The Retail & Hospitality ISAC Podcast 7.26.23
Ep 32 | 7.26.23

Safeguarding Security with Associate Member Accenture, the Role of a BISO, & the Latest Intel Briefing

Transcript

[ Music ]

Luke Vander Linden: This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center. And you're about to listen to the RH-ISAC podcast.

[ Music ]

It seems like around once a year or so, some big cybersecurity event happens that overshadows everything else going on. It looks like the MOVEit vulnerability exploited by CL0P is going to be that event this year. Every other episode, we're joined by the RH-ISAC's cyber threat intel analyst and writer extraordinaire, Lee Clark, for the briefing. This week's episode is that episode, but we're going to go ahead and let CL0P overshadow everything else and do a deep dive on the who, what, and how of this ongoing event. I'm also going to get Lee to talk to us a little bit about a project RH-ISAC has been working on to address fraud in all its many forms. It's really ballooned into quite the exciting initiative with a lot in store in the coming months. And that's not all for this episode. I'm also going to talk with Piyush Jain, a managing director at Accenture Security, one of our associate members, on a wide range of some of our favorite strategic topics. Boards and governance, third party risk, engagement with business lines. And finally, we'll also be joined by Suzie Brown, a BISO, or Business Information Security Officer, at Sabre Corporation, the travel technology company and RH-ISAC member. We're all of course familiar with the Chief Information Security Officer, CISO, but Business Information Security Officer might be new to some folks. I'm confident you'll enjoy these great segments. As always, we welcome your thoughts about the podcast or anything else. Shoot us an email at podcast@RH-ISAC.org. Or if you're a member, hit me up on Slack or Member Exchange.

[ Music ]

Alright, I am now joined by Piyush Jain, managing director at Accenture Security. How are you, Piyush? Thanks for joining us.

Piyush Jain: Very good, Luke. Thank you so much for having me.

Luke Vander Linden: Of course, of course. So, tell us, let's just start by telling a little bit about yourself, what you do at Accenture and how you got to that role.

Piyush Jain: So I am a managing director within our cybersecurity practice. And I've been in cybersecurity since the start of my career, 23 years now.

Luke Vander Linden: Wow.

Piyush Jain: So it wasn't a conscious decision, but it happened to be after graduation my first job was cybersecurity and I was in love with it. And since then, I have been in security around 20 years in consulting. So, very rewarding, very fulfilling career that I would say.

Luke Vander Linden: Excellent. Timing's everything. So, I imagine Accenture plays a lot of different roles for its clients in cybersecurity. But let's start first with a topic that we've discussed quite a bit on the podcast, including the last episode. Boards. And we know that security now is part of a board agenda. We also know that there's going to be increased guidance, regulations, rules from the FCC and rule makers as well. Increasingly pushing for information about board knowledge of cybersecurity and reporting and things like that. So, in your view, what are the key elements of a meaningful security discussion that a board should engage in?

Piyush Jain: I would say, what does that board require? What a board requires is assurance that the investment that an organization is making in cybersecurity is delivering desired results. They require confidence in their metrics, in their risk, in the data that's presented to the board, so that they can make informed decisions. So, security, there were times, and there are still some organizations where it is considered a dark art. But many a board, at the moment, is looking for the meaningful security decision. So what makes the meaningful security decision? So, boards are trying to move away from the meaningless metrics that are kind of a so what statement. They are more driven towards exposure led conversation. What is my risk exposure? Where is my business exposure? They are looking at it from a situational awareness perspective. In today's global organization, they operate in a number of countries, multiple continents, different lines of business, and the [inaudible] perspective is not seen everywhere. Why? So your threat [inaudible] would be different from a threat that you would see in Europe. Due to the geopolitical situation in the US, your threats may be different there as well. What boards are seeking is confidence that their business, their business exposure, whatever it is, A, they understand it. B, they are taking a meaningful decision to reduce that exposure. So, that's one thing. Other than that, the conversation is more from a business driver [inaudible]. It's not about, you know, how much has been invested in security or what new technology are you bringing in. The board wants confidence that, you know, these are the five key elements of our business. These are the five key business drivers. How secure are we? Do we have the right foundation? What is it that we need to do against the residual risk? So those are the conversations that the boards are driving. They're also looking at security from a business risk angle. It's not just a technology risk. So, and, what's the acceptability of the residual risk? Because your residual risk can be really, really large. Right? So a board that is presented with the right metrics can intervene, can provide the right investment, the right guidance. So that is what they're looking at. And you know, last but not least is security by design. It's not just, you know, a technology problem. Whatever we do as a part of business, as a part of technology, it has to be secure. So those are the things that boards are looking into at this point. And the things that they're trying to drive in their organizations.

Luke Vander Linden: Right. So less, obviously on the more day-to-day and is more kind of a 30,000 foot view. And making sure that as boards have fiduciary responsibility, making sure that things are covered. But from a broad standpoint. So looking then at more of a structural standpoint, really who should be accountable for that kind of security? Should it be the board? Should it be the CEO, CIO, or is it down to the CISO?

