By John Attala, Director, North America, Endace

The healthcare sector has been and continues to be under attack. As long as malicious criminals and hackers have the upper hand in agility, healthcare organizations, frequently under-resourced, face a never-ending struggle to defend themselves and their data.

Hardware appliances constitute the majority of security solutions required to defend healthcare companies from cyber-attacks. They are expensive to buy and maintain—and can become obsolete before being fully depreciated. The result is that NetOps and SecOps teams are habitually stuck with outdated security solutions during what is often a time-intensive upgrade or replacement process. Getting approval, raising the budget, evaluating vendors, running proof-of-concept tests, deploying and configuring new solutions can often take months or years. Cyber thieves don’t have the same constraints, often using their victims’ own infrastructure to attack them.

For a healthcare organization to be truly agile and able to respond more quickly and more effectively to attacks, it must be able to move beyond hardware-based security solutions. A common platform that allows security analytics solutions to be deployed as virtualized applications removes dependence on specific hardware and allows agile deployment of new functionality as needs evolve.

Virtualizing security functions has the potential to deliver the same benefits that virtualization has delivered in the data center, removing the overhead of managing huge numbers of individual, hardware-based servers and making deployment inexpensive, fast, and relatively easy.

Healthcare security teams face another challenge: dealing with the flood of alerts that their security tools raise. The sheer number of alerts, and the time it takes to triage, prioritize and investigate each one, is overwhelming. Research from McAfee states that 93% of organizations can’t adequately triage relevant threats and are unable to sufficiently investigate 23% of the alerts that are raised.

The fact is, investigations simply take too long. Traditional investigation methods involve a slow, cumbersome, and often inconclusive process of collecting and collating evidence from multiple sources (such as syslogs, NetFlow data, authentication logs, and application logs) and trying to reconstruct what happened.

Leading US healthcare organizations’ security teams are turning to continuous packet capture to give them an edge in dealing with the flood of alerts and helping them accelerate the investigation and response process. Recording what happens on their network lets SecOps teams go from a security alert in their monitoring tools directly to definitive, packet-level evidence. Real-life examples include:

A hospital group in the Northeastern US is preventing malware attacks by extracting and reconstructing executable email attachments from recorded traffic and running them in a sandbox to validate whether they are malware or not. It also uses recorded network history to successfully thwart phishing attacks and identify potentially compromised credentials before attackers have an opportunity to use them to access systems. It can also identify when hospital staff has had their personal credentials compromised while on the hospital’s network (e.g. banking logins compromised through phishing) and as a result can warn them to change their passwords immediately.
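The attachment-extraction step described above, as an added example that is not code from Endace or from the hospital group in question. It assumes the SMTP session has already been reassembled from recorded packets into a single byte string (the DATA phase, still dot-stuffed and still carrying its `<CRLF>.<CRLF>` terminator); the message, the attachment bytes and the addresses are all constructed for this example. The script undoes the SMTP dot-stuffing, parses the MIME structure with the standard library, and for each attachment records its declared type, its SHA-256 (the value a sandbox or threat-intelligence lookup would key on) and whether the file's magic bytes identify a native executable regardless of what the headers claim.

```python
import base64
import email
import hashlib
from email import policy

# Magic bytes for native executables: Windows PE, ELF, Mach-O (32/64-bit, both
# byte orders) and Mach-O fat binaries.
EXECUTABLE_MAGIC = (
    b"MZ", b"\x7fELF",
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)

# Constructed attachment payloads (invented for this example): a stub that carries
# a PE header and a stub that carries a PDF header. Neither is a real file.
EXE_BYTES = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 20
PDF_BYTES = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"


def build_sample_smtp_data() -> bytes:
    """Constructed SMTP DATA phase, as it would look after TCP reassembly of
    recorded packets: dot-stuffed lines, CRLF endings and the final '.' line."""
    exe_b64 = base64.b64encode(EXE_BYTES)
    pdf_b64 = base64.b64encode(PDF_BYTES)
    return (
        b"From: billing@example.invalid\r\n"
        b"To: staff@hospital.example.invalid\r\n"
        b"Subject: Invoice attached\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="==sample=="\r\n'
        b"\r\n"
        b"--==sample==\r\n"
        b"Content-Type: text/plain; charset=us-ascii\r\n"
        b"\r\n"
        b"Please review the attached invoice.\r\n"
        b"..this line began with a dot and was dot-stuffed on the wire\r\n"
        b"--==sample==\r\n"
        b'Content-Type: application/pdf; name="invoice.pdf"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
        b"\r\n" + pdf_b64 + b"\r\n"
        b"--==sample==\r\n"
        # The second attachment lies about its type: PDF headers, PE content.
        b'Content-Type: application/pdf; name="invoice_copy.pdf"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="invoice_copy.pdf.exe"\r\n'
        b"\r\n" + exe_b64 + b"\r\n"
        b"--==sample==--\r\n"
        b".\r\n"
    )


def unstuff_smtp_data(wire: bytes) -> bytes:
    """Undo SMTP dot-stuffing (RFC 5321 section 4.5.2) and drop the
    '<CRLF>.<CRLF>' terminator so the bytes can be handed to a MIME parser."""
    if wire.endswith(b"\r\n.\r\n"):
        wire = wire[:-3]  # keep the final CRLF, drop the '.' line
    lines = wire.split(b"\r\n")
    return b"\r\n".join(line[1:] if line.startswith(b"..") else line for line in lines)


def is_executable(data: bytes) -> bool:
    """Classify by magic bytes, not by the declared Content-Type or extension."""
    return any(data.startswith(magic) for magic in EXECUTABLE_MAGIC)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_attachments(wire: bytes) -> list:
    """Return one record per MIME attachment found in a reassembled SMTP DATA stream."""
    msg = email.message_from_bytes(unstuff_smtp_data(wire), policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        found.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "executable": is_executable(payload),
            "data": payload,
        })
    return found


def sandbox_candidates(wire: bytes) -> list:
    """Filenames worth detonating: anything whose content is a native executable."""
    return [a["filename"] for a in extract_attachments(wire) if a["executable"]]


if __name__ == "__main__":
    for att in extract_attachments(build_sample_smtp_data()):
        print(f'{att["filename"]:24} {att["declared_type"]:18} '
              f'{att["size"]:6d} bytes  exe={att["executable"]}  sha256={att["sha256"]}')
```

The point of checking magic bytes rather than the declared type is visible in the second attachment: its `Content-Type` says PDF, but the decoded bytes start with `MZ`, so it is the one that goes to the sandbox. In a production pipeline the `wire` input would come from the capture system's TCP reassembly rather than from `build_sample_smtp_data()`.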

A large healthcare organization based in the Southern US uses recorded network history to accelerate the investigation of security alerts raised by its security monitoring tools, such as Darktrace, and collected by its Splunk SIEM. The security team can swiftly retrieve the packets relating to an alert to see precisely what has occurred and immediately go into analysis mode to determine how to respond and what the scope of the threat is.

Virtualizing and streamlining security functions on a common platform can enable organizations to continually evolve their defenses and keep ahead of security threats. With access to a packet-level history of network activity, analysts can examine the actual packets relating to a security alert to make sure they have the definitive evidence they need to quickly and conclusively investigate and respond to security threats and reduce the backlog of unexamined alerts.

About the Author

John Attala is the Director, North America for Endace, a world leader in high-speed network monitoring and recording technology. As the North American sales leader, John has played a pivotal role in launching and building Endace’s network monitoring business within North America. He has more than 20 years’ experience in selling networking and security solutions to Fortune 1000 companies and government accounts—bringing a deep understanding of the market, delivering a consultative, solution selling approach to solve complex problems and improving network security across the globe.