Published February 2024
If burglars were consistently entering houses in your neighborhood through the back door, it wouldn’t make much sense to spend the majority of your home defense budget fortifying the windows. According to Ryan Witt, VP of Industry Solutions, Healthcare, for Proofpoint, figuring out where to spend your cybersecurity budget should work much the same way. And speaking of healthcare, he notes that the more things change, the more they stay the same, with phishing consistently being a top attack vector for the past decade. Why? According to Witt, because it works. But there are ways to give yourself a better chance of fending off the bad guys. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Witt talks about some strategies for defense, what to do (and not do) after a credential compromise, and why convincing users that IT security is on their side is so important.
Anthony: Welcome to healthsystemCIO’s Partner Perspective Interview Series. I’m Anthony Guerra, Founder and Editor-in-Chief. Today, we’re talking with Ryan Witt, VP of Industry Solutions for Healthcare with Proofpoint. Ryan, thanks for joining me.
Ryan: Anthony, it’s great to be here. Looking forward to the conversation.
Anthony: Excellent. Do you want to tell me a little bit about your organization and your role?
Ryan: Let’s go with the organization first. Proofpoint is very focused on what we call human-centric security. This notion that the attack surface has pivoted to attacking people, attacking humans and how they work. We’re all about protecting those people from cyber attacks and defending the data which is so frequently the focus of cyber criminal activity and exploits. It’s all about protecting people and defending data.
Anthony: Very good. You have a new title.
Ryan: Let me elaborate on that as well. My role within Proofpoint is we have a deliberate focus on a small number of industries, healthcare being one of those. I run the strategy and solutions for those industries, making sure that we are enhancing the experience for customers who exist within that industry, and so we double down our efforts from a go-to-market standpoint, from a product development standpoint. So that if you are a healthcare industry customer, you should be able to discern an enhanced experience from working with Proofpoint.
As a by-product of that, I also ran Proofpoint’s healthcare customer advisory board, healthcare being the only industry for which Proofpoint has a dedicated advisory board. We take our strategy and solutions and we run it past this advisory board, get some feedback on that, and that shapes what you ultimately see in the marketplace.
Anthony: Very good. We’re going to take this in a logical progression as we analyze this issue of security around email and people and that type of thing. Email is still the main way we communicate when we do business. We all know about the spam filters and things like that. It’s also one of the major attack vectors, right? It’s the way we do business and it is one of the major ways that we have security breaches is through that email.
Security professionals want the good emails to get through, which is also a critical point that’s come up. We can’t have that lever too tight, that dial too tight so good emails are being rejected, which can happen, where they’re going in spam and whatnot. We want to make sure the good stuff is getting through and the bad stuff isn’t.
Two ways we do that are, one, with technology filters, and the other way is employee education. Does that sound about right? I just want to set the stage before we go into some more nuance and detail on this. Tell me your thoughts on that premise.
Ryan: Yes, I think that sounds about right. I think the first thing to maybe focus on, at least for a moment or two, is despite all the different forms of attack, despite all the different exploits, I get to captivate people’s attention.
For example, we just came off the holiday season and a lot of my friends, family, loved ones who have nothing to do with IT or cybersecurity, they know about, say, ransomware attacks. Those things captivate people’s knowledge. Those things become kitchen table topics.
The reality is phishing and attacking people mostly on email or other communication channels is still by far the most popular and most prominent form of attack vector. If you had to just pick one to double down on, it would be email.
Yes, when you get to the controls, what are some of the measures the defenders can put in place to mitigate against that form of attack? It is a blend of processes, a blend of technology, and it’s a blend of training. You need all three, all three are important parts of the mix. We would recommend a strong layering of your security controls to protect against that attack vector.
Yes, you certainly want to make sure that you have your dials set to a point where you are keeping as much of the malware, as much of the nefarious traffic, away from your users, so they don’t have to make the judgment about, ‘hey, is this a good or bad email?’ You don’t have to add that complication to their work. The reality is that some will get through, so then you need to put steps in place. You need to train the user in a way to allow them to have a considered judgment about what they might do next if they have a concern about an email in their mailbox.
