
Executive Interview

The Cyber Attack No One Can Survive Alone | Executive Interview with Josh Howell


About This Episode

May 5, 2026: What happens when attackers don't just break into your systems, they become you? Josh Howell, Healthcare CTO at Rubrik, joins Drex DeFord to unpack Rubrik's newly announced partnership with the American Hospital Association, a rigorous vetting process that signals a new standard in cyber risk validation. Josh draws on hundreds of ransomware recovery experiences to challenge how health systems think about resilience, recovery sequencing, and the identity control plane. Learn why the worst-case scenario in the 2026 Google Mandiant M-Trends report should keep every CISO up at night.

Key Points:

  • 00:35 AHA Partnership Overview
  • 04:19 Turning Tools Into Outcomes
  • 10:50 Worst Case Scenario
  • 13:47 Secure by Design Zero Trust

Keep up to date on the latest in health IT:

https://thisweekhealth.com/news/

X: This Week Health

LinkedIn: This Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by Rubrik. Rubrik works with you to better understand your data and workflow so they can help you build a better security solution that's just for you. A solution that not only secures your data, but puts you in the best possible position to recover faster from a ransomware attack. So reduce complexity and make sure your data is protected no matter what cloud provider you're using or how bad the cyber landscape looks. Find out more on how Rubrik can help you elevate your cybersecurity game. Check it out at thisweekhealth.com/rubrik. That's R-U-B-R-I-K. thisweekhealth.com/rubrik.

I'm Drex DeFord, president of Cyber and Risk here at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to this executive interview on the UnHack channel. Real conversations about managing risk at the highest levels. Let's dive in.

Hey everyone. I'm Drex. I've got, uh, I've got Josh from Rubrik, uh, with me today. How you doing, man?

I'm well, happy to be talking to you again.

It's good to see you. Every time we are together, there's always like a hundred things that are going on. A bunch of crazy stuff, sometimes a bunch of really cool stuff. You have a bunch of cool things going on with the American Hospital Association. That was a press release that went out about Rubrik and AHA. Tell me about that, because it sounds really amazing, and what it means for all the folks in healthcare and all the folks associated with the American Hospital Association.

Yeah, so let's start first with the program, what it is. So, yeah, the American Hospital Association has hired some really experienced people. So between the, the principal, John Riggi, and his deputy, Scott Gee, between the two of them, they've got something like 55 years of combined experience between, you know, the FBI, the CIA, the Army, the Secret Service, leading some of the, the largest cyber investigations that we've had. So you routinely see them in front of Congress. Mm-hmm. You know, testifying, talking about recent incidents, and they have created a cyber risk program where they select key vendors and kind of vet them, figure out what the value proposition there is. And so there's a program of a small number of providers in different spaces that together are supposed to help organizations achieve meaningful risk reduction. And so we applied to that program. Uh, we first learned about this, uh, this person, John Riggi, from an organization who said, do you know why we bought Rubrik? I said, no. And he said, well, we had this person come in and he presented to our board: this is what a cyber attack is gonna be like, this is going to be the impact, and here's what you need to be prepared for. And he said they scared them so thoroughly that they came to IT and said, do whatever it takes, like tell us what you need. And so they moved forward, vetted us, et cetera. So I, I thought that was interesting. So we reached out, we had John Riggi present at our healthcare summit last year.

Right. So John was the guy who told the scary story that you're talking about. Okay.

Correct. Yep. So they, they have a number of free workshops. Mm-hmm. Uh, tabletops.

I've seen 'em all over the country. They, they will come to local kind of chapters, organization stuff that's happening, and yeah, John does a great job.

Yeah. And because of he and Scott's background, you know, they can bring in CISA, the FBI, others, and really help close the loop there on these are resources that are available to you and here's how to implement it and move forward. So we learned about this program. We started vetting it and them, us, uh, fairly intensive process. There were a couple points at which I was like, uh, this is not gonna happen. Uh, their lawyers and our lawyers went back and forth a lot, but, you know, eventually we found language that works. There was a, a, a vetting of kind of like our, our portfolio product set. A little bit of, like, you know, how does it work? How do you negate these sorts of attacks? What controls are important? How do organizations choose where their data goes? Those sorts of things. So, um, at the end of that, we had to provide a lot of, you know, customer references, various people who could speak to our efficacy, uh, of the product set and how we help solve the, the risk program or problem. And at the end of that, uh, we were able to get this partnership in place. So it means a lot to us because we think it is probably one of the better reviews of capabilities. You know, what sets us apart from the other organizations in our space?

That vetting process sounds way more intense than I would've ever imagined. But, so, uh, AHA makes this endorsement. You know that buying a thing doesn't guarantee reduction in risk. So what do organizations do to actually get the benefits that they intend to get when they buy Rubrik?

