Prestigious hospital. Outdated network.

Similar documents
Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats

Cisco Unified Computing. Optimization Service

Cisco Mobile Collaboration Management Service

BYOD Security Challenges in Education: Protect the Network, Information, and Students

Cisco SecureX Product Brochure

Cisco Virtual Desktop Infrastructure Strategy Service

Cisco TrustSec for PCI Scope Reduction Verizon Assessment and Validation

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Going Big (Data) with MapR Hadoop and Cisco UCS

PCI Compliance: Improve Payment Security

Planning the Migration of Enterprise Applications to the Cloud

SANS Top 20 Critical Controls for Effective Cyber Defense

Get More Scalability and Flexibility for Big Data

End-user Security Analytics Strengthens Protection with ArcSight

Managing the Real Cost of On-Demand Enterprise Cloud Services with Chargeback Models

Secure and Effective IT Infrastructure

Deploying Firewalls Throughout Your Organization

Cisco Advanced Malware Protection for Endpoints

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Cisco TrustSec Solution Overview

Readiness Assessments: Vital to Secure Mobility

Transforming the Store Experience with Cisco Retail Solutions

Cisco Advanced Malware Protection. Ross Shehov Security Virtual Systems Engineer March 2016

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Zone Labs Integrity Smarter Enterprise Security

Network Access Control in Virtual Environments. Technical Note

Quickstart User Guide

Cisco Smart Business Communications Systems. Cisco Small Business Unified Communications 300 Series

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

Securing the Database Stack

Requirements When Considering a Next- Generation Firewall

Veeam Backup & Replication Enterprise Plus Powered by Cisco UCS: Reliable Data Protection Designed for Virtualized Environments

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

How To Create An Intelligent Infrastructure Solution

Cisco Data Center Virtualization Assessment Service

To Cloud or Not to Cloud? Which Communications Deployment Option is Best for Your Business?

Cisco Nexus Planning and Design Service

How-to Guide: Top Ways to Improve Contact Center Performance

Telepresence in an IPv6 World. Simplify the Transition

Cisco Smart Business Communications Systems. Cisco Small Business Unified Communications 300 Series

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

THE BUSINESS VALUE OF MANAGED SECURITY SERVICES.

Preemptive security solutions for healthcare

Cisco Fog Computing Solutions: Unleash the Power of the Internet of Things

White Paper. Five Steps to Firewall Planning and Design

Technical Note. ForeScout CounterACT: Virtual Firewall

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Sygate Secure Enterprise and Alcatel

Securing Virtual Applications and Servers

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Leveraging Privileged Identity Governance to Improve Security Posture

The Cisco Smart Business Communications System

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

BeyondInsight Version 5.6 New and Updated Features

Cisco Cloud Web Security Datasheet

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

SCADA SYSTEMS AND SECURITY WHITEPAPER

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

Ports Reference Guide for Cisco Virtualization Experience Media Engine for SUSE Linux Release 9.0

Internet Content Provider Safeguards Customer Networks and Services

Independent Software Vendors: Upgrade and Unify Your On-Premise IT with Cisco

GETTING THE PERFORMANCE YOU NEED WITH VDI AND BYOD

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

The Connected Agency: Enhancing Collaboration in the Insurance Industry

Securing the University Network

Strengthen security with intelligent identity and access management

Network Design Best Practices for Deploying WLAN Switches

Compliance Overview: FISMA / NIST SP800 53

Network Virtualization Network Admission Control Deployment Guide

Sharing Content in the Web Meeting Room with Cisco Unified MeetingPlace Release 7.1

SECURITY ANALYTICS AND MORE Putting together an effective Incident Response plan

Cyb T er h Threat D f e ense S l o uti tion Moritz Wenz, Lancope 1

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

Organizations See PCI as a Benefit, Not a Burden

Cloud Executive Perspective January 2015 CLOUD EXECUTIVE PERSPECTIVE. Cloud Computing. Changing the Role and Relevance of IT Teams.

