Improve Visibility to Reduce Vulnerabilities and Protect Patient Data

On-Demand

Video Transcription

Sanjay Raja:
Hello everyone. Welcome to the Lumeta webinar. Here we’re going to be talking about addressing top security challenges in healthcare. My name is Sanjay Raja. I run marketing for Lumeta. Lumeta is actually now a FireMon company. Proud to be part of that group, and let’s get started.

Sanjay Raja:
As Lumeta, we have been working with different healthcare organizations over time. I just want to provide a quick introduction in terms of Lumeta and what we do, and talk about some of the initiatives we’ve had in this particular space. Again, we’ve been working with large enterprise security organizations for many years now. Lumeta has been around since the early 2000s.

Sanjay Raja:
In fact, our technology was first used to map the public internet years ago. We basically looked at the entire internet. We’ve got these really large, beautiful maps you can find online where everything in the public address space across the entire world, we were able to map using Lumeta’s technology.

Sanjay Raja:
That technology was the foundation for our current product, which is called Lumeta Spectre. With Spectre, based on the clients we’ve had and some of the organizations you can see that we have worked with in the healthcare space, we’ve got over 500 million IPs that are under real-time management by Lumeta solutions in the marketplace. Their target has pretty much been Fortune 500 companies based on what we do, and working with their security practice to improve things.

Sanjay Raja:
At Lumeta, we’re looking at really three areas that our customers and certainly our prospects are looking at as business drivers. The concern is that these particular areas can create a greater attack surface. The first is really around network complexity. It’s based on the fact that you’ve got a lot more IP addresses, a lot more devices. Mobile devices, iPads, medical device technology that’s being IP enabled, that’s using standard operating systems. We consider that part of the IoT space.

Sanjay Raja:
There’s movement to the Cloud, and that’s creating a lot less visibility and more of a black box in terms of security for the security teams. They don’t necessarily have the visibility they need in terms of what’s going on in Cloud environments, whether it’s their own Cloud environments, running VMware, or they’re using things like AWS or Azure, as examples. Again, the lack of visibility there is concerning to them, to most security organizations within different industries.

Sanjay Raja:
There’s a lot of consolidation in the marketplace certainly in healthcare. We see it in financial institutions, manufacturing. There’s lots of partnerships. Different suppliers that are being used, that have access to the network to some extent. There’s a huge amount of risk introduced, based on working with those different organizations, different groups. You don’t necessarily see everything going on, or how strong their risk or security posture is. Now you’re connecting them to your systems, and again you’re putting your systems at risk.

Sanjay Raja:
This was true before in acquisitions. We’ve seen it with Yahoo!, where Verizon picked up Yahoo!’s assets, and when that happened they didn’t do a proper assessment of Yahoo! beforehand. There were huge amounts of leaks and malware running around. But again, it can certainly be effective once you decide to connect those systems fully, even post-acquisition.

Sanjay Raja:
The other piece too is just integrating with other security technologies. Integrating with the network itself. Again, how do I pull all this together so I get a cohesive view of what’s going on? Those integrations are key. Again, being able to get an end-to-end view of your security posture is important. We can get it in little pieces. Those are areas that attackers can exploit.

Sanjay Raja:
In our research, and I’ll talk about this in a minute with some details, we’ve seen that on average, over 40% of your network’s endpoint infrastructure is not being actively managed by a particular network or security team. It’s because a lot of this stuff ends up being unknown, ends up being unmanaged for different reasons. Network monitoring ends up missing some stuff. A lot of times it’s on purpose. There are devices or VMs being spun up that are unauthorized, whether it’s due to shadow IT internally or DevOps, or whether it’s something where an attacker is starting to spin up a resource quickly to kind of go under the radar from monitoring systems. Because of that, it’s leaving us significant blind spots. We’ll talk a little bit more about that, and some specific attacks that have occurred to enable that.

Sanjay Raja:
The reality is that healthcare organizations and pharmaceutical, I’ll attach that to that group as well. They’re a top target for attackers. There’s so much patient and clinical data there. Intellectual property. There’s so much data there that’s very sensitive. When you talk about medical records, they include social security numbers, a lot of patient history.

Sanjay Raja:
We’ve seen cases where a nation state will attack an insurance company or a healthcare institution to be able to get data on relatives of someone high up in the military and the US government. It may not even be a direct attack just to steal the data and sell it. A lot of times certain attackers will try to pull data to make associations and build profiles of targets that they’re going after. That’s a great example of that, where again, they’re not really targeting the healthcare organization. They’re targeting the US government. But they’ll try to get data in other places on that particular individual to go after them. Again, it can be pretty complex in terms of why healthcare is targeted.

