H-ISAC keeps security leaders connected in Mattermost for faster breach resolution

“Many of our larger members could never discuss security issues with each other in real life because their lawyers would go crazy. But because Mattermost provides a secure platform, they can collaborate with other organizations within H-ISAC to solve problems.”
Josh Singletary, CIO, H-ISAC

Highlights

  • Increased engagement for community of 4000+ members
  • Faster reaction across health sector during security breaches including WannaCry and NotPetya
  • Automated data collection (IOC) and facilitated faster, more effective information sharing during security breaches

Health-ISAC Inc. (H-ISAC, Health Information Sharing and Analysis Center) is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating, and sharing vital physical and cyber threat intelligence and best practices with each other. From large, multinational pharmaceutical companies and large hospital networks to payers, providers, and medical device manufacturers, over 500 institutional members rely on H-ISAC to connect with other security leaders in the industry. 

Facilitating communication and collaboration between members is essential for H-ISAC. But many of the collaboration solutions available left the team and members nervous about security. The platforms and portals that H-ISAC used in the past had been ineffective. Mattermost offered H-ISAC a trustworthy platform for communication and has helped members connect and accelerate knowledge-sharing during crises. 

Creating a secure connection for the community

In the past, an email distribution list had been a major communication driver for the H-ISAC community. But email threads can be challenging to follow and keep organized, especially when the industry is dealing with a security breach. H-ISAC also found that teams were sometimes reluctant to share essential information about breaches via email, since they didn’t know exactly who was on the distribution list. “There was this desire to share information without filling up everyone’s inbox. With email, we would have someone post a question and maybe get a few responses,” says Errol Weiss, CSO for H-ISAC. “But not all responders would hit ‘Reply All’ because they weren’t sure who they were sharing with. Chat gives better transparency on who is on the other end, which gives security.”

H-ISAC initially tested a different real-time chat platform for the member community. But concerns about using a cloud solution to share sensitive information hindered wide-scale adoption, and ultimately the solution was spun down. 

A few months later, a few members who were already using Mattermost within their organizations asked H-ISAC to beta test Mattermost. H-ISAC was able to trial Mattermost’s open source solution before they decided to invest money in it. As an on-premises solution, Mattermost offered the security that the H-ISAC community needed to confidently adopt it, including an Okta integration for SSO. Now, nearly all of their 4,000 list members are active in Mattermost. 

Enriching peer-to-peer chat and improving networking after events

Mattermost has helped H-ISAC members get the most out of their membership by connecting directly to other stakeholders. The community has a number of small groups and committees, and Mattermost makes it easy for these groups to communicate securely.

Additionally, as the community has grown, members want to continue conversations after H-ISAC summits. Mattermost makes it easy for members to find and connect directly with other members. They can also create or join topical channels easily, helping the community grow and learn from each other on a daily basis.

Providing a shared environment for security experts to collaborate during incidents

While Mattermost has been helpful for keeping the H-ISAC team and member organizations connected day-to-day, it has truly been a boon during wide-scale security incidents. During WannaCry, which occurred soon after H-ISAC implemented Mattermost, the healthcare community used Mattermost as a way to learn more about what was happening from other peer security experts and find out what they needed to do to stop it. 

NotPetya offered the first opportunity for the full community to come together to help each other. When NotPetya hit, Mattermost became an active command center for teams to share knowledge and troubleshoot issues. Community members ran ransomware in a sandbox, shared information and insights with each other in a Mattermost channel, and then shared those findings with the broader membership.

“Many of our larger members could never discuss these security issues with each other in real life because their lawyers would go crazy,” says Josh Singletary, CIO of H-ISAC. “But because Mattermost provides a secure platform, they can collaborate with other organizations within H-ISAC to solve problems.”

Extracting and synthesizing security findings effectively 

During and after incidents, the H-ISAC team monitors and pulls information out of Mattermost and turns it into advisories and alerts that can be shared both internally and externally. A Zapier integration is used to scrape Mattermost for indicators of compromise, which are then made available to Health-ISAC members who can leverage the indicators within various cyber security platforms including SIEMs, firewalls, and endpoint protection systems. Additionally, members may automate Health-ISAC’s threat intelligence directly into their SIEM and firewall protection for added security from emerging cyber threats. 

“The Zapier-Mattermost integration has greatly enhanced the Health-ISAC automated IOC sharing for our members,” Errol says. “It’s much easier to collect information out of a Mattermost thread as opposed to pulling it together from emails.” 

During NotPetya, H-ISAC was able to share the applicable information it was receiving with trusted partners, including those in other sectors, so that they could correct or add to their reports. “Not only were we helping the health sector, but we were also helping the financial sector and other sectors as well,” Josh adds. “Mattermost helped us facilitate cross-communication amongst our own sector, but also contributed to helping other sectors and partners across the world solve the problem.”

About H-ISAC

Founded in 2010, Health Information Sharing and Analysis Center (H-ISAC) is a trusted global community focused on sharing timely, relevant and actionable information to prevent, detect, and respond to cyber and physical security events so that members can focus on improving health and saving lives.