
Q&A with Intermountain Health VP/CISO Erik Decker & Director of Endpoint Data & Application Security Shawn Anderson: “Active Directory Revamp Can Help Slow Intruders’ Drive to Domain Dominance”

Author
Anthony Guerra
Published
Mon 01 Jul 2024
Episode Link
https://healthsystemcio.com/2024/07/01/erik-decker-shawn-anderson/



















It makes perfect sense – study what your adversaries are doing and plan your defenses accordingly. If they’re coming in the windows every time, perhaps you don’t need to keep adding locks to the door. And studies have been done in healthcare showing there is a typical attack profile that often entails moving from a beachhead attained via some sort of social engineering or phish to finding an admin account in order to obtain domain dominance, before ultimately encrypting files, exfiltrating data and deploying ransomware. And one of the dynamics that allows for such escalation is when administrators are doing both privileged and run-of-the-mill productivity work (think email) from the same workstation. To help combat this, Intermountain Health VP/CISO Erik Decker & Director of Endpoint Data & Application Security Shawn Anderson are working to implement a new construct of Microsoft’s Active Directory that will make such a push to domain dominance more time-consuming and expensive for the bad guys, rendering it less attractive. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Decker and Anderson discuss why such a change can be beneficial, who it’s right for, and what it entails.






Bold Statements

… when you’re doing the management of the IT work from the same place that you do the management of your productivity, your email, you just opened up the door to where those bad actors can operate.

The game that we’re playing – and it’s a horrible game – is we want to break the methods that the bad actors are using at scale. If you break the method, then they have to deploy and invest a lot more in order to do what they’re going to do, which they still might do. Don’t get me wrong. It’s not a panacea. But you are making it more expensive for them to do what they’re trying to do, which is absolutely what we’re trying to do.

… you have to start changing the way you think about this from a perimeter mindset, from a network mindset, from a “trusted user mindset,” and just assume that something bad is happening.

Anthony: Welcome to healthsystemCIO’s interview with Erik Decker, VP and CISO at Intermountain Healthcare, and Shawn Anderson, Director of Endpoint Data and Application Security, also with Intermountain. I’m Anthony Guerra, Founder and Editor-in-Chief. Erik and Shawn, thanks for joining me.

Erik: Thanks for having us, Anthony.

Anthony: All right, very good. Let’s jump right in. Let’s start with the usual. Tell me a little bit about your organization and your role. Erik, let’s start with you.

Erik: Sure. So Intermountain Health, we’re an integrated delivery network located in the Mountain West region in about seven states. Headquartered in Salt Lake City, about 70,000 employees, $16 billion in revenue, 34 hospitals, and a health plan that covers a million lives. That’s what makes up the integrated delivery network. We’ve got a pretty broad expanse. We believe in value-based care as the healthcare model, meaning the best care comes from preventative wellness and so forth. And the whole capitative model around population health and keeping people out of the hospital as much as we possibly can, and of course, when acute and chronic issues arise, caring for those people. That’s pretty much who we are.

I’m the CISO for Intermountain, so I head up our cybersecurity program. I have a great organization, 150 caregivers on my team. Shawn is one of them,
