Interested in connecting with Greg? Reach out to him on Linkedin!

About COMPANY: Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing, and TenEleven Ventures.

Key Questions and Topics from this Episode:

(00:58) Introduction to Dan Davi

(01:17) Intro to Greg

(02:00) Intro to Ordr

(03:08) Ordr Use Cases

(05:08) How do you view the current state of IoT?

(07:51) What makes connected devices so difficult to secure?

(10:51) Who is responsible for securing these connected devices?

(14:30) What’s the role of regulations in securing these devices? What are we missing? 

(17:36) How do your customers think about the security of their solutions?

(21:50) What are the biggest challenges your customers face when securing their devices and solutions? What advice do you have for companies?

(24:28) What are some of the highlights from your 2021 Rise of the Machines report on the State of Connected Devices?

Transcript:

– [Announcer] You are listening to the IoT For All Media Network.

– [Ryan] Hello everyone, and welcome to another episode of the IoT For All podcast on the IoT For All Media Network. I’m your host, Ryan Chacon, one of the co-creators of IoT For All. Now before we jump into this episode, please don’t forget to subscribe on your favorite podcast platform or join our newsletter at IoTforall.com/newsletter to catch all the newest episodes as soon as they come out. One of the last things I wanted to mention before we jump into this episode is that our wonderful partners, Calchip Connect are excited to be leading the way in the IoT space, helping to drive digital transformation and decentralized open source wireless technology. The decentralized network is a community managed network offering public wireless services to IoT developers and consumers in exchange for valuable cryptocurrency. This new wave of connectivity is growing at an explosive rate. Early adopters are exploring new ways to utilize the internet. It’s time to move away from the aging infrastructure and embrace a peer to peer model. Decentralized wireless has momentum and is here to stay. Please check out Calchipconnect.com. That’s C a L C H I P C O N N E C T.com. So without further ado, please enjoy this episode of the IoT For All podcast. Welcome Greg to the IoT For All show. Thanks for being here this week.

– [Greg] Thanks Ryan, happy to be here.

– [Ryan] Yeah, it’s fantastic to have you, I’m looking forward to this conversation and I wanted to start off by having you just give a quick introduction to our audience, you know, just so they can get some more information on who they’re listening to. So any background information, anything about your experience, kind of what brought you to Ordr that kind of thing will be great.

– [Greg] Sure thing. Yeah, I’ve been here at a Ordr of Now for just about three years. I’ve spent most of my career for the past 20 years or so working in the networking security space first in, in wireless, and then moving to a company called Aruba networks. It was in the wifi space and then for the past three years at Ordr, so I’ve been spending my, my career figuring out how to connect devices to networks and how to make sure that those devices are secure.

– [Ryan] That’s awesome, and now, speaking of Ordr, let’s talk a little bit more about what Ordr does kind of the overall kind of offering to the market, kind of, you know, what your role in IoT is, that kind of thing?

– [Greg] Sure thing. So Ordr is a, we’re a cybersecurity company and our role is to protect connected assets in enterprises. So, you know, large hospitals, you know, big manufacturing systems, you know, enterprise and our particular focus is the literally billions of agentless endpoint devices that are being installed in enterprises that do not, or cannot have any software agents installed on them to provide security. So a lot of those devices are what you think of as that the classic IoT building system, all of these devices, OT devices, they can be specialized. You have medical devices in hospitals like the, the MRI machines, but our job is to make sure that whoever that organization is that enterprise has visibility and control that they know what’s connected to their network and that they have a way to secure those devices.

– [Ryan] And talking more about kind of some use use cases or, you know, basically bringing this full circle for audience to better understand kind of what kind of applications you’re involved in and how your technology is being used out in the world. Do you mind elaborating a little bit more on that?

