Show me some value, quickly
Company: Health system, 90+ affiliated hospitals
Healthcare is, by many reports, the most targeted sector for cyberattacks. Patient data continues to fetch a good price and so remains an attractive target for attackers. With the growing use of wearables and the continuing adoption of “cloud” systems, the attack surface is growing, and with it the number of potential issues a security team has to deal with.
Between vulnerability scanning, annual penetration testing, attack surface management, red teaming, code reviews, and various other controls, this provider was running multiple tools and receiving thousands of issues to deal with each month. This raised two problems that had to be solved constantly:
- What to actually focus on first and why?
- How to deal with it?
The list of issues continued to grow and at the same time the organization was undertaking new initiatives, launching new services, and adopting more technologies.
Every week someone is trying to sell us a tool that will solve all our problems, so unless you can show me some value quickly…
The CISO was referred to OccamSec by a peer in the industry who had seen significant security program improvements by working with the Incenter platform.
The CISO jumped on a call with members of the OccamSec team to discuss the issues she was facing, and it was concluded that Incenter might be of use. A proof of concept was scheduled, and once the targets were provided the system was active within an hour.
Three high-risk issues were found in the first round of testing: one via automated testing and two through manual testing. The automatically identified issue was considered critical due to its compliance impact; the two manually identified items were both used in exploit chains to gain administrative access on a system and ultimately breach key internal systems.
After the success of the initial testing Incenter was provisioned to examine all of the network and applications.
Incenter’s business context functionality was used to answer the question of “what to actually focus on?”. Using data from organizational departments on key assets, exposures were assessed not just in terms of technical severity but also in terms of potential business impact.
As with many organizations, there was no accurate asset inventory, and knowledge of key systems was dispersed among multiple teams. The OccamSec team worked with the client to identify those assets, using both our intelligence capabilities to collect OSINT on the client systems and discussions with various client personnel. The relevant data was quickly captured and stored in Incenter.
Testing was ongoing, combining automated testing with manual testing. Automated testing identified a range of vulnerabilities. Automated validation was able to eliminate false positives and the business context data, combined with any relevant threat intelligence, helped ensure only issues with the potential for a serious impact were flagged for remediation.
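The prioritization described in the two paragraphs above, namely dropping findings that fail validation, weighting the remaining ones by the business criticality of the affected asset and by threat intelligence, and surfacing hosts that are missing from the inventory, can be sketched as a small triage routine. The following is an added example written for this page; it is not Incenter’s code or OccamSec’s method, and the findings, asset inventory, threat-intel flags, weights and threshold are all constructed for illustration.

```python
"""Business-context vulnerability triage (added illustration, not Incenter code).

All data below is constructed: the findings, the asset inventory, the
exploited-in-the-wild flags, and the scoring weights are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed weights: technical severity from the scanner, business criticality
# tier from the asset inventory, and a bump for findings under active exploitation.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"tier1": 3, "tier2": 2, "tier3": 1}
EXPLOITED_BONUS = 3
REMEDIATION_THRESHOLD = 8  # assumed cut-off for "flag for remediation"


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str            # scanner's technical severity
    validated: bool          # False means automated validation judged it a false positive
    exploited_in_wild: bool  # from a (constructed) threat-intel feed


# Constructed asset inventory: host -> (owning department, business criticality tier).
# In practice this is the data gathered from departments and OSINT described above.
ASSETS: Dict[str, Tuple[str, str]] = {
    "ehr-app-01": ("Clinical Systems", "tier1"),
    "billing-db-02": ("Revenue Cycle", "tier1"),
    "kiosk-07": ("Facilities", "tier3"),
    "dev-test-03": ("IT", "tier3"),
}

# Constructed sample findings from a scan cycle.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-1", "ehr-app-01", "high", True, True),
    Finding("F-2", "billing-db-02", "critical", False, False),  # failed validation
    Finding("F-3", "kiosk-07", "critical", True, False),
    Finding("F-4", "dev-test-03", "medium", True, False),
    Finding("F-5", "legacy-09", "high", True, True),            # host not in inventory
    Finding("F-6", "billing-db-02", "medium", True, False),
]


def risk_score(f: Finding, assets: Dict[str, Tuple[str, str]] = ASSETS) -> int:
    """Combine technical severity with business criticality and threat intel.

    A host missing from the inventory is scored at the middle tier rather than
    ignored, so an inventory gap cannot silently hide a real exposure.
    """
    _dept, tier = assets.get(f.host, ("unknown", "tier2"))
    score = SEVERITY_WEIGHT[f.severity] * CRITICALITY_WEIGHT[tier]
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    return score


def triage(findings: List[Finding],
           assets: Dict[str, Tuple[str, str]] = ASSETS,
           threshold: int = REMEDIATION_THRESHOLD) -> List[Tuple[str, str, int]]:
    """Return (finding_id, host, score) for findings flagged for remediation,
    highest priority first. Unvalidated findings are dropped as false positives."""
    scored = [(f.finding_id, f.host, risk_score(f, assets))
              for f in findings if f.validated]
    scored.sort(key=lambda row: row[2], reverse=True)
    return [row for row in scored if row[2] >= threshold]


def unknown_hosts(findings: List[Finding],
                  assets: Dict[str, Tuple[str, str]] = ASSETS) -> Set[str]:
    """Hosts that appeared in findings but are absent from the asset inventory;
    these are the inventory gaps that need an owner and a criticality tier."""
    return {f.host for f in findings if f.host not in assets}


if __name__ == "__main__":
    for finding_id, host, score in triage(SAMPLE_FINDINGS):
        print(f"{finding_id} on {host}: score {score}")
    print("inventory gaps:", sorted(unknown_hosts(SAMPLE_FINDINGS)))
```

With the constructed data, the critical finding on the low-criticality kiosk scores below the threshold while the high finding on the EHR application, which is both on a tier-1 asset and under active exploitation, lands at the top; the unvalidated finding never enters the ranking at all, and the host missing from the inventory is reported separately so it can be added to the asset data rather than left unowned.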
In several cases automated testing identified possible issues that required manual testing to investigate. This included a vulnerability that was initially identified as not being exploitable, but subsequent testing by the OccamSec team led to the development of a proof of concept exploit which was utilized to gain full access to a target system.
Manual testing continued, and considerable time was spent investigating a number of areas. While automation continues to provide time savings, there is still a need for manual penetration testing to uncover complex, hard-to-find issues.
The noise has been reduced; where we were once chasing down hundreds of vulnerabilities, we now focus on the ones that will actually have an impact. This has freed up personnel to make progress on other security program initiatives.
As the engagement progressed, the security team found themselves spending less time chasing down vulnerabilities and more time fixing critical issues and working on other areas that required attention.
Through the use of Incenter, the security team is now able to identify and remediate the most important business-impacting security issues over 300% faster than with their previous process.
They are also now able to continuously assess and monitor every application and key part of their network environment, and to be alerted immediately on new security issues. A further point of value is that they can produce security assessment reports on demand for internal management, auditors and other third parties.
Incenter has allowed the healthcare provider to decommission some legacy security products whose capabilities (and more) are included within the platform, helping reduce cost and free up security staff resources.