BreachExchange mailing list archives

Security needs business intelligence


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Sep 2015 19:06:45 -0600

http://www.healthcareitnews.com/news/security-needs-business-intelligence

The list of tools in a health organization's data security armamentarium is
long and varied: firewalls, encryption, anti-virus, audit logs, etc. But a
truly risk-based security framework needs more than mere protective
measures. It requires awareness.

Ron Mehring, senior director and chief information security officer at Texas
Health Resources, oversees security architecture and operations at the
sprawling 25-hospital system – an organization whose sheer size and name
recognition plausibly make it a conspicuous target of any bad actor looking
to gain access to its huge troves of data.

"With larger health systems, there's more data there, there's more
complexity there, and there's a larger base of users," says Mehring. "Just
your footprint alone makes you a target."

That understanding – that THR (like "all of us in healthcare") is beset on
all sides by shadowy cyber crooks looking to exploit the tiniest chinks in
its armor – has led to some adjustments in its security strategies in
recent years, he says.

After all, the drumbeat of massive data-loss events – Anthem, Community
Health Systems, UCLA – is hard to ignore.

"The onset of these large-scale breaches is changing how we prioritize our
security efforts within the health system," says Mehring. "In the past, we
kind of spent time on the regulatory and compliance level, and then we
thought about what we would do (in the case of) large scale breaches."

The fact that such breaches have become so commonplace now means that THR
is "changing how we prioritize investments, resources – what we fix first,
what we fix last, and how we internalize risk treatment plans," he says.

Specifically, that means escalating up from "baseline security
requirements" to something much more robust. Firewalls? Intrusion
protection and prevention? Antivirus? "I consider that the starting point,
those are table stakes," says Mehring.

"I think where we're heading now is: How can we manage incredibly complex
environments?" he adds. "How can we more effectively manage the baseline
security controls and make decisions on what advance controls or techniques
we need to put in our enterprise to manage these more sophisticated threat
actors who want to break in?"

That means thinking shrewdly about how to configure appliances and
controls, how to ensure staff are properly trained, and how to optimally
monitor them: "It's that whole slew of activities that go around those
control sets that's critical in defending against these advanced threats,"
says Mehring.

THR has deployed what's variously called a "cyber kill chain" or a "threat
actor profile," he says. "We're improving our technology around how we
detect and react to phishing campaigns, whether they're targeted or
broad-based. We're starting at that first injection point and then working
away through every one of those profile areas. If they try to get a
persistent foothold in the network, how do we detect that?

"We make sure we're monitoring more on our endpoints, we're monitoring
inside of our data centers to see if we can see that anomalous activity,
we're advancing our security zoning in our enterprise to break apart our
network to control data flow," Mehring adds.

The goal of that last one, if the bad guys were to get in, is to make it
"really hard to get to where the most important stuff is at: We're breaking
apart the network to make it more difficult for them, preventing a little
of that horizontal movement."

Analytics such as data loss prevention technology are also aimed at offering
visibility into what the bad guys are up to, he says.

"If they get that far, can we see them lift data off these sensitive areas
and try to carry it out of the network? We're putting in solutions to
hopefully more effectively identify that behavior in the network. We're
advancing our DLP platform, as well as some more technical parts of our
architecture, to see if we can detect that liftoff when they're trying to
exfiltrate and get it out of the network."

But the ideal scenario, of course, is to not let them in in the first
place, which is why THR has put in place an array of threat management
systems focused on activity monitoring.

"It gives us a good analytical view across our core systems, and helps us
profile behavior. Those things exist today but they're not a consolidated
end-to-end view. And in any case we have to do a lot of log aggregation and
manual correlation to make sense of it all. So having a consolidated, easy
to use, easy to deploy platform that analysts can get behind so they can
manage the security of the infrastructure is pretty tough to do."

Mehring hopes to see advancements and improvements in analytics tools in
the near future -- especially a move toward a more holistic threat awareness.

At the moment, he says, "we're dealing with a security space that is
heavily siloed; even the vendors that have a portfolio of security
products, they aren't necessarily well-integrated."

That makes it exceedingly difficult to get a common operational view of an
organization's security posture.

"We're still creating separate views in our architectures, in our analytics
platforms, to detect bad behavior. In the protection schemes and the
detection schemes, we're still seeing a lot of point solutions that make it
difficult for us to effectively detect and respond," he says.

"What I would like to see is a much more tightly integrated platform that
ties together not only our generalized security event management data but
also that integrates much more tightly with a common view of behavioral
data."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
