Published April 2023 –
Ransomware attacks don’t happen in the blink of an eye, despite what many think, says cybersecurity expert Nadir Izrael, chief technology officer (CTO) and co-founder of Armis. For weeks and months, bad actors will penetrate an organization, overriding and infecting different systems before the final attack. A lot can be done at the beginning of such an attack to mitigate it, if cyber-leaders have a good understanding of their assets and how they all interconnect, he says. In this Live at Vive episode of healthsystemCIO’s Partner Perspective Interview Series, Anthony Guerra, founder and editor-in-chief, interviews Izrael, who says good cyber-hygiene is an organization’s best defense. “The reality is that most attacks don’t happen with these super fancy, Zero-days that just came out. They happen with run-of-the-mill vulnerabilities that have existed for a long time and just old equipment,” he says.
- The relationship between technical debt, application and device ecosystem complexity, and security risk
- Cyber-attack percentages via exploits versus phishing/social engineering
- Bad actor methodology
- The benefits of truly understanding your environment when trying to mitigate a cyberattack
- The challenges faced by small and rural hospitals
- Cloud security issues
- The coolest thing about physics
Guerra: Nadir, thanks for joining me.
Izrael: Thanks for having me.
Guerra: All right. Do you want to tell me a little bit about your organization and your role?
Izrael: Sure. So I’m the CTO and one of the founders at a cybersecurity company called Armis. We basically deal in the world of devices and assets. We map out every single device and asset within an environment. Specifically, given the context of this conference in healthcare environments, we map out everything from the IT infrastructure to medical devices, to all the specialized different pieces within the environment all the way through cloud workloads and containers and things like that.
We give you a map of your universe, and then contextualize everything, meaning for every asset, every device, be it an MRI machine, or an EHR asset, exactly what it is, what role it plays within your organization, criticality, and then all the security details and information and the ability to act on them. Fundamentally, we like to think of ourselves a little bit like the Google Maps of your organization, with the ability to navigate and act on things based on that.
Guerra: Okay, very good. So you’re speaking here at Vive. And I know your session covers the topic of technical debt and security. That’s a very interesting topic to me, technical debt. How would you describe the relationship between technical debt and security vulnerabilities and risk?
Izrael: Well, it’s a very tight relationship. I think technical debt generates risk and an attack surface. And I think that, for the most part, we see that dovetailing heavily into the whole world of cybersecurity and how attackers are exploiting that increasingly large attack surface. But technical debt, I think, is a world unto its own. Technical debt is also old things that are out of service, end of life, things that you’re basically paying and incurring the risk for having them because it’s hard to deal with them, it’s hard to replace them, it’s hard to manage downtime. But definitely, for most organizations, this is something that goes completely hand in hand with vulnerabilities and patching and generally supporting different systems.
Guerra: So technical debt could have two parts of it. You could have the old products that you mentioned, no longer being supported, no longer receiving patches. We know that with the medical devices, the operating system outlives the patching and the support from the vendor, but they want to keep using the product because it’s got a long shelf life in that sense. So that’s one area of technical debt. And then you’ve alluded to the concept of more products, if you continually are adding more and more applications to your suite, instead of perhaps using something you already have, or using something from a vendor you already have – that goes into application rationalization, right? More and more CIOs and CISOs talk about how we want to keep our application universe tighter. So you’ve got two areas, again, of technical debt, lots of products and old products, correct?
Izrael: Yes, and I’d even added a third. It’s more of a derivative of the second one that you said, which is, the more complex the environment and the more applications, the more you have to apply patches or replace things, the more you come across problems of dependencies that break. So you set out to patch some server or some database and inadvertently you take down a critical system within a hospital or some workload, and it’s because of the complexity of the interconnections.
Guerra: So even applying patches has some risk to it.
Izrael: For sure because most organizations, and hospitals in particular, have a partial understanding of the dependencies. They might think they’ve mapped out all the different applications because business owners said, “We use these,” and these are different servers. But that one server that no one even thought about, you patch that and suddenly a whole system or whole business application goes down.
Guerra: So dependencies and complexity, we want to keep that to a minimum. Okay, so one reason for technical debt would be not upgrading to new equipment. Things are getting old and we’re not spending the money to update our equipment correctly. So, when we want to buy things as a CIO or CISO, we are making budget requests, perhaps increases, we need to convince the powers that be that this should be approved, because otherwise our technical debt will keep growing, and our security risk will keep growing. Maybe that needs to be included more in the conversation when they’re requesting additional funds to upgrade equipment.