Sanjay Raja:
But again, in general medical records because of the amount of data, which can include financial information in some cases, is worth a lot more than even the price of a credit card. When you talk about the number of organizations that have been breached… and what we’ve seen too, outside of the fact that the number is 91% in the last two years. That’s obviously an approximate number based on what’s being reported. The other concern, too, is that there are multiple attacks going on. It’s not necessarily just one attack in a given year, we’re seeing that it’s very common to have two to three attacks, depending on the size of the organization, and depending on how easy the breach was. Again, it’s a huge problem.

Sanjay Raja:
The other piece too is HIPAA is starting to definitely become more relevant over time, as these breaches are taking hold. The government is coming in and fining. Usually from what I’ve seen in 2018 is the fines are usually around half a million dollars. That’s for just not reporting the breach within 60 days of identification of it. You are required to do that. You will get fined that amount if you don’t report it within a 60 day window, unless you have really extenuating circumstances. But again, that’s just the start to the fine. That’s not even for being in violation of HIPAA and other areas, where they’re not proving that your infrastructure is strong enough. Whether you’ve got all the different privacy controls in place. That’s additional monies just for that 60 day violation it’s about half a million dollars. A little under that, from what I’ve seen.

Sanjay Raja:
I just wanted to cover some big, well-known attacks, or large attacks that have attacked both healthcare and pharma, just to kind of cover what attackers have done in general. Everybody’s heard of WannaCry. WannaCry was a big one last year. It did focus on hospitals primarily in the UK, even though it ended up being a worldwide outbreak. In some cases, full departments were knocked out based on the attack. The attack lasted a long time. In fact, WannaCry even hit manufacturing companies like Honda three months later, where it shut down manufacturing facilities. Again, it was a pretty high profile attack, but it was very extensive. Did a lot of damage.

Sanjay Raja:
What’s not really known about that attack or really talked about too often, there are a few articles that mention it, is that everyone kind of targets Microsoft for not having a patch for some of their older operating systems to prevent this kind of attack. Certainly a lot of hospitals and healthcare facilities didn’t necessarily patch those systems that were using the right operating system. But there were a huge number of endpoints and devices that weren’t even scanned or discovered, and known to vulnerability management systems in the particular environment. There were huge sets of servers that attackers would exploit and really spread WannaCry heavily in the environment because they didn’t even know that they were there, let alone know what patch level they were on, or what operating system they were using. Again, it was a very, very large problem, and it exposed the fact that being able to be proactive to patch a lot of these systems can be really effective in preventing the attack.

Sanjay Raja:
Merck lost $300 million due to a follow up to WannaCry. A lot of these ransomware attacks are variants. Petya/NotPetya was certainly a variant of WannaCry, or a variant of the original attack that WannaCry was based off of. Merck actually had to shut down production for a while. It infected their manufacturing facilities. It cost them over $300 million due to the outage that they had. Again, NotPetya/Petya was a few months after WannaCry kind of petered out.

Sanjay Raja:
In 2018, we can see that LifeBridge Health got hit with a breach that basically stole 500,000 records for patients. Pretty significant attack. Really though, the largest one was at UnityPoint. UnityPoint, this was actually their second attack in 2018. As I mentioned, a lot of these are repeat attacks. They had 1.4 million records stolen. Pretty much the second largest in 2018. When you talk about even internationally, hackers breached the Singapore government’s health database. They basically penetrated a foreign workstation, and were able to compromise that station. Over time… it took several months. I think it was about three months is how long they took from beginning to end, and then it took them about a week once they had found the right area to be able to exfiltrate about 1.5 million patient records. They even had the Prime Minister’s record stolen too, because it was a government healthcare organization. Huge numbers there. Again, really strong target.

Sanjay Raja:
Based on that information, and healthcare being a top target, what are some of the things that lead to the security risk and lead to a lot of these breaches that are occurring? Certainly some of the attacks are things like phishing attacks. Occasionally it will be based on physical stealing of paper records, things like that. But primarily it’s based on an attacker being able to find a system that is breachable, or it can really be compromised because we’ve got a vulnerability. Some sort of malware’s been injected in there, and that malware starts to either spread or probe around the network itself and figure out where it can find more resources. Sometimes it’ll steal credentials. Sometimes it’ll just be able to get into a port, penetrate another server. Start to exfiltrate data through a leak path.

Sanjay Raja:
Those are the types of things that are occurring within the environment, and that’s really how ransomware works as well, where a particular host is infected. It starts to spread through the environment, and then it starts to talk externally to a server. Starts to exchange key information, and then it starts to encrypt the data on your site based on your storage. Pretty typical of a normal malware attack.

Sanjay Raja:
Some of the things that lead to that are, everybody has a lot of these different security solutions in some capacity. Most healthcare companies will have some sort of antivirus or next-gen antivirus, or endpoint protection. They’ll have a SIEM for being able to do logging of security information. A lot of them will have vulnerability programs. Most companies we’ve seen will have somewhat of a vulnerability management or assessment program. Then certain organizations will have NetFlow collectors for understanding network anomalies. They’ll have maybe packet capture, some security analytics. Again, those tend to be very mature organizations with security operations centers.

