This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Zero Trust Hospital Series: Understanding the Anatomy of a Breach with Tamer Baker

[00:00:00] (Intro) We get half a billion transactions a day, and out of that half a billion transactions every single day, we get half of a trillion, with a T, signals out of it, so we could see all the good, bad, and ugly that's happening across all of our customers globally.

Welcome to This Week Health. Today, we're continuing a six-part series on Zero Trust Hospital, the CXO vision. It's a new book by Zscaler. I have one of the authors here with me, Tamer Baker.

Hi, Tamer.

Hey, Drex. Thanks for having me again.

Tamer's a healthcare CTO for Zscaler. I'm Drex DeFord, president of Cyber at Risk at This Week Health and the 229 Project. Welcome to the show. We've got a lot of stuff to talk about. We've been through a couple of episodes already. A lot of great insights on what Zero Trust is, what it isn't, some of the challenges, some of the other stuff.

Today we're going to talk a little bit about the anatomy of a breach and the stuff that's happening in healthcare [00:01:00] and how Zero Trust can help make that better for healthcare organizations. Yes. How about if you walk me through the typical stages of a breach and how Zero Trust can help at each of those stages?

Again, I like to use analogies, and I think in the last episode we used the analogies of Netflix and DVD players, right? Yeah. Let's use an analogy of a bank robbery to start this. How does a bank robbery occur? We think about a bank robber first has to find a target. So I'm going to go target First National Bank. They find all the different branches of First National Bank and they look for the weakest link, right?

So they're going to go see every branch out there and see which one's the weakest link. Once they've targeted that branch, then they infiltrate. So they break in, they come in, stick them up, whatever it is that they're planning on doing for the robbery, and then they infiltrate the environment first and foremost.

After they've infiltrated and gotten in the bank, now they have to move laterally around through the bank and try and [00:02:00] find where the money is at. Yeah, I got the cash registers up front and the tellers and maybe there's people in the lobby. I'm going to take all their Rolex watches, whatever it may be.

And now I'm making my way to where the real money is, which is the safe. Once I've gotten to the safe, I crack open the safe, or you typically make the branch manager open the safe, and steal all the money out of it. So when we take that analogy of a bank robbery and apply it to our world in IT and cyber, it's very similar.

The bad actor first has to find your attack surface. They look for you. They find you all over the internet, right? So all those things that are internet exposed, they're gonna find you. Once they've targeted you, they can find all the different ways that you're available online through the internet. After that, they're going to infiltrate you.

So this is where they're going to do phishing. They're going to do malware installations, whatever it is that they're going to do to compromise you. So step two is to infiltrate, to get in and compromise you. What's step three? I've attacked some poor user's laptop that doesn't give me anything.

I need to move laterally throughout the [00:03:00] environment. So throughout your network environment that's super hyper-connected, I can quickly and easily find the high-value targets and escalate privileges and move laterally throughout once I've found those targets. The fourth step is stealing your data, not without encrypting it first.

So everything's double extortion nowadays. So that fourth piece is I'm going to take your data and I'm going to exfiltrate it out to somewhere in the internet so that I have access to it later. So that not only do you have to pay me to decrypt you, but you also have to pay me to make sure I don't release your data.

And then they show you proof of some of that data that's stolen. So that's like the four stages.

With those four stages in mind, Zero Trust, the architecture, helps at each one of those stages. So tell me about what's the Zero Trust fight that you have at each one of those stages.

When we think about stage one, which is how they find you, one of the very first things that you're going to do, and once you implement Zero Trust it's one of the fastest wins that you get, is you remove that attack surface. So they can't even find you. It's [00:04:00] an important and critical step because it minimizes so much risk to remove that externally IP-exposed surface area.

It comes to the point to where when they get to stage two, which is phishing, malware, all the other attacking of the users and endpoints, even if I have phished your credentials, Drex, if I can't even find a server to log into with those credentials, whether it's an application, security appliance, whatever it may be.

Those credentials have become useless to me, as a matter of fact, because your access for that particular credential is so limited, because the architecture has been designed. We talk about blast radius. That's what you're talking about when you talk about blast radius.

So blast radius goes into that as well as stage three of the attack.

But stage two is an important concept when you think about Zero Trust. 80 to 90 percent of all attacks, malware, is encrypted nowadays, and all that passes right through firewalls, right? So this is a big part of what Zero Trust helps you do. It decrypts all that traffic to ensure that anything that may contain malware is [00:05:00] found sufficiently.

Oftentimes, what we've seen in our environments, especially when we go into things like proofs of concept, proofs of value, is you don't turn any security things off when we're proving this out, and we still are blocking and tackling phishing attempts, meaning it has passed through all your other security means to try and block phishing.

