I'm Mary Ann Kolbizak-McGee, Executive Editor at Information Security Media Group, and today I'm speaking with Michael Berry, CISO of Kettering Health Network, which includes nine hospitals and over 120 outpatient facilities serving Southwest Ohio. Michael will be speaking to us about steps that his organization is taking to protect its 17,000 endpoints and servers against ransomware, other malware attacks, and other cyber threats. So Michael, for starters, please describe the top security challenges that you're facing, especially in terms of ransomware, phishing, and other related attacks that we see so much of in the healthcare sector. Well, our number one threat, of course, is going to be phishing.
It's the easiest way to get into a network currently. You don't have to have any computer knowledge to launch a phishing campaign any longer. You can simply purchase a software package off the dark web for a few hundred dollars, point it at any organization, click and go. As far as the information security side on our side of the house, the biggest challenge is going to be to see the information security awareness and training program to get that information out, because that's going to be our number one defense.
As you stated, phishing is a very large attack vector that we have to face as a CISO for an organization like this. It's my responsibility to keep all users and endpoints safe. All the bad actors, their goal is just to find one hole in our defense. Now, Michael, you mentioned workforce training awareness, but from a technology standpoint, can you describe a little about what you're doing to bolster endpoint security and avoid falling victims to these kinds of attacks?
Well, we're a firm believer in the layer defense type of concept where there's no one silver bullet or solution that's going to stop all types of attacks. So we make sure that we have several different technologies in place to, if not stop, then to slow down the attackers to where we can intervene at that point. We have the normal solutions, which are firewalls and things of that nature, any SIPS solutions that would detect and prevent any types of attacks. But again, as I said, there's no one solution that stops everything.
So we were looking further into solutions that would help us and kind of be able to safety net when things get through, and that brought us to the Neutron's paranoid solution. And so, Michael, can you tell us a little bit about how that solution falls into your endpoint security strategy and what else you're doing? So Neutron's paranoid solution is endpoint protection solution that takes what we've thought about endpoint protection and completely reverses it. To this point, we've always thought about endpoint solution as defining and stopping all of the bad.
Any malicious software out there, any malware, viruses, worms, things of that nature. But in order to do that, you have to explicitly define what is bad out there, and the definitions of what is bad is pretty much infinite. So what they did is they mapped out all the known good ways an operating system would operate at the current level. And that is a very finite definition.
So rather than trying to figure out all the known bad, they mapped out the known good, and they blocked or ignored everything else. So how is that working out, and how does it kind of fit into the bigger picture there? So this solution peak our interest because of the fact that it would allow us to even have an infected device and allow us to install the software and would prevent all the nefarious actions after the fact. What we were concerned with was other technologies that you would install that would quote unquote whitelist processes.
We're using machine learning or AI to map out these what they call known good processes. Unfortunately, what was happening was you took a machine that was already infected and installed the software on this. It may take something that was a bad process and map it out as something you thought was appropriate. So the apparently product already has everything mapped out where you can install it on an already infected device.
It would recognize that as something that is not performing correctly and block that activity. We decided to go forward with this and tested it during a proof of concept that we have. We were testing it on a group of devices. In that meantime, we had another device not part of the trial that was infected with the virus.
We took that virus and in a lab environment applied it to a machine that had the paranoid product installed. While the intent of paranoid is not to prevent the installation of the malware, to prevent all activities that are performed after that fact. So this virus in question was actually reaching out to a command and control server and attempting to download ransomware. So we proved the point that it would not allow the connection to the command control server because it was doing it in a non-standard fashion as well as we took the next step of actually infecting a lab environment device with ransomware.
While it did not stop the ransomware installation, it prevented all activities that would happen there after including any potential encryption of files, shares or drives. So Michael, in terms of ransomware attacks, has your organization previously fallen victim to any of these sorts of attacks? And so what was the impact? How did you remediate it?
Were you able to prevent this from happening even prior to the new tactics that you've been using the new products? We've seen traffic that could potentially have turned into ransomware. However, with the R-layer defense approach, we have not fallen victim to anything of that nature. So Michael, what about protecting medical devices, including those running legacy operating systems and other outdated software?
How are you addressing those issues? So medical devices are always going to be a challenge because of the nature of the certification that they have to go through in order to be present in a network. Ideally, they're going to run a software that would be supported like controls similar to neutrons, paranoid, which does support Windows OSs, including legacy ones. So currently in our environment, we are evaluating all the medical devices that paranoid could be installed on, and we are going to place it on those devices as an extra layer of protection.
Those who cannot have any protective layers placed on them, we are going to quarantine through their own networks and allow only traffic to and from the appropriate devices. Overall, how big of a headache is medical device cybersecurity? Again, you have a lot of outdated software, sometimes the vulnerabilities are found by researchers that purchase some of this equipment online, and then there's no way of patching. How do you deal with that?
Well, as you said, it's a very large headache. It is a very large concern for us. As I said previously, it's my responsibility to keep everything protected while they only need to find a single hole. While the medical device field taking out as a whole vertical is a very large hole to get into any type of network, whether it be healthcare in this nature, but also other things that are unmanaged like IoT, taken HVAC system.
The HVAC system was a great example for the target three years ago. It was just a vendor third-party account that was like active, a bad actor came in and was able to take advantage of. So things of that nature, whether it be biomedical, whether it be just IoT, internet of things, any unmanaged devices are always going to be a challenge. And it is our best approach is to, again, layer it to see what additional mitigating controls can put around those devices if we are not able to patch or put any mitigating controls physically on that device, like a paranoid solution, any other endpoint protection solution.
For example, putting firewalls in place to limit the traffic protocols and ports that are able to communicate to and from those devices. And finally, Michael, as a SISA, what keeps you up at night? It's the enormity of it. It is the constant evolution of the bad actors and the limited resources we have available to us for educating our current employees, growing the skills of our information security team.
It seems the delta between those two seems to be growing more and more and we are not able to keep up. Whether those resources are hard resources like tools and money or soft resources like individuals, people, staff, employees, it's just a challenge to try to keep pace with the bad actors out there. The other thing is the fact that this is basically a nine-to-five job for some people. You come in every morning, they clock in and start attacking.
So we see it like regular clockwork, certain times in the middle of the night and certain times later in the afternoon, we see a rise in the attacks. Also certain areas of the world are just like clockwork, like they send attacks, it seems like when they're coming in at 8 a.m., and it's 24 hours for us, you see higher attacks for us during Friday evenings and the weekends, it seems that they don't expect us to be on guard during those times. To use a sports metaphor, it's up against the world. Thanks, Michael.
I've been speaking to Michael Berry. I'm Mary Ann Kolbasak-Nighi of Information Security Media Group. Thanks for listening.