If there’s any consolation to be drawn from the cyberattack on SingHealth – Singapore’s largest healthcare group – in July 2018, it is that all patient records in SingHealth’s IT system remain intact; the group’s clinic and hospital operations were not disrupted during the attack, and patient care was not compromised.

Through an initial breach on a front-end workstation, the attackers obtained privileged account credentials and access to exfiltrate data from one of SingHealth’s IT databases. This was carried out from 27 June 2018 until database administrators at Integrated Health Information System (IHiS), the technology agency for the public healthcare sector, detected and halted the activity on 4 July 2018.

The commendable time to detection and swift implementation of additional cybersecurity precautions curtailed the attack, which had, by then, illegally stolen the non-medical personal particulars of some 1.5 million patients. Subsequent heightened monitoring showed continuing malicious activities.

Data exfiltrated include the patient’s name, identity card number, address, gender, race and date of birth, as well as information on the outpatient dispensed medicines of about 160,000 of these patients.

As part of post-incident containment and monitoring measures, Singapore’s public healthcare institutions have implemented temporary Internet Surfing Separation as well as added controls on workstations and servers, reset user and systems accounts, and installed more system monitoring controls on IT systems.

Big target

The SingHealth incident is yet another reminder of the daunting challenge faced by IT leaders in combating targeted and well-planned cyberattacks. It illustrates how every application, especially if they are connected to the internet, can potentially be a critical entry point into enterprise defenses.

“Gaining a foothold on one application or server opens up a wealth of avenues for attackers to explore,” warned Lori MacVittie, principal technical evangelist at F5 Networks in her blog post. “From credentials to connections, a single point of attack insidethe data center, whether public cloud or on-premises, is a greater threat than we like to consider.”

The growing adoption of multi-cloud strategies and array of Internet of Things expand the attack surface, multiplying the risk of any app being exploited as an attack vector. “There is no such thing as a non-critical app when it comes to security,” MacVittie added.

Organizations have recognized this and many have invested in web application firewalls (WAFs) to prevent application vulnerabilities from being exploited and defend against OWASP Top 10 threats such as cross-site scripting and SQL injection.

Although WAFs are still largely passive filter-based detection systems, much like NGFW and IPS technologies, they are specifically designed to analyze each HTTP request at the application layer, with full decryption for SSL/TLS.

But application-layer threats are evolving as well. The regularity in which many application-layer attacks today – sophisticated malware and automated bot- and IoT-driven threats, including credential stuffing – can evade detection in traditional WAFs has kept IT leaders awake at night.

Advanced WAF solutionsare clearly needed to fight these threats, especially by businesses increasingly operating across multiple clouds. In response,F5 has introduced its namesake Advanced WAF, which dynamically protects apps with anti-bot capabilities; stops credential theft using keystroke encryptions to guard against keyloggers; and extends app-layer DDoS detection and remediation for all apps through a combination of machine learning and behavioral analysis.

Deft ops

As a prominent component of the F5 BIG-IP Cloud Edition, the F5 Advanced WAF provides security services on a per-app basis to secure the app against automated web attacks, credential theft and L7 DDoS. Services are defined, updated and deployed for each individual application from a self-service catalog via a GUI or an API.

The F5 Advanced WAF’s support for various consumption and licensing models, including per-app, means that enterprises can seamlessly deploy, upgrade and automate trusted F5 security services in a consistent way across public and private clouds while also promoting service portability through microservices and container use cases.

“The per-app aspect of the BIG-IP isn’t necessarily trying to break that [traditional shared network service] model because there’s a lot of efficiency gains in putting all application services into a central place like BIG-IP,” said David Holmes, F5’s global security evangelist. “The key is that policies are consistent across [clouds] and that way, your apps can live anywhere and you can leverage the apps intelligence that you’ve always done with F5 into the different clouds.” Now, when a critical application is moved from one cloud to another, the application services follow it.

Taking advantage of automated security policy capabilities and cloud templates, the F5 Advanced WAF positions NetOps, SecOps and DevOps teams to collaborate in support of business priorities. On this front, Holmes highlighted the significance of the F5 Advanced WAF’s API protocol security tools, which secure REST/JSON, XML and GWT APIs. “Everything in DevOps should be programmable and automated so everything would be an API or should be an API,” Homes said. “There needs to be some kind of runtime protection. API security is going to be huge for DevSecOps and DevOps in general.”

The aim is to make it less onerous for IT organizations to secure growingattack surfaces due to rapid adoption of APIs, and detect automated threats that mimic good traffic or are ‘low and slow’. For example, the Advanced WAF’s Proactive Bot Defense uses advanced fingerprinting and challenge/response techniques in conjunction with other behavioral analysis to enable session-level detection and blocking of automated threats.

Again, as the attack on SingHealth proved, swifter detection of cyberattacks ultimately helps to limit the service disruption or data loss that they can cause.