September 28, 2023
Amazon Invests $4 Billion into the AI Space with Anthropic
Money is pouring into AI at a record pace.
Joshua Koszalkowski
Contributing Writer
Amazon has joined the ranks of Google and Microsoft with its latest investment in artificial intelligence. The e-commerce giant committed $4 billion to the AI startup firm Anthropic, giving it minority ownership in the company.
Why it matters: This investment marks a major shift for Amazon as it looks to become a forerunner in the generative AI space. It also gives Anthropic momentum as the small startup attempts to compete with OpenAI, the developer of ChatGPT. In this strategic collaboration, Anthropic has also selected Amazon Web Services (AWS) as its primary cloud provider. Anthropic also plans to give its customers first access to select features for model customization and greater fine-tuning capabilities.
Amazon has been diligently working to catch up with Microsoft, which has invested billions in OpenAI, and with Google. The company’s investment in Anthropic is a significant step in the right direction.
AWS customers who wish to build on Anthropic’s AI models will have the option to do so with Amazon Bedrock. This is a service that allows users to construct generative AI applications in the cloud through existing models instead of having to train their own.
As part of the agreement, Amazon will also become Anthropic’s source for custom chips for use in training and deploying its unique AI systems. This partnership will give the e-commerce giant a leg up in the race against Nvidia.
Go Deeper —> Amazon to invest up to $4 billion in Anthropic, a rival to ChatGPT developer OpenAI – CNBC
September 27, 2023
NYU Langone Health’s MCIT Department of Health Informatics, Institute for Innovation in Medical Education and Institute for Excellence in Health Equity held their first Generative AI Prompt-A-Thon in Health Care this past month.
During the event, teams of clinicians, educators and researchers worked together to find artificial intelligence-powered solutions to healthcare challenges using real-world, de-identified patient data.
The event addressed large language models (LLMs) that predict likely options for the next word in any sentence, paragraph or essay, based on how real people used words in context billions of times in documents on the internet.
Also called generative AI, LLM systems randomly fill in a mix of probable next words to give a feeling of variety and creativity. A side effect of this next-word prediction is the models are "skillful" at summarizing long texts, extracting key information from databases, and generating human-like conversations as chatbots.
Despite these advancements, such AI programs do not think, and can produce conclusions and references that do not exist, Prompt-A-Thon organizers said. Thus, they require close supervision by human users, especially in healthcare, where the technology has the potential to increase safety and improve care.
THE PROBLEM
"The problem we faced was how to engage members of our workforce that might have transformative uses for generative AI and might not be technologically savvy enough to participate in our other capacity-building initiatives like exploratory access or mentored projects," said Dr. Jonathan Austrian, associate chief medical information officer, inpatient informatics, at NYU Langone Health.
"These other initiatives worked well for highly motivated colleagues who solely needed our HIPAA-compliant, patient-secure NYU GPT to safely experiment with real-life clinical data or proprietary research ideas," he explained. "Our mentored projects were ideal for researchers, educators and clinicians who already had a more well-formed idea to leverage generative AI and required mentorship from our data scientist team to shepherd their ideas to the next level."
The gap was those frontline clinicians, researchers, educators and operational leaders who understand the problems the health system faces but need some concentrated time and in-person support to connect generative AI with those challenges. There was significant demand from the workforce to close this gap, and the fastest and most efficient means of meeting that demand was through an event coined a prompt-a-thon, Austrian said.
PROPOSAL
The Generative AI Prompt-A-Thon in Health Care was a mechanism to rapidly engage a large segment of the NYU Langone Health workforce in generative AI and, in parallel, publicize the health system's existing program of engagement initiatives to those who could not be accommodated by the prompt-a-thon.
The prompt-a-thon was intended to lower the barriers for the workforce to engage with generative AI. Staff highlighted the in-person nature of the event, at-elbow mentorship by generative AI experts and that no prior experience with generative AI was required.
Dr. Jonathan Austrian, NYU Langone Health
"Beyond engaging a larger segment of our workforce in generative AI, we also felt such an in-person event mixing different specialties, roles and experiences could create those novel ideas and relationships that drive innovation: a true community of learning," Austrian said.
RESULTS
The health system will be using the results of the Generative AI Prompt-A-Thon in many ways.
"First, the 70 people who participated in person and the more than 500 people who watched the webinar remotely are incorporated into our community of learners that we will continue to engage with access to GPT, updates on available technologies and additional approaches to leveraging generative AI," Austrian explained.
