© Atos - For internal use
May 21, 2019
Minnesota HIMSS 2019 Spring Conference
Prescriptive Security: Rethinking our Approach to Cybersecurity in Healthcare
Dan Stewart
Vice President, IT Strategy and Cybersecurity
Digital Health Solutions
Atos – North America Operations (NAO)
Conflict of Interest Disclosure Slide
The presenter has no conflicts of interest to report.
The presenter is an employee of Atos.
Session Learning Objectives
► Clear understanding of the evolving healthcare cybersecurity landscape
Challenges that make healthcare a focused target for hackers
Current healthcare cybersecurity threat areas
► Why the current industry model is not sufficient to protect your assets
► Understanding “Prescriptive Security” and its primary components
► Steps and approach to developing a “Prescriptive Security” model
► The benefits of a Prescriptive Security “collaborative” partnership
Healthcare Cybersecurity Landscape
Why is Healthcare a “focus” for Hackers?
► Ease of Access: Healthcare industry is behind other industries in putting appropriate security measures in place.
► Digital Transformation (Access Points & Data Volume): Threat landscape evolving exponentially with new technology, cloud computing, mobility, the impact of VBC, and IoT, OT and medical devices.
► Financial Reward: Patient medical records are worth 10 times more than credit card information.
► Non-Compliant Employees: Majority of breaches are from employees.
► Hospital Budget Restrictions: Drive to reduce costs may lead to security gaps.
► Skilled Labor Shortage: By 2020, 1.8M cyber jobs will not be filled.
Healthcare Cybersecurity Results 2018
Top five current highest priority cybersecurity threats:
1. E-mail phishing attack
2. Ransomware attack
3. Loss or theft of equipment or
4. Insider, accidental or intentional data loss
5. Attacks against connected medical devices (IOT) that may affect patient safety
Data Breach Statistics
1. 365 in 2018 – “83% increase” since 2010
2. >13M Records
3. US Healthcare System cost - $6.2B
4. OCR collected $28.7M in penalties/fines
5. Avg - 197 days to identify breach
Data Breach Cost Per Record (measured in US$):
Comm $128
Education $166
Tech $170
Financial $206
Health $408
2019 Healthcare Cybersecurity Threats
Insider Threats: Lack of consistent awareness and training make employees and consumers the largest risk for non-malicious incidents
Ransomware: Will continue to dwarf all other types of attacks in healthcare, with phishing being the primary method for launching an attack
Cloud Security: Industry is dictating a rapid transition to the cloud, but with high risk of breach in monitoring data to and from the cloud
Mobile Devices: Tsunami of connectedness will continue from a healthcare worker as well as consumer standpoint, driven by the transformation to VBC
Rise of the Machine: Increase in 2019 and beyond in connected medical devices and IoT with significant vulnerabilities tied to patient safety
Supply Chain Attacks: 20% of all breaches in 2018 were initiated through suppliers, service providers and business associates
The current model is not sustainable
Because… cyber attacks are hard to detect & mitigate
Cyber Kill Chain: Attack Stages
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objective
Blindspot / Dwell Time
Dwell Time (Threat Discovery Time) still high as cyberattacks become more pervasive and are difficult to detect
Average Time to discovery of Threat in 2018: 197 days*
Response Time
Response Time increasing as investigating, neutralizing & recovering from advanced cyberattacks requires specialized CERT teams
Average Time to contain cyberattack in 2018: 69 days*
Ponemon Institute 2018 Cost of Data Breach Study
Because… you can’t fix what you can’t see!
Traditional Security Operations (the tip of the iceberg): Logs, Events
Big Data & Analytics (everything below the waterline): Audits, Identity Context, Alerts, Threat Intelligence Feeds, Social Media & Email Activity, Full Packet & DNS Captures, IoT Data, OT Data, Business Process Data, Web Page Text, Detailed Audit Trails
Current Healthcare Cybersecurity Model
Logs and Events only: focusing on the tip of the iceberg … not integrating many crucial security events
Does not look everywhere (sampling)
Lack of integrated technology (point solutions)
People-intensive – manual processes (Security Fatigue)
Time consuming (reactive – too slow in identifying threats)
Prescriptive Security
A “Single Pane” Security Intelligence Platform based on integration, automation and high performance computing that uses data from past threats to interpret and prevent future attacks before they occur.
