Modernizing Security for the Healthcare Industry
Uploaded by: kevin-obrien
Category: Healthcare
Transcript of Modernizing Security for the Healthcare Industry
Who, What, Why
400 breaches (as of 6/30/2015):
● 85.8% Medical/Healthcare
● 13.1% Government/Military
● 0.6% Educational
● 0.3% Financial
● 0.1% Business
117,576,693 records compromised
Healthcare records: 50x the black-market value of all other data sets
Breach Study: Anthem
● Multi-week attack (December 2014)
● 80 million records lost, primarily PII:
○ “Names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data” compromised.
Defender Detection Deficit
● 60% of all attackers can fully compromise a network in <24 hours
● >50% of all defenders require days or weeks to detect them
Security Teams Stuck in Neutral
85% of information security professionals say that just staying on top of known issues consumes most of their time.
Breach and Attack Trends
“In the long run, men hit only what they aim at.”-Thoreau
Early stage attack patterns:
○ Compromise user credentials
○ Establish command-and-control channels
○ Move laterally, access, and then exfiltrate sensitive, regulated, and/or valuable data
Abstracting Attack Patterns
Attack Anatomy
● ~849 distinct IP addresses
● ~13 countries
● ~818 distinct organizations owned the IPs/domains
● Consistent encryption certificates
● Multiple malware signatures
● 1,000+ unique servers in use
Unpacking The Modern Attack
90% of attacks begin with targeted spear phishing
Typical phishing campaigns result in account compromise and lateral movement within 1 minute, 22 seconds
84.4% of successful malware attacks are used to establish long-term command and control (“c2”) access
Once established, C2 access may lie dormant for days, weeks, or months; with (on average) 150,000 daily logs to review, anomalous activity is usually missed by infosec teams
Once the C2 channel is activated, the resulting exfiltration of sensitive data causes (on average) $3.79 million in damage
Customer Case Study - Health Insurer
Customer: MA-based health insurance company
Situation:
● Board mandate to prevent a data breach following the Anthem hack
● InfoSec team incredibly busy, little time for research
● CFO nearly spear-phished in late 2014 (via domain spoofing)
● Complex infrastructure (Google Apps, PaaS servers, cloud file storage)
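The domain spoofing that nearly caught the CFO is the case the deck's “domain transformation” check (under Critical Gaps) is meant to catch. The following is an added example, not code from the deck or its vendor: it classifies inbound sender addresses against a list of the organisation's own domains after folding visually confusable characters, measuring edit distance, and checking whether a trusted name is embedded in some other registrable domain. The trusted-domain list, the confusable table and the sample addresses are constructed for the example, and registrable-domain extraction is deliberately simplified (last two labels, no Public Suffix List).

```python
"""Look-alike sender-domain detection ("domain transformation" check).

Added example; not code from the original deck or its vendor. The trusted
domain list, the confusable table and the sample addresses are constructed
for the example, and registrable-domain extraction is a deliberate
simplification (last two labels, no Public Suffix List).
"""

# Constructed trusted-domain list (assumption: the insurer's own domains).
TRUSTED_DOMAINS = {"acmehealth.com", "northpointmed.org"}

# Character sequences attackers substitute for visually similar ones.
# Multi-character entries come first so "rn" folds to "m" before "1" to "l".
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"), ("|", "l"),
]


def skeleton(label: str) -> str:
    """Fold a domain label to a canonical form so look-alikes compare equal."""
    s = label.lower()
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single typosquat changes such as acme-health."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the host, e.g. mail.acmehealth.com -> acmehealth.com.
    Simplification: a real deployment uses the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' (registrable domain is ours), 'lookalike'
    (resembles ours by confusable folding, edit distance, or by embedding
    our name in a different registrable domain) or 'unrelated'.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable(domain)
    if reg in trusted:
        return "trusted", reg
    name = reg.split(".")[0]
    for t in sorted(trusted):
        tname = t.split(".")[0]
        # (a) identical after confusable folding: acrnehealth, acmehea1th
        if skeleton(name) == skeleton(tname):
            return "lookalike", t
        # (b) one or two edits away from a reasonably long name: acme-health
        if levenshtein(name, tname) <= (2 if len(tname) >= 8 else 1):
            return "lookalike", t
        # (c) our name embedded in a foreign registrable domain:
        #     acmehealth-secure.com, acmehealth.com.evil.net
        if tname in domain:
            return "lookalike", t
    return "unrelated", None


def triage(addresses, trusted=TRUSTED_DOMAINS):
    """Hold for review everything that is not from a trusted domain, with its
    classification attached (the deck's 'flagged and automatically classified')."""
    return [(a, *classify_sender(a, trusted)) for a in addresses
            if classify_sender(a, trusted)[0] != "trusted"]


# Constructed sample mailflow for the example.
SAMPLE_SENDERS = [
    "cfo@acmehealth.com",            # trusted
    "finance@mail.acmehealth.com",   # trusted (subdomain)
    "cfo@acrnehealth.com",           # rn -> m look-alike
    "cfo@acmehea1th.com",            # digit 1 for letter l
    "cfo@acme-health.com",           # typosquat, one edit away
    "it@acmehealth.com.evil.net",    # our domain as a subdomain of another
    "newsletter@example.com",        # unrelated, held but not a look-alike
]

if __name__ == "__main__":
    for addr, verdict, match in triage(SAMPLE_SENDERS):
        print(f"{verdict:10s} {addr:32s} resembles {match}")
```

Run it and the five non-trusted addresses print with their verdicts; only the two genuinely internal senders pass. The embedding check (c) is the one that catches the “our-domain-as-a-subdomain” trick that passes a naive string-suffix comparison.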
Customer Case Study - Health Insurer
Risks
● Team unable to see whether attacks are occurring
● Loss of PHI would result in millions of dollars in fines, massive reputation damage, and possibly the end of the CIO's career
● Given the scope and size of a breach, a large-scale loss of patient information could jeopardize the company's very existence
Customer Case Study - Health Insurer
● Spear Phishing:
○ >150,000 emails analyzed in first 72 hours
○ 300 suspicious emails flagged and automatically classified
● Account Monitoring:
○ PHI database, Google Apps, and fileserver monitoring
○ Authentication detection (preventing APT/under-the-radar compromise)
● Automated compliance reporting
Critical Gaps
Early Stage Breach Detection?
● Spear Phishing Detection
○ Domain transformation
○ Malware delivery
○ Relationship deterministics
○ Multi-variate risk analytics
● Account Compromise Detection
○ Geolocation and mapping
○ Chronological analysis
○ Success / failure outliers and probabilistics
● Anomaly Detection and Response
○ Anomaly detection
○ Alert analysis and aggregation
○ File-level monitoring
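The three items under Account Compromise Detection (geolocation, chronological analysis, success/failure outliers) are easier to see as running detection logic than as bullet points. The following is an added example, not the deck's or any vendor's code: it orders authentication events per user, raises “impossible travel” when two consecutive successful logins are geographically farther apart than a plausible speed allows, and raises a failure-burst alert when a success follows a run of failures inside a short window. The log format, the log lines and the IP-to-location table are all constructed for the example; a real deployment would read a GeoIP database and its own log schema.

```python
"""Account-compromise detection over authentication logs.

Added example; not code from the original deck or its vendor. It implements
the three checks named under "Account Compromise Detection": geolocation
(impossible travel between consecutive successful logins), chronological
analysis (events ordered per user and compared in sequence) and
success/failure outliers (a burst of failures that ends in a success).
The log lines, the log format and the IP-to-location table are all
constructed for the example; a real deployment reads a GeoIP database.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (city, lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": ("Boston", 42.36, -71.06),
    "203.0.113.11": ("Boston", 42.36, -71.06),
    "198.51.100.7": ("Kyiv", 50.45, 30.52),
    "192.0.2.44": ("Chicago", 41.88, -87.63),
}

MAX_SPEED_KMH = 900.0            # faster than an airliner: impossible travel
FAIL_BURST = 5                   # failures within FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=10)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_line(line):
    """Parse the constructed format:
    '2015-06-01T08:00:00 user=jdoe ip=203.0.113.10 result=success'."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"],
            "ip": kv["ip"], "ok": kv["result"] == "success"}


def detect(lines):
    """Return a list of (user, alert_type, detail) tuples."""
    by_user = defaultdict(list)
    # Chronological analysis: sort globally, then walk each user's history.
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        last_ok, failures = None, []
        for ev in events:
            if not ev["ok"]:
                failures.append(ev)
                continue
            # Geolocation: compare with the previous successful login.
            there = GEO.get(last_ok["ip"]) if last_ok else None
            here = GEO.get(ev["ip"])
            if here and there and here != there:
                km = haversine_km(there[1], there[2], here[1], here[2])
                hours = (ev["ts"] - last_ok["ts"]).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if speed > MAX_SPEED_KMH:
                    alerts.append((user, "impossible_travel",
                                   f"{there[0]} -> {here[0]}, {km:.0f} km in {hours * 60:.0f} min"))
            # Success/failure outlier: many failures shortly before this success.
            recent = [f for f in failures if ev["ts"] - f["ts"] <= FAIL_WINDOW]
            if len(recent) >= FAIL_BURST:
                alerts.append((user, "failure_burst_then_success",
                               f"{len(recent)} failures in the {FAIL_WINDOW.seconds // 60} min "
                               f"before success from {ev['ip']}"))
            last_ok, failures = ev, []
    return alerts


# Constructed sample log; deliberately not in time order to show the sort.
SAMPLE_LOG = [
    "2015-06-01T08:00:00 user=jdoe ip=203.0.113.10 result=success",
    "2015-06-01T08:40:00 user=jdoe ip=198.51.100.7 result=success",    # Boston -> Kyiv in 40 min
    "2015-06-02T07:00:00 user=jdoe ip=203.0.113.10 result=success",    # back after ~22 h: plausible
    "2015-06-01T09:00:00 user=asmith ip=192.0.2.44 result=failure",
    "2015-06-01T09:01:00 user=asmith ip=192.0.2.44 result=failure",
    "2015-06-01T09:02:00 user=asmith ip=192.0.2.44 result=failure",
    "2015-06-01T09:03:00 user=asmith ip=192.0.2.44 result=failure",
    "2015-06-01T09:04:00 user=asmith ip=192.0.2.44 result=failure",
    "2015-06-01T09:05:00 user=asmith ip=192.0.2.44 result=success",    # success after 5 failures
    "2015-06-01T12:00:00 user=bnguyen ip=203.0.113.10 result=success",
    "2015-06-01T12:30:00 user=bnguyen ip=203.0.113.11 result=success", # same city, new IP: fine
    "2015-06-01T13:00:00 user=clee ip=203.0.113.10 result=failure",
    "2015-06-01T13:01:00 user=clee ip=203.0.113.10 result=success",    # one typo, not a burst
]

if __name__ == "__main__":
    for user, kind, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:28s} {user:8s} {detail}")
```

On the sample log this produces exactly two alerts: jdoe's Boston-to-Kyiv login 40 minutes apart, and asmith's success after five failures in five minutes; the same-city IP change and the single mistyped password stay quiet. The two thresholds (speed and burst size) are the knobs the deck's “probabilistics” item refers to; they are set here as plain constants for readability.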