Layered security controls to quickly identify and shut down attacks
Improved MTTR with constant monitoring and better visibility
Faster and more complete issue identification
Executive Summary
MEDHOST
Healthcare is a prime target for bad actors. With ExtraHop Reveal(x), we have forensic knowledge at our fingertips that helps us stop attacks cold—before they can impact our systems or our customers' systems.
Todd Williams
Director of Information Security,
MEDHOST
The Beginning
Protecting the security of medical records and health data
MEDHOST manages its own security, but also hosts hospital systems in its cloud. While MEDHOST does not own its customers' networks and security controls, it can be impacted by customers' vulnerabilities. In early 2022, the threat landscape shifted for MEDHOST as Russian attacks on Ukraine put critical industries like healthcare in the crosshairs.
"We've been on high alert over the past few weeks," says Todd Williams, Director of Information Security at MEDHOST. "From the contractors we use to our offshore vendors to our supply chain—bad actors would love to get their hands on patient health information and healthcare source code."
Since the news broke, MEDHOST has been peeling back the covers to ensure effective execution of the fundamentals, for itself and its customers. From geographically distributed systems to connected medical devices, MEDHOST has worked tirelessly to eliminate vulnerabilities throughout its connected ecosystem.
MEDHOST's top security priorities are to prevent ransomware, data exfiltration and manipulation, and software supply chain attacks on its CI/CD development pipeline.
The Transformation
Better Visibility Creates Stronger Security for Sensitive Data
MEDHOST has used ExtraHop for several years, first to improve network and application performance, and more recently to provide real-time threat detection across its hybrid environment.
"Visibility used to be a real issue," says Williams. "ExtraHop really opened our eyes and allowed us to put our arms around all the data—especially with the addition of Reveal(x), which gives us behavior monitoring. It's always watching. Combined with our log aggregation, Reveal(x) gives us a complete picture of activity that's happening on the network." With Reveal(x), MEDHOST can see adversaries testing the fences to see where any weak points might be.
It's this deep visibility and awareness that helps MEDHOST stop lateral movement within its systems.
But it's not just the behavioral anomaly detection that sets Reveal(x) apart. For MEDHOST, which relies heavily on encryption to protect highly sensitive patient data for its customers, the ability to securely decrypt and inspect the traffic for indications of compromise has been game changing.
"ExtraHop can decrypt and inspect things like Active Directory and TLS 1.3 protocols in-line across my entire network, including east-west traffic. I don't have to go through 15 change management cycles and three months' worth of work with development teams and server teams just to go see our own traffic. It's game-changing."
ExtraHop is also key to more accurate asset management for MEDHOST. Previously, the security team could get conflicting inventories from different security tools. Now MEDHOST uses Reveal(x) as the integration point for those tools, so it can also act as a "traffic cop" that reconciles device discovery across them.
The Outcome
More Efficient Security and Network Coordination
Baked-in security
Reveal(x) helps MEDHOST create a substantially more secure product, which is critical when hosting hospital data. "During any incident response, our clients need to know that we've got it handled, and that their data is protected," says Williams. ExtraHop allows MEDHOST to build security frameworks and layered security controls down to the individual layers of the OSI model.
In one incident, Reveal(x) alerted MEDHOST to an attack through its on-prem Active Directory federated services. "It was password spraying and locking out users," says Williams. "With Reveal(x), we could look into the payload and see it was coming from North Korea before we shut it down."
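The incident above has the classic password-spray shape: one source tries a small number of passwords against many accounts, so each account sees only a few failures before lockouts start. The following is an added example, not ExtraHop or MEDHOST code and not a description of how Reveal(x) detects this; it runs a simple spray detector over a constructed authentication log whose format (timestamp, source IP, user, result) is assumed for illustration. The detector distinguishes a spray (many accounts, few attempts each) from a brute-force attack on a single account and from an ordinary user mistyping a password.

```python
"""Password-spray detection over constructed authentication events.

Added example, not code from ExtraHop or MEDHOST. The log format and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <user> <result>".
# 203.0.113.7 sprays seven accounts twice and trips three lockouts,
# 198.51.100.9 brute-forces one account, 10.0.0.5 is a user typo.
SAMPLE_LOG = """\
2022-03-01T02:00:01Z 203.0.113.7 alice FAILURE
2022-03-01T02:00:02Z 203.0.113.7 bob FAILURE
2022-03-01T02:00:03Z 203.0.113.7 carol FAILURE
2022-03-01T02:00:04Z 203.0.113.7 dave FAILURE
2022-03-01T02:00:05Z 203.0.113.7 erin FAILURE
2022-03-01T02:00:06Z 203.0.113.7 frank FAILURE
2022-03-01T02:00:07Z 203.0.113.7 grace FAILURE
2022-03-01T02:00:31Z 203.0.113.7 alice FAILURE
2022-03-01T02:00:32Z 203.0.113.7 bob FAILURE
2022-03-01T02:00:33Z 203.0.113.7 carol FAILURE
2022-03-01T02:00:34Z 203.0.113.7 dave FAILURE
2022-03-01T02:00:35Z 203.0.113.7 erin FAILURE
2022-03-01T02:00:36Z 203.0.113.7 frank FAILURE
2022-03-01T02:00:37Z 203.0.113.7 grace FAILURE
2022-03-01T02:01:01Z 203.0.113.7 alice LOCKOUT
2022-03-01T02:01:02Z 203.0.113.7 bob LOCKOUT
2022-03-01T02:01:03Z 203.0.113.7 carol LOCKOUT
2022-03-01T02:05:00Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:01Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:02Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:03Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:04Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:05Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:06Z 198.51.100.9 admin FAILURE
2022-03-01T02:05:07Z 198.51.100.9 admin FAILURE
2022-03-01T02:10:00Z 10.0.0.5 dave FAILURE
2022-03-01T02:10:09Z 10.0.0.5 dave SUCCESS
"""


def parse(log_text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "user": user,
            "result": result,
        })
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=3):
    """Return one finding per source that exhibits a spray pattern.

    Spray signature: within `window`, a single source fails (or triggers
    lockouts) against at least `min_accounts` distinct accounts, with no
    more than `max_per_account` attempts on any one of them. A brute-force
    run against one account fails the first test; a legitimate user's
    typo fails both.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] in ("FAILURE", "LOCKOUT"):
            by_src[e["src"]].append(e)

    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            # All failures from this source within `window` of `first`.
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["user"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings.append({
                    "src": src,
                    "accounts": sorted(per_account),
                    "failures": len(in_window),
                    "lockouts": sum(e["result"] == "LOCKOUT" for e in in_window),
                    "first_seen": first["ts"].isoformat(),
                    "last_seen": in_window[-1]["ts"].isoformat(),
                })
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse(SAMPLE_LOG)):
        print(f"spray from {f['src']}: {len(f['accounts'])} accounts, "
              f"{f['failures']} failures, {f['lockouts']} lockouts")
```

On the constructed log only 203.0.113.7 is reported: seven accounts, seventeen failed events, three lockouts. The brute-force source and the user typo are left alone because each touches a single account. In practice the source field would be the client IP recorded by the federation service, and the lockout count is the signal that turns a detection into an urgent one, since locked-out users are the visible symptom the help desk sees first.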
The fifth man
MEDHOST security currently consists of four engineers, and Williams describes Reveal(x) as "the 5th man." He compares it to a DVR, continuing to scan and record even when the security team isn't present. And when the team starts work the next morning, they know instantly where to look, confident they've got the full details.
Reveal(x) also helps the MEDHOST network and security teams work together better. Williams says Reveal(x) has helped the networking team to become more security aware. Through understanding how apps behave on the wire or recognizing what data resides behind a firewall, the network team has clearer insight into how their work directly affects security.
Detection of threats other tools miss
MEDHOST quickly discovered that Reveal(x) is a more powerful tool for network security than its closest competitors. In its initial penetration test, Reveal(x) returned alerts that other tools simply missed. "Right out of the box, we plugged Reveal(x) into the network and turned it on at 8:00, and it was scanning our network by 8:01," says Williams.
"As the day went on, we continued to get alerts—but none of our other security tools indicated that we had an issue. After a simulation of the domain takeover at 8:00 that night, we finally got an alert from another tool indicating that an incident had taken place—far too late to act on the information."
The team also quickly learned how to use Reveal(x) to get more information behind each alert. "Reveal(x) surfaces a tremendous amount of key information in the alerts—including data that lets us blunt attacks much more quickly," says Williams. That kind of information means the MEDHOST team can perform root cause investigations to identify activity that occurred during specific incidents.