Uma Mahesh Reddy on Adopting a Threat-Informed Defense with AttackIQ Vanguard

EPISODE 11: THINK BAD, DO GOOD

Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

Guest: Uma Mahesh Reddy

In this episode, Uma and Jonathan discuss the practice of threat-informed defense and how organizations can use real-time performance data to optimize their security program and make the most of their security investments.

AttackIQ Vanguard has been instrumental in supporting Uma’s team with their cybersecurity readiness. Vanguard helps Prime Healthcare identify configuration errors, find security gaps, and enhance the team’s performance through continuous security control validation.

“Having cybersecurity controls (technology, people, process and procedures) in place will not alone protect your organization from breaches and attacks. Proactively measuring the effectiveness of your controls on a regular basis and fine-tuning them to keep up with the ever-changing threat landscape is imperative,” said Uma Mahesh Reddy.

When Jonathan asked Uma what AttackIQ’s slogan “we’ve got your six” means to him when it comes to cybersecurity programs, he explained with confidence, “You’re not only watching our back, you’re watching the other two sides too. We are focusing on the business, and how do we keep it running securely by having all these controls in place, but you are helping us to make sure that we are heading in the right direction towards our goal.”


Uma Mahesh Reddy is the CISO of Prime Healthcare Services. Uma is a cybersecurity and healthcare professional, with over 20 years of experience.

Transcript

Jonathan Reiber:

Thanks, everyone, for joining us today for our podcast here at AttackIQ. We're really pleased to have Uma Mahesh Reddy. Hey Uma, how are you?

Uma Mahesh Reddy:

Good, good, Jonathan. Thanks for having me, I really appreciate it.

Jonathan Reiber:

Uma, for those that don't know him well – Uma and I were talking about this earlier. He has gone in one and a half years on LinkedIn from having zero followers to 24,000, which should tell you a little bit about this man's expertise. He's the CISO of Prime Healthcare, he's got 20 years in cybersecurity, so he's a healthcare professional and a cybersecurity professional. So it's a real pleasure to have you on, Uma. And today we want to talk about the practice of threat-informed defense and how organizations make the most of their cybersecurity investments and achieve real optimization in their business practices and in their teams. So let's just dive in with some questions about that. Uma, when you think about cybersecurity management, what are the biggest issues you face when it comes to achieving cybersecurity readiness, and how does a threat-informed defense strategy help you overcome those challenges?

Uma Mahesh Reddy:

So the number one for me is knowing what we have in the organization, and what its importance is to the business. And next is, how do we secure it? Where do we put all our efforts in? So those two drive the whole program, aligning the goals with the organization's vision. We have organizations like Prime, with about 44 hospitals, 300 clinics across 14 states. We have a comfortable amount of cybersecurity controls, 50 plus; we buy these tools and put them in place, but how do we know they're working? It's always a cat-and-mouse game that we are in, in cybersecurity.

You're always in catch-up mode. You're always 10 steps behind a hacker, unfortunately. So how do you make sure the controls, process, and people that you put in place are working toward those goals of securing the organization? So knowing those threats out there and being proactive, meaning before somebody finds a vulnerability inside your program, is always better. We keep looking for them and filling those gaps. So for me, knowing where I am weak will make us ready for any unknowns. So for me, that is very important. And it has to be done by the right skill set, and it has to be validated.


Jonathan Reiber:

And how have you found the MITRE ATT&CK® framework to help you in the process? Has it changed your approach to cybersecurity management?

Uma Mahesh Reddy:

Yes, it did. We were not following this prior to coming across AttackIQ. Once we started looking at AttackIQ, that's when we got familiarized with the framework. We use it internally to map the threats; our intelligence team uses it.

Jonathan Reiber:

That's awesome. That's good to hear. And what are some of the strategic benefits you've gleaned so far from the process of continuous automated security control validation, given the breadth of your organization and the number of controls, at 50 controls? What are some of the benefits you've achieved so far?

