September 7, 2022: Healthcare is being slammed by cybersecurity challenges. What does the anatomy of a security breach look like? It is vital to be able to detect malicious behavior and understand what's normal and what's not normal. What strategies and solutions can be deployed to mitigate the threats? Today Todd Felker, Executive Healthcare Strategist at CrowdStrike, and James Case, VP and CISO at Baptist Health, talk about EDR (Endpoint Detection and Response), MDR (Managed Detection and Response) and IR (Incident Response). How are these tools addressing some of the challenges? What are the main "portals" for exfiltration? How does a "people-centric" approach protect organizations? What is the 1-10-60 framework?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Being able to detect malicious behavior, understand what's normal, understand what's not normal. So a lot of times you'll hear artificial intelligence and machine learning and that's a key component to most EDRs is their ability to be able to identify what is malicious. So you kind of have to be able to identify an attack, even if it's not a known vulnerability that's being exploited.
Welcome to our solution showcase. We are going to be talking today with CrowdStrike and Baptist Health, and we're gonna be talking about EDR and MDR and taking it to the next level. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast, you name it, we are there. Just head on over to one of those platforms and sign up there, or go ahead and go over to thisweekhealth.com and you can subscribe there as well. Now onto our show.
All right, today we have two great guests with us and we're gonna talk EDR and MDR. In fact, we're gonna start with what those mean. Today we have Todd Felker, executive healthcare strategist at CrowdStrike, and James Case, who is the chief information security officer at Baptist Health out of Jacksonville.
Gentlemen, welcome to the show. Thank you. I would love to start with what EDR and MDR and IR are, and we are gonna get to that in a minute, but where I wanna start is I wanna throw out to you guys: what does the anatomy of a breach look like? So we're gonna talk about a lot of these terms, but it's important to understand what it looks like. So anyone wanna take a stab at what the anatomy of a breach looks like?
Sure, I'll take that. So there are so many ways that the adversary can get in now that it really has eroded the whole concept of the perimeter of the network, which used to kind of be the demarcation point where all our security was, and we used to be okay to kind of have the soft chewy middle on the inside. Nowadays it just doesn't work. I mean, not only have we got the cloud and mobile devices and the teleworking and telemedicine, all this stuff that just kind of eroded the perimeter, but now we've just had so many vulnerabilities. The vulnerabilities, the CVEs we call them, go up every year, and the zero days, which means the vulnerabilities that are not publicly announced or there's not a patch for yet, have just risen significantly. So we have all these ways the adversaries can get in, from exploiting a web server that's got one of these vulnerabilities or zero days, to harvested credentials, to phishing, spear phishing, or even phishing with people's phones. There's a lot of ways they can get in. And so most CISOs like James, I think, kind of have the mentality of it's not if, but when, because they're gonna get in at some point.
So once they get in, I mean, there's a lot of different kinds of attacks. I think people think once they get in, they attack immediately, but in a lot of these attacks I'm looking at, the average time on network is significant. So it's not only gaining access. There's a whole process that goes on after that initial access, isn't there?
And living off the land, and yes, I mean, it's weeks and months. It's not days or hours, you know, like you would hope. And so they're lying low, seeing what's going on, seeing what traffic looks like. Essentially discovery, moving out, doing some lateral movement.
And then once they determine what their objectives are, they will go after those objectives. Cuz quite frankly, the first time they come in, they don't know your network, and it's complicated. They've gotta figure it out. They learn it. They do learn it. All right, let's go to the acronyms real quick. So we're gonna talk MDR and EDR. Let's start with EDR. James, what is EDR?
Well, I would say it is the next generation after the normal AV, right? So AV is kind of going away and EDR is here. It's been around, I think, in multiple forms. But at the end of the day, it's the whole next generation.
But I'm gonna make you say the words here, cuz you guys are killing me with these acronyms and I'm not gonna assume that everybody knows the acronyms. So EDR is detection and response. Yeah. Sorry, endpoint detection and response. MDR is managed detection and response, and IR, which we'll throw out every now and then, is incident response.
