Threat Hunting: Buy, Build, Beg or Borrow
What goes into running a top-notch SOC? Recently, we sat down with Taylor Lehmann, the CISO of Wellforce, to get his takes on managing breaches, leveraging data, and adapting new hunting techniques.
Question: So, you mentioned this concept of a virtual CISO. Can you talk a little bit about what that is and how people use that service?
Taylor Lehmann: It’s sort of a blend, I would say. You’re starting to see legislation coming out on a state basis, and I think as you saw with some of the executive orders coming from Trump with respect to cyber. And what I found in just talking with folks is that most small to medium businesses can’t carry the weight of a CISO, but they need the help and they need the strategic guidance. At the same time, the boards of those companies need the same things. So, without having to provide or force these companies to carry the weight of a CISO, there’s a way you can sort of fractionalize their time, give them the time they need to provide businesses feedback on what their plans are, but also give them sort of a phone to have somebody to call in the event there’s an issue or a problem, that they can rely on to get the right advice at the right time.
And, of course, on top of that there’s this wonderful world of products and services that a lot of these companies don’t know how to decide on what’s right for their business. And, you know, we can help and have helped with doing a lot of what I’d say is system selection, product selection, and the whole project management. It just gives a whole facet of, you know, the economy, access to skillsets they would otherwise not be able to get because either they couldn’t afford it or it wouldn’t be specific enough to their business. And you’re starting to see, you know, that now becoming mandated, especially in the state of New York where, you know, it’s sort of official on the books: The Department of Financial Services is mandating having senior leadership represent cyber security.
Q: What are some of the unique challenges of working as a healthcare CISO?
Taylor: Yeah, so that’s an interesting question. So, my own story with healthcare is my first project coming out of college was spending six months with a large insurance company in Hartford, Connecticut, healthcare insurance company, and I was sort of forced in. But I got to know the business and I understood how it worked. I also developed this feeling that what I did mattered to people, and their health, and their families. And so it became very personal to me over time where, you know, I’d sort of chosen my destiny and decided that healthcare was for me.
What I didn’t realize at the time, but I gained an appreciation for when I joined financial services, was how different and complex the problems are between the two. Whereas, in healthcare, whether you’re on the insurance side, or the payer’s or provider side, or you’re in pharma, what have you … And speaking from provider, just to be specific, you know, much of what you do goes directly to supporting, you know, the health and safety of people. And you’re, in a sense, you’re providing a social good and giving back, at the same time these organizations are old, they’ve been built upon, you know, brick upon brick. I can tell you Tufts Medical Center was one of the original hospitals of Boston, there’s a lot of history there and, if you can imagine, from a tech perspective there’s a lot of history there too.
So, you know, legacy technology, snowflakes everywhere, tech debt, you know, to the ceiling, these create lots of interesting challenges that are really hard to solve and that require creativity that goes beyond what you’d see at a financial services firm where the technology’s being refreshed every five to ten years, and you have a pretty consistent and standard stack, and, you know, you can deploy something once and expect it to work and be deployed successfully everywhere. That’s cool, but only when you deploy it, right? When you have to refresh it, it’s cool again, but that’s in five years. Healthcare is a new challenge every single day, and every day you learn something new that you didn’t know could possibly exist, and you have face-palm moments every day, but it’s extremely rewarding at the same time when you’re able to solve something that hadn’t been solved in 20, 30 years.
Q: What kind of breaches keep you up at night? What are you most worried about?
Taylor: Yeah, I mean, I think ultimately, at the end of the day, I worry about providing a high quality patient care experience for people who visit our medical centers. You know, things that keep me up at night, obviously, we’ve read about them, you know, monitored attacks on hospitals involving ransomware. There have been some major events in the last year where entire hospitals have been shut down and equipment had to be flown in the next day to restore patient care operations, you know. So, those are top, top for us.
I think, if you look at the data, a lot of the Data Breach Investigations Report put out by Verizon, you know, highlights the fact that, still to this day, despite the fact the biggest breaches are due to hacking, the most frequent ones are due to mistakes people make with respect to information handling. And, you know, part of what I’m focused on is trying to find a way to make it really easy for people to do their job and not worry about things like that. You know, training only goes so far, policies are pieces of paper, but if there’s a way to educate a workforce to behave a certain way with respect to sensitive information, whether it’s your mother’s information, or your children’s, or your neighbors’, you know, I feel like I’m doing my job on those fronts. But, you know, for me it’s a personal issue and one that, you know, we take very seriously. But ultimately, you know, a lot of the sort of more advanced ransomware, as well as behaviors, and making sure that we have the right behaviors, are the things that I would say are top of mind.
