When it comes to cybersecurity — and by extension, patient safety — “hope is not a strategy,” said Ryan Witt, VP of Industry Solutions with Proofpoint. Particularly as the environment becomes increasingly complex.
“Bad actors’ systems are actually quite evolved and sophisticated these days,” he said during a recent discussion. “It’s scary.” There are more avenues than ever before for obtaining credentials, which he referred to as “the nirvana state” for cybercriminals.
“The moment they gain access into the network, they have the ability to navigate it, lie low, and decide the right way to attack,” Witt added. “A lot of the breaches you hear about start with credentials.”
As a result, cybersecurity leaders face increasing pressure to ensure they have the right pieces in place to avoid those nightmare scenarios. During the webinar, Witt and co-panelists Jesse Fasolo (Director, Technology Infrastructure & Cyber Security, Information Security Officer, St. Joseph’s Health) and Mike Shrader (Director, Information Security/CISO, WellSpan Health) broke down the biggest challenges in securing systems and explained how they’re approaching them.
One of the key factors in defending against a “Trojan Horse” situation, said Fasolo, is understanding the enemy — and what they’re capable of. “Organizations are sometimes attacked by brute force,” with multiple attempts to attain passwords or by deploying specific malware. Or the attack can leverage social engineering. “It can be a call, an email, or someone walking up to you and asking for your password or looking to manipulate you in some way.”
Unfortunately, there are myriad ways for bad actors to gain entrance. And it’s becomingly clearer that most attacks aren’t random, stated Witt. “They’ve done their due diligence. They understand what part of your organization can yield the best return on their investment.” Therefore, it’s important to “put yourself in the attacker mindset, understanding what about your organization is most appealing to them – that’s a very important variable in thinking about how you want to architect your overall security posture.”
Detect and Isolate
A significant aspect of any security posture, according to Shrader, is the ability to detect and isolate threats. “It always comes down to people, process, and technology,” he said. On the technology front, he recommended partnering with vendors like Proofpoint that offer a multilayered approach to fighting email threats like malware and credential phishing.
Through its email filters and warning tags, which utilize AI technology, Proofpoint can automatically detect abnormalities in behavior and send up “red flags,” Witt said. For example, “if all of a sudden you start seeing people without privileges trying to obtain access into systems that they historically have not been entitled to, or have no reason to interact with, hopefully you have the technology to detect it.”
The next step is isolation, which Fasolo believes is “one of the most important components within the process.” As such, leaders need to start the process as quickly as possible by immediately validating any reports of a potential compromise — particularly if it’s a privileged user. In that case, “it’s paramount to stop any activity,” he added.
Continuous monitoring
From there, the next move is to investigate which systems the user entered and what actions were taken, and deploy “monitoring tools and alerts to ensure there’s no further compromise,” said Shrader.
Fasolo agreed, noting that containment is crucial in ensuring bad actors don’t continue to try to access sensitive information. “Just because you reset the password or disabled and re-enabled it, it doesn’t mean the bad actor who compromised those credentials isn’t still trying to use them.” Through constant monitoring and follow-up, security teams can ascertain whether a breach was unintentional, or if there was a deeper motivation that needs to be investigated. “If it’s suspicious, we need to dive into that and do some more proactive research and blocking,” especially if it turns out to be a risky domain or IP address, he said.
By taking these steps, leaders can start to “paint a picture” of why a bullseye was placed on their organization and zero in on the users or systems that were targeted. According to Witt, Proofpoint can assist in this process with its Targeted Attack Protection feature that reveals which individuals are most attacked so security teams can implement risk mitigation controls. Customers can also access reports to learn how their organization compares with others in terms of cyber incidents.
Placing bets
However, while it’s certainly a positive that there are so many cybersecurity solutions available, most CISOs find themselves having to fight for resources, which means having to pick and choose. “You have to recognize that there are tradeoffs and compromises,” said Witt. “And so, you have to place your bets and layer in security controls where it’s more likely to yield the best return for your defense dollars.”
One way to do that, noted Fasolo, is by knowing where threat actors are most active. “The best strategy, in my mind, is to rate vulnerabilities or systems based on criticality and potential risk.” In other words, “if I have privileged users, I’m going to put more security toward them. Or if I have legacy systems, I’ll put them behind multiple layers to break the chain of attack in that environment.”
It’s all part of an effective defense-in-depth strategy — one that goes beyond merely cutting off access in the event of a breach.
“In healthcare, when you shut down someone’s account, you’re impacting their workflow. You’re impacting patients,” he noted. Therefore, it’s important to work quickly and efficiently. “Disable the account, research it, reset the password, and get them working as quickly as possible,” Fasolo advised. “Because at the end of the day, they’re trying to take care of patients.” Once they’re back online, leaders can launch a forensic investigation as to how the password was compromised, where it was accessed, and the IP address from which it originated.
The education piece
Of course, in today’s environment, patient care and cybersecurity have become tightly linked, which is why it’s so critical to prioritize user-centric education, according to Fasolo. “It’s paramount,” he said, encouraging organizations to conduct regular phishing exercises and work with HR to provide coaching for those who click on them.
Another benefit of frequent education, according to Shrader, is that it helps users learn how to identify potential phishing scams, which in turn can help organizations become more proactive. In addition, his team has added incentives, including gift card drawings, to help drive engagement.
“We need to protect people; they’re our key to success,” he said.
To view the archive of this webinar — Delivering Defense in Depth: Best Practices for Preventing & Addressing Credential Compromise (Sponsored by Proofpoint) — please click here.
Share Your Thoughts
You must be logged in to post a comment.