This post was originally published here by Sqrrl Team.
What goes into running a top-notch SOC? Recently, we sat down with Taylor Lehmann, the CISO of Wellforce, to get his takes on managing breaches, leveraging data, and adapting new hunting techniques.
Question: So, you mentioned this concept of a virtual CISO. Can you talk a little bit about what that is and how do people use that service?
Taylor Lehmann: It's sort of a blend, I would say. You're starting to see legislation coming out on a state basis, and I think as you saw with some of the executive orders coming from Trump with respect to cyber. And what I found in just talking with folks is that most small to medium businesses can't carry the weight of a CISO, but they need the help and they need the strategic guidance. At the same time, the boards of those companies need the same things. So, without having to provide or force these companies to carry the weight of a CISO, there's a way you can sort of fractionalize their time, give them the time they need to provide businesses feedback on what their plans are but also give them sort of a phone to have somebody to call in the event there's an issue or a problem, that they can rely on to get the right advice at the right time.
And, of course, on top of that there's this wonderful world of products and services that a lot of these companies don't know how to decide on what's right for their business. And, you know, we can help and have helped with doing a lot of what I'd say is system selection, product selection, and the whole project management. It just gives a whole facet of, you know, the economy, access to skillsets they would otherwise not be able to get because either they couldn't afford it or it wouldn't be specific enough to their business. And you're starting to see, you know, that now becoming mandated, especially in the state of New York where, you know, it's sort of official on the books: The Department of Financial Services is mandating having senior leadership represent cyber security.
Q: What are some of the unique challenges of working as a healthcare CISO?
Taylor: Yeah, so that's an interesting question. So, my own story with healthcare is my first project coming out of college was spending six months with a large insurance company in Hartford, Connecticut, healthcare insurance company, and I was sort of forced in. But I got to know the business and I understood how it worked. I also developed this feeling that what I did mattered to people, and their health, and their families. And so it became very personal to me over time where, you know, I'd sort of chosen my destiny and decided that healthcare was for me.
What I didn't realize at the time, but I gained an appreciation for when I joined financial services, was how different and complex the problems are between the two. Whereas, in healthcare, whether you're on the insurance side, or you're on the payer's or provider side, or you're in pharma, what have you … And speaking from provider, just to be specific, you know, much of what you do goes directly to supporting, you know, the health and safety of people. And you're, in a sense, you're providing a social good and giving back, at the same time these organizations are old, they've been built upon, you know, brick upon brick. I can tell you Tufts Medical Center was one of the original hospitals of Boston, there's a lot of history there and, if you can imagine, from a tech perspective there's a lot of history there too.
So, you know, legacy technology, snowflakes everywhere, tech debt, you know, to the ceiling, these create lots of interesting challenges that are really hard to solve and that require creativity that goes beyond what you'd say at a financial services firm where the technology's being refreshed every five to ten years, and you have a pretty consistent and standard stack, and, you know, you can deploy something once and expect it to work and be deployed successfully everywhere. That's cool, but only when you deploy it, right? When you have to refresh it, it's cool again, but that's in five years. Healthcare is a new challenge every single day, and every day you learn something new that you didn't know could possibly exist, and you have face-palm moments every day, but it's extremely rewarding at the same time when you're able to solve something that hadn't been solved in 20, 30 years.
Q: What kind of breaches keep you up at night? What are you most worried about?
Taylor: Yeah, I mean, I think ultimately, at the end of the day, I worry about providing a high quality patient care experience for people who visit our medical centers. You know, things that keep me up at night, obviously, we've read about them, you know, monitored attacks on hospitals involving ransomware. There have been some major events in the last year where entire hospitals have been shut down and equipment had to be flown in the next day to restore patient care operations, you know. So, those are top, top for us.
I think, if you look at the data, a lot of the data breach investigation report put out by Verizon, you know, highlights the fact that, still to this day, despite the fact the biggest breaches are due to hacking, the most frequent ones are due to mistakes people make with respect to information handling. And, you know, part of what I'm focused on is trying to find a way to make it really easy for people to do their job and not worry about things like that. You know, training only goes so far, policies are pieces of paper, but if there's a way to educate a workforce to behave a certain way with respect to sensitive information, whether it's your mother's information, or your children's, or your neighbors', you know, I feel like I'm doing my job on those fronts. But, you know, for me it's a personal issue and one that, you know, we take very seriously. But ultimately, you know, a lot of the sort of more advanced ransomware, as well as behaviors, and making sure that we have the right behaviors with the things that I would say are top of mind.
