Fortune 100 healthcare company Aetna has been on a journey to what they call Model Driven Security. In this webinar, Aetna’s CISO discusses how this approach combats real world security threats and serves as the foundation of their security program.
Kurt Lieber currently serves as the Chief Information Security Officer (CISO) at Aetna. He is responsible for overseeing the Fortune 100 healthcare company’s risk, identity and access management. Additionally, Lieber serves as the VP of the Program Management Security Office of Aetna’s global team. He has over 20 years of experience in information technology in a variety of industries including retail, healthcare and financial services.
Before we dive into Aetna’s journey, let’s go back to 2017, when the NotPetya malware spread from the update servers of a Ukrainian accounting-software firm to some of the largest businesses worldwide.
NotPetya was the most expensive cyber attack in world history, with damage estimated at $50 billion. Maersk, a shipping company, estimated its loss at $300 million. FedEx, another shipping company, reported a $400 million loss. Merck, a pharmaceuticals company, estimated a loss of just under $1 billion.
What the press rarely discusses about this attack is the speed at which it happened. Merck lost almost its entire Windows infrastructure when 15,000 servers were taken down in less than 90 seconds. That’s more than 166 servers per second – PER SECOND!
“I don’t care how good your incident response process is,” explains Lieber. “I don’t care how good your security operations center is. There is no SOC in the world that is good enough to respond to 15,000 servers in less than 90 seconds. You’d be lucky to learn that the event was even happening in less than 90 seconds.”
Organizations need to move at machine speed to protect against emerging threats. The historical static security controls they once relied on are no longer enough.
Model Driven Security is a real-time security control. Aetna collects every piece of enterprise telemetry that can be correlated back to a single user identity: proxy logs, entitlements, the actions taken using those entitlements, and anything else it can bring into a data warehouse. Aetna then runs behavioral models over these data sets to produce a risk score for each user in the company.
“Every single one of our users has a risk score,” Lieber explains.
Risk scores work like credit scores. Just as your credit score rises and falls with how much you owe and how reliably you pay your bills, a user’s risk score rises and falls with the actions they take using the access they have. The score is adjusted dynamically, as close to real time as the data allows, based on user behavior.
“That score is the foundation on which most of our new security controls are being developed.”
Using Risk Scores as a Dynamic Security Control
Aetna treats a user’s risk score as a dynamic security control. If the score is high, the organization might block the user; if it is medium, it may require the user to call the help desk for voice verification. This was historically impossible until risk could be scored dynamically. When a user’s risk score jumps sharply in a short time, or crosses a threshold, the organization can send an alert, lock an IP address, restrict all of the user’s traffic via DLP, open a security incident, and so on.
The user’s risk is weighed together with the risk of the asset being requested. Instead of a manual approval that could leave a request waiting up to five days for a manager to approve or deny it, model driven security makes the decision in real time. With dynamic provisioning, 75-85% of access requests fall into the medium-risk-or-below categories and can be granted automatically, leaving managers free to focus on the remaining 15-25%. This eliminates the wait in 75-85% of cases.
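To make the two mechanisms above concrete, here is an added, illustrative example of a per-user risk score that decays over time, a jump rule for sharp rises, and the tiered decisions (block, voice verify, allow; auto-provision versus manager review) keyed off that score. It is not Aetna’s model, code or data: the event weights, half-life, thresholds, asset sensitivity tiers and the scenario in demo() are all assumptions chosen for the illustration.

```python
"""Dynamic user risk score feeding tiered session and access-request decisions.
Added illustrative example; not Aetna's model. All weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed per-event weights: how much one observed behaviour raises a score.
# A production model would learn these from labelled history, not hard-code them.
EVENT_WEIGHTS = {
    "login_ok": 0.0,
    "login_fail": 2.0,
    "proxy_blocked_category": 3.0,
    "new_entitlement_used": 5.0,
    "off_hours_admin": 10.0,
    "bulk_download": 15.0,
}
HALF_LIFE_SECONDS = 7 * 24 * 3600  # score halves after a week of quiet behaviour (assumption)
JUMP_WINDOW_SECONDS = 3600          # the "short amount of time" for the jump rule (assumption)
JUMP_DELTA = 20.0                   # rise within the window that counts as a jump (assumption)
MEDIUM_THRESHOLD, HIGH_THRESHOLD = 15.0, 40.0  # tier boundaries (assumption)

# Assumed asset sensitivity on a 1..5 scale, used for the access-request decision.
ASSET_SENSITIVITY = {"public_wiki": 1, "claims_db": 3, "prod_domain_admin": 5}


@dataclass
class UserRisk:
    user: str
    score: float = 0.0
    last_update: Optional[float] = None
    history: List[Tuple[float, float]] = field(default_factory=list)  # (ts, score)

    def observe(self, ts: float, event: str) -> float:
        """Decay the existing score toward zero, then add the event's weight."""
        if self.last_update is not None:
            self.score *= 0.5 ** ((ts - self.last_update) / HALF_LIFE_SECONDS)
        self.score += EVENT_WEIGHTS[event]
        self.last_update = ts
        self.history.append((ts, self.score))
        return self.score

    def jumped(self, ts: float) -> bool:
        """True if the score rose by JUMP_DELTA or more inside the jump window.
        Baseline is the score at the last update older than the window (0 if none)."""
        baseline = 0.0
        for t, s in self.history:          # history is appended in time order
            if ts - t >= JUMP_WINDOW_SECONDS:
                baseline = s
            else:
                break
        return self.score - baseline >= JUMP_DELTA


def tier(score: float) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def session_action(risk: UserRisk, now: float) -> str:
    """Most severe applicable response for an active session."""
    t = tier(risk.score)
    if t == "high":
        return "block"
    if risk.jumped(now):
        return "open_incident"   # sharp rise: alert, isolate, open a ticket
    if t == "medium":
        return "voice_verify"    # ask the user to call the help desk
    return "allow"


def access_decision(risk: UserRisk, asset: str) -> str:
    """Combine user risk tier with asset sensitivity; auto-provision the low-risk bulk."""
    t = tier(risk.score)
    sensitivity = ASSET_SENSITIVITY[asset]
    if t == "high" or sensitivity >= 5 or (t == "medium" and sensitivity >= 3):
        return "manager_review"
    return "auto_provision"


def demo() -> dict:
    """Constructed scenario (not real data); returns the decisions for inspection."""
    alice = UserRisk("alice")
    alice.observe(0, "login_ok")
    alice.observe(100, "proxy_blocked_category")   # one blocked site: still low risk
    bob = UserRisk("bob")
    bob.observe(0, "bulk_download")
    bob.observe(60, "off_hours_admin")             # two bad signals a minute apart
    out = {
        "alice_tier": tier(alice.score),
        "alice_action": session_action(alice, 100),
        "alice_claims_db": access_decision(alice, "claims_db"),
        "bob_tier": tier(bob.score),
        "bob_action": session_action(bob, 60),
        "bob_claims_db": access_decision(bob, "claims_db"),
    }
    later = 60 + 30 * 86400                        # a month of quiet behaviour
    bob.observe(later, "login_ok")
    out["bob_tier_after_quiet"] = tier(bob.score)
    out["bob_action_after_quiet"] = session_action(bob, later)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario, alice stays low risk and her request for the mid-sensitivity asset is auto-provisioned, while bob’s two signals within a minute trip the jump rule (an incident is opened even though his absolute score is only medium) and push his request to manager review; after a month without further signals his decayed score drops back to low and his session is simply allowed.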
“This has a massive soft cost savings for any organization of any size,” says Lieber.
Authentication Cut Off
You should know the list of identities that are expected to log into 50 servers in a short amount of time; it should be a very small number. Any other identity logging into 50 servers is strong evidence that something is wrong. You should accept the risk of business impact and shut those servers off.
Given the example of Merck, which lost 15,000 servers in 90 seconds, is it worth the business impact of shutting down 150 servers to avoid the “Black Swan” event where you lose your entire network? Of course, but it will cause business impact, so the key is being able to show the success of the models.
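The authentication cut-off described above is a fan-out rule: count the distinct servers each identity has successfully authenticated to inside a sliding window, ignore the small allowlist of identities expected to do that (patching, backup), and raise a cut-off decision for anyone else who crosses the threshold. The following is an added example of that logic run over constructed log lines; it is not Aetna’s model or code. The log format, the allowlist, the five-minute window and the sample identities are assumptions, and the 50-server threshold is the one quoted in the text.

```python
"""Authentication fan-out detector: flag an identity that logs into too many distinct
servers within a short window unless it is a known high-fan-out identity.
Added illustrative example, not Aetna's model; log format and allowlist are assumptions.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Hypothetical log format: "<epoch> <identity> <server> <ok|fail>"
LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (ok|fail)$")

HIGH_FANOUT_ALLOWLIST = {"svc_patching", "svc_backup"}  # assumed: expected to touch many hosts
WINDOW_SECONDS = 300                                    # assumed "short amount of time"
MAX_DISTINCT_SERVERS = 50                               # threshold from the text

Alert = Tuple[str, str, List[str]]   # ("cut_off", identity, servers touched in window)


class FanoutDetector:
    def __init__(self, window: int = WINDOW_SECONDS, threshold: int = MAX_DISTINCT_SERVERS,
                 allowlist=HIGH_FANOUT_ALLOWLIST):
        self.window, self.threshold, self.allowlist = window, threshold, set(allowlist)
        self._events: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self._counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self._flagged: set = set()   # alert once per identity

    def _expire(self, identity: str, now: int) -> None:
        """Drop logons older than the window and keep the distinct-server counts in sync."""
        q, counts = self._events[identity], self._counts[identity]
        while q and now - q[0][0] > self.window:
            _, server = q.popleft()
            counts[server] -= 1
            if counts[server] == 0:
                del counts[server]

    def observe(self, line: str) -> Optional[Alert]:
        """Feed one log line; return a cut-off decision the moment the threshold is crossed."""
        m = LOG_LINE.match(line)
        if not m or m[4] != "ok":        # unparseable or failed logons do not count as spread
            return None
        ts, identity, server = int(m[1]), m[2], m[3]
        self._expire(identity, ts)
        self._events[identity].append((ts, server))
        self._counts[identity][server] += 1
        distinct = len(self._counts[identity])
        if (distinct >= self.threshold and identity not in self.allowlist
                and identity not in self._flagged):
            self._flagged.add(identity)
            return ("cut_off", identity, sorted(self._counts[identity]))
        return None


def run(lines: List[str]) -> List[Alert]:
    det = FanoutDetector()
    return [a for a in (det.observe(line) for line in lines) if a]


def build_sample_log() -> List[str]:
    """Constructed sample log (not real data), returned in timestamp order."""
    lines = []
    for i in range(60):                                   # patching account: allowlisted
        lines.append(f"{1000 + i} svc_patching app{i:03d} ok")
    for i, host in enumerate(["jump01", "db01", "db02"]):  # a human admin, few hosts
        lines.append(f"{1100 + i} jdoe {host} ok")
    lines.append("1104 jdoe db03 fail")
    for i in range(30):                                   # two bursts wider apart than the window
        lines.append(f"{1200 + i} ops_ann web{i:03d} ok")
        lines.append(f"{1200 + WINDOW_SECONDS + 60 + i} ops_ann web{30 + i:03d} ok")
    for i in range(55):                                   # ordinary account fanning out: worm-like
        lines.append(f"{1300 + i} bsmith srv{i:03d} ok")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for kind, who, servers in run(build_sample_log()):
        print(f"{kind}: {who} reached {len(servers)} servers, e.g. {servers[:3]} ...")
```

Only bsmith trips the rule: svc_patching touches 60 hosts but is allowlisted, jdoe never approaches the threshold, and ops_ann’s two 30-host bursts are separated by more than the window, so the first burst has expired before the second is counted. The returned server list is what an automated response would hand to the isolation step.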
Aetna started with a single model around privileged users to detect anomalous activity. Four years later, Aetna has over 300 models to predict, detect and prevent attacks. Aetna’s model inventory management uses KPIs to measure each model’s success. Lieber notes that it is important to keep a catalogue of every model: what it does and how many times it has triggered an alert.
Did Not Happen Overnight
Aetna’s security orchestration program is four and a half years in the making. To get on Aetna’s level, there are three important details to remember:
- The system is only as good as your log data
- You must be able to correlate back to a single user ID
- Start small and build on your successes