Scott, can you tell us a little about yourself, your role at HealthFirst and how you came to work in digital forensics?
I have worked in cyber defense for the last two decades and have witnessed the changing threat landscape and the ever-evolving and improving toolset. In the last five years I can actually feel positive about detecting and avoiding complex incidents, which cost corporations millions in lost revenue and fines. Currently, I have a team of investigators that handle roughly 60 incidents a week. The incidents are ever growing as we bring in new tools that bring transparency to all events occurring externally and internally to the corporation. Generally business units hate the spotlight, but once they see the value of the product that we can bring to them, they are on board.
What does a typical day look like for you at HealthFirst with respect to your incident response duties?
I work a number of roles: SIEM content developer, user-based analytics use case developer, incident responder, case manager, investigator, SOC [security operations center] trainer, team trainer, and I’m responsible for workflow automation of cyber security incidents. Being stretched thin is a typical day.
Lately it seems that you can’t read the news without hearing of another data breach. What do you and your team view as the biggest threat to corporations in terms of ensuring data security, and how do you address this at HealthFirst?
Phishing emails are the biggest annoyance but no longer a major threat. Malware attacks have been controlled rather well. Our incidents have dropped dramatically by employing best security practices for the common top ten attack vectors. Automation of threat intel in the endpoints, SIEM and security controls has had a major positive effect.
What challenges does HealthFirst currently face with respect to HIPAA and other regulations? How do you ensure you remain compliant?
We model the HIPAA security requirements in the SIEM to prove live compliance, and we map live logs to HIPAA requirements. We face a lot of audits from a number of state and federal entities, so modeling and being able to produce “live” proof of compliance saves us time and money.
Your organization has AD Enterprise and a new API from AccessData. What made you implement this solution?
Automation. Like every organization, we need more investigators, but you can only hire so many people. We need a force multiplier like the API component that integrates the forensics acquisition component with the enterprise SIEM to give the investigators a single pane of glass view.
How has AD Enterprise helped you address the challenges you talked about above? What have been the benefits you’ve seen so far?
Remote offline collection has been key. We have a large mobile work force, so the ability to collect data when the client comes back online and finish processing without losing time has been a huge time saver.
We are also using AD Enterprise to monitor critical servers and workstations and populate the data into the SIEM to monitor for baseline changes.
When it comes to developing solid incident response plans, what are the top three recommendations you’d provide for our readers?
Develop a workflow, tabletop test it, then test the plan and start over. Wash, rinse and repeat. We do this almost weekly until the SOC and IR team get it and can process the incident without thinking.
What are your projections for incident response in coming years, and how do you anticipate solutions like AD Enterprise/API will help your organization to address future challenges?
Consolidation of all the tools into a common platform, workflow automation will win. You either play well with other tools, or you’re out of business.