# Security Engineering Case Study

## Problem Statement
A healthcare organization suffered a prolonged security breach that originated from a vulnerable public-facing web application and escalated into full compromise of internal Windows and Linux environments. The attacker achieved lateral movement, privilege escalation, and long-term persistence, resulting in exposure of PHI, PII, and proprietary research data.
The objective was to engineer a secure, compliant, and cost-constrained security architecture that:
- Prevents initial compromise
- Eliminates lateral movement paths
- Detects and contains attacks quickly
- Meets healthcare regulatory requirements (HIPAA, SOC 2, GDPR)
## My Responsibilities
As the Security Engineer, I was responsible for:
- Performing incident root-cause analysis
- Conducting STRIDE and DREAD threat modeling
- Designing a Zero Trust–aligned security architecture
- Selecting and justifying security tooling
- Engineering network segmentation and access controls
- Defining encryption, monitoring, and response standards
- Delivering the solution within a $500,000 budget
## Incident Analysis (Technical Breakdown)

### Initial Access
- Exploited command injection in DMZ-hosted web application
- Achieved reverse shell access to the web server
### Privilege Escalation & Lateral Movement
- Pivoted into Windows admin network via misconfigured firewall rules
- Leveraged Samba services on a Domain Controller to enumerate trust paths
- Escalated privileges on Windows host and accessed Linux research systems
### Persistence & Impact
- Maintained access for >2 months
- Exfiltrated PHI, PII, and research data
- Bypassed detection due to limited monitoring depth
## Engineering Failures Identified
| Area | Failure |
|---|---|
| Network Security | Flat trust boundaries, single firewall |
| Encryption | TLS 1.1 in transit, DES at rest |
| Identity | Weak privilege boundaries |
| Endpoint Security | No EDR, poor patch hygiene |
| Monitoring | Single IDS/IPS, no SIEM correlation |
| Resilience | Untested backups, weak IR plan |
## Threat Modeling & Risk Analysis

### STRIDE (Selected Examples)
- Spoofing: Credential theft, identity impersonation
- Tampering: Patient and research data modification
- Information Disclosure: PHI exposure
- Elevation of Privilege: Unrestricted lateral movement
### DREAD (Highest-Risk Threats)
- Phishing & social engineering
- Malware / ransomware
- Web application exploitation
- Credential compromise
## Security Architecture Design

### Core Engineering Principles
- Zero Trust (identity-first security)
- Defense in depth
- Least privilege by default
- Continuous verification and monitoring
### Controls Implemented

#### Network Security Engineering
- Segmented architecture:
  - DMZ
  - Windows administration network
  - Linux research/data network
  - VPN user zone
- Next-Generation Firewalls (NGFW) at each trust boundary
- East–west traffic inspection
#### Identity & Access Engineering
- Role-Based Access Control (RBAC)
- Mandatory Multi-Factor Authentication (MFA)
- Privilege separation between Windows and Linux domains
- Credential rotation policies
#### Endpoint & Host Security
- Endpoint Detection & Response (EDR) across all servers and workstations
- Behavioral malware detection
- Automated containment and rollback
- Patch management enforcement
#### Monitoring, Detection & Response
- Centralized SIEM for:
  - Log aggregation
  - Correlation across network, endpoint, and identity layers
  - Compliance-ready audit logging
- Network-based and host-based IDS/IPS
- Defined alert severity and response playbooks
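The cross-layer correlation that the SIEM is meant to provide can be shown concretely. The following is an added example, not code from the case study or from any of the listed products: it parses constructed firewall, EDR, and identity log lines (the field names, zone labels, and IP addresses are assumptions) and raises one high-severity alert only when all three layers agree within a time window, which is the sequence the breach followed (web server process spawns a shell, the host then opens a flow into the Windows admin zone, and a logon originates from that host).

```python
from datetime import datetime, timedelta

# Constructed sample events from three log sources. The key=value format,
# host addresses and zone names are assumptions for this example.
FIREWALL_LOG = """\
2024-03-01T10:02:11Z ngfw action=allow src=10.10.1.20 src_zone=dmz dst=10.20.0.5 dst_zone=win-admin dport=445
2024-03-01T10:05:40Z ngfw action=allow src=10.30.2.7 src_zone=linux-research dst=10.30.2.9 dst_zone=linux-research dport=22
"""
EDR_LOG = """\
2024-03-01T10:01:58Z edr host=10.10.1.20 parent=httpd child=/bin/sh
2024-03-01T10:15:00Z edr host=10.20.0.5 parent=services.exe child=svchost.exe
"""
IDENTITY_LOG = """\
2024-03-01T10:03:05Z idp event=logon outcome=success user=svc-backup src=10.10.1.20 target=dc01.corp.local
2024-03-01T11:45:12Z idp event=logon outcome=success user=alice src=10.40.0.12 target=dc01.corp.local
"""

WEB_PROCESSES = {"httpd", "nginx", "tomcat", "w3wp.exe"}
SHELLS = ("/bin/sh", "/bin/bash", "cmd.exe", "powershell.exe")
DEFAULT_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Parse '<timestamp> <source> k=v k=v ...' into a dict with a datetime."""
    ts_str, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(firewall: list[dict], edr: list[dict], identity: list[dict],
              window: timedelta = DEFAULT_WINDOW) -> list[dict]:
    """One HIGH alert per host where, within `window` of a web process
    spawning a shell (endpoint layer), the NGFW allowed a flow from that host
    into the admin zone (network layer) and the IdP recorded a successful
    logon sourced from that host (identity layer). Each signal alone is noisy;
    the conjunction is the lateral-movement path this case study describes."""
    alerts = []
    for ev in edr:
        if ev["parent"] not in WEB_PROCESSES or not ev["child"].endswith(SHELLS):
            continue
        host, start = ev["host"], ev["ts"]
        end = start + window
        flows = [f for f in firewall
                 if f["src"] == host and f["action"] == "allow"
                 and f["dst_zone"] == "win-admin" and start <= f["ts"] <= end]
        logons = [i for i in identity
                  if i["src"] == host and i["outcome"] == "success"
                  and start <= i["ts"] <= end]
        if flows and logons:
            alerts.append({
                "severity": "HIGH",
                "host": host,
                "first_seen": start,
                "users": sorted({i["user"] for i in logons}),
                "targets": sorted({f["dst"] for f in flows}),
                # Playbook step names are assumptions for the example.
                "playbook": ["isolate-host-edr", "disable-accounts", "block-src-ngfw"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(FIREWALL_LOG), parse_log(EDR_LOG),
                           parse_log(IDENTITY_LOG)):
        print(alert)
```

The window is deliberately short: the same three events hours apart are far more likely to be unrelated, so tuning `window` is where false-positive control lives.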
#### Data Security
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Data Loss Prevention (DLP) policies for removable media and exfiltration
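Two of the failures table entries (TLS 1.1 in transit, DES at rest) map directly onto these controls. As an added example, not code from the case study, the block below audits a constructed service inventory against the stated targets and builds a Python `ssl` client context that refuses anything below TLS 1.3. The inventory entries and service names are assumptions.

```python
import ssl

# Constructed service inventory (assumed). The first entry reproduces the
# pre-breach state from the failures table: TLS 1.1 in transit, DES at rest.
BREACHED_INVENTORY = [
    {"name": "patient-portal", "transit": "TLSv1.1", "at_rest": "DES"},
    {"name": "research-db", "transit": "TLSv1.2", "at_rest": "AES-256-GCM"},
]
TARGET_INVENTORY = [
    {"name": "patient-portal", "transit": "TLSv1.3", "at_rest": "AES-256-GCM"},
    {"name": "research-db", "transit": "TLSv1.3", "at_rest": "AES-256-GCM"},
]

REQUIRED_TRANSIT = "TLSv1.3"
REQUIRED_AT_REST_PREFIX = "AES-256"   # any AES-256 mode counts; GCM is the recommended one


def audit_crypto(inventory: list[dict]) -> list[tuple]:
    """Return (service, layer, current, required) for every entry that misses
    the standard. An empty list means the inventory meets policy."""
    findings = []
    for svc in inventory:
        if svc["transit"] != REQUIRED_TRANSIT:
            findings.append((svc["name"], "transit", svc["transit"], REQUIRED_TRANSIT))
        if not svc["at_rest"].startswith(REQUIRED_AT_REST_PREFIX):
            findings.append((svc["name"], "at_rest", svc["at_rest"], "AES-256-GCM"))
    return findings


def make_client_context() -> ssl.SSLContext:
    """Client context pinned to TLS 1.3 with certificate and hostname checks on.
    A server that only offers TLS 1.1 or 1.2 fails the handshake instead of
    silently negotiating down."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Guard for CI: catches a context that someone later relaxed."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_3
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    for finding in audit_crypto(BREACHED_INVENTORY):
        print("FINDING", finding)
    print("context ok:", context_meets_policy(make_client_context()))
```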
#### Web Application Security
- Web Application Firewall (WAF)
- Input validation and sanitization
- Content Security Policy (CSP)
- Secure authentication flows
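The initial access vector was command injection, so input validation is the control that would have closed it. The following added example (not code from the case study or from the breached application, whose details are not on the page) puts the vulnerable pattern beside the hardened one for a constructed "connectivity check" feature that pings a user-supplied hostname; the feature and the hostname allowlist are assumptions.

```python
import re
import shlex
import subprocess

# Constructed scenario (assumed): a DMZ web app exposes a connectivity check
# that pings whatever hostname the request carries.

# Allowlist for DNS hostnames: dot-separated labels of letters, digits, hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_vulnerable(host: str) -> str:
    """The breached pattern: untrusted input spliced into a shell string.
    Run with shell=True, text after ';' executes as a second command."""
    return f"ping -c 1 {host}"


def shell_commands(command: str) -> list[list[str]]:
    """Tokenise a string the way a POSIX shell would and split it at command
    separators, to make visible how many commands would actually run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_safe_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def build_ping_hardened(host: str) -> list[str]:
    """Validate against the allowlist, then return an argv list. With
    shell=False the hostname is a single argument and no shell ever parses it."""
    if not is_safe_hostname(host):
        raise ValueError(f"hostname rejected by allowlist: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, executor=subprocess.run) -> int:
    """Run the hardened command; `executor` is injectable so the logic can be
    exercised without a real ping binary."""
    completed = executor(build_ping_hardened(host), shell=False,
                         capture_output=True, timeout=5)
    return completed.returncode


if __name__ == "__main__":
    tainted = "host.example; echo injected"
    print(shell_commands(build_ping_vulnerable(tainted)))   # two commands
    print(is_safe_hostname(tainted))                         # False
```

Validation and `shell=False` are independent layers: the argv form alone already stops the shell from interpreting the input, and the allowlist additionally keeps values the downstream tool might misread (leading hyphens, for instance) from reaching it.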
## Technology Stack (Justified)
| Security Function | Tool |
|---|---|
| NGFW | Palo Alto PA-5400 |
| SIEM | SolarWinds SEM |
| EDR | SentinelOne Active EDR |
| DLP | Acronis Device Lock |
| WAF | Cloudflare |
| IAM | MFA + RBAC |
Tooling decisions prioritized engineering visibility, automation, and attack surface reduction over signature-only defenses.
## Zero Trust Implementation
Zero Trust was enforced across:
- Users
- Devices
- Networks
- Applications
- Data
Key outcomes:
- No implicit trust based on network location
- Continuous identity verification
- Strict policy-based access enforcement
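The policy-based enforcement described here, together with the zone segmentation from the Network Security Engineering section, can be expressed as a single decision function. The block below is an added example, not the organisation's policy engine: the zone allow-matrix, role table, and request fields are assumptions, chosen so that the DMZ-to-admin path used in the breach is absent and so that being inside the admin network grants nothing on its own.

```python
from dataclasses import dataclass

# Zone-pair allowlist (assumed). Any pair not listed is denied, which is how
# the dmz -> win-admin path from the incident is closed.
ZONE_POLICY = {
    ("vpn-users", "dmz"), ("vpn-users", "win-admin"), ("vpn-users", "linux-research"),
    ("win-admin", "win-admin"), ("linux-research", "linux-research"),
}
# RBAC entitlements: which roles may reach resources in which zone (assumed).
ROLE_RESOURCES = {
    "windows-admin": {"win-admin"},
    "researcher": {"linux-research"},
    "web-ops": {"dmz"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool       # verified for this session, not a stale flag
    device_compliant: bool   # managed, EDR present, patch level current
    src_zone: str
    resource_zone: str
    resource: str


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every check must pass; none is skipped
    because of where the request comes from."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa-required")
    if not req.device_compliant:
        reasons.append("device-noncompliant")
    if not any(req.resource_zone in ROLE_RESOURCES.get(r, set()) for r in req.roles):
        reasons.append("role-not-entitled")
    if (req.src_zone, req.resource_zone) not in ZONE_POLICY:
        reasons.append("zone-path-denied")
    return (not reasons, reasons)


# Constructed requests for the three cases worth contrasting.
ADMIN_OVER_VPN = AccessRequest("alice", frozenset({"windows-admin"}), True, True,
                               "vpn-users", "win-admin", "dc01.corp.local")
ADMIN_INSIDE_NO_MFA = AccessRequest("alice", frozenset({"windows-admin"}), False, True,
                                    "win-admin", "win-admin", "dc01.corp.local")
DMZ_TO_RESEARCH = AccessRequest("www-data", frozenset({"web-ops"}), True, False,
                                "dmz", "linux-research", "research-db")


if __name__ == "__main__":
    for name, req in [("admin over vpn", ADMIN_OVER_VPN),
                      ("admin inside, no mfa", ADMIN_INSIDE_NO_MFA),
                      ("dmz to research", DMZ_TO_RESEARCH)]:
        print(name, evaluate(req))
```

The second case is the one that separates this model from the flat network the breach exploited: the same administrator, already inside the admin segment, is still denied until identity is re-verified.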
## Budget-Aware Engineering
- Total Budget: $500,000
- Delivered solution at $418,320
- Remaining funds allocated to staffing a junior security analyst to support detection and response engineering
## Results
- Eliminated single points of failure
- Prevented lateral movement paths
- Reduced attacker dwell time from months to minutes
- Established compliance-aligned security controls
- Delivered scalable security architecture within budget
## What This Demonstrates as a Security Engineer
- Translating attack paths into engineered controls
- Designing security architecture, not just tools
- Applying Zero Trust in real environments
- Balancing security, operations, and cost
- Building systems that assume breach and respond effectively
This case study reflects my approach as a Security Engineer: understand how systems fail, design controls that remove entire classes of attacks, and build security that scales with the business.