Sanjay Raja:
Then they’ll have NAC. NAC is very common in the healthcare space where they want to make sure that a doctor’s device being used in the office, from an iPad, is authorized or not. They can decide that. But certainly if they’re using their iPad from home or from some remote location, maybe they don’t want to grant too much access to certain patient records or things like that. They may want to restrict that, depending on the device being used. That’s what NAC is good for, and it’s commonly used in those environments.

Sanjay Raja:
The problem is that each of those is piecemeal. They’re really good at being able to protect certain pieces of the network, but they still don’t provide full comprehensive visibility into the entire infrastructure. NetFlow can’t be turned on everywhere. NAC is very good at the perimeter, or even in certain parts of the data center, but usually most attackers aren’t really requesting formal access onto the network itself. They’re usually trying to find a different way to get inside.

Sanjay Raja:
We can talk about endpoints. They’re very focused on devices, specifically. A SIEM logs everything that’s a security event. Certainly packet captures are very difficult to have in every part of the network, especially in distributed hospital systems, and we’re talking about partners. You’re really not getting a strong view. Then when we talk about going to the Cloud, it becomes even more challenging. We’re seeing that there are gaps in certainly network visibility, but also all the different endpoints and devices that are running on the network.

Sanjay Raja:
The lack of real-time visibility is really hampering breach detection, because if I get a snapshot view of what’s going on at a particular time, virtual machines move around, devices come in and out of the network. Medical devices will power on, do their job function, maybe transmit some data and then shut down or kind of go quiet or suspended when they’re not being used just to save on power. We’re seeing things like that where, again, devices are fluttering in and out of the network. Not having a real-time view or understanding of those devices, how they’re connected, when they’re connecting, again really prevents you from understanding if there are security risks involved with some of that stuff.

Sanjay Raja:
The network complexity is the other piece. As I move towards the Cloud, I mentioned virtual machines moving resources around. Again, mobile devices, as we already talked about, or devices that are laptops, iPads, things that are being used more commonly. Certainly when you’re talking about manufacturing and pharmaceutical, a lot more devices are being IP-enabled and on the network itself. That’s adding a lot more complexity for security teams that are resource-constrained, that aren’t growing at the same pace as the number of IPs that are running around in that particular environment. It becomes quite challenging to be able to manage all this, and be able to really get the full visibility you need to be able to find these threats.

Sanjay Raja:
One thing I did want to touch upon is at Lumeta we talk about what’s called a leak path. Basically a leak path can be two things. It’s essentially something that a path is being created to the internet that’s not authorized, or it’s something that may have been authorized at one point in time and should have been closed or shut down, and it hasn’t been. Or a path that’s being created between two areas of the network that should be restricted. A great example is between either your medical devices, the network they’re operating on, versus your financial data.

Sanjay Raja:
There’s really no reason for those two areas to be communicating. At least there may be other layers that they’re communicating through before they get to one of those, but they really shouldn’t be in general. When we talk about pharmaceutical manufacturing, you really want to separate your IT networks from your operational technology, your OT networks, or your manufacturing floor. In that scenario you don’t really want them communicating, except for a very small pipe. I shouldn’t say small pipe, but very few communication channels between the two because you want to separate them and keep them controlled.

Sanjay Raja:
These are cases where leak paths can exist. Again, they’re very common with most external attacks. When you’re talking about malware sites being communicated with, command and control site communications that are occurring, callbacks, exchanging the keys for ransomware. Those are all basic paths that are being created to those particular sites, but what we’ve also seen is that there are a lot of existing leak paths that are in customer networks that are being leveraged by attackers because they’re not being monitored, they haven’t been managed. So it makes it even easier for them to do that because they go much more undetected because the path is already there. They’re not creating anything new.

Sanjay Raja:
Again, as I mentioned some of the attacks that occur, we’ve seen even nation state attacks. A great example was last year, North Korea stole a bunch of battle plans from South Korea and the US Army that they did jointly together. That was based on a leak path that a contractor had created a year before, and had left open. That contractor was long gone, no longer needed that, but they had left it open. North Korea had seen that path as being open and had used that to exfiltrate data. This was in 2017.

Sanjay Raja:
Certainly some systems had gotten in there, but the data exfiltration was based on this leak path. There are different mechanisms for it. There are firewall and router misconfigurations, there are certainly policy misconfigurations there. There are network devices that aren’t actively being managed that can create a leak path. We’re seeing shadow IT infrastructures being created. Then certainly if an attacker can figure out that those shadow IT infrastructures aren’t communicating and being monitored as well as they should be, which is why they’re shadow IT, they can use those for creating paths. Who’s going to monitor that to know that that’s occurring? Again, there are route hijackings and other examples. Again, leak paths can be indicative in most malware attacks, and certainly ransomware as well.