Uma Mahesh Reddy:

AttackIQ has been very helpful; it has given us a different perspective on what we have in place. Not only from the technology point of view, but people and the process too. We validate with the tool, and we don't announce any of these simulations we do. When we run these simulations, we come across things that we never thought about or could have imagined there would be a problem with; it could be the technology or the process. So it has been really helpful in validating all those three.

Jonathan Reiber:

Can you talk a little bit about the lessons you've gleaned on the people side? I think the technology side is relatively clear, in that it discovers configuration management problems, but maybe a little bit more on the people and process: what are some of the things you've learned so far, or that you're hoping to learn?

Uma Mahesh Reddy:

Sure. So when we run these simulations we expect our SOC to detect any of the anomalies that are found, either through the logs that we send to the SIEM or through other controls in place. Then if they were able to find it, detect it, and respond – that's when we tell them, this is just a simulation, and to just let it go for now. You know, there are certain times that, not just with the staff but in certain areas, we find some gaps where the detection went unnoticed. And we were able to right away ask questions – the five whys – and quickly turn around to fix it.

Jonathan Reiber:

Yeah, this is a practice. I think that one part of automated security control validation is the investigative process that you do after you find a control failure. It's to say, why isn't this working? What happened? And one of the stories that Lewis Honour at Bupa told is that you can actually find, in some cases, if you have an attrition problem, that a control may not have been solved because somebody left their role. And because they left their role, they hadn't filled out a contract for an MSSP. And then the question becomes, well, why did they leave their job? And one of the things he discovered is there was a salary suppression problem. So the security team wasn't actually being paid enough. And so the human performance function, from a manager's standpoint, is to call up the human resources head and say, okay, we need to actually start paying people. So I think it's interesting, these sort of orthogonal benefits that come up from testing that aren't the initial benefit you'd imagine, but that give you a chance to improve your performance.

Uma Mahesh Reddy:

Honestly, my perspective on that is a little different. I wanted a third-party, unbiased opinion in validating the control. Right, we don't want a fox to guard the hen house. We want somebody else who has nothing to do with what we are doing and no strings attached to us, who can speak freely and give their opinion and expertise. Because when we work as a team, sometimes we all start thinking in one way, you know, or certain ways. We all tune to each other one way or the other, psychologically. They speak their voice and opinion, and there's more benefit I gain from that side. And secondly, honestly, what you guys (AttackIQ) provide, when it comes to cost, is just a fraction of the cost of hiring somebody to get it done. It's a fraction of the cost, but the benefit that we reap out of this is tremendous. So that's one reason we went with the Vanguard program. We've seen this time and time again: you guys never left us high and dry. You've been really helpful. The team you have is excellent.

Jonathan Reiber:

I appreciate that very much. So was there something in particular about having a managed security service providing breach and attack simulation from the outside, and being involved as an expert team, that has given you any other specific benefits, given the novelty of the model in particular, that you'd like to surface?

Uma Mahesh Reddy:

Because when you're looking at simulating an attack, we can tell you what systems; we can identify random systems in the network and say, hey, these are the things that you're going to do today. But we rely heavily on you to ask for advice on what is happening out there. What's the most exploited hack? Because your team is kept abreast of all the newer attack techniques, all the newer TTPs out there. You are in the loop and work with the MITRE framework very closely, so we draw that experience from you.

Even if we were to go hire somebody and do this, it wouldn't be that effective. I mean, our teams are very much involved in these activities, but having that extra help and knowledge from your team to support us is very valuable. And, secondly, the amount of knowledge they bring in and the post-activity: they will walk us through it. Not only do they give you a report and say, this is it; they will walk you through what the findings are and they'll help you validate those findings. You know, sometimes you find stuff that's not valid, because every environment is different, and whatever you find is not always a threat, but they also help you in that process. So for an organization of our size, I believe having a team like this is very helpful.

