Enabling state-of-the-art cybersecurity at a comprehensive cancer and research center

This world-class comprehensive medical center has grown into a leader for advancing cancer research and treatment protocols and is consistently ranked among the nation’s “Best Hospitals” in cancer care by U.S. News & World Report. It is designated a comprehensive cancer center by the National Cancer Institute and is a founding member of the National Comprehensive Cancer Network. Their work to combat cancer and diabetes there is life-changing.

Achieving the outcomes that they are known for requires not only expert staff and treatment modalities but also advanced cybersecurity to ensure all of their data, including PII (personally identifiable information), and communications are secure. In today’s complex and active threat landscape, a medical institution’s cybersecurity practices must be as innovative and transformative as the work they protect.

Their chief technology officer understands this critical need well, affirming, “If you look at innovation in healthcare, you’re hard-pressed to see something that’s not technology enabled,” so there were plenty of technology solutions that they were called on to deploy. To ensure success, their CTO looked to what they considered to be the pillars of successful tech deployment: “It’s cost effective, it meets business outcomes. It delivers a good user experience. And then we always end with, ‘Can we secure it?’ And we want to say that in every case,” they added.

On top of that, they specified the challenge of managing the veritable explosion of data taking place in healthcare—and the requirement to adhere to compliance and security mandates. As a result, their IT team has to think about protecting data in all of its forms, from clinical trials and the research their institution leads to the data within its core systems from ERP to financial accounting.

To advance their cybersecurity maturity to the next level and lay the groundwork for building a modern SOC, the first line item was updating or replacing their existing security orchestration capabilities. The security and infrastructure engineering director also sought to expand endpoint security beyond antivirus to a full-featured, next-gen EDR (endpoint detection and response). “To maximize our security and investment dollars, I knew we had to be strategic about how we were defining our design and looking at our existing infrastructure,” the director said.

Little did the director know at the time, but their group would soon also be responsible for scaling their security and response to protect a remote, home-based workforce due to COVID-19. Even with this added challenge, the center was able to successfully stand up their new Cyber Defense Operations Center (CDOC), their preferred name, over the more traditional SOC nomenclature. However, there were many decisions and needs to be addressed on the way to that significant milestone.

When embarking on his journey, the security and infrastructure engineering director already had three requirements:

The SOC must be based on next-gen SOAR (security orchestration, automation, and response).

It should be a cloud-based solution.

It should serve to upgrade their endpoint protection—integrating with their SOAR to automate many of the functions that SOC analysts in their industry and others often spend too much time on.

Specifically, they wanted SOAR and endpoint tools working together for full SOC capability. The SOAR they chose would need to orchestrate detection and response on the network and endpoints, with automated capabilities and playbooks that enable security staff to focus on higher-level security and risk management tasks.

Along with orchestration, the center needed full visibility into all endpoints and next-gen endpoint protections to supplement and orchestrate under their SOAR-based SOC. They also needed this level of integration to easily and quickly identify and classify all assets in the enterprise, manage their vulnerabilities, and automate responses. Most importantly, they needed it to detect unknown threats to ensure that no devices would infect the network.

While assessing and inventorying their existing security products, the security and infrastructure engineering director was determined to consolidate systems while also reducing costs and complexity. “We needed to understand what we knew, which meant getting an inventory, and then we needed to understand what we didn’t know and protect against it,” they explained. “I knew a SOAR was going to be the core of our SOC. So, the first thing I did was look into the endpoint and SOAR solutions we already had in-house.”

The center’s original orchestration and endpoint solutions came up for renewal during the planning process, and the orchestration system, in particular, had a hefty price tag for renewing. So, before moving ahead, the security and infrastructure engineering director and CTO asked for a new demo of their current product.

During that demo, the leaders noted that the main benefit of their current orchestration system was its ticketing system. However, it lacked the level of automation they really needed to support a next-gen SOC. This led them to request a live demo of Palo Alto Networks Cortex XSOAR. Seeing the tool in action made them confident they’d found the perfect solution.

“Palo Alto’s XSOAR was a SOAR on steroids. Once I found out what Palo Alto had and how it integrated into our stack, and because we were already working on vendor consolidation, Palo Alto became our primary vendor to support the four pillars of the SOC, which also meant we would utilize them for securing our endpoints,” the director added

Once installed, they then focused on the endpoints, installing XDR with XSOAR to identify their gaps and applications of value (such as its critical SAP servers), to learn behaviors, and to prioritize security updates.

