Managed service providers (MSPs) for Life Science companies know that security is amongst the most critical services they deliver.
Recent cybersecurity attacks against Life Science companies are reported to originate from Russia or China, and to deliberately target any form of COVID-19 related intellectual property (IP) and data. Given the growing complexity of the modern enterprise—considering the Internet of Things (IoT), the ‘new normal’ remote workforce, and modern cloud and container applications—the ability to detect and respond to attacks should be the top concern for all life science and pharmaceutical enterprises.
For all life science and pharmaceutical companies, intellectual property (IP) is their most critical asset. To protect it, understanding where IP resides and how it flows throughout the applications, systems, and networks is critically important. Typically, those responsible for maintaining the applications, systems, and networks have either been overwhelmed by the demand for access or have been incapable of consistently enforcing policies across their increasingly complex operating environment. Moreover, seemingly robust firewall and perimeter security rules put in place to block bad actors from gaining access to IP can be simply (and very often are) defeated by ‘power users’ complaining about application performance.
Our experience with one of the largest multinational pharmaceuticals in the world has shown that bad actors favor attacking individual employees to gain access to enterprise systems. Given the typically extreme focus on perimeter defense (i.e. north-south), detection of insider threats and lateral attacks (i.e. east-west) is often underfunded and is therefore the simplest way to gain access to the enterprise. To detect a lateral attack, you must understand how IP is exchanged between users and ‘where’ that IP is stored and/or transmitted from. Moreover, you should typically assume that a malicious insider is already in place, using ‘standard’ access, and use that assumption to qualify whether or not current privileges and entitlements are appropriate. These elements are key to the principle of Zero Trust.
Another example to consider is consultant access to enterprise systems. Again, in our experience, many customers ask for remote desktop access (typically referred to as RDP) to run data consolidation and processing scripts from home. With that level of approved access, a compromised home system can reach other servers in the proximity of the primary data processing platform – this is the ‘blast radius’, i.e. the trusted systems within reach of a compromised platform. With the current capabilities of even novice attackers, data extraction from enterprise servers can appear legitimate because it is executed using accounts that passed basic authentication checks. Detection of data removal requires an understanding of your application environment and how data flows within it, followed by intelligent monitoring for changes in data flow and connection behavior. Court Square Group utilizes vArmour, the leading provider of Application Relationship Management, to provide the ‘intelligent’ application view of our customer environments using network and data flow logs. It was by using vArmour that we were able to identify the anomalous traffic burst and to drive deeper investigation of the potential issue. Though many other platforms can report network-based events, only vArmour consistently identifies activities based on network and data flow logs.
Consider an incident with a large pharmaceutical client: while conducting platform diagnostics, we noticed a traffic spike originating from one of the network controllers on a server. The spike was found to be sustained over a period of time and triggered an immediate investigation. Based on our analysis and follow-up, we determined that a consultant had been provided full access to customer systems and had copied one of their largest IP databases, first onto his laptop and then to an external device. This example reminds us that detection of and response to insider threats require a complete understanding of your application environment, where data resides and flows within it, and who should be provided access to it.
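The two signals in the incident above, a sustained outbound spike from one server and that server talking to a destination it never used before, can be expressed as simple checks over flow logs. The following is an added example written for this page; it is not Court Square Group's or vArmour's code, and the hostnames, interval indices and byte counts are constructed. It learns a per-host baseline from an initial window of flow records, then reports only spikes that persist for several consecutive intervals (a single burst is ignored) and any destination that did not appear during the learning window.

```python
"""
Added example (not Court Square Group or vArmour code): baseline-and-sustain
detection over constructed network flow records.

Signals demonstrated:
  1. a sustained outbound traffic spike from one host, and
  2. a connection-behavior change (a host sending to a destination it never
     used in the baseline window).
All hostnames, intervals and byte counts are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (interval_index, src_host, dst_host, bytes_out).
# Intervals 0-5 are the learning window, where both servers behave normally.
# From interval 6 on, db-srv-01 pushes far more data to consultant-laptop, a
# destination absent from the learning window. app-srv-01 has one transient
# burst at interval 7 to an already-known destination (should not be flagged).
FLOWS = [
    (0, "db-srv-01", "app-srv-01", 12_000), (0, "app-srv-01", "db-srv-01", 3_000),
    (1, "db-srv-01", "app-srv-01", 11_500), (1, "app-srv-01", "db-srv-01", 2_900),
    (2, "db-srv-01", "app-srv-01", 12_300), (2, "app-srv-01", "db-srv-01", 3_100),
    (3, "db-srv-01", "app-srv-01", 11_800), (3, "app-srv-01", "db-srv-01", 3_000),
    (4, "db-srv-01", "app-srv-01", 12_100), (4, "app-srv-01", "db-srv-01", 2_950),
    (5, "db-srv-01", "app-srv-01", 11_900), (5, "app-srv-01", "db-srv-01", 3_050),
    (6, "db-srv-01", "app-srv-01", 12_000), (6, "db-srv-01", "consultant-laptop", 500_000),
    (6, "app-srv-01", "db-srv-01", 3_000),
    (7, "db-srv-01", "app-srv-01", 12_000), (7, "db-srv-01", "consultant-laptop", 500_000),
    (7, "app-srv-01", "db-srv-01", 200_000),   # one-off burst, known destination
    (8, "db-srv-01", "app-srv-01", 12_000), (8, "db-srv-01", "consultant-laptop", 500_000),
    (8, "app-srv-01", "db-srv-01", 3_000),
    (9, "db-srv-01", "app-srv-01", 12_000), (9, "db-srv-01", "consultant-laptop", 500_000),
    (9, "app-srv-01", "db-srv-01", 3_000),
]


def aggregate(flows):
    """Sum outbound bytes per (host, interval) and collect destinations per (host, interval)."""
    bytes_by_host = defaultdict(lambda: defaultdict(int))
    dsts_by_host = defaultdict(lambda: defaultdict(set))
    for interval, src, dst, nbytes in flows:
        bytes_by_host[src][interval] += nbytes
        dsts_by_host[src][interval].add(dst)
    return bytes_by_host, dsts_by_host


def baseline(bytes_by_host, learn_intervals):
    """Median outbound bytes per interval for each host over the learning window."""
    return {
        host: median(per_int.get(i, 0) for i in range(learn_intervals))
        for host, per_int in bytes_by_host.items()
    }


def sustained_spikes(flows, learn_intervals=6, factor=5.0, min_run=3):
    """Return {host: (first_interval, run_length)} for hosts whose outbound bytes
    exceed factor x baseline for at least min_run consecutive intervals after the
    learning window. A single-interval burst is deliberately not reported."""
    bytes_by_host, _ = aggregate(flows)
    base = baseline(bytes_by_host, learn_intervals)
    last_interval = max(interval for interval, *_ in flows)
    findings = {}
    for host, per_int in bytes_by_host.items():
        threshold = factor * max(base[host], 1)  # guard against a zero baseline
        run_start, run, best = None, 0, None
        for i in range(learn_intervals, last_interval + 1):
            if per_int.get(i, 0) > threshold:
                run_start = i if run == 0 else run_start
                run += 1
                if run >= min_run and (best is None or run > best[1]):
                    best = (run_start, run)
            else:
                run = 0
        if best:
            findings[host] = best
    return findings


def new_destinations(flows, learn_intervals=6):
    """Return {host: sorted new destinations} for hosts that, after the learning
    window, send to a destination never seen for them during that window."""
    _, dsts_by_host = aggregate(flows)
    findings = {}
    for host, per_int in dsts_by_host.items():
        known = set().union(*(per_int.get(i, set()) for i in range(learn_intervals)))
        later = set().union(*(d for i, d in per_int.items() if i >= learn_intervals))
        new = sorted(later - known)
        if new:
            findings[host] = new
    return findings


if __name__ == "__main__":
    for host, (start, run) in sustained_spikes(FLOWS).items():
        print(f"sustained spike: {host} from interval {start} for {run} intervals")
    for host, dsts in new_destinations(FLOWS).items():
        print(f"new destination(s): {host} -> {', '.join(dsts)}")
```

On the constructed data, db-srv-01 is reported for a four-interval spike beginning at interval 6 and for the never-before-seen destination consultant-laptop, while app-srv-01's single burst at interval 7 is ignored. In a real environment the learning window would be days or weeks of flow records and the factor and minimum run would be tuned per application tier; the point is that both checks depend on first knowing each host's normal data flow, which is the understanding the post calls for.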
To summarize, those responsible for maintaining and protecting life science and pharmaceutical systems must effectively and consistently control access to their networks and IP. Critical to this, these teams must understand not only what applications are in place within the enterprise, but also where IP resides and flows at the system and user levels. With that in place, by effectively following Zero Trust and holistic application relationship management, you can sleep better at night knowing that your IP is protected!