Showing posts with label Paul Muller. Show all posts
Showing posts with label Paul Muller. Show all posts

Thursday, December 12, 2013

Healthcare Turns to Big Data Analytics Platforms to Gain Insight and Awareness for Improved Patient Outcomes

Transcript of a BriefingsDirect on the need to tap the potential of big data to improve healthcare delivery and how the technology to do that is currently lagging.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people’s lives.

Gardner
Once again, we’re focusing on how IT leaders are improving their services to deliver better experiences and payoffs for businesses and end users alike. I’m now joined by our co-host for this sponsored series, Chief Software Evangelist at HP, Paul Muller. Welcome Paul, how are you today?

Paul Muller: Fighting fit, and healthy Dana, yourself?

Gardner: Glad to hear it. I’m doing very well, thanks. We’re going to now examine the impact that big-data technologies and solutions are having on the highly dynamic healthcare industry. We’ll explore how analytics platforms and new healthcare-specific solutions together are offering far greater insight and intelligence into how healthcare providers are managing patient care, cost, and outcomes.

And we’re going to hear firsthand of how these new offerings, announced this week at the HP Discover Conference in Barcelona, are designed specifically to give hospitals and care providers new data-driven advantages as they seek to transform their organizations.

With that, please join me in welcoming our guest, Patrick Kelly, Senior Practice Manager at the Avnet Services Healthcare Practice. Welcome, Patrick. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Patrick Kelly: Thank you, Dana. It's great to be with both you and Paul.

Gardner: Just to put this into some perspective, Paul, as you travel the globe, as I know you do, how closely are you seeing an intersection between big data and the need for analytics in healthcare. Is this a US-specific drive, or is this something that’s sweeping many markets as well?

Muller: It's undoubtedly a global trend, Dana. One statistic that sticks in my mind is that in 2012 what was estimated was approximately 500 petabytes of digital healthcare data across the globe. That’s expected to reach 25,000 petabytes by the year 2020. So, that’s a 50-times increase in the amount of digital healthcare data that we expect to be retaining.
Muller

The reasons for that is simply that having better data helps us drive better healthcare outcomes. And we can do it in a number of different ways. We move to what we call most evidence-based medicines, rather than subjecting people to a battery of tests, or following a script, if you like.

The test or the activities that are undertaken with each individual are more clearly tailored, based on the symptoms that they’re presenting with, and data helps us make some of those decisions.

Basic medical research

The other element of it is that we’re now starting to bring in more people and engage more people in basic medical research. For example, in the US, the Veterans Administration has a voluntary program that’s using blood sample and health information from various military veterans. Over 150,000 have enrolled to help give us a better understanding of healthcare.

We’ve had similar programs in Iceland and other countries where we were using long-term healthcare and statistical data from the population to help us spot and address healthcare challenges before they become real problems.

The other, of course, is how we better manage healthcare data. A lot of our listeners, I’m sure, live in countries where electronic healthcare records (EHR) are a hot topic. Either there is a project under way or you may already have them, but that whole process of establishing them and making sure that those records are interchangeable is absolutely critical.

Then, of course, we have the opportunity of utilizing publicly available data. We’ve all heard of Google being utilized to identify the outbreaks of flu in various countries based on the frequency of which people search for flu symptoms.
There’s a huge array of data that you need to bring together, in addition to just thinking about the size of it.

So, there’s definitely a huge number of opportunities coming from data. The challenge that we’ll find so frequently is that when we talk about big data, it's critical not just to talk about the size of the data we collect, but the variety of data. You’ve got things like structured EHR. You have unstructured clinical notes. If you’ve ever seen a doctor’s scribble, you know what I’m talking about.

You have medical imaging data, genetic data, and epidemiological data. There’s a huge array of data that you need to bring together, in addition to just thinking what is the size of it. Of course, overarching all of these are the regulatory and privacy issues that we have to deal with. It's a rich and fascinating topic.

Gardner: Patrick Kelly, tell us a little bit about what you see as the driving need technically to get a handle on this vast ocean of healthcare data and the huge potential for making good use of it? 

Kelly: All the points Paul brought up were spot-on. It really is a problem of how to deal with such a deluge of data. Also, there’s a great change that’s being undertaken because of the Affordable Care Act (ACA) legislation and that’s impacting not only the business model, but also the need to switch to an electronic medical record.

Capturing data

From an EHR perspective to date, IT is focused on capturing that data. They take and then transpose what’s on a medical record into an electronic format. Unfortunately, where we’ve fallen short in helping the business is taking that data that’s captured and making it useful and meaningful in analytics and helping the business to gain visibility and be able to pivot and change as the need to change the business model is being brought to bear on the industry.

Gardner: For those of our audience who are not familiar with Avnet, please describe your organization. You’ve been involved with a number of different activities, but healthcare seems to be pretty prominent in the group now. [Learn more about Avnet's Healthcare Analytics Practice.]

Kelly
Kelly: Avnet has made a pretty significant investment over the last 24 months to bolster the services side of the world. We’ve brought numbers up to around 2,000 new personnel on board to focus on everything in the ecosystem, from -- as we’re talking about today -- healthcare all the way up to hardware, educational services, and supporting partners like HP. We happen to be HP’s largest enterprise distributor. We also have a number of critical channel partners.

In the last eight months, we came together and brought on board a number of individuals who have deep expertise in healthcare and security. They work to focus on building out healthcare practice that not only provides services, but is also developing kind of a healthcare analytics platform.

Gardner: Paul Muller, you can’t buy healthcare analytics in a box. This is really a team sport; an ecosystem approach. Tell me a little bit about what Avnet is, how important they are in HP’s role, and, of course, there are going to be more players as well.
What Avnet brings to the table is the understanding of the HAVEn technology, combined with deep expertise in the area of healthcare and analytics.

Muller: The listeners would have heard from the HP Discover announcements over the last couple of days that Avnet and HP have come together around what we call the HAVEn platform. HAVEn as we might have talked about previously on the show stands for Hadoop, Autonomy, Vertica, Enterprise Security, with the “n” being any number of apps. [Learn more about the HAVEn platform.]

The "n" or any numbers of apps is really where we work together with our partners to utilize the platform, to build better big-data enabled applications. That’s really the critical capability our partners have.

What Avnet brings to the table is the understanding of the HAVEn technology, combined with deep expertise in the area of healthcare and analytics. Combining that, we've created this fantastic new capability that we’re here to talk about now.

Gardner: Back to you, Patrick. Tell me a bit about what you think are the top problems that need to be solved in order to get healthcare information and analytics to the right people in a speedy fashion. What are our hurdles to overcome here?

Kelly: If we pull back the covers and look at some of the problems or challenges around advancing analytics and modernization into healthcare, it’s really in a couple of areas. One of them is that it's a pretty big cultural change.

Significant load

Right now, we have an overtaxed IT department that’s struggling to bring electronic medical records online and to also deal with a lot of different compliance things around ICD-10 and still meet meaningful use. So, that’s a pretty significant load on those guys.

Now, they’re being asked to look at delivering information to the business side of the world. And right now, there's not a good understanding, from an enterprise-wide view, of how to use analytics in healthcare very well.

So, part of the challenge is governance and strategy and looking at an enterprise-wide road map to how you get there. From a technology perspective, there’s a whole problem around industry readiness. There are a lot of legacy systems floating around that can range from 30-year-old mainframes up to more modern systems. So there’s a great deal of work that has to go around modernizing the systems and then tying them together. That all leads to problems with data logistics and fragmentation and really just equals cost and complexity.

One of the traditional approaches that other industries have followed with enterprise data warehouses and traditional extract, transform, load (ETL) approaches are just too costly, too slow, and too difficult for healthcare system to leverage. Finally, there are a lot of challenges in the process of the workflow.

Muller: These sound conceptual at a high level, but the impact on patient outcomes is pretty dramatic. One statistic that sticks in my head is that hospitalizations in the U.S. are estimated to account for about 30 percent of the trillions of dollars in annual cost of healthcare, with around 20 percent of all hospital admissions occurring within 30 days of a previous discharge.
Better utilizing big-data technology can have a very real impact on the healthcare outcomes of your loved ones.

In other words, we’re potentially letting people go without having completely resolved their issues. Better utilizing big-data technology can have a very real impact, for example, on the healthcare outcomes of your loved ones. Any other thoughts around that, Patrick?

Kelly: Paul, you hit a really critical note around re-admissions, something that, as you mentioned, has a real impact on the outcomes of patients. It's also a cost driver. Reimbursement rates are being reduced because of failure. Hospitals would be able to address the shortfalls either in education or follow-up care that end up landing patients back in the ER.

You’re dead on with re-admissions, and from a big-data perspective, there are two stages to look at. There’s a retrospective look that is a challenge even though it's not a traditional big-data challenge. There’s still lot of data and a lot of elements to look into just to identify patients that have been readmitted and track those.