So that's actually a super insightful question, Drex, and it comes back to kind of this technology plus people plus process problem. And you see this everywhere. Of I've seen, and at, at this point we've had probably, it, it's in multiple hundreds of organizations that we've helped recover, conduct a recovery from ransomware, right? It's not to say we solve all problems, we're a piece of the puzzle, but we've had a front row seat now to literally hundreds of these types of incidents, and so the, the sorts of things that are gonna happen and what you're going to need to walk through is not a mystery anymore. Uh, there is a predictable timeline and series of events. Before I came to Rubrik, uh, I helped three different organizations recover from ransomware. Today, all three of them are Rubrik customers, and that's not a coincidence. Again and again, we see organizations that have lived through the problem realize, like, oh, it, it's not a question of, like, restoring data, it's a question of did it survive? What I don't restore is actually more important than what I do restore, right? And the real challenge is that, you know, we had the largest IT outage in history. Uh, I forget exactly when, but in, in the last year or two, and every time I speak at HIMSS or one of these other shows, I always ask for a show of hands of, like, how many people were down for more than two days. More than three days. Just about everybody. I know of one organization that said they had effects that lasted longer than four days. So largest IT outage in history that people got out of by restoring data. Everybody was done in four days. And yet we also know that when it comes to these cyber attacks, it's routinely 30, 35 days. Mm-hmm. But the thing is, is it doesn't have to be. And the reason why these cyber attacks are fundamentally different is because it requires this massive range of different skill sets and groups to work smoothly together in ways they never have before, right? Mm-hmm. Mm-hmm. You're gonna need legal, public relations, uh, you know, the infrastructure team, the, the clinical team, the, you know, CISO's organization and all of their analysts, external third parties like incident response. And all of these groups have to come together and do this when they are tired, stressed out, struggling to communicate, disconnected from the internet. Yeah. And that's the real problem that we have to focus on, is how do these teams work together? What are the sorts of tools and platforms that they need to have integrated? Um, true story. I was in a room with an organization that was doing an evaluation and I started to talk about the process of threat hunting, which is how you determine what data is safe to restore and what data isn't. And one of their executives said, eh, don't talk about that. That team isn't in the room. And I just was like, then why are we here? Like, what are we talking about? Yeah. Like if we can't engage them and bring them together when we're talking about hypothetically what the process should look like, and they aren't aware of the tool sets and how to use them together when the fat hits the fire, then how do you expect to have a better outcome? And so really focusing on that problem of you have to bring these skill sets together. You need an opinionated platform that says, here's how the CISO's org and the data protection team finds and restores clean data. Here's what an IRE is and looks like. Here are the subcomponents, you know, a clean room, staging, secure production environment. Here's how you stand that up and do it really affordably, right? And we can show organizations, here's how you can do it in the budget footprint you already are spending. And then now let's talk about automation. How do we automate the recovery of identity? Mm-hmm. Then your first three or four critical applications and Entra, and stitch app registrations back together so that M365 will work again. Going back to that Mandiant report, they talk about how if they get your identity control plane, they weaponize your tools against you and then they can pivot to your cloud, um, tenants. You could lose all of your internal communication and collaboration, which introduces friction into every downstream coordination and recovery process, uh, that you're gonna conduct. So just, and I guess this is where I would leave you on that question, is I was talking to an organization recently who was really happy 'cause a health system had entrusted them with $18 million, and over a 24 month period they had started with business impact analysis to analyze which applications were needed, to then come downstream and start building out an IRE reference architecture and all the automation and infrastructure as code. And they didn't actually build anything until the very end, 24 months later. And they were like, that's what great looks like. And I wanted to pull my hair out because I was like, maybe what we, I'm glad you got that.

Can't pull your hair out. Come on.

Been done. But what we need to do, in my opinion, is to invert that whole process. If you know that your first thing that you're going to have to do in the wake of a cyber attack is say, did my backup data survive? Start there. Start right. Just start, exactly. Risk reduction there. Then can we start building something, even if it's resource poor, the nucleus of an IRE, and we can show you how to do that affordably. And then once you have that, the beauty of an IRE is it's isolated. You can do whatever you want in the middle of the business day. Nobody cares, right? Mm-hmm. So now can we start playing around with how fast can we recover all of the domains in the forest with DNS, global catalog, all of those things into that environment? And then can we figure out how to recover the first couple applications? Your IT team, if we went out and pulled them, I guarantee you is like, yeah, these, these three are definitely on the list. Great. Start there, right? And over time we keep adding them on and we can schedule these drills, and then you end with, okay, do we have all the applications, right? But at every stage we've achieved meaningful risk reduction with minimal investment. And we learn by doing. And that's what I see the best organizations doing, is that they're not, uh, resorting to yet another analysis. They are building and doing and learning as they go. And even if imperfect, it achieves a much better outcome.

Yeah, totally. It's, um, I, I, I love that idea of just start somewhere. The more you do, the more, the more you learn, the more you'll have value now and be able to build the next thing better. So, um, I think that's cool. I wanna ask you about this, uh, uh, this report you referenced. Um, we just had the Stryker event a few weeks ago. I know you can't, none of us probably really want to specifically talk about Stryker, but in the context of those kinds of things that happen in our industry, uh, I know there's a Mandiant report out and it kind of dives into the worst case scenario. Can you kind of talk a little bit about that report and the sort of that worst case scenario and how the worst case didn't really happen?

