Video: 30 minute Live Demo Armis Centrix™ for Medical Device Secu Go beyond vulnerability scanning to address the full cyber risk management lifecycle. | Duration: 1988s | Summary: 30 minute Live Demo Armis Centrix™ for Medical Device Secu Go beyond vulnerability scanning to address the full cyber risk management lifecycle. | Chapters: Welcome and Introduction (19.375s), Armis Medical Security (70.345s), Centrix Platform Components (194.06s), Management and Challenges (383.56s), Medical Device Demo (599.93s), Compliance Engine Features (1221.91s), Vulnerability Remediation Platform (1302.48s), Q&A and Conclusion (1575.06s)
Transcript for "30 minute Live Demo Armis Centrix™ for Medical Device Secu Go beyond vulnerability scanning to address the full cyber risk management lifecycle.": Hello, and welcome, everyone. And thank you for joining us at today's Armis demo. I am Antonio Querales, one of the campaign marketing managers at Armis, and I will be your host today. In this session, we will discuss Armis Centrix for medical device security. But before we begin our demo, I would like to cover some housekeeping items. This is a thirty minute demonstration. This session is being recorded and will be available for you on demand. Please submit your questions in the chat, and we will address them at the end of the presentation. We have provided some additional resources for you on the topic. Please check them out after the webinar. With that, I would like to introduce our speaker, Trevor McGovern, sales engineer at Armis. And now, Trevor, I hand this off to you. Thank you. Excellent. Thank you so much, Antonio, and thank you everybody for joining us today. Again, my name is Trevor McGovern. I'm a sales engineer here at Armis. I've been in the medical device security space for over four years now. So today, I'll be covering the medical device security platform, which we call Centrix, and we'll dive a little bit into vulnerability remediation management as well. So to start, who is Armis? Armis has been in this space for close to ten years now. We're considered a leader with over 40 awards, and part of what makes us special is our ability to discover every connected device in the environment. Over these past ten years, we've discovered over 6,000,000,000 devices. We build device profiles, and we're able to do behavioral analysis and define definitively what these devices are and how they're communicating on our system. There's an extreme amount of growth happening at Armis, and we're grateful you're taking this time to learn a little bit more about our platform. So the Armis vision. Right?
My favorite thing to ask when I deal with a prospect or a partner is: what is the visibility for? Visibility for what? Right? We're building a foundation, understanding what every connected device is in the environment. Now that we have that information, what are we gonna do with it? Right? So we have that context, and now we need to prioritize how we're going to manage these devices. What protection mechanisms can we put in place in order to reduce the surface area of attack and ensure that we have a safe and healthy environment, especially when it comes to patient care and patient outcomes? In doing so, we're able to also provide remediation actions. So whether it's an FDA recall that's coming out, where we're able to associate that to known devices, or a critical clinical impact to an infusion pump or other patient-connected devices, we can alert and provide remediation steps in order to take care of that and ensure the operation of the environment. So the Centrix platform consists of three pieces, one in terms of medical device security. The first one being that visibility portion with the security elements and understanding risk associated to those medical devices and all connected devices in the environment. So, again, it doesn't matter if it's an IoT, IoMT, building management system, or a traditional IT device. Armis will be able to provide full visibility with accurate information surrounding that device in order to take steps into remediation. With the associated device context, we're also able to leverage the VIPR platform, which allows us to prioritize vulnerabilities and respond with a closed loop in terms of vulnerability life cycle management and ensure that when we are sending out a vulnerability for remediation, we're tracking and understanding how the risk is reducing in the environment.
