Minimizing the incident response treadmill with automation

September 26, 2022
By Tamer Baker

Throughout the pandemic, the healthcare industry has been experiencing another epidemic: ransomware. Cybersecurity teams have been rushing to respond to relentless threats by implementing new controls and products. Although most teams talk about their desire to automate, most of them lack confidence in the products, and/or the products are not “actionable” enough to be automated. Consequently, the process of responding to ransomware (and other breaches) remains highly manual and reactive. Healthcare organizations need to improve their cybersecurity posture by automating a more proactive response.

In 2020, the FBI, DHS and HHS warned that ransomware attacks against the healthcare industry were imminent. In retrospect, they were right. According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and doubled again in 2021. And according to government data, healthcare breaches doubled in the first six months of 2022 compared to the same period in 2021.

In private conversations, healthcare CISOs have confided that they continue to detect communication to Russia even after they have responded to the breach. It can feel like a never-ending treadmill for incident response teams, especially if they are relying on time-consuming manual processes. This challenge is further exacerbated by a cybersecurity skills shortage. The prognosis for the next few years seems unlikely to improve, which is why it is so critical for healthcare organizations to begin embracing automation today.

Complex systems are more vulnerable
Healthcare organizations are challenged by an ever-increasing attack surface, which includes a wide variety of cyber assets. Medical assets and operational technology (OT) environments are incompatible with many IT processes, such as installing agent-based protections, patching, and even vulnerability scanning. Healthcare organizations have embraced IT/IoMT convergence as part of their digital transformation initiatives, but without the proper controls they may lack visibility into the vulnerabilities and risks that have emerged in these complex environments.

More mature organizations may be overwhelmed by dozens of IT and security solutions that lack any meaningful integration. They may lack insight into device context or be unable to respond to new threats. Multiple point solutions also tend to have conflicting data and overload incident response teams and security operations centers with more alerts than they can process. Many of these alerts are false positives or risks that have been mitigated by other means, such as network segmentation.

Likewise, many alerts are not actionable. Talk to almost any incident response team and you will hear the complaint that “we can detect threats but can’t respond to them in time” or “our controls send alerts but can’t automatically remediate them.” This is ultimately why incident response is such a reactive process – merely prioritizing alerts has become a cumbersome manual task.

Three benefits of security automation
The difference between manual processes and automation can be the difference between hours and minutes. Beyond saving time, here are three benefits of optimizing security automation:

1. Device Context – Automation enables organizations to maintain up-to-date information about all their cyber assets as soon as they join or leave the network. Network context is key to understanding where the device is connected (e.g., which switch, port, SSID, etc.), from where it is connecting, and what it is. This context enables understanding the difference between a Windows 7 PC vs. a Windows 7 laptop that is operating a pill dispensing cart on a hospital floor. This information can be easily integrated into other security tools.
2. Orchestrated Workflows – Automated workflows (e.g., “playbooks”) can enforce policies and trigger a response, from finding vulnerable devices to isolating them until they can be remediated. Automatically triggering remediation, such as executing a script, fixing a missing agent, or triggering a patch, is a key capability to stay ahead of threats.
3. Accelerated Response – Multifactor risk scoring and advanced threat detection can prioritize alerts to the risks and threats that matter most. Ideally, responses should include actions at the network level, since host-based controls are often disabled by malware. Cyberattacks have become increasingly commoditized and automated, so responding to incidents at machine speed is critical to preventing a breach.
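As an added example (not the author's or Forescout's code), here is a small Python playbook that puts the three benefits together: device context from the asset inventory, a multifactor risk score that discounts alerts already mitigated by segmentation, and a network-level action when host-based remediation is unavailable. The asset fields, score weights and thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass
@dataclass
class Asset:                      # one row of the automated asset inventory
    name: str
    os: str
    role: str                     # "workstation", "medical", "server" (constructed labels)
    segment: str                  # VLAN derived from switch/port/SSID context
    agent_ok: bool                # host agent installed and reporting
    missing_patches: int

@dataclass
class Alert:
    asset: str
    severity: int                 # 1-10 as reported by the detection tool
    mitigated_by_segmentation: bool = False

def risk_score(asset: Asset, alert: Alert) -> int:
    """Multifactor score: detection severity weighted by device context (assumed weights)."""
    score = alert.severity
    if asset.role == "medical":
        score += 3                # patient-safety impact
    if not asset.agent_ok:
        score += 2                # no host-based control to fall back on
    score += min(asset.missing_patches, 3)
    if alert.mitigated_by_segmentation:
        score -= 4                # risk already contained by network segmentation
    return max(score, 0)

def plan_response(asset: Asset, alert: Alert) -> str:
    """Pick the playbook action; agentless or medical devices get a network-level action."""
    score = risk_score(asset, alert)
    if score < 5:
        return "log_only"         # below threshold: do not page the IR team
    if asset.role == "medical" or not asset.agent_ok:
        return "network_quarantine"   # move the switch port / SSID to a quarantine VLAN
    return "host_remediate"       # run script, reinstall agent, trigger patch

def prioritize(assets, alerts):
    """Return (score, asset name, action) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    rows = [(risk_score(by_name[al.asset], al), al.asset,
             plan_response(by_name[al.asset], al)) for al in alerts]
    return sorted(rows, reverse=True)

# Constructed inventory: two Windows 7 devices that differ only in context
ASSETS = [Asset("fin-pc-01", "Windows 7", "workstation", "corp-users", True, 1),
          Asset("cart-laptop-07", "Windows 7", "medical", "clinical-iomt", False, 5),
          Asset("web-02", "Windows Server 2019", "server", "dmz", True, 0)]
ALERTS = [Alert("fin-pc-01", 6), Alert("cart-laptop-07", 6),
          Alert("web-02", 7, mitigated_by_segmentation=True)]
```

Calling `prioritize(ASSETS, ALERTS)` ranks the pill-cart laptop first with a network quarantine, the finance PC second with host remediation, and drops the segmented DMZ server's alert to log-only.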

Building confidence: Trust the process
Healthcare organizations may be slow to implement automation because they are concerned about breaking a mission-critical process. However, organizations that invest the time to set up automation will become far more efficient and save much more time in the long run.

The key to setting up automation is to start with good data and context, so that the information can be trusted and the team understands how things work. Visibility and monitoring solutions can provide rich information on the depth and breadth of a network so that organizations can eliminate their blind spots. Fully integrated platforms allow organizations to combine multiple capabilities and move beyond visibility into automated action. In doing so, they can move to a more proactive approach to assessing risks and responding to threats.

About the author: Tamer Baker is the VP of global healthcare at Forescout.