Splunk as a Tool for Privacy Monitoring
Chris Grant, Chief Information Security Officer
Chris White, Senior Security Engineer
October 9, 2014
Group Health Cooperative (GHC)
Introductions
Chris Grant, CISO
Chris White, Senior Security Engineer
• Seattle, WA (Go Hawks!)
• Integrated, non-profit provider and payer
• Cover 600,000 lives
• Medicare last 3 consecutive years
• 25 Clinics in 17 cities in Washington state
• 380 Providers, 720 specialists
• 9,000 Total employees
2
So, What Will You Get Out of This?
Show you how we solved the healthcare privacy monitoring problem by:
1. Not using default privacy monitoring tools
2. Using clever information security geeks
3. Using tools we already owned
3
What is Privacy Monitoring? Why Does it Matter?
What is it?
Privacy Monitoring is looking for patterns in log data
• Access logs
• Between two people
Why does it matter?
Healthcare has unique privacy monitoring needs
• Clinical data
• Personal relationships
• Required by regulation
4
How Were We Doing This Prior to 2014?
• Manually and slowly
• With product-specific reports
• Frustrating, maddening tedium (editorial comment)
5
Design Considerations
After speaking with two organizations that came before us, we had lessons learned.
• How would we do this differently?
• Can we do it all in Splunk?
• How do we integrate other applications?
• How do we bring in people data?
• Can we build something that could be redistributed?
6
Design Considerations
7
Production Implementation
Group Health Log Sources:
Epic Clarity (access logs)
• Filter 6M -> 2M per day (40% of raw events)
• Filtered false positives
• Filtered if no user_id, pat_id
“PersonDB” (people data)
• Lawson
• Ceridian
8
Proof of Concept
Focused on proving we could:
1) Understand Epic access log data
2) Understand Splunk
3) Build a sample “report” using #1 and #2
4) Ask for direction then build to Privacy Team needs
9
Production Goals
• Minimize daily indexing volume
– Filtering out high volume, low value data
– Only logs with a populated UserID/PatientID pair
• Create generic framework
– Focus on functional pieces
– Support multiuser workflow
– Reduce requirements for adding scenarios
10
Production Goals
• Create a simple, dynamic analysis experience for users
• Present complete context through demographics and encounters
• Increase efficacy, decrease false positives through weighted scores
• Reporting performance
– Avoid live analytical searches
– Summarize scenario reports
– Display pre-analyzed data
• Support scope expansion
– Avoid vendor/product specifics in framework
– Design with the intent of supporting multiple sources of privacy data
11
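As an added illustration (not GHC's Sentry code, and not from the deck itself), the shape of the pipeline the Production slides describe: drop events without a user_id/pat_id pair, enrich each remaining pair from people data and encounter context, and sum weighted scenario hits into a pre-analyzed summary. The events, people records, encounters, scenario names and weights are all constructed assumptions.

```python
from collections import defaultdict
# Constructed Epic-style access events; user_id/pat_id are the deck's field names, the rest is assumed.
ACCESS_EVENTS = [
    {"user_id": "u100", "pat_id": "p500", "action": "view"},
    {"user_id": "u100", "pat_id": "", "action": "login"},    # no pat_id: dropped
    {"user_id": "", "pat_id": "p501", "action": "report"},   # no user_id: dropped
    {"user_id": "u101", "pat_id": "p502", "action": "view"},
    {"user_id": "u100", "pat_id": "p500", "action": "print"},
]
# Constructed "PersonDB": workforce and patient ids resolved to demographics.
PEOPLE = {
    "u100": {"last_name": "Lee", "address": "1 Pine St"},
    "u101": {"last_name": "Kim", "address": "9 Elm Ave"},
    "p500": {"last_name": "Lee", "address": "1 Pine St"},  # same household as u100
    "p502": {"last_name": "Kim", "address": "3 Oak Rd"},   # shares only a surname
}
# Constructed encounter context: (user_id, pat_id) pairs with a care relationship.
ENCOUNTERS = {("u101", "p502")}
# Assumed scenario weights; the deck only says scores are weighted.
WEIGHTS = {"same_address": 5, "same_last_name": 2, "no_encounter": 3}

def filter_events(events):
    """The indexing-time filter: keep only events with both ids populated."""
    return [e for e in events if e.get("user_id") and e.get("pat_id")]

def scenario_hits(user_id, pat_id, people, encounters):
    """Names of the scenarios a user/patient pair matches."""
    u, p = people.get(user_id), people.get(pat_id)
    hits = []
    if u and p and u["address"] == p["address"]:
        hits.append("same_address")
    if u and p and u["last_name"] == p["last_name"]:
        hits.append("same_last_name")
    if (user_id, pat_id) not in encounters:
        hits.append("no_encounter")
    return hits

def score_pairs(events, people, encounters, weights=WEIGHTS):
    """Collapse events to pairs and attach event count, hits and weighted score."""
    counts = defaultdict(int)
    for e in filter_events(events):
        counts[(e["user_id"], e["pat_id"])] += 1
    report = {}
    for pair, n in counts.items():
        hits = scenario_hits(*pair, people, encounters)
        report[pair] = {"events": n, "hits": hits, "score": sum(weights[h] for h in hits)}
    return report

def summarize(report, threshold):
    """Pre-analyzed rows at or above threshold, highest score first."""
    rows = [(k, v) for k, v in report.items() if v["score"] >= threshold]
    return sorted(rows, key=lambda kv: kv[1]["score"], reverse=True)
```

The summary rows are what a reviewer would look at instead of running a live search over the raw access log.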
Flight Demo!
12
Decision Path
• 2012 to Early 2013 – RFP, not satisfied
• Mid 2013 – Two conversations
• October 2013 – Site visit
• November 2013 – Decision
• December 2013 – PoC proven
• March 17, 2014 – Go Live
4 months from decision to production!
13
Recent Past and Future
Recent Past
• Made distinction between interactive bits and product-specific bits
• Wrapped up GHC-supported open source license (important)
Future
• Releasing Sentry framework through SplunkBase
• Releasing Epic product-specific bits through Epic
• Analysis to detect anomalous behavior and improve confidence scores
• Improve scenario logic and scoring with performance data
14
How to be Successful
1. Get Splunk – presume this has been completed
2. Invest in creating a Splunk guru
3. Develop organization-specific scope
4. Play off your strengths in the design
5. Find willing participants on the IT side
6. Get access log data
7. Get your people data
Note: apply bribes where possible to improve speed of implementation
15
16
Contact Information
Preferred email: [email protected]
Chris Grant, CISO, 206.901.6710, [email protected]
Chris White, Sr. InfoSec Engineer, 206.901.6226, [email protected]
17
Purpose: Tell you our journey and implementation of our Splunk-based solution for healthcare focused privacy monitoring, “Sentry”.
Agenda:
• What will you get out of this? (Chris Grant)
• Decision Path and Overview (Chris Grant)
• Design, PoC & Production (Chris White)
• Demo (Chris White)
• Future, Questions & Contact Info (Chris Grant)
Payoff: You’ll have enough information to be dangerous…
18
Security office hours: 11:00 AM – 2:00 PM @Room 103, every day. Geek out, share ideas with Enterprise Security developers.
Red Team / Blue Team: Challenge your skills and learn new tricks. Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge; Thurs: 11:00 AM – 2:00 PM. Learn, share and hack.
Birds of a feather: Collaborate and brainstorm with security ninjas. Thurs: 12:00 PM – 1:00 PM @Meal Room.
© 2014 Group Health Cooperative and Group Health Options, Inc.