How SIEM Tools Fit into a Healthcare Organization’s Security Strategy

What Can a SIEM Tool Do for Healthcare Organizations?

The National Institute of Standards and Technology defines SIEM as an “application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.”

The primary value proposition for SIEM is its ability to bring a lot of security telemetry together, says Michelle Abraham, research director for security and trust at IDC.

“Rather than have that information in separate tools and have a security team look at identity, endpoint, network and email security solutions separately, SIEM brings it all together,” she says.

The advantage is correlation: Teams see a login attempt for a specific user ID on a specific device at a specific endpoint as a single incident, not three isolated events. 

Kaufmann agrees. Endpoint security tools provide good insight for a single device but don’t paint the overall security picture. “Without a SIEM system, you miss the forest for the trees.”

READ MORE: vCISOs collaborate to defend against ransomware.

How Does SIEM Work as a First Line of Defense?

Most healthcare organizations couple the implementation of a SIEM tool with managed services from their chosen vendor.

These services can take many forms, says Michael Gregory, CISO and executive healthcare strategist at CDW Healthcare. Some organizations — particularly those based in geographic areas where skilled cybersecurity professionals are in short supply — may opt for a fully managed SIEM. Others might use managed services to augment in-house staff, especially for threat detection and response.

“You can have excellent people. You may even have a cybersecurity guru. But you need a collective,” Gregory says. “You can’t build your entire enterprise around one person. You need to be able to provide business continuity.”

For Kaufmann, managed services offer a first line of defense. The vendor can provide around-the-clock monitoring and is empowered to address threats without waking up Amedisys security staff in the middle of the night.

Along with immediate responses to security incidents, a relationship with a managed service provider can give organizations a leg up on recruiting, Kaufmann says.

“You’re not just bringing in people to staff a security operations center,” he says. “You can invest in employees at a higher level. You can hire advanced engineers. You can hire for expertise in developing an enterprisewide security strategy.”

How Does SIEM Help Spot Cyberattacks?

Guidance from the IRS suggests organizations evaluating SIEM systems should look for automated data analysis, near real-time alerts, actionable information and quick ramp-up time that requires little training.

These capabilities matter given the increasing sophistication of cyberattacks, Gregory says. Where it once took months to gain access via brute-force attacks that were relatively easy to detect, today’s attackers can crack an identity in seconds. “They’re gathering intelligence, and they’re breaking into the right accounts to appropriate privileges,” he adds.

These attacks often span multiple resources, says Allie Mellen, principal analyst at Forrester. For example, an attacker may target a cloud-based application, get access to an employee ID, access the endpoint associated with that ID and then move laterally through the network.

EXPLORE: A penetration tester shares where to make healthcare security improvements.

“That spans a lot of controls. You need a holistic picture, not alerts about individual activities,” Mellen says. To that end, organizations also benefit from user behavior analytics, which build profiles of employees or devices interacting with the network to spot unusual behavior that might indicate an attack.

To gain such insight, SIEM systems need tight integration with security tools. After all, Abraham says, a SIEM platform can only send alerts related to data that it receives. If these connections don’t exist out of the box, a SIEM provider may add them upon request, or security teams may create them on their own.

Why Should Healthcare Organizations Get Back to the Basics First?

Along with possibly writing connections to endpoint tools, organizations should expect to put in the work to build response playbooks and automated workflows to act on SIEM insights, Mellen says.

“It’s incredibly useful to build workflows to add enrichment to an alert, take a response action or bring feeds from threat intelligence platforms into the SIEM platform,” she says. “When all of these pieces come together, you have a more structure and unified tool, but security teams need to put work into it proactively.”  

Ultimately, Gregory says, organizations need to have good governance established before implementing a SIEM system. That includes strong policies and tools for identity and access management, configuration management, supply chain management and so on.

“If you don’t have the fundamentals in place when you deploy a SIEM system to see what the network is doing, you miss the boat,” he adds. “You can’t correlate vulnerabilities or identify attack patterns. You don’t see the whole picture.”

This focus on the basics also helps CISOs make the case to other executives about the value proposition for SIEM, Gregory says. “If you can say that SIEM is a business continuity tool, that it helps you recover quickly from a security incident, then the CEO’s ears should perk up.”

UP NEXT: Attack surface management provides visibility in an era of evolving risk.