Jonathan Reiber:

From a testing standpoint, the traditional model for testing, as we all know, is penetration testing that would happen once or twice a year at most. And it would never test your entire program. So one of the value propositions in this category, and it's grown a lot, right? There are a lot more companies now than there were two years ago, which is great. And to me, that's an indicator that folks are really catching on to this. It's that continuous process of generating data that is one of the real valuable elements. And I wonder if you have perceived a cognitive change in your team from that generation of continuous performance data. And if so, how has it changed their approach?

Uma Mahesh Reddy:

Yes, we definitely did. We test our controls, people, process, and procedures on a regular basis; we don't miss it. So whenever we find the gaps, we go back and validate, and not only just validate them, but I request our team to go ahead and update our SOPs. Because what you learn and the outcome of the exercise is invaluable. You don't just want this to be a one-off thing; you want to learn from it and grow. So that's one big thing that comes from these exercises. So it's been invaluable for us, these simulations that we do on the network.

Jonathan Reiber:

Is there a cadence of testing and a structured process that you would like to get to? In other words, you're coming from a large organization, right? And I think small companies that have a security staff of three to four people may test their security controls once a month, which I try and tell them is insufficient. Others want to test some controls every hour. Certainly we know once a year is not enough, but it may be that there are some controls you test every day and some you test once a week. And then you mentioned a tabletop exercise. You could also do a sort of larger event where you say, you know what, there's an issue impacting the United States, there's a contingency with Russia; could there be an issue whereby we have to elevate our security posture, move closer to a higher DEFCON level or what have you, and do a tabletop exercise that brings in other players? So I'm just wondering strategically how you see those potential evolutions over time in terms of frequency and scope.

Uma Mahesh Reddy:

It depends from organization to organization, right? And there are, like you said, certain exercises that you pick and choose to do. As these threats are out there moving, you want to pick those, flag them as high priority, and note that they are actively being exploited. Let's just simulate that in our environment and see what comes out of it.

Regular exercises that you do on a monthly or a weekly basis – right now we do it monthly. We don't want to overburden the team. We have to have a balance. Yes, if we do it on a continuous basis, we come across these things, but what do we gain from that? For instance, if we've discovered 10 things now, 40 in a month, do we have time to take care of and address them? Like any audit, I tell our team finding these things is not a big deal, but what you do with them is very important. If you don't address what you found, what's the use of spending the effort finding them? So we have to balance that. So that's what my message would be: not the number of times you do it, but what you do when you find something.

Jonathan Reiber:

Yeah, the way that I think about security – you know, I worked in the Pentagon for seven years and now I've been in the private sector for three, doing research. If you think about the number of risks and the things that could go wrong on planet Earth, you would never sleep. We have scarce resources, and one of the things I love about the strategy of a threat-informed defense is twinning it with high-value assets, right? You identify your most important assets that you want to protect, you align your controls against them, and then you focus on the threats that matter most to you. So let's actually think about it from a sector-specific angle. You're in the healthcare sector, and it faces its own set of unique threats. I wonder if you could talk a little bit about how you use Vanguard to think about your specific risk strategy. How do you prioritize your approach?

Uma Mahesh Reddy:

So first is knowing what you have on your network, then putting a value on those. Then you go to the next step of identifying how we secure these assets. How much effort and time and money do we put into securing and protecting these assets? That doesn't just have to be printers, cameras, or applications; it can be people too. People are an asset for an organization. So we started looking at it differently, looking at what an asset is and how we define an asset. With Vanguard, once we know what those assets are and once we decide what number of assets we are going after this month, we don't announce what those assets are. We don't announce our activity, when we are doing it, how, or what time we are doing it. None of that is announced to anybody except for one team, and then they go after them once we have those findings. That's very crucial for us. We have a call with the Vanguard team, who takes these reports and goes over some of the findings. And we take your input before we even run these simulations. Then the team comes back and tells us which are the most important to start with and prioritize. We both agree upon the items, and then we take those, we run those, and then we go over the findings together. That support is what's needed from an external party, and in this case Vanguard.