But the more exciting and interesting part to this is the predictive, looking forward and seeing the patient’s conditions, their co-morbidity, how sick they are, what kind of treatment they receive, what kind of education they received and the follow-up care as well as how they behave in the outside world. Then, it’s bringing all that together and building a model to be able to determine whether this person is at risk to readmit. If so, how do we target care to them to help reduce that risk. 

Gardner: We certainly have some technology issues to resolve and some cultural shifts to make, but what are the goals in the medical field, in the provider organizations themselves? I’m thinking of such things as cutting cost, but more that, things about treatments and experience and even gaining perhaps a holistic view of a patient, regardless of where they are in the spectrum.

Waste in the system

Muller: You kind of hit it there, Dana, with the cutting cost. I was reading a report today, and it was kind of shocking. There is a tremendous amount of waste in the system, as we know. It said that in the US, $600 billion, 17.6 percent of the nation’s GDP, that is focused on healthcare is potentially being misspent. A lot of that is due to unnecessary procedures and tests, as well as operational inefficiency.

From a provider perspective, it's getting a handle on those unnecessary procedures. I’ll give you an example. There’s been an increase in the last decade of elective deliveries, where someone comes in and says that they want to have an early delivery for whatever reason. The impact, unfortunately, is an additional time in the neo-natal intensive care unit (NICU) for the baby.

It drives up a lot of cost and is dangerous for both the mother and child. So, getting a handle on where the waste is within their four walls, whether it’s operationally, unnecessary procedures, or tests and being able to apply Lean Six Sigma, and some of these process is necessary to help reduce that.

Then, you mentioned treatments and how to improve outcomes. Another shocking statistic is that medical errors are the third leading cause of death in the US. In addition to that, employers end up paying almost $40,000 every time someone receives a surgical site infection.
From a provider perspective, it's getting a handle on those unnecessary procedures.

Those medical errors can be everything from a sponge left in a patient, to a mis-dose of a medication, to an infection. Those all lead to a lot of unnecessary death as well as driving up cost not only for the hospital but for the payers of the insurance. These are areas that they will get visibility into to understand where variation is happening and eliminate that.

Finally, a new aspect is customer experience. Somehow, reimbursements are going to be tied to -- and this is new for the medical field -- how I as a patient enjoy, for lack of better term, my experience as the hospital or with my provider, and how engaged I had become in my own care. Those are critical measures that analytics are going to help provide.

Gardner: We have a big chore ahead of us with the need for changing the way that IT is conducted in these organizations. Obviously, what you’ve just described are different ways of doing medicine based on data and analysis, but we also have this change in the way that medicine is being delivered in the US. You mentioned the ACA. We’re moving from a paid by procedure basis much more to a paid by the outcomes basis. This shifts things and transforms things tremendously too.

Now that we have a sense of this massive challenge ahead of us, what are organizations like Avnet and providers like HP with HAVEn doing that will help us start to get a handle on this? Give us a sense, Patrick, of what you are bring into the market with the announcement in Barcelona.

Kelly: As difficult as it is to reduce complexity in any of these analytic engagements, it's very costly and time consuming to integrate any new system into a hospital. One of the key things is to be able to reduce that time to value from a system that you introduce into the hospital and use to target very specific analytical challenges.

From Avnet’s perspective, we’re bringing a healthcare platform that we’re developing around the HAVEn stack, leveraging some of those great powerful technologies like Vertica and Hadoop, and using those to try to simplify the integration task at the hospitals.

Standardized inputs

We’re building inputs from HL7, which is just a common data format within the hospital, trying to build some standardized inputs from other clinical systems, in order to reduce the heavy lift of integrating a new analytics package in the environment.

In addition, we’re looking to build a unified view of the patient’s data. We want to extend that beyond the walls of the hospital and build a unified platform. The idea is to put a number of different tools and modular analytics on top of that to have some very quick wins, targeted things like we've already talked about, from readmission all the way into some blocking and tackling operational work. It will be everything from patient flow to understanding capacity management.

It will bring a platform that accelerates the integration and analytics delivery in the organization. In addition, we’re going to wrap that into a number of services that range from early assessment to road map and strategy to help with business integration all the way around continuing to build and support the product with the help system.

The goal is to accelerate delivery around the analytics, get the tools that they need to get visibility into the business, and empower the providers and give them a complete view of the patient.

Gardner: Paul, it’s very impressive when you look at what can be done when an ecosystem comes together. When you look at applications, like what Avnet is delivering, it seems to me they’re also changing the game in terms of who can use these analytics. We’re seeing visualizations and we’re seeing modular approaches like Patrick described. How much of a sea change are we seeing in terms of not just creating better analytics, but getting them to more people, perhaps people had never really had access to this intelligence before.
It’s the immediacy of interaction that is going to make the biggest difference.

Muller: That’s a critical element. It's simple, easy to understand, and visualizations are an important element of it. The other is just simply the ability to turn these sorts of questions around more quickly.

If you think about traditional medical studies and even something as simple as drug development, in the past getting access to the data, being able to have a conversation with the data, has been very difficult, because sourcing it, scrubbing it, correlating it, processing it has taken years.

Even simple queries could take days to run. It’s become more complex and you have to do things like look for correlation across longitudinal records or understanding unstructured clinical notes that have been written by a doctor or, more importantly, by different doctor's. Each of them is writing something similar, but in a different way. Then, there’s the massive volume of information involved. Patrick touched on some of the behavioral aspects or lifestyle choices people make.

The ability to take all of that information at one time and have a conversation, where it's a slice and dice it and interact with it, is another important aspect to the usability and the democratizing access to some of that information. Whether, it would be the researchers or government officials and health care workers looking for example for the potential outbreaks of disease or to plan a better health care system, it’s not just great visualizations that are important. That certainly helps, but it’s the immediacy of interaction that is going to make the biggest difference.

Gardner: Patrick, when you do these basic infrastructure improvements, when you create a different culture to make the data analysis available fast, you start to get towards that predictive, rather then reactive, approach. Do you have some sense or even examples of what good can come of this? Are there some tangible benefits, some soft benefits, to get as a payback. I’m thinking clearly pretty quickly because we probably need to demonstrate value rather soon in this environment?

About visibility

Kelly: Dana, any first step with this is about visibility. It opens the eyes around processes in the organization that are problematic and that can be very basic around things like scheduling in the operating room and utilization of that time to length of stay of patients.

A very a quick win is to understand why your patients seem to be continually having problems and being in the bed longer then they should be. It’s being able, while they're filling those beds, to redirect care, case workers, medical care, and everything necessary to help them get out of the hospital sooner and improve their outcomes.

A lot of times, we've seen a look of surprise when we've shown, here is the patient who has been in for 10 days for a procedure that should have only been a two-day stay, and really giving visibility there. That’s the first step, though very basic.

As we start attacking some of these problems around hospital-based infection, we help the provider make sure that they are covering all their bases and doing kind of the best practices, and eliminating the variation between each physician and care provider, you start seeing some real tangible improvements and outcomes in saving peoples lives.

When you see that from any population be it stroke, re-admissions -- as we talked about earlier -- with heart failure and being able to make sure those patients are avoiding things like pneumonia, you bring visibility.
A challenge for a hospital that has acquired a number of physicians is how to get visibility into those physician practices.

Then, in predictive models and optimizing how the providers and the caregivers are working is really key. There are some quick wins, and that’s why traditionally we built these master repositories that we then built reports on top of. It’s a year and a half to delivery for any value, and we’re looking to focus on very specific use cases and trying to tackle them very quickly in a 90- to 120-day period.

Gardner: Patrick, do you have any early-adopter examples you can provide for us, so that we have a sense of what types of organizations are putting this into place, what they’ve done first, and what have been the outcomes?

Kelly: We're partnering with a 12-hospital health care system, dealing with again some blocking and tackling around understanding better how to utilize their physician network.

A challenge for a hospital that has acquired a number of physicians is how to get visibility into those physician practices. How do you understand the kinds of things we've talked about -- cost, patient experience, outcomes -- out in the wild, in the primary care offices, and in the specialty offices? That data has traditionally just been completely segmented from the hospital systems.

The challenge is building tools that are going to be leveraged by the physician themselves, as well as the hospitals and at an executive level, and utilizing that information to help optimize how those practices are running. It’s kind of a basic problem for most businesses, but it's something very real for hospitals to deal with.

Massive opportunity

Gardner: Paul Muller, this seems to be a massive opportunity, something that will be going on from many years with HP, Vertica, and HAVEn. Trillions of dollars have been spent on ways that can give us better patient experiences, higher health rates, lower mortality rates. So, it’s a win, win, win, right? The hospitals win, the insurers win, the governments win, the patients win, the doctors win. What sort of opportunity is this and how is HP going at it?

