Athenahealth CISO describes the company’s new ‘internal offensive’ security strategy
As Chief Information Security Officer at cloud IT giant athenahealth, Taylor Lehmann is responsible for protecting data managed by 5,300 employees – running across 160,000 providers serving 110 million patients.
Lehmann, who has been a CISO for seven years and the CISO at athenahealth for a year, is trying to shake things up with a new security strategy – “internal offensive,” he calls it. Part of this strategy is a new security system designed by an ex-red teamer and Carbon Black executive at a company called Randori.
Always throwing up punches
The new approach first identifies athenahealth’s most valuable targets, then it acts as a red team or nation-state hacker would: unleashing ongoing scripts and APTs until it breaks through.
Lehmann calls this an anti-traditionalist approach because most companies focus on avoiding attacks. He believes his blue team builds resilience by constantly throwing punches in defense, the way this new system does.
“We no longer can rely on traditional security controls like vulnerability scans and periodic penetration tests to assure our stakeholders, board and customers that our systems are keeping up with the rate and pace with which attacks occur,” he said. “Advancing the organization’s perspective on cybersecurity is key – shifting from a ‘protect what you think you need to’ to a ‘protect what you know and defend forward’ is our plan.”
This shift is enabled by introducing proactive security measures meant to find opportunities before they become problems. One method is creating an internal team or capability focused on offensive security. The “internal offensive” team conducts continuous penetration testing and uses tools like the MITRE ATT&CK framework to express its work: which protective and defensive controls were validated and which did not pass.
“The feedback loop this creates allows security professionals to stop wondering about their controls and rating their effectiveness with hyperbole metrics, to using data that shows where defense was successful or unsuccessful,” he explained. “They then can make smarter investments of their resources to protect or defend the organization based on what needs improvement to thwart an attack.”
Driving better decision-making
Almost every part of a traditional cybersecurity risk management program is enabled by having better information about threats, vulnerabilities and impacts. Internal offense strategies build this data set to drive better decision-making, he added.
Attack-and-breach simulation is an emerging market category in cybersecurity, and Lehmann has seen many players enter this space looking to acquire new customers with promises that their solutions effectively simulate attacks and help an organization learn from them.
“Many of these tools look to take commodity attack-tools like Metasploit and publicly available exploits, put them in the hands of security analysts who run them against a set of infrastructure to see what can be got,” he explained. “Other techniques may be demonstrated, but largely use commodity tooling that can be obtained through various open sources.”
While helpful, commodity attack tools do not simulate the behavior of a human attacker – complete with unconventional, creative, resourceful thought processes and approaches, he added. These capabilities are critical, and they are what got Lehmann interested in Randori.
“Building in human perspectives is key,” he asserted. “For example, certain targets of an attack are more valuable than others. Sophisticated attackers do not necessarily go after the easiest targets, they go after the ones that are valuable to a given campaign and end goals. Understanding and assigning value to a given target – from an outsider’s view – helps us inform which assets most likely will be attacked first and what role they would play in a coordinated, human-driven attack.”
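As an added example (not code from athenahealth, Randori or the article), the script below shows one way to record the feedback loop described in the previous section and the target-valuation point Lehmann makes here: each attempted technique is logged against its ATT&CK technique and tactic with an outcome, controls are tallied as validated or failed per tactic, and the misses are ranked by the value assigned to the target so the gaps on the most valuable assets surface first. The technique IDs are real ATT&CK identifiers used for illustration; the asset names, asset values and outcomes are constructed sample data, not athenahealth's.

```python
"""Turn continuous-testing results into an ATT&CK-indexed coverage record
and a value-ranked list of gaps.

Added example: asset names, asset values and outcomes below are
constructed sample data; technique IDs are real ATT&CK identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    """Outcome of one attempted technique against one asset."""
    technique: str  # ATT&CK technique ID, e.g. "T1110" (Brute Force)
    tactic: str     # ATT&CK tactic the attempt was expressed under
    asset: str      # target the attempt was run against
    outcome: str    # "prevented", "detected" or "missed"


VALID_OUTCOMES = {"prevented", "detected", "missed"}

# Constructed asset values from an outsider's view: 1 = low, 10 = crown jewel.
ASSET_VALUE = {
    "patient-portal": 10,
    "vpn-gateway": 8,
    "marketing-site": 2,
}

# Constructed results from one testing cycle.
RESULTS = [
    TestResult("T1110", "Credential Access", "vpn-gateway", "prevented"),
    TestResult("T1110", "Credential Access", "patient-portal", "detected"),
    TestResult("T1190", "Initial Access", "marketing-site", "missed"),
    TestResult("T1190", "Initial Access", "patient-portal", "missed"),
    TestResult("T1078", "Defense Evasion", "vpn-gateway", "missed"),
    TestResult("T1059", "Execution", "patient-portal", "detected"),
]


def coverage_by_tactic(results):
    """Tally, per ATT&CK tactic, how many attempts a control stopped or
    caught ("validated") versus how many went unnoticed ("failed").

    Raises ValueError on an outcome outside VALID_OUTCOMES so a typo in
    a result record cannot silently inflate the validated count.
    """
    summary = defaultdict(lambda: {"validated": 0, "failed": 0})
    for r in results:
        if r.outcome not in VALID_OUTCOMES:
            raise ValueError(
                f"unknown outcome {r.outcome!r} for {r.technique} on {r.asset}"
            )
        key = "failed" if r.outcome == "missed" else "validated"
        summary[r.tactic][key] += 1
    return dict(summary)


def prioritized_gaps(results, asset_value):
    """Rank missed techniques by the summed value of the assets they
    succeeded against.

    Returns a list of (technique, score, sorted asset names), highest
    score first; ties break on technique ID. An asset missing from
    asset_value counts as 0 so it does not vanish from the list.
    """
    score = defaultdict(int)
    assets = defaultdict(list)
    for r in results:
        if r.outcome != "missed":
            continue
        score[r.technique] += asset_value.get(r.asset, 0)
        assets[r.technique].append(r.asset)
    ordered = sorted(score, key=lambda t: (-score[t], t))
    return [(t, score[t], sorted(assets[t])) for t in ordered]


def report(results, asset_value):
    """Render both views as plain text for a status update."""
    lines = ["Coverage by tactic:"]
    for tactic, counts in sorted(coverage_by_tactic(results).items()):
        lines.append(f"  {tactic}: validated={counts['validated']} "
                     f"failed={counts['failed']}")
    lines.append("Gaps ranked by target value:")
    for technique, value, hit in prioritized_gaps(results, asset_value):
        lines.append(f"  {technique} score={value} assets={', '.join(hit)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RESULTS, ASSET_VALUE))
```

With the constructed data, T1190 ranks first (it was missed on both the portal and the marketing site, score 12) ahead of T1078 (score 8), even though the marketing site alone is a low-value target; this is the "value to a campaign" weighting rather than an easiest-target ordering. Real deployments would replace the inline lists with records exported from the testing platform.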
Humans adjust their techniques
Further, attacker techniques adjust based on what they find once they conduct reconnaissance and establish a foothold in the network, he added.
“Randori’s approach to providing customers with a trusted adversary better aligns to how humans conduct that analysis and the decisions they make because they are modelled after real penetration and red-team testers’ actions who are looking to achieve a goal – not simply a list of vulnerabilities anyone could find,” he explained. “This perspective is key, and when combined with Randori’s offensive-security team curation and maintenance of attack patterns, helps us ensure our testing can be robust.”
Randori CEO Brian Hazzard explains how the security company’s technology and services work.
“Determined, stealthy and ‘Black Box,’ Randori starts with just an email address,” he said. “When an opportunity presents itself, the company executes real-world attacks so organizations can quantify risk, strengthen responses, and prove that their most valuable assets are secure. The company’s attack platform enables organizations to continually practice, test and assess their security.”
Launching real-world attacks
The platform serves as a virtual mirror for nation-state actors and cybercriminals. Unlike a simulation, which replays historical attacks inside artificial boundaries, it provides the ability to safely launch real-world attacks against production assets, he added.
“Athenahealth uses Randori’s reconnaissance capabilities to understand the accessibility and value of assets that could be attacked and make determinations on how best to prioritize and protect them,” Hazzard continued. “The company’s tooling helps us identify internet-facing systems – where we are, how we appear to attackers on the internet, what avenues to access are available, and what data exists in the internet that could be used to acquire access.”
Much of the reconnaissance is conducted automatically in the same way threat actors conduct such activities, he explained.
“We’ve found opportunities in using the company’s data to improve our security posture and make certain attacks less possible, more difficult, or require a much higher level of sophistication to execute,” he said. “We are moving into then operationalizing the reconnaissance information to drive very frequent penetration testing activities where we move to exploit those vulnerabilities and rate our performance.”
What athenahealth has learned
Penetration testing and red-team projects provide little long-term value and can come at a very high cost, Lehmann contended.
“The reality is these types of engagements point out issues that never tell a full story about an organization’s security posture, and are not performed frequently enough to enumerate new issues that could impact you,” he said. “They are limited in what they discover as the scope and techniques employed in a given engagement are typically based on a single human actor’s creativity, knowledge of tools, and executing a playbook they are comfortable with.”
While such engagements can be valuable, they deliver only a fraction of the value these activities could provide, Lehmann said.
“Moving to a platform that builds in the creativity of many sophisticated actors with the ability to run attacks continuously and against the infrastructure or services that are the most interesting and tempting provides a clearer perspective on the reality of your systems and protections, as well as what you need to do to improve your posture in shorter, more frequent bursts,” he concluded.