– [Greg] Sure, absolutely. Yeah. The big problem that we encounter when we start talking to it to enterprises is that very few of them actually really know what’s connected to their, their networks and they, they may have tools that show them all the IP addresses of the devices. But if you really sit down with a Cisco and say, how confident are you that you could actually identify every device connected to your network? I have never ever had a CSO say, I am truly competent that I, I can do that. And that the big challenge is that most of the CISOs and most IT organizations have a pretty good understanding of the traditional it devices that the laptops, the tablets that the mobile phones that are connected in their environment, because there’ve been decades of tools and solutions built up to identify and protect those devices. The problem is that in any given enterprise right now, more than half of the devices don’t look anything like that, traditional that the laptop that the workstation they are, you know, everything under the sun, you know, from, as I mentioned, MRIs in hospitals, building management systems, I even encountered a Bluetooth enabled IoT, toilet paper dispenser recently.

– [Ryan] Wow, yeah.

– [Greg] So anything in the world can be, can be connected and that’s scary because it means they attack surfaces is pretty large. And, you know, the organizations don’t really understand exactly what that attack surface looks like.

– [Ryan] And when you were just mentioned a second ago you said, Cisco, what does that mean for our audience? Just so they know what you’re talking about.

– Sorry about that, yeah. It’s a chief information security officer that

– [Ryan] Perfect.

– [Greg] man or a woman who is ultimately responsible for securing whatever is connected into the enterprise environment.

– Fantastic, okay. I’d love if you could talk a little bit more from your all’s point of view, how do you view the current state of IoT and connected device security as a whole? That’s something that we’ve, we’ve talked about device security on the podcast many times before, but I think you all have a very unique kind of perspective on kind of the connected device security landscape. And I’d love it if you could just kind of connect that to how you view the industry as a whole at this current time, because I think, you know, one thing that is important for people to understand is that for organizations to truly see the benefits of digital transformation or, you know, IoT deployments that they’re getting involved in, the devices that they’re putting to capture the data need to be secure. If they’re not, they’re very vulnerable to obviously attacks and, and just, you know, just general things that could happen to their business in a negative way. So just talk to me a little bit more about how you all view the market currently and that, you know, and, and as well as elaborating on the connected device security state.

– [Greg] Sure. It’s a, it’s a great question. I think there’s really been kind of an awakening to this, this issue over the past several years that I think has really intensified in the past 12 months. Because as, as you mentioned for years, everyone has been talking about and seeing the, the benefits of digital transformation and that the reason that you deploy IoT devices in your environment is because there’s a business benefit that bringing you information control that you, you couldn’t otherwise have, it’s going to make your business more efficient. And I think that it’s really very recently that people have started to understand the level of security risk that comes along with those, those business benefits. And

– [Ryan] Right.

– [Greg] I think in certain industries, there are some pretty galvanizing events like in healthcare, I would point to want to cry a few years ago, where all of a sudden you had hospitals that were literally being taken down and you had nurses that were going back to using pencil and paper

– [Ryan] Right, right.

– [Greg] instead of systems, because you know, these, that their devices were impacted. And frankly, they’d had so little visibility and control over those devices. They just had to run through the entire organization, just literally pull the plug on every and every connected device probably to get their hands around it. And I think those types of those types of incidents and recently we’ve, we’ve all been reading and hearing an awful lot about ransomware and how that’s been impacting, you know, oil pipelines and governments. I think it’s really starting to get people waking up to this and it it’s also, you know, got the government starting to take notice for you see the IoT cybersecurity improvement act. And we see, you know, mandates and executive Ordrs coming from the, the federal government that says this is being identified as one of the major over abilities, you know, in our, you know, in the it landscape right now and needs to be addressed.

– [Ryan] That makes a lot of sense. And then as we’re kind of talking about the current state of connected device security, talk to me a little bit more about what makes devices at times difficult to secure, or one of the challenges around device security given, or in this current state. I mean, obviously devices have come a long way. Security has come a long way, but there’s still challenges and things that companies need to be thinking about. And when you’re speaking with organizations, you know, what are you kind of sharing with them are the challenges that these devices are currently experiencing and things they should be looking out for. And then just that general advice for how organizations should think about securing their devices.