Anthony: Right. We do our best to keep the bad ones out and let the good ones in. We know that some of the bad ones are going to get through. That’s just the way it’s going to be. We layer on education, training, processes so people learn how to deal with the bad ones. Okay, we have that as a premise.
Do you also think that the ChatGPT AI type stuff is being leveraged by the bad guys and supercharging the scams?
Ryan: Allow me an opportunity to give you my favorite answer.
Ryan: Yes and no.
Anthony: Okay, you do say that a lot. Let’s go. I love it. (laughing)
Ryan: Hold on. (laughing) Yes, certainly we should not diminish the prevalence of ChatGPT and other AI tools. It’s interesting, however, that I think the most recent Verizon DBIR report – one of the seminal studies that looks at the cybersecurity landscape – I’m paraphrasing here, but they made this statement along the lines of, we could cut and paste from an executive summary from 2010 and put it in this year’s executive summary because nothing has really changed, right? The old school attacks still work in the way that they used to work 15 years or so ago. Yes, things have evolved for sure, but the reality is phishing is still the most used attack vector and is still working, and is still super impactful. The bad actors don’t necessarily need to take that step to AI just yet because that just elongates and complicates their processes and it could impact their ROI.
I hate using those terms in relation to cyber criminal organizations. But the reality is they think of themselves as a business. But that’s not to say it’s not coming. For sure, AI is coming. Essentially we are in an arms race. The attackers and the defenders are going to deploy AI as aggressively as they need to to try to stay one step ahead of each other.
Right now, there’s an argument that says industry has more capability to deploy AI. It has more funds to deploy AI. If there’s an advantage there, it won’t last for long. The bad actors are also looking in that area. And so, I say that to make sure that we focus on where the threat vector really is most prominent, and it’s still going to be phishing.
Anthony: Very good. When we’ve spoken in the past, you talked a lot about the concept of very attacked people and the fact that as a security professional, it’s not a one-size-fits-all as you roll out your controls and tools and education. You really need to understand that there are certain groups of people that are much more at risk, much more threatened and much more attacked. That will help you properly configure – and I think you’ve used the words elegant and sophisticated in the past in describing how you should be rolling out your controls, keeping in mind this concept of very attacked people. Any updates on that concept or specifically in terms of who is very attacked?
Ryan: Sure. We focus on this for a couple of reasons. One is it’s best to make sure your defenses are deployed where you think the attacks are most active.
If you have an accounts payable department or if your pharmacy or your hospice departments are all heavily attacked from the cyber criminal landscape, and they are for all sorts of reasons, it would make sense to layer in more controls there to give more defenses to go help those employees, those members of staff, to be able to protect against an exponentially higher attack number.
From a philosophical standpoint, Proofpoint very much believes that data, in this instance, really, really matters. Understanding that within the organization, there are people who are exponentially more attacked. There are departments that are exponentially more attacked, usually for monetization aims. The bad guys made a conclusion about the organization that says: this person, this department, can yield something to me in the form of data, credentials, intellectual property, whatever that I can monetize. We believe that when you think about your security posture, your security architecture, that’s the most important variable about what you do to counter that.
Now, what you do is a much deeper philosophical conversation; whether you pivot towards training, technology, you put interrupt processes in place that say, ‘don’t interact with that email, think of making a phone call, talk to a colleague, whatever.’ That’s a much broader, more philosophical, discussion. But that’s Proofpoint’s starting point – having that insight is a really, really good variable to helping in tuning your strategy.
The second thing, and this really pertains more to healthcare, is I’ve been in cybersecurity for almost 20 years now, I have yet to meet a CISO or an IT organization or a hospital executive team that says, ‘I have a ton of money, I have a ton of resources, I have a ton of access to technology, I can just put the gold standard everywhere.’ It’s usually quite the opposite. The people I’m working with are usually making tradeoffs, sometimes significant tradeoffs. They have to make an educated guess or judgment about which of their 10 priorities to focus on this year from an investment standpoint, and maybe they can only choose three or four. We believe data like this provides the necessary insight to go help guide them, ‘okay, if you can only focus on 30-40% of what you would ideally want to do, what should that look like?’
