This Week Health


February 14, 2025: This is the third episode of the Zero Trust Hospital Series. Tamer Baker, Healthcare CTO for Zscaler, dissects the anatomy of a breach—how attackers identify vulnerabilities, move laterally through systems, and execute double-extortion ransomware. How does Zero Trust disrupt each stage of an attack, preventing even compromised credentials from being useful? And can collective intelligence across organizations create a real-time defense against emerging cyber risks? 

Want to get your copy of the new book "Zero Trust Hospital: The CXO Vision" by Zscaler?

Don't miss our webinar after all six Zero Trust Hospital Series episodes! 

Key Points:

  • 00:53 Anatomy of a Breach
  • 06:20 Common Attack Vectors
  • 09:04 Community Protection


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Zero Trust Hospital Series: Understanding the Anatomy of a Breach with Tamer Baker


Welcome to This Week Health. Today, we're continuing a six-part series on Zero Trust Hospital: The CXO Vision. It's a new book by Zscaler. I have one of the authors here with me, Tamer Baker.

Hi, Tamer.

Hey, Drex. Thanks for having me again.

Tamer's a healthcare CTO for Zscaler. I'm Drex DeFord, president of Cyber at Risk at This Week Health and the 229 Project. Welcome to the show. We've got a lot of stuff to talk about. We've been through a couple of episodes already. A lot of great insights on what Zero Trust is, what it isn't, some of the challenges, some of the other stuff.

at's happening in healthcare

Again, I like to use analogies, and I think in the last episode we used the analogies of Netflix and DVD players, right? Yeah. Let's use an analogy of a bank robbery to start this. How does a bank robbery occur? We think about it: a bank robber first has to find a target. So I'm going to go target First National Bank. They find all the different branches of First National Bank and they look for the weakest link, right?

So they're going to go see every branch out there and see which one's the weakest link. Once they've targeted that branch, then they infiltrate. So they break in, they come in, stick them up, whatever it is that they're planning on doing for the robbery, and then they infiltrate the environment first and foremost.

through the bank and try and

And now I'm making my way to where the real money is, which is the safe. Once I've gotten to the safe, I crack open the safe, or you typically make the branch manager open the safe, and steal all the money out of it. So when we take that analogy of a bank robbery and apply it to our world in IT and cyber, it's very similar.

The bad actor first has to find your attack surface. They look for you. They find you all over the internet, right? So all those things that are internet exposed, they're gonna find you. Once they've targeted you, they can find all the different ways that you're available online through the internet. After that, they're going to infiltrate you.

So this is where they're going to do phishing. They're going to do malware installations, whatever it is that they're going to do to compromise you. So step two is to infiltrate, to get in and compromise you. What's step three? I've attacked some poor user's laptop that doesn't give me anything.

ove laterally throughout the

So everything's double extortion nowadays. So that fourth piece is I'm going to take your data and I'm going to exfiltrate it out to somewhere in the internet so that I have access to it later. So that not only do you have to pay me to decrypt you, but you also have to pay me to make sure I don't release your data.

And then they show you proof of some of that data that's stolen. So that's, like, the four stages.

With those four stages in mind, Zero Trust, the architecture, helps at each one of those stages. So tell me about what's the Zero Trust fight that you have at each one of those stages.

ey can't even find you. It's

It comes to the point where, when they get to stage two, which is phishing, malware, all the other attacking of the users and endpoints, even if I have phished your credentials, Drex, if I can't even find a server to log into with those credentials, whether it's an application, security appliance, whatever it may be.

Those credentials have become useless to me, as a matter of fact, because your access for that particular credential is so limited because the architecture has been designed. We talk about blast radius. That's what you're talking about when you talk about blast radius.

So blast radius goes into that as well as stage three of the attack.

that may contain malware is

Oftentimes, what we've seen in our environments, especially when we go into things like proofs of concept, proofs of value, is that you don't turn any security things off when we're proving this out, and we still are blocking and tackling phishing attempts, meaning it has passed through all your other security means to try and block phishing.

That's part of that stage two, and all that gets removed. Stage three is the significant portion of where you remove the blast radius because that's the preventing of lateral movement. That's that network segmentation, device segmentation, as well as user-to-app segmentation, where you make sure that even if somehow a bad actor gets through, they can't get anywhere.

in, because we're decrypting

And you can block and tackle no matter where the data lives, no matter where the data is moving, and no matter where that, quote unquote, user is trying to move that data. All that gets seen and protected to make sure sensitive information doesn't get exfiltrated.

It almost sounds like magic. And as a result of all of this, you have a lot of insights into the bad guys and how they work and the ways that they attack and move. What are some of the most common attack vectors in health care, if you were just taking a step back and looking at that?

e good, bad, and ugly that's

That also gives you the cloud effect, so as soon as one bad thing happens anywhere, we're helping everybody. We're updating our security policies. A billion policies get added every single day, security policies, without you having to lift a finger. Number one. Number two, attack vectors today. Phishing, of course, is still a very popular attack vector, and they're getting much better with it because of the use of AI on the bad actor side. And number two, they're attacking security appliances directly. That has become one of the leading attack vectors.

directly and just take them

You can oftentimes replace VDI and the like with Zero Trust, where you don't even need them online at all anymore. But in those instances where you may still need them online, just hide them so that they can't even be accessed from the internet, which helps with attack vector number two, which is.

Phishing is the second most popular. Actually, first and second, depending on which report you read, from which vendors put out another report on these vulnerabilities that have hit last year. When you think about that phishing piece I mentioned earlier, if I have your credentials, what good are they?

I can't use them if I have no application to even see or find, no security appliance to log in with to gain access to your network. So

Yeah, so the other part that I want to dig in on a little bit, because I find it fascinating, is that we talk about information sharing and the things that we share with other health systems to help them be better prepared or not be attacked.

ly creates a situation where

You catch it and kill it. Zscaler customers get immunity from that, right? They get the updates and the information that kind of keeps them safe.

That's right. Yeah, one of the things that I always like, especially when we do a proof of value or proof of concept, is we turn on things in our security platform, part of our platform where we detonate bad files, or detonate files to make sure there's no bad things in there.

And we show a report at the end of it and say, hey, out of the 300,000 files that came in during this short little POV, three dozen of them were malicious, and out of those three dozen, 30 of 'em were actually known already because of the cloud effect, which includes other companies like CrowdStrike and about two dozen other threat feeds.

It's not just our own

I really appreciate you coming in and explaining a lot of this stuff to us today. We're going to continue to do more episodes. If you're watching this one, you're behind. There are other episodes ahead of this one. And if you're watching this episode, there's more to come. So I appreciate you being here, Tamer.

Yeah. Thanks Drex. I love being here with you. Appreciate you having me.

Thanks for tuning into episode three of our Zero Trust series. You want to dive in deeper? You can pick up a signed copy of the book at either VIVE or HIMSS. Plus, you can get the other book in the series, The Architect's Approach.

deo description. And you can

You can register for that right now at ThisWeekHealth.com slash Zero Trust. Thanks for being with us.

© Copyright 2024 Health Lyrics All rights reserved