How a data-driven approach to security helps a small healthcare team embrace automation

The healthcare industry is an inviting and lucrative target for threat actors. It holds lots of valuable personal, health and finance data living in environments that often depend on legacy technology that is hard to patch and is defended by small teams with limited resources. Worse, the cost for data breaches at healthcare organizations is high. Not only does the healthcare industry have the highest cost per record breached according to the 2018 Ponemon Cost of a Data Breach study ($408, nearly double the next-highest industry), but research published last year suggested healthcare data breaches may cause as many as 2,100 deaths per year in the United States.

One healthcare organization is turning to automation and orchestration to maximize the effectiveness of its small team. Martin’s Point Health Care’s information security officer has created a new framework to help create what the company calls a “data-driven approach” to security.

Small team vs. regulations and nation-state attacks

Martin’s Point is a not-for-profit organization providing healthcare services and health insurance plans – both Medicare and Tricare – in Maine and New Hampshire. It has seven healthcare centers and employs 800 staff across 18 U.S. locations. Matthew Witten has been information security officer of Martin’s Point since 2015. Previously CISO for the Louisville Metro Government at the University of Louisville, he was brought in to Martin’s Point as the organization’s first security officer to build a full security program.

Witten’s five-person security team – including a former oncology nurse who found a second career within the security operations center (SOC) team – protects health and insurance records for 80,000 people on its health plans, plus over 100,000 more on the patient delivery side. As Martin’s Point deals with health and finance data, it is regulated by the likes of PCI DSS and HIPAA, but Witten jokes that “HIPAA is a walk in the park” compared to regulatory requirements around Department of Defense data for the military personnel it serves under the Tricare plan.

As well as ransomware attacks, Witten and his team help protect Martin’s Point against targeted phishing campaigns against its senior leaders, as well as attacks from what he describes as “smaller nation states.”

A data-driven security framework

Witten’s small team has many records to protect and a security infrastructure that is creating huge amounts of information. “A lot out there in the business see security as gatekeepers for egress and ingress traffic,” says Witten. “What a lot of people didn’t realize is we’re actually a data department. We’re gathering more data in our department than the entirety of our EMR [electronic medical record systems] and our claims system in any given day. Day after day, we collect more data than what is residing on both of those systems — hundreds of millions of logs per day that we’re collecting from all different avenues.”

This perception of the security function as a data team lead to Witten and his team creating a new framework called DOVeS (Detect, Orchestrate, Visualize and Substantiate), an open, vendor-agnostic feedback loop to normalize, optimize and automate processing of security data into what is relevant for the organization.

“We’re trying to take all the subjectivity out of information security risk, getting away from that nominal one-to-five scale, and really drilling into finding the true risk out there and diving into that data, to the point where we’re running Monte Carlo simulations on some of these to find the true likelihood of something actually happening,” says Witten.

DOVeS aims to govern how information is ingested and acted upon. In short, the team brings in a new stream of data (often from a new area of the business that is being monitored), the team looks at how to normalize and visualize that data, then looks at how to orchestrate and automate that data in a meaningful way, substantiate any risks that are coming out (for example, whether it’s a false positive or a major threat) and that take that information and feed it back into the process to better detect and orchestrate against that risk in the future.

“I’ve worked with so many frameworks, and none of them really focused on the data side of it”, says Witten. “We developed this in-house; it was our deliberate intent of developing a framework to be more data-driven around security.”

How DOVeS works

The “detect” aspect is about understanding what data is coming in from where (and what assets aren’t yet being monitored), normalizing it, and then honing down the alerts to reduce the number of false positives your SIEM is creating. While he says his team has been able to hone it down to very meaningful alarms now, there has been a learning process along the way.

“You’d put a certain stream into effect for monitoring, you’d hone down the alarms and all of a sudden when you’re about to go to sleep at night your phone starts blowing up with 480 alarms because we miscalculated. That happens to us I would say at least on a monthly basis. But with DOVeS, … it’s a fail-forward mentality of consistently improving.”

