Medibank Private finds the cure for ransomware

Upgrade from traditional antivirus protection stems flow of malware infections

Like most large businesses, health insurer Medibank Private was regularly experiencing a few of what CISO Stuart Harrison calls “significant incidents” every month.

Its predominantly antivirus-based security defences were missing new ransomware and other malware variants, resulting in the occasional infection of a computer that had to be restored from the company’s established backup system.

“Fortunately we had, and continue to have, a fairly robust backup and recovery strategy,” Harrison told CSO Australia. “Employees weren’t losing a lot of work as such, but it was time lost and just a bit of pain to constantly have to recover large volumes of data.”

Harrison’s dozen-strong security team began taking a more focused approach to security defences, leveraging a growing focus on automation to develop scripts that monitored the company’s systems for suspicious activity such as sudden, large volumes of disk reads and writes.

This “behavioural based approach,” Harrison said, improved the situation “a reasonable amount. But if new malware had a slightly different behaviour, we would have to modify the script.”

“This was a very manual, people-intensive approach to things. We had to get smarter about how we were solving the problem.”

The Medibank Private team went to market to evaluate more flexible solutions and ultimately settled on security tools from Carbon Black.

That company’s endpoint protection tools stood out for reasons such as its multi-platform approach; core integration with operating-system calls; suitability in heavily virtualised environments such as Medibank Private’s; and a strong roadmap that covered both protection and response.

“When we put the product through its paces, it stacked up really, really well,” Harrison recalled, noting that the broad platform support meant that 80 to 90 percent of the company’s back-end infrastructure was covered – and that outliers, such as legacy Sun Solaris servers, were in the process of being phased out anyway.

Putting security on the front foot

The system was rolled out “surprisingly easily and very much as a technical project” with just a few technical hitches that were remediated along with the support of Carbon Black. Months after the implementation, Harrison said, “we haven’t had an incident since”.

Tweaks have allowed the team to refine the enforcement level, which can be set at different levels to adjust the Carbon Black system’s aggressiveness in enforcement. This allows, for example, call centre workers to be put into a high-level enforcement mode that prevents them from running any kind of privileged command.

Yet while the new system has significantly improved the company’s security climate, reducing the incidence of malware helped the team in other very significant ways.

“The key value from my perspective is that we can start reappropriate our resources and staff to do more interesting and complex things,” Harrison explained, “because they’re not spending their day either recovering data or figuring out how to adjust the script.”

By improving their operational awareness, the security team has also been able to recast its role within the organisation.

This has, for example, enabled the establishment and promotion of a data-centric security strategy, with controls modelled on access to the data based on the criticality and sensitivity of that data.

Such a proactive approach has allowed the security team to engage with business units and executives in a way that is far less defensive than in the past.

Engagement with the board now focuses more on proactive security measures, Harrison explained, noting the adoption of ISO27001 and other information-management standards. “There has been a huge focus on compliance and regulation just generally,” he explained.

“We’ve taken a combination of various healthy things to deploy security in a business-friendly and intelligent manner within our organisation. We can report back and say that we haven’t had a Cryptolocker incident in 12 to 18 months – and the longer that goes on, the happier people are.”

Tags Medibank

Show Comments