Piyush Jain: I've been asked this question many times. And my response is if an incident can bring your organization, if one incident can bring your organization to its knees, it cannot be one person's responsibility. It has to be everyone's. Because so many times we have seen [inaudible], right? That are wiped out, you know, the share prices that are impacted in terms of organization reputation, the trust that the consumer puts in the organization. So, for sure, it's everyone's responsibility. Now, although the CISO and CIO carry the majority of the primary responsibility, more and more organizations are looking to make sure that the business managers, the business line managers, hold that accountability for their business in terms of cybersecurity and take that accountability right from risk reporting to the board room.

Luke Vander Linden: Luckily over the past couple years, particularly, we've seen that realization among businesses that it's not just the cybersecurity department's responsibility. But for those companies that are however struggling with making that change, what do you say is the best way to get more engagement with those various business lines for cybersecurity matters?

Piyush Jain: That has been a continuous challenge for organizations. And there's no one size fits all when it comes to getting more engagement. So organizations are at different, you know, levels of maturity. But you know, more and more we are seeing the organizations we are dealing with as well are moving away from security as a technical risk. A technology risk. They're considering it as a business risk. Now cybersecurity incidents like a data breach, you know, it can back up the organization. Increasingly, what we are seeing is the risk model being built around financial uncertainty, legal liabilities, and these things cannot be separated from security risk. Security is an integral part of it. The business line executives, they are made accountable. They are made to explain to their boards what is the implication of security on their business? Right? Some of these things are, you know, the boards are actively looking and the executives are actively looking to drive. Within the organization also, you know, the metrics of [inaudible] boards in terms of thresholds. Right? Those established metrics with limits and thresholds, you know, more and more we are seeing it's standardized for the security personnel, and it's not just the CISO organization, it's the business that has to report in line to those [inaudible] as well.

Luke Vander Linden: Right. So one of the other topics that we have talked about a lot on this podcast is third party risk. And there's more, I mean, it's just incredible the number of relationships, third party relationships, that companies typically have these days. Obviously, they need those relationships to operate, but they also introduce a huge amount of risk. The sheer magnitude of these relationships can make it challenging to effectively manage and monitor the associated risk. So in your view, what are organizations doing from an oversight and third party risk management perspective that is successful?

Piyush Jain: So, typically, these organizations have thousands and thousands of third parties. Right? And the problem is historic. It's not something that arose today. And increasingly the business models that we are seeing are [inaudible] where third parties are an integral part of the organization's business or future growth plans as well. So, when the problem is this mammoth, the organizations are looking to slice and dice. And when I say slice and dice, it means prioritization. Right? The first thing at most of the organizations that we are working with, they're looking to have an addendum to the legal contract. Where the third parties they're dealing with, depending on the type of work that the third party does, are liable to adhere to certain controls. Certain risk reporting. And [inaudible] a certain level of security across the board for the area of work they are doing. And especially when it comes to dealing with data. So how long can they keep the data, and data destruction [inaudible]. So first is an addendum to the contract. Second is inherent risk, that's very important. Let's say organizations are dealing with 30,000 third parties. It's not humanly possible to address all 30,000 third parties in one day. Right? But the executives in the organization should have a view of where their risk exposure lies. And that inherent risk is very important. It's not that you don't pull a risk assessment, but you have to understand the level of exposure. And that helps you during the prioritization. And once you prioritize, you will know okay, top five person or third parties bring 60% of my risk. How do I tackle that? Do we do a site visit? Do we do annual assessments? Well then, do we do it once every six months depending on the [inaudible] of the third party? Which are the less risky third parties where we can do a self assessment for those third parties? Where you have legal obligations, where a third party cuts across your, you know, legislation like GDPR and where you process data or share data with those third parties. And last but not least is leverage technology. Because these things cannot be done on a spreadsheet. Many an organization has tried to do that. They need to leverage technology. Because it's not about knowing risk. But how do you mitigate those risks? How do you [inaudible] third parties? Because the problem is huge because an organization may know that they have 30,000 third parties, but they don't know who is the point of contact person in the third party, right? Because the data's historic. And the person would have left the organization. So, whilst organizations are looking and finding ways to address prospective issues for any new third party they onboard, most of the organizations are getting very structured in terms of what sort of security they need, what sort of tracking and monitoring they need to do, and how they tackle the mitigation of those third parties.

Luke Vander Linden: Right. And prioritization, it's called risk management, not risk -- getting rid of risk altogether, so. It is what it is. There's always going to be risk inherent in the business. So. I guess finally, one last question. If you could make a wish and ask executives to do one thing that would benefit their security, what would it be?

Piyush Jain: One thing that I would wish is organizations should stop looking at security as a technology issue. It's a business issue. Right? And it should be looked at from the lens of your business drivers. If you look at organizations, any organization in a public report, where they talk about, you know, external risk, almost 60% of those risks are directly impacted by cyber. If your growth plans, if your logistical risk, if your supply chain risk is impacted by cyber, supply chain [inaudible], it cannot be a technology problem. [Inaudible] as well, but this is something that for most that, you know, I would wish that organizations start looking at. And modernize technology. Now, modernizing technology is not a function of investing more money. It gives you [inaudible] to consolidate technologies. A lot of organizations we work with, we deal with, have more technologies than they ever need. Right? So they can consolidate and use the return on investment effectively to drive their transformation. Also, I would say create a pull demand. Because a lot of times, the CISO's organization is seen as pushing security into an organization. It should be pulled demand from other parts of the organization as well. And last but not least, security should be outcome driven. It shouldn't be -- it means, I know it's a bigger statement I'm saying, time shouldn't be budget driven. But what I'm saying, a lot of organizations would look for budget benchmarks. Right? My situation can be different than yours, right? My investment historically can be different. My negligence historically can be different. My industry is different. And my exposure will be different. So how can you benchmark a budget, right? It all depends on what are you trying to protect, what level of protection you already have, how secure is your foundation, and from there on, how do you build it?