That being said, from a technical vulnerability perspective, we have all the same vulnerabilities everyone else has. We have insider threats, we have external threats. We've got authentication and identity challenges that everyone has had at some point in their career. You know, obviously all of these things need to be addressed but, you know, when we try to prioritize them we always put that, you know, what are the things that are going to affect patient care the most? In a positive and/or negative way, and we try to prioritize those the highest.
Q: What kinds of programs do you put into place to reduce your attack surface?
Taylor: So, I'm still a little new at Tufts, but we are building out many of these programs right now. My major focus right now is just what I think people call "hygiene", or execution consistency. So, making sure that whatever the procedures are that we have for administering user access, for scanning and patching our systems, for, you know, prioritizing vulnerability remediation, that those processes are solid and, to the extent that they can be, they're highly automated. So, we're working with firms now to come in and do process mapping and automation as a way of bringing in, scaling best practices in a way that removes human error. So, that to me is, I'd say, our biggest area of focus right now.
The next is, finding ways and getting creative on collecting data about what's happening in our environment, and subjecting that to much more scrutinous review. You know, detection is important, it's expensive, but we need to be awesome at it if we're going to have a shot at keeping your medical center safe. And so, spending the cycles now to at least figure out what data we need, where we're going to get it from, how we're going to ingest it, process it, manage it and monitor it is a huge area of focus for us.
Many of my colleagues are tool-focused. And I think that's fine, but in priority order, I think regardless of what you do, be really good at it, and automate the hell out of it if you can. And then the second thing is understand what you've got and make sure you keep tabs on it at all times. I think if you do those two things very well, you know, generally speaking, you're going to be in a much better position regardless of what is thrown at you because you're going to know what your execution capabilities are, and you're going to know what information you have on yourself. And, you know, from there you can pay that in any direction you want, but I'd say as core capabilities, those are the two that I'm focused on right now.
And then, you know, obviously the people factor's important and making sure that you've got all the, you know, right defenses in place. The DBIR report does a nice job of summarizing, you know, what's most important and why, depending on your risk profile, and that's great, and we use a lot of that data. We also use the CSF for, you know, helping us sort of programmatize our plans, but at the end of the day for me the focus is on execution quality and situational awareness.
Q: So, this sounds like a really good pivot to talk about threat hunting and what that might mean to you, and how it might be applied inside of your organization. Can you tell me a little bit about how you approach that subject at all?
Taylor: Yeah. When it comes to this topic it's sort of always an interesting debate. I'm of the mindset where you can almost skip the SIEM at this point. And I know that sounds crazy but, to be honest with you, the landscape changes so rapidly; even if a hospital's been around for 100 years, what's happening on the inside and outside is always changing. There's always new interesting intel that's out there that comes out and you need to process. And there's always, you know, suspicions or hypotheses that need to be tested. Alerting and monitoring is fine on events that you think you know could happen, or are early indicators of a bigger problem.
And so, while I say you can skip the SIEM, you do need the ability to maintain awareness of events that are going on and bringing attention to the ones that matter. But, you know, you absolutely need a capability, in this day and age, to detect and respond to compromise and use that as an important feedback loop back into that alerting and monitoring platform. So, you know, the two are hand in hand but, you know, to me, right now, based on what I see is being able to be situationally aware, to determine compromise, is a critical detective capability that probably hasn't received the amount of emphasis that it should today.
That being said, you know, we are starting down that path. We're building the platform to be able to execute high quality hunts, to develop robust use cases and hypotheses, and evaluate them. You know, there's lots of interesting terms we use to call threat hunting but ultimately it's about determining compromise, or determining whether a threat exists and how big it is to us, and then using that as a way to prioritize our remediation, or non-activities. And it helps make sure that we're always focused on the things that matter, and that we've got an effective feedback loop back into our monitoring system. So, when we're done, we've learned something, we've automated it into our infrastructure.
Q: Do you think that threat hunting is one of those capabilities that will reduce that dwell time in the environment?
Taylor: Well, it's interesting. To be honest, it's an issue that's not totally and fully understood, but I do think the activity of being proactive in hunting your infrastructure to identify, you know, sort of hidden, or lost, or sort of over-thought, or overlooked threats is an important activity. Not just because you're going to find this stuff, but you're going to challenge yourself throughout the process to solve information gap issues, to learn your infrastructure, to learn where other vulnerabilities might be. But, ultimately, you know, one of the major benefits is obviously reducing that time to detect and respond, and ultimately remediate.