Muller: You’ve absolutely nailed the assessment there. It’s an all-around benefit. A healthy society is a healthy economy. That’s pretty crystal clear to everybody. The opportunity for HP and our partners is to help enable that by putting the right data at the finger tips of the people with the potential to generate life saving or lifestyle improving insights. That could be developing a new drug, improving the impatient experience, or helping us identify longer-term issues like genetic or other sorts of congenital diseases.

From our perspective, it’s about providing the underlying platform technology, HAVEn, as the big data platform. The great partner ecosystem that we've developed in Avnet is a wonderful example of an organization that’s taken the powerful platform and very quickly turned that into something that can help not only save money, but as we just talked about, save lives which I think is fantastic.

Gardner: Patrick, as we wrap up, we can certainly see many ways in which these technologies in this analysis can be used immediately for some very significant benefits. But I’m thinking that it also puts in place a tremendous foundation for what we know is coming in the future -- more sensors, more information coming from the patients, more telemetry, so that it's coming remotely, maybe from their bodies, while they are out of the hospital.
In this industry, it’s very life and death, versus it's just purely a financial incentive.

We know that mobile devices are becoming more and more common, not only in patient environments, but in the hospitals and the care-provider organizations. We know the cloud and hybrid cloud services are becoming available and can distribute this data and integrate it across so many more types of processes.

It seems to me that you not only get a benefit from getting to a big-data analysis capability now, but it puts you in a position to be ready when we have more types of data -- more speed, more end points, and, therefore, more requirements for what your infrastructure, whether on premises or in a cloud, can do. Tell me a little bit about what you think the Avnet and HP Solution does for setting you up for these future trend? 

Kelly: At this point, technology today is just not where it needs to be, especially in healthcare. An EKG spits out 1,000 data points per second. There is no way, at this point, without the right technology, that you can actually deal with that.

If we look to a future where providers do less monitoring, so less vital collection, fewer physicals, and all of that is coming from your mobile device, it's coming from intelligent machines. There really needs to be an infrastructure in place to deal with that.

I spent a lot of time working with Vertica even before Avnet. Vertica, Hadoop, and leveraging economy in the area of unstructured data is a technology that is going to allow the scalability and the growth that’s going to be necessary to leverage the data that we need to make it an asset and much less challenge and allow us to transform healthcare.

The key to that is unlocking this tremendous trove of data. In this industry, as you guys have said, it’s very life and death, versus it's just purely a financial incentive.

Targeting big data

Muller: I might jump in on that as well, Dana. This is an important point that we can’t lose sight of as well. As I said when you and I hosted the previous show, big data is also a big target.

One of the things that every healthcare professional and regulator, every member of the public needs to be mindful of is a large accumulation of sensitive personally identifiable information (PII).

It's not just a governance issue, but it's a question of morals and making sure that we are doing the right thing by the people who are trusting themselves not just with their physical care, but with how they present in society. Medical information can be sensitive when available not just to criminals but even to prospective employers, members of the family, and others.

The other thing we need to be mindful of is we've got to not just collect the big data, but we've got to secure it. We've got to be really mindful of who’s accessing what, when they are accessing, are they appropriately accessing it, and have they done something like taking a copy or moved it else where that could indicate that they have malicious intent.
It's also critical we think about big data in the context of health from a 360-degree perspective.

It's also critical we think about big data in the context of health from a 360-degree perspective.

Kelly: That’s a great point. And to step back a little bit on that, one of the things that brings me a little comfort around that is there are some very clear guidelines in the way of HIPAA around how this data is managed, and we look at it from baking the security into it, in everything from the encryption to the audit ability.

But it’s also training the staff working in these environments and making sure that all of that training is put in place to ensure the safety of that data. One of the things that always leaves me scratching my head is that I can go down the street into the grocery store and buy a bunch of stuff. By the time I get to register, they seem to know more about me than the hospital does when I go to the hospital.

That’s one of the shocking things that make you say you can’t wait until big data gets here. I have a little comfort too, because there are at least laws in place to try to corral that data and make sure everyone is using it correctly.

Gardner: Very good. I’m afraid we’ll have to leave it there. Please join me in thanking our co-host, Paul Muller, Chief Software Evangelist at HP. Thanks so much, Paul.

Muller: Thank you for having me back on the show again, Dana. I really love being here.

Gardner: Of course and also a thank you to the supporter of this series, HP Software. And a reminder to our audience to carry on the dialog with Paul Muller through the Discover group on LinkedIn. We've been having a discussion about how big data and healthcare are intersecting and how there’s a huge opportunity for far greater insight and intelligence into how healthcare providers are managing their patient’s care, the cost and ultimately the outcomes.

And I’d also like to remind you that you can access this, and other episodes of the HP Discover podcast series on iTunes under BriefingsDirect.

And, of course, a big thank you to our guest. We’ve been talking with Patrick Kelly, Senior Practice Manager at the Avnet Services Healthcare Practice. Thanks so much, Patrick.

Kelly: Thank you, guys.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host for this ongoing series. And lastly, a big thank you to our audience for joining this HP Discover Discussion, and reminder to come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect on the need to tap the potential of big data to improve healthcare delivery and how the technology to do that is currently lagging. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:

Thursday, September 12, 2013

Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Security and Risk

Transcript of a BriefingsDirect podcast on how increased and more sophisticated attacks are forcing enterprises to innovate and expand security practices to not only detect, but predict system intrusions.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.
Follow the HP Protect 2013 activities next week, Sept. 16-19.


Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Gardner
Once again, we're focusing on how IT leaders are improving security and reducing risk as they adapt to the new harsh realities of doing business online.

I'm now joined by our co-host for this sponsored podcast series, Paul Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you today?

Paul Muller: Dana, very well. It's great to be back, and I'm looking forward to today’s conversation.

Gardner: Yes, we have a big discussion today. We're joined by HP’s Global Chief Information Security Officer (CISO) to learn about how some of the very largest global enterprises like HP are exploring all of their options for doing business safely and continuously. So with that, let's welcome our guest, Brett Wahlin, Vice President and Global CISO at HP. Welcome, Brett. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Brett Wahlin: Thank you, Dana.

Gardner: Brett, there's been a lot of discussion, of course, about security and a lot of discussion about big data. I'm very curious as to how these are related.

It seems to me that I've read and heard quite a bit about how big data can be used to improve security and provide insights into what's going on within systems and even some greater analysis capabilities. Is that what you're finding and hearing from other CISOs -- that there is a great tool in big data that’s related to security?

Wahlin: Yes, big data is quite an interesting development for us in the field of security. If we look back on how we used to do security, trying to determine where our enemies were coming from, what their capacities were, what their targets were, and how we're gathering intelligence to be able to determine how best to protect the company, our resources were quite limited.

Wahlin
We've found that through the use of big data, we're now able to start gathering reams of information that were never available to us in the past. We tend to look at this almost in a modern-warfare type of perspective.

If you're a battlefield commander, and you're looking at how to deploy defenses, how would you deploy those offenses, and what would be the targets that your enemies are looking for? You typically then look at gathering intelligence. This intelligence comes through multiple sources, whether it's electronic or human signals, and you begin to process the intelligence that's gathered, looking for insights into your enemy.

Moving defenses

This could be the enemy’s capabilities, motivation, resourcing, or targets. Then, by that analysis of that intelligence, you can go through a process of moving your defenses, understanding where the targets may be, and adjusting your troops on the ground.

Big data has now given us the ability to collect more intelligence from more sources at a much more rapid pace. As we go through this, we're looking at understanding these types of questions that we would ask as if we were looking at direct adversaries.

We're looking at what these capabilities are, where people are attacking from, why they're attacking us, and what targets they're looking for within our company. We can gather that data much more rapidly through the use of big data and apply these types of analytics.

We begin to ask different questions of the data and, based on the type of questions we're asking, we can come up with some rather interesting information that we never could get in the past. This then takes us to a position where that advanced analytics allows us to almost predict where an enemy might hit.

That’s in the future, I believe. Security is going from the use of prevention, where I'm tackling a known bad thing, to the point where I can use big data to analyze what's happening in real time and then predict where I may be attacked, by whom, and at what targets. That gives me the ability to move the defenses around in such a way that I can protect the high-value items, based on the intelligence that I see coming in through the analytics that we get out of big data.

Muller
Muller: Brett, you talk a lot about the idea of getting in front of the problem. Can you talk a little bit about your point of view on how security, from your perspective as a practitioner, has evolved over the last 10-15 years?

Wahlin: Certainly. That’s a great question. Years ago, we used to be about trying to prevent the known bad from happening. The questions we would ask would always be around, can it happen to us, and if it does, can we respond to it? What we have to look at now is the fact that the question should change. It should be not, "Can it happen to us," but "When is it going to happen to us?" And not, "Can we respond to it," but "How can we survive it?"