Luke Vander Linden: Well Piyush Jain, thank you very much for joining us. Really appreciate our chat together. Accenture's a great supporter of RH-ISAC, so appreciate their support as well. And thank you very much for your time.

Piyush Jain: Thank you so much, Luke. Really appreciate it. Thanks for having me.

[ Music ]

Luke Vander Linden: Alright. Now we're joined by Suzie Brown, a BISO at Sabre Corporation. Thanks for joining us on the podcast, Suzie.

Suzie Brown: Thank you for having me. I'm looking forward to our conversation.

Luke Vander Linden: So BISO is a term that might not be familiar to everybody. It's the Business Information Security Officer. So we'll talk about that in a second. And you can explain what that means. But before we get to that, why don't you tell us a little bit about yourself and how you got to where you are today?

Suzie Brown: Sure! Well, again, thank you for having me. So I'm Suzie Brown, I'm the Sabre Hospitality BISO for Sabre. So if you're not familiar with Sabre, we are a travel technology company. Together we make travel happen. So we do software behind the scenes, we have two main business units, our travel solutions which supports airlines, air travel, and then I'm the BISO, the Business Information Security Officer for our hospitality business unit, Sabre Hospitality. So we support [inaudible]. And a little bit about myself. So I started my career on the development side. I've got a degree in computer science and so I spent the first 10 years of my career doing Java and C++ development. Went in and out of leadership positions. Came to Sabre about eight years ago as a development manager for the TripCase app, it's a mobile and desktop application that supports travel. And then I started to get my security chops after TripCase. I became the director of an organization. Prior to me joining that organization, they had a security incident. A major security incident that influenced certainly the culture, the work, the business that that team was doing. I came in as the director for their development team and helped them from -- to stand up not just security but process, technology, software process things. Stand up Agile scrum teams. Set up road maps. I took them through their first ever PCI audit. And it was by becoming the director of that team that I got my security chops. It was on the job training. When they were learning about PCI, so was I at the same time. Learning about what are all the requirements, moving them from data centers, bringing in security tools. And so having all of these on the job experiences was what ultimately led me into the security world. So after my time with that organization, I became the software process and security practice lead for the Sabre Hospitality business unit. So I was still reporting within the business. And then about two years ago, a little less than two years ago, I moved under our risk and security team, dropped the software process side, the software engineering process side, and stayed full-time security as the BISO for the organization. Didn't start out in security, started out in development, but this is where I landed. Kind of an interesting way to get there.

Luke Vander Linden: Well, it's quite the journey. And you know, I think, like most people, never intending to get in security but it somehow happened. So it's somehow indicative of just the way of the profession sometimes. So, you've been a BISO for about two years, you said? So what, was there a BISO before you or are you the inaugural BISO?

Suzie Brown: Well, maybe about five or six years ago, Sabre had the BISO position. And I think it got reworked into something else. And so for at least, I'd say, at least three years prior to me becoming the BISO for our business unit, there wasn't one. The work, though, that the BISO team was doing was getting done just in different ways.

Luke Vander Linden: Alright, so tell us a little bit about that. Because I think probably the need for the BISO isn't new. But formalizing this role has been a somewhat new thing. So tell us what a BISO does.

Suzie Brown: So BISO, Business Information Security Officer. So basically, I act as a liaison or a bridge between our risk and security team, or cybersecurity team, whatever you want to call it, and the business. The -- what, if it's in software, the product that you're creating, or what you're selling, or the value that you bring to your end customers. We act as the liaison and so we wear many hats. Sometimes I'm speaking to the risk and security team on behalf of the business unit. Saying on the business side, these are our goals, these are objectives, and we need to make sure whatever security requirements we're putting in place help support those goals. And then sometimes I'm speaking on behalf of the risk and security team to the business unit saying these are the security issues that we're seeing. Here are risks that we have, let's figure out how we can address those. I try not to be a middle man in the sense where I'm an obstacle or where I say people must go through me in order to get work done. Because that's not going to be good from an operational, you know, perspective. But I'm there because I think the BISO position is there to help be that bridge, especially in organizations where the security team and the business team are two separate teams. If your security is completely embedded within the organization, perhaps the BISO looks different or perhaps it's just part of other people's jobs, but if you have maybe a siloed organization or how Sabre is set up, we have like I said, our business units, our travel solutions, our Sabre Hospitality. Where I live is in our TEO, Technology Engineering Operations organization. Which is separate. We were responsible for infrastructure, for foundation, for Sabre, for our personal devices, our Sabre devices, for example. And that's where the risk and security team lives. And so it's important from a goals and objectives perspective to make sure that everyone is staying aligned with what's going on.

Luke Vander Linden: Right. So even though you're trying not to be a middle man, you are very much in the middle. And I guess you do have to pick a side. So you know, not speaking necessarily for your role, but I'm guessing you're active in our BISO community, which is fairly new. And so you interact with lots of other BISOs. Are they usually within the cybersecurity department? Are they usually on the business side? Are they usually a third party? Like who do they report up to? Like how is it structured so that they are clearly picking a side, or do they really have to be neutral and agnostic?

