BIZTECH: When did you first get interested in zero trust as an architecture and as a general framework?
FRENZ: Actually, back in 2015, the hospital I worked for at the time became very concerned about the possibility of a ransomware or other widespread malware attack hitting the organization. One of the things we decided to do was simulate what it would look like if a malware attack were to hit the hospital.
We took what’s called the EICAR test string — if anybody is unfamiliar with that, it’s a harmless string of characters that years ago all the anti-virus makers got together and agreed to treat as a virus. It provides a safe but effective way to test malware defenses — and I wrote a script that would take the EICAR test string and attempt to copy it to every PC within the hospital.
Now, this was an exercise that was executed without anyone else in IT being aware. We launched a script and simulated the malware spreading through the organization. By doing the exercise, we learned quite a bit about which controls were effective, which controls didn’t work and, in some cases, how people responded to the attack, both in terms of the users and in terms of incident response.
One of the controls that stood out as really effective from doing that test was network segmentation. And the interesting thing we saw is that the network segmentation we had, which was by department, mostly of access control lists and virtual LANs, did a good job of keeping that threat contained to just that particular department. But as a hospital, one of the things we learned is that if we were to lose an entire clinical department to ransomware or other types of attacks, it was going to be disastrous to clinical operations at the hospital and potentially patient safety. So, we began to think about ways we could take network segmentation to the next level. And that’s what kicked off our zero-trust initiative.
BIZTECH: When you were looking at network segmentation in those early stages of that zero-trust initiative, what kind of challenges did you encounter?
FRENZ: The first major challenge was establishing an asset inventory. For anybody starting on a zero-trust initiative, one of your first challenges is figuring out everything that’s on the network. Establishing this inventory is the first stage. After that, the biggest challenge is figuring out how all those various assets talk to each other. It’s important to figure out those different traffic flows and map them out in the organization.
In terms of our zero-trust initiative, we started by interviewing the administrators for the various systems. In some cases, they knew the traffic flows. In some cases, we were able to pull it from vendor documentation. In some cases, we used the NetFlow traffic analysis or various tools like that. And in some cases, we had to resort to tools like Wireshark to discover the traffic flows.
That’s one thing that’s changed since 2015. A lot of the more modern zero-trust tools do a much better job of giving insight into the traffic that occurs between systems. So, it’s gotten a little bit easier, but that’s still where your biggest challenge is going to be. And I recommend anybody doing a zero-trust initiative spend time completely learning those traffic flows. The better picture you have of the traffic that’s required in your organization, the less likely you’re going to be to break something when it comes time to put the policies in place, because once identified, traffic flows will form the basis of your zero trust policies.
BIZTECH: Let’s take a little bit of time to talk about what you call evidence-based security. What does that incorporate and how did it factor into your plans when you were trying to adopt zero trust?
FRENZ: I’m very big on security testing. One of the things I like to do is find ways to quantify security, make security measurable. And the EICAR test example is an example of that, by simulating an attack or some other security incident, developing metrics around that to determine how well your security controls are working or not working and using that to identify improvements in security. I really liked that approach because it gives you a clear idea of what works and what doesn’t work. As you make changes to the organization, you can quantitatively see if you’re making an improvement or not. I find that a very effective way to make security decisions.
BIZTECH: Did you find that a lot of the different tactics that you learned in the first go-round were able to be transferred to Mount Sinai? Or did you find that there were quirks between the different organizations that you had to account for?
FRENZ: It was basically the same approach of doing the asset inventory first and then taking the asset inventory and using that to figure out the data flows. Those techniques were definitely transferable. The other important lesson to learn from the first time that’s made it a little easier doing it a second time around is not to try to bite off too much at once. It’s important to understand that zero trust is not something that you’re going to just flip a switch one day and be all zero trust. Zero trust is a process, and you’re going to want to roll it out over time to avoid breaking stuff.