You may be asking yourself what threat modeling is and why it is important. In this episode, you're going to find out that healthcare has been under attack for a slew of reasons during the past ten years. Threat modeling, very simply put, is a way to model threats. Whether you are in healthcare tech or an insurance provider advocate, there is a benefit to understanding who your adversaries are and where you are vulnerable to threat actors.
Tony UcedaVélez: Hi, everybody, I'm Tony UcedaVélez. I'm the CEO and founder of VerSprite.
VerSprite is a cybersecurity company. We're globally focused and based out of Atlanta, Georgia, with a presence in Europe, South America, and North America. I'm also the Atlanta chapter leader for WASP, the open Web Application Security Project for the past ten years.
Last but not least, I'm an author. I wrote "Risk-Centric Threat Modeling" in 2015. It's a book around application threat modeling with a risk-centric approach.
Sierra: Thanks for providing some initial info about yourself. Paul, can you give us a background on yourself and your mission here at Paubox?Paul Giovacchini: My name is Paul Giovacchini. I have been a Customer Success Manager for about a decade. Saying that gives me a little bit of courage because I can't believe it's been that long.
I joined Paubox about a year ago. Our mission here is to make sure that our customers are getting the most out of the product. Any features, improvements, or feedback that the customers have, I bring it back to our product team to ensure that we deliver on to those requests.
Sierra: Okay, great. Thanks so much for that information, Paul. Tony, can you provide some background on VerSprite? Why did you start the company, what services you provide, where you guys are located, things of that nature?Tony: I was a senior director at a Fortune 50 organization. I was doing many things like Application Risk Management, Third-party Supply chain, Risk Management, and stuff like that. I was actually on the side of the business ordering services from different consultancies worldwide—groups like the Big Four. I saw an opportunity to go through the common deliverables that I got from some of these consultancy places, and I decided to start my consultant group.
The focus of VerSprite is meant to tailor that gap that I saw, which was a company that was strong in technical areas of cybersecurity, but at the same time had strong business acumen. I saw that there was oftentimes a disassociation of understanding the business context need for cybersecurity or tailoring the results of cybersecurity for the business.
So, in essence, VerSprite came out, which is a unique name. Its roots in terms of its name origin, versus is Latin for truth and sprite is Greek for spirit. So I wanted to begin a true spirited consulting practice that was globally focused, which was more risk-based for our audiences. It's resonated well with many of our clients today, in which we have over 200.
We have five different business areas. We have a security operations team, a group governance and compliance team, an offensive security team, and a research team. So that's at a high level really about the origin of VerSprite and how we came about.
Sierra: Tony, what is your website so that our listeners, if they want more information, can find you guys on google.Tony: Absolutely, it's www.VerSprite.com. You can find us on Twitter as well as Linkedin. We have a company page. Most of our ramblings are really about cybersecurity on multiple different threads as it pertains to healthcare—the technology-evolving threat landscape and so forth.
Sierra: Oh yeah, that would be great for our listeners. Thanks for providing that information. Tony, I know we talked a bit about your book titled "Risk-Centric Threat Modeling" in 2015. Can you tell us a little bit more about that and if there are any learnings or best practices that would pertain to our listeners in the healthcare space?Tony: Healthcare has been under attack for a good while because of a lot of different reasons. I think that attackers have moved away from the financial sector just a little bit and have set their eyes for the past ten years in healthcare.
That's because of some low-hanging fruit that they thought was appetizing to them as threat actors. Still, threat modeling is a way to model threats and any healthcare organization, whether in healthcare technology, healthcare system, or an insurance provider.
There are now considerations and many benefits that come out of modeling your threats and understanding who your adversary is. Like what are they after, and based upon those things, how much of a pain point will you cause you?
So the book that I co-authored in 2015 with my co-leader Mark Maronna. This one was risk-centric and what that means is we wanted to prove for the readers, "how do you prove that something is risky for a product owner,” or for an information owner or data owner within a business entity. So we came up with this seven-step process called PASTA, it's an acronym that stands for "process for attack simulation and threat analysis."
It's meant to be a linear step by step process so that if you've never done threat modeling before, you can go through these steps and perform various activities underneath those steps to build a model of threats against an application, product, or data environment that you might have in the cloud.
Sierra: Okay, awesome, and I would ask you about your risk-based approach to security. Is there anything else about that approach that you would like to mention?Tony: Everyone talks about risk-based in different circles, and it's dissecting that equation of risk equals threat, times probability, times impact, over some form of like controller countermeasure that stops all the bad things from happening.
A risk-centric approach is like trying to prove the most likely threats that could affect a healthcare entity, their product, maybe an application, a patient portal, etc., and the vulnerabilities associated with that. It doesn't have to be necessarily a technical vulnerability in the sense of a bug or a flaw. It could also be a poor design. That also counts as a weakness or vulnerability, and then often, you know, the variable that's very elusive to many risk professionals is the impact.
