it’s not if but when 20160503


Upload: barry-caplin

Posted on 24-Jan-2018




TRANSCRIPT

Page 1: It’s not If but When 20160503

IT’S NOT IF… BUT WHEN

CISO Assembly, Dallas, TX

[email protected]

[email protected] @bcaplin

http://about.me/barrycaplin

http://securityandcoffee.blogspot.com

Barry Caplin

Chief Information Security Official

Fairview Health Services

Page 2:

@bcaplin

http://about.me/barrycaplin

securityandcoffee.blogspot.com

Page 3:

o Not-for-profit established in 1906

o Academic Health System since 1997, partnership with University of Minnesota

o >22K employees

o >3,300 aligned physicians

o Employed, faculty, independent

o 7 hospitals/medical centers (>2,500 staffed beds)

o 40-plus primary care clinics

o 55-plus specialty clinics

o 47 senior housing locations

o 30-plus retail pharmacies

2014 volumes

o 6.39M outpatient encounters

o 1.4M clinic visits

o 71,049 inpatient admissions

o 76,595 surgeries

o 9,298 births

o 282 blood and marrow transplants

o 340 organ transplants

o >$4 billion total revenue

Page 4:

got breach?

got job?

Page 5:

2015 – Year of the Breach

2014 – Year of the Breach

2013 – Year of the Breach

2016 – Availability?

Integrity?

Page 6:

BOARD REPORTING EXAMPLE

• Ransomware first appeared in 1989; large growth since 2013

• 2016 Hollywood Presbyterian – first publicized healthcare org to pay

• $17K ransom paid

• Systems down for over 1 week – ER, OR, imaging, lab, pharmacy

• MedStar, MD – 10 hospital network

• 3+ days of outages – 4 ERs, all inpatient shut down

• 4/7/16, all systems back up

• Most attacks arrive through an email attachment or a link

• Systems must be taken down to stop spread

Page 7:

BOARD REPORTING EXAMPLE

• Estimated >$325M paid in ransoms in 2015

• Some variants charge $100-$500 per workstation

• Some are “flat fee”

• Often the cost of downtime and recovery is more than the

ransom

• It’s not “if”, but “when” an attack will happen

• There is no complete “prevention” – each attack is new and unique

• There are “proactive/prevent” responses and “detect/remediate” approaches

• We do pursue both

Page 8:

•Can we prevent?

•It’s not If, but When

•Is Incident Management the key part of our job?

•How we respond makes a difference

Page 9:

Incident Response

•How to start:

•Figure out where your “stuff” is

•Figure out the risks to your “stuff”

•Figure out how you will react if that risk manifests

•Write it down – Playbooks

•Practice

•Know what’s normal – Monitor
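The “detect/remediate” side of the board example above and the “know what’s normal – monitor” step of this slide, as an added example that is not code from the talk or from Fairview: build a per-host baseline of file-server activity from a quiet period, then flag hosts whose later activity is far above their own baseline or that show the mass-rename pattern of an encrypting ransomware spread. The audit-log format, the hostnames, the share path, the thresholds and the `.locked` extension are all assumptions of this example, and every log line is constructed inside the block.

```python
"""Added example: baseline-then-monitor check for ransomware spread.

Not code from the talk or from Fairview. The audit-log format, hostnames,
share path, thresholds and the '.locked' extension are assumptions made
for this example; the log lines are constructed by build_sample_log().
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SHARE = r"\\fs01\shared"  # hypothetical file share
BASELINE_WINDOW = (datetime(2016, 5, 3, 9, 0), datetime(2016, 5, 3, 9, 10))
WATCH_WINDOW = (datetime(2016, 5, 3, 9, 10), datetime(2016, 5, 3, 9, 15))


def build_sample_log():
    """Construct a synthetic audit log in the assumed format
    '<ISO8601 timestamp> <host> <ACTION> <path>' (RENAME: '<old> -> <new>').
    Ten quiet minutes, then five minutes in which ws-102 renames every file
    it touches to a .locked extension while ws-101 carries on as usual."""
    base = datetime(2016, 5, 3, 9, 0, 0)
    lines = []
    for minute in range(10):  # 09:00-09:10: ordinary office activity
        for host, per_min in (("ws-101", 3), ("ws-102", 2)):
            for i in range(per_min):
                ts = base + timedelta(minutes=minute, seconds=i * 7)
                lines.append(f"{ts.isoformat()} {host} WRITE {SHARE}\\doc{minute}_{i}.docx")
    for minute in range(10, 15):  # 09:10-09:15: ws-102 starts mass-renaming
        for i in range(3):
            ts = base + timedelta(minutes=minute, seconds=i * 7)
            lines.append(f"{ts.isoformat()} ws-101 WRITE {SHARE}\\notes{minute}_{i}.txt")
        for i in range(60):
            ts = base + timedelta(minutes=minute, seconds=i)
            src = f"{SHARE}\\file{minute}_{i}.xlsx"
            lines.append(f"{ts.isoformat()} ws-102 RENAME {src} -> {src}.locked")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, host, action, detail) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, action, detail


def events_per_minute(events, start, end):
    """Average file events per minute, per host, inside [start, end)."""
    minutes = max((end - start).total_seconds() / 60.0, 1.0)
    counts = Counter(host for ts, host, _, _ in events if start <= ts < end)
    return {host: n / minutes for host, n in counts.items()}


def rename_counts(events, start, end):
    """Number of RENAME events per host inside [start, end)."""
    return Counter(host for ts, host, action, _ in events
                   if start <= ts < end and action == "RENAME")


def detect(events, baseline_window, watch_window, factor=10.0, rename_threshold=50):
    """Return {host: [reasons]} for hosts whose watch-window behaviour departs
    from their own baseline. A host absent from the baseline is compared
    against 1 event/min so a brand-new noisy host is still flagged."""
    base = events_per_minute(events, *baseline_window)
    watch = events_per_minute(events, *watch_window)
    renames = rename_counts(events, *watch_window)
    alerts = defaultdict(list)
    for host, rate in watch.items():
        expected = base.get(host, 1.0)
        if rate >= factor * expected:
            alerts[host].append(
                f"rate {rate:.1f}/min is {rate / expected:.0f}x baseline {expected:.1f}/min")
        if renames[host] >= rename_threshold:
            alerts[host].append(f"{renames[host]} renames in window (mass-rename pattern)")
    return dict(alerts)


def run_example():
    """Parse the constructed log and run the detection over the watch window."""
    events = list(parse_log(build_sample_log()))
    return detect(events, BASELINE_WINDOW, WATCH_WINDOW)


if __name__ == "__main__":
    for host, reasons in run_example().items():
        # Playbook step for this alert: cut the host off before the share is taken down.
        print(f"ALERT {host}: isolate from network and shares; " + "; ".join(reasons))
```

The baseline is kept per host rather than as one global threshold, so a busy file server’s normal volume cannot mask a single workstation’s change in behaviour; in production the baseline window would span days, not minutes, and the alert would feed the written playbook step that isolates the host before whole systems have to be taken down.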

Page 10:

CISO’s Role

•Leadership

•Communication – Internal/External

• Staff/Exec/Board

• Law Enforcement

• External Counsel

•Media

• Regulatory

Page 11:

CISO’s Role

• Incident Response/Forensics

•Outsource?

• Pre-pay?

• Retainer?

•Cyber Insurance – What is covered? How does it pay?

•Tabletop – Exec Breach exercise

Page 12:

Discussion Questions

•Can you “defend” your architecture/tech choices?

•Can you detect problems, attacks and IoCs against your enterprise?

•Do you have response plans? Have you exercised them?

•Do you have communication plans? Have you exercised them?

•Does your C-suite have your back? Why?