– [Greg] Absolutely. I think that the challenge of securing devices, and if you focus specifically on IoT and how they’re then maybe that the traditional it is the first thing is that a lot of these IoT devices really weren’t designed with security in mind,

– [Ryan] Okay. they were multi a thousands different manufacturers. A lot of them still to this day are running pretty outdated operating systems. They, and, and very often, most often they can’t support a software agent to be put on the, on the devices, which is the traditional response of IT. If you’re trying to protect a and control, you know, a laptop is, well, go put a CrowdStrike agent on that, then you’ll get visibility and control over it.

– [Ryan] Right.

– [Greg] That’s not an option with, with IoT devices. And you compound that with the fact that for IoT devices, the service life of them can be, you know, much, much longer than what you’re we’re used to in the traditional IT world,

– [Ryan] Sure. where we assume kind of is almost disposable every two or three years, I’m going to get a new laptop. You know, now in, in the, the world of IoT and OT, you know, a manufacturing system might be expected to last in place for 12, 15 years, not two or three years. So you get lots of devices from different manufacturers, a lot of legacy devices, and frankly, they’re being installed by and owned by lots of different groups within the enterprise, which means that, you know, it’s pretty uncommon for an enterprise to have a really good asset inventory says, here are all of the things that we have that are connected to our environment. Instead, what you find are multiple different DIA databases, spreadsheets, manual inventories. And so that creates some pretty, pretty big blind spots in that in organizations. And when we have gone into and work with customers, we usually find that there’s at least a 15 to 20% gap between what we actually see on the network versus what the organization thought was on that at the network. We see guys,

– [Ryan] Gotcha.

– [Greg] you know, we’re there, we have devices

– [Ryan] Right.

– [Greg] we’re connected to that, aren’t there. And so that’s a, that’s a pretty big hole in security. So you don’t see it. If you don’t know about it, it’s awfully hard to secure it.

– [Ryan] And who is responsible for securing these IoT devices? And when I say that, there’s probably, obviously it depends on which angle you’re coming into this from, but, you know, within an organization who’s adopting IoT, who’s responsible on the outside of an organization. Is there somebody that’s usually responsible? Is it the company that, you know, is supplying the devices? Is it the systems integrator you’re working with the deploy, the IoT solution, who is, you know, who do you kind of look at as the responsible party for securing the devices, making sure things stay kind of, you know, up to standard and so forth.

– [Greg] It’s a, it’s a great question. And I would say that it’s, the answer has really been changing. And now I would say usually the buck stops with the chief information security officer, and that’s the person who is responsible for understanding what’s connected to the network and making sure that those devices are secure. And frankly, making sure that the network is protected from those devices. That’s a change because historically used to have a pretty big divide between what we called the it world, which was the responsibility of the CIO and the chief information security officer and the, you know, the OT or the IoT that might be department during a

– [Ryan’ Right, Right. manufacturing company, it’s you manufacturing operations. And then they used to the, the assumption used to be these networks were kind of completely separate. We added there’s a phrase called an air gap. Like what happens

– [Ryan] Yep.

– [Greg] on the OT network, shouldn’t be able to impact what happens on the it network, what happens on the it network should impact the OT network. The problem is that just breaks down with digital transformation because the whole, the whole point of digital transformation is we’re going to get insights into what’s happening all across the business. We’re going to tie these systems together. And so that the notion of an air gap, I don’t think is really that useful anymore.

– [Ryan] Right.

– [Greg] When you look at the communications, you’ll see OT devices that are communicating to the corporate network and IT devices that are impacting operations. In fact, the most recent data, the colonial pipeline incident that everyone read about on the front pages of the paper is just a, a couple of months ago that was traditional IT estate, but was so critical to the operation that it was impacted and then ended up shutting down the pipeline for several weeks. But it’s this notion of, of separation that, Hey, maybe there’s going to be a different group. That’s going to be responsible for securing OT devices or IoT devices. And that’s going to be different from the rest of the IT data. I think that’s starting to break down and we’re seeing that, that the chief information security officer at the end of the day is, is ultimately the person that the CEO and the board of directors are holding accountable for this.

– [Ryan] And what about when a company doesn’t have that role within their company, a smaller company who’s usually responsible or has that kind of trickled down?

