Five Security Takeaways from Ordr 2021 Rise of The Machines Report

Last week, we announced the availability of Ordr’s 2nd annual Rise of the Machines 2021 Report “State of Connected devices — IT, IoT, IoMT and OT”. This year’s report analyzed connected device security risk and adoption for 12 months (June 2020 through June 2021) across more than 500 Ordr deployments in healthcare, manufacturing, financial services organizations and more.

We invite you to download this report here.

What were the learnings from the Rise of the Machines? Here are the five security takeaways from the 2021 Report.

1. A “whole organization” approach to connected device security is critical

In this report, Ordr discovered that 42% of connected devices were agentless or un-agentable devices. This number increased from 32% of agentless or un-agentable devices in 2020. With almost half of devices in the network that are either agentless or un-agentable, it’s clear that a security strategy that is only focused on agent-based endpoint security is not enough. These connected devices are key to digital transformation and organizational strategic priorities, but they are not designed with security in mind, often run obsolete operating systems and cannot support endpoint security agents. The solution is to identify, detect and secure via the network to complement your endpoint security solution.

What’s important to remember is that ALL devices/assets need to be identified and profiled. Yes, if you’re in healthcare, medical devices are critical, and similarly if you’re in manufacturing, your OT devices are critical. But because threat actors can target any vulnerable device, you need to have a complete asset inventory of every “thing” in your network. The Colonial Pipeline attack showed us that when IT and IoT systems are hit by a cyberattack, your business is impacted even if your OT environment continues to function. In a hospital environment, a cyberattack impacting your elevator control systems will similarly bring down the entire healthcare operations if patients cannot be transported even if your medical devices are fine. This is what we mean by the “whole organization” approach to connected device security.

2. Beware the “Shadow IoT” and personal devices

In a sign of the times, Ordr found Pelotons, Sonos, Alexas and Teslas in the network, almost 2 times the number compared to the 2020 report. Many of these devices (with the exception of Teslas) were in fact being used for actual business operations. In fact, many of our “Smart Hospitals” were deploying Aexas in their rooms for their pediatric patients. Alexas were used for “nurse call functions”, to switch channels on TVs, and to dim or change the smart lighting in the rooms. Pelotons were being used for physical therapy in hospitals, deployed in gyms in hospitality verticals and enterprises.

What’s interesting to note is that not only do these devices have vulnerabilities (for example leaky APIs within Pelotons) for threat actors to take advantage of but there is also an overwhelming amount of data stored that could be used to target users within the organization. Threat actors are already targeting disgruntled employees to get them to unleash ransomware, imagine if they had data from personal devices (eavesdropping on Alexas or identifying health conditions on Peloton devices) to optimize their target list.

3. Understand which devices are bringing risks to your network

Outdated operating systems present the greatest risks for most organizations. We identified about 19% of deployments with devices running outdated operating systems Windows 7 and older, and almost 34% of deployments with devices running Windows 8 and Windows 10, which are expected to end-of-life in 2023 and 2025, respectively.

Within healthcare, 15% of medical devices and 32% of medical imaging devices run on outdated operating systems. This is because many medical devices remain in operation for a number of years and cannot be easily replaced for cost reasons. Segmentation is the only way to ensure security of these devices, keep them in operation and avoid the costs of replacing devices early.

Ordr makes this easy for any security organization because we create the segmentation policies automatically for you, to be pushed and enforced on switches, next-generation firewalls, wireless LAN controllers and NAC systems.

Besides outdated operating systems, you should also identify devices with weak operating systems, weak passwords or weak certificates. Again, this is an easy click of the button on the Ordr dashboard.

4. Monitoring device behaviors and communications patterns is critical to security

At Ordr, we believe in the adage “You can’t secure what you can’t see”. But visibility is not just about knowing what devices you have in the network, it’s also about understanding how it’s behaving and what it is communicating with. That behavioral understanding of what is “normal” allows you to surface anomalous behaviors such as lateral movement from the (sudden increase in SMB traffic) or a compromised device (via communications calling home to a C2 domain).

The Ordr platform not includes an integrated threat detection engine for known threats, but also the behavioral mapping of every device flow to detect unknown threats. This is not easy, we monitor almost one BILLION flows today across all our customers’ deployments. But this has allowed us to detect Darkside and Conti infections, via devices behaving suspiciously, BEFORE any indicators of compromise were even released by authorities such as the FBI.

5. Manage user access to devices and appropriate offboarding when status changes

Finally, one of the most interesting additions to the 2021 report was about 55% of our deployments having devices with orphaned users. Devices with orphan accounts retain the same access rights as when they were associated with an active user. These orphaned user accounts provide a gateway to privilege escalation and lateral movement. Therefore, as part of a robust and complete Zero Trust strategy for connected devices, you need to ensure that all devices are being utilized only by current users and those with appropriate privileged access. Check out our blog on identifying employee account misuse using Ordr.

Want to learn more? Download our Rise of the Machines report now.

Danelle Au

Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach where she helped build the marketing organization and and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. She has an MSEE from UC Berkeley