Izrael: Absolutely. The word debt is in there and it’s not by chance, it costs money. Increasingly, it costs in terms of risk, but also in terms of real world cost of what it means to upgrade an old system versus a newer one. Now, I agree with you completely. I think that part of the conversation around acquiring new technology should first come from good sound business logic around rationalization, but also definitely technical debt and the cost incurred by not doing that, for sure.
Guerra: So I think it’s usually the CIO making those dollar requests. And perhaps a new dynamic needs to be the CISO supporting the CIO with those risk-based arguments that the CIO will take to those board-level or CEO-level discussions. Unless the CISO will be having those interactions directly.
Izrael: That is absolutely the right way of looking at it. I think 2022 was the first year when, statistically, most attacks that happened in the cybersecurity space happened from exploits, and not from the usual social engineering techniques that we’re all used to. And in essence, exploits mean the ability to exploit vulnerable systems. And the reality is that most attacks don’t happen with these super fancy, Zero-days that just came out. They happen with run-of-the-mill vulnerabilities that have existed for a long time and just old equipment. So in that sense, technical debt is a primary entry point into an environment, into a potential compromise, that would cost way more.
Guerra: Well, let’s talk a little bit more about that. Because I’ve heard the opposite in terms of the attacks. I’ve heard people say it’s coming in through email and it’s the social engineering. That’s where the majority come in. And it’s interesting, right? So you’ve got those two sides to look at. One is more technical, you might say, with the devices you’re going to need a more technically savvy attacker, right? Anybody can learn how to write a phishing email, right? That’s not very savvy, although you could get really sophisticated with it. But you have to be pretty savvy to be coming in through an infusion pump. If you were talking to a CISO and they were trying to figure out where do I spend my dollars, do I spend my dollars doing education and email security and all that? Where do I spend my dollars on the device stuff? I mean, obviously, you’re going to have to do both, but what are your thoughts?
Izrael: So I was going to say, first of all, the simple answer is that you need to do both to some degree. But let me first explain the discrepancy. For the longest time, you’re right that social engineering was the primary path into an organization. This changed about 12 months ago or so. I think that COVID, in particular, seems to have created a major shift in a lot of different aspects of cyber, both cybercrime as well as cyber warfare. The reality is that there are plenty of nation-state grade tools out there available to different groups, available to different people. And there’s a lot of incentive to go after organizations that have either weak cyber hygiene or otherwise are very high profile targets. So this is a fairly new situation where exploits are the main way of getting into organizations.
Now, having said that, I’ll say the following. No, it’s not that you suddenly don’t need to educate your organization. But the problem is the infusion pumps, as an example – but take that to mean any device out there – that are running old Windows; old Android or old Linux. It’s not running something that requires a vast understanding and knowledge of particular types of products. It’s something that basically is just really old stuff that wouldn’t exist on an endpoint. The only problem with things like medical devices is that, due to a combination of things like FDA compliance, as well as others, it takes way longer for patches to come out. Operating systems are inherently already very old when you buy the device in the first place. And generally, the routines around being able to patch or put any compensating controls in a typical hospital just tend to be weaker than in your average IT organization. That’s where this is ultimately coming from.
Guerra: So plenty of people are coming in through the devices, plenty of danger. There’s plenty of sophisticated folks out there that will take that avenue to come in.
Izrael: Yes, because it’s worth it. I think that ultimately the prize, if you will, is you shut down a hospital with ransomware, or even part of IT systems, whatever you’re able to compromise. And the reality is that in most cases, they would pay because it’s very hard to be on the other end of that equation as a CIO or as a CFO in a hospital. How do you justify the price of keeping a hospital in business and serving people and the healthcare industry? It’s very hard to ignore that. If you’re hit, you will likely pay a good amount of money, so there’s a lot of incentive, there’s a lot of opportunity. And yes, there’s plenty out there that would exploit that.
Guerra: And with these breaches that we’ve seen happen, tell me a little bit about how it works. Do the bad guys put this stuff out everywhere and see where it works? Or do they target specific organizations?
Izrael: Yes, in the sense that you’re talking basically about two different groups in the world. There’s two aspects of this industry when it comes to what you’re describing. First of all, there are the groups that deal in just selling intelligence entry points, if you will, for different targets of opportunity. Imagine basically like a brokerage or a marketplace where you go in, and there’s groups that just create all of these different doors and opportunities. They would be doing, to your point, massive reach out, almost random, trying to see what picks up where they scour the internet, they scour different elements of the environment that just basically pick up different entry points, and then they go and sell them.