– [Greg] It usually ends up being in, in smaller organizations. It’s now moving more and more into the IT organization. So under the CIO, there might be a director of security or head of cybersecurity. Sometimes it’s in, you know, in risk and compliance, but more often than not, it’s, it’s really coming down to, this is a, an IT responsibility because at the end, a board of directors and CA CIO needs to our CEO needs to know that there is someone that they can go to and say, give me an understanding of what is our strategy to protect our data and our assets. And they, you know, having that responsibility to be fragmented is increasingly hard to defend.

– [Ryan] Yeah, that makes a lot of sense. And, you know, with the colonial pipeline attack that we recently had is probably one of the biggest ransomware things in the news lately, at least one that I’ve paid the most attention to because it does affect where I live and the gas prices immediately skyrocketed gas stations did have gas, which was something I’ve never experienced in my lifetime. I’m going a gas station and everything saying in there out.

– [Greg] To get an Uber while I was out there doing that.

– [Ryan] Yeah, no, I mean, lines were around the corner. And, you know, I had to use a gas, gas buddy, or some kind of gas app where basically told you which ones had gas at any given time, which I never had to use in my before. But speaking of this ransomware, and because it’s become more of a kind of hot topic or popular topic because of what happened with, with the pipeline I wanted to ask if you have noticed or seen any new regulations, or if you feel like regulations need to be put in place on the security of IoT, IoT devices to help protect from these kinds of things happening, or do you think it’s something that’s just as, is very hard to cover all your bases and regulations can only do so much?

– [Greg] Oh, absolutely. I think we are starting to see some, you know, regulations. And I think that, you know, that the government and auditors are increasingly aware of just how much of a business impact something like ransomware can have where it can cause untold tens, hundreds of millions of dollars of damage. So, you know, we, we have started to see things like the, the federal government starting to use its buying power, saying that if your, you know, IoT cybersecurity improvement act, if you’re going to sell to the federal government, then your product is going to have to have certain security capabilities baked in or your, or the federal market is going to be closed off to you. So that’s a,

– [Ryan] Yeah.

– [Greg] that’s a lot of buying power that the government has. It will force, you know, the, well of course, a lot of manufacturers to, to come in line. And I think that you’re also seeing it in terms of kind of some of the audits of the organization going out in, in forcing standards like CMCC, which is, you know, turning to the manufacturer information, say, you’re going to, you’re going to have to show that you’ve got security controls in place. You’re gonna have to show that, you know, what assets are connected to your environment and that you’ve got the ability to protect them. So I do think that there is a, a role and I think it’s great that the, the government is really finally stepping up and taking an act. But fundamentally, you know, this is the responsibility of every organization that is out there there’s, you cannot rely on a manufacturer to have the supplier to do the right thing and just make that your sole line of defense, you as a, as an organization, have to take your destiny in your own hands and make sure that when you look at your network environment, you know, what’s connected, you know, what vulnerabilities are there that you’re taking basic measures, like, you know, segmenting your, your network, you know, if a ransomware gets in it can’t spread like wildfire across the entire organization.

– [Ryan] Right, yeah, that makes a lot of sense. When you’re speaking with organizations and your customers, do they have a lot of questions about, or do they connect a lot of what they see in, in the media with their own situation, their own use cases that you’re helping them develop, you know, and handle the security for? Or is that something that is not really a topic that you all find that comes up too often in conversations with customers?

