

Solutioning a True AI-Driven SIEM for Healthcare of Tomorrow

Date

Tue, Apr 16, 2024, 07:00 AM



GS Lab | GAVS/Englewood Health CHIME Collaboration Award application: Sept 2023


Inderpal Kohli, VP/CIO - Englewood Health


Avijit Kalita, Vice President – Healthcare Business Development – GS Lab | GAVS


Executive Summary


In the healthcare sector, the secure exchange of sensitive information across extensive networks is of utmost importance. The same connectivity, however, exposes organizations to cyberattacks, data breaches and unauthorized intrusions, with consequences ranging from financial loss and patient-safety concerns to regulatory fines. Traditional Security Information and Event Management (SIEM) systems often prove insufficient, lacking the threat visibility and early-detection capabilities needed to counter the threats the healthcare industry faces today. Outdated technology and the absence of advanced analytics prevent legacy solutions from addressing these challenges effectively.


Englewood Health, a leading healthcare institution in New Jersey, wanted to strengthen its defences in light of the rising number of cyberattacks. It relied on a third-party SIEM tool that functioned predominantly as a log aggregator. Recognizing the need for real-time security threat detection, Englewood, under the leadership of CHIME member and CIO Inderpal Kohli, partnered with GS Lab | GAVS to further bolster its security posture. Together, we decided to move to a new SIEM product that would be fine-tuned into a solution for the healthcare requirements of tomorrow and would bring AI/ML capabilities to the security programme. This transformation not only closed the critical security gaps but also delivered multiple benefits, including:


* Comprehensive Event Analysis


* Efficient MITRE Framework Integration


* Precise Behavior Analytics


* SOAR-Driven Automation


Key learnings from this collaboration emphasize the importance of phase-wise implementation, prioritizing quality over quantity, and the versatile applications of this solution across various healthcare security domains. Englewood Health's successful collaboration with GS Lab | GAVS shows the power of partnership in addressing complex cybersecurity challenges and underscores the critical need for advanced SIEM solutions in healthcare cybersecurity.


About Englewood Health


Englewood Health, one of New Jersey’s leading hospitals and healthcare networks, delivers nationally recognized inpatient and outpatient care through its hospital and network of physician practices, urgent care centres, and imaging centres.


Founded in 1890, the organization consistently earns high marks for clinical excellence and patient safety. It holds the Leapfrog Hospital Safety Grade ‘A’ (spring 2023) and was named a Leapfrog Top Teaching Hospital (2022). Englewood Hospital is nationally recognized for nursing excellence, earning a fifth consecutive designation by the Magnet Recognition Program in 2021.


The Englewood Health Physician Network—a coordinated network of more than 600 office-based and hospital-based providers—offers primary care, specialty care, and urgent care at more than 140 locations in five counties across northern New Jersey.


The need for change: Challenges that stood between Englewood Health and their goals


Englewood relied on a SIEM system which was primarily serving as a log aggregator. However, this system lacked advanced analytics driven by AI/ML technology, leaving a significant gap in their security posture. Without the AI/ML-powered threat detection model, accurately identifying anomalies related to Indicators of Compromise (IoCs) was a challenge. This gap meant that the system might miss or misinterpret crucial signs of potential security breaches, carrying substantial risks.


Given the critical need for real-time security threat detection and response, the Englewood team concluded that an AI-based SIEM solution was required, a capability absent from the existing system.


Apart from identifying the right solution, the following were the other challenges that Englewood faced.


Complexity


Enterprise networks consist of many security elements, such as firewalls, routers, web security tools, and intrusion detection and prevention systems, among other solutions crucial for network security. These components produce a large volume of events and alerts. To coordinate log collection, data analysis and threat detection across such a diverse range of security elements, a meticulous process of discovery, planning, policy evaluation and precise tuning was necessary to ensure the SIEM solution met the desired objectives.


Compatibility


The presence of varied network devices and applications in most organizations can lead to compatibility issues and security gaps in SIEM implementation. To enhance SIEM efficiency, seamless integration with existing network security tools, including endpoint protection, was vital. However, integrating SIEM with outdated legacy systems, generating logs in proprietary formats, further complicated the implementation process.


Collaborating for Success


Seamless cross-functional collaboration involving IT, networking, and security experts from all organizations was needed to bring the envisioned solution to life.


* Tool Selection – The Englewood team worked with the GS Lab | GAVS team to assess the existing ecosystem. Together, we pinpointed the deficiencies of the current platform and outlined the requirements for the new one. This served as the foundation for evaluating several SIEM platforms, ultimately leading us to select a platform tailored to address these challenges, with the ultimate goal of creating an incident-free environment.


* Tri-party Collaboration – Once the appropriate tool was identified, all three stakeholders – the product company, implementation partner, and the customer – joined forces to facilitate a seamless transition from the old SIEM tool to the new one, without disrupting operations. Daily synchronization meetings between all parties ensured effective resolution of obstacles in a short timeframe.


* Deep Tech Collaboration – The implementation stalled when significant issues arose in ingesting logs from Windows- and Linux-based systems into the new SIEM tool. Proactive involvement from the Englewood team provided access to the disparate systems, resulting in a substantial reduction in implementation time.


* Reducing Noise – Immediately after the go-live phase, a considerable amount of noise was generated as data began to flow into the system. Minimizing this noise required extensive collaborative efforts to identify false positives and exceptions within the new system.


Enabling a True AI/ML Driven SIEM


Seceon aiSIEM™, an AI-driven SIEM platform, promised robust threat detection, automated incident response and real-time security analytics. After successful proof-of-concept demonstrations, Englewood Health (EHMC) decided to deploy Seceon aiSIEM™, bolstering its security measures and enabling proactive threat management.


Seceon aiSIEM™ differentiated itself from legacy and other modern SIEM solutions with:


* Automated Threat Containment and Remediation: Seamlessly integrated with IT infrastructure for swift action.


* Comprehensive IT Infrastructure Visibility: Offering insights into inventory, applications, users, and their interactions.


* Continuous Real-Time Compliance: Ensuring ongoing adherence to standards.


* MITRE ATT&CK Framework-Based TTP Insights: Identifying suspicious processes and behaviors.


* True SaaS Model: Delivered with the NIST-defined characteristics of a cloud service.


* Multi-Tier & Multi-Tenancy Support: Ideal for Managed Service Providers.


* Scalability and Ease of Management: Designed for effortless expansion and administration.


The key highlights of the new solution include:


* Rapid Threat Identification: The implementation of Seceon aiSIEM™'s platform allowed for the swift identification of hygiene issues and existing attacks across diverse data sources, including endpoints, email servers, IoT devices, and cloud workloads.


* Auto-Remediation and Early Alerts: The platform was configured for auto-remediation on critical attack vectors, ensuring rapid responses to threats. Early warning alerts were thoughtfully configured, enhancing EHMC's proactive approach to potential data breach prevention.


* MITRE Framework Grounding: The implementation was firmly grounded in the MITRE framework, adhering to industry best practices. This approach streamlined rule addition, enabling EHMC to stay agile in the face of evolving threats.


* Context-Driven Security Rules: Extensive collaboration led to the creation of context-relevant rules and policies. Understanding the context behind security alerts allowed the SIEM platform to differentiate normal behaviors from suspicious activities, reducing false positives.


* SOAR-Driven Automation: Embracing Security Orchestration Automation and Response (SOAR), the teams streamlined incident response through predefined workflows, integrations, and countermeasures. This empowered EHMC to create playbooks for automated alert responses, reducing incident response times and offering flexibility in remediation actions.
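The three highlights above (ATT&CK tagging on every alert, context rules that suppress known-good activity, and playbooks keyed to severity) fit together in one pipeline. The following is an added illustration written for this article, not Seceon aiSIEM code and not Englewood Health's rule set: the log lines, the two PowerShell rules, the brute-force threshold, the suppression entry for the backup service account and the playbook names are all constructed and assumed for the example.

```python
# Added example: ATT&CK-tagged rules, context suppressions, playbook dispatch.
# Not vendor code; every rule, threshold, host, user and log line is constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Constructed events in a simplified syslog-like shape:
#   <ISO timestamp> key=value key='value with spaces' ...
SAMPLE_LOGS = [
    "2024-04-01T02:13:05Z host=ws-012 user=jdoe event=process cmd='powershell.exe -nop -w hidden -enc SQBFAFgA'",
    "2024-04-01T02:14:11Z host=ws-012 user=jdoe event=logon_fail src=10.0.5.44",
    "2024-04-01T02:14:13Z host=ws-012 user=jdoe event=logon_fail src=10.0.5.44",
    "2024-04-01T02:14:15Z host=ws-012 user=jdoe event=logon_fail src=10.0.5.44",
    "2024-04-01T02:14:17Z host=ws-012 user=jdoe event=logon_fail src=10.0.5.44",
    "2024-04-01T02:14:19Z host=ws-012 user=jdoe event=logon_fail src=10.0.5.44",
    "2024-04-01T02:20:00Z host=srv-backup user=svc_backup event=process cmd='powershell.exe -File C:\\jobs\\nightly.ps1'",
    "2024-04-01T09:00:00Z host=ws-031 user=asmith event=process cmd='notepad.exe'",
    "2024-04-01T09:05:00Z host=ws-031 user=asmith event=logon_fail src=10.0.7.9",
]

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, val in KV_RE.findall(rest):
        ev[key] = val.strip("'")
    return ev


@dataclass
class Alert:
    rule: str
    technique: str            # ATT&CK technique ID carried on every alert for triage
    severity: str
    host: str
    user: str
    ts: datetime
    evidence: str
    actions: tuple = ()
    suppressed_by: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    severity: str
    match: Callable[[dict], bool]


def _cmd(ev: dict) -> str:
    return ev.get("cmd", "").lower()


def is_encoded_powershell(ev: dict) -> bool:
    # -e / -ec / -enc / -encodedcommand are the accepted spellings of the flag
    return (ev.get("event") == "process" and "powershell" in _cmd(ev)
            and re.search(r"\s-e(c|nc|ncodedcommand)?\b", _cmd(ev)) is not None)


def is_plain_powershell(ev: dict) -> bool:
    return ev.get("event") == "process" and "powershell" in _cmd(ev) and not is_encoded_powershell(ev)


RULES = [
    Rule("Encoded PowerShell command", "T1059.001", "high", is_encoded_powershell),
    Rule("PowerShell execution", "T1059.001", "medium", is_plain_powershell),
]


@dataclass(frozen=True)
class Suppression:
    """Context rule: a known-good pattern that should be recorded but never paged."""
    rule: str
    host: str
    user: str
    evidence_contains: str
    reason: str

    def applies(self, a: Alert) -> bool:
        return (a.rule == self.rule and a.host == self.host and a.user == self.user
                and self.evidence_contains in a.evidence)


# Assumed exception: the backup service account runs this script every night.
SUPPRESSIONS = [Suppression("PowerShell execution", "srv-backup", "svc_backup",
                            "nightly.ps1", "approved nightly backup job")]

# Assumed playbook names; a real SOAR maps these to EDR and ticketing integrations.
PLAYBOOKS = {"high": ("isolate_host", "open_ticket", "page_oncall"), "medium": ("open_ticket",)}


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """T1110: at least `threshold` logon failures from one source to one host inside `window`."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon_fail":
            fails[(ev["host"], ev["src"])].append(ev)
    alerts = []
    for (host, src), evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                alerts.append(Alert("Logon brute force", "T1110", "high", host, evs[i]["user"],
                                    evs[i]["ts"], f"{threshold}+ failures from {src}"))
                break  # one alert per (host, src) pair keeps the queue readable
    return alerts


def run(lines):
    """Parse, match rules, attach ATT&CK IDs, apply suppressions, then assign playbooks."""
    events = [parse_line(line) for line in lines]
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                alerts.append(Alert(rule.name, rule.technique, rule.severity,
                                    ev["host"], ev["user"], ev["ts"], ev.get("cmd", "")))
    alerts.extend(brute_force_alerts(events))
    for a in alerts:
        hit = next((s for s in SUPPRESSIONS if s.applies(a)), None)
        if hit:
            a.suppressed_by = hit.reason   # kept for audit, but no playbook fires
        else:
            a.actions = PLAYBOOKS.get(a.severity, ())
    return alerts


def actionable(alerts):
    return [a for a in alerts if a.suppressed_by is None]


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        state = f"suppressed ({a.suppressed_by})" if a.suppressed_by else ", ".join(a.actions)
        print(f"{a.ts:%H:%M:%S} {a.technique:<9} {a.severity:<6} {a.host:<11} {a.rule}: {state}")
```

Run against the constructed sample, the encoded PowerShell on ws-012 and the five rapid logon failures against it both reach the high-severity playbook, while the nightly backup script on srv-backup is matched by the rule but held back by the suppression entry rather than discarded, so the exception stays auditable. The suppression is deliberately narrow (rule, host, account and script name must all match); a broad "ignore PowerShell on servers" exception would have hidden the first alert too.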


Key Outcome Highlights:


* Since the implementation of Seceon aiSIEM™ at EHMC by GS Lab | GAVS, the tool has analyzed over 1.16 billion events, flagging 80 million threat indicators.


* The seamless integration of the MITRE framework with every alert triggered by the solution empowers the SOC team to swiftly identify and address MITRE attack techniques. This integration streamlines alert triage, ensuring that critical threats are prioritized and mitigated promptly.


* By implementing Seceon aiSIEM™'s advanced "Behavior Analytics," EHMC gained precise insights into user and host-level anomalous behavior. This capability enables SOC associates to discern genuine threats from false positives effectively, ensuring that resources are focused on critical security issues.


* Seceon aiSIEM™'s Security Orchestration Automation and Response (SOAR) capabilities provided EHMC with the ability to craft playbooks for automating alert responses. This automation significantly reduced response times, enabling rapid and efficient incident resolution.
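The "Behavior Analytics" outcome above is about what is unusual for a given user or host rather than what matches a signature. The following added example, written for this article and not taken from Seceon aiSIEM or from EHMC's deployment, shows the simplest form of that idea: a per-account baseline of hosts and hours of activity, and a rarity score for each new logon against that baseline. The baseline, the accounts, the hostnames and the scoring weights are all constructed and assumed.

```python
# Added example: per-user behaviour baseline and rarity scoring for logons.
# Not vendor code; baseline, accounts, hosts and weights are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


def make_baseline():
    """Constructed four-week history (March 2024): jdoe logs on during office hours
    on one workstation; svc_backup runs every night at 02:00 on the backup server."""
    rows = []
    for day in range(1, 29):
        for hour in (8, 9, 13, 17):
            rows.append(("jdoe", "ws-012", datetime(2024, 3, day, hour)))
        rows.append(("svc_backup", "srv-backup", datetime(2024, 3, day, 2)))
    return rows


@dataclass
class Profile:
    hosts: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    total: int = 0


def build_profiles(rows):
    """One Profile per account; unknown accounts later get an empty Profile."""
    profiles = defaultdict(Profile)
    for user, host, ts in rows:
        p = profiles[user]
        p.hosts[host] += 1
        p.hours[ts.hour] += 1
        p.total += 1
    return profiles


RARE = 0.05  # below this share of the account's own history a host or hour is "rare"


def score(profile: Profile, host: str, ts: datetime):
    """Rarity score for one logon against the account's history (0 = routine)."""
    if profile.total == 0:
        return 5, ["no baseline for this account"]
    reasons, s = [], 0
    host_share = profile.hosts[host] / profile.total
    hour_share = profile.hours[ts.hour] / profile.total
    if host_share == 0:
        s += 3
        reasons.append(f"first logon to {host}")
    elif host_share < RARE:
        s += 1
        reasons.append(f"rare host {host}")
    if hour_share == 0:
        s += 2
        reasons.append(f"never active at {ts.hour:02d}:00")
    elif hour_share < RARE:
        s += 1
        reasons.append(f"rarely active at {ts.hour:02d}:00")
    return s, reasons


@dataclass
class Finding:
    user: str
    host: str
    ts: datetime
    score: int
    reasons: list
    anomalous: bool


def evaluate(profiles, events, threshold=4):
    return [Finding(u, h, ts, *score(profiles[u], h, ts), False)
            if False else Finding(u, h, ts, *score(profiles[u], h, ts), score(profiles[u], h, ts)[0] >= threshold)
            for u, h, ts in events]


# Constructed new-day events to score against the baseline.
NEW_EVENTS = [
    ("jdoe", "ws-012", datetime(2024, 4, 1, 9, 15)),          # routine
    ("jdoe", "srv-fileshare", datetime(2024, 4, 1, 2, 40)),   # new host, off-hours
    ("svc_backup", "srv-backup", datetime(2024, 4, 1, 2, 10)),  # 02:00 is normal here
    ("tmp_admin", "ws-050", datetime(2024, 4, 1, 3, 0)),      # never seen before
]

if __name__ == "__main__":
    for f in evaluate(build_profiles(make_baseline()), NEW_EVENTS):
        flag = "ANOMALY" if f.anomalous else "ok"
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<11} {f.host:<14} score={f.score} {flag} {'; '.join(f.reasons)}")
```

The point the page makes about precision shows up in the third and fourth events: a 02:10 logon is routine for svc_backup and scores zero, while the same hour on a never-used server is anomalous for jdoe. A static "no logons after midnight" rule would have flagged the backup account every night and hidden the interesting one in that noise. A production model would add more features (source address, session volume, peer-group comparison) and decay old history, but the baseline-and-rarity structure is the same.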


Key Learning


A phased approach to SIEM implementation is a prudent strategy for healthcare organizations when migrating the monitoring of systems that handle sensitive information. It entails a systematic and gradual transition, beginning with critical devices and progressively expanding to encompass additional components of the ecosystem. The rationale is to keep the migration smooth and controlled while building a comprehensive understanding of how the monitoring tool integrates and functions within the healthcare environment.


The key benefits of adopting a phased approach are as follows:


* Risk Mitigation: By starting with critical devices, healthcare organizations minimize the risks associated with the migration and focus first on safeguarding the most vital parts of their operations.


* Requirement Assessment: As the migration progresses, the organization can continually assess its evolving requirements. This ongoing evaluation ensures that the monitoring tool aligns with the organization's changing needs and objectives.


* Operational Clarity: A phased approach provides the opportunity to gain clear insights into how the monitoring tool operates within the healthcare environment. This operational clarity is crucial for fine-tuning the system, optimizing performance, and enhancing overall security.


* Resource Allocation: Gradual migration allows for efficient allocation of resources. Healthcare organizations can allocate resources judiciously based on the specific needs of each phase, optimizing budget utilization.


* Adaptation and Learning: The phased approach facilitates a learning curve for staff. As the monitoring tool is implemented in stages, teams can adapt to its functionalities progressively, reducing the potential for disruptions and ensuring a smoother transition.


In summary, a phased approach to implementation in healthcare not only minimizes risks but also provides the flexibility to adapt to changing requirements, gain operational clarity, optimize resource allocation, and facilitate a more seamless learning and adaptation process for the organization.


Learnings to be adopted by the Industry


Industry players in the healthcare sector can draw several valuable lessons from the successful implementation of a true AI-driven SIEM (Security Information and Event Management) system at Englewood Health (EHMC). These learnings can guide other healthcare organizations in addressing their cybersecurity challenges effectively and preparing for the healthcare of tomorrow.


* Tailored Healthcare SIEM Blueprint: One of the most crucial takeaways from this endeavour is the importance of tailoring SIEM solutions to the unique needs of the healthcare industry. EHMC's collaboration with GS Lab | GAVS has provided a clear blueprint for healthcare organizations to follow when implementing SIEM solutions. Recognizing that healthcare deals with highly sensitive patient data, a blueprint that prioritizes security, compliance, and precision in threat detection is essential.


* Collaborative Cross-Functional Approach: Collaboration is key in addressing complex cybersecurity challenges. Industry players should emphasize seamless cross-functional collaboration involving IT, networking, and security experts. Bringing together diverse skill sets and perspectives can lead to more comprehensive and effective solutions.


* Phased Implementation Strategy: Adopting a phased approach to SIEM implementation is prudent for healthcare organizations. This approach minimizes risks, allows for ongoing requirement assessment, provides operational clarity, optimizes resource allocation, and facilitates a smoother learning curve for staff.


* AI and ML Integration: Embracing AI and ML technologies in SIEM solutions is critical. These technologies enable real-time threat detection, automated incident response, and the ability to differentiate normal behaviors from suspicious activities, reducing false positives and enhancing security.
