Security

Review: Supporting Healthcare’s Zero-Trust Journey by Uncovering Network Assets

ExtraHop Reveal(x) can monitor cloud-based and on-premises assets to expose complex attacks.

Twitter

John Breeden II is an award-winning reviewer and public speaker with 20 years of experience covering technology.

Healthcare organizations face a challenging cybersecurity environment, with numerous connected devices, applications and users they must manage on their networks to support patient care. A smart hospital bed or an infusion pump may have vulnerabilities that can become attack vectors, offering a bridge into the core network.

This complex network environment can also make it difficult to implement advanced security approaches such as zero trust, since the risk of cutting off critical medical devices from backend databases and other assets is extremely high.

A sophisticated network detection and response platform with the ability to monitor devices by the traffic they generate, such as ExtraHop Reveal(x), can go the distance to protect healthcare networks and offer a strong foundation for zero-trust security.

Click the banner below to read the 2024 CDW Cybersecurity Research Report.

The ExtraHop Reveal(x) Platform Offers Critical Monitoring

Instead of working with agents that would need to be installed on devices, ExtraHop Reveal(x) pulls in raw network traffic from a variety of potential sources, including network taps or port monitors. For Amazon Web Services or Microsoft Azure clouds, it can read all the data coming from a virtual traffic mirroring feed. It then analyzes that traffic — and can do so very quickly at up to 100 gigabytes per second.

The platform then begins to classify every device operating on the network using its highly trained machine learning engine. In testing, it properly discovered everything from a Domain Name System server to a heart monitor. Reveal(x) comes pretrained so that it can quickly identify thousands of medical and Internet of Things devices. It can also learn about new or unique devices that may be operating within a healthcare network.

Once identified, devices are put into logical groups so that Reveal(x) can monitor traffic to determine what normal patterns flow within the network to compare against future outliers. It can also immediately identify malicious traffic associated with cryptomining or attack patterns.

The network discovery process is not a one-time event: Reveal(x) is always monitoring traffic, so every time a new device comes online, it will be identified the instant it starts to communicate. In this way, the platform can quickly identify and protect newly installed equipment; it can also reveal shadow IT or unauthorized devices before they can touch any other network assets.

Get More Support for Security Alerts with ExtraHop Reveal(x)

Once a potential threat is identified, Reveal(x) generates an alert and presents an explanation for its findings. This includes the devices and hosts involved, the IP addresses, the type of threat that is being launched and the severity of the alert. It explains why the threat is dangerous and what should be done to counteract it.

Reveal(x) will also offer to help with remediation, making it a great tool for less experienced security personnel.

Healthcare networks are necessarily complex behemoths so that providers can deliver high-quality patient care. A platform such as ExtraHop Reveal(x) can help to simplify some of that complexity, spotting threats and suspicious activities by their network traffic while exposing hidden behaviors that could be sheltering potential attackers.

SPECIFICATIONS

PRODUCT TYPE: Cloud-native network detection and response
DEPLOYMENT: Software as a Service
TRAFFIC ANALYSIS SPEED: Up to 100GBs per second
ENTERPRISE PROTOCOLS KNOWN: Over 70
TRAFFIC DECRYPTION ABILITY: Can passively decrypt SSL and TLS 1.3
MACHINE LEARNING ENGINE: Knows over 5,000 attack methods and patterns

What about Healthcare’s Encrypted Traffic?

The ExtraHop Reveal(x) platform is designed to monitor and protect east-west network traffic, covering devices and users operating within the security perimeter. In the past, all of that traffic has been unencrypted. However, with cyberthreats on the rise and many healthcare organizations moving to an assumed-breach mentality as the first step toward zero trust, east-west traffic is starting to get encrypted in some cases, especially for traffic interacting with critical assets.

This is happening quickly in healthcare because much of its east-west traffic contains HIPAA-protected patient data. However, if a network detection and response platform is not able to read encrypted packets, this offers attackers an avenue to hide their activities.

ExtraHop Reveal(x) can passively decrypt SSL and even Transport Layer Security 1.3 encryption with perfect forward secrecy. And given the massive bandwidth that Reveal(x) can handle, this process does not seem to slow down real-time analysis by any measurable amount.

If suspicious activity is detected using encrypted packets, Reveal(x) can still flag that activity. Administrators then have the option to download the session keys so that the packets in question can be fully decrypted for forensic analysis.

Encryption is a growing trend in healthcare for protecting east-west network traffic. A platform that can passively decrypt those packets is necessary to maintain full visibility and protection. Thankfully, that is something that ExtraHop Reveal(x) does automatically and quickly along with its other critical traffic monitoring duties.

UP NEXT: What is a rapid maturity assessment and why is it useful in zero trust?

Editor's note: This article was originally published on Feb. 9, 2024.