Jonathan Reiber:

That's awesome. What you've just described sounds to me like a very collaborative process, and it sounds like it would build team cohesion around your threat-informed defense strategy and give you a sense of prioritization. You agree on the threats. And it might also, and I'm not trying to lead the witness too badly, it sounds like it would enable an ability to communicate upward and across the organization about your threat-focused strategy. So you could say to your CEO, you could say to the board, you could say to shareholders: we are taking this approach because we know this threat is after us, or we know that we're concerned about this particular kind of data assurance, and so we just want to assure you. So have you found that it increases the level of confidence and comfort between and amongst teams and leadership?

Uma Mahesh Reddy:

Yes, it does. You know, I've been very fortunate to work for an organization that puts a lot of trust in us. I've grown with the company; they've given me the opportunity. I started as a programmer in 2002, when I came to the US. Prime was one hospital and 10 clinics back then; now we are 40 hospitals and 300 clinics, one of the top five for-profit healthcare organizations in the country. They have put a lot of trust in us and the team. So when I heard of the service that you're offering with it, I didn't even have to think for a second; I said let's just take it, because not only will it help us to utilize the tool to the fullest extent, but it will also help us to use the other tools to their full extent. The knowledge that the team brings in will add a lot of value. With Vanguard we are not only gaining the value from them, but we are also using their knowledge to make the other tools better. Let's say you have a DLP program and a tool in place. That's good, but how do you know that it's doing what it's supposed to do, right? How effectively are we using all that we have put in place? We get that from the Vanguard program and AttackIQ, and that's not the only thing your team helps us with; in other areas, they help to make us strong.

Jonathan Reiber:

Yeah. We've spent some time thinking about the return on investment function. In other words, if you're spending a million dollars on security controls, and they're only performing at 25 or 30% of what they're supposed to be performing at, or some number like even 50% or 60%, then you're wasting half a million dollars. That's just a number I made up. So if you spend a hundred thousand dollars on top of that, or some other number close to that, for a security control validation process, whatever the number is, then you're having a moderate increase in spending that enables you to maximize your ROI, when you're otherwise wasting all this money because you simply have no understanding of where your controls are. We just passed the one-year anniversary of SolarWinds. If I were a member of Congress, I would return to the US government and say, okay, it's been a year, show me how well you're prepared for those exact tactics and techniques. And I would hope that the government would be able to say, yes, we've run the following tests. But that's where we're trying to get to – a modicum of increased spending to maximize your ROI. And I hope that you're finding that kind of value.

Uma Mahesh Reddy:

Yes, we are. And one thing all security professionals have to accept and realize is that it's a continuous process. It's not a one-time thing. I started my career as a programmer, and then moved to systems administration. As a system admin or a network admin, what do you do? You take a switch, you program a switch, then it's solid, sitting there. You don't have to go back and check it every day or every minute. But that's not the case in the cybersecurity world. I tell my team, you know, you need to have a different mindset for it. It's a continuous process. You are always learning and you're growing. You're always testing, testing, testing, seeing how it is doing. And that has to be part of your cybersecurity program. If it is not, then you are failing, then and there. You can't install every network IDS and IPS out there, get half of them up and running and configured, and then say, forget about it. You can't do that, because the threats and techniques exploited out there are changing constantly, every second. So as these things happen, you have to catch up; it's a cat-and-mouse game. You're always in catch-up mode. You're trying, you're fine-tuning, you're tweaking, you're testing. So that has to be part of your security program. To realize the ROI on any tool or control you have in your security program, people and the process have to be included and constantly monitored, measured and fixed – it's a cycle.

