Children’s National Hospital needed to expand visibility into its threat environment, increase detection rates, and respond faster to devastating threats and disruptions that could compromise medical systems and jeopardize patient care.
With Splunk, Children’s National Hospital added dozens of new security use cases and attack frameworks, allowing the security team to correlate incidents and events to accelerate threat detection and response.
That’s no small task. As a Level One trauma center, the $1.9 billion healthcare organization supports around 17 affiliates and serves 360,000 patients annually.
With many of the children requiring complicated, long-term care for cancer and other severe conditions, ensuring connected X-rays, heart monitors, and other medical systems are secure and protected from attack is vital for the health and safety of the child patients.
“I think we can safely say that the gloves are off in the bad guy community. Children's hospitals are no longer off limits,” said Sharon Finney, director of cybersecurity operations at Children's National Hospital, where she oversees the cyber security analytics, vulnerability management, IoT, and identity and access management teams.
That’s where Splunk comes in. Since Children’s National Hospital became a Splunk customer four years ago, Splunk Enterprise Security has empowered Finney and her teams to detect 40% more threats and shut them down in record time, keeping the hospital — and its young patients — protected and secure.
In a fast-paced, high-stress environment like a hospital, confusion created by tool complexity is the last thing that security teams need to contend with. But before implementing Splunk, Finney and her team dealt with it daily. Adding another layer of complication, the teams ran numerous specialized tools and applications specific to pediatric medicine, which contributed to swivel chair syndrome and compounded the visibility problems.
“There was no one place where all the information produced from those tool sets was gathered into one centralized location. We had to switch between tools, manually correlating data or trying to spot incidents as they happened or shortly after. It became overwhelming – humans simply can't process that much information,” said Finney.
Finney and her team needed a centralized platform to aggregate data from devices, identity assets, and network traffic, enabling normalization and correlation before evaluating it against modern attack frameworks, regulatory standards and various threat vectors.
Splunk’s centralized platform allowed them to see the attack environment more clearly, including which threats they had successfully blocked. It also allowed them to see the threats getting through their security defenses and to match activity against indicators of compromise (IoCs) from threat intelligence feeds, so they could detect threats moving laterally and alert Finney’s teams to respond faster and more accurately.
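The two steps described above, matching aggregated telemetry against a threat-intelligence feed and then spotting the same indicator on several internal hosts, can be sketched in a few lines. The following is an added illustration, not code from Splunk or from Children’s National Hospital: the IoC feed, the host names, addresses and hash, and the field names (`dest_ip`, `query`, `file_hash`) are all constructed for the example, and the events are assumed to have already been normalised from firewall, DNS and endpoint sources into a common shape.

```python
"""Matching normalised telemetry against threat-intel indicators (IoCs)
and flagging indicators that touch more than one internal host.

Added example, not Splunk's or the hospital's own code. Every value
below (feed, hosts, addresses, hash) is constructed for illustration.
"""
from collections import defaultdict

# Constructed placeholder hash: 64 hex characters, not a real sample.
DROPPER_HASH = "sha256:" + "ab" * 32

# Constructed threat-intel feed: indicator value -> (indicator type, campaign tag).
IOC_FEED = {
    "198.51.100.23": ("ip", "constructed-c2"),          # TEST-NET-2 address
    "bad-updates.example": ("domain", "constructed-c2"),  # reserved .example TLD
    DROPPER_HASH: ("hash", "constructed-dropper"),
}

# Constructed events, already normalised from firewall, DNS and EDR sources.
EVENTS = [
    {"ts": "2024-03-04T10:00:05Z", "host": "ws-101", "dest_ip": "198.51.100.23"},
    {"ts": "2024-03-04T10:01:30Z", "host": "ws-101", "query": "Bad-Updates.example"},
    {"ts": "2024-03-04T10:20:44Z", "host": "ws-102", "dest_ip": "198.51.100.23"},
    {"ts": "2024-03-04T10:25:00Z", "host": "ws-103", "dest_ip": "93.184.216.34"},
    {"ts": "2024-03-04T10:45:12Z", "host": "srv-db1", "file_hash": DROPPER_HASH},
    {"ts": "2024-03-04T10:50:09Z", "host": "ws-102", "file_hash": DROPPER_HASH},
]

# Fields whose values are compared against the feed (assumed field names).
MATCH_FIELDS = ("dest_ip", "query", "file_hash")


def normalise(value):
    """Lower-case and trim so feed entries and log values compare equal."""
    return value.strip().lower()


def enrich(events, feed=IOC_FEED):
    """Return a copy of every event that matches the feed, tagged with IoC metadata."""
    hits = []
    for event in events:
        for field in MATCH_FIELDS:
            value = event.get(field)
            if value is None:
                continue
            value = normalise(value)
            if value in feed:
                ioc_type, campaign = feed[value]
                hits.append({**event, "ioc": value, "ioc_type": ioc_type,
                             "campaign": campaign})
    return hits


def lateral_findings(hits, min_hosts=2):
    """Group IoC hits by indicator; an indicator seen on >= min_hosts distinct
    hosts is reported as a candidate for lateral movement."""
    by_ioc = defaultdict(lambda: {"hosts": set(), "first": None, "last": None})
    # ISO-8601 UTC timestamps of equal length sort correctly as strings.
    for hit in sorted(hits, key=lambda h: h["ts"]):
        entry = by_ioc[hit["ioc"]]
        entry["hosts"].add(hit["host"])
        entry["first"] = entry["first"] or hit["ts"]
        entry["last"] = hit["ts"]
        entry["campaign"] = hit["campaign"]
    return [
        {"ioc": ioc, "campaign": d["campaign"], "hosts": sorted(d["hosts"]),
         "first_seen": d["first"], "last_seen": d["last"]}
        for ioc, d in by_ioc.items() if len(d["hosts"]) >= min_hosts
    ]


if __name__ == "__main__":
    for finding in lateral_findings(enrich(EVENTS)):
        print(f"{finding['campaign']}: {finding['ioc']} seen on "
              f"{', '.join(finding['hosts'])} between {finding['first_seen']} "
              f"and {finding['last_seen']}")
```

Running it reports the C2 address and the dropper hash, each seen on two hosts, while the domain (one host only) and the benign connection from `ws-103` produce nothing. The `min_hosts` threshold is the knob an analyst would tune: lowering it to 1 turns the function into a plain IoC-hit report.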
“The bad actors only have to be right one time, but I have to be right every time. In order to be right every time with that much data and that many disparate tools, I have to hire a correlation engine that can bring all that together,” said Finney. “With the right tools in place, we’re now uncovering more insights every day. By bringing all that valuable telemetry into the Splunk environment, we gain the visibility needed to protect data, no matter where it lives.”
Initially, Children’s National Hospital began its Splunk implementation on-premises. Over the course of the first year, it became clear that the organization needed to transition to the cloud to lighten the burden of managing infrastructure. A cloud migration, in turn, would free up staff to focus on data analysis and build out the Splunk environment.
“We were not utilizing the features and functionality of the tool because we were too busy trying to keep it up and running and getting data sources in it. Ultimately, we needed to make some really hard choices about our progress over the next three years,” said Finney.
The SecOps team at Children’s Hospital chose Splunk Cloud to focus on developing use cases, data models, and indexes that gave them value as a security organization — and getting more of that corresponding data into Splunk.
With the help of their MSP Trustwave, the Children’s National Hospital SecOps team has thus far built about 80 use cases over the last year and a half. They ported those use cases to Splunk Enterprise Security, which is now the central hub for all the hospital’s security operations. “It was better for us as an organization to have Splunk in the cloud, to not have to worry about all the infrastructure pieces,” Finney said. “That takes a great burden off of us and allows us to really put our efforts towards the development of Splunk.”
For security analysts and threat hunters, seeing the big picture of the environment is critical. Before utilizing Splunk, the team had trouble seeing threat patterns — including social engineering patterns and tactics. Splunk’s automation not only allowed the teams to see threat patterns but also enabled them to act on them quickly.
Cyber attackers were using phishing campaigns and other social engineering techniques to gain unauthorized access to user credentials. These attempts occasionally led to password resets, sometimes involving changes to contact information. By analyzing patterns of recent password resets and contact updates, the team identified behaviors that could effectively be detected and mitigated via automation.
“We started talking about how we could automate that process by firing an alert to the security team and delving deeper into what was happening with these password resets so that we could stop this,” Finney said. With Splunk, the security team was able to use automation to assign alert notifications to the help desk, allowing them to respond and remediate threats faster.
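The detection the two paragraphs above describe, a password reset followed shortly by a change to the account's contact details, then an alert handed to the help desk, is easy to express as a correlation over identity-provider audit events. The code below is an added illustration written for this page, not the hospital's Splunk content or a Splunk search: the key=value log lines, the `action`, `user`, `field` and `channel` field names, and the 60-minute window are constructed assumptions.

```python
"""Correlating password resets with follow-on contact-information changes.

Added example (not Children's National Hospital's or Splunk's code). A reset
followed within a short window by a change to the recovery e-mail or phone
number is the pattern worth routing to the help desk for identity
verification. Log lines, field names and the window are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit lines: timestamp followed by key=value pairs.
SAMPLE_LOGS = """\
2024-03-04T08:02:11Z action=password_reset user=jdoe src_ip=10.20.3.7 channel=self_service
2024-03-04T08:05:40Z action=contact_update user=jdoe field=recovery_email src_ip=10.20.3.7
2024-03-04T09:15:02Z action=password_reset user=asmith src_ip=10.20.8.41 channel=helpdesk
2024-03-04T13:44:19Z action=contact_update user=asmith field=phone src_ip=10.20.8.41
2024-03-04T10:30:00Z action=password_reset user=mlee src_ip=203.0.113.9 channel=self_service
2024-03-04T10:31:12Z action=contact_update user=mlee field=phone src_ip=203.0.113.9
2024-03-04T10:32:05Z action=contact_update user=mlee field=recovery_email src_ip=203.0.113.9
"""

# Assumed correlation window: contact changes this soon after a reset are suspicious.
WINDOW = timedelta(minutes=60)


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate_resets(events, window=WINDOW):
    """Return one alert per password reset that is followed, within the window,
    by at least one contact_update for the same user."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["action"] != "password_reset":
                continue
            changes = [c for c in evs[i + 1:]
                       if c["action"] == "contact_update"
                       and c["ts"] - reset["ts"] <= window]
            if not changes:
                continue
            fields = sorted({c["field"] for c in changes})
            alerts.append({
                "user": user,
                "reset_at": reset["ts"].isoformat(),
                "reset_channel": reset["channel"],
                "changed_fields": fields,
                "seconds_to_first_change":
                    int((changes[0]["ts"] - reset["ts"]).total_seconds()),
                # Several recovery channels rewritten at once is the stronger signal.
                "severity": "high" if len(fields) > 1 else "medium",
            })
    return alerts


def helpdesk_ticket(alert):
    """Render an alert as the notification the help desk would receive."""
    return (f"[{alert['severity'].upper()}] Verify identity of {alert['user']}: "
            f"password reset via {alert['reset_channel']} at {alert['reset_at']} "
            f"followed {alert['seconds_to_first_change']}s later by changes to "
            f"{', '.join(alert['changed_fields'])}")


if __name__ == "__main__":
    for alert in correlate_resets(parse_logs(SAMPLE_LOGS)):
        print(helpdesk_ticket(alert))
```

On the sample lines, `jdoe` (one field changed three and a half minutes after the reset) and `mlee` (phone and recovery e-mail both rewritten within two minutes) produce tickets, while `asmith`, whose phone change comes more than four hours after a help-desk-initiated reset, falls outside the window and is not raised. In a SIEM the same logic would live in a scheduled correlation search feeding a ticketing integration; the window and the severity rule are the parts an analyst tunes against real reset volumes.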
As an additional benefit, the initial Splunk implementation has reduced the time the team spends per week on routine administrative functions by 25%, freeing them to focus on critical investigations and other high-value tasks that drive the organization forward.
For Finney and her team, Splunk Cloud has opened up a new world of possibilities. The team is handling new data streams from numerous sources, with access to better telemetry data than ever before. And they're building out better data models from those sources every day.
They’re also identifying new threats. Splunk enables the team to pivot laterally from a single event, helping them see across the enterprise so they can detect similar incidents or correlate activities to bring potential cyber threats or anomalies into full focus — often within 15 minutes of getting an alert.
However, with the slew of new alerts, Finney said that the team has an opportunity to reassess and uplevel their response strategy as well as continue to invest in training so they can get on the same page when interpreting events. “These events have the potential to affect broad systems in our environment that are very close to our patients and patient care. We've got to get a hold of people who might be on a clinical floor treating a patient. There's a different level of escalation that needs to happen when it's a clinically based system versus an individual's laptop,” Finney said.
For the SecOps team at Children’s Hospital, improved visibility and expanded threat detection are just the beginning. Finney said that leveraging AI in Splunk SOAR will also give them access to an even broader spectrum of data, allowing the team to build algorithms that help their analytics become more predictive.
As the security nucleus of the hospital, Splunk is already at the heart of the security team’s prevention, detection, and response strategy. Looking ahead, however, Finney says that she aims to use the platform to build out more dedicated security use cases and attack scenarios related to specific departments, in the event they’re affected by a cyber catastrophe. “I think about Splunk as sort of the center of the wheel, and then I want to spin off communication to other tool sets throughout our organization that help us reach out to those different departments, in different areas of the hospital that need to respond to particular incidents,” she said. “If I need to shut certain portions of our environment down, I can do that and build in everything that I need to get that message out fast.”