If we look at that type of a mind-shift change, that takes us back to the old ways of doing security, where you try to prevent, detect, and respond. Basically, you prevented the known bad things from happening.

This went back to the days of -- pick your favorite attack from years ago. One that I remember is very telling. It was Code Red, and we weren’t prepared for it. It hit us. We knew what the signature looked like and we were able to stop it, once we identified what it was. That whole preventive mechanism, back in the day, was pretty much what people did for security.

Fast forward several years, and you get into that new era of security threats highlighted by attacks like Aurora, when it came out. Suddenly, we had the acronyms that flew all over, such as APT -- advanced persistent threats -- and advanced malware. Now, we have attacks that you can't prevent, because you don’t know them. You can't see them. They're zero-days. They're undiscovered malware that’s in your system already.

Detect and respond

That changed the way we moved our security. We went from prevent to a big focus on not just preventing, because that becomes a hygiene function. Now, we move in to detect-and-respond view, where we're looking for anomalies. We're looking for the unknown. We're beefing up the ability to quickly respond to those when we find them.

The evolution, as we move forward, is to add a fourth dimension to this. We prevent, detect, respond, and predict. We use elements like big data to understand not only how to get situational awareness, where we connect the dots within our environment, but taking it one step further and being able to predict where that next stop might land. As we evolve in this particular area, getting to that point where we can understand and predict will become a key capability that security departments must have in future.

Gardner: A reminder to our audience, follow the HP Protect 2013 activities next week, Sept. 16-19. Now, Brett, how long you have been at HP and where had you been before that?

Wahlin: I've been at HP for approximately eight months. Prior to joining HP, I was the CSO at Sony Network Entertainment. My role there was to put the security in place after the infamous PlayStation breach. Prior to that, I was also the CSO at McAfee. I did a stint as CSO at Los Alamos Laboratory.
One of the elements that we look at, of course, is how to add all this additional complexity and additional capability into security and yet still continue to drive value to the business and drive costs out

Years ago, I got my start doing counterintelligence for the US Army during the Cold War. So we had a lot of opportunity to drive and practice the intelligence gathering and analytics components to which I'm referring around the big-data conversation.

Gardner: I hear you talking about getting more data, being proactive, and knowing yourself, as an organization, in order to be better prepared for attacks. It sounds quite similar to what we have been hearing for many years from the management side of the things, the operations side, to know yourself to be able better maintain performance standards and therefore be able to quickly remediate when something went wrong.

Are we seeing a confluence between good IT management practices and good security practices, and should we still differentiate between the two?

Wahlin: As we move into the good management of IT, the good management of knowing yourself, there's a hygiene element that appears within the correlation end of the security industry. One of the elements that we look at, of course, is how to add all this additional complexity and additional capability into security and yet still continue to drive value to the business and drive costs out. So we look for areas of efficiencies and again we will draw many similarities.

As you understand the managing of your environments and knowing yourself, we'll begin to apply known standards that we'll really use in the governance perspective. This is where you will take your hygiene, instead of looking at a very elaborate risk equations. You'll have your typical "risk equals threat times vulnerability times impact," and what are my probabilities.

Known standards

It gets very confusing. So we're trying to cut cost out of those, saying that there are known standards out there. Let's just use them. You can use the ISO 27001, NIST 800-53, or even something like a PCI DSS. Pick your standard, and that then becomes the baseline of control that you want to do. This is knowing yourself.

With these controls, you apply them based on risk to the company. Not all controls are applied equally, nor should they be. As you apply the control based on risk, there is evaluation assessment. Now, I have a known baseline that I can measure myself against.

As you began to build that known baseline, did you understand how well you're doing from a hygiene perspective? These are all the things that you should be doing that give you a chance to understand what your problem areas are.

As you begin to understand those metrics, you can understand where you might have early-warning indicators that would tell you that that you might need to pay attention to certain types of threats, risks, or areas within the company.
There are two types of organizations -- those that have been hacked and those that know they're being hacked.

There are a lot of similarities as you would look at the IT infrastructures, server maintenance, and understanding of those metrics for early warnings or early indicators of problems. We're trying to do the same security, where we make it very repeatable. We can make it standards-based and we can then extend that across the company, of course always being based on risk.

Muller: There is one more element to that, Dana, such as the evolution of IT management through, say, a framework like ITIL, where you very deliberately break down the barriers between silos across IT.

Similarly, I increasingly find with security that collaboration across organizations -- the whole notion of general threat intelligence – forms one of the greatest sources of potential intelligence about an imminent threat. That can come from the operational data, or a lot of operational logs, and then sharing that situational awareness between the operations team is powerful.

At least this works in the experience that I have seen with many of our clients as they improve security outcomes through a heightened sense of what's actually going on, across the infrastructure with customers or users.

Gardner: Paul, as you’re traveling around and talking with a lot of organizations, do you sense that they're sharing Brett’s perception that risk is sort of the über concept, and that security and performance management fall under that? Or are they still sort of catching up to that concept, or even resisting it?

Muller: There's sort of a veiled security joke. There are two types of organizations -- those that have been hacked and those that know they're being hacked.

One of the greatest challenges we have in moving through Brett’s evolution that he described is that many executives still have the point of view that I have a little green light on my desktop, and that tells me I don’t have any viruses today. I can assume that my organization is safe. That is about as sophisticated a view of security as some executives have.

Increased awareness

Then, of course, you have an increasing level of awareness that that is a false sense of security, particularly in the financial services industry, and increasingly in many governments, certainly national government. Just because you haven't heard about a breach today, that doesn’t mean that one isn't actually either being attempted or is, in fact, being successful.

One of the great challenges we have is just raising that executive awareness that a constant level of vigilance is critical. The other place where we're slowly making progress is that it's not necessarily a bad thing to share negative experiences.

The culture 10 or 15 years ago was that you don’t talk about a breach; you bury it. Increasingly, we see companies like Heartland Payment Systems quite famously getting out there and being a big believer in sharing the patterns of breach that occurred to help others be more aware of how and when these things occur, but also increasingly sharing threat intelligence.

For example, if you're one bank and someone is attempting to break into your systems using a known pattern of attack, it's highly likely they're trying to do it with your peers. Given that your defenses between your peers and yourself might be slightly less than that between you and the outside world, it's a good idea to share that ahead of time. Getting back to Brett’s point, the heightened sense of threat intelligence is going to help you predict and respond more reliably.
We have to understand which ones of these we need to pay attention to and have the ability to not only correlate amongst ourselves at the company, but correlate across an industry.

Wahlin: Absolutely. We look at the inevitability of the fact that networks are penetrated, and they're penetrated on a daily basis. There's a difference between having unwanted individuals within your network and having the data actually exfiltrated and having a reportable breach.

As we understand what that looks like and how the adversaries are actually getting into our environment, that type of intelligence sharing typically will happen amongst peers. But the need for the ability to actually share and do so without repercussions is an interesting concept. Most companies won't do it, because they still have that preconceived notion that having somebody in your environment is binary -- either my green light is on, and it's not happening, or I've got the red light on, and I've got a problem.

In fact, there are multiple phases of gray that are happening in there, and the ability to share the activities, while they may not be detrimental, are indicators that you have an issue going on and you need to be paying attention to it, which is key when we actually start pointing intelligence.

I've seen these logs. I've seen this type of activity. Is that really an issue I need to pay attention to or is that just an automated probe that’s testing our defenses? If we look at our environment, the size of HP and how many systems we have across the globe, you can imagine that we see that type of activity on a second-by-second basis.

We have to understand which ones of these we need to pay attention to and have the ability to not only correlate amongst ourselves at the company, but correlate across an industry.

HP may be attacked. Other high-tech companies may also be attacked. We'll get supply-chain attacks. We look at various types of politically motivated attacks. Why are they hitting us? So again, it's back to the situational awareness. Knowing the adversary and knowing their motivations, that data can be shared. Right now, it's usually in an ad-hoc way, peer-to-peer, but definitely there's room for some formalized information sharing.

Information sharing

Muller: Especially when you consider the level of information sharing that goes on in the cybercrime world. They run the equivalent of a Facebook almost. There is a huge amount of information sharing that goes on in that community. It's quite well structured. It's quite well organized. It hasn’t necessarily always been that well organized on the defense side of the equation. I think what you're saying is that there's opportunity for improvement.

Wahlin: Yes, and as we look at that opportunity, the counterintelligence person in me always has to stand up and say, "Let's make sure that we're sharing it and we understand our operational security, so that we're sharing that in a way that we're not giving away our secrets to our adversaries." So while there is an opportunity, we also have to be careful with how we share it.

