Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables. (Source : RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Nick H. Yoo
Cybersecurity Roadmap: Global
Healthcare Security Architecture
TECH-W02F
Chief Security Architect

2. #RSAC
No affiliation to any vendor products
No vendor endorsements
Products represented here are just examples
References to any gaps, product information, and roadmaps are mainly for
illustrative purposes and do not represent any specific companies
Disclosure

3. #RSAC
Healthcare IT Challenges
3
Healthcare Industry is
Increasingly Difficult to Protect
&
Is becoming a Rich Target
Patients and Consumers
Payers
Product
Innovation
Pharmacies
Hospitals
Labs
Physician
Practices
Industry Certifications
Operations
And Support
Product
Development
Regulators
and legal
Cybersecurity
Public Cloud
Ransomware
Mobile & IoT Big Data
24/7
Always On
Web Trust
Healthcare
IT
Compliance

4. #RSAC
Cybersecurity Journey
4
Compliance-
Driven
Solutions-
Driven
Vulnerability-
Driven
Threat
Modeling &
Detection-
Focused
“Perimeter
Security”
“Layered
Security”
“”Identity as
New Perimeter”

5. #RSAC
Security Technology Landscape
5
Network App/Data IAM Endpoint Msg &
Collaboration
Monitoring

6. #RSAC
Technology Overview
6
Total # of Vendors70
Most # of Products by Domain: IAM20
130 Total # of Products
Least # of Products by Domain: Monitoring, Analytics & Audit8
Approximate # of Products: EOL, Obsolete in 12 – 24 Month30
Most # of Capabilities covered by one Vendor10
Total # of Capabilities covered by Product160

7. #RSAC
Threat Landscape
7
Source: Verizon Data Breach Report

8. #RSAC
NIST Cybersecurity Framework
8
Recovery Planning Improvements Communications
Asset Management Business Environment Governance
Risk Assessment Risk Management Strategy
Anomalies and Events Security Continuous Monitoring
Detection Processes
Access Control Awareness and Training Data Security
Information Protection Process & Procedures
Maintenance Protective Technology
Protect
Identify
Recover
Response Planning Communications Analysis
Mitigation Improvements
Detect
Respond

9. #RSAC
Cybersecurity Architecture Framework
9
Protect
Identify
Recover
Detect
Respond
Monitoring,
Audit, Analytics
App/Data
Endpoint
IAM
Network
Integrated
Solutions
Continuous
Feed
Architecture
Domains

10. #RSAC
Architecture Development Approach
10
Current
Capabilities
Current State
Direction
Gap
Analysis
Projects &
Initiatives
Business
Vision & Needs
Key Trends &
Emerging
Technologies
Regulatory
Compliance
Requirements
Guiding Principles
Architecture
Framework
Architecture
Vision
Future-State &
Roadmap
Policies,
Standards, &
Guidelines
Threat
& Risk
Emphasis
Foundational
Security
Controls

11. #RSAC
• From blocking and detecting attacks to detecting and responding to attacks
• Rapid breach detection using endpoint threat detection and remediation tools
• Aggressive segmentation of the network
• Spot abnormal user and session behavior by conducting continuous monitoring,
behavioral analytics and identity verification
• Use big data analytics of transactions, security events and contextual information to
gain faster and smarter correlation of security incidents so they can be rapidly
prioritized.
• Use and contribute to shared threat intelligence and fraud exchange services.
11
Key Trends
Source: Gartner

12. #RSAC
Cybersecurity Roadmap Development Process
Network Example
12
Current StateCapabilities Gap Analysis
Roadmap
Risk Analysis
Threat Analysis
Maturity Analysis
Future StateKey Trends
Overall
Security
Architecture
Initiatives
Network
SSL/IPSEC VPN
Network Intrusion Prevention
DNS, DHCP, and IPAM Security
Firewall/Next Gen
Secure Web Gateway
Network Access Control
Web Application Firewall
SIEM
DDOS Protection
Advanced Persistent Threats
Data Loss Prevention
Network Behavior Anomaly Detection
Network Policy Management
Network Sandboxing
Wireless IPS
Network Segmentation
SSL Inspection
Threat and Network Deception
Threat Intelligence
Network Forensic
Network Pen Testing
Reverse Proxy Services and LBPhysical and virtual DMZ
Public Cloud Security
Vulnerability Assessment
Unified Threat Management
Software-Defined Security
DETECTPROTECTRESPOND

13. #RSAC
13
Threat Modeling
Source: Lockheed Martin

14. #RSAC
Current Network Architecture
14
HQ &
Branches
Corp Data Centers
MPLS
Internet
BU
Data Centers,
Co-Los
BU
Sites
WAF
Cloud
Wireless
Wireless
SIEM
Email
DLP
NBA
NGFW
Core
Security
Rev.
Proxy/LB
Proxy
VPN
Customers
Teleworkers
Mobile
Users