Mobile Collaboration in the Public Sector: Work Your Way, on Any Device

VDI Security for Better Protection and Performance

Beyond passwords: Protect the mobile enterprise with smarter security solutions

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

The Benefits of an Integrated Approach to Security in the Cloud

LOG MANAGEMENT: BEST PRACTICES

Cisco Cyber Threat Defense - Visibility and Network Prevention

Symantec Endpoint Protection Datasheet

Alternative Device Integration For Enhanced Security

Tufin Orchestration Suite

How To Protect Your Network From Attack From A Network Security Threat

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Transcription:

Prestigious hospital. Outdated network. What happens when a cuttingedge medical center suffers from outdated network security? It s possible to lead the world in an industry medicine in this case and to simultaneously lag behind when it comes to network security. One large national hospital system faced serious IT challenges. Network investment had been put off to the point of opening critical security vulnerabilities. A massive attack surface and limited visibility meant a threat could penetrate the network and remain hidden for months. It put critical systems, employees, patients, and the hospital s reputation at risk. We have done ourselves a disservice by letting our network infrastructure degrade to the point where it can no longer support business services. Customer statement CHALLENGE Secure 500 sites and thousands of devices. Enable network segmentation for HIPAA and PCI compliance. Gain visibility and control over threats. SOLUTION Architectural network refresh along with security implementation Network as a sensor (NaaS) and network as an enforcer (NaaE) Cisco IOS NetFlow, Cisco Identity Services Engine (ISE), Cisco StealthWatch, and Cisco TrustSec solutions Cisco consulting services for guidance at every step RESULTS Prevents lateral spread of advanced threats with network segmentation Provides deep visibility for better access, policy, and control Delivers improved safety and accessibility of patient information

Problem Several factors combined over time to put this hospital especially at risk. IF A THREAT GETS IN, EVERY SYSTEM IS EXPOSED. A flat network The hospital s aging network infrastructure including outdated switches left it open to threats. Most hospital networks have parallel networks that separate clinical systems, research facilities, guest access, and administration. In theory, different networks should never touch each other. However, this hospital had a flat network without separation or network segmentation. Rather than separating by function, VLANs were assigned by floor. Doctors, staff, students, and medical equipment shared the same network, multiplying the attack surface and exposing the hospital to threats. Gaining visibility into suspicious behaviors on the network was challenging, and ensuring compliance with HIPAA and other regulations was a struggle. Device overload The hospital had more than 15,000 nonupgradable endpoints, and many of them were interconnected. Heart machines, lung machines, proton-beam therapy machines, and others were connected to the network and even to the Internet. The hospital needed to gain control of its flat, exposed environment. Some endpoints were running versions of MS-DOS that had been installed as far back as 1992, leaving the network vulnerable to advanced or sophisticated threats. More than 600 Windows NT4 devices and nearly 7000 Windows XP devices on the hospital s network suffered from end of support, lack of patches, and an inability to run current antivirus software. To make things more difficult, FDA approval required devices to remain as originally shipped from the manufacturers, so a system upgrade could mean noncompliance. EMPLOYEE WORK STATIONS EMPLOYEE- OWNED DEVICES PLATE READERS IV PUMPS/ DRUG DISPENSARY SERVERS X-RAY MACHINES PATIENT AND RESOURCE DATABASES CACHE SERVERS MANUFACTURERS CLOUD RESOURCES

A patchwork of unsuccessful solutions IT had tried to make things work. They segmented the network using traditional models. They patched and established VLANs. They even tried transparent firewalls to limit user access to appropriate files and resources without much success. Buying new devices would mean spending lots of money without solving the underlying issues. The team faced a harsh reality: They needed more visibility, insight, and control, while meeting compliance guidelines. The client asked, what percentage of the infrastructure could even do policy segmentation today? The answer: less than 10 percent of their current network. Cisco consultant Fixing the problem Third-party consultants, hospital IT professionals, and hospital executives agreed that something had to be done, and that they should step back and look at security holistically. The right strategic approach was to find a way to understand how the applications, users, and devices were connected and to put network controls in place. Cisco security consultants led a 2-week workshop with engineers, business analysts, and executives. Concluding that the hospital needed a more advanced network that could support segmentation, the team crafted a high-level network design, an 18-month rollout plan, and a detailed governance model. The most intelligent approach was to use the architecture supporting the network (NetFlow) to link its security and networking together. The plan was simple: Upgrade legacy switches, routers, and wireless technology to incorporate key security solutions including NaaE and NaaS, allowing for visibility, segmentation, and control. Engage the Cisco Advanced Services team to ensure a successful implementation within the allocated time. Standardize the process for adding new components onto the network.