So these are the three things we're gonna talk about. We're gonna talk about how they've evolved, what they've evolved to, and how that's addressing some of the cybersecurity challenges that we've had. So how has the industry shifted over the last couple of years with regard to our approach to endpoint detection and response?
It's a matter of, some people will say that the endpoint is the new perimeter, is one of the things that I've heard. And so that's kind of where we're going to put our key visibility resources: being able to detect malicious behavior, understand what's normal, understand what's not normal. So a lot of times you'll hear AI and ML, some more acronyms for you, Bill: it's artificial intelligence and machine learning. And that's a key component to most EDRs, their ability to be able to identify what is malicious, especially with the prevalence of zero days that are continuing to happen. So you kind of have to be able to identify an attack, even if it's not a known vulnerability that's being exploited.
Yeah. I mean, not to go too far back, but it used to be we had signatures and we had things that were local to the computer, or even local to the network that we were looking at. And if we would see those things, we'd say, boom, we got one, we found one, that kinda stuff, protect us, remediate, that kinda stuff. EDR is much more sophisticated than that. It really is about coming to a central database. So if CrowdStrike has a hundred customers, it's actually aggregating all that data for those hundred customers to identify those attacks, creating those signatures immediately so that we're looking for those kinds of things. And it's not only signatures anymore. We're looking for behaviors, activities, all sorts of other things. So it's becoming much more a network protecting a network, isn't it? James, how is this different than what we used to do five to 10 years ago?
I mean, I think you described it perfectly, right? As far as the whole evolution. And I would say it's even gone so far as some cyber insurance companies even require EDR now. Like they won't write you a policy if there's no EDR. It's gotten that crazy, and that prescriptive. But yeah, I mean, it's definitely shifted in all the ways that you just described it, Bill.
So what are we looking at with this? What are some of the cybersecurity challenges that we're looking to address with this change? Is it speed? I mean, what are the primary things? Is it talent shortage? What things are we addressing with EDR at this point?
Well, EDR is much more advanced, and like you said, it's not signature based, so that's one huge advantage. So it evolves over time automatically, but also it has the history of what's happened on the machine. So if something goes wrong or if there's an attack, then we can see the history and go back and see what file caused what issue, as far as encryption or malware, and that's all part of the EDR. That's not part of a normal AV system.
So if you think about it this way: we have tens of millions of these sensors around the world in like 180 countries. And so anytime there's a company, like in a corner of Europe, that's being attacked, then that behavior and the indicators of attack, the indicators of compromise, are all immediately fed into our security cloud, the largest security cloud in the world. And so now you, in a little hospital somewhere in America, are gonna benefit from the intelligence gleaned off of that endpoint over in Europe. And that's the speed of the cloud. And I think that's what George Kurtz, our CEO, was looking for when he started this new philosophy on how to architect a security cloud.
Good point.
Earlier today I was talking to some people about the sophistication on the other side. It doesn't take that much to rent out a bot and deliver an attack. In fact, during the last year Sky Lakes Medical Center was breached with a phishing attack, and it was a ransomware attack and whatnot, and at the very same time they were being pummeled with emails, other systems were all being pummeled exactly at the same time. It's not like they're sitting there sending 'em one at a time. The whole thing is so automated on both sides that if you're not automated on your side, they're gonna hit you almost instantaneously. So what you're talking about, being able to respond that quickly, is almost mandatory these days.
Speed is everything. We've been clocking, and you'll hear us talk a lot about an hour 38, because that's the average time it takes for an adversary after he gains initial access to begin lateral movement. So that whole mapping out the network, figuring out what they want to do, what their next steps are gonna be: an hour 38 is the average amount of time. So if you can't respond to an initial breach in less than that average time, then you're behind and you're playing catch up.
Wow. One hour and 38 minutes. That's pretty quick. So let's talk about MDR. So all this stuff is gonna work together, and we're gonna talk about that. MDR, why have we seen this approach become so widely adopted? James, I'll go to you for this one.
I know why we did it. It was because we wanna invest in really detecting and also responding, because we know it's really going back to what you said: it's not if, it's when. And so really it's about doubling down and making sure that if and when, and really when, it does occur, that we hit that like minutes, find it in minutes and not hours, days, weeks or months. Again, we have to be ready for when we're breached, cuz it's going to happen. It's impossible to prevent perfectly. So it's all about responding as fast as we can to stop it.
