Case Study

Highmark Health Accelerates SOC Automation with Recorded Future®


A Reactive Intelligence Approach Puts Healthcare Systems and Data at Risk

Today’s healthcare organizations face cyber threats from every angle. Their expanding ecosystems of connected medical devices and systems hold a treasure trove of valuable data — from patient records and personally identifiable information, to biometrics, to intellectual property — making them attractive targets for adversaries. Vulnerabilities, ransomware threats, and patient data theft are just a few of the many cyber threats keeping the security professionals at Highmark Health up at night.

“Before 2020, our threat intelligence program was mostly a reactive function — when something big happened, we’d create a report, but it was inconsistent and difficult for one dedicated team member to manage, let alone scale. But in the wake of COVID-19, everything changed and there was an urgent need for timely, accurate intelligence,” explains Ed Marrow, Manager, Team Information Risk Management at Highmark Health.

Several teams across the organization’s Security Operations Center (SOC) banded together, creating a “SWAT Team,” led by Katie Schwalen, Team Lead, Threat Management, to mature the program and produce actionable, high-value intelligence to proactively protect the Highmark enterprise.


A Powerful Integration Takes Shared Sector Intelligence to the Next Level

“One of our main objectives is to cultivate and maintain intelligence sharing relationships both inside and outside the healthcare industry,” explains Schwalen. Like many healthcare organizations, the Highmark Health team relies on Health-ISAC, a large community of critical infrastructure owners and operators within the sector, for targeted healthcare intelligence.

“Security as a whole can be a very lonely business,” adds Marrow. “As you work in your SOC, you’re not seeing what else is going on. Talking and sharing with other security professionals is essential for informed decision making and peace of mind — after all, we’re all in the trenches together.”

The opportunity to layer real-time security intelligence from an unrivaled variety of open source, dark web, technical sources, and original research over shared H-ISAC insights was a no-brainer for the Highmark team.

Integrating Recorded Future with H-ISAC threat intelligence empowers the Highmark team to amplify their impact and proactively defend their network by:

  • Enriching insights from the Health-ISAC community with real-time, actionable security intelligence
  • Quickly transforming raw data in the H-ISAC WeeSecrets chat into complete, contextualized intelligence — driving fast, confident decisions
  • Automating manual IOC triage and speeding decision making
  • Identifying, tracking, and better understanding frequent threat actors
  • Gaining visibility across the broader threat landscape, such as threats on the geopolitical stage


Actionable Security Intelligence Drives Proactive Protection from Targeted Threats

“In times of crisis, the ability to combine and corroborate data from both Health-ISAC and Recorded Future has proven to be invaluable,” says Schwalen.

For example, in October 2020, the FBI issued an alert to US hospitals and healthcare organizations of an imminent threat of Ryuk ransomware attacks. Highmark immediately activated its Cyber Incident Response team to harden systems at its hospital locations and affiliate entities. “Security intelligence from Recorded Future was imperative during this incident – from real-time alerts on Ryuk and Trickbot malware indicators, to automated IOC ingestion, to webinars and prescriptive guidance for defending our organization,” notes Schwalen.

“Recorded Future provides us with highly customizable security intelligence that’s unique to our environment,” says Schwalen. “We can dig into the platform, put our hands on alerts we’re seeing, and enrich the intelligence we receive from Health-ISAC and vice versa – it’s been a huge win for us.”

She concludes, “Health-ISAC and Recorded Future are two of our most valuable intelligence partners – and this integration has only made that relationship stronger. If your leadership is pushing for more automation for your SOC, this integration is an absolute must-have!”

