"You always hear about SIEM implementations being endless and highly complex," he recalls, "but in our case we were able to show results in a very short time." Stefan Peters, Head of the IT Business Unit at Arnsberg Clinic.
Arnsberg Clinic is a hospital group made up of Marienhospital in Arnsberg, Karolinen Hospital in Hüsten and St. Johannes Hospital in Neheim. The organisation, which also serves as a teaching hospital of the University of Münster, comprises 25 clinics and 4 institutes with a total of 728 beds. It treats acute and emergency patients, and an attached care facility provides a further 90 places.
The challenge – protecting vital technology
IT in a clinical environment is highly critical: it has to function reliably so that the hospital can save lives. In February 2016, Arnsberg Clinic recorded an incident in which attackers overcame the security controls already in place: malware entered the hospital group's IT landscape via links embedded in social-engineering emails.
Because the essential medical equipment also works without a network connection, patient care was guaranteed at all times. The clinic's internal communication processes, however, had to be handled manually for almost two days, with steadily growing effort. "In our case, the staff managed to save the operation from the downtime with a tremendous amount of commitment simply by using 'scraps of paper'," states Stefan Peters, Head of IT at Arnsberg Clinic, reminiscing, "but we would have had our work cut out if we'd had to continue like that for a longer period of time." New patients, for example, could only be admitted in urgent cases. In the end, the clinic recorded damage in the seven-figure range.
The solution – early warning system for cyberattacks
To be better able to counter further attacks of this kind, the hospital decided, among other measures, to invest in an early warning system against cyberattacks. The aim was to detect and contain attacks more quickly, for example by being able to shut down parts of the infrastructure segment by segment, so that the ability to act and to communicate is preserved as far as possible in a crisis. Implementing a Security Information and Event Management (SIEM) system was examined early on as a possible solution.
Since Arnsberg Clinic already had a business relationship with the service partner DTS and the two regularly exchanged views on security topics, the hospital group's IT department contacted DTS. They agreed to evaluate a SIEM system from LogRhythm.
"You always hear about SIEM implementations being endless and highly complex," Stefan Peters recalls, "but in our case we were able to show results in a very short time." The LogRhythm system itself, for example, was brought into operation in four hours, after which connection of the previously selected log sources began immediately. On the second day the first correlation rules were already switched on. Even in this phase LogRhythm detects ransomware, for instance, and alerts the security team so that the attack can be stopped within seconds, largely automatically.
The LogRhythm system also proved flexible in dealing with the golden-image procedure used on the hospital's servers. Servers are redeployed from the image several times a week and then restarted, and this must not disrupt log evaluation. The LogRhythm agent functionality made it possible to install and configure a log collection agent once on each server; the agent and log source configuration of each server copy is then stored centrally and automatically pushed back to the target system on every reboot. This eliminates the laborious manual reinstallation and configuration of the image servers' log sources after each weekly redeployment.
The decision to use LogRhythm productively was finally made in June 2016.
Successful transition to operations – An immune system against cyberattacks
With the first alarm, the hospital's security analysts now receive precise, clearly prepared information about the malicious processes detected, including the name of the malicious process and the names of the files already infected. Further information can be called up at the push of a button, including other potentially infected hosts. "It is information like this that would have allowed us to react in a more targeted manner during the original attack and either put a complete stop to the malware or, for instance, keep those systems in operation that we know were certainly not yet affected," states Stefan Peters, describing the advantage of having details of the attack available quickly. The existing IT security staff can operate the system without difficulty. "The investment is certainly worth it – it increases the effectiveness of our security team tremendously at a reasonable cost," Peters sums up.
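To make the kind of correlation rule and alert described above concrete, here is an added, self-contained illustration. It is not LogRhythm's rule logic or the clinic's configuration: the key=value file-activity log format, host names, process names, file paths, threshold and window are all constructed for this example. It applies a sliding-window "mass rename with appended extension" rule, a common heuristic for ransomware encrypting a file share, to sample events and emits an alert carrying the fields mentioned in the text: the offending process name, the affected files, and other hosts where the same process has been seen.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical endpoint file-activity log, not real
# data from the clinic or from LogRhythm). One process on srv-file01 renames
# five documents in a few seconds, appending a new extension; a backup tool
# appends ".bak" to two files; the same suspicious process appears once on a
# workstation.
SAMPLE_LOGS = r"""
2016-02-15T08:01:02Z host=srv-file01 proc=WINWORD.EXE action=rename src="D:\Share\Q1\plan.docx" dst="D:\Share\Q1\plan_v2.docx"
2016-02-15T08:01:10Z host=srv-file01 proc=invoice_2016.exe action=rename src="D:\Share\Q1\report.docx" dst="D:\Share\Q1\report.docx.locked"
2016-02-15T08:01:11Z host=srv-file01 proc=invoice_2016.exe action=rename src="D:\Share\Q1\budget.xlsx" dst="D:\Share\Q1\budget.xlsx.locked"
2016-02-15T08:01:12Z host=srv-file01 proc=invoice_2016.exe action=rename src="D:\Share\Q1\roster.pdf" dst="D:\Share\Q1\roster.pdf.locked"
2016-02-15T08:01:13Z host=srv-file01 proc=invoice_2016.exe action=rename src="D:\Share\Q1\minutes.docx" dst="D:\Share\Q1\minutes.docx.locked"
2016-02-15T08:01:14Z host=srv-file01 proc=invoice_2016.exe action=rename src="D:\Share\Q1\orders.csv" dst="D:\Share\Q1\orders.csv.locked"
2016-02-15T08:02:30Z host=srv-file02 proc=backup.exe action=rename src="E:\Backup\db.mdf" dst="E:\Backup\db.mdf.bak"
2016-02-15T08:02:31Z host=srv-file02 proc=backup.exe action=rename src="E:\Backup\db.ldf" dst="E:\Backup\db.ldf.bak"
2016-02-15T08:03:05Z host=ws-0417 proc=invoice_2016.exe action=rename src="C:\Users\mk\Desktop\notes.txt" dst="C:\Users\mk\Desktop\notes.txt.locked"
"""

# Rule parameters (assumed values, tuned per environment in practice).
THRESHOLD = 5               # renames by one process on one host ...
WINDOW = timedelta(seconds=60)  # ... within this time span

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\S+) '
    r'src="(?P<src>[^"]*)" dst="(?P<dst>[^"]*)"$'
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def appended_extension(src, dst):
    """True when dst is src with an extra extension appended (report.docx -> report.docx.locked)."""
    return dst.startswith(src + ".") and len(dst) > len(src) + 1


def detect_mass_rename(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window rule: one (host, process) appending new extensions to at
    least `threshold` files within `window` raises one alert for that actor.
    The alert lists the affected files and every other host on which the same
    process name was observed, so responders can isolate the right systems."""
    by_actor = defaultdict(list)
    hosts_by_proc = defaultdict(set)
    for ev in events:
        hosts_by_proc[ev["proc"]].add(ev["host"])
        if ev["action"] == "rename" and appended_extension(ev["src"], ev["dst"]):
            by_actor[(ev["host"], ev["proc"])].append(ev)

    alerts = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host,
                    "process": proc,
                    "files": [e["src"] for e in evs[start:end + 1]],
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                    "other_hosts": sorted(hosts_by_proc[proc] - {host}),
                })
                break  # one alert per actor; later events belong to the same incident
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The backup tool stays below the threshold and the lone rename on the workstation does not trigger on its own, but the workstation still surfaces in `other_hosts` because the same process name was seen there; this is exactly the "other potentially infected hosts" view the analysts described. A real deployment would add allow-lists for known tooling and feed the alert into an isolation action rather than just printing it.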