Session #29, February 20th 2017
Laura Morgan, System Director Internal Audit & Corporate Compliance,
Edward-Elmhurst Health, IL
Amit Kulkarni, CEO Cognetyx Inc.
From Firewalls to AI: How to Stop Insider Threats

Speaker Introduction
Laura Morgan, CPA, CHC and HCISPP
System Director Internal Audit & Compliance
Edward-Elmhurst Health, IL

Conflict of Interest
Laura Morgan, CPA, CHC and HCISPP
Has no real or apparent conflicts of interest to report.

Speaker Introduction
Amit Kulkarni, M.S., MBA, CEO Cognetyx Inc.

Conflict of Interest
Amit Kulkarni, M.S., MBA
Ownership Interest: Cognetyx Founder & CEO

Agenda
• Scope of healthcare data breach problem
• Problem with Systems and their User IDs
• Security Basics – Auditing Access
• Hacker/Malicious user behavior
• New technologies & methods – User Access Behavior
• Machine Learning (ML) & Artificial Intelligence (AI) basics
• ML based approach – New level of detection
• Takeaways

Learning Objectives
• Identify to attendees the true scope of the problem of insider threats, which is often overlooked as most current systems deal with outside threats from hackers or malware.
• Evaluate how to identify the most common types of insider threats, including misuse of legitimate credentials and detection of stolen credentials used to access systems.
• Describe recent technological advancements in AI and ML to help identify and stop malicious users by constantly monitoring normal use by authorized users, and detecting abnormal use when legitimate credentials are used to access the system.

“We cannot solve our problems with the same thinking we used when we created them” (Albert Einstein)
Picture: http://cecimath.wikidot.com/albert-einstein

Can You Identify The Data Breach / Privacy Violation Threat(s)?
[Grid of 24 numbered photos, each labelled Insider, Vendor or Hacker]
They are ALL THREATS!

An Introduction to Benefits Realized for the Value of Health IT
Source: Ponemon Institute 2015 Cost of Data Breach Study (n=350)
1/3 of all Americans’ health records compromised in 2015
Electronic Secure Data / Savings:
• Increases savings by avoiding penalties, lawsuits
• Increases need for newer techniques to mitigate data theft
• Decreases time needed to comply with HIPAA

Big Problem – Face Facts
Source: Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016
Today, Healthcare Data Breaches & Privacy Violations Are At “Crisis” Levels
• May have already passed a tipping point in USA for healthcare
• 89% of health organizations breached; 61% of vendors/supply chain breached
• Rate of ePHI data breaches & privacy violations out of control & accelerating

Big Problem – Face Facts
Source: Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016
                            US Healthcare Org.   Business Associates
1 Breach Last 2 Years             89%                  61%
5 Breaches Last 2 Years           45%                  28%
Don’t Know If Breached ??

Big Problem – Face Facts
Source: Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016
Average of 226 days to discover a breach, + 69 days to stop the breach
[Chart: days for discovery + days to stop]

Everything is networked

The Basics – The OSI Layers

The Basics – Security Controls
Source: Spring 2013 SANS Poster
• Inventory Control
• Secure Network Engineering
• Secure Configuration – Servers
• Vulnerability Management
• Malware Defense
• Application Security
• Wireless Control
• User Data Encryption
• Secure Configuration – Perimeter
• Control of Admin Privileges
• Boundary Defense
• Access Monitoring & Audit
• Data Loss Prevention
• Incident Response
• Penetration Testing
• Identity Management

Value of User IDs
Source: Ponemon Institute 2015 Cost of Data Breach Study (n=350)

Value of Standardizing User IDs
• Categories of users across the system. Makes it easier to do analytics on data.
• Differentiate privileged users from regular – functionality & access
• Helps analyze how users are using credentials for non-business activities
• Helps track malware & ransomware across your network & your partner organizations’ networks

Covert Channels
• Clever social engineering
• Phishing emails
• Nearly undetectable
• Not all that uncommon
“They’ll never see me coming!”

Connect The Dots
Data Breaches & Privacy Violations Are Committed By THREE Distinct Groups:
• Criminal Outside Hackers: 45%
• Malicious Insiders: 32%
• Rogue Vendors/Supply Chain: 23%

Connect The Dots
They All Use the Same Method to Gain Access to Data: LOGIN Credentials!!!
Sources may be different: phishing emails, malware / Trojans, ransomware, web browser – stored passwords

Data Security/Privacy Layers vs. Hackers; Insiders; Vendors
Source: www.securehealing.com
[Diagram: defense layers (Policies, Procedures, Awareness, Training; Perimeter/Network/Internet; Host/OS; App 1 / App 2; Data), with “Steal Credentials” marked as the path through every layer to the data for all three groups]

New DEFENSE Shield – Surveillance Of User Access Behavior
INTERCEPT: Generate digital ‘fingerprint’ of normal user activity for EVERY user login ID interacting with data
Mitigate data breaches & privacy violations
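The per-login-ID “fingerprint” idea above, as an added example (not the deck’s own material or Cognetyx’s product): a baseline of hours, units and distinct patients per day is built from constructed ePHI audit events, and one day of new events is scored against it. The event format, the chosen features and the z-limit are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit events (user_id, "YYYY-MM-DD HH:MM", patient_id, unit); not real data.
# Baseline week: nurse01 reads three ICU charts a day, 08:00-14:00, Mon-Fri.
BASELINE = [("nurse01", f"2017-02-{day:02d} {hour:02d}:00", f"P{pid + day}", "ICU")
            for day in range(6, 11) for hour, pid in ((8, 100), (10, 200), (14, 300))]
# Test day: the same login pulls 40 oncology charts at 02:xx, plus an ID with no history.
TEST_DAY = [("nurse01", f"2017-02-13 02:{m:02d}", f"P{900 + m}", "ONC") for m in range(40)]
TEST_DAY.append(("tmp_admin", "2017-02-13 11:05", "P100", "ICU"))

def fingerprint(events):
    """Build each login ID's profile: hours and units seen, mean/std of distinct patients per day."""
    seen = defaultdict(lambda: {"hours": set(), "units": set(), "daily": defaultdict(set)})
    for user, ts, pid, unit in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        seen[user]["hours"].add(t.hour)
        seen[user]["units"].add(unit)
        seen[user]["daily"][t.date()].add(pid)
    profile = {}
    for user, s in seen.items():
        counts = [len(p) for p in s["daily"].values()]
        profile[user] = {"hours": s["hours"], "units": s["units"],
                         "mean": mean(counts), "std": pstdev(counts)}
    return profile

def score_day(profile, events, z_limit=3.0):
    """Compare one day of events with the fingerprints; return sorted (user, reason) findings."""
    findings, patients = set(), defaultdict(set)
    for user, ts, pid, unit in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        p = profile.get(user)
        if p is None:  # stolen or newly created ID: nothing to compare against
            findings.add((user, "no baseline: unknown login ID"))
            continue
        if t.hour not in p["hours"]:
            findings.add((user, f"access at {t.hour:02d}:xx outside usual hours"))
        if unit not in p["units"]:
            findings.add((user, f"first access to unit {unit}"))
        patients[user].add(pid)
    for user, pids in patients.items():
        p = profile[user]
        # Floor the spread at 1 patient so a perfectly regular baseline does not alert on +1.
        if len(pids) > p["mean"] + z_limit * max(p["std"], 1.0):
            findings.add((user, f"{len(pids)} distinct patients vs baseline {p['mean']:.1f}/day"))
    return sorted(findings)
```

Running `score_day(fingerprint(BASELINE), TEST_DAY)` yields four findings: off-hours access, a never-seen unit and a volume spike for nurse01, and an unknown login ID for tmp_admin.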

Confluence of Two Technological Forces
• Machine Learning
• Cloud Computing

User Behavior Access Profiling – Artificial Intelligence
• Medical Records (ePHI)
• Employee Records
• Patient Schedule Data
• Billing/Finance
• …OR ANY “Data”

A Learning Engine
Source: PatternEx

A Learning Engine that “learns”
Source: PatternEx

Goal: To Create a Virtual Defense Shield
[Diagram: three threat groups converging on Data]
• Criminal Outside Hackers: 45%
• Malicious Insiders: 32%
• Rogue Vendors / Supply Chain: 23%

With newer generation of tools that use Machine Learning, you can…
• Save millions of $ by speeding investigations, limit financial and informational losses and related legal expenses
• Reduce the amount of time to detect a breach from 226 days to much less and hence limit the amount of data stolen
Review of Benefits Realized for the Value of Health IT: Electronic Secure Data, Savings

Lessons Learned
It is essential to add a bit of a human touch in the incident lifecycle to develop a truly learning artificial intelligence system.
The variety and richness of data ingested is key in getting actionable insights; without it you will have to ask your analysts to investigate everything.

Key Takeaways
• Assume you will be targeted/hacked by a rogue insider or malicious outsider
• Defenders need to look for indicators of compromise across many sources
• SIEM solutions centralize data, but often lack Machine Learning analytics
• Start small with basic methods, test, and move to more advanced techniques
• Goal is to detect compromise as early as possible with minimal false positives

Open Source Machine Learning Technologies
1. Scikit-learn – Machine Learning in Python.
2. Apache Spark – MLlib.
3. WEKA – Data mining in Java.
4. TensorFlow – Google’s deep learning.
5. Microsoft – Azure ML Studio.
6. Amazon – AWS Machine Learning.