CarahCast: Podcasts on Technology in the Public Sector

Security Threats in the Healthcare Landscape Today with VMware

Episode Summary

In Carahsoft’s podcast, our featured speakers from the VMware Healthcare Industry Strategy team discuss how the threat landscape is changing, and how VMware acts to secure their customers.

Episode Transcription

Tim Boltz: Hello everyone. Welcome to the Carahsoft podcast discussing Security Threats in Healthcare. My name is Tim Boltz, Sales Director here at Carahsoft, and I would like to thank you for joining us for today's podcast. As the amount of security breaches increases, and the cost per breach explodes exponentially, we are going to focus our discussion on how Healthcare Providers are mobilizing to protect their patients, health system networks and IT systems. My guests on today’s show are Chris Logan and Rob Marti from VMware's strategic healthcare team. Good afternoon, gentlemen.

Rob Marti: Good afternoon.

Chris Logan: Good afternoon, Tim.

Tim Boltz: Yeah, thank you so much for being here today. Today, we wanted to talk about Intrinsic Security and some of the security threats that were popping up in the healthcare landscape today. And so I'd like to start the conversation off with some insight from the two of you. What are some concerning security trends that you're seeing in healthcare today?

Chris Logan: I'll kick this off. I think there's a lot of things that we saw take shape over the last year, which is going to bleed into the next year, right. So if I think about what are the things in 2021, trend wise, they're going to have large impacts across cybersecurity across industries. But in healthcare specific, I think there's going to be some security impacts or implications, as we still think about this, this idea of work from home, right? COVID-19 is not going away, organizations have found a different model for working environments, that's going to continue on, I think we're gonna see more people at home. So a lot of attacks are going to occur on things like home computers, networks that are now connected back into corporate networks, right. So that whole work from home impact about the variability and the unknowns about those endpoints devices and activity it's going to take place, coming back into that corporate environment. So architectural weaknesses with how that's being deployed is going to be critical. I think we're also seeing a large rush to the cloud, folks are starting to realize the value that cloud brings. There's also another side to it as we run to the cloud, everything has to be reevaluated, right, we have to look at it from a security perspective, whether that's misconfigurations, outages, creating resiliency, knowing that if you're going to put mission critical applications out there, you're going to have to start to pay attention now, because it's a different type of operating environment. And how do we start to simplify that? I think you're still going to see rapid growth in the security industry in general. So it's going to create a number of complexities with what solutions do we bring in? Should we bring in another point based solution? Should we start to look at security as a platform? Right?
And then if I could go on and on the idea, especially in healthcare as we transition patients from primary care settings within hospitals, or ancillary care settings within offices, as you roll those people into the care setting of their choice, preferably their home? What about things like the Internet of Medical Things, connected devices? How do you keep in constant contact and monitor that patient remotely? So you take into consideration the work from home and rush to the cloud, the ever growing security industry woes, and then ransomware is not going to stop, it's just going to continue to get worse. And we're going to see new twists and turns with the idea of data stealing prior to encryption or packaging malware a different way, so that these other threats from ransomware start to target specific organizations at a much larger scale. So that's just a few of the things that I think are concerning to me as I look at it from what's going to happen this year where the potential for bad things to happen this year starts to lie.

Rob Marti: Now follow that the thing that's been probably most concerning from a security threat perspective, in my opinion, is the speed and complexity and just overall breadth of the latest attacks. You know, the idea of SolarWinds having a vulnerability, having a supply chain perspective, having a global impact. And then just recently with the Microsoft Exchange vulnerability, being actively exploited within days of patch really is changing the game on a massive scale for the security defender, and really requiring us to take a new look, maybe a platform approach like Chris presented or just potentially any ability to gain context of, of an attack.

Tim Boltz: Yeah, no, Rob, Chris. It's not a very good time to be a CISO. You know, it seems like the pace of threats and the speed at which our healthcare organizations are sort of under siege, as well as the transformation of the operating model and how it is being consumed is really a challenging place to be, is a sort of building on sort of what threats are out there and what our customers are dealing with. How is VMware positioned to defend customers from the threat, you know, this threat landscape?