Anthony: Yes, just a little more detail on that. I think you answered a lot of it. My follow up question was about the downsides of not taking a customized approach. What happens when you don’t do that?
Ryan: Let me give you a basic example, but I think it applies to the conversation. Five years ago, most significant expenditures in security focused on hardening the network. If we were to have this conversation 5 years ago, we would talk a lot more about a vulnerability in terms of the network being exploited, design being a little bit flawed upon reflection, patches not being deployed, bad actors coming with zero days. We don’t hear that too much today, but the expenditures have been slow to pivot. So we keep putting, in some cases, a disproportionate amount of money into hardening the network. I would never say that’s not important – because it is absolutely important – but you have to look at the balance.
Let me give you another example. We have all, I think practitioners, those in cybersecurity, those people in healthcare, those people who offer opinions about the marketplace, had been very concerned about the attack or the vulnerability of medical devices. Again, if you look at the reality, there are very, very few stories where the attack came in by an exploit in a medical device. I wouldn’t say that that’s not important because they’re vulnerable and so they are inherently important. If you look at where the effort is or where the attack effort is today, I wouldn’t unduly put too much investment there when you can look at the wall of shame, you’ll see our wall of shame – or look at what data HIMSS puts out – the initial compromise was almost always on email.
I think there are some downsides if you don’t look at your attack surface and look at where you have the most vulnerability.
Anthony: Right, right. Very important stuff, very important stuff. Let’s talk about this credential compromise. We talked about email being the way they’re coming in. What they want are the credentials, right? A lot of times that’s what they’re looking for, username, password.
Ryan: That’s the scam. Credentials have become the nirvana state for a threat actor, right.
Ryan: Once they have credentials, once they have access to their network, they have the opportunity to take the time and figure out how they want to launch their attack. Not only do they have the time, they now have a plethora of options to go to the dark web where they can pick out whatever the right exploit is for them to purchase. If they want to do a ransomware attack, if they want to buy a Trojan, if they want to launch a fraudulent attack, combinations thereof. And threat actors used to have specialization around a particular attack technique or a particular exploit, and they would just rinse and repeat their one. Now they don’t have to. Now, they focus more on access, knowing that they can go acquire exploits on the dark web.
Anthony: They want to get the credentials to get in. So that makes me think about the importance of identity and access management. If you are doing IAM right, their access will be limited. But it’s not easy; it’s extremely complicated to do it well.
Ryan: Not an easy topic, not at all. No. Ponemon is one of those organizations that study this a little bit. I’ll quote some of their data. I don’t know if I can get it exactly accurate but certainly within the ballpark, certainly in the context of this conversation.
Ponemon would say that it takes about 6 months before a healthcare organization recognizes that they have a breach within their network. So somebody got in, somebody got some credentials. They’ve had the opportunity to navigate the network, go into the various rooms and do some reconnaissance, make a determination about which room is most valuable or which room might lead to the crown jewels, and they have 6 months before you as a defender recognize that.
If you think about that from a physical security standpoint, if somebody was active physically within the walls of your hospital for 6 months walking around, surveying things, before you can reckon what was going on. (A), it’s creepy, and (B) you can see that would be actually quite valuable from a data gathering standpoint. You could see where if you have that level of access, how much harm you could possibly do against that institution.
Anthony: If we relate this to credential compromise, practically speaking, this would be someone getting scammed, perhaps in a phishing email, giving out their username and password, I assume never realizing they were scammed, and so moving on with their life. However, it’s been compromised, they just don’t know. So they’re not telling anybody. Is that how this happens?
Ryan: That’s one way, for sure. The manifestation of that is quite significant because, all of a sudden, you can use these credentials to not only navigate the network but you could use these things to, let’s say, if you’re a – I don’t want to pick on Microsoft but it is a prevalent technology. They’re using the Microsoft architecture to go upload something onto SharePoint or to build something on Teams and therefore they’re communicating back to some of their employees, some of their staff members and the whole wide organization and saying, for example, ‘hey, this is a new travel policy or this is a new expenses policy, come look here and hit this link.’