Prescriptive Security Components
Technology Planning and Unified Architecture
Analytics & Machine Learning + Threat Intelligence
Big Data and High Performance Computing
Security Operations Center
Unified Technology Architecture
Standalone Products: Common Approach
API-based Integrations: Short-term ‘Fix’, but Problematic
Result:
• Slow, heavy and burdensome
• Complex and expensive to maintain
• Limited vendor participation
• Remediation is difficult and uncertain
Collaborative Ecosystem (Prescriptive Security)
Result:
• Fast, lightweight and streamlined
• Simplified and reduced TCO
• Open vendor participation
• Holistic visibility
Analytics to connect the dots
Multi-domain behavior analysis:
• End user/identity behavior knowledge
• Devices/endpoint behavior knowledge
• Sandbox malware/email learning
• Egress/ingress traffic behavior
• DNS learning
• IPS/IDS learning
Artificial Intelligence enabled behavior correlations: looking for abnormal behavior
Decision support / decision automation
Deployed action to operational systems
The Rise of Intelligence & Analytics
High Performance Computing + Automation & Orchestration
Use Big Data to find threats: Logs, Audits, Events, Identity Context, Alerts, Threat Intelligence Feeds, Darknet, Full Packet & DNS Captures, IoT Data, Fraud Information, Big Data, Detailed Audit Trails, Deep & Dark Web Intelligence, Social Media
Security Operations Center: Impact on Security Operations
► Prescriptive Security enables:
− Fewer resources
− Less focus on alerts
− More malware analysis and threat research
► Requiring different skill sets:
− Analysts
− Data Scientists
− CSIRT
Prescriptive Security Improves Detection & Response
Cyber Kill Chain: Attack Stages
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objective
Dwell Time
Response Time
With Prescriptive Security
Extend Visibility & Detection to outside the organization
Detect cyberattacks while in preparation before they reach your organization
Reduce detection & response times from months to days or even minutes
Prescriptive Security: Actionable Intelligence to Think & Act Fast
Security Operations Center Analysts: Incident Mgmt. L1/L2, Ticket Management
Computer Security Incident Response Team: Incident Mgmt. L3, Forensics Services, Vulnerability & Remediation
Threat Intelligence: Global Threat Intelligence, Targeted Threat Intelligence, Threat Hunting
Data sources: Servers & Network Devices, API & Apps data, Unstructured data
Security backbone for automated response: Endpoint Protection Services, APT Detection & Remediation, Data Loss Prevention, IAM & PAM services, Malware Scanning Devices, DDoS Mitigation Services
Prescriptive Security Analytics
Security Dashboard
Security Reports
Security Metrics
Change Mgmt.
OT, IoT
Benefits of a Prescriptive Security Approach
Integrated Scalability
Analytics & Machine Learning
Data Visualization
Automation and Orchestration: Velocity of Response
One Security Platform – Single Pane: Analyzing massive amounts of data
Threat Intelligence integrated part of SOC: Global Threat Backbone
Optimized use of resources: Focusing on Threat Hunting
Proactive Approach, Better Protection, Resolve more risk, faster!
Transitioning to Prescriptive Security
► Re-assess your current cybersecurity posture
People, Process, Technology, Framework
► Identify and prioritize your assets
► Understand your current threat landscape
► Develop a remediation plan and roadmap
► Determine if a collaborative approach works
► Execute the plan
► Manage, monitor and improve
Where Do You Start?