That's part of that stage two, and all that gets removed. Stage three is the significant portion of where you remove the blast radius, because that's the preventing of lateral movement. That's that network segmentation, device segmentation, as well as user-to-app segmentation, where you make sure that even if somehow a bad actor gets through, they can't get anywhere.

They can't escalate privileges. They can't even see any of the other applications on your network; they can't even see anything to be able to try and target, to be able to try and move laterally, let alone trying to attack it. So that's the blast radius piece. And that stage four of the data exfiltration, a big component, making sure again, because we're decrypting [00:06:00] traffic, we can see where all the data is trying to move and what data is trying to move out.

And you can block and tackle no matter where the data lives, no matter where the data is moving, and no matter where that quote-unquote user is trying to move that data. All that gets seen and protected to make sure sensitive information doesn't get exfiltrated.

It almost sounds like magic. And as a result of all of this, you have a lot of insights into the bad guys and how they work and the ways that they attack and move. What are some of the most common attack vectors in healthcare, if you were just taking a step back and looking at that?

The beauty of our platform being, like I mentioned before, like a Netflix in the last episode, is that we get a ton of traffic. We get half a billion transactions a day, a billion with a B, and out of that half a billion transactions every single day, we get half of a trillion, with a T, signals out of it, so we could see all the good, bad, and ugly that's [00:07:00] happening across all of our customers globally.

That also gives you the cloud effect, so as soon as one bad thing happens anywhere, we're helping everybody. We're updating our security policies. Billion policies get added every single day, security policies, without you having to lift a finger. Number one, number two, attack vectors today: phishing, of course, is still a very popular attack vector, and they're getting much better with it because of the use of AI on the bad actor side. And number two, they're attacking security appliances directly. That has become one of the leading attack vectors.

And if you've read about all the attack vectors last year from all these things that have happened, too, big new splashes that have hit, they're coming straight onto those security appliances that are riddled with vulnerabilities constantly. We don't have to name names, but there are companies that have been acquired very recently and their security has been hard to keep up with. So when you think about Zero Trust and the number one and number two attack vectors in that picture, one is those appliances that are being attacked directly, and just take them [00:08:00] off the internet.

You can oftentimes replace VDI and the likes with Zero Trust, where you don't even need them online at all anymore, but in those instances where you may still need them online, just hide them so that they can't even be accessed from the internet, which helps with attack vector number two, which is phishing. Phishing is the second most popular. Actually, first and second, depending on which report you read, from which vendors put out another report on these vulnerabilities that have hit last year. When you think about that phishing piece I mentioned earlier: if I have your credentials, what good are they? I can't use them if I have no application to even see or find, no security appliance to log in with to gain access to your network. So

Yeah, so the other part that I want to dig in on a little bit, because I find it fascinating, is that we talk about information sharing and the things that we share with other health systems to help them be better prepared or not be attacked.

This, yeah, Zscaler ecosystem that you've created actually creates a situation where [00:09:00] there is a community protection that happens just because you're part of that ecosystem. As you see, across tons of customers all over the world, not just healthcare customers either, but other commercial customers, bad things start to happen.

You catch it and kill it. Zscaler customers get immunity from that, right? They get the updates and the information that kind of keeps them safe.

That's right. Yeah, one of the things that I always like, especially when we do a proof of value or proof of concept, is we turn on things in our security platform, the part of our platform where we detonate bad files, or detonate files to make sure there's no bad things in there.

And we show a report at the end of it and say, hey, out of the 300,000 files that came in during this short little POV, three dozen of them were malicious, and out of the three dozen of them, 30 of 'em were actually known already because of the cloud effect, which includes other companies like CrowdStrike and about two dozen other threat feeds.

It's not just our own [00:10:00] 500 trillion transactions. But then we show these six files were unique to you. Somebody specifically targeted your organization, crafted a very unique malware just for you, that we found and blocked. But now every other organization gets that same cloud effect protection in case they become the next target of that BlackCat or whomever it was that was targeting you.

I really appreciate you coming in explaining a lot of this stuff to us today. We're going to continue to do more episodes. If you're watching this one, you're behind. There are other episodes ahead of this one. And if you're watching this episode there's more to come. So I appreciate you being here, Tamer.

Yeah. Thanks Drex. I love being here with you. Appreciate you having me.

Thanks for tuning in to episode three of our Zero Trust series. You want to dive in deeper? You can pick up a signed copy of the book at either VIVE or HIMSS. Plus, you can get the other book in the series, The Architect's Approach.

That book is targeted really much more to your team. And if you can't wait, register now with the link that we'll provide in the video description. And you can [00:11:00] receive the ebook automatically in your inbox during VIVE. We have three more episodes coming up in this series. And don't miss the special webinar that we'll do with industry experts on March 27th.

You can register for that right now at ThisWeekHealth.com slash Zero Trust. Thanks for being with us.