Modernizing Security for the Healthcare Industry

GreatHorn Know Before the Breach Modernizing Security for the Healthcare Industry


Who, What, Why

400 breaches (as of 6/30/2015):

● 85.8% - Medical/Healthcare

● 13.1% - Government/Military

● 0.6% - Educational

● 0.3% - Financial

● 0.1% - Business

117,576,693 records compromised

Healthcare records: 50x the black-market value of all other data sets

Starting Points

“Medicine, to produce health, must examine disease.” - Plutarch

Breach Study: Anthem

● Multi-week attack (December 2014)

● 80 million records lost, primarily PII:

○ “Names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data” compromised.

Domain spoofing used in the Anthem campaign:

wellpoint.com (legitimate)

we11point.com (lookalike: the two letters "l" replaced by the digit "1")


Defender Detection Deficit

● 60% of all attackers can fully compromise a network in <24 hours

● >50% of all defenders require days or weeks to detect them

Security Teams Stuck in Neutral

85% of information security professionals say that just staying on top of known issues consumes most of their time.

The Cavalry Isn’t Coming

Breach and Attack Trends

“In the long run, men hit only what they aim at.”-Thoreau

Early stage attack patterns:

○ Compromise user credentials

○ Establish command-and-control channels

○ Move laterally, access, and then exfiltrate sensitive, regulated, and/or valuable data

Abstracting Attack Patterns

Attack Anatomy

● ~849 distinct IP addresses

● ~13 countries

● ~818 distinct organizations owned the IPs/domains

● Consistent encryption certificates

● Multiple malware signatures

● 1,000+ unique servers in use

Unpacking The Modern Attack

90% of attacks begin with targeted spear phishing

Typical phishing campaigns result in account compromise and lateral movement within 1 minute, 22 seconds

84.4% of successful malware attacks are used to establish long-term command and control (“c2”) access

Once established, C2 access may lie dormant for days, weeks, or months; with (on average) 150,000 daily logs to review, anomalous activity is usually missed by infosec teams

Once awakened, sensitive data exfiltration results in (on average) $3.79 million in damage

Customer Case Study - Health Insurer

Customer: MA-based health insurance company

Situation:

● Board mandate to prevent a data breach following Anthem hack

● InfoSec team incredibly busy, little time for research

● CFO nearly spear-phished late 2014 (via domain spoofing)

● Complex infrastructure (Google Apps, PaaS servers, cloud file storage)

Customer Case Study - Health Insurer

Risks

● Team unable to see if attacks occurring

● Loss of PHI would result in millions of dollars of fines, massive reputation damage, possibly end CIO career

● Given scope and size of breach, a large-scale loss of patient information could jeopardize the company’s existence itself

Customer Case Study - Health Insurer

● Spear Phishing:

○ >150,000 emails analyzed in first 72 hours

○ 300 suspicious emails flagged and automatically classified

● Account Monitoring:

○ PHI database, Google Apps, and fileserver monitoring

○ Authentication detection (preventing APT/under-the-radar compromise)

● Automated compliance reporting

Critical Gaps

Early Stage Breach Detection?

● Spear Phishing Detection

○ Domain transformation

○ Malware delivery

○ Relationship deterministics

○ Multi-variate risk analytics

● Account Compromise Detection

○ Geolocation and mapping

○ Chronological analysis

○ Success / failure outliers and probabilistics

● Anomaly Detection and Response

○ Anomaly detection

○ Alert analysis and aggregation

○ File-level monitoring
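The Anthem lure shown earlier (we11point.com standing in for wellpoint.com) and the "domain transformation" check listed above both come down to recognizing lookalike sender domains. The following is an added example, not GreatHorn's code: it scores a sender domain against a list of domains you defend, assuming a small constructed confusables table and a simplified two-label registered-domain rule.

```python
import unicodedata

# Constructed confusables table (an assumption for this example, not a standard list):
# character sequences substituted in lookalike domains, mapped to what they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "|": "l", "0": "o", "5": "s"}

def skeleton(label):
    """Collapse a DNS label to a canonical form so confusable spellings compare equal."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq in sorted(CONFUSABLES, key=len, reverse=True):  # multi-character sequences first
        ascii_label = ascii_label.replace(seq, CONFUSABLES[seq])
    return ascii_label

def registered_domain(fqdn):
    """Last two labels only (assumption: simple TLDs; co.uk-style suffixes need a public suffix list)."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def levenshtein(a, b):
    """Plain edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(sender_fqdn, protected_domains):
    """Return (verdict, matched_protected_domain) for a sender's domain.

    Verdicts: legitimate (exact registered domain), lookalike (same skeleton or
    brand name embedded in the label), typosquat (one edit away), unrelated.
    """
    sender = registered_domain(sender_fqdn)
    s_label = skeleton(sender.split(".")[0])
    for protected in protected_domains:
        protected = registered_domain(protected)
        p_label = skeleton(protected.split(".")[0])
        if sender == protected:
            return "legitimate", protected
        if s_label == p_label or (len(p_label) >= 5 and p_label in s_label):
            return "lookalike", protected      # e.g. we11point.com, wellpoint-secure.com
        if levenshtein(s_label, p_label) == 1:
            return "typosquat", protected      # e.g. welpoint.com
    return "unrelated", None

if __name__ == "__main__":
    # Constructed sample sender domains, checked against the domains we defend.
    for d in ["mail.wellpoint.com", "we11point.com", "anthern.com", "welpoint.com", "example.org"]:
        print(d, classify_sender_domain(d, ["wellpoint.com", "anthem.com"]))
```

Such a check belongs at the mail gateway or in message-log analysis, where a "lookalike" or "typosquat" verdict on an inbound sender is a strong spear-phishing signal worth alerting on.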


thank you