Scott Sattler, Incident Response Manager, HealthFirst

Scott, can you tell us a little about yourself, your role at HealthFirst and how you came to work in digital forensics?

I have worked in cyber defense for the last two decades and have witnessed the changing threat landscape and the ever-evolving and improving toolset. In the last five years I can actually feel positive about detecting and avoiding complex incidents, which cost corporations millions in lost revenue and fines. Currently, I have a team of investigators that handle roughly 60 incidents a week. The incidents are ever growing as we bring in new tools that bring transparency to all events occurring externally and internally to the corporation. Generally, business units hate the spotlight, but once they see the value of the product that we can bring to them, they are on board.

What does a typical day look like for you at HealthFirst with respect to your incident response duties?

I work a number of roles: SIEM content developer, user-based analytics use case developer, incident responder, case manager, investigator, SOC [security operations center] trainer, team trainer, and I’m responsible for workflow automation of cyber security incidents. Being stretched thin is a typical day.

Lately it seems that you can’t read the news without hearing of another data breach. What do you and your team view as the biggest threat to corporations in terms of ensuring data security, and how do you address this at HealthFirst?


Phishing emails are the biggest annoyance but no longer a major threat. Malware attacks have been controlled rather well. Our incidents have dropped dramatically by employing best security practices for the common top ten attack vectors. Automation of threat intel in the endpoints, SIEM and security controls has had a major positive effect.

What challenges does HealthFirst currently face with respect to HIPAA and other regulations? How do you ensure you remain compliant?

We model the HIPAA security requirements in the SIEM to prove live compliance, and we map live logs to HIPAA requirements. We face a lot of audits from a number of state and federal entities, so modeling and being able to produce “live” proof of compliance saves us time and money.

Your organization has AD Enterprise and a new API from AccessData. What made you implement this solution?

Automation. Like every organization, we need more investigators, but you can only hire so many people. We need a force multiplier like the API component that integrates the forensics acquisition component with the enterprise SIEM to give the investigators a single pane of glass view.

How has AD Enterprise helped you address the challenges you talked about above? What have been the benefits you’ve seen so far?

Remote offline collection has been key. We have a large mobile work force, so the ability to collect data when the client comes back online and finish processing without losing time has been a huge time saver.

We are also using AD Enterprise to monitor critical servers and workstations and populate the data into the SIEM to monitor for baseline changes.
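The baseline monitoring described in the answer above, as an added example that is not HealthFirst's or AccessData's code: it compares a known-good file inventory (path, SHA-256, size) against a later collection from the same host and emits one JSON event per added, deleted or modified path, the line-per-record shape most SIEM collectors ingest. The hostname, file paths and contents are constructed in memory, and the `CRITICAL_PREFIXES` severity rule is a hypothetical policy, not one from the interview.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical policy: changes under these prefixes are raised to high severity.
CRITICAL_PREFIXES = ("/etc/", "/usr/sbin/")


def snapshot(files):
    """Record sha256 and size for each path.

    `files` maps path -> bytes and is constructed in memory here; a real
    collector would read the files from disk on the endpoint."""
    return {
        path: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for path, data in files.items()
    }


def diff_baseline(baseline, current, host, collected_at=None):
    """Compare a current snapshot against the baseline and return one event
    per added, deleted or modified path; unchanged paths produce nothing."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            change = "deleted"
        elif path not in baseline:
            change = "added"
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            change = "modified"
        else:
            continue  # same hash as the baseline: no event
        events.append({
            "event_type": "baseline_change",
            "host": host,
            "path": path,
            "change": change,
            "severity": "high" if path.startswith(CRITICAL_PREFIXES) else "medium",
            "baseline_sha256": baseline.get(path, {}).get("sha256"),
            "current_sha256": current.get(path, {}).get("sha256"),
            "collected_at": collected_at,
        })
    return events


def to_siem_lines(events):
    """Serialize events as one JSON object per line for SIEM ingestion."""
    return [json.dumps(event, sort_keys=True) for event in events]


# Constructed sample: a known-good baseline and a later collection from one host.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/home/app/notes.txt": b"release checklist\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv:/bin/sh\n",  # modified
    "/etc/hosts": b"127.0.0.1 localhost\n",                                             # unchanged
    "/usr/sbin/helper": b"#!/bin/sh\n",                                                # added
    # /home/app/notes.txt is absent from the current collection: deleted
}

if __name__ == "__main__":
    found = diff_baseline(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), host="ws-0412")
    for line in to_siem_lines(found):
        print(line)
```

Keeping the baseline hash alongside the current one in each event lets an analyst pivot in the SIEM from the alert straight to the known-good value, and the per-path severity means a rule can page on a change to a system binary while a user document edit stays a medium-priority ticket.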

When it comes to developing solid incident response plans, what are the top three recommendations you’d provide for our readers?

Develop a workflow, tabletop test it, then test the plan and start over. Wash, rinse and repeat. We do this almost weekly until the SOC and IR team get it and can process the incident without thinking.

What are your projections for incident response in coming years, and how do you anticipate solutions like AD Enterprise/API will help your organization to address future challenges?

Consolidation of all the tools into a common platform and workflow automation will win. You either play well with other tools, or you’re out of business.