Well, if you’re a receiver of that email, you’re like, ‘that’s the thing I would expect that person to send me, it’s within our SharePoint environment, they communicated to me on Teams, it all makes sense. Sure, why wouldn’t I click that link?’ Then you could start to see how effective the attacks can be once they are within the realms of the network.
There are still some who would say, ‘no, my alarm bells are ringing, I’m not going to do that.’ But you can’t blame the staff members who say, ‘why would I question it? It came within my environment.’ So yes, not only can they do the reconnaissance, but they can actually use that opportunity to go pretty aggressive on the exploits they launch.
Anthony: Again, progressing through this thought process, what can security professionals do about the problem of credentials being stolen when the user is never aware they’ve been compromised?
Ryan: Right. There are technologies around identity defense detection and response that look at the most commonly exploited vulnerabilities from identities, and there are some common areas that you see attacked – where you see these cred phishes or credentials being deployed – that you can survey: your service accounts, your administration accounts, anything that requires credentials, maybe cloud credentials, legacy accounts, anything that has access back to the website. You can do some interrogation on the most common areas where people navigate to. That’s one way we look at it.
Then, if you have concerns in this area, or just to offer a layer of defense in these areas, you could present a shadow version of these capabilities, of these access points, back to a threat actor and give them the impression that they’re navigating within your environment, your accounts payable system, whatever system you want to talk about, your EMR. Give them the impression that they’re navigating this environment, but they’re doing so in what is essentially a shadow, fictitious network architecture and design. They’re navigating only within this environment and so therefore, you don’t have an undue exposure to them.
Then, you could use that knowledge in a couple of ways. One is you can figure out what is most interesting and attractive to the threat actors, what do they gravitate towards. One of the things – I think you and I may have discussed this previously – is how frequently, for example, hospice departments are attacked. That was a conclusion that initially surprised us. We did not think that would be a primary area of focus for threat actors, but we’ve seen that come up time and time again.
Now, why do they have that motivation? That’s a different conversation. But then it allows you to make that determination, and then it also allows you the opportunity to understand more about the organization, get them in a situation to potentially reveal more about their organization and from an audit, compliance, dealing-with-authorities standpoint, it could offer a lot of really valuable data.
Anthony: Excellent, excellent. I’m just wondering about some of the ways you might detect that credentials have been compromised. Perhaps log-ins are occurring in two places at once?
Anthony: I’m logged in as a user and the bad guys have it and they’re trying to log in as well and the system is able to detect that, or if the location of the log in is somewhere unusual, right?
Anthony: That might be detected. This would be more sophisticated but if the user is doing things outside, perhaps, of a profile of what they normally do.
Ryan: 100%. Work patterns are big – heuristics and work patterns and trying to make a determination about what their normal work activity looks like and whether this is in line with that. 100%, yes.
Anthony: It’s all going to be automated, right?
Ryan: Yes, yes.
Anthony: Software that does all this, so you’re getting an alert like: Joe Smith is doing some weird stuff that he doesn’t usually do, ding, ding. Let’s check it and figure it out. Then I guess the investigation begins and, to your point, sometimes we find that Joe Smith, his credentials, are being used, but let’s put in some honeypot, I don’t think you use that term but maybe that’s the wrong term. But let’s put him in some safe sandbox and watch him. Put the little cover on and watch, watch what he or she is doing and that will help us with our investigation and whatnot.
Ryan: For sure, for sure. You start to see what we would have called maybe, I don’t know, 18 months ago, machine language as a way that we would automate log-less processes. Now, I think it probably would be more appropriate to call that AI, right? But there are learnings here. It’s automated. It’s trying to figure out where Joe Smith should be from within your system like, where would he normally have access or not and making that determination in an automated way.