Suzie Brown: I think it depends on the value of the business. And where you want to put the investment. And then also, perhaps one side needs the most coaching or help or I think there's pros and cons and there's not a right or wrong answer. So like I said, I report in our TEO, our overarching engineering organization as opposed to the business. There are pros and cons to that approach. The pro is that my boss is the CISO. And so, I get the immediate feedback about what are the security goals of the company as a whole. I get that interaction with the rest of our security team about the things that they're doing. Especially the things that they're doing that may impact the business. The con there is that I have to very proactively stay in tune with the business. I have to make sure that I'm keeping up relationships, keeping up networking. And from a title perspective, I don't have direct control over what the business does. I have to use my influence and my negotiation skills because I'm not within their organizational chain. Say the flip side, if I was reporting in the business unit, everything I said was true but just flipped. I would have direct relationships with what the business unit is doing. I would need a very clearly or just easier be able to stay in touch with their organization, know their goals and objectives. The con there is I would have to proactively reach out to the risk and security team to understand what are they trying to do? What are their goals? And so, I think it's a business by business decision. I don't think there's a right or wrong answer. I happen to enjoy where I'm at from an organizational perspective. And I do think being on the outside of the business, I get a perspective that people in the business unit may not have. And so that's certainly very useful. And that may be, you know, what's needed right now for where Sabre's at.

Luke Vander Linden: So have the various sites been trained now so that they know to proactively reach out to you? Because, I mean, that's probably hard, you know, for a completely new role. And something new that they had to keep in mind.

Suzie Brown: Well, one of the things that helped, and like I said, everyone has different career journeys, it certainly helped in my position that I came from the business side. People already, they already knew, you know, more than two years ago, reach out to Suzie for software process. For security questions. I was already involved from a compliance perspective. I already, you know, had a list of security things that we needed to work through. So maybe some of that is just the coincidental luck of the draw. I was just in a good position, good timing. So if you didn't have that benefit of already being within the business unit, that would be absolutely one of the first things on my list. If I were in a new BISO position, it's let's go make some relationships. Let's go get your network going. So that people know to reach out to you. I don't necessarily think there was training that we did. But something that I did do when I first started, I sent out an email saying hey, here's my distribution list. If you need to get in touch with me or my team, here's how you do it. Here are the types of things that we handle. If you have questions about what are my requirements or what do I need to do for this specific security case, or if you have a -- if you've noticed, we have this program called See Something, Say Something. If you've seen a security issue, you're not really -- you don't think it's an actual incident, you don't think something bad is actively happening, but you feel the need to tell someone, come tell me and I'll help you get through this. And then again, representing the risk and security side. If you're on the risk and security side and you need the business unit to do something and you haven't figured out how to get involved, come tell me. So that was definitely one of the first things I did was just that communication of we're here, we're here to help. Here are the types of things that we do.

Luke Vander Linden: So then, where do you find yourself spending most of your time? Like what do you try to be focused on? Is it responding to things like that? Or are you proactive in your work?

Suzie Brown: Yeah, let me go through my team charter. What we have signed up to do here for Sabre. So we've already talked a little bit about our first responsibility is the liaison. That communication and that making those connections between people. Again, I -- if someone on the business side needs, has a question about [inaudible] access management or has a question about a customer questionnaire, security questionnaire that was sent to them. They can reach out to me and I can field those questions to the risk and security team. And then same on the other side. If someone on the security team needs to get in touch with the developer, I can -- and they don't know who to reach out to, I can help. So that's the first part of our team charter is that liaison. The second part is building the culture of security within the business unit. Helping our developers with security training, helping do reminders about security responsibilities. We reach out to more than just our product development team, but our sales team, our account managers. Reminding them about, we've got a monthly security tip that we send out about just general security roles. You know, we help out with phishing reminders. So that's kind of the second piece is that security culture.

Luke Vander Linden: So does that mean you're in charge of security awareness? Or you're a partner in that [crosstalk] okay.

Suzie Brown: The two things that I am specifically responsible for, we have a secure, and these are the two legs of my team, and this is the real work. This is the actual things that we do. We have a security backlog. Which is our security portfolio for our products. And so in the typical Agile scrum software world, this is a backlog full of user stories, features, team features that are security related. There are things, as I'll say in air quotes, as simple as changing your password from minimum characters from eight characters to 10 characters. That would be a simple thing. All the way to we need to completely re-architect our identity and access management system. Or we need to, I'm kind of throwing out half the examples. So we need to --

Luke Vander Linden: Yeah. All hypothetical.

