How to Accurately Detect Suspicious Traffic & Prevent Attacks

Stephan Goldberg

VP of Systems Engineering

16 Sep, 2020 • 4 minutes read

Assume you have discovered and identified every connected device in your clinical network, along with its manufacturer, proprietary protocols and operational parameters. What comes next?

Next is understanding what those devices are doing AND whether or not they should be doing it. That is where detecting attacks and unauthorized use begins, so you can take precise action to mitigate any potential impact. But separating normal from abnormal is no simple task: it takes deep medical-device expertise combined with cybersecurity intelligence to tell the innocuous from the potentially malicious.

At Medigate we have brought these two disciplines together to identify suspicious traffic accurately. We start by building a ‘baseline’ from a device’s intended usage and clinical workflows. The baseline gives your security team an initial set of approved protocols, ports and destinations that the device should be allowed to communicate with. In other words, your team knows what a device SHOULD be doing, which makes it much easier to spot activity that SHOULDN’T be there.

We built these baselines by observing the communication streams of each device type and model across a variety of clinical network settings. By comparing device behavior across sites and health systems, we filtered out differences that are normal (e.g. site-specific port configurations and implementation details) and focused on the variations that could matter. Medigate Labs also rigorously verifies these baselines, checking them against manufacturer documentation where available, to ensure their validity.

We use these baselines to provide out-of-the-box policy recommendations for device types and groups of devices. Today we offer baseline policies for more than 75% of our device library. This saves your security team a great deal of time and effort: they customize communication policies instead of having to establish them from scratch.

The Power of Profiling

Creating an individual policy for every device is impractical for most healthcare delivery organizations (HDOs). Instead, we group devices with similar classifications to reduce the number of policies that need to be defined. Based on your environment, we look for the most efficient grouping strategy, considering meaningful commonalities between devices such as:

  • Manufacturer, make and model – making it easy to identify the same device throughout your environment, e.g. 100 Siemens CT scanners, 5 Siemens MRI machines
  • Specific functionality – making it easy to identify all the devices that serve the same purpose in your network, e.g. all the CT scanners from Siemens, Philips, GE, etc.
  • Similar characteristics – making it easy to identify all the devices that use the same protocols, behave the same way, or communicate with the same peers, e.g. all lab devices using the LIS2-A2 protocol

These insights inform policy development so you can establish an optimal security posture and prioritize risk reduction. With these profiles, Medigate creates policies tailored to groups of devices, based on type, functionality and risk level, that effectively protect your network.

Detecting & Preventing Anomalous Activity

Medigate’s abstract baseline policies can be used to generate environment-specific network security policies for your infrastructure (e.g. ACLs, firewall rules, NAC policies). These streamline the detection of suspicious communications and the prevention of unauthorized ones, including containing an attacker’s lateral movement through the network. The policies classify traffic as essential (e.g. dedicated medical protocols, manufacturer communications, or critical network services), complementary (e.g. monitoring or scanning traffic), or prohibited (all other communications). The Medigate Platform can then flag any communication that falls outside the approved patterns and automate the appropriate action via a firewall or NAC to contain (quarantine) the device or block the traffic altogether.
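The baseline, device grouping and essential/complementary/prohibited classification described above, as an added Python example (this is not Medigate’s code and not the platform’s output). The device inventory, destination roles, group baselines and flow records are all constructed for illustration, and the rule format, the role names and the ACL-style syntax are assumptions of the example, not a real product format.

```python
"""Baseline-driven classification of connected medical device traffic.

Added example, not Medigate code. Inventory, roles, baselines and flows
below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESSENTIAL, COMPLEMENTARY, PROHIBITED = "essential", "complementary", "prohibited"


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str
    model: str
    function: str  # group key the baseline is keyed on, e.g. "ct-scanner"


@dataclass(frozen=True)
class Flow:
    """One observed connection, seen from the device's side."""
    device_ip: str
    peer_ip: str
    proto: str       # "tcp" or "udp"
    port: int        # server-side port of the connection
    direction: str   # "out" = device initiated, "in" = peer initiated


# Abstract baselines refer to destination *roles*; each site maps roles to its
# own addresses so one abstract policy can be instantiated per environment
# (assumption of this example).
ROLES: Dict[str, set] = {
    "pacs": {"10.10.5.10"},
    "vendor-gateway": {"10.10.9.2"},
    "ntp": {"10.10.1.1"},
    "vuln-scanner": {"10.10.7.7"},
}

# Rule: (direction, proto, port or None for any port, role, traffic class)
Rule = Tuple[str, str, Optional[int], str, str]
BASELINES: Dict[str, List[Rule]] = {
    "ct-scanner": [
        ("out", "tcp", 104, "pacs", ESSENTIAL),              # DICOM image push
        ("out", "tcp", 443, "vendor-gateway", ESSENTIAL),    # manufacturer remote service
        ("out", "udp", 123, "ntp", ESSENTIAL),               # time sync
        ("in", "tcp", None, "vuln-scanner", COMPLEMENTARY),  # authorised scanning
    ],
}

# Constructed inventory: three CT scanners of two models, one policy group.
INVENTORY: Dict[str, Device] = {d.ip: d for d in [
    Device("10.20.1.11", "Siemens", "SOMATOM", "ct-scanner"),
    Device("10.20.1.12", "Siemens", "SOMATOM", "ct-scanner"),
    Device("10.20.1.13", "GE", "Revolution", "ct-scanner"),
]}

# Constructed flow records, as a collector might export them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.1.11", "10.10.5.10", "tcp", 104, "out"),   # DICOM to PACS
    Flow("10.20.1.11", "10.10.1.1", "udp", 123, "out"),    # NTP
    Flow("10.20.1.12", "10.10.7.7", "tcp", 80, "in"),      # probe from the scanner
    Flow("10.20.1.12", "10.20.3.50", "tcp", 445, "out"),   # SMB to a workstation
    Flow("10.20.1.13", "10.10.9.2", "tcp", 443, "out"),    # vendor gateway
    Flow("10.20.1.13", "10.10.5.10", "tcp", 3389, "out"),  # RDP to the PACS host
    Flow("10.20.1.99", "10.10.5.10", "tcp", 104, "out"),   # device not yet classified
]


def group_devices(devices: List[Device], key: str) -> Dict[str, List[Device]]:
    """Group by 'model' (vendor + model) or 'function' so one policy covers many devices."""
    groups: Dict[str, List[Device]] = defaultdict(list)
    for d in devices:
        label = f"{d.vendor} {d.model}" if key == "model" else d.function
        groups[label].append(d)
    return dict(groups)


def classify(flow: Flow, device: Device) -> str:
    """Return the class of the first matching baseline rule; no match means prohibited."""
    for direction, proto, port, role, cls in BASELINES.get(device.function, []):
        if (flow.direction == direction and flow.proto == proto
                and (port is None or flow.port == port)
                and flow.peer_ip in ROLES[role]):
            return cls
    return PROHIBITED


def detect(flows: List[Flow], inventory: Dict[str, Device]) -> List[Tuple[Flow, str]]:
    """Label every flow; a device missing from the inventory has no baseline, so prohibited."""
    return [(f, classify(f, inventory[f.device_ip]) if f.device_ip in inventory else PROHIBITED)
            for f in flows]


def acl_for_group(function: str) -> List[str]:
    """Render a group baseline as ordered ACL-style lines ending in an explicit deny.

    Sources and destinations are group/role objects (like an SGT or address group),
    so the same lines apply to every member without per-device rules.
    """
    lines = []
    for direction, proto, port, role, cls in BASELINES.get(function, []):
        src, dst = (f"grp:{function}", f"role:{role}") if direction == "out" else (f"role:{role}", f"grp:{function}")
        lines.append(f"permit {proto} {src} -> {dst} port {'any' if port is None else port}  # {cls}")
    lines.append(f"deny ip grp:{function} -> any  # prohibited")
    return lines


if __name__ == "__main__":
    for flow, cls in detect(SAMPLE_FLOWS, INVENTORY):
        print(f"{cls:13} {flow.device_ip} {flow.direction:3} {flow.peer_ip}:{flow.port}/{flow.proto}")
    print("\n".join(acl_for_group("ct-scanner")))
```

Two things the example shows that the prose only implies: a device the baseline does not know about falls into “prohibited” rather than being silently allowed, and the rendered ACL ends in an explicit deny. In practice, run the generated policy in monitor-only mode and review the prohibited flows before turning on enforcement, so a gap in the baseline does not block a clinical workflow.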

This information can also drive clinically aware network segmentation policies that further strengthen the organization’s posture. This is an additional network-level enforcement layer on top of the device-specific enforcement policy: it suggests a grouping strategy for the connected devices and the policies allowed between those groups (e.g. SGACLs or dynamic address group firewall rules), giving you an easy-to-deploy segmentation strategy that helps contain attacks, limit their impact, and accelerate remediation and recovery.

If you would like to learn more about how Medigate provides the visibility, classification, grouping and policies that help your HDO flip the script on attack statistics and success rates, contact us here.
