There are many parallels between cybersecurity and healthcare. Some are as simple as shared terminology — virus, infection, containment, etc. — while others are as complex as the architecture and epidemiology of each.

Just as hospitals and doctors stay informed about new illnesses, treatment recommendations, and preventative care, so must security professionals stay on top of:

  • New and emerging threats;
  • Optimal responses to cyberattacks; and
  • Preventative measures to avoid successful attacks.

In a recent webinar, I was joined by Annalea Ilg, CISO for Involta, to discuss these parallels and look into the newest generation of managed detection and response (MDR) services. Involta recently published an accompanying article that recaps today’s security challenges and risks. In it, they demonstrate why no organization’s cybersecurity can always be perfectly healthy. In this post, I’ve got a couple of additional points to add:

  1. The root causes of successful attacks
  2. Additions to a security portfolio that will help to prevent them

As with our own health, all of our preventative measures will not make us immune to everything. Attacks and breaches (like illnesses) will happen. The key is to limit the likelihood and be prepared to respond quickly and effectively in the case that one prevails.

Root Causes of Successful Attacks

There are two general conditions that lead to the success of attacks, and to the amount of damage they cause — drift and dwell time. If your organization can address these two key areas, you are guaranteed to decrease events, recovery costs, and very bad days in the security office.


Drift

Drift occurs when an organization allows its security to erode over time because of change. Constant vigilance is required to ensure you remain strong because drift is like entropy: it is a continuous deterioration of order into chaos.

For example, we all use applications and software provided by multiple sources. While we are doing this, other organizations are constantly looking for vulnerabilities inside those same bits of code in order to breach our systems. If an organization has adopted a piece of technology and suddenly a vulnerability is discovered within it, that once-secure environment is now at risk — it has drifted. To give you a sense for how pervasive this kind of drift has become, the US National Vulnerability Database shows that there are over a thousand new vulnerabilities that are publicly reported every month.

Misconfigurations are another area of significant drift. That is natural, because cloud services are designed to be scalable, flexible, and dynamic. Unfortunately, that level of flexibility increases susceptibility to the types of errors that happen all the time in drift; McAfee recently reported that 99% of cloud misconfigurations go unnoticed. That is a stark example of the reality of drift.

Tying drift into our healthcare metaphor, it’s like taking your temperature, watching your health, and receiving a physical every year. Even when we feel mostly fine, we are conscious of our health and value early intervention. Nobody wants to procrastinate on diagnosing an illness to the point where it can’t be cured. We are, in effect, avoiding the equivalent of drift in our own health.

Dwell Time

The second root cause of damaging incidents is dwell time, which refers to how long a successful attack will exist within an environment before being discovered.

With some attacks, dwell time is negligible. Simplistic ransomware attacks succeed by creating very noticeable effects and sending demands as soon as the attack succeeds. More sophisticated attacks are designed to remove all traces, hide themselves, and persist without being detected. Their purpose is not a simple ransom demand; instead, they carefully exfiltrate confidential data and steal user credentials. Over the course of the last decade, credential theft has become the most common goal of attacks, and attackers want stolen credentials to have a long lifespan. This works best when the victims don’t know that their credentials were ever stolen.

Another, more insidious impact of long-lived attacks is the danger for those that trust you to be secure. Both partners and customers can be infected or defrauded by a well-established attack within your systems or by a credential that’s been stolen. It’s a responsibility of all members of our highly interconnected environment to quickly identify, diagnose, and address attacks before they can spread beyond the initial targets.

To avoid long-running breaches, you need to ensure that you’ve got solid visibility and that you’re watching closely for system changes or unusual behaviors that are likely to indicate that your system has been co-opted. This means 24x7 monitoring, it means specific response procedures, and it means that you need to take it seriously.

Drift and dwell time are both measurable and addressable, and they are great targets for investment as you look to improve the health and visibility of your security.

A Healthy Security Portfolio

Decreasing drift and dwell time requires attention to a variety of targets and systems. This applies to ensuring good health for your body and performing solid detection and response for your cyber health. Here are areas to think about:

  • Threat research and intelligence — To fully understand new diseases or new cyber threats, you must invest in research and the conversion of that research into actionable intelligence.
  • Know the key assets — A diagnostician in a hospital must be able to analyze blood, respiration, temperature, etc. in the same way you must be able to analyze the state and behavior of your network, endpoints, and resources in the cloud.
  • Effectively detect and respond — Thorough knowledge of the victim and the illness is crucial before you can put a system in place that can detect and respond appropriately. You need to understand both the illness and the patient, the attack and the target, and prioritize actions over time to close the gaps and disrupt the damage.
  • Ensure continuous coverage — Hackers do not wait for you to get to work before they attack, just as germs don’t wait for a convenient time to make you sick. You need continuous coverage by a team who fully understands what’s happening before and after an attack.
  • Control your costs — To be an effective and long-term remedy, security must be delivered at reasonable cost inside the execution of the business strategy. It cannot take precedence over mission-critical revenue drivers in the same way that preventative healthcare cannot prevent an active and fulfilling lifestyle.

Ensure Your Organization Is Protected

With these components in place, your organization will be prepared to prevent and respond to attacks. If you are busy doing something else, or if you simply lack the resources to take on this complex set of challenges, doing so will be impossible without the support of a trusted partner.

For our healthcare, we depend on hospitals, medical professionals, and an entire healthcare ecosystem rather than determining and delivering treatment on our own. Organizations require the same level of expert support with cybersecurity — especially when considering the integration of more sophisticated technologies and the ever-expanding remote workforce.

This is where adopting a managed service model through MDR becomes a critical element of your security portfolio. To learn more about this model, be sure to check out the MDR Manifesto and listen to the full webinar on keeping cybersecurity healthy.

Our friends at Involta are currently offering free Security Awareness Calls to their customers to review the current threat landscape and advise on the best path forward to achieve their security goals, regardless of circumstances or budget. If you are an Involta customer, you can reach out to your Involta Account rep to schedule a Security Awareness Call, or you can also request a meeting here.

About the Author

Fortra's Alert Logic