Suzie Brown: We need to tokenize these areas of our credit cards. Or, so we're responsible for grooming that backlog, we have the authority to prioritize that backlog to say out of the hundred items on here, this is the next thing that we need to work on. And then we are responsible for that influence. For sending that feature to the business unit, making the case for why they need to invest in it, and ultimately getting it committed on their road map. So that's where my line of responsibility ends. Once the business unit has committed to doing the work, then they take over with their normal process. Whatever, you know, requirements, design, implementation, testing, whatever that's needed. And so my backlog is projects that haven't started yet. I will say that our responsibility doesn't end from a point of contact, a question and answer, you know, so if there's issues, if there's road blocks or obstacles once a project gets picked up, our team is certainly there to help. In many regards, this leg of my BISO team is a product owner. We are product owner for the security features. Just like there may be product owners for other features or other themes within a business. So that was the third of my team charters. With the liaison, the culture, the portfolio, the fourth piece is we are responsible for compliance activities. When I say responsible there, we are a partner. My team owns zero security controls. We don't own any of this. But we are there to help essentially be another aspect of a liaison when there is some sort of audit. And our three main ones that we'd be responsible for, PCI for credit cards, SOC 2, and then we also help out with SOX, so SOX, the financial side of things. Because there are security pieces in that, embedded in that. What we do is help coordinate the audit response from the business unit. We don't own the controls. But if someone who is a control owner has a question on what does this mean? What does this actually mean? Or what type of evidence do I need to provide? Or what is our auditor or assessor looking for in this case? We can help talk through that. We can be a sounding board. And then on the flip side, if a business, if a control owner provides some evidence, and the auditor doesn't understand it, they don't understand the screenshot that they're looking at or how that satisfies the control, we can help be that sounding board as well. The reason that we're able to do this again is because we understand the business. We understand the security side of what the security control is looking for. And we understand how that gets implemented on the business side. And so we can help speak both the language of the person responding and the person who's analyzing the evidence. In some cases, we can get hands-on. Just because of the nature of what we're doing. We may have access to reports that would satisfy an auditor. We may have access to screenshots ourselves. We can go take a screenshot. Again, we are there to help wherever we can. But so those are the four legs for how -- what our BISO team is set up for.

Luke Vander Linden: That's a big table with those four legs. So has there been an evolution over the course of the two years that you've had the role with more things being added? How have you seen it change?

Suzie Brown: It's fairly new. And so I think getting us to these table stakes has kind of been the evolution. We have started to get down into the finer details about, for example, like where risk lies in the system. And where we can help out identifying gaps and issues. So things that we don't do, for example, we're not the main owners of like incident response. And yet, if there is an incident, we're likely to come in from the beginning of that incident, listen in, understand the context, and the minute that there's an action, like a follow-up action that we need to take, perhaps there's an accident that happened and we need to go change some sort of code that would go in our backlog. And then we would again go through our normal process to get that prioritized. Sometimes it jumps to the very top. Sometimes it may be, you know, in the middle of the stack. But so that's where we get involved. I've heard in our BISO working group that there's some other BISOs who feel like they're the catch-all team. If they can't figure out whether this goes on where some sort of project would fit in, well let's let our BISO handle that. And I think at Sabre, we've tried to have a well-defined team charter. And those type of things where we can't necessarily figure out quite where -- since we're a sounding board, sometimes it does make sense for our team to handle it. Sometimes we can help flesh it out or figure out where the project should go.

Luke Vander Linden: Right, so clearly the BISO role in your department has really become integral to Sabre's operations. Is there any advice that you would give companies that don't have this role or don't have this department on why they need to create it? Steps that they could take? Pitfalls to watch out for?

Suzie Brown: I think the first thing to figure out is what are the problems that that company is trying to solve? You know, some of the challenges even that we encounter in our role, one of the reasons why we said well we need a BISO team, especially on that portfolio side, because the business, they have so -- I'm assuming, most companies are like this. They have so many goals, objectives, things that they need to do. Customers that they're trying to satisfy, revenue that they're trying to make, they've got a lot of priorities to juggle. And let's face it, security is just one of the priorities. It's not, it's often not the overarching, be-all and end-all of everything. And so if companies are struggling to get to a security risk level that they're comfortable with, perhaps having a BISO or someone who can champion the security projects, but who's also aware of the challenges that the business unit is facing even without security, that may be useful for them. Someone who can holistically look at the big picture and help the business unit understand where security would fit in. You know, I've mentioned the word influence quite a few times. And because that is one of the challenges that we face is with all of the pressures that our businesses are typically under right now, for profits, for revenues, helping them understand the risks of not, either not doing security projects, or not getting to a level that we're comfortable with, that is an area where we spend a lot of our time, trying to educate and trying to talk through why these security projects are important. Why is it important to go from eight to 10 characters, if that's, you know, the thing? Or why is it important to re-architect our identity system?

Luke Vander Linden: So from a company level, that's great. What about an individual who may be at an organization already or finds this kind of role interesting? What kind of advice would you give them?

