'Interfering' with hackers before they can disrupt or steal

A cybersecurity expert explains for healthcare CIOs and CISOs her firm’s proactive approach and describes a technology for dealing with threats, from within and without.

The cybersecurity frontier in healthcare remains a Wild West of threats – and involves a wide variety of technologies and strategies to combat those threats. Healthcare CIOs and CISOs have their hands full.

One major cybersecurity problem the health IT sector currently is facing is analogous to the evolutionary changes in how the U.S. has approached healthcare itself, said Neill Sciarrone, president and co-founder of Trinity Cyber, a threat prevention technology and services company.

Treating root causes, not symptoms

“Historically, doctors only treated symptoms before later learning that it was necessary to focus on preventive measures that address the root causes of ailments,” said Sciarrone.

“In the same way, healthcare cybersecurity has been focused on treating the symptoms rather than prevention,” she explained. “Cybersecurity teams respond to attacks – potential and successful – by monitoring alerts and countless endpoints on their networks. But they have not focused on taking measures to prevent these attacks from reaching their IT infrastructure in the first place.”

An emerging approach makes it possible to move from reactive cybersecurity – addressing symptoms – to preventive methods that neutralize cyberattacks and make the hackers fail, she added. The future of cybersecurity, she contended, is a shift from incident response to Proactive Threat Interference, the focus of Trinity Cyber, which has registered the term as its trademark.

“Proactive Threat Interference is a fundamentally new approach to commercial cybersecurity,” Sciarrone explained. “This strategy involves focusing cyber defenses on the attacker to invisibly neutralize attacks before they reach your network, rather than continuously responding to the unrelenting volume of alerts after an attack or intrusion has occurred.”

Traditional cybersecurity focuses on decreasing risk by reporting intrusions in the wake of an attack, using an incident response approach. After an incident occurs, cybersecurity teams are tasked with cleaning up affected systems and reporting the incident to the appropriate law enforcement, government and private sector stakeholders.

Preventing more of the same

“Analysts and researchers then dissect samples of the malicious code and network traffic to identify indicators and signatures of the successful attack,” Sciarrone noted.

“This threat information is used to patch systems in order to prevent the attack from being successful again in the future. Signatures and indicators, such as IP addresses, domain names or hashes of known bad files, are fed into cybersecurity tools and wielded like a giant hammer to block or deny any traffic associated with them.”

The problem, she contended, is that hackers anticipate this and quickly adapt their techniques – sometimes by simply changing their IP addresses – in order to continue their attacks. Sophisticated attackers even monitor the public threat reporting resources used by security teams to ensure they stay one step ahead of the most current defenses.

This creates a perpetual cycle of reactive, defensive measures that consistently leave the attacker with a competitive advantage while cybersecurity teams chase the threats, she said.

“Proactive Threat Interference offers a solution to this detect, respond and recover approach, providing truly preventive cybersecurity,” Sciarrone insisted. “Moreover, it focuses on the most critical – and overlooked – element of every cyberattack: the person behind it.”

Cyberattacks ultimately are attempts by people to compromise systems designed and used by humans. Computers are the tools used to accomplish their goals in a human-made environment. Regardless of the origin or type – phishing email, ransomware, DDoS attack, malware campaign or insider threat – every attack is reliant on a person or group of people to organize and execute it.

Hackers’ tactics, techniques and procedures

“Proactive Threat Interference concentrates on identifying, targeting and manipulating an attacker’s tradecraft – the tactics, techniques and procedures hackers use to execute a successful cyberattack,” she said.

Leveraging technology, she explained, this approach has several benefits and key features:

  • First, it shifts the industry’s first line of cyber defenses without becoming part of the attack surface. It deploys and operates outside of an enterprise’s network edge, between the network and the attacker, to intercept and neutralize attacks before they reach the network. “This is done without having to install software or hardware on the infrastructure,” Sciarrone said.
  • Second, it takes customized action to actively prevent an attack from compromising a network instead of alerting after one has taken place. “Rather than respond and block, it uses detection technology that employs a bi-directional deep session inspection capability to disrupt and neutralize attacks as they happen,” she said. “This truly decreases risk, increases trust and justifies investment value by ensuring commerce and business operations continue unimpeded.”
  • Third, it shifts the balance of power from the attacker to the defender. “It identifies and manipulates an attacker’s tradecraft in real time to disrupt the attack and make it fail,” she explained. “This imposes costs of time, energy and resources on the attacker, and is done in an invisible manner that doesn’t reveal why the attack failed.”

Mitigating risk

Leveraging Proactive Threat Interference enables network defenders to prevent an attack before it reaches its target instead of deploying incident response, reducing disruptions to business operations and mitigating risk to the organization, Sciarrone said.

“This reduces alert volume for security teams and appropriately prioritizes their resources to high-value tasks,” she concluded. “Most important, this approach allows you to control the attacker’s experience and limit the frequency of incident response.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.