Chris Logan: Yeah, that's a great question, Tim. And I want to go back to something you just said, right? You know, now's a great time to be a CSO, because the opportunity to really transform how you protect your organization to ensure security as a business enabler is staring you right in the face. I mean, there's so many opportunities now for security, to really take a very important seat within an organization to really start to move the needle to how those businesses are going to react, and deliver new capabilities and services to take care of populations, people. So I think it's an incredibly, incredibly important time for the CISO. And I think security is going to have its opportunity to shine here. But again, like you said, the threats are ever mounting. And, and we love to chase threats. That's one area where I think we have a huge issue. So I think about a couple of factors that really inhibited security. You know, for years up until this point, even today, it's still plagued this way. But the idea is that it can be changed. And I think VMware has got a great proposition, or in a story around how we can change it. So first and foremost, security has always been bolted on and what I mean, when I say bolted on, there's too many products, too many agents, too many policies, point solutions, you're not using the full capability of a solution that you bought, maybe using 20 or 30% of the functionality. And the rest of that 70 80% is just sitting on the shelf someplace. Secondly, security's always been siloed. So if you think about what we've done from a security perspective as security practitioners is that we kind of stepped away from the business and told them how they had to operate. We worked in this weird little silo, that silo creates misalignment across tools, and definitely across teams, if you think about how we have to come together to solve patient care problems. And then the third piece is it's always been threat centric.
We love to chase the bad stuff, right. And this is always gonna be an issue with security. And so we start to think about a little bit differently. So when we're threat centric, we're very active, we're too focused on previous things that have plagued our organizations where VMware sits, and where we need to start thinking differently about security is that, from our perspective, from a VMware perspective, security is transformed in these ways. It's not bolted on anymore, right? It's not an after the fact, it's built in. It's part of the core DNA of the entire platform that's running those critical applications that's providing a specific experience to an individual, before where it was siloed. It's now becoming much more unified. And why do I say that because within the same security control set, or the products that you're running, everybody has a say in how security policy starts to get delivered. A perfect example. So the security team may set a policy for how virtualized desktops need to be deployed, when the actual person who's running that program and making sure those controls are in place, is that end user computing. So we've dropped the silos about how we're working across the technology teams now to provide a service back to an endpoint customer. And I think this one is probably the most important one, this whole idea of threat centric. And again, if you think about it from the landscape of security products, what used to be point based solutions, signature based solutions, we would wait for something bad to happen. We develop a signature, the vendor would develop a signature to protect you from said bad thing from happening. This is a horrible model, right? This, this model only perpetuates that you've been breached, essentially, because you can't defend yourself against an unknown actor, unknown vulnerability or threat that could be coming down. So when we take that threat centric approach and make it context centric, now, I'm being much more preventative.
And where we start to play in the stack is because VMware is in that isolated layer for virtualization and abstraction is that we can see a lot of things we put a lot of those different silos into context by working together. More importantly, we can now start to take action based upon variability. If something's not running the way that it should, we can now force an action to take place on that workload, that user, the piece of data that would have to be done in pockets before. So it's really changing the landscape and transforming it so that it's not, again, not bolted on but built in not siloed but unified. And finally not chasing the bad by being threat centric, but being more preventative because it's more context centric.

Tim Boltz: Love that, Chris. Rob, do you want to weigh in on, you know, VMware's position to defend customers from this ever evolving threat landscape?

Rob Marti: Thanks, Tim. I think the idea here is this platform context aware approach is a game changer for VMware and VMware customers. I think the idea that I have context or that is provided by the infrastructure, and shared across the security tools. That gives me an idea of not just the signature of the file that said some heinous is known bad but the idea of even tools that are primarily used by IT administrators for their daily work, right, being used in a way that it presents a threat to the organization, right? The idea that attackers are living off the land or using these tools that are already resident in the environment to do their bidding, right. So the idea that the infrastructure and the security control tools are sharing this information about how processes on an endpoint device are working and sharing that the entire IT ecosystem gives us visibility and new visibility, one that previously we have respond to make the endpoint team take a response, sans the security or workload team and a firewall team, right? Now, the value really is bringing each of these components together, and being able to orchestrate a response across the team, and really provide a value that is provided innately by the platform, right? This supporting the ideas of zero trust and just behavioral analysis and determining whether your activity is something that should continue on or potentially be stopped.