Sanjay Raja:
When you look at different healthcare systems and different organizations, we’ve done some research based on some of the customers we’ve worked with. Certainly we’re very heavily involved with the government as well. There we see a few different factors in our research. I talked about that 40% gap, the delta. That 40% number is across different verticals. It’s basically our entire customer base on average. What we see in most healthcare organizations, this ends up being around 15, 20%. Some organizations are a little less, some of them are a little bit more. But what we’re talking about there is a few different factors.

Sanjay Raja:
The first is when we go into bigger particular environments, whether it’s a PoC, whether it’s a proper deployment, we’re being given a number of endpoints that the customer knows about. They say, “These are all the ones that we manage and we know about actively.” We request that list. Within hours, within a day, whatever period of time it takes depending on the size of the infrastructure and how we’re deployed, we will give that particular customer a list of the endpoints we discovered. We’ll say, “Well here’s the list that you didn’t see that are actively working on your network now.” When I say active, it may be that they’re part of a network segment that you’re not monitoring. We’ll get into that in a minute. But it may be something where we’re seeing huge numbers there of endpoints that aren’t being actively managed.

Sanjay Raja:
That’s what we call the endpoint visibility gaps. Again, you can see the percentages there, depending on the type of organization. Pretty significant numbers where you’re getting into 40%. We have had a couple of specific customers… I won’t say in healthcare. Not in healthcare, that have even had over 100%. They’ve got double the number of endpoints that they thought they had running around, and clearly didn’t have much in terms of securing that mobile infrastructure, primarily. That was the main thing we found.

Sanjay Raja:
But even their VMware infrastructure was moving around a lot, and they had a lot of virtual machines, and they weren’t properly tracking any of those or really monitoring those carefully. Again, it can be a really huge issue. All it takes is a single endpoint to be compromised. Attackers will find those. They do look for those, and that’s part of the longevity of an attack, is when they get inside initially. They start to poke around to see, over months even. A lot of times you’ll find that an attacker has been running around there for three months, six months. They’ll be patient. When they’re trying to target you they’ll look and they’ll try to find that one system that is extra-vulnerable, or really they can figure out a way to exploit even further than the one they’ve necessarily compromised initially, and they’ll start to do damage. So really having full endpoint visibility is critical.

Sanjay Raja:
When you talk about unknown networks, this is where a network is, again, a shadow IT network. A network that for whatever reason isn’t communicating over traditional network monitoring methods. It’s not responding properly, route updates, whatever it is. But we’re still able to find some of those networks based on some other advanced techniques that we use. This is where we find huge numbers. Again, unfortunately, with government organizations we’ve seen this very often. There are a lot of networks that have fallen off the network map, so to speak, that are not being tracked actively. Again, we’ve seen that quite frequently.

Sanjay Raja:
Unauthorized forwarding devices is where a router or switch has been left open in terms of the security around managing the route tables and configurations and things like that. Somebody’s either misconfigured the router or switch, or an attacker has basically been able to get into a router or switch and exploit that and create an illegal forwarding path. What we’re talking about is not necessarily, well, it is an illegal forwarding path. This is where we found a router or switch that is open for exploitation by an attacker, or can easily be misconfigured because somebody doesn’t have the right credentials to go in there and make changes. That’s where we see unauthorized forwarding devices.

Sanjay Raja:
Nonresponding networks, those are networks that aren’t communicating appropriately but are still out there, and they’re still trying to communicate and work within a particular environment. They still may be sending traffic. Different from unmanaged. Unmanaged is usually where for whatever reason they fell off a network map. They weren’t tracked any longer. Nonresponding is when they’re really not responding to active mechanisms of trying to discover them and engage with them to be able to monitor them actively.

Sanjay Raja:
Then the last part I mentioned is leak paths. This is not necessarily a new leak path. This is where when we’ve gone into a particular organization and we install our product, we’ve seen all these existing leak paths that are there. Some of them are authorized. We’ve seen where a certain number are okay. But we’ve seen a huge set where people didn’t know they even existed, and they weren’t actively looking for them. Very often it can be where one was created and left open. It could have been something that was exfiltrated years ago. There are plenty of reasons for these paths to exist, and they’re usually not torn down as effectively as they should be.

Sanjay Raja:
We’ve also seen where in Cloud environments, most people don’t want a direct connection to the internet from their Cloud. They want the Cloud to tunnel back in, go through the normal security checks on premise, and then go back out to the internet. We’ve seen cases where there are leak paths running around from the Cloud that weren’t expected. Again, it’s very common with DevOps, especially when they’ve moved some stuff to the Cloud and they want to add some additional tools, or they want to do some other things. They’ll create some path to the internet so they can get around the normal process of doing things. Well, that exposed the organization to some security risks.