That being said, from a technical vulnerability perspective, we have all the same vulnerabilities everyone else has. We have insider threats, we have external threats. We’ve got authentication and identity challenges that everyone has had at some point in their career. You know, obviously all of these things need to be addressed but, you know, when we try to prioritize them we always put that, you know, what are the things that are going to affect patient care the most? In a positive and/or negative way, and we try to prioritize those the highest.
Q: What kinds of programs do you put into place to reduce your attack surface?
Taylor: So, I’m still a little new at Tufts, but we are building out many of these programs right now. My major focus right now is just what I think people call ‘hygiene’, or execution consistency. So, making sure that whatever the procedures are that we have for administering user access, for scanning and patching our systems, for, you know, prioritizing vulnerability remediation, that those processes are solid and, to the extent that they can be, they’re highly automated. So, we’re working with firms now to come in and do process mapping and automation as a way of bringing in, scaling best practices in a way that removes human error. So, that to me is, I’d say, our biggest area of focus right now.
The next is, finding ways and getting creative on collecting data about what’s happening in our environment, and subjecting that to much more scrutinous review. You know, detection is important, it’s expensive, but we need to be awesome at it if we’re going to have a shot at keeping your medical center safe. And so, spending the cycles now to at least figure out what data we need, where we’re going to get it from, how we’re going to ingest it, process it, manage it and monitor it is a huge area of focus for us.
Many of my colleagues are tool-focused. And I think that’s fine, but in priority order, I think regardless of what you do, be really good at it, and automate the hell out of it if you can. And then the second thing is understand what you’ve got and make sure you keep tabs on it at all times. I think if you do those two things very well, you know, generally speaking, you’re going to be in a much better position regardless of what is thrown at you, because you’re going to know what your execution capabilities are, and you’re going to know what information you have on yourself. And, you know, from there you can pay that in any direction you want, but I’d say as core capabilities, those are the two that I’m focused on right now.
And then, you know, obviously the people factor’s important and making sure that you’ve got all the, you know, right defenses in place. The DBIR report does a nice job of summarizing, you know, what’s most important and why, depending on your risk profile, and that’s great, and we use a lot of that data. We also use the CSF for, you know, helping us sort of programmatize our plans, but at the end of the day for me the focus is on execution quality and situational awareness.
Q: So, this sounds like a really good pivot to talk about threat hunting and what that might mean to you, and how it might be applied inside of your organization. Can you tell me a little bit about how you approach that subject at all?
Taylor: Yeah. When it comes to this topic it’s sort of always an interesting debate. I’m of the mindset where you can almost skip the SIEM at this point. And I know that sounds crazy but, to be honest with you, the landscape changes so rapidly; even if a hospital’s been around for 100 years, what’s happening on the inside and outside is always changing. There’s always new interesting intel that’s out there that comes out and you need to process. And there’s always, you know, suspicions or hypotheses that need to be tested. Alerting and monitoring is fine on events that you think you know could happen, or are early indicators of a bigger problem.
And so, while I say you can skip the SIEM, you do need the ability to maintain awareness of events that are going on and bring attention to the ones that matter. But, you know, you absolutely need a capability, in this day and age, to detect and respond to compromise and use that as an important feedback loop back into that alerting and monitoring platform. So, you know, the two are hand in hand but, you know, to me, right now, based on what I see, being able to be situationally aware, to determine compromise, is a critical detective capability that probably hasn’t received the amount of emphasis that it should today.
That being said, you know, we are starting down that path. We’re building the platform to be able to execute high quality hunts, to develop robust use cases and hypotheses, and evaluate them. You know, there’s lots of interesting terms we use to describe threat hunting but ultimately it’s about determining compromise, or determining whether a threat exists and how big it is to us, and then using that as a way to prioritize our remediation, or non-activities. And it helps make sure that we’re always focused on the things that matter, and that we’ve got an effective feedback loop back into our monitoring system. So, when we’re done, we’ve learned something, we’ve automated it into our infrastructure.
Q: Do you think that threat hunting is one of those capabilities that will reduce that dwell time in the environment?
Taylor: Well, it’s interesting. To be honest, it’s an issue that’s not totally and fully understood, but I do think the activity of being proactive in hunting your infrastructure to identify, you know, sort of hidden, or lost, or sort of over-thought, or overlooked threats is an important activity. Not just because you’re going to find this stuff, but you’re going to challenge yourself throughout the process to solve information gap issues, to learn your infrastructure, to learn where other vulnerabilities might be. But, ultimately, you know, one of the major benefits is obviously reducing that time to detect and respond, and ultimately remediate.