In the midst of all of this transformation, COVID-19 protocols and new work-from-home mandates led them to move much of their workforce to home offices in March 2020. Fortunately, they were able to pivot easily by installing Palo Alto Networks GlobalProtect for firewall and VPN-layered access protections on the network, which integrated with their new Cortex XSOAR for SOC orchestration.

By upgrading to Cortex XSOAR orchestration and Cortex XDR for endpoint protections, the medical center’s security and infrastructure engineering director built the CDOC and accomplished the top three goals for the team: integrative orchestration and response; expanded visibility and automation; and vendor consolidation. Achieving these things has elevated their security posture and even shifted the focus of the team in positive ways.

When the CDOC went live in October, the team initially fielded 1,500 alerts and resolved all of them within a month by utilizing their playbooks. They could have pulled the trigger to automatically resolve all the alerts overnight, but they chose to slow down the process and use the alerts to learn and understand their new playbooks and capabilities. Now alerts are down to a manageable 40 per day, most of which are automatically resolved based on playbooks and automated analysis.

“For us to have been able to do that work,” stated their security and infrastructure engineering director, “I think about seven FTEs we would’ve needed … And so, from a resourcing perspective, I saved a lot of money to be able to manage this amount of work with the four analysts that I have in the SOC.”

XSOAR provides playbooks that, once set, automate many of the detection, investigation, and response actions—such as log analysis, device, access and application behavior analysis, and whois lookups—that analysts usually do manually. “What I really love are the playbooks that allow us to document our investigation and response processes and model our security practices. We worked with Palo Alto extensively to set policies for dozens of playbooks and sub-playbooks to automate responses,” added the director.

As an example, the playbook performs automated blocking of malicious IP addresses. Cortex XDR uses behavioral analytics to identify a malicious IP address and then processes it using the following steps:

1. IP Enrichment
   • Checks several threat intelligence sources.
   • Generates an automated scoring calculation.
   • Automatically determines if the IP address should be blocked based on threat analytics.
2. Queries Palo Alto Networks Panorama™ or firewall to determine if the IP address already exists as part of the Static Block Group.
3. Adds IP address to the Static Block Group.

Those playbooks force the exact same processes to occur under the playback scenarios for classified incidents and protected endpoints. That means that new staff members are easily trained, and the playbooks also remove a lot of the redundant work of trying to discern and identify real alerts from network noise.

“Because XSOAR automates our playbooks’ steps and processes, it frees up our analysts’ time, and it allows me to involve them in other facets of security that keep their interest. This frees up our team members to learn new things, which keeps them interested in sticking around,” the director notes. “We’re also focusing on red and blue teams (for security and vulnerability testing), holding brown-bag lunches, and hosting tabletop exercises.”

With the implementation of Cortex XDR on endpoints, the new CDOC has achieved near-full coverage, even with the added stress of securing remote teams during the pandemic. As a result of this coverage, visibility into endpoint states and threats has improved dramatically. They attribute this in part to the Cortex XDR-generated data lake, which pulls alerts, logs, and behavioral activity from their 14,000+ endpoints into a cloud-based data lake for analysis and correlation.

The director affirms, “We have 98, 97% coverage of XDR in our environment, which is really great because not only do we have XDR, but we have the [Cortex] Data Lake, which takes the alerts from all of those endpoints and puts them into that Data Lake cloud, which gives us more visibility ... I really liked the Palo Alto frameworks. The visibility is critical.”

When the world changed in March 2020 due to COVID-19, suddenly, nearly everyone needed to work from home. Organizations had to pivot quickly to figure out how to secure people working remotely and give them access to the appropriate resources. Fortunately, the center was in the midst of a proof of concept (PoC) for Palo Alto Networks GlobalProtect. When COVID-19 happened, they were able to jump in and leverage GlobalProtect to get nearly 3,000 staff working from home in a matter of weeks to securely connect to their network.

For the security and infrastructure engineering director, one of the best parts about deploying GlobalProtect was its single sign-on (SSO) ease of use. “If you sit there and you visualize you as that person at home working, you see how much better it is to be able to just open up your laptop, log in and work, as opposed to going through hoops.”

“XDR orchestrated through XSOAR uses threat intelligence, AI, and behavioral analysis to determine that if it walks like a duck and quacks like a duck, it’s a duck. In the same vein, if it takes actions like a threat, it’s a threat; the need for signatures is not necessary. It determines incidents by their actions and behaviors,” the director continues.

For example, in December 2020, Palo Alto Networks detected and remediated the trojanized backdoor malware, SolarStorm, part of the SolarWinds SUNBURST supply chain attack. This was before the SUNBURST attack had been made public. The trojan attempts were detected based solely on the behaviors of the malware trying to install itself, and response actions were executed through the playbooks.