Suzie Brown: Well, I think there's some key, I don't know, soft skills, if that's still the term that we use? Key attributes that a person would need in order to be successful at the BISO role. One is having that business unit knowledge. Whether you have gained that because you've come through the business unit or because you're adept at picking up things quickly. But you've got to know the people, the process, the technical side, you've got to know the product. You have to have that knowledge in order to be able to not only speak on their behalf but help influence the BU to make changes, whatever that is. So being able to learn and having that business unit knowledge, that's key. Another piece is being able to communicate complex topics easily. That liaison piece is so important because the security team may speak one language, your business team may speak a different language. And typically we're talking about complex pieces. These aren't always just easy, simple topics. Being able to communicate and do that translation of what each other is saying until they get to the point where they can, you know, speak and you know, everyone's aligned together. That's a very important piece for a business. Or for a BISO. Having that communication. Like I said, my team is responsible for prioritizing our backlog. And so, the ability to assess risk and basically, to have good judgment. Sometimes it does get down to judgment calls. We've seen, another challenge we have is we've seen it's very difficult to translate a security project into the dollars and cents that we'd want to see. On the product side, you can often say a customer is going to pay us 100 dollars to do this. And so will this cost more than 100 dollars to implement or will it cost less? Are we going to get a revenue? You know, from it. But the security projects don't always feel like that. You're trying to prove the negative, you're trying to prove what could happen if we don't do this. And typically there's not, you know, revenue or profit that comes in from doing these security projects. Being able to assess the risk and making good judgment calls in the absence of financial data is very important for a BISO team. The way that we handle it, I'll give some behind the scenes, is we have a security calculator that has factors such as severity, urgency, does this put us ahead of our competitors? Does this make life easier for our developers or make life easier for our customers? Sometimes security can move us forward and make something easier. What's the complexity of the project? What's the effort to implement the project? We have like about 10 different criteria. We fill it out on spreadsheets, and then it pops out a number. And that's how -- that is the most objective way that we've figured out to help prioritize our projects. But so that ability. That ability of good judgment. Another key attribute to make a BISO successful, that persuasion, negotiation, being able to influence others. I've had to work on my sales skills. I'm the type of personality, I typically like to run to data and let the data speak for itself. And I've had to learn to not always use data but sometimes to use a story. Sometimes to use that anecdotal evidence. Because that emotional aspect can help just as much as the data can. If I'm saying well remember last incident, remember the stress that you felt? Remember those weekends? We don't want to go through that again. Having that sales persuasion, negotiation, influence, and whatever means you can is very important. The last one I'll say here is that servant leadership. And maybe this again is just kind of a personality thing. But I think we are here to help. We have maybe on our TEO infrastructure team, and maybe we're supporting risk and security. But I do want to support, I want our business to succeed. I want our risk and security team to succeed. I may have a CISO as a boss, but I've got many bosses. I've got many, you know, people who are wanting things. And so anything that I can do to help serve them and help with that quiet leadership, I think, is very important and very useful in our position.

Luke Vander Linden: Suzie, thank you very much for joining us. Suzie Brown, Hospitality Solutions Business Information Security Officer at Sabre Corporation. Thanks so much for telling your story and joining us on the RH-ISAC podcast. Fascinating role and hopefully we'll hear more from our BISO group and from you in the future.

[ Music ]

Alright, and now we're joined by a podcast favorite, Lee Clark, thanks very much for joining us.

Lee Clark: Hey Luke, thank you for having me.

Luke Vander Linden: Now normally you give us a great briefing of threat intel trends that have been from the last month or so. But a lot of, a couple of pretty big initiatives and things happening right now. So let's dispense with the normal briefing and just drill down on these two big topics, if you don't mind. If you think that's a good idea.

Lee Clark: Yeah, let's do it.

Luke Vander Linden: So let's start with this great initiative. It's not entirely new, it's a [inaudible] effort that we've been talking to our members about for a while and trying to address. But now it's really, really starting to gel. And that is addressing fraud as a topic.

Lee Clark: Yeah. We're working here at the ISAC on a sort of multi-pronged fraud effort right now that we think is going to be really beneficial for the community.

Luke Vander Linden: That's great. So, whenever I talk to members about fraud, and it does come up quite often, the definition of fraud changes depending on what sector the member's in. It's kind of hard to pin down. So how are we approaching this for our members? Even within the retail and hospitality sectors? Wildly different definitions. So how are we approaching it and tell me a little bit more about this project.

Lee Clark: Sure. So our vision for the project is that we'll develop what we could call a clearing house for fraud that's facing the industries covering the RH side, that community. And that this will function as both a reference and a repository for technical intelligence, qualitative intelligence, tactics, techniques, procedures, detection, mitigation, and best practices. And whenever we talk about fraud in this context, that could have a million definitions from a million different sources. So the way we're thinking of fraud here is malicious activity that exploits legitimate business practice using deceptive tactics for financial gain. And what we're primarily focusing on is fraud against enterprises. Right? In our particular industries, all of our members are consumer facing. So they have to deal with fraud against themselves and against their customers or their guests. Right? And for the purposes here, we're primarily focusing on fraud against the organizations themselves. Because to undertake both at the same time would probably be more than a single project can handle.

Luke Vander Linden: It sounds like a lot. So how do we get started and how is your team getting started? What do we expect to see first?

Lee Clark: Right. So the first thing that we decided to work on was using resources that the RH-ISAC already has available to us. And this will intersect with a couple of different efforts in interesting ways. It's going to involve heavy use of our MISP platform, which members will remember from previous podcasts, how we've plugged the way we're developing MISP as a resource for the community. And it's going to intersect with working groups. Where we're sort of developing and improving processes and the way working groups are functioning. And this is going to be an effort. It's going to intersect with that in a couple ways. It's going to inform content for those groups and it's going to be drawing significant inspiration from topics that are discussed there.

Luke Vander Linden: It does seem like this fraud could be a common theme that could flow through a lot of the disciplines our members work with, which is obviously how our working groups are arranged around.