We're able to integrate with your ticketing system and automate that ticket creation as well as pull in ownership assignment and ensure that we're, again, closing the loop on those risks. And then finally, early warning. So early warning is a human intelligence piece of the Armis Centrix platform where we're in the dark web and understanding the chatter amongst the threat actors involved with developing exploits. So what we've done is embedded ourselves in these threat actor groups. We understand what's coming. So we're trying to beat the bad actors to the next exploit so that we're prepared when this CVE eventually comes out, as best we can, or take steps prior to that in order to remediate and to make sure we're not affected. We can do this also through deceptive techniques. We can emulate hospital systems and see how bad actors are attacking those emulations. So how does this all work? Well, we have close to 200 integrations at this point. So your traditional IT security stack, your CMMS platforms managing the medical device inventory, as well as other network integrations like DHCP or Active Directory, we're pulling all that context into the Centrix platform and then enriching it with telemetry data. So we're taking real time traffic from, typically, the core switch, a mirror port, in order to determine how the devices are behaving, and using Deep Packet Inspection to build those device profiles and understand what protocols are being used in order to give us better behavioral analysis and potential alerts to risk factors. With that asset intelligence engine, we're able to know what those known good device profiles are and then compare them to how your devices are acting.
So if there's any anomalies or malicious behaviors on these devices, again, we can create policies and alert you to the fact these devices are misbehaving, and it gives you steps towards remediations to, again, reduce risk in the environment and understand that we can reduce the surface area of attack. And then finally, the management portion on the right hand side, where we're taking these actions and sharing them and enriching the existing solutions that you have in place, whether it be a SIEM or network enforcement such as Cisco ISE or Aruba ClearPass, or other NAC providers: we can recommend access control lists and then send them out for enforcement through those means. And then the CMMS platforms as well. We understand that biomed and clinical engineering has a lot on their plates. So device inventory and tracking can be cumbersome to that group. So we're able to enrich their dataset with Armis Centrix information, send out attributes like serial number, location information, utilization data, and then properly help to manage and reduce the man hours it takes in order to track those devices and ensure patient care is delivered. There are a lot of challenges that we're seeing in the health care space. Firstly, being identification. Medical devices are traditionally difficult to identify and have visibility into because of their unique position in these networks. Right? They're not using traditional IT controls. You can't put an endpoint agent on most of them to help protect them in that sense. So visibility really comes down to that network traffic inspection and understanding those proprietary protocols that are being used by those devices. We also see utilization and cost reduction. You know, every hospital at this point is having budgetary issues, and we wanna ensure we're getting the most out of our inventory.
So when we talk about utilization, we wanna ensure that we're getting as many patients in and out the door with positive outcomes as possible. So when we see an MRI being used at 30 or 40% of its potential utilization, we wanna understand why that's happening, and is there any potential to get more services done by that machine. The same can be said for infusion pumps. You know? It is the most prolific device in any hospital system. And typically, we have to spend money at the end of the year, by five or 10% more, to replace maybe missing or lost infusion pumps. So Armis can actually provide location information as to where that device was last seen and any offline notifications or alerts to see if there's been an extended period of time where it hasn't been utilized. With that live information from the SPAN port, we're also able to give you ransomware detection, PHI violations if there's PHI leaving the environment or being transmitted externally unencrypted, and then also the vulnerabilities associated to these devices, and prioritizing those based on the clinical impact. So understanding: is this a patient facing device? Do we need to make sure we reduce risk here before we look somewhere else? And positive outcomes again in terms of prioritization and remediation for the health system. And finally, pulling in the FDA recalls and MDS2 documents, we have a massive repository of manufacturer disclosure statements for medical device security. In these, we're parsing all the questions that they are providing so we understand how the data is being handled, what security controls are in place, and what we can do in terms of patching. Do we have to reach out to the manufacturer, or can we get hands-on with the device itself? So, again, we're trying to reduce cost, reduce risk, and increase efficiency. So those are my slides for the day. I'm going to move into the demo portion. And, again, if there's any questions, please drop them in the chat.