"Second, we anticipate many of the ideas generated during Prompt-A-Thon will be further refined by our community and will ultimately evolve into applications operationalized at NYU and disseminated to the world," he continued.
Third, the direct observations by mentors and results of the survey that was conducted will inform how the health system continues to build its internal capacity to leverage generative AI.
"We invited our health science library staff to observe the workshops, as they will be collaborating with us on formalizing a curriculum in generative AI," Austrian said. "Based on the success of the event, we will be doing Prompt-A-Thons on the road with smaller groups of researchers, educators, clinicians and members of our corporate services.
"And finally, we learned much about the technological infrastructure needed to support scalable, intensive use of generative AI," he said. "Specifically, we had 70 people synchronously prompting NYU GPT. Concurrently, in our command center, we had our data scientist team observing those interactions in real time to understand any error messages or processing delays."
NYU Langone Health's partners at Microsoft were also on site to help ensure participants had a seamless technological experience and the health system can scale the experience as it expands usage.
The preliminary results of the survey speak to the impact of the prompt-a-thon on attendees. Of the 62 who responded, 90% believe the prompt-a-thon increased how efficiently they could perform their job with generative AI. Eighty-four percent said they were likely to submit a healthcare-related generative AI project.
ADVICE FOR OTHERS
Austrian definitely recommends other healthcare organizations consider an event similar to the Generative AI Prompt-A-Thon in Health Care.
"For the introductory talks, we spent significant time describing the capabilities of generative AI and the important ethical and trust issues to consider when using generative AI," he recalled. "Next time, we will spend a little more time on prompt engineering basics.
"We had to strike a balance between having our mentors be engaged in the prompting groups without stifling innovation or disrupting the group dynamics," he continued. "We settled on one mentor for every two teams of four people per team. Given how new generative AI is, I recommend staffing one mentor per team. The 'blank' prompting page was overwhelming for some of our groups in the beginning."
Finally, Austrian said he cannot overstate the importance of having a strong technological infrastructure to accommodate a prompt-a-thon.
"Our IT department spent significant time stress-testing NYU GPT and developing creative solutions to load balance all the users," he concluded. "Sometimes, I felt like Captain Kirk speaking to our engineering team: 'Scotty, we need more compute!'"
Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
September 27, 2023
Few board directors at the most prominent U.S.-listed companies have direct experience with cybersecurity, presenting a challenge for how executives handle cyberattacks.
An analysis of board composition in companies in the S&P 500 index found that 88% have no cybersecurity expert as a director. Only seven companies had a current or former chief information security officer on their board, the research found, and in two cases, that was the same person.
“This lack of momentum in the boardroom continues to startle me,” said Dave DeWalt, founder and chief executive at venture-capital firm NightDragon, who also sits on the boards of Delta Air Lines and software company Five9. NightDragon and the Diligent Institute, the research and think-tank arm of executive software developer Diligent, conducted the study, published Thursday.
Cyber expertise was broadly defined as people who currently work or formerly worked in CISO roles; those who held senior technology positions, but not necessarily cyber roles; and those who had technology experience without having held senior positions.
About 52% of companies had a board director with some technology experience adjacent to cybersecurity. This includes people who sit on the boards of cyber companies or have an affiliation with a cybersecurity-related professional organization.
Cyber credentials on the board are now crucial for good governance, said Emily Heath, a general partner at VC firm Cyberstarts. Heath, a former security chief at United Airlines and tech provider DocuSign, sits on the boards of cyber companies Wiz and Gen Digital.
Directors, in their oversight role, are responsible for ensuring risks are properly managed, including cyber risk, Heath said. “You have to have that cyber knowledge and expertise to know what questions to ask,” she said.
The results of the Diligent/NightDragon study largely mirror similar research conducted by The Wall Street Journal in November 2022. That analysis found that only 86 of 4,621 board directors in S&P 500 companies had relevant experience in cybersecurity over the past 10 years.
Proposed rules from the U.S. Securities and Exchange Commission would have required companies to disclose which board members had cyber experience, although that provision was dropped from the final rules that went into effect on Sept. 5.
Directors say that it is often difficult to find the right candidates for a board-level position. Cybersecurity is a highly technical field and one in which executives have only recently been elevated to the senior leadership level. Board work demands wide business experience that many security chiefs lack, said Myrna Soto, founder and chief executive of consulting firm Apogee Executive Advisors.