So Todd, MDR feels like just another form of outsourcing, but why is it not? So when we talk about outsourcing, a lot of times people have a visceral reaction in one direction, but in this area it doesn't seem to get that visceral reaction. Why do you think that is?
Well, it's finally happened. I feel like they've been talking about a skill shortage and more jobs than trained security professionals for years now. And I was in James' chair just even a year ago. And I would say it's finally happened to where it's very, very challenging to hire skilled security professionals. The shortage is here and it's real.
The reason that it's not considered outsourcing, and the reason why some large health systems have come to us: they had threat hunters and now they've subscribed to the whole MDR, the managed detection and response, and they've either cut over to it or they're planning on it. And I think that's because we're evolving. We have to evolve like the adversary does. We have to get faster, and sometimes smaller organizations may have one threat hunter or two. And then, well, what happens when one of them suddenly gives their two weeks' notice? Cuz there's a lot of opportunity in security right now.
So then now you're scrambling and now you don't have the coverage you need, and you really need to be protected 24 by seven by 365. And the adversary's only gotta be right one time. We've gotta be right every time in order to stop him. So what I tell them, especially if they have a lot of threat hunters, is don't see it as outsourcing. They can become security orchestrators now. And I think that's really where the natural evolution is going, because now we've gotta make our security tools work together and be faster. And so you wanna automate some responses, and sometimes that requires scripting, whether it's a workflow in ServiceNow or whether it's just sharing intelligence from other parts of the network besides the endpoint. I feel that this orchestration is where security teams can have the customization for their unique network.
And who better to work on the CrowdStrike tool than the actual vendor themselves, is my thought. So it's not really outsourcing. It's how I think of it. It's more about they're the experts, they're on the tool. If I'm gonna have somebody helping me catch these bad guys faster, I want them.
Yeah. And we're gonna go to incident response in a minute, but I do wanna talk about that skills challenge, cuz I just did a webinar last week, in fact, with Anahi Santiago with ChristianaCare and others. We were chatting about this shortage. And the reality is in cybersecurity, the skills are so specific. There are so many skills that you have to have. It's so specific, and it is hard to fill those. And we're specifically talking about security architects. There's an opportunity, I would think, if you go to a managed detection and response kind of solution, where people can actually move into very specific roles to fill out that security team. And even with the limited availability, if you move that off, you probably have enough people and potentially the right skills to build out a complete team. That's my premise. What are your thoughts on that?
No, I agree. I think that makes sense, that if they're doing that, then they can be very specific on all those functions and tools. Whereas a normal place like myself, our skills are more broad and not as focused.
Let's talk about incident response, so tying it all together. So we have endpoint detection, and then we have managed response, and then we have incident response. We were talking a little bit before this call about why it's so important to connect all three of these elements. James, give us a little bit of your thought process. Why does it work to have these three connected?
To me, it's like the whole trifecta, right? If you can tie them all together, then to me it really gives you the fastest chance to respond, to lower the risk as fast as you can. So many years ago, in a past life, I had an incident where our IR vendor was able to jump into our EDR at the time and find the issue within minutes. And so to me, that really taught me going forward that I never want to have any sort of solution, like an EDR, that doesn't have the IR vendor with access already in there. Right. So I've had that strategy going forward since that day, because of that importance. So again, the faster you get in there and the faster they can help you, the faster you can kick them out and stop the attack.
So we talked about a minute and 38 before. That would be really challenging. An hour and 38, we'll get to that, and that's kinda scary, but an hour and 38. One of the things that CrowdStrike has is 1-10-60. Todd, I'd love to hear you talk a little bit about the 1-10-60 framework.
