Responding quickly and effectively to cyberthreats has become a central part of a modern defense against cyberattacks.
When responding to cyberattacks, speed matters. According to the 2016 Data Breach Investigations Report, in 93 percent of cases, it took attackers minutes or less to compromise systems. The same report states that organizations often take weeks or even months to discover that an incident had even occurred – it was typically customers or law enforcement that sounded the alarm, not their own security measures.
Healthcare organizations are soft targets
This dynamic is particularly relevant to healthcare organizations, which cybercriminals view as soft targets for data theft and ransomware for the following reasons:
- Their security departments are often under-staffed relative to similarly sized organizations in other industries.
- Hospitals are harder to defend because they run complex systems across multiple locations, with diverse departmental applications plus both patient and physician web portals.
- Many hospitals are affiliated with university campuses and are exposed through their connections to university networks with porous perimeter security.
- Visiting physicians, consultants, and contractors need access to healthcare networks, which increases the risk of insider threats, credential compromise, and exposures caused by misconfigured systems or devices.
- Embedded operating systems in medical devices frequently have known vulnerabilities that IT staff are unable to patch.
- Healthcare organizations increasingly rely on cloud-based services, applications and data storage. Cloud providers focus on protecting the underlying service, leaving their clients responsible for deploying intrusion detection in their own virtual environments and for monitoring the logs the cloud produces.
Focus on what matters
The first step toward a rapid response to cyberattacks is to determine which threats are critical and require immediate action. This is far from trivial: a mid-sized hospital can see tens of millions of security events traverse its network every day, and thousands of them may be suspicious.
Mature organizations rely on an in-house SIEM or an MSSP to filter and prioritize events. While SIEM technology is potentially very powerful, it requires frequent content updates and 24×7 monitoring to work effectively. Many hospitals receive so many security alerts that their internal staff do not have time to investigate every one. And if the in-house IT team comes to believe that a high percentage of alerts are false positives, they may lose any sense of urgency about following up at all, a common condition known as "alert fatigue".
What does this alert mean?
When it comes to detecting critical threats, accuracy is very important. Another important requirement is context. SIEM users can be challenged by alerts that are hard to understand, lack context, and have no obvious next steps.
To use an example from the boating world, if you received a message from the harbormaster saying your boat was in danger of sinking, that would equate to a critical alert. But if the message told you there is a hole on the port side that could be fixed with duct tape, you would now have useful context about the problem and how to address it.
Similarly in the world of cybersecurity, knowing what asset is being attacked, over what channel, and from what source is important to define what action should be taken to stop the attack and prevent data loss. For example, the IT team may need to block traffic from a specific IP address, quarantine a file, or wipe a laptop.
It’s a 24×7 world
Unfortunately, attackers do not restrict their activities to the local business hours of their targets. Advanced attacks frequently originate from Eastern Europe, China and other regions whose working day falls outside normal US business hours. Simply blocking traffic to or from a country such as Russia does not solve the problem, because attackers have anticipated this countermeasure and now launch their attacks from US-based IP addresses under their control.
Effective security requires around-the-clock monitoring to detect and respond to targeted attacks before they result in data loss and damage to the organization's brand. With a severe shortage of qualified cybersecurity professionals, staffing a 24×7 security team is particularly challenging, and as a consequence many organizations do not have the resources to investigate or remediate threats outside normal business hours.
IT teams need time to investigate critical threats and determine the best course of action. The ideal approach is to automate containment: programmatically block an IP address on a firewall, remove a device from the network, or disable an account. With these techniques a critical threat is contained within a minute or two, which gives the IT team time to remediate the issue, or to roll back the action if the alert turns out to be a false positive.
Active Defense is the next generation of incident response. Automation that blocks traffic or disables a host requires highly accurate threat detection, integration with multiple security products and threat detection systems, and thorough testing. Every automated action should also be reversible and time-limited, and infrastructure that must never be cut off (DNS resolvers, domain controllers, the organization's own egress addresses) should be allowlisted, so that a false positive, or an attacker deliberately triggering alerts from a spoofed source, cannot turn the containment system into a denial of service against the hospital itself.
While very large organizations have the resources to build programmatic response and containment systems in house, mid-sized organizations may prefer to rely on a service provider to deliver these capabilities.
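The following is an added example, not code from the original article or from any vendor product, showing how the contextual alert fields described earlier (asset, channel, source) can drive the automated containment with rollback described in this section. The alert format, the confidence score, the `Enforcer` class standing in for a firewall and NAC API, the internal address ranges and the allowlist are all hypothetical, and the sample alerts are constructed.

```python
"""Alert-driven automated containment with an allowlist, a TTL and rollback.

Added example (not from the article). The Alert fields, confidence score and
Enforcer client are hypothetical stand-ins for a SIEM/MSSP feed and a
firewall/NAC API; the address ranges and sample alerts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Hypothetical hospital address plan: RFC 1918 ranges are "internal" hosts that
# get quarantined at the NAC; everything else is blocked at the perimeter.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Infrastructure that must never be auto-contained (assumed: DNS/DC subnet and
# the hospital's own public egress NAT address).
NEVER_CONTAIN = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "203.0.113.10/32")]


@dataclass
class Alert:
    alert_id: str
    asset: str         # what is being attacked
    channel: str       # over what channel, e.g. "rdp", "smb", "https"
    source_ip: str     # from what source
    severity: str      # "critical", "high", "medium", ...
    confidence: float  # detector confidence in [0, 1]


@dataclass
class Action:
    alert_id: str
    kind: str          # "block_ip" or "isolate_host"
    target: str
    expires_at: datetime
    active: bool = True


class Enforcer:
    """Stand-in for a firewall plus NAC API (hypothetical)."""
    def __init__(self):
        self.blocked_ips, self.isolated_hosts = set(), set()

    def _store(self, kind):
        return self.blocked_ips if kind == "block_ip" else self.isolated_hosts

    def apply(self, kind, target):
        self._store(kind).add(target)

    def undo(self, kind, target):
        self._store(kind).discard(target)


class Containment:
    def __init__(self, enforcer, min_confidence=0.9, ttl=timedelta(hours=4)):
        self.enforcer, self.min_confidence, self.ttl = enforcer, min_confidence, ttl
        self.actions = {}  # alert_id -> Action; this is the rollback record

    def decide(self, alert):
        """Map an alert to a containment kind, or None to hand it to a human.

        Only critical, high-confidence alerts with a parseable source qualify,
        and allowlisted infrastructure is never touched automatically."""
        if alert.severity != "critical" or alert.confidence < self.min_confidence:
            return None
        try:
            ip = ipaddress.ip_address(alert.source_ip)
        except ValueError:
            return None
        if any(ip in net for net in NEVER_CONTAIN):
            return None
        # A perimeter block would not stop east-west traffic, so internal
        # sources are quarantined at the NAC instead.
        return "isolate_host" if any(ip in net for net in INTERNAL) else "block_ip"

    def contain(self, alert, now=None):
        kind = self.decide(alert)
        if kind is None or alert.alert_id in self.actions:  # no double containment
            return None
        now = now or datetime.now()
        action = Action(alert.alert_id, kind, alert.source_ip, now + self.ttl)
        self.enforcer.apply(kind, alert.source_ip)
        self.actions[alert.alert_id] = action
        return action

    def rollback(self, alert_id):
        """Undo one action, e.g. after an analyst marks the alert a false positive."""
        action = self.actions.get(alert_id)
        if action is None or not action.active:
            return False
        self.enforcer.undo(action.kind, action.target)
        action.active = False
        return True

    def expire(self, now):
        """Lift every action whose TTL has passed; returns the ids lifted."""
        lifted = [a.alert_id for a in self.actions.values() if a.active and a.expires_at <= now]
        for alert_id in lifted:
            self.rollback(alert_id)
        return lifted


# Constructed sample alerts covering each decision path.
SAMPLE_ALERTS = [
    Alert("a1", "ehr-db-01", "rdp", "198.51.100.7", "critical", 0.97),    # external -> block_ip
    Alert("a2", "radiology-ws-12", "smb", "10.20.5.41", "critical", 0.95),  # internal -> isolate_host
    Alert("a3", "patient-portal", "https", "192.0.2.9", "critical", 0.55),   # low confidence -> human
    Alert("a4", "dns-01", "dns", "203.0.113.10", "critical", 0.99),          # allowlisted -> human
    Alert("a5", "mail-gw", "smtp", "not-an-ip", "critical", 0.99),           # unparseable -> human
]


def run_demo(now=datetime(2016, 9, 1, 2, 0)):
    """Contain the samples at 02:00 (nobody on shift), expire them after the
    TTL; returns (decision per alert, ids lifted, enforcer state)."""
    c = Containment(Enforcer())
    taken = {}
    for alert in SAMPLE_ALERTS:
        action = c.contain(alert, now)
        taken[alert.alert_id] = action.kind if action else None
    lifted = c.expire(now + timedelta(hours=4, minutes=1))
    return taken, lifted, c.enforcer
```

The TTL means a false positive that nobody reviews overnight lifts itself by the morning shift, while `rollback` lets an analyst undo a specific action immediately; the allowlist check runs before any enforcement so the same pipeline cannot be tricked into blocking the hospital's own DNS or egress address. Real firewall and NAC APIs will differ from `Enforcer`, and the confidence threshold and TTL should be tuned against the detector's measured false-positive rate.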