Understanding and Mitigating Cyber Attack Risks in Healthcare
Threat categories: malicious software (+ destructive), targeted attacks, data theft and insider leaks
Business impact:
• $8.9M average annual spend to protect from, detect, and recover from attacks
• 1.8 successful attacks experienced every week
• $165B cumulative cybersecurity spend by 2023
http://www.ponemon.org/library
http://www.norse-corp.com/HealthcareReport2014.html
http://www.nist.gov/cyberframework/index.cfm
http://www.verizonenterprise.com/DBIR/2014/
HIPAA Breach Summary
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
90,196
Continuous Monitoring
http://www.microsoft.com/security/cybersecurity/default.aspx#!Overview
http://download.microsoft.com/download/7/2/3/723a663c-652a-47ef-a2f5-91842417cab6/Establishing_End_to_End_Trust.pdf
http://aka.ms/CSRT
http://aka.ms/securitytrendshealthcare
The security trends that are identified in this report result from anonymized data that was collected from 12,000 respondents to a survey that was conducted during the period of November 2012 to February 2014. The trends are representative of a worldwide sample.
Security Trends in Healthcare
• Server sprawl caused by dedicating servers to single applications
• Data center downtime costs approximately $5,600 per minute
• Security and compliance is considered among the top concerns for IT
• Infrastructure complexity caused by multiple disparate systems, making management difficult
• 70% of IT budget is spent maintaining inflexible and siloed data center equipment
Cloud Provisioning and Deprovisioning: infrastructure, servers, virtual machines, applications and services
Monitoring and Remediation: infrastructure, servers, virtual machines, applications and services
Maintenance and Patching: infrastructure, servers, virtual machines, applications and services
Security and Disaster Recovery: infrastructure, servers, virtual machines, applications and services
Service Management, Compliance, and Reporting
• Service catalog
• Reporting
• Change management
• Capacity management
Current Environment and Issues
• Internal manual processes: lack of consistency, compliance
• Internal outsourced processes: lack of consistency, compliance, know-how
• Custom scripts: high customization costs to support heterogeneous technological landscape
• Vendor-specific tools: lack of standards, unified management, consolidated error handling
Automated data center
Event Management, Service Desk, Asset/CMDB, Configuration/IDM
Virtual, Security, Storage, Server, Network
Incident Response, Change & Compliance, Provisioning, Application Service Monitoring, VM Lifecycle Management
http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2/
http://www.microsoft.com/services
Microsoft Cloud Transformation: Making Cyberworld Secure
20+ Data Centers
Trustworthy Computing Initiative
Security Development Lifecycle
Global Data Center Services
Malware Protection Center
Microsoft Security Response Center
Windows Update
1st Microsoft Data Center
Active Directory
SOC 1
CSA Cloud Controls Matrix
PCI DSS Level 1
FedRAMP/FISMA
UK G-Cloud Level 2
ISO/IEC 27001:2005
HIPAA/HITECH
Digital Crimes Unit
SOC 2
E.U. Data Protection Directive
Operations Security Assurance
HITRUST
Processes: best practices to ensure safe design and operation of data centers and cloud services
People: best-in-class security professionals
Technology: leading edge security and privacy technology, across the cloud stack
Take a proactive approach against the expanding threat landscape
• Security embedded in systems and software (SDL)
• Predictable operations and security controls through OSA
• “Assume breach” strategy
• Deep understanding of new threats and attack vectors
• Centralized monitoring and logging
• Sophisticated intrusion detection controls
• Anti-virus and anti-malware
• Patch management
• Protected networks
• Encrypted data
• Incident response team works 24/7
• Redundant, resilient backup
• Integrated teams of security specialists
Threat and vulnerability management, monitoring, and response across all layers:
• Network perimeter: edge routers, intrusion detection, vulnerability scanning
• Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
• Host: access control and monitoring, anti-malware, patch and configuration management
• Application: secure engineering (SDL), access control and monitoring, anti-malware
• Data: access control and monitoring, file/data integrity
• User: account management, training and awareness, screening
• Facility: physical controls, video surveillance, access control
http://aka.ms/OSA
Prevent Breach: threat model, code review, security testing
Assume Breach: war game exercises, live site penetration testing, centralized security logging & monitoring
Assume breach identifies & addresses potential gaps:
• Scope ongoing live site testing of security response plans to drastically improve mean time to detection & recovery
• Reduce exposure to internal attack (ensuring once inside, attackers do not have broad access)
• Periodic environment post breach assessment & clean state
http://www.verizonenterprise.com/DBIR/2014/
The Red Team is a dedicated adversary (a group of ethical hackers) performing targeted and persistent attacks against Microsoft Online Services (Microsoft’s own properties).
