Device Centric Risk Management (DCRM) is a layered approach to cybersecurity that protects each device, driving remediation and mitigation directly on medical and IoT assets. To find out more about how this paradigm helps with regulatory compliance and helps mitigate cyberattacks, we speak to Motti Sorani, Chief Technology Officer at CyberMDX.
Security: What is your background?
Sorani: Currently I’m the Chief Technology Officer at CyberMDX, but I’ve spent most of my 20-year career in the cyber domain — both in startups and governmental units where my experience has included both the offensive and defensive sides of the space. Most recently, I worked in Israel’s Prime Minister's Office (PMO) where I established and led a department focused on what we saw as cutting-edge cyber capabilities. In the role I managed groups of skilled security researchers, software engineers and DevOps, and I think this work in particular prepared me well for the nature of the medical space where lives are at stake.
Security: What is Device Centric Risk Management (DCRM)?
Sorani: Device Centric Risk Management is what we see as a layered approach to cyber-securing unmanaged devices across the healthcare delivery organization’s (HDO) ecosystem. Unmanaged devices, or agentless devices, are the kind of devices that don’t have a management/security agent on them. This includes critical devices such as medical devices, facility devices and other IoT devices that participate in operational or clinical workflows.
DCRM is focused on creating layers of protection around each device that work together to remediate, mitigate or prevent cyber risks. It does this by leveraging on-device, on-network and on-perimeter security controls in a way that is tailored to each device. It allows security professionals to ask fundamental questions that drive the risk management process. For example: What vulnerabilities impact an asset? What is the severity? What are the factors that could impact patient safety or other business objectives? First you need to consider your on-device remediation options – including patching or applying configuration changes, and understanding what the expected risk reduction is in each case. Next, network-based access policies and on-perimeter policies are engaged to maximize security. The DCRM approach also includes kickoff workflows and security orchestration to help security teams effectively manage the risks.
Doing so at scale, in organizations that have hundreds of different device families, and thousands of devices overall, is the core value of DCRM. This answers two fundamental questions in any ongoing risk management process: 1. What should I handle next? and 2. What are my options? (i.e., all the ‘fix’ options).
Security: How can the paradigm help decrease the major increase of cyberattacks, such as ransomware, against hospitals and medical networks?
Sorani: Let’s use a fleet of radiology machines as an example here. These devices take part in many clinical workflows, from ER to patient discharge, and some, such as MRI machines, are major sources of profit for hospitals that help offset the costs of other less profitable, but no less important, clinical activities. Due to outdated operating systems and exposed network services (e.g., SMB, RDP, SSH, etc.), many of these devices carry worm-able vulnerabilities. Because the impact on care availability is huge, yet the security fences are low, this combination makes these machines a typical target for ransomware threat actors. The worm-able vulnerabilities are exploited by the attackers to compromise these machines. As part of the lateral movement phase, they move from the penetration point to the targets - where the ransomware impact is maximized.
While the game plan of ransomware gangs is to move laterally, exploit vulnerabilities, and maximize the potential ransom, the DCRM game plan is to reduce the likelihood this attack will succeed by remediating/mitigating vulnerabilities and limiting the access to these devices. With the rising sophistication of today’s hacker, you can no longer stop cyberattacks solely by focusing on one issue. Putting up strong perimeter protection and hoping nothing gets by is no longer a viable strategy, and the same goes for any one-faceted security strategy. DCRM synchronizes the security actions on multiple layers to ensure that even if something gets by one aspect, it will be stopped at the next checkpoint. The system utilizes domain-specific knowledge to translate the technical vulnerabilities into business impact to help hospitals and HDOs prioritize vulnerabilities based on severity. Worm-able vulnerabilities will be at the top; then all possible mitigation/remediation options on all layers will be presented. These options include: 1. identifying whether there is a patch available, 2. installing a security agent (AV/EDR) that is supported by the vendor, 3. using allowlist or blocklist policies to reduce the attack surface, and 4. limiting the vendor access or the device access to the internet. Once implemented, the chances that an attacker could laterally move into the device are significantly reduced.
Security: How does it compare to the current architectures in place? How is it different from a people-centric security framework?
Sorani: Most architectures are network-centric. In fact, traditional enforcers are generally not aware of the function of devices, their criticality level for patient safety, or risk level from a business perspective. By being device centric, DCRM bridges this gap - prioritizing actions on a device-centric basis. Some of these actions are carried by network enforcers, yet the policies derived are fine-tuned to secure these devices while still letting them function properly.
Similar to the way people-centric security frameworks consider people as the attack surface, DCRM considers the unmanaged devices as the attack surface used by attackers to create their malicious impact on patient data confidentiality, patient safety, or care continuity. DCRM calculates the risk exposure related to these aspects to prioritize security actions. It directly impacts the security benefit of these devices. Because of that, it also benefits the people connected to and receiving care from these same devices.
Security: Can the DCRM framework help achieve regulatory compliance?
Sorani: Absolutely. DCRM’s layered approach induces a policy for each device group. All the actions taken could be directly mapped to HIPAA regulatory citations and the security controls of the corresponding cybersecurity frameworks such as NIST CSF, HITRUST and CIS. It actually streamlines the compliance posture and tracks the remaining violations so you can demonstrate the actions taken and the progress made over time. HDOs can leverage DCRM to demonstrate their security best practices, as part of the HIPAA Safe Harbor, HR 7898.
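The prioritization Sorani describes in the ransomware and DCRM answers above (translate technical exposure into business impact, put worm-able vulnerabilities first, then list fix options on the on-device, on-network and on-perimeter layers) as an added illustration; this is not CyberMDX code, and the device fleet, field names and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass
# Assumption: services the interview cites as exposed on outdated OSes and carrying wormable flaws.
WORMABLE_SERVICES = {"smb", "rdp"}

@dataclass(frozen=True)
class Device:
    name: str
    exposed_services: frozenset   # network services reachable on the device
    patch_available: bool         # vendor patch exists (on-device remediation)
    agent_supported: bool         # vendor permits an AV/EDR agent (on-device)
    internet_reachable: bool      # device or vendor remote-access path to the internet
    patient_safety_impact: int    # 1 (low) .. 5 (life-critical); constructed scale
def likelihood(d: Device) -> int:
    """Heuristic attack likelihood: exposed wormable services dominate the score."""
    score = 1
    if d.exposed_services & WORMABLE_SERVICES:
        score += 3
    if not d.patch_available:
        score += 1
    if d.internet_reachable:
        score += 1
    return score

def risk(d: Device) -> int:
    """Translate technical exposure into business impact: likelihood x patient safety."""
    return likelihood(d) * d.patient_safety_impact

def what_next(devices):
    """Answer 'what should I handle next?': highest risk first."""
    return sorted(devices, key=risk, reverse=True)

def fix_options(d: Device):
    """Answer 'what are my options?' as (layer, action) pairs, on-device options first."""
    opts = []
    if d.patch_available:
        opts.append(("on-device", "apply vendor patch"))
    if d.agent_supported:
        opts.append(("on-device", "install vendor-supported AV/EDR agent"))
    for svc in sorted(d.exposed_services & WORMABLE_SERVICES):
        opts.append(("on-network", f"allowlist {svc} to required peers only"))
    if d.internet_reachable:
        opts.append(("on-perimeter", "block internet access and limit vendor remote access"))
    if not any(layer == "on-device" for layer, _ in opts):
        opts.append(("on-network", "isolate in a dedicated segment (no on-device fix exists)"))
    return opts

FLEET = [  # constructed sample fleet (hypothetical names and attributes)
    Device("MRI-1", frozenset({"smb", "rdp"}), False, False, True, 5),
    Device("CT-1", frozenset({"rdp"}), True, True, False, 4),
    Device("HVAC-1", frozenset({"ssh"}), True, False, True, 2),
]
```

The legacy MRI with exposed SMB/RDP, no patch and internet reachability sorts to the top, and because it has no on-device option the only remaining fixes are network and perimeter controls.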