Muller: You, of course, wind up in the situation where you could be amplifying bad information as well. If you were paranoid enough, you could assume that the adversary is actually deliberately planting some sort of distraction at one corner of the organization in order to get to everybody focused on that, while they quietly sneak in through the backdoor.

Wahlin: Correct.

Gardner: Brett, returning to this notion of actionable intelligence and the role of big data as an important tool, where do you go for the data? Is it strictly the systems, the systems log information? Is there an operational side to that that you tap more than the equipment, more than the behaviors? What are the sources of data that you want to analyze in order to be better at security?
Let's make sure that we're sharing it and we understand our operational security, so that we're sharing that in a way that we're not giving away our secrets to our adversaries.

Wahlin: The sources that we use are evolving. We have our traditional sources, and within HP, there is an internal project that is now going into alpha. It's called Project HAVEn and that’s really a combination of ArcSight, Vertica, and Autonomy, integrating with Hadoop. As we build that out and figure out what our capabilities are to put all this data into a large collection and being able to ask the questions and get actionable results out of this, we begin to then analyze our sources.

Sources are obvious as we look at historical operation and security perspective. We have all the log files that are in the perimeter. We have application logs, network infrastructure logs, such as DNS, Active Directory, and other types of LDAP logs.

Then you begin to say, what else can we throw in here? That’s pretty much covered in a traditional ArcSight type of an implementation. But what happens if I start throwing things such as badge access or in-and-out card swipes? How about phone logs? Most companies are running IP phone. They will have logs. So what if I throw that in the equation?

What if I go outside to social media and begin to throw things such as Twitter or Facebook feeds into this equation? What if I start pulling in public searches for government-type databases, law enforcement databases, and start adding these? What results might I get based on all that data commingling?

We're not quite sure at this point. We've added many of these sources as we start to look and ask questions and see from which areas we're able to pull the interesting correlations amongst different types of data to give us that situational awareness.

There's still much to be done here, much to be discovered, as we understand the types of questions that we should be asking. As we look at this data and the sources, we also look at how to create that actionable intelligence.

Disparate sources

The type of analysts that we typically use in a security operations center are very used to ArcSight. I ingest the log and I see correlations. They're time-line driven. Now, we begin to ask questions of multiple types of data sources that are very disparate in their information, and that takes a different type of analyst.

Not only do we have different types of sources, but we have to have different types of skill sets to ask the right questions of those sources. This will continue to evolve. We may or may not find value as we add sources. We don’t want to add a source just for the heck of it, but we also want to understand that we can get very creative with the data as it comes together.

Muller: Brett makes a great point. There are actually two things that I think are important to follow up on here. The first is that, as it's true of every type of analytics conversation I am having today, everyone talks about the term "data scientist." I prefer the term "data artist," because there's a certain artistry to working out what information feeds I want to bring in.

Maybe "judgment" might be a better word in the context of security, a certain judgment or stylistic question in terms of what data feed I want to bring in. It's that creativity in terms of looking at something that doesn’t seem obvious from the outside, but could be a great leading indicator of potential threat.

The other element is that, once we've got that information, one of the challenges is that we don’t want to add to the overhead or the burden of processing that information. So it's being able to increasing apply intelligence to, as Brett talked about, mechanistic patterns that you can determine with traditional security information. Event management solutions are rather mechanistic. In other words, you apply a set of logical rules to them.
When you're looking at behavioral activities, rules may not be quite as robust as looking at techniques such as information clustering.

Increasingly, when you're looking at behavioral activities, rules may not be quite as robust as looking at techniques such as information clustering, where you look for hotspots of what seem like unrelated activities at first, but turn out later to be related.

There's a whole bunch of science in the area of crime investigation that we've applied to cybercrime, using some of the techniques, Autonomy for example, to uncover fraud in the financial services market. That automation behind those techniques increasingly is being applied to the big-data problem that security is starting to deal with.

Gardner: I was thinking that, too, Brett, when you were describing this opportunity to bring so much different information together. Yes, you would get some great benefits for security and risk purposes, but to Paul’s point, you also might have unintended consequences in terms of being able to better understand processes, operational efficiencies, and seeing market opportunities that you couldn’t see before.

Have you plumbed that at all? I know it's been a short time since you've been at HP, but are there ancillary paybacks that would be of a business interest in addition to being a security benefit?

Wahlin: Yes. As we further evaluate these data sources and the ability to understand, I believe that the insight into using the big data, not only for security, but as more of a business intelligence (BI) type of perspective has been well-documented. Our focus has really been on trying to determine the patterns and characteristics of usage.

Developing patterns

While we look at it from a purely security mindset, where we try to develop patterns, it takes on a counter-intelligence way of understating how people go, where people go, and what do they do. As people try to be unique, they tend to fall into patterns that are individual and specific to themselves. Those patterns may be over weeks or months, but they're there.

Right now, a lot of times, we'll be asked as a security organization to provide badge swipes as people go in and out of buildings. Can we take that even further and begin to understand where the efficiency would come in based on behaviors and characteristics with workforces. Can we divide that into different business units or geography to try to determine the best use of limited resources across companies? This data could be used in those areas.

The unintended consequence that you brought up, as we look at this and begin to come up with patterns of individuals, is that it begins to reveal a lot about how people interact with systems -- what systems they go to, how often they do things -- and that can be used in a negative way. So there are privacy implications that come right to the forefront as we begin to identify folks.

That that will be an interesting discussion going forward, as the data comes out, patterns start to unfold, patterns become uniquely identifiable to cities, buildings, and individuals. What do we do with those unintended consequences?
There are always situations where any new technology or any new capability could ultimately be used in a negative fashion.

It's almost going to be sort of a two-step, where we can make a couple of steps forward in progress and technology, then we are going to have to deal with these issues, and it might take us a step back. It's definitely evolving in this area, and these unintended consequences could be very detrimental if not addressed early.

We don’t want to completely shut down these types of activities based on privacy concerns or some other type of legalities, when we could actually potentially solve for those problems in a systematic perspective, as we move forward with the investigation of the usage of those technologies.

Muller: The concern that Brett raises is the flip side of a conversation I've been having surprisingly frequently, and it’s partly as a result of heightened awareness of some of the reported intelligence gathering activities associated with national governments around the world and the concerns as relates to privacy.

The flip side of this that we need to keep in mind is that, going back to the unintended consequences conversation, every technology that we introduce, whether it's the car, cell phone, or pocket camera, all can have obviously great positive effects. We can put them to great use. There are always situations where any new technology or any new capability could ultimately be used in a negative fashion by bad people, or sometimes even unintentionally.

The question we always need to bear in mind here is, as Brett talks about it, what are the potential unintended consequences? How can we get in front of those potential misuses early? How can we be vigilant of those misuses and put in place good governance ahead of time?

There are three approaches. One is to bury your head in the send and pretend it will never happen. Second is to avoid adopting a technology at all for fear of those unintended consequences. The third is to be aware of them and be constantly looking for breaches of policy, breaches of good governance, and being able to then correct for those if and when they do occur.

Closed-loop cycle

Gardner: Just briefly, if the governance can be put in place, and privacy protections maintained, the opportunity is vast for a tight closed-loop cycle -- of almost a focus group -- in real time of what employees are doing with their systems, what applications they use, and how.

This can be applied to product development and, for a company like HP in the technology product development field, it could be a very, very powerful and valuable data, in addition, of course, to being quite powerful for security and risk-reduction purposes.

So it’ll be a very interesting next few years, certainly with HAVEn, Vertica and HP’s security businesses. They're probably a harbinger of what other organizations will be doing. Going back to HP, Brett, tell us a bit about what you think HP is doing that will set the stage and perhaps help others to learn how to get started in terms of better security and better leveraging of big data as a tool for better security.

Wahlin: As HP progresses into the predicted security front, we're one of, I believe, two companies that are actually trying to understand how to best use HAVEn as we begin the analytics to determine the appropriate usage of the data that is at our fingertips. That takes a predictive capability that HP will be building.
The lagging piece of this would be the actual creation of agile security.

We've created something called the Cyber Intelligence Center. The whole intent of that is to develop the methodologies around how the big data is used, the plumbing, and then the sources for which we actually create the big data and how we move logs into big data. That's very different than what we're doing today, traditional ArcSight loggers and ESMs. There are a lot of mechanics that we have to build for that.

Then, as we move out of that, we begin to look at the actual actionable intelligence creation to use the analytics. What questions should we ask? Then, when we get the answer, is it something we need to do something about? The lagging piece of this would be the actual creation of agile security. In some places, we even call it mobile security, and it's different than mobility. It's security that can actually move.

If you look at the war-type of analogies, back in the day, you had these columns of men with rifles, and they weren’t that mobile. Then, as you got into mechanized infantry and other types of technologies came online, airplanes and such, it became much more mobile. What's the equivalent to that in the cyber security world, and how do we create that.