Yeah. So first of all, I can't talk about any specifics of anyone's situation, so I would refer everybody back to, you know, Stryker's public statements. They have a blog out, right? Uh, I think they've said we're fully back online. Yeah. You know, producing products. That's great. Um, you know, a, a short timeframe, relatively speaking, and also our statements on the, on the topic that, that PR has put out. Um, but going back to that Mandiant report, it is a really well written document, by the way. I don't think Rubrik had anything to do with it. I'd be shocked if we did. There is 22 pages in the middle of the 2026 Google M-Trends report. Hmm. And, um, it is fascinating. I've actually gone through and highlighted entire sections. It's pages 55 through 77, and it talks about here's what it looks like when an attacker can so thoroughly compromise your environments that they can turn all of your IT tools against you. Right. So think about a scenario in which they capture the identity control plane. They now are the domain admins. They can roll every password in the organization, effectively locking out your entire team from all of your infrastructure and all of your tools. They can issue MFA token resets. They can add people to firewall administrators. They can, they can erase your devices. They can wipe thousands of devices across, you know, a lot of countries. And in this scenario, I want people to think about, like, how would my infrastructure stand up to that? If I can build it, can they tear it down? If I can configure it, can they defeat it? Um, if I disable the ports, can they enable the ports? Right? They are me, essentially. And so in that context, if your solutions require some backend SQL, MySQL, Oracle database that can be found and deleted, mm-hmm, do you have anything anymore? Right. If there's a Windows operating system in the mix, um, you know, does that stand up to attack with all of the attack surface that presents? If there's a third party storage array that, you know, yes, hypothetically it's WORM, but as, as an administrator, if I can log in and delete LUNs, you know, now the data doesn't exist anymore.

Make it disappear.

Exactly. And so they, they kind of walk through in pretty graphic detail, here's what the compromise of an identity control plane looks like. Here's what weaponization of your IT assets against you looks like. And the answer to some of this is, one, you need a secure by design, uh, approach. If, if you can configure it, they can unconfigure it. Mm-hmm. So you need something that separates out your, your parachute, the tools that you'll need to recover, from the things they can access and change. And then you need to start thinking about what happens if they compromise an admin. Well, this is where multi-admin authorization comes in, right? As zero trust extends even to, you are a fully authenticated user on this platform and admin, and even you are not allowed to do these tasks unless...

We were talking about the other day. Is that sort of like, uh, two keys need to be turned at the same time to launch the missiles? Um, it's that same kind of scenario.

Uh, and it's even beyond that, because if they are domain admins, what's, uh, what stops them from getting all of the admins and having all the keys? True. So we even need to build in a multi-org, uh, set of keys so that everybody has to agree before you can do things that harm, harm your security posture. Mm-hmm. Like, mm-hmm, removing an archive or changing an MFA source or doing those sorts of things. So you can see how that level of paranoia, ground up, clean sheet redesign produces something that is secure by design instead of secure by configuration. And that's where we think zero trust really has power beyond the, the marketing buzz hype that every vendor claims. It is true immutability. They can't undo it even when they own you end to end.

Yeah. That's, that's really, um, secure by design, not secure by configuration.

Yeah. And there's a lot that goes into that. Like, do you trust an external clock? Do you have default vendor credentials that can be accidentally left in place? Like, it is a very long list of design considerations that goes into building something that will stand up to: they are you and they can do everything you can do, and they still can't harm it, right? That's a different mindset.

Josh, it's always great to have you on the show. If someone wants to get started, how, how do they get started? What's the process for that?

It's a pleasure to talk about something that we're passionate about, but I think the place to start is bringing together the leadership team. So I see a difference when your CISO, your CTO and your CIO are all together at the table and working through the problem set together. And toward that end, we've built what we call cyber resilience working days. So we did one at the New York Stock Exchange early this year, and we brought in the AHA, Google Mandiant Cyber Incident Response. We brought in, um, the cyber insurers so they could kind of hear this and talk about here's how to leverage the investments you're making to go get discounts in your cyber insurance. And we spent a day working through how do you approach the problem? How do you build a business case around this? Where do you start? How do you move forward, and how do you make this pay for itself? So we're gonna be running those with different partner organizations across the country this year. So I think that's a great place to get started, to find all of the resources and complimentary things that we want to bring to help organizations achieve a meaningfully better outcome.

I really appreciate you coming on. It's always fun. I feel like I never have enough time. We need to do this again soon and dive into some of the other stuff that's going on right now.

You're very generous, and thank you for, uh, letting me exhibit the passion that we feel about this topic.

It's easy to be passionate about. Thanks, Josh. Talk to you soon.

Thanks for joining this executive interview on UnHack with me, Drex DeFord, here at This Week Health. We believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe and share this with a colleague, because together we're stronger.