Lee Clark: Yeah. So, I mean, the major types of fraud we're looking at run the range, right? We're looking at gift card fraud, which is primarily big box retailers and ecommerce organizations. We are looking at booking fraud, which involves our hospitality and travel members. And then things like loyalty fraud, which spans all of our industries, any organization that would have a loyalty points program could be the target of something like this, right? So all of our members deal with this in a number of ways. And one of the big things we've discovered as we've started this is that cross team collaboration within membership is one of the things that seems to be extremely important for successfully countering fraud. Making sure that legal is working with intel, which is working with incident response, which is working with the security team. Because most organizations don't house their fraud teams inside their cyber teams. So making sure you've got processes in place for those teams to work together is one of the things that can make or break.

Luke Vander Linden: Right, and you know, that's interesting because I think we've talked about this on the podcast before. That when we're talking about physical security or loss prevention, we -- it's so important to get those folks to talk with cyber just because the threat actors don't care if they're online, if they're in a line in a store. They're going to go after the targets that they can go after. They don't care whether it's cyber or not, so. Anything we can do to encourage those groups to speak amongst themselves would be great. So again, this just seems like a massive undertaking. So what are the outcomes that we should look for?

Lee Clark: Sure, so we're looking at two primary outcomes here. The first is our regular listeners will remember that we've developed a threat actor galaxy in our MISP, it's basically an encyclopedia of threat actors and intelligence related to them. There's sort of a parallel effort to that in the MISP space. We're going to launch a galaxy in MISP that will function as a fraud database. It'll be an encyclopedia as well as a repository for documentation related to fraud types, categorization based on industry type, indicators of compromise, tactics, techniques, procedures, detection and mitigation options, as well as best practices. And when we talk about documentation, I'd like to be a little more specific here. One thing that we were really impressed by when we first started working with members to see how best to direct this project was a lot of members had really advanced and highly developed sophisticated procedures, play books, process diagrams of how they handle a fraud incident once it's discovered. And we know at the RH-ISAC that our members run the entire spectrum of sophistication from organizations that have the most sophisticated cybersecurity operations that you could want in an enterprise, as well as organizations that don't have those levels of resources and are working with one or two person teams, right? So one of the things we thought that this could help with is taking some of the best practices and policies and sophisticated network flows that these larger organizations have and helping adapt them to be fit for purpose for some of our smaller members who don't have that level of organization or resources at their disposal.

Luke Vander Linden: That's great, so the power of sharing continues through everything we do. How else do we want members to participate, if they're not already involved, how can they get in touch and become active in this initiative?

Lee Clark: Yeah. So we are reaching out to members that we know are interested in the fraud space based on their participation in our working groups and based on information that they've been sharing with us to date. So generally, what we're looking for from members is documentation. If they have set processes and procedures in place, we'd love to hear how that works for them, what they think could be improved. As well as technical information. So in addition to the ongoing MISP development we're doing, increasing automation of technical indicators in MISP only increases the value of MISP. And that's true both for threat actor profiles and for fraud indicators. So a second outcome of the fraud effort is what we're envisioning will be an infographic or a working sheet, this will be TLP clear, that will be a summary of this database that will be proprietary to our members. Right? So, it will be a condensed version that will be a working form with RH-ISAC letterhead on it that will be usable for the community. And it'll break down the major types of fraud, major sub-types, major mitigations in a really easy to digest format. And that'll be available publicly as well as for RH-ISAC events, right?

Luke Vander Linden: Oh, that's terrific. I mean, I just tell people all the time, we're the ISAC for the sector, not just for our members. So that's a great service for all of retail and hospitality and not just our members.

Lee Clark: Yep.

Luke Vander Linden: Well that's great. Keep us updated on how this initiative proceeds. I'm sure you'll be back to tell us more. Now, I said at the beginning we were only going to talk about the threat landscape right now. But there is one breach attack group in the news that's really covering everything, and that's CL0P. I think daily, you give us updates on CL0P. CL0P won't stop. It's not really, that's the name of the group. Some people call it that, not everybody does. We'll talk about them and who the who is in a second. But let's start off by laying the scene on the what. So this is really about a vulnerability in the MOVEit file transfer app that was exploited by this group, CL0P. Tell us a little bit more about what this is all about.

Lee Clark: Yeah, so it might be helpful to talk about this in terms of like a timeline, right? We've got some ongoing incident, and it's complicated and involves a number of parties. So, like you mentioned, on June 2nd of this year, a zero day vulnerability gets reported publicly in the MOVEit Transfer managed file transfer, MFT, solution. Right? This is widely used across a number of industries. Over the next week or so after the 2nd, more CVEs emerge. Last count is three total, all with a high or critical severity. Now initially, there are questions about whether this has been exploited in the wild or not and then it becomes immediately clear that it has been exploited in the wild. Then there are differing claims in open source that deal with attribution. Different organizations are arguing that different groups are responsible based on different patterns and indicators that they have indexed. Until it pretty much becomes indisputable around June 5th, when CL0P claims responsibility publicly. Now there's a couple of things that complicated this attribution originally. Right? And this is a good point of discussion for the fraught nature of attribution and naming in cyber threat intelligence, right? So CL0P goes by a couple of different names. One of the names we identify them by is TA505, which is typically how I think they're tracked by both Mandiant and MITRE. Right? We track them as TA505. CL0P is a common name for them. But here's the tricky part, right? CL0P is the name of the ransomware that this group operates as well, right? And most CTI professionals caution against using the name of a tool for the name of the group or organization that's operating that tool. Because it can become confusing when you try to start developing a taxonomy or a pattern to try to track these groups. There's also ongoing debate in the CTI community about the value of attribution at all. Right? I've been part of more than one debate where one side of the debate basically says why do we care who is compromising us? The fact is we're being compromised. Well, in this case, it becomes kind of important because it might be helpful to know who's robbing you, or God forbid, you have to pay the ransom, you have to know who to actually make your payment to. Right? So around the 5th of June, CL0P claims public responsibility. Now, this is where we go off to the races. CL0P at this point is publishing four to 10 different organizations a day. Some open source organizations are saying that we're up to 370 affected organizations, right? So now we're absolutely off to the races.