Jonathan Reiber:

That's a great way of saying it. The way I like to think about it, because I worked in the Defense Department, I come from a national security and military planning standpoint. If you'd built the best Navy in the world – 11 carriers, 11 carrier strike groups, which is what we have – and you have them in port but you never exercise them, ever, the sailors would be, you know, not the fittest guys in the world. If you never practice take-offs and landings, how would you expect to perform against a near-peer adversary? The missions would all fail. So the interesting thing is, we now have the civilian sector in the United States. As the internet has grown from zero to 4.3 billion users in the same age as Nicki Minaj and Chris Hemsworth, which is 39 years, we now have civilians who are being targeted by criminals and nation states. So it's a little bit of a flipping of the process, and it's probably why so many national security people go into cybersecurity. This continuous exercise process for the massive investments that have been made is absolutely required, because you have to shift your focus; look at some of the threats in MITRE ATT&CK you're facing off against, like FIN6, criminal groups all over the world, or nation states. You have to be ready for these groups, and that requires a certain amount of focus.

Uma Mahesh Reddy:

You're absolutely right, Jonathan, on that. And when we first started in Prime, I built this program from the ground up. The closest thing we had to cybersecurity controls back then was an antivirus. Each hospital had its own installs and a backup program. That's about it. So the CIO back then pushed me into it. What I realized is having these controls is easy, but keeping up with them is not. When we first started in Prime, I won't go into much detail, but we had an MSSP program for our SOC. We were completely managing and maintaining it, with only two people in the whole cybersecurity management supporting hospitals. And that miserably failed us. For an organization of our size, going to a SOC didn't make sense to me, and then we built the team internally. But for a program like Vanguard, I would in a heartbeat recommend to people: just get it, it's worth every penny of what you do.

Jonathan Reiber:

At AttackIQ, we like to say, we've got your six, and this refers to World War I and World War II fighter pilots. If you imagine a clock, you couldn't see behind you easily, so you had another pilot who would watch your back: you could see the 12 in front of you, but you couldn't see the 6, you couldn't fully turn around. So you had another pilot behind you. Does that phrase resonate, in a sense, because that's what Vanguard wants to provide? We want to say we've got your six when it comes to thinking about the gaps that you may not be seeing.

Uma Mahesh Reddy:

That's a very good phrase and technique. I mean, you can definitely say you not only watch the back, you watch the other two sides too. We are focusing on the business, how we keep it running securely by having all these controls, but you are helping us to make sure that what we are trying and where we are heading towards is right and clear, and making the way to head towards our goal. You're not only watching the back; I would say you're watching the other sides too, the other two wings.

Jonathan Reiber:

That's awesome. I love that. You're building on the phrase. It allows the plane to keep flying straight because you know that there are folks that have your wings. You're playing wingman; that's exactly what we want. Are there any other lessons you'd like to offer to your fellow security practitioners, as you think about the process of continuous control validation, training and exercising? As someone who's really taken a strategic and forward-looking view on this, are there any other lessons you'd like to offer?

Uma Mahesh Reddy:

Sure. I would suggest making this part of the security program: continuous testing and validation, and fixing what it comes across. I would suggest that any security professional has to make this part of their security program; otherwise you're failing in more than one way. You're blindsided if you think everything you're doing is right, when it's probably not. How do you know for sure, and have peace of mind? I think there are multiple ways to do anything, and other ways to do things better than what I do. I know I'm not the smartest person in the world. There are people smarter than me out there. So I'm always trying to learn; this process helps you learn and grow, to see what exactly is happening out there, and how we measure by knowing what others are doing.

Jonathan Reiber:

That's wonderful. I really appreciate that. Uma, it's an honor to get to partner with you in this process. It's an interesting thing. One of the reasons I joined AttackIQ was because it was a new concept that was solving a problem I knew existed when I was in the Defense Department, which is that our weapons platforms and our networks were totally vulnerable to exploitation and attack. And the only way you could determine that and generate data was through automated testing. It's been so cool in the last two years to join folks like you and say, this is a new thing we're trying to do; we've recognized this problem. And there's obviously a catalyst for folks that are in the vanguard. So actually you're more in the vanguard, probably; you're included in the vanguard, as it were, of folks who are out in front thinking about these issues. So I really appreciate the time, and congrats on being a part of Prime as it grew. You grew a small organization that's now quite big, and you've reached the pinnacle of your security work in the company. That's awesome.

Uma Mahesh Reddy:

Thank you.