Tim Boltz: Yeah. Rob, appreciate your comments and weighing in something that I think both you and Chris touched on is this ability to provide context and sort of, instead of viewing security as a bolt on it's built in, and then unifying all the different silos across the IT infrastructure, you know, provides that context, which is going to be critical and facing, you know, this ever changing threat landscape. The next question is around, and Rob, you touched on it, zero trust. Gentlemen, would you define zero trust for the listeners, and why it is important, you know, in this ever evolving threat landscape?

Rob Marti: Sure. I think the idea of zero trust really is at its heart, this device, user location, awareness, right, this constant checking to see are these what characteristics are being exhibited? Real time? And are these things typical behaviors or known good behaviors versus that's something that is potentially a threat, right? And that can come from a number of things? Is the device patched? Is the device on a public Wi-Fi network or an unknown network? Right? Is this a known user trying to access internal resources or a guest right in the infrastructure, continually modeling those attributes and behaviors and adjusting accordingly, based off of those risk attributes?

Chris Logan: Let me just jump in here for a second because I think it’s changing mindset. Now, if I go back over a decade, we had this, you know, this concept of trust, but verify, right, trust, but verify? Well, the problem is we trusted everything we didn't verify, right? So everything just kind of ran the way that it should, because we didn't want to interrupt what the technology was supposed to do when it came time for things like taking care of patients, or time for transacting to get revenue back into the organization. Zero trust is really a, I wouldn't say it's a new concept. I think it's really built upon the concepts of least privilege added sense route, right. But the idea here is that you just don't trust anything inherently, it needs to be defined, and it needs to be verified. So if we're basing this upon this concept of least privilege, or that model, we can define zero trust through things like identity. So the user themselves, their authentication, the device, the application and network data and infrastructure. Essentially, what we're trying to do is redefine what the perimeter is. So in security today, in any industry, I want you to think about the perimeter as being gone, the perimeter is dead. Because if we tried to put a big perimeter around everything, it's bound for failure, with a model like zero trust, because we're not inherently trusting anything. And we're actually verifying how it should be working. We're now putting a perimeter around every single one of those inputs that I've identified before that Rob already talked about with an application. I know exactly how that application is supposed to work. I know the inputs, I know the outputs, I know everybody who should have access to it. That way, I only grant that access based upon that least privilege. And then when something goes wrong, I know the visibility into variability, which gives me the opportunity to react to it in a more timing, full and meaningful manner.
In short, we're really redefining the perimeter around each one of those inputs to solve for the greater problem of protecting each one of those assets.

Rob Marti: And in doing so, really containing any potential vulnerability or threat that is acted upon right, you know, creating kind of this walled garden. That way, if something does slip through the cracks, you know, that the blast radius can be managed in contained group, we can react to it critically, potentially, in the case of a modern application, we just destroy that container. And the infrastructure group provisions another right. These are kind of the concepts of least privilege and environment that Chris was speaking of.

Tim Boltz: I think that's changing the mindset and sort of focusing around zero trust or reorganizing security policy around zero trust. And essentially, verifying that actor is known good is definitely something that we are going to see move or the industry move to in the future. So with that, maybe we talk a little bit about VMware's approach to Intrinsic Security, and your vision on how VMware takes this context, as well as the zero trust architecture, or operating model and how that applies to some of the components of you know, security.

