Collective defense: A different way to approach healthcare cybersecurity
For some time, healthcare organizations have been defending against cyberattacks on their own while malicious actors have been organizing into increasingly sophisticated networks of attackers.
A better way to combat cybersecurity threats is by sharing and correlating events across organizations, both within the healthcare sector and across industry sectors, contend experts at IronNet Cybersecurity.
General (Retired) Keith Alexander, co-CEO of IronNet Cybersecurity, former NSA director and former commander of the U.S. CyberCommand, explored this notion in a recent HIMSS20 Digital session, "Cybersecurity’s Tectonic Shift: A Call for Collaboration."
Along with IronNet Cybersecurity Chief Marketing Officer Russ Cobb, Alexander described the people, processes and technologies that are making “collective defense” a reality.
How do you protect what you cannot see?
“At the NSA and at CyberCommand, we had the mission of protecting the nation,” Alexander said. “The problem is you are trying to protect something that you cannot see. It’s analogous to running an air defense without any air-defense data. Tracking airplanes requires you to create this picture so that air traffic controllers can see airplanes and make sure they don’t bump into each other and direct air traffic. So it’s very useful.”
In cybersecurity, there is no picture.
“The government today is focused on incident response, which means the system has been hacked, we’ve lost some data, and it’s too late,” Alexander said. “So the first part, if we want to defend the nation, we’ve got to be able to see it. And if you think about how the adversary operates, the adversary has this team that can hide against all the current defenses that we have. This is not one person sitting on a bed. These are well-trained teams. They are well-rehearsed, well-trained, they know what their plan is, they work their way through it, and they work it together.”
Now look at how organizations defend against bad actors. A mid-sized bank might have 10 people on the problem defending their organization.
“They see what’s going on in that company, and they try to protect against it,” Alexander explained. “And they use signature-based systems. The adversary knows what they are using and uses that to get by, whether it is phishing or some other type to get into the network. Once the bank finds out they have been hacked, they look at it from a liability and reputational angle and then they share it after that. That’s way too late.”
Creating a "picture" of cybersecurity
Alexander said what needs to be done is to create an air traffic control-like picture of cybersecurity.
“The way to do that is to now create the event logic that allows you to see as things are occurring and an expert system that allows you to understand it,” he said. “There is a lot of traffic out there, a lot of volume. So we’ve got to change the way we think about cyber from taking a bunch of boxes and trying to knit them together to collective defense.”
The government is needed to help defend the country and organizations, but the government cannot see the country and organizations when it comes to cybersecurity, Alexander said.
“That in itself is broken,” he remarked. “That means if we had radar, we cannot tell the air traffic controllers what we see. So this is a transformation that has to occur in our country and others to really move cybersecurity to where it needs to be. Collective defense means we need to work together better than the offense, sharing data and collaborating together.”
The behavior of communications
From the collective defense point of view, when one talks about network traffic, it’s not talking about duplicating or tracking communications, it’s about the behavior of communications, Alexander explained.
“We’re talking about feature data that is independent of the personally identifiable data within it,” he continued. “So you want to have a way that protects the privacy of communication but you protect the security at the same time. And that’s not by taking the content and looking at that and laying that all out. It’s about sharing threat-related information.”
In a signature base, people talk about indicators of compromise. And that still works in the behavioral space, as well, he noted. It’s looking at behaviors that are indicators of compromise.
“The difference being that a signature is needed for each independent behavior,” he said. “A behavior can capture a whole category of signatures. Threats can take a piece of malware and change it so that the signature is now modified. They can change the way they operate to now bypass controls.”
Seeing a network unlike ever before
There are some important parts to what collective defense is trying to accomplish, Alexander said.
“One is to grasp features and track them,” he explained. “And if you do that, what that does is the event data now gives you a way of seeing a network in a way that you have never been able to see it in the past. And it’s characteristic of the event data that’s been going on, not of the specific content and communications. So that is a huge first step.”
While that is being done, there are some key things to think about, Alexander noted.
“There is a lot of data, and there can be a lot of false positives,” he said. “So you have to have an expert system, you have to have rules, you have to have machine learning and AI. The expert system is to take that data and help make sense of it. So in the radar analogy, it’s taking all that radar data that is bouncing back and forth with the plane, putting it into the content of a communication and a specific spot on the earth where that plane is, so that you can track an aircraft.”
Finding just the bad communications
In collective defense, it’s very much the same with behavioral analytics: One does not want to take all the communications and keep all that noise going back and forth, one wants to find the bad communications, sorting all the bad types, Alexander explained.
“You want to separate that out and allow analysts to look at that holistically,” he said. “And more important, if you work at it holistically, the big jump we’ve made is you can share it for collective defense. And if you share it, now those 90 companies with teams of 10, instead of each of them working individually, now those 900 people can work together for the collective defense.”
Experience the education, innovation and collaboration of the HIMSS Global Health Conference & Exhibition… virtually.