Right now, it's quite difficult to move a firewall around. You don’t just unplug or re-VLAN a network. It's very difficult. You bring down applications. So what is the impact of understanding what's coming at you, maybe tomorrow, maybe next week? Can we actually make a infrastructure such that it can be reconfigured to not only to defend against that attack, but perhaps even introduce some adversarial confusion.

I've done my reconnaissance. It looks like this. I come at it tomorrow, and it looks completely different. That is the kill chain that will set back the adversary quite a bit, because most of the time, during a kill chain, it's actually trying to figure out where am I, what I have, where the are assets located, and doing reconnaissance through the network.

So there are a lot of interesting things that we can do as we come to this next step in the evolution of security. At HP, we're trying to develop that at scale. Being the large company that we are, we get the opportunity to see an enormous amount of data that we wouldn’t see if we are another company.

Numerous networks

For example, HP has millions of IP addresses and subnets that are out there. We have to try to account for and figure out what's happening on any one of these networks. This gives us insight to the types of traffic, types of application configurations, types of interconnects between different subnets, types of devices, anything from printers all the way through unreleased operating systems.

How do you deal with things such as manufacturing supply chains, that are all connected to these networks. Those types of inputs begin to create the methodologies that feed into the an upcoming cyber intelligence center.

Gardner: Paul, it almost sounds as if security is an accelerant to becoming a better organization, a more data-driven organization which will pay dividends in many ways. Do you agree that security is still necessary, still pertinent, now that it's perhaps forcing the hand of organizations to modernize in ways that they may not have done, if we weren’t facing such a difficult security environment?

Muller: I completely agree with you. Information security and the arms race, quite literally the analogy, is a forcing function for many organizations. It would be hard to say this without a sense of chagrin, but the great part about this is that there are actually technologies that are being developed as a result of this. Take ArcSight Logo as an example, as a result of this arms race.
Just as the space race threw up a whole bunch of technologies like Teflon or silicon adhesives that we use today, the the security arms race is generating some great byproducts.

Those technologies can now be applied to business problems, gathering real-time operational technology data, such as seismic events, Twitter feeds, and so forth, and being able to incorporate those back in for business and public-good purposes. Just as the space race threw up a whole bunch of technologies like Teflon or silicon adhesives that we use today, the the security arms race is generating some great byproducts that are being used by enterprises to create value, and that’s a positive thing.

Gardner: Last word to you, Brett, before we sign off. Do you concur on this notion of security as an imperative, but that has a greater longer term benefit?

Wahlin: Absolutely. The analogy of the space race is perfect, as you look at trying to do the security maturation within an environment. You begin to see that a lot of the things that we're doing, whether it's understanding the environment, being able to create the operational metrics around an environment, or push into the fact that we've got to get in front of the adversaries to create the environment that is extremely agile is going to throw off a lot of technology innovations.

It’s going to throw off some challenges to the IT industry and how things are put together. That’s going to force typically sloppy operations -- such as I am just going to throw this up together, I am not going to complete an acquisition, I don’t document, I don't understand my environmental -- to clean it up as we go through those processes.

The confusion and the complexity within an environment is directly opposed to creating a sense of security. As we create the more secure environment, environments that are capable of detecting anomalies within them, you have to put the hygienic pieces in place. You have to create the technologies that will allow you to leapfrog the adversaries. That’s definitely going to be both a driver for business efficiencies, as well as technology, and innovation as it comes down.

Gardner: Well, very good. I'm afraid we will have to leave it there. We've been exploring how IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business in cyber land and we have been learning through an example of HP and how it's adapting its well.

So with that please join me in thanking our cohost, Paul Muller, the Chief Software Evangelist at HP Software. Thanks so much, Paul.

Muller: It's a pleasure, Dana.

Gardner: And I would like to thank our supporter for this series HP Software and remind our audience to carry on the dialog with Paul through his blog, tweets, and The Discover Performance Group on LinkedIn.You can also follow more HP security ideas on these products and research blogs.

Then lastly, a huge thank you to our special guest, Brett Wahlin, Vice President and Global Chief Information Security Officer at HP. Thanks so much, Brett.

Wahlin: Thank you, Dana, and thanks, Paul.

Gardner: And you can gain more insight and information on the best in IT performance management at HP.com/go/discoverperformance and you can always access this and other episodes in ongoing HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation. Thanks again for listening and comeback next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.
Follow the HP Protect 2013 activities next week, Sept. 16-19.


Transcript of a BriefingsDirect podcast on how increased and more sophisticated attacks are forcing enterprises to innovate and expand security practices to not only detect, but predict system intrusions.  Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:

Thursday, July 11, 2013

Defining the New State for Comprehensive Enterprise Security Using CSC Services and HP Security Technology

Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Gardner
Once again, we're focusing on how IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business online. I am now joined by our co-host for this sponsored podcast series, Paul Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you?

Paul Muller: I'm great, Dana. Thanks for having me back. It's good to be back, and I'm  looking forward to a great conversation.

Gardner: We do have a fascinating discussion today. We’re going to be learning how HP’s Strategic Partner and IT services and professional services global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape. Let's welcome our guests, Dean Weber, Chief Technology Officer, CSC Global Cybersecurity. Welcome, Dean.

Dean Weber: Hi, Dana. Happy to be here.

Gardner: Great to have you. And we’re also joined by Sam Visner, Vice President and General Manager, CSC Global Cybersecurity. Welcome.

Sam Visner: Thank you, and thanks for having us. We’re very grateful. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Gardner: This is obviously a hot topic. Now, we can sit here and gnash our teeth, and people can head to the hills, but I don't think that's going to do any good. Let's start with you, Dean. What is the scale of the threat here? Are we only just catching up in terms of the public perception of the reality? How different is the reality from the public perception?

Weber: The difference is night and day. The reality is that we are under attack, and have been for quite some time. We are, as Sam likes to put it, facing a weapons-grade threat.

Gardner: Is there something that people are missing in terms of understanding the threat, not just in the severity, but perhaps something else?

Visner: When I think about the threat, I think about several things happening at once. The first thing is that we’re asking IT, on which we depend, to do more. It's not just emails, collaboration, documents, and spreadsheets. It isn’t even just enterprise systems.

IT for manufacturing

It extends all the way down to the IT that we use for manufacturing, to control power plants, pipelines, airplanes, centrifuges, and medical devices. So, the first thing is that we’re asking IT to do more, and therefore there's more to defend. Secondly, the stakes are higher. It's not just up to us.

Visner
Government has said that the cybersecurity of the private sector is of public concern. If you're a regulated public utility for power, water, healthcare, finance, or transportation, your cybersecurity is an issue of public interest. So, this isn’t just the public cybersecurity, it's the cybersecurity of the private sector, which is in the public interest.

Third is the point that Dean made, and I want to elaborate on it. The threat is very different.

Today, intellectual property, whether or not it's possessed by the public sector or the private sector, if it's valuable, if it's worth something. It's worth something to a bad guy who wants to steal it. And if you have critical infrastructure that you’re trying to manage, and a bad guy may want to disrupt it, because their government may want to be able to exercise power.

And the threats are different. The threats are not just technically sophisticated. That's something a hacker, a teenager, can do. In addition to being technically sophisticated, they’re operationally sophisticated.
The threats are not just technically sophisticated. That's something a hacker, a teenager, can do.

That means this is foreign governments, or in some cases, foreign intelligence services that have the resources and the patience to study a target, a company, or a government agency over a long period of time, use social networking to figure out who has administrative privileges inside of that organization, and use that social networking to identify people whom they may want to subvert and who may help them in introducing malware.

Then, once they have decided what information they want, who safeguards it, they use their technical sophistication to follow up on it to exploit their operational knowledge. This is what differentiates a group of hackers, who maybe technically very bright, from an actual nation-state government that has the resources, the discipline, the time, and the patience to stick with the target and to exploit it over a long, long period of time.

So, when we use the term "weapons grade," what we mean is a cyber threat that's hard to detect, that's been wielded by a foreign government, a foreign armed force, or a foreign intelligence service -- the way a foreign government wields a weapon. That's what we’re really facing today in the way of cybersecurity threats.

Muller
Muller: You asked if the headlines are simply reflecting what has always been going on, and I think the answer is, yes. Definitely, there is an increased willingness of organizations to share the fact that they have been breached and to share what some of those vulnerabilities have been.

That's actually a healthy thing for society as a whole, rather than pretending that nothing is going on. Reporting the broken window is good for everybody. But, the reality is the sophistication and the scale of attacks as we have just heard, have gone up and have gone up quite measurably.

Cost of cybercrime

Every year we conduct a Cost of Cyber Crime Study with the Ponemon Institute. If we look just at the numbers between 2010 and 2012, from the most recent study in October, the cost impact of cyber crime has gone up 50 percent over that period of time. The number of successful attacks has gone up by two times. And the time to resolve attack is almost doubled as well. So it has become more expensive, greater scale, and it's becoming more difficult to solve.
The number of successful attacks has gone up two times. And the time to resolve attack is almost doubled as well.

