This column is available in a weekly newsletter called IT Best Practices.
Paul C. is the Chief Information Security Officer (CISO) at a mid-size healthcare organization. His company processes more than 6 billion transactions a year featuring the highly sensitive and regulated personal health information (PHI) records of more than 270 million people. Needless to say, his company has a defense-in-depth strategy to protect the data and transactions, but Paul recently added a unique new cloud solution to the mix to provide additional detection, visibility and response (DVR) capabilities.
The solution is called ProtectWise Cloud Network DVR, and there are two characteristics that make the solution unusual. One is it doesn't require any on-premise infrastructure. The only aspect of the solution that is deployed on the customer's network is a software sensor that records everything that happens and streams it to the cloud platform for aggregation and analysis. If an event is detected, it is prioritized and presented with full contextual information via a console.
The second differentiator is that all of the network activity can be kept for as long as needed – years, if necessary – and it is fully indexed and searchable. This allows an organization to go back in time to search for indicators of compromise (IOCs). And, it allows a user to fully reconstruct the network packets of an incident for a forensics investigation.
Paul's company makes use of all of these capabilities, and the fact that they are delivered as a service from the cloud is important. "We chose the ProtectWise cloud solution for three primary reasons," says Paul. "The first is agility and being able to get up and running quickly without the burden of added infrastructure. I didn't want to create a shadow IT situation by implementing servers, appliances and storage for our security needs. A cloud deployment gives me the flexibility to move our cybersecurity program forward quickly and efficiently without getting in line for in-house IT services."
The second reason is around operational efficiencies. Paul used to run security operations at a previous employer and he had a team of people dedicated to running the technology that supported the security solutions. "I had database and storage people on my team just to manage the technology. They weren't there to do the actual security analytics," he says. "Not having to deal with on-premise infrastructure technology is a big plus that we get from ProtectWise. We can run leaner."
The third benefit is the community ecosystem that comes from using a cloud-based solution. This is something that Paul actively sought out. As a member of NH-ISAC, the nation's Healthcare and Public Health Information Sharing and Analysis Center, Paul understands the value in sharing IOCs with his peers. "If I am in the cloud, I expect other ProtectWise customers to be in the cloud, which means that ProtectWise is seeing all the information about security incidents that is worth sharing within this customer community. I benefit from that intelligence, and I see it as a strategic value I receive from the ProtectWise solution," says Paul.
Paul's company has only used ProtectWise for a few months so they haven't had a need for the retrospective technology yet, but he understands how it could help him. If the company were to experience a data breach, being able to go back to look at the packets to see exactly what transpired could be useful to the forensics team. This healthcare company is in a regulated business, with a requirement to notify customers if/when a data breach occurs. ProtectWise could tell Paul whether 10 records or 10 thousand records were stolen. Paul hopes he never has to use this feature, but it's a comfort to know it's there if needed.
To deploy ProtectWise Cloud Network DVR, an organization places a small passive software sensor at places like the egress points, the Internet pipe, the core network for east-west traffic, on cloud assets, and even on industrial control networks. The sensors act like virtual cameras in that they record everything that happens on the network. ProtectWise compresses that data and streams the raw packets to its cloud network DVR platform. This creates a memory for the network, and because it's in the cloud, it can be stored with unlimited retention.
ProtectWise creates a visibility layer on top of this memory by binding the intelligence of key pieces of a customer's IT infrastructure such as firewalls, endpoints, proxies, email, and so on. This visibility layer makes it possible to search for specific historical activities whenever needed.
ProtectWise also has a detection layer that does real-time security analytics, and it goes back in time with automated retrospection. As new zero-day vulnerabilities, breach tactics, malware, etc. are discovered, ProtectWise automatically re-examines the stored network memory with the latest intelligence to discover previously unknown incidents. This can reveal, for instance, that previously unknown malware slipped into the network a month ago. The detection model plugs into a single pane of glass.
On the response side, ProtectWise provides a single pane of glass for the security operations center that combines situational awareness with a forensic workbench for impact analysis, along with the event management and event collaboration that security analysts need. The humans get all the information they need to investigate the prioritized security events.
Paul's healthcare company already has other security tools in place, including Palo Alto WildFire, Invincea advanced endpoint protection, and user behavioral analytics. Those tools see plenty of threats, and ProtectWise validates the information from the other tools. It helps to bolster the company's preventative strategy. In the event ProtectWise finds something that another tool missed, the company can better tune the other tool to close the gaps on prevention and detection.
Still, Paul says the full packet capture is the best value his company gets from ProtectWise. He gives this example. "Say we get a Splunk alert that our Palo Alto system sees large amounts of data leaving the network. We want to know what that data looks like, and who is removing it. ProtectWise gives us a very quick way to go to the ‘video recorder’ and investigate what just happened. With full attribution and assurance we can see, for instance, that our DBA is downloading an Oracle file. Without that quick check, we would be left to race against time to figure out what is happening."
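The two workflows described above, retrospective IOC search over retained traffic and attributing a "large amount of data leaving" alert to a host and user, can be illustrated on a small indexed flow archive. This is an added example with constructed records and hypothetical hostnames, users and RFC 5737 addresses; it is not ProtectWise's code or data format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records standing in for the indexed "network memory"
# (hypothetical data, not the vendor's format). Fields:
# (timestamp, source host, source user, destination, dst port, bytes sent)
FLOWS = [
    ("2016-02-03T09:12:00", "ws-112", "jsmith", "198.51.100.24", 443, 2100),
    ("2016-02-10T14:03:00", "ws-112", "jsmith", "update.example.net", 80, 9800),
    ("2016-03-01T22:41:00", "db-01", "dba_olivia", "backup.corp.example", 22, 4_900_000_000),
    ("2016-03-04T11:05:00", "ws-207", "tlee", "198.51.100.24", 443, 1300),
    ("2016-03-04T11:06:00", "ws-207", "tlee", "203.0.113.9", 8443, 600),
]

def build_index(flows):
    """Index retained flows by destination so that replaying new intelligence
    against months of history does not rescan the whole archive."""
    index = defaultdict(list)
    for ts, host, user, dst, port, nbytes in flows:
        index[dst].append((datetime.fromisoformat(ts), host, user, port))
    return index

def retrospective_search(index, new_iocs):
    """Replay newly published IOCs (domains or IPs) against the archive and
    return, per IOC, the first-seen time and the chronologically ordered hits.
    IOCs with no history are omitted so analysts only see real matches."""
    hits = {}
    for ioc in new_iocs:
        matches = sorted(index.get(ioc, []))
        if matches:
            hits[ioc] = {
                "first_seen": matches[0][0].isoformat(),
                "hosts": [(m[0].isoformat(), m[1], m[2]) for m in matches],
            }
    return hits

def top_senders(flows, start, end, limit=3):
    """Attribute an egress-volume alert: rank (host, user, destination)
    by bytes sent inside the alert window, largest first."""
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    totals = defaultdict(int)
    for ts, host, user, dst, port, nbytes in flows:
        if start_dt <= datetime.fromisoformat(ts) <= end_dt:
            totals[(host, user, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

if __name__ == "__main__":
    idx = build_index(FLOWS)
    # An address published as malicious today, unknown when the traffic occurred.
    print(retrospective_search(idx, {"198.51.100.24", "bad.example.org"}))
    print(top_senders(FLOWS, "2016-03-01T00:00:00", "2016-03-05T00:00:00"))
```

In the constructed data the retrospective search surfaces a February connection to an address that only became a known indicator later, and the egress query points the alert at the DBA's backup transfer rather than a workstation.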
Paul also points out that having the capability to replay past events helped him negotiate a favorable cyber insurance policy. "Insurance carriers require forensics data, and we can easily provide that if necessary," Paul says.