecurity Improvement Act of 2020 as well as FDA guidance for IoMT security, bills like the PATCH Act and other requirements are needed to ensure connected devices are built and delivered to be secure. If labeling consumer devices is important, it must be a priority for commercial devices as well.
Danelle Au
Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications book and holds 2 U.S. patents. She has an MSEE from UC Berkeley.
Blog
Accelerate Incident Response and Secure Your Assets with OrdrAI CAASM+
3Min ReadBy Derek Loomis
As enterprise environments become more complex, the responsibilities of Incident Response (IR) teams have become equally complex. With the rapid growth of IoT, OT, IoMT, container, ephemeral cloud, and various other asset types, the task of identifying assets and effectively responding to cybersecurity incidents has become more difficult and time-consuming than ever. OrdrAI CAASM+ provides a centralized platform for cyber asset attack surface management (CAASM) with accurate asset data and actionable business insights for IR teams to protect their assets and accelerate response times during incidents.
Preparation: Handling an incident more effectively with complete, accurate asset inventory and in-depth data
NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, outlines a framework for incident response. OrdrAI CAASM+ supports its preparation phase by equipping IR teams with a complete, accurate, and centralized source of asset inventory and data. This eliminates the need for manual data gathering and correlation from siloed sources.
Ordr’s methodology combines 170+ IT and security ecosystem integrations and proprietary discovery technology with AI/ML correlation and classification. The result is a complete, deduplicated inventory of all assets, including devices (IT, IoT, IoMT, OT), SaaS, applications, cloud, and users. This approach also delivers deep asset context, including device owners, software, security tool posture, assigned policies, open ports, running services, vulnerabilities, and more.
With this asset context and data, IR teams can efficiently respond to incidents, reducing mean-time-to-remediation (MTTR). Additionally, Ordr’s proprietary AI/ML asset profiling and classification provides teams with a visual representation of all devices, including IoT and OT. This is invaluable for on-site personnel seeking to locate—and potentially disconnect—a device from the network.
Ordr also provides teams with user-to-device relationships, alongside vulnerabilities, SaaS applications, installed software, and more, through the OrdrAI Asset Graph.
In the screenshot below, you can quickly see that user "dbrown" has been active on four devices. Focusing on a specific device, we see the known exploited vulnerabilities (KEV) associated with it. We can further extend this analysis to find every device in the environment affected by the same exploited vulnerability. With this information, IR teams can efficiently assess, prioritize, and assign remediation actions to the most critical devices.
Ordr uses a variety of techniques to identify vulnerabilities, so organizations get a comprehensive view of the vulnerabilities in their network. For assets that cannot be scanned, or that are not regularly updated, Ordr uses our Software Inventory Collector, a lightweight script that infers vulnerabilities by correlating the installed Knowledge Base (KB) and hotfix (HF) identifiers against the patches that should be present, instead of scanning the asset directly.
Ordr also uses asset data (make, model, manufacturer, operating system and so on) collected through passive and active techniques to identify vulnerabilities associated with assets running outdated operating systems.
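The three operations described above, merging asset records from several sources into one deduplicated inventory, correlating each asset's findings against a known-exploited-vulnerabilities list, and inferring missing patches from an installed-KB list for assets that cannot be scanned, are shown together in the script below. It is an added example, not Ordr's code or data format: the EDR, CMDB, scanner and collector records, the KEV list, the KB-to-CVE mapping and the CVE identifiers (CVE-2099-xxxx, deliberately fictitious) are all constructed for the example, and the priority formula is an assumption standing in for a customizable risk score.

```python
"""Asset deduplication, KEV correlation and KB/hotfix inference.

Added illustration, not Ordr's implementation. All records, CVE identifiers
(CVE-2099-xxxx are fictitious) and the KB mapping are constructed.
"""

# Constructed source records. Note the inconsistent hostname case and MAC formats,
# and that some sources carry only a hostname.
EDR = [
    {"hostname": "WS-DBROWN", "mac": "AA:BB:CC:00:00:01", "os": "Windows 10 22H2", "user": "dbrown"},
    {"hostname": "ws-jsmith", "mac": "aa-bb-cc-00-00-02", "os": "Windows 10 22H2", "user": "jsmith"},
]
CMDB = [
    {"hostname": "ws-dbrown", "owner": "dbrown", "criticality": "medium"},
    {"hostname": "ct-scanner-01", "mac": "aa:bb:cc:00:00:03", "owner": "radiology",
     "criticality": "high", "os": "Windows 7"},
]
SCANNER = [
    {"mac": "AA:BB:CC:00:00:01", "cves": ["CVE-2099-0001", "CVE-2099-0002"]},
    {"hostname": "ws-jsmith", "cves": ["CVE-2099-0001"]},
]
COLLECTOR = [   # output of a lightweight inventory script on an asset that cannot be scanned
    {"hostname": "ct-scanner-01", "os": "Windows 7", "installed_kbs": ["KB9000001"]},
]
KEV = {"CVE-2099-0001", "CVE-2099-0003"}                     # constructed exploited-vulnerability list
REQUIRED_KBS = {                                             # constructed: OS -> KB -> CVEs it remediates
    "Windows 7": {"KB9000001": ["CVE-2099-0004"], "KB9000002": ["CVE-2099-0003"]},
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def norm_mac(mac):
    return mac.lower().replace("-", ":") if mac else None


def norm_host(host):
    return host.lower() if host else None


def merge(*sources):
    """Deduplicate records into one asset per device, keyed by MAC, with hostname as fallback."""
    host_to_mac = {}
    for src in sources:
        for r in src:
            if r.get("mac") and r.get("hostname"):
                host_to_mac[norm_host(r["hostname"])] = norm_mac(r["mac"])
    assets = {}
    for src in sources:
        for r in src:
            mac = norm_mac(r.get("mac")) or host_to_mac.get(norm_host(r.get("hostname")))
            key = mac or norm_host(r["hostname"])
            a = assets.setdefault(key, {"hostname": None, "mac": mac, "cves": set(), "installed_kbs": set()})
            if r.get("hostname"):
                a["hostname"] = norm_host(r["hostname"])
            for field in ("os", "user", "owner", "criticality"):
                if r.get(field):
                    a[field] = r[field]
            a["cves"].update(r.get("cves", []))
            a["installed_kbs"].update(r.get("installed_kbs", []))
    return assets


def infer_from_patches(asset, required=REQUIRED_KBS):
    """KB/HF correlation: CVEs whose remediating KB is absent from the installed list."""
    table = required.get(asset.get("os"), {})
    missing = set(table) - asset["installed_kbs"]
    return {cve for kb in missing for cve in table[kb]}


def enrich(assets, kev=KEV):
    """Attach inferred CVEs, the KEV subset and a priority to each asset."""
    for a in assets.values():
        if a["installed_kbs"]:                  # collector ran on this asset
            a["cves"] |= infer_from_patches(a)
        a["kev"] = a["cves"] & kev
        weight = CRITICALITY_WEIGHT.get(a.get("criticality"), 1)
        a["priority"] = weight * (10 * len(a["kev"]) + len(a["cves"]))
    return assets


def build():
    return enrich(merge(EDR, CMDB, SCANNER, COLLECTOR))


def affected_by(assets, cve):
    """Every device carrying the same vulnerability, for fan-out during triage."""
    return sorted(a["hostname"] for a in assets.values() if cve in a["cves"])


def devices_for_user(assets, user):
    return sorted(a["hostname"] for a in assets.values() if user in (a.get("user"), a.get("owner")))


if __name__ == "__main__":
    inventory = build()
    for a in sorted(inventory.values(), key=lambda x: -x["priority"]):
        print(f"{a['hostname']:14} priority={a['priority']:3} kev={sorted(a['kev'])} cves={sorted(a['cves'])}")
    print("affected by CVE-2099-0001:", affected_by(inventory, "CVE-2099-0001"))
```

The scanner-less CT scanner ends up with the highest priority even though no scanner ever touched it: the missing KB is enough to tie it to an exploited vulnerability, and its business criticality multiplies the result.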
Detection & Analysis: Optimizing incident response with comprehensive asset data and business insights with GenAI Search
Traditional methods and initial analysis of an incident may only identify suspicious activity from a specific IP or user. Ordr’s ability to understand and visualize asset relationships is crucial for incident response teams to easily access asset data and deliver the context needed to efficiently contain and recover from an incident.
Ordr’s Generative AI search enables security and IR teams to quickly initiate their investigation with a single data point. For example, in the screenshot below, the team begins their investigation by inputting the flagged IP address associated with suspicious activity. After inputting the IP address, teams gain access to the necessary data for analysis and incident containment, including the make and model of the device (Dell Latitude 7420 laptop), device user, and a timeline of events.
Additionally, OrdrAI CAASM+ provides an out-of-the-box risk analysis, including customizable risk and vulnerability scores, assessment of device compatibility with endpoint detection and response (EDR) and mobile device management (MDM) technologies, and more. This risk analysis empowers teams with the context needed to prioritize vulnerabilities based on the criticality of assets to the business, enabling them to concentrate on addressing the most significant risks.
Contain, Eradicate & Recover: Improve Time-to-Remediation with OrdrAI CAASM+
OrdrAI CAASM+ is a game changer for incident response teams, providing them with the data and business insights needed for prompt and decisive action throughout NIST’s incident handling process. Additionally, OrdrAI CAASM+ empowers teams with streamlined workflows that strengthen their incident response capabilities while reducing response times. Ordr also provides a framework for remediation with multiple enforcement options, including:
- Add to Blocklist
- Add to Blocklist & Shutdown Ports
- Generate Blocklist CLI
- Change VLAN (enforce)
- Initiate Scan
- Analyze App Usage
- Open a Ticket
- Send SMS
- Send Email
Furthermore, Ordr integrates with industry-leading security solutions to share risk and vulnerability data and automate remediation. Recommended data sources for Ordr to integrate with to accelerate incident response include:
- EDR
- MDM
- CMDB
- Cloud Assets
- Vulnerability Assessment Systems
- Ordr Discovery Engine
Check out this video for a deeper dive, or you can also learn how OrdrAI CAASM+ can help your security and IR teams reduce their response times with a live demo.
Thanks for joining us for another blog in our series on cyber asset and attack surface management use cases. We will continue to explore more asset and attack surface management use cases in the coming weeks and discuss how Ordr addresses them.
Derek Loomis
Derek Loomis is a Senior Product Manager at Ordr driving the OrdrAI CAASM+ solution (Cyber Asset Attack Surface Management). He has 16 years’ experience in cybersecurity with expertise in security operations, asset management, compliance, network security & vulnerability management. Before Ordr, he worked at Axonius & Qualys. In a previous career, Derek won an Emmy Award as an Associate Producer for ESPN SportsCenter in 2004.