With new and renewed attacks against our organizations, Incident Response and Management needs to be a core part of your Information Security program.
Doing only what’s worked in the past and focusing on “preventing” breaches is not a viable tactic. We need to focus broadly on proactive, detective and responsive measures. We need to provide leadership when things go wrong.
Incident Response and Management could be one of the most important parts of a security program because “when” it happens, how we respond to minimize the impact can make a huge difference both for the patients/customers and the organization.
1. IT’S NOT IF… BUT WHEN
CISO Assembly, Dallas, TX
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
Chief Information Security Official
Fairview Health Services
3. o Not-for-profit established in 1906
o Academic Health System since 1997
partnership with University of Minnesota
o >22K employees
o >3,300 aligned physicians
o Employed, faculty, independent
o 7 hospitals/medical centers (>2,500 staffed beds)
o 40-plus primary care clinics
o 55-plus specialty clinics
o 47 senior housing locations
o 30-plus retail pharmacies
2014 volumes
o 6.39M outpatient encounters
o 1.4M clinic visits
o 71,049 inpatient admissions
o 76,595 surgeries
o 9,298 births
o 282 blood and marrow transplants
o 340 organ transplants
o >$4 billion total revenue
5. 2015 – Year of the Breach
2014 – Year of the Breach
2013 – Year of the Breach
2016 – Availability? Integrity?
6. BOARD REPORTING EXAMPLE
• Ransomware first appeared in 1989; large growth since 2013
• 2016 Hollywood Presbyterian – first publicized healthcare org to pay
• $17K ransom paid
• Systems down for over 1 week – ER, OR, imaging, lab, pharmacy
• MedStar, MD – 10 hospital network
• 3+ days of outages – 4 ERs, all inpatient shut down
• 4/7/16, all systems back up
• Most attacks are through email attachment or link based
• Systems must be taken down to stop spread
7. BOARD REPORTING EXAMPLE
• Estimated >$325M paid in ransoms in 2015
• Some variants charge $100-$500 per workstation
• Some are “flat fee”
• Often the cost of downtime and recovery is more than the ransom
• It’s not “if”, but “when” an attack will happen
• There is no “prevention” – Each attack is new and unique
• There are “proactive/prevent” responses, and “detect/remediate” approaches
• We do pursue both
8. • Can we prevent?
• It’s not If, but When
• Is Incident Management the key part of our job?
• How we respond makes a difference
9. • How to start:
• Figure out where your “stuff” is
• Figure out the risks to your “stuff”
• Figure out how you will react if that risk manifests
• Write it down – Playbooks
• Practice
• Know what’s normal – Monitor
Incident Response
12. Discussion Questions
• Can you “defend” your architecture/tech choices?
• Can you detect problems, attacks and IoCs against your enterprise?
• Do you have response plans? Have you exercised them?
• Do you have communication plans? Have you exercised them?
• Does your C-suite have your back? Why?
Editor's Notes
Check out my about.me, with links to twitter feed and Security and Coffee blog.