Anthony: Identifying compromised credentials. Let’s talk a little bit about the idea of education around teaching users that if you think you might have been compromised, you better tell someone and not pretend it never happened, because time matters. Does that make sense?
Ryan: It makes total sense. I can’t stress enough how open you should be and transparent you should be with your IT team. Your IT teams are about safeguarding your institution. They really need as much assistance from you as possible. So much so that we can make the argument that everybody’s second job these days is to be a security professional, because we’re all part of this defense mechanism that’s so crucial.
I think the reality is your IT teams will already have a determination about your likelihood of vulnerability. Your IT team generally, from a vulnerability standpoint, will bucket you into at least one of potentially three categories where they look at vulnerable aspects. If you are a person, for example, who has a public persona for whatever reason, you could be a noteworthy specialist, surgeon, you could be a member of the executive team, you could be a noteworthy researcher, you could be somebody who raises money for the institution and foundation. You could be somebody who runs 5Ks and 10Ks on your hospital’s behalf and therefore, your name is out there.
If you have this public persona for whatever reason, the reality is that makes you a much more significant target. That’s a consideration your hospital definitely takes into account. You could be somebody who is the opposite, right? You don’t have any public persona at all but you work in a highly targeted area. You work in accounts payable, you could approve invoices, you could approve payments, you can approve payroll. You could be an administrator to a particular system.
The bad actors know who those people are and they target them more, exponentially so. Or you could be somebody who just works in a really vulnerable way. You’re not doing anything wrong, but maybe you’re in, I don’t know – you’re in HR. Your job is to recruit people into your organization. As a result of your job, you have to download files, download resumes, you have to go on to LinkedIn or Twitter or wherever a possible candidate might point you to go learn more about them. You’re downloading a file, you’re clicking on links, you just work in a vulnerable way.
The point – I’m trying to reassure people that there is an expectation based on your department that you are much more likely to be attacked and therefore, there’s a lot of empathy about your situation, your work situation, about how it’s easy for you to fall for these attacks.
Or you could be just someone like a nurse, for example, who’s multi-tasking constantly; you have a thousand things you’re trying to juggle at one point in time and it’s easy to make one mistake. People empathize with the situation. Don’t be fearful of your cybersecurity teams. They’re here to help you.
Anthony: Ryan, we’re almost out of time. I just want to wrap it up this way. That very attacked person concept, it applies before an attack or a compromise with the training, the tools, the education, extra protections for those people that are very attacked. It also applies, it sounds like, after a potential breach in the sense of monitoring the credentials of very attacked people to see if there’s anything odd going on with them. You want to keep a closer eye on those because, again, they could be compromised and not know about it. Correct?
Ryan: Absolutely. It’s a good summary. If I could leave you with some parting thoughts, one is you probably have to make some tradeoff. You have to place some bets, however you want to phrase this. You’re going to have to prioritize where you make your investment from a cybersecurity standpoint. I would really encourage people to understand your vulnerabilities. There’s enough data in the marketplace from Proofpoint and from others around about where the threat activity is most active, where within your institution it’s most active. There’s a lot of organizations that probably look like yours and have similar challenges. Try to get that data because I believe it should drive your security strategy.
I’m not going to sit here and say, even though I work for Proofpoint, we have a bias towards technology; that technology is always the answer. It may not be, that’s where you have to look within your institution and figure out what’s best for you, but the starting point is that data. I think the second thing to say in relation to that is, if you can’t get that data, you can always call us. If not, think about what makes your organization special, about why your organization is attractive to your patient base.
There is something about you, right? Everybody’s got something. You specialize in this particular discipline or it’s your location or it’s the client base you serve, whatever. From a financial standpoint, the threat actors definitely have to figure that out. They think in that way. So even if you can’t get access to this data, think about who would be more likely to be attacked from a personnel level or departmental level and if you can see some things that will be attractive, that’s probably where they’re attacking. That, again, should be a data point to drive your overall strategy.
Anthony: Wonderful, Ryan. Another great chat with you. I want to thank you so much for your time today.
Ryan: I really enjoyed it. Good talking to you.