Protecting from Ransomware & Modern Disasters: An El Camino Case Study
Session 45, August 10, 2021
Rick Bryant, Chief Technology Officer, Veritas
Deb Muro, Chief Information Officer, El Camino Health
DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.
#HIMSS21
Welcome
Deb Muro, Chief Information Officer, El Camino Health
Rick Bryant, Chief Technology Officer, Veritas
Conflict of Interest
Rick Bryant, CTO at Veritas, and Deb Muro, CIO at El Camino Health, have no real or apparent conflicts of interest to report.
Agenda
• Overview of Veritas and El Camino Health
• Discussion of today’s complex threat landscape
• Case study on El Camino Health’s Ransomware Incident response, including prevention, detection, containment, and remediation
• Tips for implementing a cybersecurity defense strategy and improving overall quality of disaster response
Who is Veritas?
The Global Leader in Enterprise Backup & Data Recovery Solutions
Availability: Ensure predictable availability, application resiliency and storage efficiency across multi-cloud, virtual and physical environments
Insights: Gain visibility into your data, storage and backup infrastructure, so you can take control of data associated risks
Protection: Protect your organization from the unforeseen and ensure your data is always secure, compliant and available—no matter where it lives
• 16,000+ Employees Worldwide
• 2,000+ Engineers Worldwide
• 20,000+ Global Partners
• 80,000+ Global Customers
• 800+ Supported Workloads
• 2,140+ Global Patents
• 87% of Fortune Global 500 Trust Us
• 16x A LEADER IN GARTNER’S MQ FOR DATA CENTER BACKUP AND RECOVERY SOLUTIONS
• MARKET SHARE FOR BACKUP AND RECOVERY SOFTWARE
Availability: InfoScale, VRP
Protection: NetBackup & Appliances, Backup Exec, Access & Appliances, Flex Appliances, CloudPoint, SaaS Backup
Insights: APTARE, Information Studio, Data Insight, Enterprise Vault / Enterprise Vault.cloud, eDiscovery Platform
In the Headlines
The 7 Biggest Ransomware Attacks of 2021 (So Far)
1. Colonial Pipeline, $5MM USD: The DarkSide ransomware attack on Colonial Pipeline shut down fuel delivery for most of the South Eastern USA in May 2021. The victim paid almost $5 million USD ransom in Bitcoin to retrieve almost 100 gigabytes of data. A single compromised virtual private network (VPN) password was all the attackers needed to get access to Colonial Pipeline's network.
2. Brenntag, $4.4MM: In May of 2021, Brenntag SE, a German chemical distribution company operating in over 77 countries, was attacked by DarkSide ransomware and was forced to pay $4.4 million in Bitcoin. This came just days after the Colonial Pipeline attack.
3. Acer, $50MM: In March 2021, computer giant Acer suffered the largest cyber attack in history when hackers used REvil ransomware to cripple the Taiwan-based manufacturer’s network defenses. The cost for Acer to retrieve their data was $50M USD in Monero cryptocurrency.
4. JBS Foods, June 2021: $11M Bitcoin
Why Target Public Sector?
• Immediate access to patient data
• Lack of email scanning/filtering technology (86% of hospitals)
• High-value data regarding COVID-19
• TeleHealth reimbursement enabled by national emergency declaration
• Thousands of caregivers started practicing at home using whatever technology was available to them
• RDP improves ransomware success by 37%
• Difficulty with emerging threats – hospitals 6X more likely to host their own servers
• Hackers waiting dormant for the best time to strike
Source: “Ransomware attacks on Healthcare rose 350% in Q4 2019,” Health IT Security, March 9, 2020
What’s the New Approach? Why Change?
• Ransomware attacks in healthcare were typically not reported due to high confidence that the data had not been exfiltrated, e.g. no actual data breach
• OCR requires disclosure for any breach of 50+ records after a formal risk analysis determines there is a reasonable determination the records have been exposed
• Ransomware-as-a-Service gives any actor a prebuilt kit and existing attack systems; they just need to customize their target, write a ransom note, and set up a Bitcoin wallet
• Two new ransomware variants emerged that actually exfiltrate the data before encrypting it at the attack site (Zeppelin and REvil/Sodinokibi)
• Exfiltration is used as “proof” but also requires healthcare to now report the breach, regardless of the ability to recover. Hackers then can sell the data and receive ransom
What Does the New Tactic Look Like?
• Phishing emails with a malicious attachment
• Users clicking on a malicious link
• Users viewing an ad containing malware (malvertising)
Examples:
• Phish targeting foreign visitors
• DocuSign credential-harvesting phish
• SMS delivery of malware links
• Social media phishing landing page
Source: IANS, 2020
Ransomware Regulations by Industry
Healthcare
• All healthcare providers must have a backup and protect all PHI (HIPAA 1996)
State & Local Government
• Legal experts are generally skeptical that new laws are what's needed to secure the nation's cyber infrastructure within state, local and federal government
• In California, ransomware is a felony, treated as a form of extortion
• Michigan law criminalizes and prosecutes the possession of ransomware
• Connecticut, Texas and Wyoming laws state that using ransomware software is a crime and can be prosecuted as a felony
Federal Government
• The federal government does not negotiate with terrorists
• The Federal Bureau of Investigation directs victims to their Internet Crime Complaint Center (IC3), and notes that paying the ransom also encourages future attacks from hackers
• The Department of Justice (DoJ) does not encourage paying ransomware. In some cases, victims have been targeted again because of their willingness to pay
• The Central Intelligence Agency follows the DoJ and FBI's guidelines on paying ransomware
• The Department of Homeland Security follows guidelines from the U.S. Computer Emergency Readiness Team
Breach Notifications for Unsecured PII
• Required Risk Assessment Factors:
  • Nature and extent of PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI actually was acquired or viewed
  • The extent to which the risk to the PHI has been mitigated
Source: “Ransomware attacks on Healthcare rose 350% in Q4 2019,” Health IT Security, March 9, 2020
Willful Neglect & New Safe Harbors
• Willful Neglect: Conscious, intentional failure or reckless indifference
  • No policy equals reckless indifference
• OCR will investigate all cases of possible willful neglect
• OCR will impose penalties on all violations
• OCR may penalize organizations without seeking informal resolution (settlements)
• CMS and HHS OIG finalized federal anti-kickback and Stark Law rules, which included provisions allowing health systems and hospitals to donate cybersecurity technologies to provider offices.
Source: “Final HHS Rules Provide Safe Harbor for Cybersecurity Tech Donations,” Health IT Security, Nov. 24, 2020
Breach Notification for Unsecured PHI
Harm Threshold
1. Notification of the Media
2. Notification of the Secretary
3. Notification by a Business Associate
The new rule does not say what “compromised” means.
Source: HIPAA Omnibus Final Rule
Security Controls for Data Integrity
PROTECT
• Identity and Access Management (Multi-factor auth via SAML) – Zero Trust Access
• Data Encryption – In-Flight & at REST
• Solution Hardening – Intrusion Detection/Intrusion Prevention
• Immutable Image Management and Storage (On-premises and Cloud)
Cohasset immutability assessment (in compliance mode):
• Securities & Exchange Commission (SEC) in 17 CFR § 240.17a-4(f)
• Commodity Futures Trading Commission (CFTC) in regulation 17 CFR § 1.31(c)-(d)
NetBackup | Flex Immutability Solution
Immutable Storage Management
• Immutable storage and policy setup
• Backup image management
Immutable Storage with Flex (5150 & 5340/5350)
Data Integrity, Security Controls across Backup Software & Appliance(s)
Support for primary, backup, and AIR replication
• WORM Storage Server (MSDP Container)
• Compliance timer/clock
• Compliance and Enterprise modes
NetBackup Flex Security
Updated hardware and software architecture to protect immutable storage
Logical attack protection
• NetBackup WORM storage server
• Appliance Platform Security
• Zero Trust Access
• Enterprise and Compliance lock down modes
• No storage reset
• No custom ISO boot
• Hardened containers & storage array
• Intrusion Detection System (IDS) / Intrusion Protection System (IPS)
Anomaly Detection Workflow
Initial Configuration: train the base model using customer information (customer historical backup metadata loaded into the ML database)
Anomaly Detection: backup job metadata and the customer sensitivity setting feed the ML database and the ML detection algorithm, which raises anomaly alerts
Feedback loop: eliminate false positives; valid observations are kept for continued learning
Anomaly Detection in Backup Flow
• Job-data-based features would be considered
• Three new services will be created in NetBackup:
  • Management Service: mainly used for data gathering; data is gathered from two different sources, image data and jobs data
  • Detection Service: leverages a clustered ML implementation to detect the anomaly
  • Alert Service: used to send alerts, for example to the NetBackup WebUI
Features:
1. Client Name
2. Policy Name
3. Schedule
4. Policy Type
5. Storage Name
6. Image Size
7. Number Files
8. Total Time
9. Kilobytes Transferred
10. Dedup Ratio
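The feature list above and the later "monitor data change and deduplication rates" bullet can be illustrated with a per-client baseline over constructed job metadata. This is an added example, not NetBackup's clustered ML implementation: it uses a median/MAD robust z-score so that a job whose image size jumps while its dedup ratio collapses (what mass encryption of a file share looks like in backup metadata) is flagged, while clients with too little history are left alone. All names and values are constructed.

```python
import statistics
from dataclasses import dataclass

@dataclass
class BackupJob:
    client: str
    policy: str
    image_kb: int       # Image Size / Kilobytes Transferred
    files: int          # Number Files
    dedup_ratio: float  # Dedup Ratio, 0.0-1.0 (fraction of data deduplicated)

# Constructed baseline: a week of normal incrementals for one client/policy.
HISTORY = [BackupJob("fileserver01", "Daily-Incr", kb, n, r) for kb, n, r in
           [(10_000, 5000, 0.91), (10_400, 5100, 0.92), (9_800, 4950, 0.90),
            (10_200, 5050, 0.93), (10_100, 5000, 0.91), (10_300, 5080, 0.92),
            (9_900, 4980, 0.90)]]
# Constructed test jobs: one ordinary run, one where nearly every file changed
# and became incompressible, so the incremental balloons and dedup collapses.
NORMAL = BackupJob("fileserver01", "Daily-Incr", 10_150, 5020, 0.915)
SUSPECT = BackupJob("fileserver01", "Daily-Incr", 48_000, 5050, 0.05)

def robust_z(value, history):
    """Median/MAD z-score: resistant to a few odd jobs in the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:  # flat baseline: any deviation at all is unusual
        return float("inf") if value != med else 0.0
    return 0.6745 * (value - med) / mad

def score_job(job, history, threshold=3.5, min_baseline=5):
    """Return the features of `job` that deviate from its client/policy baseline."""
    same = [h for h in history if (h.client, h.policy) == (job.client, job.policy)]
    if len(same) < min_baseline:
        return []  # too little history to judge; avoids noisy alerts on new clients
    reasons = []
    if robust_z(job.image_kb, [h.image_kb for h in same]) > threshold:
        reasons.append("image_size")
    if robust_z(job.files, [h.files for h in same]) > threshold:
        reasons.append("file_count")
    if robust_z(job.dedup_ratio, [h.dedup_ratio for h in same]) < -threshold:
        reasons.append("dedup_ratio")
    return reasons

def detect_anomalies(jobs, history):
    # Keep only jobs with at least one reason, as (client, policy, reasons).
    return [(j.client, j.policy, r) for j in jobs if (r := score_job(j, history))]
```

The alert is only as good as the baseline: a flagged job should be checked against change-rate and file-access data before any recovery decision, which is the "eliminate false positives" step in the workflow above.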
Illuminate Anomalies
Ransomware Detection: Risk Mitigation Analytics
Baseline of Last Known Successful Backups by Application
Predictive Analytics Correlating 50,000 Unique Data Points
Historical Trending of Dozens of Risk Analysis KPIs
Detect Ransomware
Data Management
• Scan for ransomware item types (Data Insight)
• Monitor data change and deduplication rates (Data Insight / APTARE & OpsCenter)
• Monitor file access by users (Data Insight)
Third Party Tools
• Endpoint security (Symantec)
• Monitoring of file changes (Tripwire)
Meet RPO and RTO Requirements at Scale
NetBackup Resiliency
• Automation and orchestration
• Full RPO coverage
• Test, Validate, Disinfect
Support Diverse RPO and RTO Requirements
Comprehensive Recovery Options
• NetBackup Resiliency
• Continuous Data Protection (CDP)
• Instant Access: VM and SQL
• Cloud and On-Prem Snapshots
• Bare Metal Recovery (BMR)
• Traditional recovery
Veritas Ransomware Data Protection Assessment Program
• What is it?
  • An expert assistance program giving customers comprehensive advice on ransomware protection strategies and issues
• Key Differentiators:
  • Holistic approach to overall data protection, including detection, prevention and data recovery
  • Providing practical advice based on our real-world experiences and best practices – not just providing a high-level “what to do” but also “how to do it”
  • Customizing solutions to each customer’s environment and readiness
Source: “Ransomware attacks on Healthcare rose 350% in Q4 2019,” Health IT Security, March 9, 2020
Assessment: One-week, data-driven and consulting-led services designed to assess “as-is” posture of data protection against ransomware
High-level roadmap with action items and defined future technical architecture
Delivered by Advisory and Consulting
With a Unified Approach, You Get:
Better resiliency against ransomware
Data that’s protected and recoverable no matter where it lives
Simplified management across heterogeneous environments
More visibility to optimize infrastructure, cost, and compliance
All without compromise
El Camino Health
Prevention, detection, containment, and remediation
RANSOMWARE INCIDENT RESPONSE