Cyber resilience is a concept that most organizations are familiar with. It is defined as the ability to withstand and recover from adverse events that have the potential to impact an organization’s information systems and IT resources.
Hospitals, of course, are no strangers to this need and most have sophisticated downtime procedures in place to keep patient care operational in the event that EHRs, PACS and other clinical systems are affected by an incident.
But while downtime procedures and other incident response procedures that support cyber resilience often include information security components, organizations often forget to ask an important question: how resilient is my organization if one of my cybersecurity tools or controls were to suffer an adverse event?
If a healthcare organization were to suddenly lose EDR telemetry, a firewall were to be breached, or a zero-day inconveniently left a system vulnerable, is there sufficient cyber resilience in security controls to ensure the organization remains protected?
While issues like the recent CrowdStrike event, which disabled Microsoft systems worldwide, have put this issue on the minds of many hospitals, it’s important to remember that controls don’t just fail in major events.
In fact, security controls fail all the time, and attackers are often adept at bypassing common security tools.
Hospitals need to develop robust security strategies and architectures that account for control failures to ensure they have created a security program that is resilient enough to withstand adverse events and protect the patients in their care.
To achieve an effective level of cyber resilience for security controls, healthcare organizations should begin to consider incorporating some of the approaches detailed below:
Measuring control effectiveness
Many of the standards followed by the security industry today are useful for establishing minimum baselines on what security controls are necessary to keep an organization secure, but one of the limitations of these standards is that they tend to focus on the existence of the control rather than its effectiveness.
Being able to verify the existence of a firewall is very different from empirically evaluating the effectiveness of the firewall’s rule set against attacker behavior such as data exfiltration or command and control establishment.
Adopting approaches such as evidence-based security can help organizations assess the effectiveness of their controls against attacker techniques and help them identify any areas where controls are not working as well as expected.
This is especially critical because controls fail more often than many organizations realize: one study estimates that controls like EDR stop attacks only 39% of the time.
These approaches to measuring security are critical, as it is through identifying weaknesses that we often find the greatest opportunities for improvement. Ensuring that the controls we have in place are operating at an acceptable level of effectiveness is the first step towards control resilience, as it ensures that our defenses do not fail immediately.
Remove bypasses
Related to the above, a common problem with many security tools and controls is that even if a control can be shown to have a high level of effectiveness against common attack techniques, attackers often have means to bypass the controls in their playbooks, such as booting into safe mode to bypass EDR or using DNS tunneling to mask command and control and bypass egress filtering.
As security professionals, we need to identify and work to eliminate all the different ways that controls can be bypassed. In the case of safe mode, we might block the bcdedit command from running, and in the case of DNS tunneling, we might add controls to block lookups for domains that are not categorized as safe, or generate detections for DNS requests or responses that are of an unusual size.
While evasions can vary from tool to tool, no security tool is perfect and all tools can be evaded in some way. The more proactive we are in identifying and removing an evasion, the more we can ensure that attackers are forced to deal with the effectiveness of our controls, rather than taking the easy way out.
After all, a control that can be easily bypassed is not much of a control and will not provide much resistance against an attack.
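The DNS tunneling detection described above (unusually long or random-looking names, oversized responses, many unique subdomains under one zone) can be prototyped against resolver logs. The block below is an added example for this article, not code from the original page; the log format, the domain names, the client addresses and the thresholds are all constructed for illustration and should be mapped onto your own resolver's export (Zeek dns.log, BIND querylog, Windows DNS analytic log) and tuned against a baseline of normal traffic.

```python
"""Heuristic detection of DNS tunneling from query logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample in the form "<ts> <client_ip> <qname> <qtype> <response_bytes>".
SAMPLE_LOG = """\
2024-09-01T10:00:01 10.20.1.15 www.example-hospital.org A 96
2024-09-01T10:00:02 10.20.1.15 update.vendor.example A 112
2024-09-01T10:00:03 10.20.1.42 6d3f9a1c0b7e4e2a8f5d1c3b9a7e6f4d.tun.example TXT 1400
2024-09-01T10:00:03 10.20.1.42 1e7a2b3c4d5e6f708192a3b4c5d6e7f8.tun.example TXT 1380
2024-09-01T10:00:04 10.20.1.42 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tun.example TXT 1410
2024-09-01T10:00:05 10.20.1.15 mail.example-hospital.org MX 140
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Thresholds are assumptions for illustration; derive real values from your own baseline.
MAX_QNAME_LEN = 40         # ordinary hostnames are much shorter than tunnel names
MIN_LABEL_ENTROPY = 3.5    # bits per character; hex/base32 payload labels run high
MAX_RESPONSE_BYTES = 1000  # large TXT answers are the downstream channel
MIN_UNIQUE_SUBDOMAINS = 3  # a tunnel burns through unique names under one zone


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qname, qtype, size = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "size": int(size)}


def registered_zone(qname):
    """Naive zone cut (last two labels); use a public-suffix list in production."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def score_query(rec):
    """Per-query indicators; returns a list of reason strings (empty means clean)."""
    reasons = []
    qname = rec["qname"]
    first_label = qname.split(".")[0]
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long qname")
    if len(first_label) >= 16 and shannon_entropy(first_label) >= MIN_LABEL_ENTROPY:
        reasons.append("high-entropy label")
    if rec["size"] > MAX_RESPONSE_BYTES:
        reasons.append("oversized response")
    return reasons


def detect_tunneling(log_text):
    """Return one alert per (client, zone) that trips per-query or volume checks."""
    per_query = defaultdict(list)
    subdomains = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], registered_zone(rec["qname"]))
        subdomains[key].add(rec["qname"])
        per_query[key].extend(score_query(rec))
    alerts = []
    for key, names in subdomains.items():
        reasons = sorted(set(per_query.get(key, [])))
        if len(names) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many unique subdomains")
        if reasons:
            alerts.append({"client": key[0], "zone": key[1], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['zone']}: {', '.join(alert['reasons'])}")
```

Grouping by (client, zone) rather than alerting per query keeps the volume check meaningful and limits noise from legitimate services that also use long or random-looking labels (CDNs and some telemetry endpoints do); those belong on an allowlist evaluated before scoring.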
Vulnerability management
When most healthcare organizations think about vulnerability management, they think about identifying all the places where a patch may be needed and making plans to apply the missing patch in a timely manner. While patching is a fundamental security best practice and something that should be done whenever possible, hospitals should not rely solely on patching as a means of keeping systems secure.
Organizations need to begin to broaden the definition of vulnerability management to include more than just patching and start asking what compensating controls could be put in place to mitigate successful exploitation of this vulnerability.
For example, if we consider a vulnerability like Log4J in the context of compensating controls, we can see that successfully exploiting this vulnerability requires outbound LDAP communications. Therefore, applying outbound filtering to our system is a compensating control that could be used to mitigate Log4J.
So, if we were to patch Log4J and apply outbound filtering, we would find that we not only had a defense-in-depth control in place to protect against Log4J, but we had also improved our cyber resilience against any future zero-days that might also require outbound communications.
Furthermore, these benefits are far from unique to Log4J mitigation. Disabling the print spooler on systems that did not need it, in response to PrintNightmare, is another example of a compensating control that also protects against exploitation of future vulnerabilities in the Windows print spooler.
Asking the compensating control question allows us to identify and build the appropriate security and system hardening architectures needed to mitigate future vulnerabilities that may not be patched.
As zero-day attacks are increasingly used to compromise organizations, we must go beyond simply applying patches and create hardened architectures that protect the organization when no patch is available or a tool has been evaded.
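The outbound filtering compensating control described in this section works because it is generic: a default-deny egress policy blocks the LDAP callback a Log4J exploit needs regardless of which port the attacker chooses, and blocks the same step in any future vulnerability that needs a callback. The block below is an added example for this article, not code from the original page; it models such a policy in Python so the behaviour can be checked before it is translated into real firewall rules. The zones, addresses, allow rules and sample flows are all constructed for illustration.

```python
"""Default-deny egress policy model (added example)."""
import ipaddress

# Constructed internal zones. Anything not matched by an allow rule is denied.
ZONES = {
    "app_servers": ipaddress.ip_network("10.10.20.0/24"),
    "workstations": ipaddress.ip_network("10.10.50.0/24"),
}

# Permitted outbound flows as (source zone, destination network, protocol, port).
ALLOW_RULES = [
    ("app_servers", ipaddress.ip_network("10.10.30.0/24"), "tcp", 5432),  # database tier
    ("app_servers", ipaddress.ip_network("10.10.1.10/32"), "tcp", 443),   # internal update proxy
    ("app_servers", ipaddress.ip_network("10.10.1.53/32"), "udp", 53),    # internal resolver only
    ("workstations", ipaddress.ip_network("0.0.0.0/0"), "tcp", 443),      # web browsing
    ("workstations", ipaddress.ip_network("10.10.1.53/32"), "udp", 53),
]


def zone_of(src_ip):
    """Name of the zone containing src_ip, or None if it is not in any zone."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, port):
    """Return (decision, reason). Default deny; the first matching allow rule wins."""
    zone = zone_of(src_ip)
    if zone is None:
        return ("deny", "unknown source zone")
    dst = ipaddress.ip_address(dst_ip)
    for rule_zone, net, rule_proto, rule_port in ALLOW_RULES:
        if rule_zone == zone and rule_proto == proto and rule_port == port and dst in net:
            return ("allow", f"{rule_zone} -> {net} {proto}/{port}")
    return ("deny", f"no allow rule for {zone} -> {dst_ip} {proto}/{port}")


# Constructed flows: the LDAP callback a Log4J exploit would need from an app
# server to an external host, plus the traffic that server legitimately needs.
SAMPLE_FLOWS = [
    ("10.10.20.15", "203.0.113.7", "tcp", 389),   # LDAP callback, standard port
    ("10.10.20.15", "203.0.113.7", "tcp", 1389),  # LDAP callback, non-standard port
    ("10.10.20.15", "10.10.30.5", "tcp", 5432),   # database
    ("10.10.20.15", "10.10.1.10", "tcp", 443),    # update proxy
    ("10.10.50.22", "203.0.113.7", "tcp", 443),   # workstation browsing
]


def audit(flows):
    """Evaluate each flow; returns (flow, decision, reason) tuples."""
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, decision, reason in audit(SAMPLE_FLOWS):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {decision} ({reason})")
```

The point of the model is that the two callback attempts are denied for the same reason as any other unexpected flow: there is no allow rule, not a blocklist entry for port 389. Note that the app server zone is only permitted DNS to the internal resolver, which is the hook for the DNS tunneling detections discussed earlier.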
Defense in depth
Defense in depth is a long-established best practice in the security space, but it is not always analyzed in sufficient depth from the perspective of failures of an entire class of control or from the perspective of failures in the supply chain.
Failure mode analysis is becoming increasingly important as vendors increasingly try to lure organizations with the promise that “my product can do all of this in a single pane of glass.” For example, in light of the recent CrowdStrike event, it is not unreasonable to wonder what would happen if we lost access to EDR and the detections it provides.
Does the organization have a deep enough defense in place that we won’t miss a security issue on an endpoint? Perhaps the organization has a secondary source of detection through an MDR or XDR system that provides a layer of defense in depth, or perhaps Sysmon logging and central log collection are used as a secondary detection set?
Defense in depth should be implemented in a way that not only provides layers of security, but resilient layers of security in case an entire class of control is lost, or worse, an entire security stack is lost due to a common vendor. Control sets should be analyzed to identify single points of failure that would leave an organization blind or unable to stop an attack and defense in depth should be applied in a way that mitigates the impact.
System diversity
When considering the defense-in-depth strategies described above, we must be careful that there is some diversity built into the security control sets.
While having a single pane of glass has definite advantages, such as the potential for cost reduction, simplified administration, better integration between different functions, etc., it is important to note that having everything from a single source also has the potential to exacerbate any failures.
This could be a major supply chain failure, where multiple security functions could be lost simultaneously if the supplier experiences a problem, but it could also cause more fundamental day-to-day failures.
If we buy our entire stack from vendor A, and vendor A doesn’t yet have a way to detect a new threat, we likely won’t be able to detect the threat at all levels.
If we have some diversity of product sets (e.g. if we have EDR and XDR from different vendors, or if we have different brands of internal and perimeter firewalls, etc.), there is a higher probability of detecting a threat even if vendor A cannot. System consolidation makes sense in many cases. It just needs to be done in a way that maintains resilience where it is needed.
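The failure mode analysis in the "Defense in depth" section and the vendor diversity check in this section are the same exercise: take an inventory of controls, note what each one covers and who supplies it, then ask what goes dark if a single control, an entire control class, or an entire vendor is lost. The block below is an added example for this article, not code from the original page; the control inventory, the vendor names and the attack stages are constructed placeholders to be replaced with your own.

```python
"""Single-point-of-failure and vendor-diversity analysis of a control stack (added example)."""

STAGES = ["initial_access", "execution", "persistence",
          "lateral_movement", "command_and_control", "exfiltration"]

# Constructed inventory: each control has a vendor, a class, and the stages it
# can detect or block. VendorA/B/C are placeholders, not real suppliers.
CONTROLS = [
    {"name": "EDR agent", "vendor": "VendorA", "class": "endpoint",
     "stages": {"execution", "persistence", "lateral_movement"}},
    {"name": "Sysmon + SIEM", "vendor": "VendorB", "class": "logging",
     "stages": {"execution", "persistence"}},
    {"name": "Perimeter firewall", "vendor": "VendorA", "class": "network",
     "stages": {"command_and_control", "exfiltration"}},
    {"name": "DNS filtering", "vendor": "VendorC", "class": "network",
     "stages": {"command_and_control"}},
    {"name": "Email gateway", "vendor": "VendorA", "class": "email",
     "stages": {"initial_access"}},
]


def coverage(controls, exclude=lambda c: False):
    """Map each stage to the controls still covering it after excluding some."""
    cov = {stage: [] for stage in STAGES}
    for c in controls:
        if exclude(c):
            continue
        for stage in c["stages"]:
            cov[stage].append(c["name"])
    return cov


def uncovered(controls, exclude=lambda c: False):
    """Stages with no remaining control once the excluded ones are lost."""
    return [s for s, names in coverage(controls, exclude).items() if not names]


def failure_modes(controls):
    """Simulate losing each vendor, each control class and each single control."""
    report = {}
    for vendor in sorted({c["vendor"] for c in controls}):
        report[("vendor", vendor)] = uncovered(controls, lambda c, v=vendor: c["vendor"] == v)
    for cls in sorted({c["class"] for c in controls}):
        report[("class", cls)] = uncovered(controls, lambda c, k=cls: c["class"] == k)
    for ctrl in controls:
        name = ctrl["name"]
        report[("control", name)] = uncovered(controls, lambda c, n=name: c["name"] == n)
    return report


def single_points_of_failure(controls):
    """Stages covered by exactly one control, mapped to that control."""
    return {stage: names[0] for stage, names in coverage(controls).items() if len(names) == 1}


def vendor_diversity(controls):
    """Distinct vendors covering each stage; a single vendor is a shared-supplier risk."""
    vendors = {stage: set() for stage in STAGES}
    for c in controls:
        for stage in c["stages"]:
            vendors[stage].add(c["vendor"])
    return {stage: sorted(v) for stage, v in vendors.items()}


if __name__ == "__main__":
    for (kind, who), gaps in failure_modes(CONTROLS).items():
        if gaps:
            print(f"lose {kind} {who!r}: blind to {', '.join(gaps)}")
    print("single points of failure:", single_points_of_failure(CONTROLS))
    print("vendor diversity:", vendor_diversity(CONTROLS))
```

Run against the constructed inventory, the report shows that losing VendorA removes every control covering initial access, lateral movement and exfiltration at once, even though execution and command-and-control survive. That is the shape of finding the text warns about: layers exist, but the layers share a supplier.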
Zero trust
While zero trust and the various techniques it encompasses, such as microsegmentation, can be applied as compensating controls to help achieve many of the goals already discussed, they are also worth highlighting separately.
When zero trust principles are applied to system hardening guidelines and system architectures, it becomes an excellent way to build security resilience into systems.
At its core, zero trust assumes that everything can be compromised and works to proactively mitigate threats by ensuring that every person and every device has the least amount of access possible to do their job. Establishing a zero trust mindset and using zero trust principles will help improve the security resilience of systems.
While the above list should not be considered exhaustive in terms of what can be done to improve the resilience of security controls, it should help outline some of the key ways in which security resilience should be considered in the security strategies and architectures used by healthcare systems.
It is critical to patient safety that security control sets are designed to be resilient enough to withstand ransomware and other cyberattacks that result in adverse events in patient care.