Atrius Health: Reducing Operational Costs and Combating Ransomware
CASE STUDY
seamlessly integrated with Microsoft Active Directory
and McAfee ePO software, the central console through
which Atrius Health information security engineers
manage McAfee endpoint and data protection suites. On
average, the system analyzes 24,000 events per second
(EPS).
“In our initial evaluations, we were impressed by the
speed of the McAfee Enterprise Security Manager and
its tight integration with McAfee ePO software,” says
Diguette. “Since implementing the SIEM, we have also
been pleased with how easily it integrates with non-McAfee resources. For instance, when our non-McAfee
firewall registers something suspicious, our McAfee SIEM
automatically alerts us in near real time.”
McAfee SIEM Saves the Expense of Hiring Three
to Four Full-Time Employees
As an alternative to purchasing a SIEM, Atrius Health
also looked at the option of adding more information
security experts and analysts to its headcount. “In our
ROI analysis, we figure that we saved three to four
full-time employees by going with the McAfee SIEM,”
claims Diguette. “The operational savings from more
robust protection, elimination of external log analysis,
and avoidance of additional headcount is huge. In
addition, our existing information security staff is now
more effective and can respond appropriately to security
events much more quickly.”
Automation Accelerates Threat Response
Alerts automatically triggered by the detection of a
potential threat on an Atrius Health endpoint or firewall
contribute significantly to increased efficiency and
reduced time to response. If ransomware is detected
and blocked on the endpoint by McAfee VirusScan®
Enterprise, for instance, McAfee ePO software instantly
shares that information with the McAfee SIEM,
automatically triggering an alert that notifies someone
on Diguette’s team who can run a correlation right away
to determine what action, if any, is needed.
“Using McAfee ePO software, we have built lots of rules
based on file types, signatures, and other parameters
to detect and block potential threats,” explains Diguette.
“As soon as an abnormal activity is detected on the
desktop, McAfee ePO software reports it, and the SIEM
sets off an alarm. Then the SIEM provides all kinds of
pertinent information—such as whether and where the
potential culprit ‘phoned home,’ what exactly it did, and
to whom—to help us rapidly determine the appropriate
response.”
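The endpoint-to-SIEM workflow described above (an endpoint detection raises an alarm, and the analyst then checks whether and where the blocked sample "phoned home") can be illustrated with a small correlation routine. The following Python is an added example written for this page; it is not McAfee ePO, McAfee Enterprise Security Manager or Atrius Health code. It joins constructed endpoint detection events with constructed firewall egress log lines by source host and time window, returns the destinations each infected host contacted around the time of the detection, and reduces those to the IP/port pairs that would feed a firewall block decision of the kind Diguette describes. The log field names, the two-minute window and every sample event are assumptions.

```python
"""Toy SIEM-style correlation of endpoint malware detections with firewall egress logs.

Added example for this page; not McAfee or Atrius Health code. Field names,
timestamps, hosts and the correlation window are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint detection events (ePO-style key=value export is assumed).
ENDPOINT_EVENTS = [
    "2016-03-02T09:14:05Z host=WS-0417 src_ip=10.20.4.17 event=malware_blocked name=Ransom.Locky path=C:\\Users\\j\\AppData\\Local\\Temp\\inv.js",
    "2016-03-02T11:40:22Z host=WS-0230 src_ip=10.20.2.30 event=malware_blocked name=Generic.PUP path=C:\\Downloads\\toolbar.exe",
]

# Constructed firewall egress log lines (non-McAfee firewall, key=value format assumed).
FIREWALL_EVENTS = [
    "2016-03-02T09:14:09Z action=allow src=10.20.4.17 dst=203.0.113.45 dport=443 proto=tcp",
    "2016-03-02T09:14:11Z action=allow src=10.20.4.17 dst=198.51.100.7 dport=8080 proto=tcp",
    "2016-03-02T09:20:00Z action=allow src=10.20.4.17 dst=192.0.2.10 dport=443 proto=tcp",   # outside window
    "2016-03-02T10:05:30Z action=allow src=10.20.2.30 dst=192.0.2.55 dport=443 proto=tcp",   # wrong time for WS-0230
]

# A beacon may fire shortly before or after the AV engine blocks the file,
# so the window is symmetric around the detection time (assumed value).
WINDOW = timedelta(minutes=2)


def parse(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(endpoint_lines, firewall_lines, window=WINDOW):
    """Return {host: [(dst_ip, dport), ...]} for egress connections made by a
    host within `window` of a malware_blocked event on that host.

    The result lists candidate command-and-control destinations; each still
    needs analyst review (reputation lookup, other hosts talking to the same
    address) before it is treated as malicious.
    """
    firewall = [parse(line) for line in firewall_lines]
    hits = defaultdict(list)
    for ep in map(parse, endpoint_lines):
        if ep.get("event") != "malware_blocked":
            continue
        for conn in firewall:
            same_host = conn.get("src") == ep.get("src_ip")
            in_window = abs(conn["ts"] - ep["ts"]) <= window
            if same_host and in_window:
                hits[ep["host"]].append((conn["dst"], int(conn["dport"])))
    return dict(hits)


def block_candidates(hits):
    """Flatten correlated destinations into a sorted, de-duplicated list of
    (ip, port) pairs, the input an analyst would review before pushing firewall rules."""
    return sorted({pair for pairs in hits.values() for pair in pairs})


if __name__ == "__main__":
    matches = correlate(ENDPOINT_EVENTS, FIREWALL_EVENTS)
    for host, dests in matches.items():
        print(f"{host} contacted {dests} around a malware detection")
    print("block candidates:", block_candidates(matches))
```

Only WS-0417 correlates: two egress connections fall within two minutes of its detection, the third is six minutes later, and WS-0230's only connection predates its detection by over an hour. A real deployment would add a reputation lookup on each destination and a second pass across all hosts to see whether other machines contacted the same addresses.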
Diguette also notes that McAfee GTI—a cloud-based
service that provides real-time intelligence on new and
emerging threats across file, web, message, and network
vectors—helps dramatically reduce security incidents in
the first place. Atrius Health leverages McAfee GTI both
on its endpoints and in the SIEM. “One time, we let our
McAfee GTI license expire,” remembers Diguette, “and
we were hit by malware that we are sure McAfee GTI
would have caught. It was just a minor incident, but it
shows how McAfee GTI makes a significant difference.”
Reducing Operational Costs and Combating Ransomware with McAfee SIEM and Integrated Security
Results
- Huge operational savings
- Avoided hiring several full-time employees
- Accelerated decision making, thanks to better visibility and correlations
- Robust detection capability and faster response to threats
- Improved security for virtual environment
Improved Visibility and Advanced Correlation Fast-Track Decision Making
Protection for Data and Virtual Servers Facilitates Compliance and Savings
Atrius Health has also found that the combination of
widespread visibility, via out-of-the-box and customized
McAfee SIEM dashboards, and advanced correlation
capabilities has streamlined decision making in multiple
ways. For example, the SIEM data made it straightforward
for Diguette and other management at Atrius Health
to decide that geographic blocking should be
implemented to reduce the organization's exposure to ransomware.
Like many organizations, Atrius Health has a hybrid
environment of both physical and virtual servers.
The organization also expects to expand its virtual
environment as it moves to an active-active environment
for continuous availability. Its Epic EMR application and
several clinical applications that integrate with EMR
currently run on a mix of physical and virtual servers. To
secure these virtual servers, Diguette’s team deployed
McAfee MOVE AntiVirus. According to Diguette, the
McAfee MOVE AntiVirus software was extremely easy to
deploy using the McAfee ePO console, conserves virtual
server resources, and saves on licensing costs compared
to traditional antivirus software.
“With the McAfee Enterprise Security Manager, we could
more quickly and easily investigate the ransomware
attacks, finding their targeted encryption keys and
tracing them back to their point of origin,” explains
Diguette. “Initially, that information showed us which
ports and IPs to shut down on our firewall, and it also
led us rather quickly to a clear-cut decision to implement
geographic blocking—since the vast majority of the
ransomware originated from places such as Russia and
the Middle East.”
Thanks to more advanced correlation, it is also easier
for the organization's network access control (NAC) system to determine
whether rogue devices attached to the network should be enabled or disabled.
“Often the rogue devices are new clinical devices that
have not yet been cleared through proper IT channels or
are part of an onsite product demo by a clinical device
company,” explains Diguette. “The McAfee Advanced
Correlation Engine’s advanced correlation helps us make
sure that the device in question is safe, has limited reach,
and employs antivirus protection.”
To protect its physical endpoints, Atrius Health uses
McAfee Complete Endpoint Threat Protection suite,
which detects approximately 100 viruses daily and
includes functionality such as McAfee ePO Deep
Command, for secure management of remote PCs,
and McAfee SiteAdvisor®, which enables employees
to surf the web safely. To comply with Massachusetts
regulations and keep data safe, Atrius Health relies
on aspects of the McAfee Complete Data Protection
suite for comprehensive endpoint encryption. The
organization uses the suite’s enterprise-grade drive
encryption to encrypt all of its more than 7,000 desktops
and is in the process of moving from another solution
to the suite’s file and folder encryption and removable
media protection.