Sanjay Raja:
A big part of this is, if you don’t see these endpoints, if you don’t see these networks, how do you know that you’ve got agents protecting them? Your endpoint protection and response, your next-gen AV. How do you know they’re patched appropriately, or that they’re not vulnerable to a new vulnerability or a new CVE that’s out there? If you’re not finding huge parts of the network or certainly individual networks, you certainly don’t have the endpoints protected on those networks because you’re not actively scanning them or managing them that effectively.

Sanjay Raja:
These types of visibility gaps are what attackers know exist. The fact that most systems are doing snapshotting or polling, we’ve seen attackers will spit out a little bit of traffic in less than a second, and then they’ll wait, and then they’ll do it again. And then they’ll wait and they’ll do it again. They’re very patient in how they do things, and this is a way that they can get around traditional polling. A lot of times vendors will say they do continuous monitoring. That’s really just polling or snapshotting. It’s not real-time, and they’ll take advantage of that. They’ll see those intervals, they’ll see those windows. They’ll be able to see the network traffic that’s doing that polling, and they’ll go, “Oh, let me try to fit in my illicit activity in between those polling intervals, and that way nobody will know I’m there.”

Sanjay Raja:
Even with virtual machines. They’ll bring one up and tear it down really fast, but they’ll do that multiple times to hide their activity. Again, they’re very smart about how they’re doing some of these things.

Sanjay Raja:
Let me talk a little bit about Lumeta Spectre. The 40% number that we talked about is something that we’ve seen in organizations we’ve gone to. Again, this is over 15 years now, or approximately 15 years now. There are three foundational pieces to what we do, and how we do it differently. I’ll talk about them in a little bit. We provide full network infrastructure visibility in real-time. What that means is that any change that occurs, an endpoint moves around, a new leak path was created, a new router or switch starts communicating to a particular area of the network. We will see all that in real-time.

Sanjay Raja:
We use what we call active and passive listening techniques to be able to do that. Really the passive ones are, we almost pretend that we’re part of the router and switch environment of the network, and we listen. We listen to updates. We pretend we’re communicating with an adjacent router or switch. We can identify all the endpoints there. But we also use some active techniques where we start to build out our map. We call that recursive network indexing, where we start to build out an entire network map of the environment.

Sanjay Raja:
I mentioned we were able to map the complete public internet. We can do that within an organization, and find all the shadow IT, find all the rogue infrastructure. It’s because we use nontraditional techniques to be able to do that, and it’s lightweight, doesn’t cause any disruption. But again, it is something that we can do effectively to be able to map out everything. We find everything. If it’s talking on the network in any capacity whatsoever, even if not broadcasting or whatever it is, we can find it.

Sanjay Raja:
With that, we pull in the security intelligence and threat intelligence feeds. Those feeds we map to the data we collect. We collect some NetFlow information as well. But we’re able to pull out certain sets of anomalies in the network. It’s mainly things like torrent traffic. Most organizations don’t want torrent traffic, or that kind of encrypted traffic, on their network. In the past, that was used very commonly for sharing pirated music and videos, and things like that. It’s a way to hide your activity through encryption. It’s used by malware and ransomware to hide their activity.

Sanjay Raja:
It’s hard to detect sometimes. That’s the whole purpose of it, is it’s very difficult to find running around the network. But it’s almost always not authorized. The ability to find that’s important. When you’re communicating with a leak path, is it going to a new malware site? Can I flag that right away to say, “Wait, based on the security threat intelligence we have, this is a malware site. You need to go and shut this down immediately.” Things like that we can determine. Certainly command and control activity, callbacks, things like that. Zombie nodes, we can identify that kind of stuff. Certain network anomalies we can find based on our knowledge of the network in real time.

Sanjay Raja:
Then the third piece is segmentation analytics. This talks about leak paths to some extent, but really it talks to how we are able to help as you unflatten your network, because we understand the network really well. We can tell you, “Hey, is your traffic getting from point A to point B, or is it being restricted as it should be from point A to point B?” This is critical when you’re talking about separating medical devices from your financial systems, things like that. We can tell you whether your segmentation is working properly based on some of the analytics we have.

Sanjay Raja:
Securing patient data at the end of the day is a group effort. It’s something where we know that our solution can actually improve your security stack, regardless of what sort of piece of security you’re using. An example of that is we have an integration with RedSeal or Qualys and Tenable, those different vendors, as part of a company’s vulnerability management program where we will pull data from, say, Qualys. Understand all their endpoints that they’re scanning. We’ll do our assessment of the particular infrastructure, and we’ll compare the two and provide Qualys with the delta of the systems they still need to scan and that they didn’t know about.