So here we are in the medical device security platform. Here, we can see the categories of all devices connected in this environment. So whether it be computers, medical, imaging, handhelds, again, visibility to every connected device within the four walls of the hospital system. We also have sites and boundaries. So a site is a physical location. So from the top here, I'm able to narrow down my scope. If I only wanna look at Switzerland care locations, I can look at those 261 devices. Some of them being medical, some being associated with the security. But beyond that, I'm also able to change the boundaries. So these are logical groupings of devices. So if I only wanna look at diagnostic imaging, I can go ahead and select that and narrow it down to the Switzerland five clinics, with the 29 imaging devices that exist within that environment. Below, we can see those device types associated to those 29 devices. So we can see an MRI, a couple of CTs, as well as two x-rays, and the data sources associated to them. So mostly coming from traffic inspection, and a few of them have agents like SentinelOne or CrowdStrike on them. Also, the risk. So understanding how these devices lay within the network boundary is one thing, but also the surface area of attack, understanding what potential risks are associated to these devices and what we can do to mitigate those risks in the long run. So going back up to the top, I'm going to remove my filters and I'm gonna take an example of an infusion pump. So I'll go ahead and click the medical device assets. I'll move into the table view. So now I see every connected medical device within the entire health system. I can see the criticality down the left hand side, the names, the data sources, the category, as well as the model and the brand. So we're getting a deep understanding of these connected medical devices, and let's dig a little bit further. So in this example, I'll select this critical infusion pump.
We can see some of the information we're gathering off the wire. So information like the name of the device, the serial number, category, type, and brand, as well as the model. And in doing so, we're able to also capture the operating system. So in this case, we see 2.6, and this allows us to associate information around what risk may be associated with this version of operating system. We also have a historical view. So from the first time we see this device up until present day, we're building a device log, essentially. We're able to track activities, change in behavior, as well as change in risk. And when we talk about risk, we can see the risk score here, but it's made up of a few different things, like risk factors, vulnerabilities, exploitable CVEs. We're gathering all this information passively, and we're associating it to the device. And then from there, we can take steps to mitigate the critical risk on this infusion pump. To the right, we also have network information, so the MAC address, the IP address, as well as the protocols being used by this device. Further in this example, I'll talk about this TCP port 3613 protocol. This is a proprietary protocol made specifically for these Alaris infusion pumps, and this gives us information around the identification and the specifics around how it is communicating throughout the environment, and what utilization is being done by this device. I'll move over into the inventory. So this is what we call the back of the baseball card view. We're able to understand in depth every attribute that we're able to gather about this device. So, again, a lot of the information that was on the previous screen, but a little bit more in depth. And something I wanna call out here is the location information. So, again, we're able to pinpoint based on the AP location where this device is in the environment. So in this case, we're connected to Building A 44 Room 5.
So again, narrowing the surface in which we have to go about looking for this device is critical in the operation of the business and, again, driving positive patient outcomes. Beyond that, we also have the MDS2 available to us. So we're parsing these documents. This one coming from BD. We're able to understand how this device is storing and transmitting PHI. We can see if there's any sort of unauthorized access prevention available to us, what we can do in terms of OS and security patching, as well as if there's any anti-malware support for this device. So again, taking those long forms, parsing them into readable, actual steps in order to have a deeper understanding of the security controls around these medical devices. I believe at this point, we have over 2,000 MDS2s available to us. Beyond that, we're also pulling in FDA recalls. So as they're coming out to the hospital systems, we're pulling them into the Centrix platform and then associating them to devices. So in near real time, we're able to act on these recalls as they come out to ensure, again, that patient safety comes first. When there is an FDA recall, how can we respond? Who do we need to reach out to? What do we have to do in order to have continuity within the health system? And then the information coming from Nuvolo: this is a bidirectional integration with the CMMS platform in this demo. So we're able to share information bidirectionally, like, again, serial number, is this device rented, what location, when was the last time this device received preventative maintenance, and other characteristics, and even customizable attributes that you can add. I'll move into the network portion so you can see several different IP connections. Again, this is live traffic, so we can have an understanding of how this device is communicating and how it's behaving. So I mentioned the TCP port 3613. This is the Alaris DCMP protocol. This is a proprietary protocol used by these devices.
