Leading Healthcare Provider

Multi-disciplinary effort to find the right network detection and response solution

This large healthcare provider has grown through acquisition, which typically brings with it a plethora of diverse IT infrastructure strategies. This fast growth resulted in an organization of over 75,000 employees. To gain much-needed visibility in its busy network traffic and to improve cybersecurity incident response time, the organization turned to its trusted partner Optiv. Optiv consultants work alongside clients to manage cyber risk and equip them with perspectives and programs to accelerate business progress. Connor Inglis, Client Manager for Optiv, explains further: “As a healthcare organization, this client is required to comply with regulatory data privacy requirements and the need to securely store sensitive medical data for 30 days. In addition, its security operations center (SOC) needs contextual data to understand security alerts quickly and efficiently. Network metadata retention is a must, through packet capture (PCAP). Without access to the ground truth, it is almost impossible to investigate generated alerts quickly and effectively. Our client had done its due diligence and when we suggested a close look at Network Detection & Response (NDR), that was already a solution under consideration by them.”

By fusing real-time visibility, advanced detection, analysis, forensics, incident response, and threat hunting into a single platform, NDR enables organizations to find, understand, and act on relevant threats. The client’s Director of Security led the effort and worked closely with Optiv and OpenText (formerly Micro Focus) to understand NDR’s capabilities. Knowing that this would impact multiple departments and processes, representatives from the organization’s SOC, Red Team, and Networking teams were involved in determining the criteria for success.

The more recent integration with our new SIEM shows us NDR’s flexibility, giving us 360° visibility to support our regulation compliance and our cybersecurity posture improvement.

Comprehensive NDR evaluation and fully supported implementation

Following extensive demonstrations, it was time for some hands-on experience with NDR. OpenText (formerly Micro Focus) offers the opportunity to open its NDR lab for potential clients and create a virtual environment to simulate a client’s own infrastructure. Whereas a physical proof-of-concept (POC) requires dedicated hardware and securely interacting with a client’s own data, the lab experience gives a client the opportunity to exclusively explore NDR using simulated data. It allows client teams to evaluate NDR visibility, detection, threat hunting, integration, speed, and overall efficiencies in a web browser without paperwork or software downloads. The organization’s security incident response team also engaged in a ‘capture the flag’ exercise. This is a threat-hunting challenge, showcasing NDR’s capabilities in support of improving cybersecurity.

The team decided to purchase NDR as a turnkey solution, including the required hardware. The agreement also included a 90-day contract for an OpenText (formerly Micro Focus) technical account manager to assist with the installation, deployment, and configuration of the new system. This also presented a good training opportunity so that the client SOC team could familiarize itself completely with the ongoing data tuning and configuration requirements to ensure the maximum value delivered by NDR.

With a large organization such as this, network traffic can soon become unmanageable. This is where OpenText Smart PCAP can come to the rescue. Smart PCAP captures relevant raw data from packet transfers associated with security alerts, using protocol analyzers to understand what’s in those packets. This provides SOCs with the means to search the right packets immediately after receiving an alert, optimizing their threat hunting and triage efforts. Smart PCAP also allows for a more selective process that results in fewer packets retained for the 30-day compliance requirement.

The client teams were happy with NDR, and when we were asked to support NDR’s full integration into the SIEM, we knew NDR had truly earned its stars.

Seamless SIEM integration, full regulation compliance, and future-proof scalability

Once NDR was up and running, the teams started to reap the benefits of real-time traffic visibility straightaway, though a big leap in its value was realized when the organization introduced a new security information and event management (SIEM) solution. “We were closely involved in selecting, acquiring, and then managing the SIEM on our client’s behalf,” says Inglis. “The client teams were happy with NDR, and when we were asked to support NDR’s full integration into the SIEM, we knew NDR had truly earned its stars.”

Optiv consultants supported NDR’s SIEM integration and reported back how smooth this was. “All NDR data logs are now directly ingested into the SIEM and correlated in real time with the captured security events and alerts,” according to Inglis. “For us managing the SIEM, it’s a major benefit to have a central console that overlays the SIEM and allows us to access all the integrated technologies. A user-friendly dashboard includes NDR and gives us full visibility to everything that matters most in the network.”

The last word goes to the client’s Director of Security: “We are a growing and diversifying organization, subject to many compliance regulations as a medical healthcare provider. Scalability is important to us when we make technology decisions and we were pleased to see examples where NDR had demonstrated huge scalability, assuring us that this is a solution that will see us far into the future. The more recent integration with our new SIEM shows us NDR’s flexibility, giving us 360° visibility to support our regulation compliance and our cybersecurity posture improvement.”