Sanjay Raja:
We’ll also monitor in real-time, and say, “Hey, we found this new system here. Do you want to set off a scan now for this individual system, as opposed to waiting for the next scan interval?” Most of these systems are very intensive when they scan all the endpoints. You really don’t want to do that, so they have certain windows for those scans, late at night or whatever it is, to determine if there are vulnerabilities. We can help them do an on-demand scan, or ad hoc scan, if a new device has suddenly come on board, and it’s very minimal when it does that. But really we can do that because we’re continuously looking at the network and changes. Again, the user can decide if they want to enable that or not in terms of doing that scan at any given time.

Sanjay Raja:
But it’s something that can be effective to make sure you have full coverage and really know, are there any vulnerable systems out there that I need to address? As I understand where these systems exist and what part of the network they are in, I need to assess which ones are the highest priorities as well. We can help with that by doing that delta.

Sanjay Raja:
When we talk about endpoint security, we work pretty strongly with McAfee. We work with Carbon Black. We want to make sure that those endpoint agents, the endpoint detection and response solution, next-gen AV, are installed on every system. They’re there to help prevent any sort of attack. So for any sort of IP-enabled device that can support those types of agents, we want to make sure those agents are on there. Our customers come to us and say, “We don’t have full coverage of that. We bought all these licenses. We have the solution here. We want to get the most effectiveness out of the security program, but if we can’t find all these endpoints,” and they’re certainly not able to, “what do we do?”

Sanjay Raja:
That’s the biggest part of both vulnerability management and endpoint security: the endpoint folks need to know the network already and know the devices there to be able to install the agent. Then when you talk about vulnerability assessment, if you give them a network segment or an area of the network, a known address space, they will discover that known address space. They’re really good at being able to discover the endpoints or devices in that space.

Sanjay Raja:
But if you’re talking about shadow IT, or rogue systems, or any sort of unknown infrastructure, they have no idea. They cannot do full, comprehensive enterprise discovery, and certainly not in the cloud for those systems. You have to give them the place to start, and they’ll start looking from there. That’s all they can really do. This is where our visibility can really feed these solutions and make your security program more effective.

Sanjay Raja:
We work with SIEM, and we are also working with certain network operations tools to improve visibility into difficult-to-reach environments. We work with Gigamon to work on cloud environments more effectively, because sometimes it doesn’t scale very well. Lumeta itself can extend into Amazon and Azure environments, and work fully there to provide full visibility. We’ll talk about that in a minute. We work with Cisco ISE and their pxGrid platform, as well as McAfee DXL, and that’s really how they share information across different security applications. We consider that kind of an overall policy management.

Sanjay Raja:
Then we work with GRC and CMDB platforms. It’s very important to provide the asset information to those platforms as they start to score them for risk. And certainly we even plug into security operations center teams, where they’re finding an attack and working with the network team to create a ticket to be able to make changes, or quarantine systems, or upgrade, whatever they need to do. We need to work with these GRC and CMDB systems to make sure that that ticket is working properly, and certainly, as they have their IT change windows, that we’re providing the full level of network context to that effectively.

Sanjay Raja:
We have some planned expansions there as well. You can see some on the list there. Pretty typical from the list that we have in terms of the partners we work with. But again, as much as we are very effective standalone in providing that network context for security teams, the reality is that as we work with these solutions and have integrations with them, we improve the overall security effectiveness of the existing products and solutions you’re already deploying. That’s really where we see ourselves adding value to an organization.

Sanjay Raja:
Let me just talk quickly about how we can be deployed, just so you get an idea. Again, as I mentioned, we participate in the network as a kind of dummy piece of the network, so to speak. It’s a way that we don’t have to work off a SPAN port. We’re not really… we’re working off a tap, like a lot of monitoring solutions do. We’re actually pretending, we’re sort of simulating that we’re a part of the network, and participating in there. But it allows us to do a lot more than any other solution can do. We’re not relying on broadcast traffic. We’re looking at route and switch tables. We’re seeing updates from them. We’ve got some active techniques, where we’re kind of testing the waters and seeing what sort of responses we’re getting in some cases. We really have some strong analytics and algorithms to look at those and start to build adjacencies, and start to explore and see the full extent of the network.

Sanjay Raja:
What we have is what’s called Specter Command Center. That command center, if you have a flat network, is all you really need, actually. It’s got capacity in the millions of IP addresses, and it can really do all the analytics from a single station if you really want it to. It’s that powerful.