15. #RSAC
Future State Network Architecture
15
HQ &
Branches
Corp D/C
Hybrid
WAN
BU D/COther
Sites
WAF
Email
DLP
IDPS
Core
Security
Proxy
VPN
Customers
Teleworkers
Mobile
Users
NAC
APT
NGFW CASB
Hybrid
WAN
Internet
Internet
Improved
Segmentation
Secure Wired
Secure Wireless
Rogue AP Detection
Controls
SSL Intercept
SIEM
Controls
ControlsControls

16. #RSAC
Architecture & Roadmap
16
Years
FY16
FY17
FY18
FY19
WAF
IPDS
Wireless IDPS
Public Cloud
Network
Secure Cloud Exchange
Guest Wireless NAC
Home VPN NAC
Segmentation
APT
NetSec Policy
Management
SSL Interception
Secure Hybrid WAN
NAC
Network Pen Testing
Unified Threat
Management
Threat
Deception
DDOS & DNS Protection
Software Defined
Perimeter
Mobile
Users
Home
Office
Corporate
BUs
DCs/Retails
Data Centers
Proxy
Intrusion
Detection
Network Access
Control
Data Loss
Prevention
VPN
SSL Inspect
Advanced
Threat
Analytics
SIEM
SSL Inspect
MPLS/
Broadband
Hybrid
WAN
Broadband
VPN
Identity &
Access
Cloud Access
Security Broker
(CASB)
Broadband
Illustrative

17. #RSAC
Cybersecurity Roadmap Development Process
IAM Example
17
Current StateCapabilities Gap Analysis
Roadmap
Risk Analysis
Threat Analysis
Maturity Analysis
Future StateKey Trends
IAM
Workflow and Approval Management
Access Request Management
Password Management
User Self Service
PROTECTDETECT
Monitoring, Audit & Compliance
Monitoring
User and Entity Behavior Analytics Role Mining and ManagementSegregation of Duties Detection
Access Recertification Audit, Logging, Reporting
Identity Management
Cloud/On Premises Provisioning
Identity Proofing
Privileged Access Management
Access Management
Web Access Management / SSO
Cloud / Federated SSO
Authentication
Authorization
Risk-Based Adaptive Access
Mobile SSO
Passwordless / MFA
Identity Data Services
Identity Data Storage
Virtual Directory Services (VDS)
Meta Directory
Data Synchronization / Replication
Graph Data Services
API Security
Overall
Security
Architecture
Initiatives
Illustrative

18. #RSAC
18
IAM Technology Roadmap
Years
FY16
FY17
FY18
FY19
Oauth 2.0Risk Based
Access Control
IDAAS
ID Proofing
Services
Open ID Connect
Protect
Business Risk
High Medium Low Unknown
UAR
UBA
Federated ID Mgt.
MFA
PAM
Biometric
Authentication
High Assurance IDP
SCIM
Mobile SSO
SOD Controls
API
Gateway
IGA
FHIR
Security
Monitoring
Dashboard
Role Lifecycle Mgt.
Virtual Directory
BYOID
UMA
ID
Lifecycle mgt.
Graph
Directory
Block Chain
Technology
Illustrative

19. #RSAC
19
Cybersecurity Framework Domain Mapping
Cybersecurity Framework Network IAM Endpoint
App/
Data
Monitor
Identify
Protect
Detect
Respond
Recover
Observations
• Sufficient coverage for endpoint
• Network domain lacks detection controls
• Overall lack of detection controls
• Monitoring capability exist mainly in the Protect
Rating Scale Description
Fully Meet
Usually Meet
Partially Meet
Rarely Meet
Does Not Meet
Illustrative

20. #RSAC
• Multi-factor
• UEBA
• Cloud IDaaS
• User Managed Access
• Identity Governance
• User Access Review
• Federation
• Virtual Directory
Other Domains
20
Key Initiatives
• Intrusion Detection & Prevention
• Network Segmentation
• Wireless Detection
• Cloud Access Security Broker
• Network Access Control
• Network Security Monitoring
• Threat Deception
• DDOS
• Multi-factor
• UEBA
• Cloud IDaaS
• User Managed Access
• Identity Governance
• User Access Review
• Federation
• Virtual Directory
Security
Analytics
Adaptive
Authentication
(IAM)
Advanced
Detection
Malware
protection
system
Threat
Intelligence
Advanced
Endpoint
Protection &
Detection
Cloud Security
Application
Security
IAM
Network
Respond
Protect
Detect

21. #RSAC
Core Solutions Architecture
21
Network App/Data IAM Endpoint
Monitoring/Analytics
Illustrative

22. #RSAC
“Apply” Slide
22
Next week you should:
Begin needs assessment
Begin collecting current security controls, tools, and products
In the first three months following this presentation you should:
Tailor cybersecurity framework, architecture domains, and assessment process
Begin documenting current capabilities and gaps
Within six months you should:
Complete the current capability assessment
Begin developing future-state architecture and roadmap