Cyber resilience is a concept that most organizations are familiar with. It is defined as the ability to withstand and recover from adverse events that have the potential to impact an organization's information systems and IT resources.
Hospitals are no stranger to this need, of course, and most have refined downtime procedures to keep patient care operational in the event that EHR, PACS and other clinical systems are affected by an incident.
But while downtime procedures and other incident-response procedures that support cyber resilience often include information security components, it is not unusual to find that organizations neglect to ask an important question: How much resilience does my organization have if one of my cybersecurity tools or controls were to suffer an adverse event?
If a healthcare organization were to suddenly lose EDR telemetry, have a firewall fail open, or have a zero day inconveniently render a system vulnerable, is there enough cyber resilience across security controls to ensure the organization stays protected?
While incidents like the recent CrowdStrike event, which disabled Windows systems worldwide, have brought this issue to top of mind for many hospitals, it is important to remember that controls do not fail only in major events.
In fact, security controls fail all the time, and attackers are often adept at bypassing common security tooling.
Hospitals need to develop robust security strategies and architectures that account for control failures in order to ensure they have built a security program that is resilient enough to withstand adverse events and protect the patients in their care.
To achieve an effective level of cyber resilience for security controls, healthcare organizations should begin to consider incorporating some of the approaches detailed below:
Measuring control efficacy
Many of the standards the security industry follows today are useful for setting minimum baselines for which security controls are needed to keep an organization secure, but one of the limitations of these standards is that they tend to focus on control existence rather than control efficacy.
Being able to check off having a firewall is very different from empirically evaluating the efficacy of the firewall ruleset against attacker behavior such as data exfiltration or the establishment of command and control.
The adoption of approaches such as evidence-based security can help organizations evaluate the efficacy of their controls against attacker techniques and identify all of the areas where controls are not working as well as intended.
This is especially critical because controls fail more often than many organizations realize, with one study estimating that controls such as EDR only work to stop attacks 39% of the time.
Such approaches to measuring security are vital because it is through the identification of weaknesses that we often find the best opportunities for improvement. Ensuring that the controls we have work to an acceptable level of efficacy is the first step toward control resilience, because it ensures that our defenses do not fail right out of the gate.
Eliminate bypasses
Related to the above, a common issue with many security tools and controls is that even when a control can be demonstrated to have a high level of efficacy against common attacker techniques, attackers often have means of bypassing controls in their playbooks, such as booting into safe mode to bypass EDR, or using DNS tunneling to mask command and control and bypass egress filtering.
As security professionals we need to identify and work to eliminate all of the various ways in which controls can be bypassed. In the case of safe mode, perhaps we block the bcdedit command from execution, keeping in mind that bcdedit is not the only way to change the boot configuration, so the block should be tested against the alternatives. In the case of DNS tunneling, perhaps we add controls to block the lookup of domains that are not categorized as safe, force all DNS through internal resolvers, and build detections for DNS requests or responses that are unusual in size.
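The size-based DNS tunneling detection described above, as an added example that is not part of the original article: it reads a constructed resolver-style query log (timestamp, client, query name, query type, answer size in bytes) and flags queries whose leftmost label is unusually long or high-entropy, or whose TXT/NULL/CNAME answers exceed the classic 512-byte UDP limit. The log lines, the thresholds and the `t.attacker.example` domain are all constructed for illustration and should be tuned against your own baseline before alerting on them.

```python
"""Flag DNS queries that look like tunnelling traffic (added example, not from the article)."""
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: "<timestamp> <client> <qname> <qtype> <answer_bytes>".
# The two long, base64-looking labels imitate a tunnel moving data to
# t.attacker.example; the rest are ordinary hospital lookups.
SAMPLE_LOG = """\
2024-08-01T10:00:01 10.1.2.3 www.hospital.example A 60
2024-08-01T10:00:02 10.1.2.3 pacs01.hospital.example A 60
2024-08-01T10:00:03 10.1.2.7 mail.hospital.example MX 80
2024-08-01T10:00:04 10.1.2.9 ZXhmaWx0cmF0ZWQtZGF0YS1ibG9jay0wMDAx.t.attacker.example TXT 900
2024-08-01T10:00:05 10.1.2.9 cGF0aWVudC1yZWNvcmQtc2VnbWVudC0wMDAy.t.attacker.example TXT 880
2024-08-01T10:00:06 10.1.2.3 cdn.vendor.example CNAME 120
"""

# Heuristic thresholds (assumptions chosen for illustration; tune to your baseline).
MAX_LABEL_LEN = 30       # single hostname labels are rarely this long
MAX_QNAME_LEN = 52       # whole names longer than this are uncommon outside CDNs and tunnels
ENTROPY_BITS = 3.5       # bits/char; base64 or hex payloads sit well above plain words
MAX_ANSWER_BYTES = 512   # classic UDP DNS limit; bigger TXT/NULL/CNAME answers are unusual
BULKY_QTYPES = {"TXT", "NULL", "CNAME"}


@dataclass
class Finding:
    client: str
    qname: str
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or one-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def inspect_query(client: str, qname: str, qtype: str, answer_bytes: int) -> Optional[Finding]:
    """Return a Finding listing every heuristic the query trips, or None if it looks normal."""
    reasons = []
    leftmost = qname.rstrip(".").split(".")[0]
    if len(leftmost) > MAX_LABEL_LEN:
        reasons.append(f"leftmost label length {len(leftmost)} > {MAX_LABEL_LEN}")
    if len(qname) > MAX_QNAME_LEN:
        reasons.append(f"qname length {len(qname)} > {MAX_QNAME_LEN}")
    entropy = shannon_entropy(leftmost)
    if entropy > ENTROPY_BITS:
        reasons.append(f"label entropy {entropy:.2f} bits/char > {ENTROPY_BITS}")
    if qtype in BULKY_QTYPES and answer_bytes > MAX_ANSWER_BYTES:
        reasons.append(f"{qtype} response size {answer_bytes} > {MAX_ANSWER_BYTES} bytes")
    return Finding(client, qname, reasons) if reasons else None


def analyze(log_text: str) -> List[Finding]:
    """Parse the whitespace-separated log format above and return all findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, qname, qtype, size = line.split()
        finding = inspect_query(client, qname, qtype, int(size))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client} {f.qname}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, only the two queries to `t.attacker.example` are flagged, each for label length, total name length, entropy and oversized answer at once; ordinary names like `pacs01.hospital.example` trip nothing. In production the same heuristics work better with a per-client count of distinct subdomains under one registered domain, since a tunnel generates thousands of unique names that no legitimate host does.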
While bypasses may differ from tool to tool, no security tool is perfect, and every tool can be bypassed in some way. The more proactive we are in identifying and eliminating a bypass, the more we can ensure that attackers are forced to contend with the efficacy our controls bring, rather than taking an easy way around them.
After all, a control that can be readily bypassed is not much of a control and will not provide much resilience against an attack.
Vulnerability management
When most healthcare organizations think of vulnerability management, they think of identifying all the places where a patch may be needed and planning to apply the missing patch in a timely manner. While patching is a critical security best practice and something that should be done wherever possible, hospitals should not rely on patching alone as a means of keeping systems secure.
Organizations need to begin to expand the definition of vulnerability management to involve more than just patching, and begin to ask what compensating controls could be applied to mitigate the successful exploitation of a vulnerability.
For example, if we consider a vulnerability like Log4Shell (CVE-2021-44228 in Log4j) in the context of compensating controls, we can see that in order to exploit it for remote code execution, the vulnerable host must make an outbound JNDI lookup, most commonly over LDAP, to an attacker-controlled server. Thus, applying egress filtering to our systems is a compensating control that could be used to mitigate Log4Shell. (It limits rather than eliminates the impact: the DNS variant of the lookup can still leak small amounts of data through the organization's own resolvers, which is one reason to pair egress filtering with the DNS monitoring described above.)
Therefore, if we were to both patch Log4j and apply egress filtering, we would find that we not only had a defense-in-depth control set to protect against Log4Shell, but that we had also improved our cyber resilience against any future zero day that likewise requires outbound communications.
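One way to turn the two points above, measuring a control's efficacy empirically and asking the compensating-control question, into something testable, as an added example that is not part of the original article: model the egress policy as a first-match ruleset with an implicit deny, describe each attacker technique by the outbound connections it depends on, and score how many techniques each ruleset actually blocks. The rulesets, the `10.0.0.53` resolver and `10.0.0.5` proxy addresses, the TEST-NET attacker addresses and the technique list are all constructed for illustration; a real check would generate the same connections from a test host behind the real firewall.

```python
"""Score an egress ruleset against attacker connection requirements (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Connection = Tuple[str, str, int]   # (destination IP, protocol, destination port)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    dst: ipaddress.IPv4Network        # destination network the rule covers
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]]   # None means any destination port

    def matches(self, ip: ipaddress.IPv4Address, proto: str, port: int) -> bool:
        return (ip in self.dst
                and self.proto in ("any", proto)
                and (self.ports is None or port in self.ports))


def evaluate(rules: List[Rule], conn: Connection) -> str:
    """First matching rule wins; anything unmatched is denied."""
    dst_ip, proto, port = conn
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip, proto, port):
            return rule.action
    return "deny"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Ruleset 1: the common "allow all outbound" posture.
PERMISSIVE = [Rule("allow", net("0.0.0.0/0"), "any", None)]

# Ruleset 2: hardened egress (constructed). Only the internal resolver answers
# DNS, only the web proxy reaches the internet, internal traffic is allowed,
# and everything else falls through to the implicit deny.
HARDENED = [
    Rule("allow", net("10.0.0.53/32"), "udp", frozenset({53})),   # internal resolver
    Rule("allow", net("10.0.0.5/32"), "tcp", frozenset({3128})),  # outbound web proxy
    Rule("allow", net("10.0.0.0/8"), "any", None),                # east-west traffic
]

# Each technique lists the outbound connections it needs; it counts as mitigated
# only when every one of them is denied. Attacker addresses are TEST-NET-3.
TECHNIQUES: Dict[str, List[Connection]] = {
    "Log4Shell JNDI callback (LDAP or RMI to attacker)": [
        ("203.0.113.10", "tcp", 389), ("203.0.113.10", "tcp", 1099),
    ],
    "DNS tunnelling via external resolver": [("203.0.113.53", "udp", 53)],
    "Direct HTTPS C2 to the internet": [("203.0.113.77", "tcp", 443)],
}


def score(rules: List[Rule]) -> Dict[str, bool]:
    """Map each technique to True if the ruleset denies every connection it needs."""
    return {
        name: all(evaluate(rules, conn) == "deny" for conn in conns)
        for name, conns in TECHNIQUES.items()
    }


def business_traffic_ok(rules: List[Rule]) -> bool:
    """Sanity check that the policy still allows the approved resolver and proxy paths."""
    return (evaluate(rules, ("10.0.0.53", "udp", 53)) == "allow"
            and evaluate(rules, ("10.0.0.5", "tcp", 3128)) == "allow")


if __name__ == "__main__":
    for label, rules in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        mitigated = score(rules)
        print(f"{label}: {sum(mitigated.values())}/{len(mitigated)} techniques mitigated")
        for name, ok in mitigated.items():
            print(f"    {'blocked' if ok else 'ALLOWED'}  {name}")
```

The permissive ruleset scores zero out of three; the hardened one blocks all three while still passing the approved resolver and proxy paths, which is the point of the article's argument: the rule written for Log4Shell also covers the DNS tunnel and the direct C2 channel that have nothing to do with Log4j. The model also makes the gap visible: the `10.0.0.0/8` allow means an attacker who already holds an internal host could serve the JNDI callback from inside, which is where the microsegmentation discussed under zero trust below comes in.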
Moreover, these kinds of benefits are far from unique to Log4j mitigation. Disabling the Print Spooler service on systems where it was not needed, in response to PrintNightmare, is another example in which the compensating control also protects against the exploitation of future vulnerabilities in the Windows Print Spooler.
Asking the compensating-control question allows us to identify and build the system hardening and security architectures needed to mitigate future vulnerabilities that may not have a patch.
With zero days increasingly being used to compromise organizations, we need to move beyond patching alone and build hardened architectures that can protect organizations in the absence of a patch or in the event a tool is bypassed.
Defense in depth
Defense in depth is a long-established best practice in security, but one that is not always analyzed deeply enough from the perspective of the failure of an entire class of control, or of supply chain failures.
Analyzing failure modes becomes even more pertinent as vendors increasingly try to entice organizations with the promise that "my product can do all this on a single pane of glass." For example, in light of the recent CrowdStrike event, it is not unreasonable to ask what happens if we lose access to EDR and the detections it provides.
Does the organization have enough defense in depth that we would not be blind to a security issue on an endpoint? Perhaps the organization has a secondary source of detection via an MDR or XDR service that provides a layer of defense in depth (provided it does not depend on the same agent for its telemetry), or perhaps Sysmon logging and centralized log collection are leveraged as a secondary detection set.
Defense in depth should be layered in a way that provides not only layers of protection, but resilient layers of protection in the event an entire class of control is lost or, worse, an entire security stack is lost because of a common vendor. Control sets need to be analyzed to identify single points of failure that could leave an organization blind to, or unable to stop, an attack, and defense in depth applied in a way that mitigates the impact.
System diversity
As we consider defense-in-depth strategies as outlined above, we need to be careful that there is some diversity built into security control sets.
While there are definite advantages to having one pane of glass, such as the potential for cost reductions, simplified management, better integration between different capabilities, and so on, it is important to keep in mind that having everything from one source also has the potential to exacerbate any failures.
This could be a major failure on the supply chain side, where multiple security capabilities may be lost simultaneously if the vendor experiences an issue, but it could also cause more mundane everyday failures.
If we buy our entire stack from vendor A, and vendor A does not yet have a way to detect a new threat, we will likely fail to detect the threat at every layer.
If we have some diversity in product sets (e.g. having EDR and XDR from different vendors, or having different brands for internal and perimeter firewalls, etc.), there is an increased likelihood of detecting a threat even when vendor A cannot. System consolidation makes sense in many cases. It just needs to be done in a way that still maintains resilience where needed.
Zero trust
While zero trust and the various techniques it encompasses, such as microsegmentation, can be applied as compensating controls to help achieve many of the goals already discussed, it is worth highlighting separately as well.
When zero trust principles are applied to system hardening guidelines and system architectures, they become a great way to build security resiliency into systems.
Zero trust, at root, assumes that anything can be compromised and works to proactively mitigate threats by ensuring that every person and every machine has the least amount of access needed to do their job. Establishing a zero trust mindset and using zero trust principles will improve the security resilience of systems.
While the above list should not be considered comprehensive in terms of what can be done to improve the resilience of security controls, it should help outline some of the major ways in which security resilience should be factored into the security strategies and architectures that healthcare systems use.
It is critical to patient safety that security control sets are designed to be resilient enough to withstand ransomware and other cyberattacks that lead to adverse patient care events.
at Mount Sinai South Nassau.
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.