What is the business that data loss translates to in terms of hard dollars for litigation representation letters? This is going out; you know, any loss of accreditation where there's a number of different things that could spell financial fallout from an impact against a product or service.
The PASTA approach tries to look at not just risk but residual risk.
The last variable that I didn't talk about was the controls or countermeasure. What sort of things do you already have in your environment that are already safeguarding different types of threats you are building in your threat model.
For example, trying to look at the likelihood of extortion through ransomware. How would ransomware get into your environment, would it affect your cloud environment, and looking at you know what vulnerabilities are associated with that type of threat. What is the likelihood of that sort of threat happening, and what would be the impact.
What sort of countermeasures does your organization already have, or does your application already have it to reduce some of that risk where the residual risk analysis comes to life. This is at the heart of the risk-centric approach for threat modeling.
Sierra: Alright. Beyond VerSprite, you run the OWASP Atlanta, Ga Chapter, as you mentioned. Do you mind providing some more information on this organization?Tony: It's a great organization. I mean, it's been around for about 12 or 13 years, and it focuses on application security. It stands for Open Web Application Security Project. It has a member base of over 40,000 members worldwide and across the globe.
Some professionals work for Boeing, Coca-Cola, Google, and Twitter. You know the list goes on and on where there are engineers, programmers, developers, etc., that have partaken in various degrees to participate within the same mission. This is that everyone wants secure applications to secure data.
There are many project tools and references that have come about from a global collaboration of leaders, lawyers, engineers, developers, architects, etc.
So if you haven't heard of OWASP and you want to check out free resources that might be beneficial to you, especially if you're in the healthcare tech industry, and want to be able to elevate your maybe security architecture game or improve your secure coding skills, then there's a plethora of different things and projects out there that you can leverage for free right and that website is www.OWASP.org.
Sierra: Yeah, that's great. You know that we're always looking for resources to give our listeners in the healthcare space. That is a new resource that I have not heard on the podcast before. Tony, what provoked your need for Paubox Inbound Security and ExecProtect.Tony: We're big believers in Paubox. We work with a lot of different covered entities that are out there that automatically become business associates. So, information security data is extremely important now as security professionals, especially as a consulting group. You know the engagement models that we have don't put us right in front, touching necessarily protected health information directly.
We are examining the networks, systems, virtual systems, and cloud environments that might have PHI. So when it comes to ensuring the correspondence of email in a secure manner, we confide in the technology—the backbone of Paubox to ensure that our communication channel to our clients is protected.
I know that our healthcare customers are very thankful for that, and also, the ExecProtect is a step up so that we can protect what we call internally affectionately. We can protect the employees from what we call phony-tony, and phony-tony is those types of various actors trying to perpetuate me and establish a conversation about whatever to the employee base trying to perpetrate me solicit different things pieces of information and things like that.
So, ExecProtect was a worthwhile add-on to ensure that it came from me and not from phony- tony when I emailed employees.
Paul: Phony-tony. I love that moniker and what you're saying is spot on. We see the same thing with our customers as well.
So maybe bad actors were going after financials. Still, now especially with COVID and the drive for telemedicine and a remote workforce, we're starting to see those bad actors attack healthcare organizations.
With Paubox Inbound Security, it's not only scanning for spam fish and virus emails that could compromise your system. Something else that we monitor is ExecProtect.
We like to think of it as a bouncer at the door where we have a list of approved names and emails, and if your name is on, you can get through the velvet rope, and you get delivered to the inbox. Suppose your name is not on that list. In that case, we bounce it. That’s a way that we prevent those phony-tonys or those who are impersonating the CEO or leadership roles, trying to take advantage of the independent contributors or maybe even your new hires.
What's great about ExecProtect is we just got a patent for this, so our second patent comes with your inbound security at no additional charge. We want to make sure many of our customers are protected not only on the outbound with encrypted email but also with the inbound security.
Sierra: Paul, awesome. Good information. Thanks so much for explaining that to our listeners, and I absolutely love the terminology phony-tony. That is hilarious. So Paul and Tony, thank you guys so much for being here today. I appreciate it. If you're interested in learning more about Paubox Inbound Security and ExecProtect, we have some great resources on our blog at www.Paubox.com/blog . You may also start a free trial of products like email suite plus or premium at www.Paubox.com/pricing . Tony's presentation at Paubox Spring Summit is titled "The Cyber Threat Landscape Evolution." How the pandemic changed the attack surface. Healthcare attendees will learn the proliferation of cyber threats and the present and post-pandemic era risks to data in transit use cases for healthcare professionals and endpoint protection implications. Attendance is free, and please send an email to sierra@paubox.com if you'd like to attend. As a reminder, you can listen to other podcasts at paubox.com or subscribe via Apple Podcasts, Spotify, IheartRadio, Stitcher, or Amazon music. Thanks again and see you next time. SEE ALSO: HIPAA Compliant Email: the Definitive Guide