So when defining and understanding these infusion pumps, this allows us to gather a lot of context around how this device is being used, what drugs are being infused into a patient, what operating systems are on this set of devices, and in doing so, really building that device profile. As mentioned earlier, visibility is the foundation for everything, so we wanna ensure that we are correct when defining those devices. We can also build off the connections. So this is our network diagram here. So I can see this specific infusion pump connecting to that access point that was referenced earlier as well as all the other devices connected to that access point. So giving us a little map and understanding of how this device is distributed within our environments and operates within the network infrastructure. I'm gonna move over to risk, and we'll talk a little bit about risk factors, vulnerability, and clinical impact. So in this case, we have risk factors associated to this device. One of them being this invalid certificate, but there can be many others, like external PHI being sent to a known bad IP address. Right? Unencrypted PHI traversing the network, information around the FDA recalls that this device could potentially have. And then below that, we have vulnerabilities. So at this point, we've correlated 20 known vulnerabilities to this device. We can see directly the link to the CVE, the score associated to it, how we're matching and the confidence, as well as when it was first detected and last detected. So this profile matching is happening in real time. So as Armis is gathering information about the device, we're cross-examining it against the list of known vulnerabilities, and then we're able to give you recommendations on how to remediate those vulnerabilities. So here, I went in depth on an individual device, but there are other medical use cases that I do wanna point out before jumping into our VIPR platform.
So from assets, we can jump into utilization. In this case, we have nine MRIs in our inventory within the health system, taking over 500 scans in the last fourteen days, averaging four a day each. We can see the total distribution of those scans over time, so mostly happening between 8AM and 5PM, but there are some outliers. So why are we pointing this out? Well, the medical device security platform not only focuses on the remediation of vulnerabilities and the reduction of risk in the environment, but also positive patient outcomes. Right? At the end of the day, a healthcare delivery organization wants to ensure the best possible outcome for our patients, and in doing so, Armis assists in this by providing utilization data around your devices. So if we can get patients in and out the door, providing more scans to more people and doing more diagnostics, we wanna ensure that that ability is given to you. So this traffic is coming off the wire. We're able to provide recommendations on how we can better utilize the existing inventory. And as mentioned previously, if there are any devices such as infusion pumps that may be lost or have been turned off for an extended period of time, we can notify you of those and the last known location. So again, we can get them back in circulation and working on patients. Within this platform, we also have the compliance engine. We know there's a lot of new HIPAA regulations coming out, so Armis assists in getting you ahead of the curve. So we're taking the 13 controls within the existing HIPAA framework and we're matching your inventory against it. So where are we compliant? Where are we noncompliant? What steps do we need to take to ensure that we're trending towards a positive outcome in terms of our alignment to HIPAA? This top one is internal vulnerability scanning agent enabled. So this control wants us to perform vulnerability scans on a periodic basis throughout the environments.
We can see what devices are compliant and what gaps exist. And Armis, with integrations with Tenable, Qualys, and Rapid7, those vulnerability scanners, can do scan orchestration. So we can actually target these devices that haven't been scanned, or are considered gap devices in this case. As these frameworks change, we're constantly updating them and leveraging our knowledge against your environment and ensuring that we're taking positive steps towards being compliant to different frameworks. I did show a list here. We have many different frameworks available to you, whether it be within the environment, we can cross-correlate to your device inventory. So moving from the medical device security platform into the vulnerability remediation platform in VIPR: so now that we have all this information about these devices, right, we understand the vulnerabilities associated to them. Are there any misconfigurations? What steps can we take in order to reduce risk and actually take steps to the remediation of these findings? So first, I'll move into settings and then integrations, and I'll go ahead and look at the data flow. So how are we gathering this information? So, again, I mentioned the existing tools within the organization. So if we have CrowdStrike or other endpoint solutions, vulnerability scanners, and the medical device security platform we were just viewing, we're pulling in the findings from all those existing tools and doing an ingestion process. So close to 500,000 findings ingested. We're now normalizing these findings so they're all speaking the same language and then going through a deduplication process, because there can be multiple alerts coming from different sources that overlap. So we wanna ensure that we're giving you clean data, and then we're enriching it with context, understanding: is this a clinical facing device? Is it connected to a patient? Are there other steps that you want to take to increase the priority of this device?