– No, I, I think it does come up in conversations. I mean, you, you cannot be in IT and, and security these days and not be getting questions. You know, your senior management from ward about topics like ransomware. I mean, they, every member of a board of directors reads the wall street journal and they, they see, you know, organizations that are being impacted. And the first thing they do is they click off of the, the wall street journal site and send him an email saying, Hey, could this happen to us? Yeah, the answer is, of course, yes, it could, you know, there’s, there’s no organization that can insulate us from the, the possibility of being attacked when there’s so many devices, what really comes down to is what are the things that you are doing as an organization to protect your organization so that when something happens, when someone gets in that the, the chances of it spreading are as little as possible, or it can that way it propagates across the, the network that you have controls in place to, to prevent that. And that you’re having the ability to detect, to see once, you know, malware has gotten into your, your environment to be able to see how it’s moving laterally across the network and starting to spread. And that’s something I think that, you know, since we’re talking specifically about IoT today, a lot of organizations and a lot of people in the security world, look at it and say, well, you know, it’s not usually the IoT devices that are the ones that are being attacked by the, by the criminals, whether ransomware and malware, and that that’s actually true. There are very few ransomware attacks that have started from, you know, an IoT device. It’s usually a user-based device. You know, they get access credentials, get into the network. But what we see is that the IoT devices are very often collateral damage that once they ransomware, once a malware is in the environment, it spreads like wildfire across the, you know, the organization. And that starts to impact all of these IoT devices. And because so many of them are vulnerable, like we talked about before. So many of them have legacy operating systems, right? They become, you know, very, very exposed. And, and frankly, a lot of these are pretty darn mission, critical functions, a, an access control, a badge reader in a, in a warehouse while your battery is not working people aren’t getting in and out of that warehouse, that’s a, that’s a problem for you,

– [Ryan] Right?

– [Greg] So I think it’s, it’s really kind of educating organizations to say, they’ve got to look at the entire attack surface and that they have a fundamental starting point is visibility. If you don’t know connected, you don’t know what you’ve got in your environment, and you don’t know what those devices do, then implement a security policy. And I’d really put the emphasis when we talk to customers on that behavioral piece is critically important that I know which 51, 50,000 devices are connected to my environment. I also need to know what those devices do. What is normal behavior look like? So I can say, okay, you know, a video surveillance camera in our environment normally does the following three things behaves in the fun way, because it’s that knowledge of the behavior that allows you to detect when something anomalous is happening. You know, a security camera is suddenly starting to prove, you know, the, the entire network. That’s something that you don’t typically see a security camera do. That’s all the alarm bells should start, should start ringing. So it’s that combination of knowing what’s connected and understanding their behaviors. So they can quickly detect and say, Hey, something here does not look right. And then we better be able to take a fast action to, to protect against that, to stop Brad once it’s in the environment.

– [Ryan] Right, that makes a lot of sense. Before we wrap up here, I have a couple of final questions I wanted to ask you. And some of this may be sort of connected to what we’ve already been talking about, but when you talk to customers, what are some of the biggest challenges that your customers have faced during their IoT security journey? And what advice do you usually give them to kind of handle those challenges? I think this would be something good for our audience. Just, you know, whoever’s out there kind of listening and looking to better understand the security aspects and to understand the security element of an IoT solution. I’m sure there are common roadblocks, common challenges that most companies come across that you may be able to kind of help guide them around in this conversation. So I’d love it if you kind of elaborate a little bit more on that.

– [Greg] Yeah, I think the advice that I would give and I been consistent with some of the, the conversation we’ve been having is, is really start with that question to visibility. Like, do you know what is connected in your environment because it’s those gaps that can come back to bite you. And just as an example, one of our, one of our customers, you know, in the, the medical spaces, you know, at a pretty good program in place, they’re identifying was connected to their network environment, but they found a parking lot gate, you know, an access control gate in their, their parking lot that had been installed by their facilities organization. And they had absolutely no idea that that device was there. And they found that, oh my God, that, that device, you know, actually it was infected with malware because the unknown device, or recently you may have read the, the news about the solar gates, the solar winds attack that impacted so many thousands of organizations. Another customer said, you know what, great news. I give him that morning to say, wow, this is a really bad attack, but we don’t have any solar wind servers. We don’t use that product and are on our network. And when they looked at our tool, they actually were able to show them, you’ve got a, a device that is connecting to, you know, to a solar gate, your destination. And what had happened is one of their departments and actually brought in, brought in solar winds to do a pilot, to do it a test in their environment. And that demo system had never been disconnected. So they had absolutely no idea that they had solar winds in their environment until they started to monitor the network and say, wow, wait a minute. We do have a device that is connecting to this destination. That that’s a problem for us. So you start with a start with visibility and start with the understanding of behaviors. Then you can start to say, all right, now, what do we do about it? How do we start to put policies in place? But if you don’t have that fundamental building block, the rest of your security strategy is really built on quicksand.

