
Lessons from the SOC: Defending HealthCare & Pharma During Covid

BSides Philly · 2020 · 38:55 · 87 views · Published 2020-12 · Watch on YouTube ↗
Style: Talk
About this talk
In this talk, you will explore the challenges and lessons learned of protecting healthcare/pharma clients from the perspective of a lead SOC analyst, including:

- what's new/changed vs. what's the same in the threat landscape
- training new analysts in a completely virtual setting
- defending a workforce transitioning to remote work
- managing shifting priorities and assuaging anxiety in the C-suite
- projected lasting effects to the industry
- and more
Transcript [en]

[Music]

Hello, and welcome to my BSides Philly talk. I'm really happy we're all still able to get together remotely, and I hope everybody's safe and well. This is my first time presenting at BSides Philly; I've been an attendee since at least 2018, so I'm happy to keep the streak alive of being here in one capacity or another. My name is Kyle Sheely, and I'm a senior consultant at Security Risk Advisors, or SRA. SRA is a boutique information security consulting firm headquartered right here in Philadelphia. Just a little bit about me: I enjoy Dungeons and Dragons, and when there isn't an international pandemic going on I also love to travel. In 2020, since I was at home, this year I became pretty okay at rock climbing and picked up some painting skills too. Here's me painting a green dragon for a Dungeons and Dragons campaign, and if that doesn't establish my nerd cred for you, I don't know what will.

In the past I've been the lead security operations analyst for Fortune 500 and Global 1000 healthcare and pharmaceutical related organizations. My job has me act in a leadership capacity overseeing a number of efforts in cyber security, ranging from vulnerability management, alert triage, security tool engineering, even incident response, all the way to providing detailed recommendations and intelligence to the C-suite. I'm going to touch on some of those insights that I've gathered over the past 12 months, both from my experiences and from talking and working with others in the industry. This presentation is as much about healthcare and pharma-related cyber security as it is about operating in cyber security as a whole, so I think there's a little bit for everybody, and I'm happy you tuned in. And while I have consulted with other individuals on this, I do want to stress that these are my opinions and observations, not necessarily those of any organization I'm associated with or SRA's; I can only speak for myself. Additionally, to keep the anonymity of the organizations that I've protected, I may change or not include certain names and locations in my presentation.

Before we get into it, I do want to address the elephant in the room for any time travelers in attendance or anybody who isn't aware of what's been going on. In November of last year a highly contagious coronavirus dubbed COVID-19, or COVID, began to make its way across the world, and by March of this year many countries had enacted some form or another of lockdown in efforts to contain the virus. A large majority of the world experienced, and continues to experience, a drastic change in how we do business. My clients are in a similar boat. We also interact with loved ones differently and generally live our lives in a completely different manner than what we did just 12 short months ago. Keeping on healthcare and pharma, a lot of eyes have been on us lately, as they're the ones either treating the sick or creating a viable vaccine. At the time of this presentation, unfortunately, about a million and a half people have passed away from things attributed to COVID-19, and much of the United States is going into some form of secondary restriction to curtail another quote-unquote wave of the virus. Several companies admittedly are close to creating a vaccine, but government estimates detail that worldwide, let alone country-wide, dissemination probably won't be ready until about mid-2021. I wanted to give that brief summary there just to set the stage of where we're at and where I'm at operating on a daily basis.

Almost every cyber security attack attempts to include details about important work, life, or current-events-related activities to increase the legitimacy of the activity, or rather the legitimacy of the attack, to entice the user. I might receive an email at work saying that I need to click here to listen to this voicemail, when in actuality, if I click that link, it's going to send me somewhere malicious and I'll probably download something like an Emotet banking trojan. These techniques often ebb and flow over time to coincide with current events; common ones that I've seen include tax season, Christmas bonuses, even the latest political drama. In the case of COVID, however, just like mimicking the global affecting reach that it had on society,

we've seen this huge blanketed approach to cyber attacks by cyber criminals since the beginning of the year: all COVID, all the time. For a period of that time we saw, at least our analysts did, all vectors: phishing, malspam, you name it, a concerted effort to capitalize on COVID as a theme. Now, with that being said, pictured here is just a sampling of COVID-themed phishing attempts that I saw in a 10-day period in March. In the first quarter of 2020 alone, our team saw over 100,000 phony domains registered with COVID-19 registered terms, or rather related terms. We also saw emails claiming to have important instructions for employees on how they might look to conduct business during COVID-19, as well as claiming to include reports or statistics from the World Health Organization, the White House, the United Nations, whoever, with similarly named malicious attachments as legitimate ones. I saw something particularly clever when attackers embedded headlines and snippets from COVID-19 news stories directly into malware, so that when antivirus or other tools would scan it, they might be tricked into thinking that that attachment that the user's clicking on is actually legitimate, or at least the email was. We noticed a host of fake programs popping up and advertising third-party websites that were related to our clients, even stuff in the App Store; we saw some pretending to be client medical portals and related applications to some of our clients as well. Fake links and quote-unquote helpful advice were put in comment sections on informational videos of our clients on social media. It was everywhere. In my lifetime, and likely yours, we've not seen another global incident on the scale of COVID, and I would guess that we'll probably not see one for quite some time that has been as single-minded across cyber security too.

Now, while we saw this unprecedented focus on one theme, it's important to note hackers are generally lazy, and that's for the hackers in the room, I'm not trying to be mean here. Why reinvent the wheel? You know, most if not all the stuff that came our way was COVID-packaged, but the malware behind it, it was all the same: your standard Emotet and TrickBot banking trojans, oh, they were there, as well as spyware variations, password crackers, or rather password stealers, ransomware, the whole thing. Oftentimes we'd see websites and programs bundle their malware with legitimate COVID-19 materials. If you all remember, Johns Hopkins put out that COVID-19 global tracker; we saw a similar application, but instead, when you downloaded it, it also had some spyware behind it. We also saw promotional deals like "get five dollars off your COVID test by downloading this contact tracing program," when in actuality, if you did so, you'd be putting ransomware on your Android phone. All of this, all of this stuff was COVID-themed, but it was still the same old malware in the background, and it just used the guise of COVID to convince users that what they downloaded was legitimate.

It should be mentioned here that the unifying theme in question also forced a lockdown, and that's important, because healthcare is traditional in their work habits. Client-side IT and SecOps traditionally work alongside those in the hospital on site, and it's done that way because there's a belief that they need to be there to fix issues as needed, but it also comes from an old-school mindset of requiring in-office work, of being visibly seen in the office. There's an adage often said in healthcare: if the doctors have to be here, you've got to be here. Then COVID hits, and healthcare and pharma, they're not prepared. Despite the boots-on-the-ground doctors, nurses, and technicians filling the hospitals to handle everything that the virus threw at the world, a large majority of our users in healthcare and pharma needed to pivot to remote work for safety concerns, for just that very reason: they were deemed essential workers, but they were also deemed workers that could have done their work outside of the hospital. Literally overnight, infrastructure has to be changed to hold us over in the initial weeks until IT can provide more permanent solutions, because there's a lot of people now putting stress

on servers that never expected that amount of people, to assist with the needs and find their weaknesses. SRA offered all of our healthcare and pharma efforts, or pharma clients rather, free comprehensive health checks to determine the gaps that they needed to remediate the most. Client-side security teams began to roll out to users more security best practices to beef up security surrounding remote connections and other things that needed to be fixed. Speaking of which, some of our employees, when they went that way to remote work, didn't have a solid enough connection at home to do Zoom meetings, let alone VPN. How do you handle that? Many of our workers were at a level where they were comfortable handling their work at home, but some weren't comfortable with working from home; just everything from their laptop was new. It could have just been the old-fashioned way of the hospital, or what they had been ingrained in; it took some doing to get into that new habit, and I think a lot of it comes down to they didn't have their co-workers now beside them to assist for the small stuff. Now they're starting to call me and the rest of the guys and girls and non-binary pals for the small stuff too, and IT and SecOps roles begin to blend as we have to start playing zone coverage as we're stretched thin. That's when everything is working smoothly. Now what happens when you throw in a couple of incidents? How do you handle all that? The short answer of it all: it's triaging one crisis at a time and trusting in the quality of your team. I really want to commend the teams that I've been a part of here, because they've done yeoman's work in the last 12 months, and they've been able to figure out answers to questions that I just couldn't anticipate, like how do you remotely re-image a user's laptop from another state when the only thing that you've ever done prior to that is have them come into the office with it? What policy do you do for that? Or what do you do when the new MFA patch prevents your entire SecOps team from communicating with the rest of the company and themselves via instant message? We had to tackle those things, and it was something that really required the resilience of the team to get there. I don't get into the technical details about those topics here, or the user and organizational recommendations about defending against certain attacks, but as supplemental information to this talk I encourage you to check out the Security Risk Advisors blog, where I talked about just that topic in a blog post entitled "COVID-19: Staying Secure While Staying at Home." It was the seed for this presentation.

Now, the bad news to all this: as we began to work remotely, and we also had to then handle all the new bumps and changes that went along with it, so too did the bad guys, and we noticed that they did it better than we did. Since the beginning of 2020 we saw a sizeable uptick in activity across the board, from scanning to typosquatting to phishing email quantity; everything was up. Whether it was previous attackers capitalizing on the vaccine efforts, the desperation of some hospitals to stay online, or maybe attackers are just now furloughed from their main jobs and they're just trying to start up a side hustle in script-kiddie-ing, whatever it was, remote work definitely suited their efforts. Pharma teams were stretched thin already, and this increase in volume simply exacerbated that. So how do you counter that? Yes, automation to get the low-hanging fruit out of the way so that you can focus on the real stuff is an option, to an extent, but you need bodies in the SOC; you really can't beat old-fashioned extra eyes on glass.

We're fortunate in that the information security industry grows during crises. It seems to be, at least to me, at least so far, that information security is recession-proof and a hot industry to be in, especially in these last few years; it's a sexy career to get into. That's good for us, because a lot of organizations continued to grow with the needs that they had, healthcare and pharma included, and therefore we needed new recruits to fill the alert queues and become security engineers and analysts to staff them. But in a time when you can't meet a candidate face to face, and I can't take them out to dinner so I can interact with them, how do you accurately assess their quality over Zoom? A lot of what I look for in an entry-level candidate correlates to their ability to communicate well with others. Yes, technical knowledge is good, but I've found that soft skills are often more difficult than the hard skills. It's my opinion that it's much easier to learn how to dissect malware and triage alerts than it is to learn how to build and maintain solid relationships with your client, especially if we're doing it this way, over the internet. I want to hire somebody who I look forward to working with. I want to hire somebody who makes my day go faster because they're joking around and enjoying themselves, and when we meet with the client, they get along with them. Even more importantly to me is that they jibe well with our organization's culture; I want them to stick around for a while. On more than a couple of occasions I'd go into meetings with clients where the topic at hand was to brief them on a certain ongoing incident, but when I got there, all they wanted to do was vent or shoot the breeze. I talked with the manager of security about home cooking, his favorite NHL team, and him trying to get his girlfriend into board games. I have a co-worker who likes to lovingly call these hangout sessions; I'm inclined to agree. Information security is as much about stopping incidents as it is assuaging the fear of one and just being a friend, and I look for people to fill my team who could do both, and those were the ones who best succeeded.

As a result, I found that the best way to see who's going to be a good fit is just to have an honest conversation with them, whether in person or on Zoom, where "I don't know, but I will learn that for the next time that we talk" is not only an acceptable but an applauded answer to give. Where, after they've demonstrated basic competency in cyber security, I ask myself, would I want to be stuck in an airplane with them for a red-eye? Or, more aptly to this period, would I want to be in quarantine with them? I would rather hire an affable elementary school teacher with an interest in computers who's familiar with how to corral 20 fifth graders and distill a topic into understandable chunks for them than hire a cyber security whiz with a master's degree in computer engineering but no social skills. Speaking of college degrees, some of the best analysts that I've worked with don't have one. It was not a requisite to their success, and in fact, when interviewing for new hires, I found that sometimes it's better to more heavily weigh those who have demonstrated competency through independence after getting a certification or two, or just doing an eight-week intensive course, than someone who has been spoon-fed stuff. Now, I'm a four-year college degree grad, and I'm not saying anything bad about them, but I'm just saying, as far as the pandemic is concerned, it's demonstrated to us that those who have come in with that independence of learning have an ability to learn and work independently, a valuable skill and a good indicator of success at remote work. In the span of the last year, some of the teams that I led and worked on doubled in size just to manage the increase in the amount of volume we had, as well as the increased urgency in issues that were once on the back burner.

We hired a lot of people, and when talking with them during the hiring process, some of them expressly stated how burned out they were from their roles at other locations, in both information security and elsewhere. We'd say, "Why are you looking for a new job? Your old job sounds great," and some of them would just tell us, "You know, it's burnout. I can't take this anymore. I'm working 24 hours a day here. I just need a change to something more sustainable." We asked a related question of ourselves as we hired them: how do you keep someone engaged and connected to their co-workers and the mission amid a time of such isolation? That refrain of sustainability is something that we looked to build, and took to heart, and kept as we began to train these new analysts. For those that started after March of 2020, most of them, if not all, have really yet to meet the team or any of us in person. It's a far cry from what things were like just a year ago, and definitely from what it was like when I started my first days at SRA. We're an organization that prides itself on in-person gatherings, on connecting over a beer at work. Now many just receive their laptops and phones in the mail, and their first happy hour, that's over Teams. It was therefore paramount to us, as a team and as a company culture, to keep them feeling as part of the team as much as possible, because that's how we viewed them. Stuff that's often seen as discretionary, stuff that's often cut, like a swag bag, or a company t-shirt, or a handwritten letter written during Thanksgiving from their manager, becomes essential to some. It gave them something physical to hold on to when everything else was cold and online.

We began to invest heavily into mentorship. Our mentorship program provided new hires and inexperienced consultants with people they could go to for anything, and it doesn't matter how far up the organization you go, that will be the case for them. Mentors provided them with answers surrounding culture, how to handle personal relationships and professional relationships, handle feedback, learn best practices for time management, and more. We recognized that a lot of people's escapes, their ways to de-stress and relax before and after work, dried up. Now their lives outside their work are filled with anxiety or stress, oftentimes because of the virus, or the economy, or what's happening with their family, or a mixture of it all, and ironically work became their escape. It was a place for them to find stability, and it became a coping mechanism for some of them. People began to invent their own new methods for coping at work, and we sought to promote an environment where, despite them protecting hospital systems or working on an incredibly important vaccination creation effort during a global pandemic and protecting it, work could still be enjoyable; work could be that escape for them. Some of this included opportunities that were interactive ways for them to safely get together even during COVID. We had weekly Thursday happy hours on Teams, I've already mentioned that, and we also allocated a food budget for mentors and mentees to get some food where they could then hang out with their mentor and talk over lunch, even if it was just to vent or to see where they're at. We had a period of time where there were some healthy gatherings, again over Zoom, where we'd talk about nutrition, meditation, perform yoga together, or any number of things. Now, I know what you're probably thinking, at least some of you, but I really want you to know that all of this is to say that we look to really shine a light on our culture, and that this type of interpersonal engagement is most certainly not fluff. I know cyber security is more, I would say, a hard science for some, and it's less feely, but those aspects of that interaction, that interpersonal engagement: none of the other stuff that we did in our job description would be done as well as it's done when we get the culture right, when we establish a solid foundation of that interpersonal relationship, even during a time of remote working.

To some, a lot of the remote learning and remote work in general that we did also became a lesson in managing expectations. Some people adapted better than others to quarantine; it affected every person differently, and sometimes in really significant ways. Some of our analysts who routinely sought out extra training, or were rock stars, as you'd say, just a year ago, struggled significantly, and they didn't pursue anything more than just to get by. But you have to recognize, as I did, that just making it, just getting by, in the last 12 months is an award in and of itself. How do we handle the impact of the degradation of their performance while recognizing that their performance isn't the problem? This amount of massive adaptation, from a management perspective, meant that we had to view how our people grew, not compared to their previous years, but from where they started in quarantine, and even then, to understand that this is an unprecedented time in how we handle ourselves. We seriously modulated our expectations as far as engagement and motivation were concerned. Did you show up to do your job? Did you provide quality deliverables and work well with others? Then you're succeeding; you're succeeding at your job, plain and simple.

So that's how we handled recruiting, onboarding virtual workforces, and new hires, but what about handling the C-suite? You know, in case you weren't aware, there's a massive movement to fast-track a COVID vaccine. Some of the clients that we had and I've worked with have been involved with those efforts, and that effort resulted in a changing relationship with leadership in the boardroom. For starters, they welcomed an extra focus on security; in fact, a lot of them became way more hands-on in a big way, acknowledging that if this part of the organization, cyber security, doesn't go well, the rest of the org could experience big ramifications. This extra focus meant that we were asked for more, and more frequent, updates regarding the latest threats or changes to the risk landscape. The trouble was, most of the risk landscape didn't change much. To meet that new focus, CISOs and CIOs wanted to demonstrate value, but their drive went to the threat of the day for the most part, or areas in risk management that didn't particularly help them. Perhaps they picked up a magazine and saw a vendor espousing a new issue that just positively needed to be fixed by this shiny new firewall, and we'd have to push back and say, "But sir, we don't even have DLP or complete coverage with EDR tools, and detection and removal is the name of the game now, and an all-prevent defense does not work." A lot of these conversations occurred through intermediaries, but the gravity to them was just the same. We recognized where the focus needed to be, and we did our best to share what we could with the C-suite by demonstrating valuable tuning with what we had and filling the gaps discovered by those health checks. As for the threat-of-the-day updates, you know, we provided them; sometimes you just have to keep them feeling informed. One of the things that we were also dealing with, where we felt we were in lockstep with the C-suite, was the remediation with which we handled critical issues. In the past, some of these organizations would sweat the small stuff and the big stuff, but stuff like ransomware has always been impactful to healthcare entities, but with COVID, and how systems were stressed to the limit, operating at max capacity, there was a belief that if something were to hit us, it'd be seriously bad news bears, because, I mean, we're all remote, and it's going to be a lot more difficult to remediate an issue, especially now that we are changing policy, changing infrastructure, changing a lot of things. A lot of things were different from just a year ago. When Ryuk ransomware hit several major hospital systems, the response to that was swift and effective from every client I saw. Everybody dropped everything to fix things on a dime, from a threat intelligence, vulnerability management, even purple teaming standpoint. I've never seen anything like it, or how fast it was reacted to, but everybody knew that healthcare

and pharma could no longer handle the risk. Alongside all that, there's been this huge emphasis on cross-competitive partnerships as the healthcare and pharma private sector and governments work together to create a vaccine. Whereas in the past orgs were reticent to share their issues with others for fear of another company leapfrogging them or capitalizing upon it, what's instead taken hold is a belief that we do more good by sharing our issues, working together to see if anyone else has a solution, rising together. We're seeing this in places like the H-ISAC community, where members of organizations have grown, and those who are a part of this information sharing group are in fact doing more sharing, as opposed to just a sparse few sharing and the majority just taking that information. Whoops, did not mean to switch to that one. There's also an effort driven from a vertical standpoint within each company to keep all abreast of where we are from an information security perspective, sharing information also horizontally between co-workers too, to make sure everybody's informed, staying up to date with information as best as possible. A lot of this has been spurred in the C-suite by strong healthcare leaders, particularly in pharma, saying, "All right, look, we've got to do this. We're all in this together. How can we work with you, and how can you work with what we can give you?" No longer is it as tight-lipped and siloed. The C-suite is saying that we as an industry as a whole have an obligation to our patients in order to protect this thing that could solve a global pandemic, and that obligation requires us to work outside our org to accomplish it. Suddenly one company needs another in a way that we just haven't seen in the past.

Similarly, we've seen a full shift, especially budgetarily, to implementing OT, or operational technology, security. This stuff, it's like SCADA and ICS; it looks to detect and control changes to devices, processes, events. When it's paramount that nothing interrupts the creation of, or possibly even worse, changes the very formula or creation of a vaccine, OT security comes in. The C-suite recognizes this; they recognize that vaccine creation is now critical infrastructure, much as how power stations or transportation networks are classified as such. They also recognize that we need solutions that allow complete visibility of network control traffic and can establish the right security policies. The problem is, for a lot of healthcare and pharma orgs, they have no idea how to do it, or how to do it well. This stuff is different from what's been standard in the past, you know, your run-of-the-mill on-prem security or your more recent innovations with cloud. But with an openness to new ideas and a hands-on approach by the C-suite that emphasized cross-competitive partnerships, and now a shift in the budget towards cyber security, and this in particular, many orgs are just starting on OT, and they're starting in a good place, I'd say, and have a good road map for the future.

I think as we, you know, fingers crossed, emerge from the pandemic over the next year, we'll notice a number of lasting effects to the industry, and how each organization handles it will internally and publicly determine their success in the coming years. I truly believe the remote workforce is here to stay, even when it comes to formerly traditional workplaces like hospitals. Up until this point, many in management viewed testing a remote workforce as just too risky or breaking an entrenched company culture. COVID, all things considered, provided us with the rare opportunity to prove that, for a large majority of healthcare and pharma workers, they don't have to be in the office to be productive or effective. To that note, I've seen companies begin to disband current offices and abandon some expansion efforts, not just because of restricting budgets, but because it's more cost-effective to have a remote workforce. A publication by the group Global Workplace Analytics found that a typical employer can save about eleven thousand dollars per year per person for those who work remotely just half of the time, even more if they went full remote; this included healthcare and pharma in that study. Am I saying offices are completely going away? No, absolutely not. I believe nothing can

beat in-person, face-to-face training and relationship building. I'm much more of an in-person person, and if I have the choice, I'll be there, but even in security the options and feasibility are there. There's less of an expectation now in healthcare and pharma that if the doctors have to be here, you have to be here. IT healthcare workers have really demonstrated that they can work from home, and they can do it well, provided they have support. Moreover, I would say I've already begun to see this not just as a perk but as an expectation moving forward for both IT and SecOps as they're looking to apply to positions within healthcare and pharma organizations. The industry's hot and has continued to grow, and to get top talent, orgs are going to have to demonstrate that they can support employees in flexible work styles and locations. Be prepared for more questions during interviews like, "Will this job allow me to work remotely?" I think this is for the better, especially from a company standpoint. Why limit your talent pool to a geographic location? You can become more competitive and build your company's reach by embracing a digital work landscape, and what's more, it protects companies too: you'll always have someone online. Imagine what happens if you center all of your employees in a single geographic area and that area then is affected by a natural disaster. Your entire IT services team could be affected and knocked out. That isn't the case if you've got people working in different time zones, different regions; they'll be able to stand up, ready, if one part of their team goes down elsewhere, and it just expands the company's reach as a whole.

So that's how we handled recruiting and onboarding, but I will also say cyber, for the first time, is having this front seat at the budget in healthcare, for the absolute first time, and I think we should capitalize upon it. I will say that, well, let me take a drink of water. Never before has healthcare had cyber security at the table. That's a very new fact, and I really believe that we need to capitalize upon it. The recognition is there by the C-suite that for healthcare and pharma to move forward competitively they need to stay secure, and that requires cyber security working there. I think we should capitalize upon it, and the companies that will grow the most, those healthcare and pharma organizations that put the effort into building a cyber security maturity program better than the rest, will be the ones at the top of the game during COVID, and after COVID, and further on afterwards.
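The talk describes two things the SOC saw in early 2020: a flood of newly registered domains carrying COVID-19 related terms, and fake portals and apps imitating client brands. The script below is an added example of how an analyst might triage a newly-registered-domains feed for both patterns; it is not code from the talk, from the speaker, or from SRA. The feed lines, the keyword list, the client brand names (`examplehealth`, `examplepharma`), the allowlist and the scoring thresholds are all constructed for illustration. It uses only the Python standard library, and the brand check is a crude edit-distance comparison rather than a public-suffix-aware parser, so treat it as a starting point for tuning, not a finished detector.

```python
"""Triage a newly-registered-domains feed for COVID-themed and client-lookalike names.

Added example for this talk; not the speaker's or SRA's code. Every input below
(feed, keywords, brands, allowlist, thresholds) is a constructed placeholder.
"""
import re
from difflib import SequenceMatcher

# Constructed keyword list: terms a pandemic-themed lure domain tends to carry.
COVID_KEYWORDS = ("covid", "covid19", "corona", "coronavirus",
                  "vaccine", "pandemic", "contacttracing")

# Constructed brand names standing in for the healthcare/pharma clients a SOC protects.
CLIENT_BRANDS = ("examplehealth", "examplepharma")

# Constructed allowlist of the clients' own legitimate domains.
KNOWN_GOOD = {"examplehealth.com", "examplepharma.com"}

# Constructed feed lines shaped as "domain,registration-date" (not real registrations).
SAMPLE_FEED = """\
covid19-relief-portal.com,2020-03-12
examp1ehealth-patient.net,2020-03-13
coronavirus-who-report.org,2020-03-13
weather-forecast-daily.com,2020-03-14
examplepharma.com,2020-03-14
vaccine-trial-signup.info,2020-03-15
"""


def registrable_label(domain):
    """Crudely drop the final label (TLD). A production pipeline should use the
    public suffix list so that e.g. 'co.uk' is handled correctly."""
    parts = domain.lower().strip().split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else parts[0]


def covid_terms(domain):
    """Return the COVID-theme keywords found in the domain label, hyphens removed
    so that 'contact-tracing' still matches 'contacttracing'."""
    label = registrable_label(domain).replace("-", "")
    return [k for k in COVID_KEYWORDS if k in label]


def brand_lookalike(domain, threshold=0.85):
    """Return (brand, kind) when the label contains a client brand outright or a
    hyphen-separated token sits within an edit-similarity threshold of one;
    None when nothing resembles a brand."""
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-.]", label) if t]
    for brand in CLIENT_BRANDS:
        if brand in label:
            return brand, "contains-brand"
        for tok in tokens:
            if SequenceMatcher(None, tok, brand).ratio() >= threshold:
                return brand, "lookalike"
    return None


def triage(feed_text):
    """Parse the feed and return (domain, score, reasons, registered) tuples for
    every domain that earned at least one reason, highest score first.
    Brand imitation scores higher than a bare COVID theme because it targets
    the client directly."""
    findings = []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        domain, _, registered = line.partition(",")
        domain = domain.strip().lower()
        if domain in KNOWN_GOOD:
            continue  # the client's own registration, not a finding
        reasons, score = [], 0
        terms = covid_terms(domain)
        if terms:
            reasons.append("covid-theme:" + "+".join(terms))
            score += 1
        hit = brand_lookalike(domain)
        if hit:
            brand, kind = hit
            reasons.append(f"{kind}:{brand}")
            score += 2
        if reasons:
            findings.append((domain, score, reasons, registered.strip()))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    for domain, score, reasons, registered in triage(SAMPLE_FEED):
        print(f"{score}  {domain:30} {registered}  {', '.join(reasons)}")
```

Run against the constructed feed, the brand lookalike (`examp1ehealth-patient.net`) sorts to the top, the three COVID-themed names follow, the weather domain is ignored, and the client's own `examplepharma.com` is suppressed by the allowlist. The two checks are kept separate so each can be tuned on its own: the keyword list will drift with the news cycle, whereas the brand threshold should be set from the false-positive rate you observe on a real feed.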