Sanjay Raja:
We do have what’s called scouts. These are not agents. We don’t have any agents of any kind. The scout is, again, a simulated small switch or router that sits within a particular environment. It pulls data in and it sends it back to the command center. It’s basically designed to get to hard-to-reach places in the network. Areas like branch offices, certainly cloud environments. It can see into Amazon or Azure cloud, where it’s a little bit more difficult to start probing and sending traffic. Certainly if you have very, very segmented parts of the network that are very restricted by firewalls, it’s an area that we can sit in. Again, we still easily provide ways to get back. We can figure out how to get back to the command center, even if you have a very segmented network through firewalls, or routing and switching ACLs and things like that.

Sanjay Raja:
We’ve got different ways that we work that still allow us to scale. And the scouts are free. We don’t charge anything for those. Whatever number of scouts you need to get the deployment to work, we give those to you. Again, we are really able to find the far reaches of the network, physical or cloud. But the important thing is we provide that end-to-end view. When you look at our network maps, our network maps are fairly elaborate. They allow you to drill down to an individual device. When you see those maps, we’ll show: here’s your enterprise, here’s your core network, here’s your cloud environments, here’s your branch offices. We’ll show all that visually to you as well. It’s one of our strengths, that we do these really, really elaborate maps that allow you to see things at a high level but drill down quickly to the details you need.

Sanjay Raja:
I’ve got a few case studies here. Let me just go over them quickly. There’s a lot of words here. I’m not going to spend too much time on them. We’re recording this, so you can take a look again at your leisure. This was a large, nonprofit healthcare provider, and they were concerned about IoT security. They had a lot of new medical devices running around on the network. A lot of them were wireless. They were using a lot more wireless technologies because as medical staff are walking around, visiting with different patients, as they were moving devices around on the cart, they didn’t want to be tethered. They were adding a lot more wireless devices. In some cases, they didn’t know all the devices being added.

Sanjay Raja:
They didn’t want to analyze all the systems and make sure they were using standard operating systems, certainly that they were resilient against vulnerabilities and that they were being patched appropriately. They wanted to harden their systems, and put in the sort of endpoint protection that would work on the particular endpoint as needed.

Sanjay Raja:
Those were really the challenges they were having: they didn’t really have a good handle on that. They certainly couldn’t identify all the new devices. This is where Specter was able to really discover, and I use the term indexing, all the devices on the network, including through undocumented networks that we found. We found a few of these straggler networks here and there. We wanted to identify all those as well.

Sanjay Raja:
Then actually we worked with two partners. One was McAfee. This particular institution was using McAfee, and specifically their EDR solution, not their AV solution. They felt it was more powerful for what they were looking to do. So we worked with McAfee ePO, which is their policy management platform. We told ePO, “Hey look, here are all the IP addresses that you’re not managing, and certainly don’t have agents installed on. You need to basically install your EDR agents on there to actively monitor them to make sure they’re protected.”

Sanjay Raja:
Along with that, they’re using Tenable as part of their vulnerability analysis program. Again, we were able to feed Tenable with a bunch of data. Tenable is able to see this device that just came online: is it something I’ve already scanned recently, is it something I need to scan? Critical for medical device technology. Again, this was something that they were able to really investigate to make sure that they weren’t doing unnecessary scans, but also that they had full coverage.

Sanjay Raja:
The impact is that we found basically 27% more endpoints and devices than they knew about, based on Tenable’s discovery mechanisms and McAfee’s. Pretty significant number there. The important thing was we were able to make sure that all their devices were covered 100%, and that’s really the key here.

Sanjay Raja:
This is actually a healthcare insurance provider. This is not a medical institution, necessarily. They actually operate in both the US and Latin America. They were more concerned about the fact that they had, again, a lot of remote subsidiaries. They had a lot of different branches and offices everywhere. They wanted to keep tight control over those, and they didn’t necessarily have monitoring in place to be able to do that. They wanted to make sure leak paths weren’t being created from a remote office to the internet, that there wasn’t some sort of breach activity there, or that somebody wasn’t compromising systems there and then trying to breach the central servers.

Sanjay Raja:
Again, this is where they wanted to see if there were any sort of policy violations. But they didn’t necessarily want to roll out a ton of agents to all of these different remote offices. Honestly, some of them were subsidiaries. They didn’t really have the control to be able to do that. They wanted to get a full asset mapping to make sure they were compliant. This is where they weren’t able to really map everything. It’s where Lumeta came in, and we found all the leak paths that may have been existing between some of these offices too, and we would send a report. We generate a report that they would send to those subsidiaries and offices saying, “Hey look, you’ve got all this stuff running around. You need to know about it. Please go shut it down or lock it down if you need to.” Again, we were giving periodic reports to them about certain assets, certain leak paths that they were concerned about running around there.

Sanjay Raja:
Again, we were able to provide a comprehensive view of all the segmentation violations, policy violations there, leak paths. They were using a monthly security report. Initially it was the right of way, but over time they started to get into a cadence where monthly they would provide these reports to the different groups. Any sort of changes in real time, they’d be able to flag immediately and say, “Hey, this has occurred there. What’s this path being created?” and be able to alert them immediately, outside of the monthly reports they created. That’s basically how we helped them.