Solution Cisco secures the network. Cisco NaaS turns your network into a threat monitor or sensor. It includes NetFlow technology, which is already embedded into most Cisco IOS networking devices; Cisco StealthWatch solutions; and the Cisco Identity Services Engine (ISE). Cisco IOS NetFlow was created by Cisco to provide visibility into the network. NetFlow tracks every network conversation with a record that includes source, destination, timing, and protocol information for deep visibility. It can tell who is talking to whom, with what, from where, and for how long, including how much data was exchanged, storing months of information. Cisco StealthWatch adds threat intelligence through analytics to NetFlow data to accelerate response. The Cisco StealthWatch solution can analyze network audit trails, identify anomalous activity, and zero in on the root causes of attacks. With the solution, you can detect network traffic flows and behavior associated with advanced persistent threats (APTs), distributeddenial-of-service (DDoS) attacks, and insider threats. Cisco ISE provides contextual data including who, what, where, when, and how users and devices are connected and accessing network resources. Cisco NaaE enforces security policies. It extends capabilities by activating Cisco TrustSec technology already embedded in Cisco ISE. If there s a physician in a remote clinic who is accessing a ton of records at 5:30 p.m. after the clinic is closed, this is abnormal. If I have NetFlow enabled, this will be flagged. Cisco consultant Cisco TrustSec technology works with ISE to contain the scope of an attack. Cisco TrustSec technology uses security group tagging to create virtual network segmentation, and ISE enforces policies across the segments. Segmentation allows for quarantining of threats to limit malicious activity.

These solutions not only help the hospital identify threats, but also help it understand legitimate data flows and logical traffic groupings to determine network segmentation. Cisco TrustSec technology can be integrated easily with newer switches, access points, and firewalls. With Cisco TrustSec solutions, the hospital doesn t need to worry about the IP addresses. It can focus on classification. And the clarity provided by NetFlow allows the team to develop a set of rules that make sense. ISE creates user policies and puts users into groups. Granular business and policy rules allowed the hospital to enforce access, enabling the appropriate communications for the appropriate devices. It is vital to be able to isolate medical equipment and data from the rest of the network so the hospital can prevent attacks by enforcing segmentation and user access. Now even if attackers get in, their access is limited to one network segment.

Results Bonus benefit: Outstanding security drives innovation. Employee satisfaction Productivity Quality research More meaningful patient experiences Beyond the immediate security and compliance benefits, the hospital had witnessed a significant unexpected benefit: operational efficiency. They have reduced manual updates, human error, and repetitive tasks, and the network team can now quickly identify application, server, and network performance issues. The new agile network gives patients and employees what they want most: security, speed, availability, and improved services. It is the foundation for other future technologies. With security covered, the hospital can begin rolling out new applications that connect employees with each other and with patients in innovative ways. New mobility, informationsharing, and collaboration applications have potential to further streamline operations. TECHNOLOGY BENEFITS Security woven in at every level switches, routers, and access points Upgraded network architecture across the hospital Deep and broad visibility into unknown devices and unusual traffic patterns Authentication of users and devices Enforced policies across wired, wireless, and VPN topologies BUSINESS BENEFITS Keep current with constant waves of new users, devices, and applications. Reduce manual updates, human error, and repetitive tasks. Easily comply with audits for HIPAA, PCI, and other regulations. Reduce downtime costs and liability. Ultimately deliver more accurate and reliable patient care. To learn more about these Cisco solutions, visit cisco.com/go/networksecurity. Americas Headquarters Cisco Systems, Inc. San Jose, CA Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. 2016 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, Cisco IOS, Cisco StealthWatch, and Cisco TrustSec are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, see the Trademarks page on the Cisco website. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1607R)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information