Gardner: What strikes me as being quite different from the past, too, is when businesses encountered risks, even collective risks, they often had a law enforcement or other regulatory agency that would come to their rescue.

But, in reading the most recent The New Yorker, the May 20 issue, in an article titled Network Insecurity by John Seabrook, Richard McFeely, the Executive Assistant Director of the F.B.I, says quite straightforwardly, "We simply don't have the resources to monitor the mammoth quantity of intrusions that are going on out there."

So, enterprises, corporations, governments even can't really wait for the cavalry to come riding in. We’re sort of left to our own devices, or have I got that a little off-base, Dean?

Weber: The government can provide support in talking about threats and providing information about best practices, but overall, the private sector has a responsibility to manage its own infrastructures. The private sector may have to manage those infrastructures consistent with the public interest. That's what regulation means.

Weber
But the government is not going to provide cybersecurity for power companies’ power grid or for pharmaceutical companies’ research program. It can insist that there be good cybersecurity, but those organizations have always had to manage their own infrastructures.

Today, however, the threat to those infrastructures and the stakes of losing control of those infrastructures are much higher than they have ever been. That's what's amplified now.

There is also a tradeoff that can be done there in terms of how the government shares its threat intelligence. Today, threat intelligence shared at the highest levels generally requires a very, very high level of security, and that puts it out of reach of some organizations to be able to effectively utilize, even if they were so desirous.

So as we migrate ourselves into dealing with this enhanced threat environment, we need to also deal with the issues of enhancing the threat intelligence that we use as the basis of decision.

Gardner: Well, we've defined the fact that the means are there and that the incidences are increasing in scale, complexity, and severity. There is profit motive, the state secrets, and intellectual-property motives. Given all of that, what's wrong with the old methods?

Current threat

Weber: Against the current state-of-the-art threat, our ability to detect them, as they are coming in or while they are in has almost diminished to the point of non-existence. If we're catching them at all, we're catching them on the way out.

We've got to change the paradigm here. We've got to get better at threat intelligence. We've got to get better at event correlation. We've got to get better at the business of cybersecurity. And it has to be a public-private partnership that actually gets us there, because the public has an interest in the private infrastructure to operate its countries. That’s not just US; that’s global.

Visner: Let me add a point to that that’s germane to the relationship between CSC and HP Software. It's no longer an issue of finding a magic bullet. If I could just keep my antivirus up to fully updated, I would have the best signatures and I would be protected from the threat. Or if my firewall were adequately updated, I will be well protected.

Today, the threat is changing and the IT environment that we're trying to protect is changing. The threat, in many cases, doesn’t have a known signature and is being crafted by nations/states not to have it. Organizations ought to think twice about trying to do these themselves.

Our approach is to use a managed cybersecurity service that uses an infrastructure, a set of security operation centers, and an architecture of tools. That’s the approach we're using. What we're doing with HP Software is using some key pieces of HP Software technology to act as the glue that assembles the cybersecurity information management architecture that we use to manage the cybersecurity for Global 1000 companies and for key government agencies.
Customers, who try to manage a piece at a time, invariably get into trouble, because they can't do it.

Our security operations centers have set of tools, some of which we've developed, and some of which we've sourced from partners, bound together with HP’s ArcSight Security Information and Event Management System. This allows us to add new tools, as we need to retire old tools, when they are no longer useful.

They do a better job of threat correlation and analysis, so that we can help organizations manage that cybersecurity in a dynamic environment, rather than leave them to the game of playing Whac-A-Mole. I've got a new threat. Let me add a new tool. Oh, I've got another new threat. Let me add another new tool. That's opposed to managing the total environment with total visibility.

So that managed cybersecurity approach is the approach that we're using, and the role of HP Software here is to provide a key technology that is the sort of binder, that is the backbone for much of that architecture that allows us to manage organically, as opposed to a piece at a time.

Customers, who try to manage a piece at a time, invariably get into trouble, because they can't do it. They're always playing catch up with the latest threat and they are always at least one or two steps behind that threat by trying to figure out what is the latest band-aid to stick over the wound.

Increased sophistication

Muller: Sam makes a great point here, Dana. The sophistication of the adversary has risen, especially if you're in that awkward position -- you're big enough to be interesting to an attacker, especially when it’s motivated by money, but you are not large enough to have access to up-to-date threat information from some of the intelligence agencies of your national government.

You're not large enough to be able to afford the sort of sophisticated resources who are able to dedicate the time taken to build and maintain honey pots to understand and hang out in all of the deep dark corners of the internet that nobody wants to go to.

Those sort of things are the types of behaviors you need to exhibit to stay ahead, or at least to not get behind, of those threat landscape. By working with an organization that has that sort of capacities by opting for managed service, you're able to tap into a skill set that’s deeper and broader and that often has an international or global outlook, which is particularly important. When the threat is distributed around the planet, your ability to respond to that needs to be distributed likewise.

Gardner: So I'm hearing two things. One that this is a team sport. I'm also hearing that this is a function of better analytics -- of really knowing your systems, knowing your organization, monitoring in real time, and then being able to exploit that. Maybe we could drill down on those. This new end-state of a managed holistic security approach, let's talk about it being a team sport and a function of better analytics. Sam?

Visner: There's no question about it. It is a team sport. Fortunately, in the United States and in a few other countries, people recognize that it's a team sport. More and more, the government has said that the cybersecurity of the private sector is an issue of public interest, either to regulation, standards regulation, or policy.
There's no question about it. It is a team sport.

More and more in the private sector, people have realized that they need threat information from the government, but there are also accruing threat information they need to share with the government and proliferate around their industries.

That has happened, and you can see coming out of the original Comprehensive National Cybersecurity Initiative of 2006-2007, all the way to the current recent executive order from the President of the United States, that this is a team sport. There is no question about that.

At the same time, a lot of companies are now developing tools that have APIs, programming interfaces that allow them to work together. Tools like ArcSight provide an environment that allows you to integrate a lot of different tools.

What's really changing is that global companies like CSC have become a global cybersecurity provider based on the idea that we will do this as a partner. We're not going to just sell a tool to a customer. We're going to be their partner to manage this environment.

More and more, they have the discussion underway about improved information sharing from the government to the private sector, based on intelligence information that might be provided to the private sector, and the private sector being provided with more protected means to share information relating to incidents, events, and investigations with the public sector.

Team sport

At the same time, enterprises themselves know that this has to be a team sport within an enterprise. It used to be that the email system was discreet, or your SAP system was discreet, inside of an enterprise. That might have been 10 years ago. But today, these things are part of a common enterprise and tomorrow they're going to be part of a common enterprise, where these things are provided as a service.

And the day after that, they'll be provided as a common enterprise with these things as a service on a common infrastructure that we call a cloud. And the day after that, that cloud will extend all the way down to the manufacturing systems on the shop floor, or the SCADA systems that control a railway, a pipeline, or the industrial control systems that control a medical device or an elevator, all the way out to 3D manufacturing.
The cybersecurity partner and the enterprise have to work together with the public sector and with regulatory and policy authorities.

The entire enterprise has to work together. The enterprise has to work together with its cybersecurity partner. The cybersecurity partner and the enterprise have to work together with the public sector and with regulatory and policy authorities. Governments increasingly have to work together to build a secured international ecosystem, because there are bad actors out there who don’t regard the theft of intellectual property as cyber crime.

Now fortunately, people get this increasingly and we're working together. That’s why we're finding partners who do the manage cybersecurity, and finding partners who can provide key pieces of technology. CSC and HP is an example of two companies working together in differentiated roles, but for a common and desirable outcome.

Three-step process

Weber: So let me think about how we chop this up, Dana. It’s a three-step process. The first is see, understand, and act -- at the risk of trivializing the complexity of approaching the problem. Seeing, as Sam has already pointed out, is to just try to get visibility of intent to attack, attacks in progress, or worse case, attacks that have taken place, attacks in progress, and finally, how we manage the exfiltration process.

Understanding is all about trying to unpack the difference between "bragging rights attacks," what I call high-intensity but low-grade attacks in terms of cyber threat. This is stuff that’s being done to deface the corporate website. Don’t get me wrong, it’s important, but in this scheme of things, it’s a distraction from some of the other activities that’s taking place. Also understanding is in terms of shifting or changing your compliance posture for some sort of further action.

Then, the last part is acting. It’s not good enough to simply to understand what’s going on, but it’s shutting down attacks in progress. It’s being able to take proactive steps to address breaches that may exist and particularly to address breaches in the underlying software.