Chris Logan: Yeah, so let me start by, you know, in my terms, my layman's terms, defining VMware's Intrinsic Security vision, right. So Intrinsic Security, fundamentally, is a different approach to securing your business. It's not a product. It's not a specific tool or a bundle of solutions for your organization. We view it as a strategy for leveraging the infrastructure that you have, in your control points in new ways, in real time, across this concept of any application, any cloud or any device, so that you can shift from a relative or shift from this, this reactive security posture to a position of prevention, right, again, going back and build upon that zero trust model. But the idea is that it's about having, we're using what you have in a new way. So that can help unify your security and IT teams, really accelerate how you identify risk, prevent, detect, and respond to threats with the right context and insights because it's across the entire platform. So at its core, like I said before, Intrinsic Security is really the concept of security that's being built in unified and context centric, and it does scope and cross across a couple of key areas, right. So and I know we'll talk about these a little bit more in depth here in a second. But thinking about it, where do we see these entry points. Think about it as the control points as endpoints and workloads, the network itself, workspace type security, and then cloud, right. So from a VMware perspective, because security is built into the DNA, it's built in, it's unified, it's context centric, and we're looking across the entire platform to solve for the security conundrum to be much more preventative, we can see clearly across those control points, and take reactive measures, or preventive measures to prevent things from happening, that shouldn't be taking place.

Tim Boltz: Love that, Chris, and also appreciate you breaking down Intrinsic Security for myself, you know, the layman on the call. And so it sounds to me like there's this shift, and that's undergoing in the IT, cybersecurity landscape, on how security should be thought about how the security posture needs to change, from bolt-on to built-in, and basically, it's a new approach on providing context, you know, throughout the DNA to all the different silos within the IT organization today to sort of track known good and preemptively stop known bad because it's a new approach or a new vision, potentially, in the security marketplace today. Why should network and security administrators trust VMware with their data center security or the application security or this new strategy?

Rob Marti: I think that these security teams should trust VMware, because we can offer the context that really no other provider can that cross those domains of network, workload endpoint security, the digital workspace and public cloud, the security platform, if you will, is consistent, consistently operated across all of the locations that they're asked to secure. And it's done with consistent management tools and management plane, right, that allows the organization any organization in order to get the most out of the other technologies and out of the people that they have orchestrating them.

Chris Logan: I'm going to add something in here and Rob's spot on with this. Again, it's about dropping those silos, unifying the teams making it more context centric. I prefer to throw down the gauntlet myself and I like to challenge people when it comes to this because why shouldn't you? So if I think about why should networking security administrators trust VMware, their data center security, their endpoint security, so on and so forth? Why shouldn't you? Has what you've done up to this point by creating silos and chasing bad threats actually worked for your organization? Have you been a barrier to implementation to get your organization running a new product or service? Why would you continue to do things the same way day after day, knowing that they don't work? Maybe you've been breached in the past, maybe you haven't been breached in the past, but maybe you're a detriment to your business, getting to the market quicker, or treating the population of individuals quicker with much more agility and quality. My question back to that question is, why wouldn't you, if you continue to do the same thing day in and day out, and you expect a different result? That's kind of insane at the end of the day, right? So we want people to start thinking differently about how security is done within their organization, bring more people into the fold, make it a true differentiator for their organization while protecting themselves from the stuff that's out there. Because the exploits that are out there today, they're not the same as 10 years ago, and 10-years-ago thinking is only going to get you sabotaged in the long run.

Tim Boltz: Chris, great point. And I love the attitude of you know, throwing down the gauntlet, it really shows the trust and the belief that this is the right platform, the right vision, the right way to deal with these new security threats. And I'd love it. If our customers are interested in learning more about the VMware Intrinsic Security portfolio, how can they learn more? Where should they go?

Chris Logan: In its simplest form, obviously, we're going to direct you to a website, right? So www.vmware.com/security, that's going to let you explore VMware Intrinsic Security story across those access points that I talked about before, right. So not just what Intrinsic Security is but looking at it from categories and solutions like endpoint workload, network, workspace and cloud. And at the end of the day, just making sure that at its core, again, security becomes a part of the DNA of not just a platform you're running, but the DNA of the people that are supporting it, it's unified and how it behaves, how it acts, and that it's context centric, so that you can take a much more preventative stance.

Tim Boltz: Fantastic, Chris, Chris. Rob, I really appreciate you taking the time to talk to the Carahsoft team and our healthcare customers about VMware's vision on Intrinsic Security, and how VMware is raising the stakes when it comes to protecting the data center, protecting the endpoint, the network and remote workspace. So really appreciate the time today, gentlemen.

Chris Logan: Absolutely. Tim, thank you again for your time.

Rob Marti: Much appreciated.

Tim Boltz: All right. Thanks, team.