Castlight Health makes healthcare more secure with Google Chronicle

Imagine you’re ill or just interested in exploring treatment options, but you don’t have a primary care provider. What would you do? You could search the internet topic by topic related to health, but this would be haphazard. You could reference a medical publication site, but that could be too specialized. A better option would be to consult an online resource that combines multiple aspects of healthcare, driven by data, technology, and a team of clinical experts. That’s Castlight Health, a leading healthcare navigation company.

“Castlight Health provides the technology to guide people through the healthcare jungle,” says Tony Cromer, Information Security Analyst at Castlight Health. “Patients often are trying to find a physician in their area who specializes in the specific care they need. Or maybe they don’t know what kind of care to get. They just need advice about how to search for that. Castlight Health has that information.” 

Business challenge

Castlight Health operates many different business systems. With up to 250 security alerts per day that need to be ingested from disparate systems like email directories, CRM solutions, office productivity suites, and threat detection/prevention applications, their security team was splitting time among multiple panes of glass to maintain visibility of the entire attack surface. Their goal was to have a single unified pane of glass to better understand the relationship among all these data points in real time. Another challenge was that their current security tool capped the amount of data they could ingest.

Castlight Health’s top priority is protecting their customer data. In addition, they must maintain compliance with the Healthcare Information Portability and Accountability Act (HIPAA). This federal law governs the privacy and security of individual consumers’ Protected Health Information (PHI). 

“Because Castlight Health deals with patient data, we have to protect it at all costs,” says Cromer. “Another high priority is to make sure we’re HIPAA compliant. We have to keep an eye on a variety of threats, including malicious outsiders and even possible negligence by insiders.”

With many internal and external systems, Castlight Health was continuously barraged with security alerts, the vast majority of which were low priority events. They needed a solution that could automate the analysis and remediation of routine alerts so they could concentrate their manual efforts on high priority and critical alerts.  

Solution

Castlight Health looked at Google Cloud, AWS, and Azure as possibilities for solving their security data ingestion challenges. They chose Google Cloud based on several factors. “When we looked at Google Cloud, AWS, and Azure, we found that Google Cloud’s organization, the way the environment was set up, and the cost structure made Google Cloud a more compelling solution,” says Cromer. 

To deal with all the logs and streaming data alerts coming in from multiple sources, Castlight Health chose Chronicle, Google Cloud’s next-generation security information and event management (SIEM)/threat hunting tool. Built on the power of Google Cloud infrastructure combined with Google Cloud’s threat intelligence insights and flexible rules, Castlight Health has unmatched analytical power to uncover actionable threat information in seconds or minutes. 

Chronicle APIs can support external playbooks that Castlight Health creates to respond automatically to alerts seen on a daily basis. “We know most of these events and alerts are benign,” says Cromer. “Coupling the playbooks with the threat intelligence in Chronicle, we can zoom in on the behavioral aspects of what’s going on with our systems and environments.”

To get started, Castlight Health engaged SADA to implement enterprise system data ingestion into Chronicle and to activate SADA’s standard Chronicle ruleset. Additionally, SADA provided learnings to the Castlight Health team to execute CRM data ingestion after proper provisioning. 

Initially, we thought, ‘We have a full security team, let’s set up the Chronicle ingestion and rules ourselves.’ We found out that was a dumb idea. So we got smart and asked Google Cloud for a Chronicle expert, which was SADA. We started working with them, and we haven’t been disappointed. It was a great decision to work with SADA.

Tony Cromer | Information Security Analyst at Castlight Health

SADA helped Castlight Health set up Chronicle rules, which are based on the YARA-L detection language used to query data ingested into Chronicle. The rules are stored within Chronicle to constantly evaluate and generate alerts based on the security telemetry ingested into the platform.

Results

With the rules that SADA helped Castlight Health configure in Chronicle, they’re now able to look specifically for high-priority and critical security activities. Additionally, with Chronicle, Castlight Health can devote more time to threat hunting and automating other aspects of their security. 

Based on Chronicle automation, our security team has more time to devote to value-added security work; it’s like compound interest. As a security department, we want to spend 50% of our time automating security operations and 50% of our time performing other security work like threat hunting. That way, we’re always giving ourselves more time for other tasks. With the help SADA gave us to implement Chronicle, we’ve been enabled to deliver faster, more accurate security than ever.

Donovan Ellison | Cloud Security Engineer at Castlight Health

With Chronicle ingesting alerts from all of Castlight Health’s enterprise infrastructure, they can be concentrated in a central location for a single source of security truth. “Using Chronicle, the Castlight Health security team can collect all the log data from all these disparate systems,” says Cromer. “Then we can correlate and consolidate all that data from across our multi-cloud and on-prem environments into one succinct point of reference.”

Overall, SADA helped Castlight Health implement Google Cloud’s Chronicle security solution in order to:

• Focus on high-priority and critical security alerts
• Consolidate 100% of on-prem and cloud security data in a single source of truth
• Free 50% of the security team’s time for tasks other than triaging security alerts