Yeah. So that's kind of what our guarantee is with our managed detection and response: that we will identify, detect and remediate activity with the adversary within 60 minutes. And so in 10 minutes we'll have an understanding of what's happening. We're actually beating that now; our average time is around 38 minutes or so. And now we've got some new things happening, where we just announced that we are actually using our AI to detect indicators of attack, as opposed to indicators of compromise. So we're getting faster because we need to. And so with these new IOAs that we're detecting, and the speed of our dedicated threat hunters overseeing our customers' environments, we're able to respond much quicker than that. But I think it's necessary in order to keep pace with the speed of the adversary and the way that they're taking their best people and breaking things down into well-run businesses and corporations that are designed to compromise our businesses and our customers.
And Todd, I'm glad to hear that, as far as moving up the chain, you know, finding it sooner and even before the breach. So thank you for sharing that.
James, I wanted to come to you cuz we did a webinar a little while ago with some ransomware victims. And we did an hour webinar. We went through, essentially minute by minute, what it felt like to go through ransomware. The cause of it was that they had put their EDR in place and hadn't fully configured it, essentially, is what happened. I'd love for you to talk about the deployment of these tools and the impact on performance or the network. So what does it look like to deploy these kinds of tools?
Yeah, we used our standard packaging tool and we sent it out with that. We haven't really noticed anything as far as the whole complexity; it was not complex at all to roll out. And then as far as performance hit, we looked at our CPU and we've not noticed any sort of performance hit, so that's good. 'Cause I know several years ago that was a major concern, but I think less and less as far as any sort of performance degradation.
So you used your standard rollout tool. You did enough testing and you just rolled it out with the standard tool.
Oh, we tested. Sorry. So after testing, I meant, yeah.
Wow. That's exceptional. All right. What question didn't I ask? What else should we be talking about? What do people need to know about EDR and MDR?
I think it's important to have your EDR or MDR platform to be the platform that your incident retainer organization is going to use in order to investigate an attack. Right?
Yeah. And that touches on what I said earlier, that your IR team or company must have access to that tool. If it's not CrowdStrike, you know, whatever the tool. Because again, every minute counts at that point. And if you're signing contracts at that point, or they're asking for access, that's poor planning. And so it's all about having it, testing it, and really making sure that that access works so you can respond in minutes.
Closing question here: what does the future of this look like? I mean, I sort of slipped there and said a minute and 38 seconds. Is it just faster and faster, more sophisticated attacks and more sophisticated responses?
Yeah. You said that, and then that light bulb came on, like, oh crap, that's probably the future, right? That it's an hour and 30, then an hour, and then it'll be 45 minutes. So it does make me uncomfortable to think about how we keep getting faster and faster to really keep up with that as much as we can.
I think where it's going is what we call another DR acronym, XDR, extended detection and response, where we're making our security tools work together and setting up some detections and automated responses when certain things happen, whether it's with the cloud, or with your network traffic, or whether it's with some unmanaged devices inside your network. It's being able to have that visibility in real time, and then having your tools communicate and work together in order to stop these attacks. And that's where we're going.
Yeah. I think integration is what that makes me think about, tools working together through APIs or whatever, to share that information in real time for response. Yep.
Yeah. So Todd, you threw out cloud. Obviously EDR is not a part of that, but when we talk about the MDR solution, is that looking at cloud workloads and cloud storage?
Yeah. So we have that. I don't think everybody does, but we have cloud workload protection that's both agentless and agent based on VMs in the cloud, that you can view in the same console. And I think that's important, because as the network evolves and as these workloads evolve and get spread out, I think it's important that you have a platform that can protect it all.
Fantastic. James, Todd, hey, I wanna thank you for your time and thank you for the education. It's great to hear what's going on and hear directly from James, especially you, and Todd, you haven't been out of the chair all that long. You know how the thinking has changed since I was there five years ago. So thank you very much.
Yeah. Thank you. Nice to meet you. Thank you, Bill.
What a great conversation. I wanna thank Todd and James for coming on the show. It was fantastic to get their perspective on so many aspects of that. I learned a ton of things as we were going through there. I realized the technology has changed dramatically since I was a CIO, better than five or six years ago. Not that the technology is new, but it has changed dramatically from what we were doing just a couple years ago. So I loved getting that refresher from them and really appreciate being able to bring this content to you as well. We wanna thank our sponsor CrowdStrike for this episode and for investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.