And then we do that reprioritization process in the background, and then we give you groupings of remediation steps. So now that we've gone from 500,000 findings down to 7,000 unique remediations, we can take actionable steps to reduce risk. So go ahead and click these remediations, and we'll take a look at this top one, update package Linux, and we can see 37,000 findings associated to this remediation action. We can see owners, tickets available to us, but something I do wanna point out is that although there are 37,000 alerts coming from these disparate tools, when going through the data aggregation process in VIPR, it's actually only 23 assets that are affected. So in a sense, if we were to update Linux on these 23 devices, we would shut off the red alerts that are coming from these disparate security tools. Once I'm confident in taking this remediation step, I can create tickets directly from the platform, integrating with your existing workflows. So whether it be ServiceNow, Jira, Freshdesk, I can select the ticketing tool I'd like to use. I can create an ownership assignment based on the existing owners from those tools. So again, we're bidirectional. We're pulling in information from, let's say, ServiceNow: who's worked on this device before, who has ownership over this device. We can leverage that information to assign those tickets and then also create campaigns in the VIPR dashboard. So we can close the loop on these remediation steps. So once I create these tickets and build a campaign for those tickets, I can track over time the closed findings. So let's say I created this end of support campaign. I can see 11 closed findings on 450. I can see the tickets created, who they're assigned to, and the existing findings. And as they get fixed, it will be reflected in this dashboard and, again, tracking and reporting on reduction in risk.
A big part of this Centrix platform, both on the medical device security side and the VIPR side, is the reporting capabilities. So understanding over time how we're doing in terms of risk reduction in the past week or the past month. We can see the open and closed findings, whether they be critical, high, medium, or low. We can compare ourselves to any SLAs we may have in place and see the discovered findings versus the closed findings over time. So again, ensuring that we're making measurable progress, actionable progress, in order to reduce risk in the environment, and these reports can be generated on a weekly or monthly basis. I'll go ahead and jump back to the dashboard. I know we're close to time at this point. I'll open it up for questions. I think I see a couple in chat already, but I hope you enjoyed your time learning a little bit about the Armis Centrix platform. Okay. I see one question here. How does visibility into medical devices differ from traditional IT discovery? Well, that's a great question. So unlike traditional IT devices with those tools that are able to gather information based on agent deployments like CrowdStrike or SentinelOne, we have to rely on information off the wire and that live traffic. So Armis leverages a technology called deep packet inspection. We have a protocol database of, I believe, over 800 at this point, where we're parsing these communications and understanding how the device is communicating, because those protocols give off attributes. Once we have those attributes, we're able to build a definitive device profile and deterministically, again, define what those devices are. Thank you for your question. Antonio, I think I see one more here. What are some challenges when trying to secure medical devices? So when trying to secure medical devices, this again goes back to the traditional controls conversation. Right? I can't slap an agent on most of them.
I can't use those traditional IT solutions in order to protect these devices; I have to use compensating controls. So Armis helps to recommend, based on the context of the device, understanding the MDS2 form, what actions we can take to reduce the surface area of attack. So is that applying policy? Is that enforcing that ACL through a NAC? Is it segmentation? There are several different options that we can recommend based on the device's behaviors, and create a sandbox in the Armis platform in order to understand the effect on the environment before we go about enforcing. Well, excellent. Thank you all for the questions today. I really appreciate the time in learning about the Armis Centrix platform. I'll pass it back to Antonio. Thank you, Trevor. And, well, we are already at the end of the conversation. I want to thank everyone for joining us today. Thank you, Trevor, for your amazing presentation. Again, thank you so much, everyone, for your time. For more information about Armis, please visit armis.com. Have a great day. Thank you. Thank you, everybody.