Customer FY18 Remediation Plan
[Gantt chart: FY18 Q1–Q4 and FY19 Q1–Q4; legend: Completed, On-track, At-risk, Scheduled in FY18]
Risk areas: Patient Health Data Vulnerabilities; Intellectual Property Protection; Vendor Management; 3rd Party Access; Managed Security Services; All Risks
Workstreams and their milestones as shown on the chart:
• Patient Health Data: assessment; finalize remediation path; all safeguards fully implemented; implement additional safeguards
• Quantify and reduce vulnerabilities: baseline current environment; define FY18 goal; begin regular reporting; begin remediation; 50% reduction; 1% critical vulnerabilities
• Harden infrastructure: firewall inventory; baseline network; patch management; install STIGs; SIEM reporting; pen test; re-assess environment; update CSF
• Managed Service Provider Integration: install SIEM collectors; integrate with SOC; optimization
• Implement Incident Response: define plan/scope; define incident response program; implement and optimize processes
• Critical asset protection program: critical asset program definition; program launch; complete FY16 assessments; complete assessments
• Contingent user access control: current state assessment; streamlined process for ES accounts; contingent account verification/clean up
• Secure business partner access: current state assessment; develop partner access strategy; identify partner access solution; complete implementation and migration
• Secure cloud and mobile platforms: AWS security architecture; define security processes; initiate security support for cloud migration; Azure security architecture; optimize security operations in cloud; complete security support for cloud migration
• MSSP monitoring and oversight: update process/service manuals; monitor ES services to plan; ES baseline assessment; define ES improvement plan; achieve service efficiencies
• Implement Data Classification: data protection strategy; training; assess plausible software/process; implement; enterprise DLP roll out
Customer Cybersecurity Roadmap
Evolution Path: Cybersecurity Activities → Profile Enhancement / Risk Reduction, with Planned Initiatives and Key Benefits for each phase
Reactive & Fragmented (FY’18)
Planned Initiatives:
• Quantify and reduce vulnerabilities
• Identify Critical Asset
• Secure cloud and mobile platforms
• SOC integration for entire environment
• Deploy end-point detection and DLP pilot
• Regulatory Compliance gap remediation
• Harden infrastructure
• MSSP monitoring and oversight
Key Benefits:
• Reduce MHC attack surface
• Security embedded into major transformation activities
• Basic protection for critical assets
Optimize & Expand (FY’18)
Planned Initiatives:
• Optimize Security Operations Center
• Initiate third party risk management
• Enhance IAM: streamline access and federation
• Expand network visualization and anomaly detection
Key Benefits:
• Enhanced IAM; improved efficiency
• Enhanced security for critical assets
• Improved protection and coverage
Expand & Accelerate (FY’18-19)
Planned Initiatives:
• Integrate threat intelligence
• Continuous and pervasive monitoring
• Proactive security remediation
• Enhance forensics and containment
Key Benefits:
• Comprehensive third-party risk management
• Effective cyber detection and response capabilities
• Reasonable level of protection across
Preemptive (FY’20)
Planned Initiatives:
• Quantify and reduce vulnerabilities
• Security counterintelligence and brand monitoring
• Comprehensive Security data management and analysis
• Continual risk assessments
• Security orchestration and automated response capabilities
Key Benefits:
• Preemptive and adaptive capabilities
• Leading level of protection
Preemptive Capabilities
Prescriptive Security: Inhouse vs. Collaborative Approach Considerations
► Organizational priority
Understanding impact of a breach – “investment vs. cost”
► Budget/Resource Constraints
► Timing
► Cost
Consistent “blocking and tackling”
Advanced/Integrated Tools/Technology
Analytics and Machine Learning
High Performance Computing/SOC
Additional Resources – qualified security analysts required for 7/24/365 and different skill sets
► Resources
Attaining and retaining qualified resources
Prescriptive Security Collaborative Approach
Vendor Requirements:
► End-to-End Comprehensive Portfolio of Solutions
Healthcare centric
Services/partnership approach
► Unified Technology Architecture
Best of Breed not going away
System integrators working in cooperation on Open Standards
► Automation and Orchestration
Analytics and Machine learning
Threat intelligence is no longer a separate technology but an integrated part of the SOC neutralizing threats in real time and preventing future attacks
Integrated Threat Feeds –discovered malware provides instantaneous learning for other clients
Prescriptive Security Collaborative Approach
Vendor Requirements:
► High Performance Computing
Velocity of response significantly increased
► Changes SOC operational model and the role of the analyst
Detailed malware analysis, advanced threat hunting and research
Reactive to Proactive –no longer burdened with repetitive alert management
► Flexibility
Outsource appropriate functions
▪ Onsite
▪ 3rd Party SOC
▪ Hybrid
Prescriptive Security Collaborative Approach
Benefits of a Prescriptive Security Collaborative Approach
Integrated Scalability
Analytics & Machine Learning
Data Visualization
Automation & Orchestration
One Security Platform – Single Pane: Analyzing massive amounts of data
Threat Intelligence integrated part of SOC: Global Threat Backbone
Act Rapidly & Efficiently: 71% reduction of Manual Effort
Optimized use of resources: Focusing on Threat Hunting
Proactive Approach, Better Protection, Resolve more risk, faster and with fewer resources
Less Cost and faster transition than Inhouse!
Questions
Atos, the Atos logo, Atos Syntel, Unify, and Worldline are registered trademarks of the Atos group. April 2019. © 2019 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.
Thank you
For more information please contact:
Dan Stewart
Vice President, IT Strategy and Cyber Security
Digital Health Solutions
Atos – North America Operations (NAO)
M+ 1 678 699 [email protected]