– [ Ryan] Fantastic, that’s, that’s great advice. And, and this may tie into it and maybe a little bit a separate topic, but I know you all have a, a report that, that has come out recently. And I wanted to see if you wouldn’t mind sharing at least a taste of some of the highlights, kind of maybe what the overall purpose of the report was or is, and, and kind of what you learned from it from a highlight standpoint.

– [Greg] Yes. We just recently released our second Daniel kind of rise of the machines report. And that is designed to give organizations just insight on what’s happening with connected devices and in trends and how they’re being used. And so we, we do this based on the experience that we’ve got working with, you know, hundreds and thousands of organizations and tens of millions of devices. And just some of the things that we saw is that, you know, this year we saw almost 50% of the devices that are connected in an enterprise environment are what we call these agent lists devices, the things that don’t like traditional IoT. So the attack surface is getting much, much bigger because organizations that don’t have an endpoint security strategy that goes beyond agent-based solutions have 50% of the devices represent exposure for them. I would also say the other thing that we really highlighted this report is probably the biggest risk for grease risk right now, among these IoT and OT devices are outdated operating systems. And that we found that almost 20% of our deployments at 20% of environments have outdated operating systems like windows seven, you know, decades old operating systems, still running, still operating in those environments. And those are devices that are not typically being patched that have, you know, known vulnerabilities that could be, could be exploited. And that’s, we, we talked to organizations closing down and making sure that those devices are protected. If they can’t be replaced, they can’t be updated. How do you protect them and ensure that they don’t represent a really big vulnerability for your organization? So those are just two of the, the insights I thought were most interesting coming out of that rise of the machines report.

– [Ryan] Cause, oh, that’s fantastic.

– [Greg] It’s brought up over the past couple of years.

– [Ryan] And working audience view the report or going to learn more about it.

– [Greg] Sure, they just go to our website at www.Ordr.net. That’s O R D r.net. There’ll be a resources section and find that rise of the machines report.

– [Ryan] And is that the best way, best place also to find a ways to contact and reach out if they have questions after listening to this episode?

– [Greg] Absolutely.

– [Ryan] Okay.

– [Greg] And they can also don’t they have questions when to reach out just [email protected] We’d be happy to respond to any questions I’ve got.

– [Ryan] Okay, great. Well, Greg, this has been a fantastic conversation. I wanted to just see if there’s anything on top of the report, anything coming out, maybe in the, in the next number of months that our audience should be on the lookout for or anything like that, that you want to kind of plug now here at the end of the show.

– [Greg] Yeah, absolutely. I think one of the, the things that we’re really focused on right now is, you know, our making our solution even easier to use incorporating, you know, you have different insights from multiple partners that we’re working with. And so we’re going to be having some pretty exciting new software releases that are coming up and so very eager to share those with the, the market. So I would definitely ask them to, to reach out to us and we’d be more than happy to, to share and show them some of these exciting new capabilities.

– [Ryan] That’s awesome, all right, Greg, well, thanks again so much for your time, this information and the advice and the insights you’re sharing on the security front regarding devices in the IoT space is great. I think our audience is going to find a lot of value out of this conversation. So, so thanks again for your time, and I’d love to have you back at some point in the future.

– [Greg] Absolutely, thanks so much, Ryan really enjoyed it and thank you for doing this. It’s a great source of information for the, for the net.

– [Ryan] Absolutely, thank you.

– [Greg] Glad to be of service.

– [Ryan] Alright everyone, thanks again for joining us this week on the IoT For All podcast. I hope you enjoyed this episode. And if you did, please leave us a rating or review and be sure to subscribe to our podcasts on whichever platform you’re listening to us on. Also, if you have a guest you’d like to see on the show, please drop us a note at [email protected] and we’ll do everything we can to get them as a featured guest. Other than that, thanks again for listening. And we’ll see you next time.

PlatoAi. Web3 Reimagined. Data Intelligence Amplified.
Click here to access.

Source: https://www.iotforall.com/podcasts/e139-connected-device-security