Cybersecurity is top of mind for many healthcare IT leaders. Since the start of 2019, nearly 1 million individuals have been impacted by a breach or other cyber activity, according to the Department of Health and Human Services. With personally identifiable information (PII), financial records, and health information on the line, a cyber readiness plan should be a priority for health IT leaders.
Recently, the Department of Defense (DoD) reached out to private sector partners that specialize in cyber defense and security to help construct a cyber plan. Although the DoD and healthcare organizations differ, they face many of the same threats, most of them focused on stealing valuable data. To combat the enemy, healthcare organizations can take the guidance offered to the DoD and use it to build a cyber readiness plan of their own.
Below is an overview of the cyber initiatives the DoD will be considering, including threat hunting, cloud utilization, and the 1-10-60 rule:
Three Steps to Combatting the Enemy
According to Dmitri Alperovitch, CTO of CrowdStrike, the DoD needs to pivot from cyber hygiene – activities like patching, building an asset inventory, or implementing controls – to focus on threat hunting. Hunting adversaries stops foreign intelligence and military organizations from breaking into networks. “[G]ood cyber hygiene will not stop determined GRU or PLA cyber actors – just as having locks on the door of your house would not stop Navy Seals from getting in if they have a mission to do so,” he shared with members of Congress.
Hunting is a specific activity for Alperovitch. “Hunting is assuming that adversaries are in your network and proactively searching for them by looking across your assets for indicators of malicious activity. Simply investigating alerts generated by security tools is not hunting,” he emphasized. While threat hunting might sound labor-intensive, there are tools that not only hunt for adversaries on a 24×7 basis but do so across millions of machines around the world.
While “the cloud” is often held up as the panacea for organizations looking to modernize their IT infrastructure, in this instance, it really is. Alperovitch shared examples from the financial services and other private sector organizations whose legacy infrastructure and complex operating environments rival those of the Department of Defense and, yet, are making significant progress in combatting threats by using cloud-enabled technologies.
Alperovitch noted that “cloud-enabled technologies work because they flip the asymmetry between offense and defense. Modern security approaches take advantage of cloud resources by recording all computer security-related events in massive cloud-based data stores and perform advanced analytics and forensics on that data to uncover subtle adversary activity. Tracking trillions of events provides rich context for identifying suspicious patterns. What is more, once a threat is identified in one part of the network, cloud-based security technologies allow instantaneous distribution of protection against it, across the entire ecosystem. With millions of endpoints under management, DoD can leverage cloud systems to turn its scale into a strength, rather than a challenge.”
To win the battle in cyberspace, speed is the critical factor; the only way to beat an adversary is by being faster than them. As part of his work at CrowdStrike, Alperovitch developed a model called the 1-10-60 rule. In short, the rule outlines the timeframes an organization needs to meet to detect, investigate, and remediate a threat. “The very best private-sector companies we work with [at CrowdStrike] strive to detect an intrusion on average within 1 minute, investigate it within 10 minutes, and isolate it, or remediate the problem, within 1 hour.”
Alperovitch assured the nation’s legislative and military leaders that while this might sound impossible, it is, in fact, a routine response for the best private sector organizations. What is also important about the 1-10-60 approach is that it does not rely on preventing the initial compromise, but on preventing the adversary from establishing a beachhead within the network and therefore from achieving their objective. And for Alperovitch, this is, in fact, a better definition of preventing a breach.
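The 1-10-60 rule is only useful if a team measures itself against it, so here is an added example (not from the article or from CrowdStrike) that scores incident timelines against the three targets. It assumes the three numbers are sequential phase durations (intrusion to detection, detection to verdict, verdict to containment) and uses constructed incident records, not real data.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Targets from the 1-10-60 rule, in minutes. Treating them as sequential
# phase durations (detect, then investigate, then remediate) is an
# assumption of this example.
TARGETS = {"detect": 1.0, "investigate": 10.0, "remediate": 60.0}


@dataclass
class Incident:
    name: str
    intrusion: datetime     # first malicious activity on the endpoint
    detected: datetime      # first alert or hunt finding for it
    investigated: datetime  # analyst reached a verdict and scoped it
    remediated: datetime    # host isolated or threat removed

    def phase_minutes(self) -> dict:
        """Minutes spent in each phase of the response."""
        def mins(start, end):
            return (end - start).total_seconds() / 60.0
        return {
            "detect": mins(self.intrusion, self.detected),
            "investigate": mins(self.detected, self.investigated),
            "remediate": mins(self.investigated, self.remediated),
        }


def score_1_10_60(incidents) -> dict:
    """Average minutes per phase across incidents and whether each meets its target."""
    report = {}
    for phase, target in TARGETS.items():
        avg = mean(i.phase_minutes()[phase] for i in incidents)
        report[phase] = {"avg_minutes": avg, "target": target, "met": avg <= target}
    return report


# Constructed sample incidents (hypothetical timestamps, not real cases).
SAMPLE = [
    Incident("phish-01", datetime.fromisoformat("2019-06-03 09:00:00"),
             datetime.fromisoformat("2019-06-03 09:00:30"),
             datetime.fromisoformat("2019-06-03 09:08:00"),
             datetime.fromisoformat("2019-06-03 09:45:00")),
    Incident("rdp-02", datetime.fromisoformat("2019-06-04 22:10:00"),
             datetime.fromisoformat("2019-06-04 22:11:00"),
             datetime.fromisoformat("2019-06-04 22:25:00"),
             datetime.fromisoformat("2019-06-05 00:10:00")),
]

if __name__ == "__main__":
    for phase, r in score_1_10_60(SAMPLE).items():
        status = "OK" if r["met"] else "MISS"
        print(f"{phase:12s} avg {r['avg_minutes']:6.1f} min  target {r['target']:4.0f}  {status}")
```

On the sample data detection averages 0.75 minutes and passes, while investigation (10.75 minutes) and remediation (71 minutes) miss their targets, which is the kind of gap the rule is meant to surface.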