The “orchestration” and automation step involves writing scripts to take automated actions where possible. That might be blocking or flagging bad sites to the user, alerting the security team to a threat that needs remediation or investigation, or creating scripts to alert certain risky behaviors by users with certain profiles. “Instead of automating yourself out of a job, let’s automate yourself to a better job,” says Witten. “Automate those little simple, everyday tasks that you’re doing over and over and over again, and those two minutes [of time saved] turns into 30 minutes, turns into an hour, turns into an FTE.”

“There are so many automation tools out there to do that. We build our own servers in our environment, so we went outside the security realm and started bringing in server automation tools, using tools like Ansible to spin up, and Docker-izing our SIEM and our EDR [endpoint detection and response] and so we can spin it up and spin it down as we need,” says Witten.

“Visualization” is about making everything easy to understand for the people involved, visualizing the data ingested, and surfacing the right data points at the right time for the right people.

“Substantiate” is about understanding the risk and, says Witten, where “DOVeS all comes together.” This can be anything from reverse-engineering malware, to running a vendor or internal risk assessment, to having the Martin’s Point red team try to emulate or duplicate an attack to see the real damage something would cause before then putting new detection and remediation procedures in place and starting the whole process again.

DOVeS in action

As an example of how DOVeS works, Witten explains how he has recently seen a large uptick in malicious macros being used in Word files being sent via phishing emails So, the company has been using the framework to try to block those without affecting ongoing business processes and legitimate uses of macros.

“We take our Endgame EDR logs, those flow into our SIEM, which then goes into our GrayLog visualization tool. We set up alarms as those are coming through to determine where they’re coming from, how they’re coming in, the what the purpose is,” Witten says. “Instead of looking through each alert every time one come in, we have orchestrated automated streams to show if it’s coming from certain areas of the world and whether its targeting or emulating certain individuals.”

“We determined we were being targeted from a couple of countries who were trying to emulate a couple of our chief executives. We do our own reverse analysis for forensics on the files to see what they were trying to do and substantiate the true risk. We then eliminate admin rights on machines, flag certain TLDs in our perimeter firewalls to say this isn’t truly a legitimate site, and we block a range of IP addresses and whitelist going forward.”

Security automation can be a business enabler

A key part of DOVeS is the idea of constantly improving and feeding back, and Martin’s Point is always looking to expand the framework into new areas. One vendor helping Martin’s Point with its DOVeS idea is Endgame, which is providing EDR services. As well as providing data streams around endpoints for its SIEM and greater protection against attacks such as ransomware hidden in macros, it is also helping the team introduce behavioral analytics into its monitoring and prevention capabilities.

“One of the things we’re working on with Endgame is using the data that we’re gathering and to figure out the risk of employees resigning within the next four weeks,” says Witten. “When somebody leaves, they are going to try to take different pieces of proprietary data to help themselves at their new job, so we’re looking to try to protect our intellectual property and regulatory-protected data as well by detecting that behavior, visualize that the behavior is actually happening, and then start taking action and keep extra eyes on that data, files, systems, whatever, to make sure that nothing’s leaking out.”

Another success within the company was repurposing some of the automation work the security team was doing for the infrastructure team to help automate server upgrade-related tasks. “One of our largest systems is over 40 servers large, so when you do an upgrade to that it takes months. With one of the automations we were doing in security, were able to help automate that entire upgrade process to where instead of taking three to six months to do the full upgrade of the infrastructure, we got it down to three hours, which was massive to the organization.”

Witten and his team started the DOVeS project in 2017, and it wasn’t until late 2018 that he says the project has really started to take true effect. “It wasn’t built overnight, and it’s not just something you can go buy off the shelf, it does take a lot of work.”

However, despite the initial effort, the company’s efforts around automation and orchestration with a small team using this DOVeS framework saw Witten win a SANS Difference Maker award. He and Martin’s Point plan to release the framework as an open-source project – including scripts to help stitch different product together – later in the year. “We know we’re not experts in everything. We contribute to a lot of open-source projects, especially the ones that we use, and we want other people to hopefully contribute to DOVeS as well. Let all the brains come together and show us where we can improve.”