Sanjay Raja:
Last but not least, this is a state Department of Health and Human Services, in the US specifically. This was a particular state organization. Not a very large organization, one of our smaller ones I’d say in terms of the number of employees. But again, their problem, because they were so small, is that they had a very small security team, and even network operations team. So they had full visibility across headquarters and they needed something that would provide them with a full map both groups could use effectively.

Sanjay Raja:
Same kind of issues. They were outsourcing a lot of this to cloud providers, and they didn’t really have a good handle on how well the cloud providers were protecting their infrastructure, and whether they were compliant or not. They didn’t have the staff to handle more agents. That was one of the first things we heard when we went in there: “Okay, if you’ve got an agent approach, we don’t have time for you. We already have too many agents running around. We’re trying to consolidate all of them. We’re definitely not going to add another one, so if you can provide us visibility without an agent, that’s a start.” Very important to them.

Sanjay Raja:
We provide the infrastructure and visibility on premises and into the cloud, and that was really what they wanted to do, even to their hosting provider. Because we can do real-time network monitoring, we were able to find any unapproved connections. Their biggest concern was that in cloud environments new connections would be created, or there’d be some sort of activity there. We provide an early warning.

Sanjay Raja:
One of the things we do with our network anomaly detection is we would provide an early warning of activity that’s occurring. If I start to suddenly see communication to a malware site, I can put a stop to it right away and quarantine that particular server that’s communicating with that site and start to remediate. That’s something that they were looking for as well that we were able to provide. For them, the real-time maps were critical. They really needed that because they were so down on resources; they wanted to have something visual they could easily drill down into. They didn’t want lists and things like that of addresses or assets. They wanted to have a visual map to make it easier for them.

Sanjay Raja:
We detected over 22 existing leak paths in this organization. Not too many. Pretty much on the low end. But again, for a small group, they didn’t have more than that. We were able to find those immediately, and they were able to determine what they wanted to do with those existing paths, and whether any of them were authorized.

Sanjay Raja:
Basically that’s it. I just wanted to provide some use cases around how we’ve been effective in healthcare organizations. Happy to open it up to questions. We’ve got a little question area where you can submit questions, certainly. That’s probably the best mechanism to use. But yeah, we’d love to get any questions about what we do and our technology. If there are any other questions about certain attacks or anything I covered in the beginning of the presentation, we’ll be happy to answer any of them. We’ve got about 15 minutes left. You can definitely use the chat window to ask any questions.

Sanjay Raja:
Also, you’ve got my email address there if you have any questions and you want to email me directly. Otherwise, on our website, www.lumeta.com, we do have some case studies. We do have some additional information, especially on IoT security.

Sanjay Raja:
Lumeta actually just picked up an award two weeks ago: Frost & Sullivan awarded Lumeta a best practice award around cyber security for IoT. We won that award for innovative technology, where we beat several vendors around the visibility we provide to security teams around IoT. It’s something that can be used today, and it’s relevant to anyone in the healthcare space. They actually talked about that a little bit in the report.

Sanjay Raja:
But again, we won that award just a couple of weeks ago. The write-up about why we won the award is up on our website as well. Something to definitely take a look at and download. You can get a better view of the criteria that were used, and why we were so important to security in IoT environments, including healthcare.

Sanjay Raja:
I will give just one more minute for any quick questions on the chat window. If I don’t see anything we can shut down. Let me give just one more minute in case there are any other questions. Feel free to ask anything.

Sanjay Raja:
Yeah, the one piece we do see very often in the IoT space, I talked about it a little bit before, is that a lot of utilities, healthcare, manufacturing, etc., are looking at strong separation between their manufacturing environments or areas of the network. Like where all their medical devices are sitting on that part of the network for sharing imaging information, the details around whatever sort of measurements have been taken. Those types of things usually run on separate networks too, and they like to keep them separate. Again, with very minimal communications between that and the normal IT systems that are running payroll and finance, etc. Scheduling, all that kind of stuff.

Sanjay Raja:
A lot of times they’ll keep them separate, and they want to have strong separation between the two. That’s becoming harder and harder to do. We’ve been used in a lot of environments for that purpose across the different industries. Utilities, you can see where that’s very important to make sure malware doesn’t affect those control systems, for example. We’ve seen where malware and ransomware have been used effectively to shut down a manufacturer for days, or weeks even in some cases. These are areas we’re very strong in, in terms of providing visibility, but also those segmentation violations in real time.

Sanjay Raja:
All right, I don’t see any questions. I guess that’s good. This session will be recorded. You can certainly view it later, and maybe take a better look at some of those use cases that are listed there. Other than that, I thank everyone for attending today, and have a good day.