We have always been worried about protecting the perimeter of our organization through the technologies, but continue to ignore one of the great issues out there, which is that software itself, in many cases, is inherently insecure. People are not scanning for, identifying, and addressing those issues in source code and binary vulnerability.

Gardner: Well, it certainly sounds to me as if we're going after this new posture with added urgency because of cybersecurity, but it’s dovetails with a lot of what companies should have been doing for a lot of reasons. That is to get to know yourself better, know your systems better, putting in diagnostics and monitoring capabilities, and elevating those to a more centralized approach for management and reporting.
These are investments that will pay back dividends in many ways, in addition to helping you mitigate risk.

Cybersecurity is a catalyst, but these are going to make companies more healthy. These are investments that will pay back dividends in many ways, in addition to helping you mitigate risk. Any thought about why this is just good business, not just good cyber-security prevention? Sam.

Visner: Security is a journey. Paul was saying that organizations have to stay up with it. They can’t just rest on their laurels regarding their defenses. They have to continually evolve with the threat and to do that means that, as we get better at one level of security, another level of security becomes the low hanging fruit. As we get better at infrastructure security, application security becomes more of an issue.

And organizations aren’t doing the appropriate level of source code and binary scanning. They aren’t doing the ad hoc or interval scanning that is necessary to make sure that their applications not only were developed correctly, but they were also deployed correctly, and remain correctly deployed throughout their lifecycle.

Again, this is where integration of the technologies that are available to us today and that has never been done before is important for organizations to consume. With that being said, this is a huge undertaking, to be able to include your application code scanning in with your security event and information management is a difficult prospect. But it's one that CSC and HP have collectively decided to take up.

Muller: Having terrified everybody, shall we talk about next steps?

Gardner: We're coming up a bit on the end of our time. Before we sign out, I'd like to try to do just that. What are some of the two or three major pillars that organizations should start to inculcate as a culture, as a priority, given how pervasive these issues are, how existential they are, for some many companies and organizations? What do you have to do in terms of thinking differently in order to start really positioning yourself to be proactive and aggressive in this regard? Let's go down our list of speakers. Let's start with you, Sam.

Visner: The first thing is that you’ve got to make an adequate assessment of the kind of organization you are. The role information and information technology plays in your organization, what we use the information for, and what information is most valuable. Or conversely, what would cause you the great difficulty, if you were to either lose control of that information or confidence in its integrity.

That has to be done not just for one piece of an enterprise, but for all pieces of the enterprise. By the way, there is a tremendous benefit, because you can re-visualize your enterprise. You can sort of business-process reengineer your enterprise, if you know on and what information you rely, what information is most valuable, what information, if was to be damaged, would cause you the most difficulty.
Rather than trying to manage it yourself, get a confident managed cyber-security services provider.

That’s the first thing I would do. The second thing is, since as-a-service is the way organizations buy things today and the way organizations provide things today, consider taking a look at cybersecurity as a service.

Rather than trying to manage it yourself, get a confident managed cyber-security services provider, which is our business at CSC, to do this work and be sure that they are equipped with the right tools and technologies, such as ArcSight Security Information and Event Management and other key technologies that we are sourcing from HP Software.

Third, if you're not willing to have somebody else manage it for you, get a managed cybersecurity services provider to build up your own internal cybersecurity management capabilities, so that you are your own managed cybersecurity services provider.

Next, be sure you understand, if you are part of critical infrastructure -- and there are some 23 critical infrastructure sectors -- what it is that you are required to do, what standards the government believes are pertinent to your business.

What information you should have shared with you, what information you are obligated to share, what regulations are relevant to your business, and be sure you understand that those are things that you want to do.

Strategic investment

Next, rather than trying to play Whac-A-Mole, having made these decisions, determine that you're going to make a strategic investment and not think of security as being added on and what's the least you need to do, but realize that cybersecurity is as organic to your value proposition as R&D is. It's as organic to your value proposition as electricity is. It's as organic to your value proposition as the good people who do the work. It's not once the least you need to do, but what are the things that contribute value.

Cybersecurity doesn’t just protect value, but in many cases, it can be a discriminator that enhances the value of your business, particularly if your business either relies on information, or information is your principal product, as it is today for many businesses in a knowledge economy. Those are things that you can do.

Lastly, you can get comfortable with the fact that this is a septic environment. There will always be risks. There will always be malware. Your job is not to eliminate it. Your job is to function confidently in the midst of it. You can, in fact, get to the point, both intellectually and emotionally, where that’s a possibility.

The fact that you can have an accident doesn’t deter us from driving. The fact that you can have a cold doesn’t deter us from going out to dinner or sending our kids to school.

What it does is make sure that we're vaccinated, that we drive well, that we are competent in our dealings with the rest of the society, and that we're prudent, but not frightened. Acting as if we are prudent, but not frightened, is a step we need to take.
It's as organic to your value proposition as the good people who do the work.


Our brand name is CSC Global Cybersecurity. The term we use is Cyber Confidence. We're not going to make you threat proof, but we will make you competent and confident enough to be able to operate in the presence of these threats, because they are the new norms. Those are the things you can do.

Gardner: Dean, quickly, a number of things from your perspective that our top of line thoughts, and perceptions, ideas that people should consider as they move to this new posture?

Weber: In addition to what Sam talked about, I'm a huge fan of data classification. Knowing what to protect, gives you the opportunity to decide how much protection is necessary by whatever data classification that is.

Whether that’s a risk management framework like FISMA, or it’s a risk management framework like the IL Series Controls of the UK Government or similar in Australia, these are risk management frameworks. They are deterministic about the appropriate level of security. Is this public information, in which case all you have to do is worry about whether it’s damaged and how to recover if and when it is? Or is this critical? Is this injurious to life, limb, or the pursuit of profits? And if it is, then you need to apply all the protections that you can to it.

And last but not least, again, as I pointed out earlier, our ability to detect every intrusion is almost nil today. The state of the threat is so far advanced. Basically, they can get in when they want to, where they want to.

They can be in for a very long period of time without detection. I would encourage organizations to beef up their perimeter controls for egress filtering and enclaving, so that they have the ability to manage the data that is being actually traded out of their networks.

Cultural shift

Gardner: Paul Muller, last word to you, top of the line thoughts, cultural shift what is the new rethinking that needs to take place to get to this new posture?

Muller: There has been so much great content today that summarizing the action is going to be challenging. Sam made a point. It’s important to be alert, but not alarmed. Do not let security send you into a sense of panic and inaction. Don’t hire an organization to help you write security policy that then just sits on the shelf. A policy is not going to give you security. It’s certainly not going to stop any of bad guys from exfiltrating any of that information that you have.

I'll say a couple of things. First, it’s not like buying an alarm and locks for your organization. Before, physical security was kind of a process you went through, where you started, it had a start and middle and an end. This is an ongoing process of continually identifying incoming threats and activities from an adversary that is monetized and has a lot to gain from their success.

It’s an ongoing process. As a result, as we said earlier today, security is a team sport. Find a friend who does it really well and is prepared to invest on an ongoing manner to make sure that they're able to stay here.

I'd concur with Dean's point as well. Ultimately, it's about the exfiltrating of your data. Put in place processes that help you understand the information that is leaving your organization and take steps to mitigate that as quickly as possible. Those are my highest priorities.
This is an ongoing process of continually identifying incoming threats and activities from an adversary that is monetized and has a lot to gain from their success.

I'd also add that if you're having trouble identifying some of the benefits for your organization, and even having trouble trying to get a threat assessment prioritized in your organization, have a look at the Cost of Cyber Crime Study that we've conducted across the Globe, United Kingdom, Germany, Australia, Japan and of course the US, was the third in the series, now we do it annually. You can get to hpenterprisesecurity.com and get a copy of that report and hopefully shift a few of the, maybe more intransigent people in your organization to action.

Gardner: Well I'm afraid we will have to leave it there. We've been learning how HP’s Strategic Partner and IT Services and Professional Services, global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape.

I like to thank our supporter for this series, HP Software and remind our audience to carry on the dialogue with Paul Muller and others through their blog tweets and their Discover Performance Group on LinkedIn, and I'd also like to thank our co-host Paul Muller.

Muller: Always a pleasure.

Gardner: And also huge thanks to our special guests, Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity. Thank you, Dean.

Weber: Thank you.

Gardner: And also Sam Visner, the Vice President and General Manager there at CSC Global Cybersecurity. Thanks so much, sir.

Visner: Thank you, it's been a pleasure.

Gardner: And a last thank you to our audience for joining this special HP Discovered Performance Podcast. You can learn more about the best of IT Performance Management at www.hp.com/go/discoverperformance and you can always access this in other episodes of our HP Discover Performance Series on iTunes under to BriefingsDirect.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this on going discussion of IT innovation and how it's making an impact on people's lives. Thanks again for listening and comeback next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in: