
Page 1: From Firewalls to AI: How to Stop Insider Threats

Session #29, February 20th 2017

Laura Morgan, System Director Internal Audit & Corporate Compliance, Edward-Elmhurst Health, IL

Amit Kulkarni, CEO Cognetyx Inc.

Page 2: Speaker Introduction

Laura Morgan, CPA, CHC and HCISPP

System Director Internal Audit & Compliance

Edward-Elmhurst Health, IL

Page 3: Conflict of Interest

Laura Morgan, CPA, CHC and HCISPP

Has no real or apparent conflicts of interest to report.

Page 4: Speaker Introduction

Amit Kulkarni, M.S., MBA

CEO, Cognetyx Inc.

Page 5: Conflict of Interest

Amit Kulkarni, M.S., MBA

Ownership Interest: Cognetyx Founder & CEO

Page 6: Agenda

• Scope of healthcare data breach problem

• Problem with Systems and their User IDs

• Security Basics – Auditing Access

• Hacker/Malicious user behavior

• New technologies & methods – User Access Behavior

• Machine Learning (ML) & Artificial Intelligence (AI) basics

• ML-based approach – New level of detection

• Takeaways

Page 7: Learning Objectives

• Identify to attendees the true scope of the problem of insider threats, which is often overlooked as most current systems deal with outside threats from hackers or malware.

• Evaluate how to identify the most common types of insider threats, including misuse of legitimate credentials and detection of stolen credentials used to access systems.

• Describe recent technological advancements in AI and ML to help identify and stop malicious users by constantly monitoring normal use by authorized users, and detecting abnormal use when legitimate credentials are used to access the system.

Page 8: “We cannot solve our problems with the same thinking we used when we created them”

Picture: http://cecimath.wikidot.com/albert-einstein

Page 9: Can You Identify The Data Breach / Privacy Violation Threat(s)?

[Figure: 24 numbered pictures, each labelled Insider (11), Vendor (3) or Hacker (10)]

They are ALL THREATS!

Page 10: An Introduction to Benefits Realized for the Value of Health IT

Ponemon Institute 2015 Cost of Data Breach Study (n=350)

• 1/3 of all Americans’ health records compromised in 2015

• Electronic Secure Data: increases need for newer techniques to mitigate data theft; decreases time needed to comply with HIPAA

• Savings: increases savings by avoiding penalties, lawsuits

Page 11: Big Problem – Face Facts

Today, Healthcare Data Breaches & Privacy Violations Are At “Crisis” Levels

Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016

• May have already passed a tipping point in USA for healthcare

• 89% of health organizations breached; 61% of vendors/supply chain breached

• Rate of ePHI data breaches & privacy violations out of control & accelerating

Page 12: Big Problem – Face Facts

Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016

                              US Healthcare Org.   Business Associates
1 Breach Last 2 Years                89%                  61%
5 Breaches Last 2 Years              45%                  28%
Don’t Know If Breached ??           100%                 100%

Page 13: Big Problem – Face Facts

Ponemon Institute Sixth Annual Patient Privacy & Data Security Report 2016

Average of 226 days to discover breach + 69 days to stop the breach

[Chart: Days For Discovery + Days To Stop]

Page 14: Everything is networked

Page 15: The Basics – The OSI Layers

Page 16: The Basics – Security Controls

Source: Spring 2013 SANS Poster

• Inventory Control

• Secure Network Engineering

• Secure Configuration – Servers

• Vulnerability Management

• Malware Defense

• Application Security

• Wireless Control

• User Data Encryption

• Secure Configuration – Perimeter

• Control of Admin Privileges

• Boundary Defense

• Access Monitoring & Audit

• Data Loss Prevention

• Incident Response

• Penetration Testing

• Identity Management

Page 17: Value of User IDs

Ponemon Institute 2015 Cost of Data Breach Study (n=350)

Page 18: Value of Standardizing User IDs

• Categories of users across the system. Makes it easier to do analytics on data.

• Differentiate privileged users from regular – functionality & access

• Helps analyze how users are using credentials for non-business activities

• Helps track malware & ransomware across your network & your partner organizations’ networks

Page 19: Covert Channels

• Clever social engineering

• Phishing emails

• Nearly undetectable

• Not all that uncommon

“They’ll never see me coming!”

Page 20: Connect The Dots

Data Breaches & Privacy Violations Are Committed By THREE Distinct Groups

• Criminal outside hackers – 45%

• Malicious insiders – 32%

• Rogue vendors/supply chain – 23%

Page 21: Connect The Dots

They All Use the Same Method to Gain Access to Data: LOGIN Credentials!!!

Sources may be different: phishing emails, malware/trojans, ransomware, web browser – stored passwords

Page 22: Data Security/Privacy Layers vs. Hackers; Insiders; Vendors

[Figure: layered defense diagram – Policies, Procedures, Awareness, Training; Perimeter/Network/Internet; Host/OS; App 1 and App 2; Data – with “Steal Credentials” drawn at every layer of both application stacks]

www.securehealing.com

Page 23: New DEFENSE Shield – Surveillance Of User Access Behavior

INTERCEPT

Generate Digital ‘Fingerprint’ Of Normal User Activity For EVERY User Login ID Interacting With Data

Mitigate Data Breaches & Privacy Violations

Page 24: Confluence of Two Technological Forces

• Machine Learning

• Cloud Computing

Page 25: User Behavior Access Profiling – Artificial Intelligence

• Medical Records (ePHI)

• Employee Records

• Patient Schedule Data

• Billing/Finance

• …OR ANY “Data”
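The fingerprint-and-compare idea on pages 23 and 25, worked through as an added example (this is not code from the talk or from Cognetyx): it builds a per-login-ID profile of normal ePHI access from a constructed access log and reports each day that departs from it, with a minimum-history rule and a sigma floor so that a thin or flat baseline does not generate false positives. The log tuple format, the user and unit names, and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not data from the talk: (login_id, "YYYY-MM-DD HH:MM", unit, patient_id)
BASELINE = [("nurse_a", f"2017-02-{d:02d} {h:02d}:00", "cardiology", f"P{d}{h}")
            for d in range(1, 11) for h in (8, 11, 14)]  # 10 days, 3 daytime lookups each

def build_fingerprints(events):
    """Per login ID: hours of day seen, units touched, distinct records per day (mean, std)."""
    per_user = defaultdict(lambda: {"hours": set(), "units": set(), "daily": defaultdict(set)})
    for user, ts, unit, pid in events:
        p = per_user[user]
        p["hours"].add(int(ts[11:13]))
        p["units"].add(unit)
        p["daily"][ts[:10]].add(pid)
    for p in per_user.values():  # summarise the per-day record counts into a volume profile
        counts = [len(s) for s in p["daily"].values()]
        p.update(days=len(counts), mean=mean(counts), std=pstdev(counts))
    return per_user

def score_day(fp, day_events):
    """Compare one day of a user's events with that user's fingerprint; return deviation reasons."""
    reasons = []
    off_hours = {int(ts[11:13]) for _, ts, _, _ in day_events} - fp["hours"]
    if off_hours:
        reasons.append(f"access at hours never seen in baseline: {sorted(off_hours)}")
    new_units = {unit for _, _, unit, _ in day_events} - fp["units"]
    if new_units:
        reasons.append(f"records from units outside baseline: {sorted(new_units)}")
    n = len({pid for _, _, _, pid in day_events})
    # 3-sigma volume check; flooring sigma at 1.0 keeps a perfectly flat baseline from flagging +1
    if n > fp["mean"] + 3 * max(fp["std"], 1.0):
        reasons.append(f"{n} distinct records in one day vs baseline mean {fp['mean']:.1f}")
    return reasons

def detect(baseline, new_events, min_days=5):
    """Alert per (login_id, day) whose activity deviates from a fingerprint with enough history."""
    fps = build_fingerprints(baseline)
    by_user_day = defaultdict(list)
    for ev in new_events:
        by_user_day[(ev[0], ev[1][:10])].append(ev)
    alerts = {}
    for (user, day), evs in by_user_day.items():
        fp = fps.get(user)
        if fp is None or fp["days"] < min_days:
            continue  # no usable baseline yet: route to onboarding review instead of alerting
        if reasons := score_day(fp, evs):
            alerts[(user, day)] = reasons
    return alerts
```

Feeding `detect` a day of twelve oncology lookups at 02:00 by `nurse_a` returns one alert with three reasons, while a single daytime cardiology lookup returns none.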

Page 26: A Learning Engine

Source: PatternEx

Page 27: A Learning Engine that “learns”

Source: PatternEx

Page 28: Goal: To Create a Virtual Defense Shield

[Figure: Data at the centre, surrounded by the three threat groups – Criminal Outside Hackers (45%), Malicious Insiders (32%), Rogue Vendors/Supply Chain (23%)]

Page 29: Review of Benefits Realized for the Value of Health IT

With newer generation of tools that use Machine Learning, you can…

• Savings: Save millions of $ by speeding investigations, limit financial and informational losses and related legal expenses

• Electronic Secure Data: Reduce the amount of time to detect a breach from 226 days to much less and hence limit the amount of data stolen

Page 30: Lessons Learned

It is essential to add a bit of a human touch in the incident lifecycle to develop a truly learning artificial intelligence system.

The variety and richness of data ingested is key in getting actionable insights; without it you will have to ask your analysts to investigate everything.

Page 31: Key Takeaways

• Assume you will be targeted/hacked by a rogue insider or malicious outsider

• Defenders need to look for indicators of compromise across many sources

• SIEM solutions centralize data, but often lack Machine Learning analytics

• Start small with basic methods, test, and move to more advanced techniques

• Goal is to detect compromise as early as possible with minimal false positives

Page 32: Open Source Machine Learning Technologies

1. Scikit-learn – Machine Learning in Python.

2. Apache Spark – MLlib.

3. WEKA – Data mining in Java.

4. TensorFlow – Google’s deep learning.

5. Microsoft – Azure ML Studio.

6. Amazon – AWS Machine Learning.

Page 33: Thank You

Laura Morgan

Amit Kulkarni