We are rapidly moving toward a world where almost everything is connected, and this will increase the number of networked devices by orders of magnitude. IT professionals used to keep track of the number of devices per person as a way of gauging how many connected endpoints there were. Pre-BYOD businesses had about two devices per employee, comprising a single user device and a share of IT-owned ones such as printers and servers. Then came the rise of consumer devices and VoIP, and this number jumped to about five to six per employee as we connected IP phones, tablets, access points and other things.
The Growth of IoT Leads to Chaos for IT
In the internet of things (IoT) era, companies are connecting lighting systems, soda machines, thermostats, autonomous vehicles, drones, sensors, and the list goes on and on. What’s the number of devices per user now? 40? 100? There are too many for this to be a trackable number and frankly, at this ratio, it’s a bit meaningless. IT pros need to face the fact that the tight control they once had over their network is gone, having given way to chaos. IoT makes hyperconnectivity the norm, and that requires different tools and processes to manage the environment.
One startling data point comes from a recent survey from ZK Research that found 61% of network professionals have no or low confidence that they know what devices are connected. This number is up from 51% five years ago, highlighting that the security and operations teams are falling further behind. A new approach is required to meet the demands of a hyperconnected business.
Ordr Uses AI to Manage and Secure IoT
Earlier this year, a VC-backed company named Ordr launched that uses artificial intelligence (AI) to manage and secure connected endpoints. The company’s flagship product Systems Control Engine (SCE) is an AI-based platform. It’s designed to be closed loop, meaning it continues to learn over time. The more data fed into it, the more accurate it gets.
Ordr’s SCE maps all the network flows and creates what it calls a device flow genome that can automatically identify devices. Once an endpoint is identified and classified, the information is stored in Ordr’s cloud and shared with all of its customers. The current database contains tens of thousands of endpoints and includes everything from medical equipment to HVAC systems to IP cameras as well as traditional IT equipment such as routers, switches, PCs and laptops.
While there are a number of other vendors that claim to do device identification, what makes Ordr unique is that it goes beyond that. In addition to helping IT understand what’s connected, the device flow genome also provides the following device-specific attributes:
- Make, model and modality
- OS and software versions
- Vulnerabilities, recalls, etc.
- Network parameters
- Application and user data
Ordr’s SCE Can Detect Any Behavioral Anomaly
Because SCE knows the baseline flow genome, it is able to see the smallest behavioral change, which could indicate a security issue. As an example, a connected MRI machine will likely exhibit the same behavior day after day. However, if it suddenly attempts to access company resources such as human resources systems, this behavior change could indicate the device’s IP address was hijacked. Ordr could then automatically quarantine the device for further investigation, limiting the damage caused.
If Ordr had been in place when Target was breached, the threat actors would have gained access to the HVAC system but access would have been cut off when there was an attempt to connect to the point-of-sale systems. The lack of visibility into what was normal and what changed led to that breach.
SCE Simplifies Segmentation
Ordr can be a valuable tool in helping organizations understand how to implement segmentation. SCE is continually analyzing all device communications, enabling it to learn correct behaviors and conversation maps. This information can then be used to group systems by type, location, function or application, which can be used as a map to segment the environment. Almost every IT professional I talk with is interested in segmentation, but there’s a lack of awareness as to what and how to segment. Ordr can provide that information.
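The two ideas described above, a per-device baseline of normal conversations used to flag deviations (the MRI example), and conversation maps used to group devices into candidate segments, can be shown with a small flow-analysis routine. This is an added illustration, not Ordr’s code and not its device flow genome; the flow records, device names, destinations and ports are all constructed for the example, and "quarantine" here just means naming the device for investigation.

```python
"""Baseline-and-deviate flow analysis for IoT endpoints.

Added illustration only: not Ordr's code or its SCE 'device flow genome'.
Flow records are simplified to (source device, destination, destination port);
every sample flow below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source device name (constructed label)
    dst: str      # destination host or service name (constructed)
    dport: int    # destination port


# Constructed learning window: what each device normally talks to.
BASELINE_FLOWS = [
    Flow("mri-01", "pacs-server", 104),
    Flow("mri-01", "pacs-server", 104),
    Flow("mri-01", "ntp", 123),
    Flow("mri-02", "pacs-server", 104),
    Flow("mri-02", "ntp", 123),
    Flow("hvac-ctrl", "bms-server", 47808),
    Flow("hvac-ctrl", "ntp", 123),
    Flow("ipcam-07", "nvr", 554),
]

# Constructed observation window containing one deviation: an imaging
# device reaching for an HR file share it has never contacted before.
OBSERVED_FLOWS = [
    Flow("mri-01", "pacs-server", 104),
    Flow("mri-01", "hr-fileshare", 445),
    Flow("hvac-ctrl", "bms-server", 47808),
    Flow("ipcam-07", "nvr", 554),
]


def learn_baseline(flows):
    """Map each device to the set of (dst, dport) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """Return observed flows whose (dst, dport) is absent from the device's baseline.

    A device with no baseline entry at all is also reported: an endpoint that
    was never profiled is itself a visibility gap, not a trusted talker.
    """
    anomalies = []
    for f in flows:
        allowed = baseline.get(f.src)
        if allowed is None or (f.dst, f.dport) not in allowed:
            anomalies.append(f)
    return anomalies


def group_by_conversation(baseline):
    """Group devices that share an identical conversation map.

    Devices with the same map are candidates for one segment and one policy;
    this is the 'group by function' step that precedes writing segmentation rules.
    """
    groups = defaultdict(list)
    for device, convs in baseline.items():
        groups[frozenset(convs)].append(device)
    return [sorted(members) for members in groups.values()]


def quarantine_candidates(baseline, flows):
    """Devices to isolate for investigation: any device with an anomalous flow."""
    return sorted({f.src for f in find_anomalies(baseline, flows)})


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for a in find_anomalies(base, OBSERVED_FLOWS):
        print(f"ANOMALY {a.src} -> {a.dst}:{a.dport}")
    print("candidate segments:", group_by_conversation(base))
    print("quarantine:", quarantine_candidates(base, OBSERVED_FLOWS))
```

The baseline is deliberately a plain set of destination/port pairs so the deviation logic is easy to audit; a production system would add time-of-day patterns, byte counts and a learning period long enough to cover scheduled maintenance traffic, otherwise legitimate but infrequent flows (a monthly backup, a vendor update check) show up as false positives.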
The anomalous behavior monitoring and baselining can also help identify the type of breach and the source of it. Below are some examples:
- Phishing: Socially engineered laptop coming back into enterprise IT to spread malware
- Tampering: Replacing a badge reader with a hacker-friendly device to get into the network
- Spoofing: Weak TLS stack in a patient monitoring device to get a copy of patient data
- Denial of service: Default password to hijack a camera and launch a DDoS attack on critical assets
- Ransomware: X-ray machines with old Windows XP controlled externally for encrypting data
- Data exfiltration: Printers used as storage for data exfiltration using tunnels to command and control
Ordr doesn’t actually do the segmentation, but it works with all of the leading security and networking vendors, including Cisco, Palo Alto, Aruba and Fortinet, and it can automate the configuration of network and security devices.
SCE Plays a Key Role in Understanding Utilization
Ordr does play a valuable role in securing IoT endpoints, but isn’t just for security. The data collected can help track system utilization for the following purposes:
- Compare device utilization across facilities for better distribution of endpoints
- Identify offline devices and bring them back into service
- Understand usage behavior to optimize schedules
- Make better-informed purchase decisions
- Prioritize operating system and firmware upgrades
The IoT era is here, and IT is increasingly being asked to take over management and security of these devices. Hyperconnectivity is a new paradigm in networking, one that older tools cannot help with. The conventional wisdom is that the IoT causes chaos—and it does—but Ordr can bring some order to security and network operations teams.
Zeus Kerravala is the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.