Now what would happen is a group would actually do exactly the targeted aspect that you mentioned, they would go and think, “Okay, here’s a hospital system in Nashville. They have the right finances, they look big enough, they will likely pay, or they have insurance or anything like that. And that’s what this group will go and find or buy intelligence as to entry points. They would then go and for weeks, sometimes months if it’s big enough, but for weeks, usually, they would go and do the slow penetration of that organization, as opposed to what most people think that ransomware is something that happens with the flip of a switch. There are weeks of preparation for that where they go in, they penetrate slowly, they infect different systems, they override different systems. And eventually, when they’re ready, they push out all the commands, usually by compromising the active directory and just going from there. And there are a lot of things, there are a lot of elements of that which can be stopped in the beginning of such an operation, if you have a good understanding of your environment, of what plays a part and communications, and basically how all the things tie together. So it’s all about the basics.
Guerra: It’s really fascinating. So from the scenario you describe, let’s use the concept of an open door, right? And that’s a vulnerability, an open door. So, group A, the one that looks for vulnerability says we found an open door over here. And this is now available for sale. So I wonder if there’s any way for health systems to find out if they have a vulnerability listed for sale.
Izrael: In fact, there’s definitely been more of a push on that front as well with organizations in general and not just with healthcare. They can also buy curated forms of intelligence like that, but I will say that there’s a lot of disparity there between different vendors on the cybersecurity side that provide that information. But yes, they could.
The other aspect is – and that’s why I keep saying the basics – is that the reality is that ultimately most of these things relate to exposed systems with known vulnerabilities. It’s not the Zero-day stuff. It’s not all that. Good hygiene can save you a ton of breaches and money. And the reality is that when we go back to what I said in the beginning around what Armis does, that’s exactly the approach that we advocate. Here’s the map of your universe, let’s sort through that for a second and prioritize what is business critical, what’s exposed to the Internet, and also vulnerable or unpatched? And let’s focus for a second on that top tier of things before we go into a whole funnel.
Guerra: Let me ask you this. There are other entities, other companies that claim to do similar things to what you do, what is unique about your offering?
Izrael: So I think, ultimately, there’s a few things that are unique about how Armis approaches things. And yes, there are plenty of actually good tools out there to do any piece of what I’m going to describe. But I think the holistic approach is really what sets us apart. It’s holistic in a few different ways. First of all, a lot of the different tools out there to do similar things to what we’re describing but focus on a particular niche, it might be medical devices, it might be OT, it might be a particular subset of the environment. We believe in an all or nothing approach. Ultimately, if we were talking about a hospital or a retail store, or a massive bank, it doesn’t matter. It’s all about every single asset and device that you have and how they all mesh and interconnect together; you can’t only look at a part of the environment.
So the holistic approach is one difference we have when we look at everything. You can expect to see within something like Armis anything from an infusion pump to what we talked about before, all the way through your security cameras, your endpoints, your nurse workstations, and your PAC servers, everything. The second thing, and that again sets us quite a bit apart, is that we have a massive scale, as we’re basically deployed across some of the biggest organizations on the planet. And we track today over 3 billion assets worldwide, which is an enormous number. But the way we use it to our advantage, or to every one of our client’s advantage, is that we believe in a collective intelligence approach. We learn from all of these environments, both how to figure out what something is, but also what role it plays within an organization, as well as all the security features that you should know about that. So in essence, what we tell folks is that there is no need to wait for something to happen to you. We’re deployed across some of the biggest hospital networks in the world, we’re deployed across some of the largest defense organizations in the world. These folks, they get attacked over and over again all the time. Every time something like this happens, Armis learns from that and adapts that to everywhere else.
And lastly, the holistic approach. It also translates into one more thing, which is we learn from our clients – not just their environments or their data, but also how they act and what they do, what are their playbooks? What are the things that they do? And we consume and put that information in one place and then make it available for everyone else. We believe that our job isn’t just to provide technology, it’s to provide a service and to provide value. And that means using that to also apply methodologies and teach our clients how others are doing it as well.
Guerra: One of the things I’ve been hearing is that rural and the small health systems are in a bad place with security, even though there’s a lot of best practices out there that are provided by the government and government-associated entities. They just don’t have the people or the money to really take the steps they need to be secure. Do you have any thoughts on that?
Izrael: I think there’s a few different things here. First of all, yes, they are. They may get guidance these days, but they don’t get mandates and they don’t get funding right. Now, in some states, by the way, the states have taken it upon themselves to create all kinds of general programs. But you’re right, in all kinds of different rural areas, either private hospitals or smaller networks are struggling, for sure. And I think that’s why going back to your comment from before, tool rationalization – having things that work on many different domains at once; having things that can operate what you do more efficiently or add into that stack, multiple different capabilities at once – are crucial.
