Cyber Threat Intelligence (intel) is an important component of our security operations strategy. We believe it is critical to gather intel from multiple trusted sources and use it as a force multiplier. Our security operations team uses this data across multiple tools in our security portfolio. Enabling us to proactively identify and prevent cybersecurity incidents.
Industry Intel Feeds
While we have multiple Intel sources, one of our most valuable is the Health Information Sharing and Analysis Center (H-ISAC). H-ISAC is comprised of critical infrastructure operators and owners within the Health and Public Health sector, that share information in real time such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), best practices, recommendations, as well as mitigation strategies. In additional to intel feed access, our H-ISAC membership also provides resources such as white papers, information and awareness videos, sector relevant news, and more.
Automated Endpoint Defense
Utilizing the data from our intel feeds, we can leverage automation to proactively update our endpoint controls to block communication with potentially risky sites and prevent malicious downloads from even reaching the machine. We can update our firewalls with ever changing list of malicious and suspicious IP addresses. We are also able to leverage these feeds while triaging security events from the endpoint, to determine if a file, process, or action needs to be quarantined or blocked. This streamlined process not only cuts down response time, but also ensures timely remediation and a complete review of the detection.
Automated Log Detection
Log sources from endpoints, firewalls, and network access points are collected and stored for analyses. Log collection allows us to categorize log events into different severity levels. Rules are then set on these events to trigger a notification to the security operations team, and other alerting tools in order to perform a remediation. Because logs are fed into a single source, if one malicious event is detected, our security operations team is able to quickly determine the scope of the detection. The scope analysis can identify changes in permissions, leaked credentials, and other events that would be considered changes in normal behavior. If abnormal behavior is detected for a specific user, additional steps would trigger to reflect the increased risk.
Bringing It All Together
When multiple intel feeds are used, HealthEdge is able to validate intel and make informed decisions on how to keep our network safe. We don’t rely on a single source for intel, but rather take full advantage of reputable external resources and internal resources that provide us with a complete picture. Our goal is to bring all the information together to ensure our security strategy is comprehensive and robust.