Soto, who is also a director at Spirit Airlines, banking group Popular, and payroll and benefits administrator TriNet Group, said boards typically discuss cyber matters for a limited amount of time during their meetings. Other issues require their attention, and any cyber expert must be able to justify his or her seat by being able to contribute to those discussions.
“It is incredibly important that the candidates that will be on the docket to bring this type of expertise into the boardroom are very well-rounded business executives,” she said.
Solving this problem will take effort from boards and cybersecurity professionals, said NightDragon’s DeWalt. Security chiefs must expand their overall business knowledge, companies must elevate the CISO role to a true C-suite position, and boards must become better educated about cyber matters.
“I really want to see a continuous education requirement for cyber literacy in the boardroom,” he said.
Write to James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
September 26, 2023
Twin cyberattacks on MGM Resorts and Caesars Entertainment have provided a singular view into what happens when two similar organizations, under similar attacks by the same threat actor, pursue contrasting incident response strategies.
In this instance, both were victims of a Scattered Spider/ALPHV cyberattack. Caesars quickly negotiated with the attackers and handed over a $15 million ransom payment, which allowed it to resume business in relatively short order. MGM, meanwhile, flatly refused to pay, and has just announced that its operations have been restored after 10+ days of casino and hotel operational downtime (and tens of millions of dollars in lost revenue).
While it's tempting to make a judgment as to which approach is better, any direct comparison between the Caesars and MGM responses to the cyberattack is an oversimplification, experts say. For instance, Rob T. Lee, SANS Institute's chief curriculum director and faculty lead, emphasizes that the core principle of incident response is trying to make the "least worst decision." And this tends to be a complex decision that always has a positive and a negative (some would say brutal) set of outcomes.
He notes, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."
Whether or not to pay a ransom following a cyberattack is one of those no-win decisions incident responders are forced to make under intense pressure.
It's well documented that paying a ransom does nothing to guarantee data security or system recovery. Worse yet, it encourages future attacks by creating a market for these cybercrimes. But business risk decisions don't always turn on clear-cut choices of right vs. wrong, and expediency is always a consideration.
"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," says Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective."
However, Joseph Carson, chief security scientist and advisory CISO at Delinea, explains that there are other complexities at play. Companies that take a while to mull their options may decide that not paying makes more sense. In his experience, organizations have only about a four-day window to negotiate with ransomware threat actors before positions harden on both sides: after that, the attackers tend to become frustrated, and enterprise security teams dig into their position as well.
"There's a sunken-cost bias," security researcher Jake Williams added. "The further away from the incident they (cybersecurity response and recovery teams) get, the more entrenched they get in the recovery."
Recovery costs are another consideration, according to Carson. If recovery is painful but costs only a few million, that might be a better choice than an eight-figure extortion payment, he adds.
Evaluating MGM's and Caesars' overall incident responses broadly, Guenther explains that Caesars' reaction shows that keeping operations running was the priority, while MGM's response demonstrates that the organization is willing to endure short-term financial pain for long-term cybersecurity gains.
"MGM's choice not to pay the ransom, despite financial losses, might stem from a broader perspective on the implications of ransom payments," Guenther says. "The duration of their disruption might also reflect a comprehensive internal review and restoration process, ensuring all threats are fully mitigated."
Caesars' incident response, she adds, by comparison was "decisive."
"However, paying a ransom, while providing immediate relief, carries long-term considerations," Guenther adds. "The speed of their recovery post-payment suggests they had robust backup and restoration processes in place, but it also raises questions about their preventative measures leading up to the attack."
Experts widely acknowledge that both Caesars and MGM incident responses were capable under difficult circumstances and mitigated more widespread damage.
In terms of Caesars' ransom payment, Andrew Barratt, vice president at Coalfire, points out what a fraction the $15 million extortion payment is in the larger scheme of the organization's overall revenues.
"Caesars' payout works out to be around a 0.1% hit on their year-prior revenue, and that probably wouldn't even make their earnings call if it was another type of cost amortized over the period," Barratt says.
He adds that MGM's 10-day recovery time stacks up well against other organizations, in his experience.
"While it seems to have dragged on, I've seen incidents take upwards of a year to get fully resolved, and 10 days is not a terrible response for an organization with the complexity MGM inevitably has," Barratt adds.
Cybersecurity hygiene, system architecture, tools, and available talent pool aside, SANS Institute's Lee points out incident recovery is ultimately about as predictable as a pull on a slot machine.
"Just because Caesars recovered 'better' might not have anything to do with the ransom payment," Lee adds. "You cannot judge 'success' based on the outcome — they just might have been, using a Vegas term, luckier."