The second thing is it’s no longer a world where you can afford to buy just one tool for every domain. Things need to integrate. Things need to work well together. And those are things that we believe in quite a bit. And the last thing is, in many cases, what would happen in those kinds of situations is that there is a very small team that is in charge of a lot. We can come in and also provide technical expertise, put everything in and operationalize it for them – be able to do the legwork beyond just providing the technology. That has been a big differentiator for us.
Guerra: I just have a feeling you have thoughts on this. Aren’t some hackers, or these nation states, supposed to leave healthcare alone?
Izrael: Well, I think the reality is it’s a little bit like the Geneva Accords and not hurting medics in the field, which is one of these things that maybe used to be once upon a time, but the reality is it no longer works that way. Look, if anything, I think the last couple of years, and especially during COVID, have proven to us that even if there are hackers that have that level of ethic, there are plenty that don’t. And the reality is that the healthcare system, and hospitals, in particular, are a target rich environment, and a very lucrative one as well. In most cases, they would pay, and no one would even think badly of them for doing it.
Guerra: Let’s talk a little bit about cloud. Does the cloud increase your risk?
Izrael: First of all, I think that as a security organization, the cloud is too big to say no to. It’s happening, no matter what. So it’s more about how to do this the right way. Now, I think just like in the world of third party networks, or pretty much anything else that existed for a long time within healthcare environments, it’s about being able to contain and mitigate the third party risk that exists. Every vendor, including security vendors like ourselves, introduce a certain level of risk into the environment. I mean, that’s just the reality. Anyone who says different is either lying or misinformed. But the reality is that you introduce a certain level of risk, but you do it to mitigate a significantly larger area of risk.
Guerra: It’s like a side effect with a medicine.
Izrael: Exactly, exactly. But what you should absolutely be in a position to demand from different third party vendors, such as ourselves, is a complete understanding of the security controls and how we basically go about securing the data and the access that we ourselves have. And that’s true for any vendor. I think third party risk is something that has always existed, but that doesn’t mean that it doesn’t have a solution or something that you can basically do. Now, I’ll add to that for a second, that there are many ways of doing cloud, it’s not about rushing into anything, or doing anything in the wrong way. But there are tried and true policies out there already. There’s a lot of experience already in the things to do right and to do wrong. And I would say that, in general, visibility and understanding of what you’re doing and what you’re transferring is key. That’s where it starts and that’s where you can handle the basics.
Guerra: Is a cloud vendor just another third party vendor, or is it more complicated than that?
Izrael: It’s more complicated in the sense that you yourself can build logic that introduces vulnerabilities and risks into their equation as well. So you need to do it right yourself. But at the same time, what I would say is, it’s no different significantly than building out virtual networks within your environment and exposing them to the Internet. And at the end of the day, yes, you own the risk for that. But there are ways of doing it, not only best practices but tooling for visualizing and understanding exactly what you have there and what that exposure looks like. And again, handling it one piece at a time.
Guerra: Okay. Very good. Let’s have a little fun here. So I looked at your LinkedIn profile and you studied both computer science and physics. You have a passion for both. So I like the shows about space and physics at a very high level. What do you think is one of the most interesting things that you’ve learned about in physics?
Izrael: First of all, there was a time when I thought that I’m going to be doing a PhD in physics and continuing into astrophysics, not what I’m doing today. I will tell you that one of the most fascinating things that I discovered studying physics is just how little our knowledge is. You would expect that you’d need to do a PhD to reach the limits of human knowledge and physics. But no, you reach it really, really fast. I think that it’s incredible to me that during my studies, the Higgs boson was discovered. And until then, the curriculum was we don’t know if it exists or not. So if it does, here is the equations. And if it doesn’t here are the equations, and then during my studies, it was discovered, and they were like, okay, so I guess it’s this. It is fascinating how little we know about our universe. And with every step, like the James Webb telescope that got launched last year, or anything like that, our knowledge completely transforms. It’s incredible to me how close we are to the edge of our knowledge, basically.
Guerra: So you still enjoy it?
Izrael: Yes, I do. I’m still thinking that maybe one day I’ll do something in that area, too.
Guerra: That was the collider, right? Where they found the Higgs boson?
Izrael: Yes. That was 2012, 2013, something like that.
Guerra: Very interesting. All right. I think that’s about all we had time for today, but I really enjoyed the discussion.
Izrael: Me, as well. Thank you for having me here.