3. POLLING QUESTION
How do you know what your specific cyber risks are?
(Select the most appropriate answer)
A. Threat data feed
B. SIEM
C. Managed service provider/consultants
D. Internally research cyber threats
E. We don’t know
6. Do You Know It’s Coming?
Healthcare Targets Have Been “Low Hanging Fruit” for Cybercriminals
• Large health insurers
• Local dentists
• Specialized healthcare IT consulting firms
• Hospital chains
• Plastic surgery clinics
• Small regional hospitals
• Dialysis center chains
• Small insurance claims processing shops
9. This Cyber Emergency Requires a Different Approach
The reactionary/crisis-mode cybersecurity approach is not working! What we need is…
Consistent, managed and scientific cybersecurity strategy based on long-term commitment to data collection and analysis.
10. Where to Start? Follow in the Footsteps of PSOs
A Patient Safety Organization (PSO) is a group, institution or association that improves medical care by reducing medical errors. Common functions of patient safety organizations are data collection and analysis, reporting, education, funding and advocacy.
Replace “medical care” with “cyber” and you almost have it right?
11. Comparing PSOs to Cyber Risk Intelligence

PSO: Collects data on prevalence and individual details of errors.
Cyber Risk Intelligence: Collects data on cyber activity from OSINT, dark web and internal users.

PSO: Analyzes sources of error by root cause analysis.
Cyber Risk Intelligence: Standardizes cyber event data into ATEP model and analyzes for trends.

PSO: Proposes and disseminates methods for error prevention.
Cyber Risk Intelligence: Speeds response (and pre-response) to incidents.

PSO: Designs and conducts projects to study safety initiatives including monitoring of results.
Cyber Risk Intelligence: Manages risks across your internal organization and supply chain.

PSO: Raises awareness and informs the public, health pros, providers, purchasers and employers.
Cyber Risk Intelligence: Raises cross-organizational situational awareness of cyber risks.

PSO: Conducts fundraising and provides funding for research and safety projects.
Cyber Risk Intelligence: Prioritizes the most effective use of tactical cybersecurity solutions.

PSO: Advocates for regulatory and legislative changes.
Cyber Risk Intelligence: Educates and informs your management and peers.
14. How Do You Get Here?
• Sound risk management is founded in evaluated
intelligence, just like a PSO
• Simplify the complex cyber world into what matters
– Who attacked who/what?
– How was the attack carried out?
– What was the impact?
17. POLLING QUESTION
Do you have a formal threat intelligence and analysis organization/program? (Select the most appropriate answer)
A. Our IT/cybersecurity team handles this
B. Our managed service provider handles this
C. No
D. I don’t know
E. Not yet, but planning on it
19. Bridge the Gap Between Low-Level Tactics & Strategic Insights
20. SurfWatch Healthcare Case Study
Large Non-Profit Healthcare System Business Drivers
• Wanted to be able to produce their own executive-level cyber reports
• “Because it’s real-time, SurfWatch provides way more insight on the cyber world in healthcare than our consulting firm was providing us.”
SurfWatch Advantages:
• Gives full control of cyber reports produced for management
• Adds real-time cyber insights within the healthcare market
• Fraction of the cost of what company was paying consultant for static info
22. Next Steps and Q&A
Read the 2015 Mid-Year Cyber Risk Report:
info.surfwatchlabs.com/2015-mid-year-cyber-risk-report
Download Sample Dark Web Intel Report:
info.surfwatchlabs.com/dark-web-report
Schedule a Demonstration:
• SurfWatch C-Suite: info.surfwatchlabs.com/request-demo
• Dark Web Intelligence Service: info.surfwatchlabs.com/dark-web-service-consultation
This was at a doctor’s office, where I was taken back and waiting to meet with the doctor.
This year the healthcare industry has been on high alert: the Anthem and Premera breaches. But this shouldn’t be such a surprise. Looking at data from 2013 and 2014, healthcare networks were being breached, but not by brute force. In fact, the attacks were not even particularly sophisticated at all, but they were carried out deftly:
Overlooked back doors in supply chains were being exploited.
Third-party software with unchecked permissions was used to easily gain access.
Employees with access to networks were phished and their system privileges used to extract data.
Web applications with network and database access ran with default passwords and incorrect permissions.
Obvious software and network configurations persisted unchecked.
All veritable open doors.
And in 2015 we’ve seen bigger, badder breaches.
Looking back at data from 1-2 years ago it was clear that a lot of bad cyber activity was going on without the good guys even knowing.
Each day, I watched the individual attackers hit their targets. Almost always, they were small and seemingly insignificant ones like local dentists, small consulting firms specializing in healthcare IT, 3-hospital chains in the Pacific Northwest, plastic surgery clinics, tiny regional hospitals in out-of-the-way parts of your own state that you’ve never even been to, dialysis center chains in the Southeast, 5-person insurance claims processing shops, one-off hospital websites in the Midwest and even emergency vets just for reptiles (yes, they have those).
My meetings have shown me that, most often, organizations prize high-cost specialized tools, countless alerts and mountains of low-level log and threat data over anything else. They have been, and still are, too focused on “edge-case” threats independent of any specific risk relevance for their specific businesses. To me, it’s kinda like choosing to look through thousands of keyholes to try and paint a picture of what’s outside the house when you have a system of imagery satellites in geosynchronous orbit.
Worse yet, I’ve found most businesses prefer a very broad-spectrum “cover the waterfront” cyber defense approach mixed with just this kind of inconsistent, niche-focused emphasis on highly specific threats that have little true risk relevance for them. To say it another way, they spend on whatever everyone else is spending on at the macro level and get distracted into expending far too much energy worrying about micro threats for which they have little compelling evidence to support being a real threat to them at all.
This approach is not only all too common across industry today, it is in fact the standard. A standard that’s now starting to be seen as one of failure.
In my day job, as I meet each week with companies and their cybersecurity teams to exchange info and talk about the benefits of practical cyber intelligence functions inside their business organizations, that data has shown me an equally clear and bothersome image.
Healthcare, much like most other sectors throwing their hands up against an impossible cyber defense task, is indolently ignoring the process of gathering and using important, high-level intelligence to focus and tune their cyber defenses against immediate and trending threats.
This reactionary/emergency response approach to cyber simply isn’t getting the job done. What we need to do is take an existing approach used in the healthcare industry to treat disease and apply it to cyber… all based on a commitment to data mining, analysis and planning.
SurfWatch Labs Starts Where Traditional Threat Intelligence Stops
Powerful cyber risk analytics and practical BI apps that drive strategic insights for improved long-term cyber resilience
Met 3 team members in early Dec at SANS Healthcare Cyber Security Summit
Worked with Exec Director of Enterprise Shared Services, within HIPAA Security Program
Bought 10-user C-Suite license about 1 month after meeting at the event
Replacing $100k+ of services with C-Suite