The role of the Red Team is to attack and penetrate environments using the same steps as an adversary’s kill chain:
http://go.microsoft.com/fwlink/?linkid=518599&clcid=0x409
Key metrics captured when Red Team performs their breaches:
• Mean Time to Compromise (MTTC)
• Mean Time to Privilege Escalation or “Pwnage” (MTTP)
The Blue Team is composed of either a dedicated set of security responders or members from across the security incident response, Engineering and Operations organizations. Regardless of their make-up, they are independent and operate separately from the Red Team.
When an adversary, such as a Red Team, has breached an environment, the Blue Team must:
http://go.microsoft.com/fwlink/?linkid=518599&clcid=0x409
Key metrics evaluated by the Blue Team include:
• Estimated Time to Detection (ETTD)
• Estimated Time to Recovery (ETTR)
War game exercises
Blue teaming
Red teaming
Monitor emerging threats
Execute post breach
Insider attack simulation
All organizations can benefit from adopting similar security strategies for combating emerging and evolving threats
http://go.microsoft.com/fwlink/?linkid=518599&clcid=0x409
ISO 27001:2013 and ISO 27018 Yes Yes Yes Yes
HIPAA BAA Yes Yes Yes Yes
FDA Title 21 CFR Part 11 Yes Yes Early evaluation No
HITRUST Yes No Early evaluation No
FedRAMP P-ATO Yes Yes In Process N/A
EU Model Clause Yes Yes Yes Yes
Article 29 WP Yes Yes Yes Yes
PCI DSS N/A Yes N/A N/A
UK G-Cloud Yes Yes Yes In Process
SOC 1 Type 2 - (SSAE 16 / ISAE 3402) Yes Yes Yes Yes
SOC 2 Type 2 - (AT Section 101) Yes Yes In Process Yes
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FedRAMP
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance
ISO/IEC 27018 (ISO 27018), an extension of ISO 27001, strengthens data privacy by adding key protections for sensitive customer information stored in the cloud. Published July 30, 2014 by the International Organization for Standardization (ISO), it sets forth guidelines for cloud service providers concerning Personally Identifiable Information (“PII”).
ISO 27018 is a code of practice governing the processing of personal information by cloud service providers. It outlines a stronger, industrywide framework of six key principles under which a CSP must operate:
1. Consent. Cloud providers must not process the personal data they receive for purposes independent of the customer’s instructions, and they must not use that personal data for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
2. Control. Customers have explicit control of how their information is used.
3. Transparency. Cloud providers must inform customers where their data resides and make clear commitments about how that data is handled.
4. Accountability. The standard asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of PII.
5. Communication. In case of a breach, cloud providers should notify customers and regulators, and keep clear records about the incident and the response to it.
6. Independent and periodic audit. A successful third-party audit of a cloud service’s compliance with ISO 27018 documents the service’s conformance with the standard, and can then be relied upon by the customer to support its own regulatory obligations. To remain compliant, the cloud service provider must subject itself to periodic third-party reviews.
Address Cybersecurity at its Foundational Roots
• Run latest Microsoft & third party products
• Implement good patch management practices
• Align Active Directory to current threat environment
• Assess threats & countermeasures of the IT infrastructure and operational practices
• Implement secure software development practices
• Apply security practices during all phases of development
03.02.14
Value Added Product Offerings: BitLocker / Azure Rights Management / Microsoft Identity Manager / Azure AD
Services: PhoneFactor and Multi-factor Authentication
Protect Microsoft & Showcase Learnings
Remote Security Incident Report
Online Security Incident Response
Advisory Services
Security Solutions & Consulting
Advanced Tools & Technologies
MCS Cybersecurity Services
http://www.microsoft.com/security/online-privacy/default.aspx
Top-35 Cyber Mitigations
Mitigating PtH Attacks and other Credential Theft Techniques
EMET
www.microsoft.com/sir
www.microsoft.com/sdl
www.microsoft.com/twc
blogs.technet.com/security
www.microsoft.com/trustedcloud
Microsoft Health - www.microsoft.com/health
© 2014 Microsoft Corporation. All rights reserved. The information herein is for informational purposes only and represents the current view of Microsoft
Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
• Modernize health LOB applications
• Storage of patient data in the cloud
• Mobile health worker
• Business analytics on medical data
• Medical imaging in the cloud
• EMR in the cloud
• Health application access anywhere
• IoT: human and ambient sensors
• Medical and clinical research
www.microsoft.com/health