Luke Vander Linden: Right. And this is probably why we hear from you every day on updates about CL0P. No, just going back real quick though to knowing who your threat actor is. And I think our bias and our belief as the RH-ISAC is that it's important to know who your adversary is. Which is why we created our threat actor profiles. And we knew about this group under various names because this was actually the second group that you guys, your team, profiled in our galaxy of threat actor profiles.

Lee Clark: Yeah, so here at the ISAC our stance, as you say, is that it is valuable to determine attribution when and where possible because you can begin to predict behaviors based on past known behavior. If we know tactics, techniques, and procedures that are commonly used by these organizations, or if we know common vulnerabilities that they're known to exploit, or if they reuse tools, those things can all be helpful in defending. And yeah, once we started the threat actor galaxy, where we do catalogues of major threat actors facing the RH-ISAC community, TA505, or CL0P, was the second one that we actually produced. So at this point, we just add new intelligence to the same profile as it comes as a course of routine maintenance.

Luke Vander Linden: Right. So obviously we know them as a ransomware group. And but this is not ransomware. This is access to data, and then they're reaching out or, we'll talk about how they're reaching out to victims in a second, but this isn't ransomware. Why is it that their method has changed in this particular attack?

Lee Clark: So in this case, we might be a little bit lucky. So, CL0P itself is a ransomware. But in addition to locking files in exchange for ransom for unlocking them, it's not uncommon for ransomware threat actors to also demand an additional ransom in exchange for not publicizing stolen data. It's often called double extortion, right? And sometimes threat actors do one and not the other and there are different reasons and different situations for that. In this case, it looks like none of the organizations that have been impacted by CL0P as a result of the MOVEit vulnerability have actually experienced encrypting and locking of their files and systems. It looks like it's just stolen information that they're being extorted to not have published. Now this could be a little bit of a sign that the vulnerability in the organization that was breached and therefore enabled a third party breach, right? Didn't have the level of access that would have allowed the CL0P ransomware to do the encryption, but it did give them enough data that they could exfiltrate it and extort these organizations to sell it. So in a way, this could be worse, right?

Luke Vander Linden: It could be, right. So they just jumped right to the double extortion part of things. So, normally they would communicate with their victims via the screen that pops up and via the mechanism that they've used to lock down and freeze their victims' systems and data. How are they reaching out to their victims now if they just have the data and not direct access to communicate with them?

Lee Clark: Yeah, so very shortly after they publicly claimed that this was them and it's determined that like alright, hundreds of organizations are impacted. This CL0P actually puts out a public statement on their blog saying if you use MOVEit, you should assume that we have your data. And you should contact us to pay us before we publish your stuff. Because here's the thing. CL0P actually stole so much data as a result of this that it's going to take them months to figure out what data they have. That's why every day, we're seeing a few new organizations listed on their dark web blog, because they're parsing through all the data they've stolen and figuring out whose stuff they've gotten and posting it.

Luke Vander Linden: Yeah this is crazy, they don't know what they have. And so I was going to ask exactly that. Why are they leaking this out over the last month and a half or so four, five, six victims a day? It's because they don't know what they have. And they're slowly discovering what they have and making these announcements.

Lee Clark: So there's another aspect to this as well. Just as much as it's about financial gain, being a cyber threat actor is also about clout. Showing off your skills so you get future jobs, or just being able to flex on your competition and show how strong your skills are. One of the things that CL0P's doing right now is they are guaranteeing that their name is on the lips of every security researcher for the next few months. I anticipate I'm going to be writing about this well into early next year, right? So they've ensured their relevancy, and with the sheer scale of the information they've stolen, they've guaranteed that they're going to be in cybersecurity textbooks as an extremely large-scale, high profile attack, right?

Luke Vander Linden: Yeah, I mean, this is absolutely massive. So, you know, it's interestingly, so, MOVEit is the one, and we've talked about third party risk before. This is a textbook example, as you say, of this. MOVEit's the one that had the breach. But of course, it's their customers who are the victims. And now we're learning that even if a company didn't use MOVEit themselves, there are companies being victimized because their vendors used it. So it's like third and fourth party risk that now we're dealing with. I mean, it's just a massive, massive thing.

Lee Clark: So one quick note I'd like to make here is it's important to note MOVEit themselves were not breached. Well, let's take a step back from that. Alright, MOVEit is a software run by a company called Progress. Progress was not breached. The specific technicality here is that MOVEit has a problem within it that enabled threat actors to steal data from people who use MOVEit. Right? But you're absolutely right on the third party nature of this. Because now what we're discovering is that organizations are experiencing second order effects. Even if a company doesn't use MOVEit themselves, they subscribe to a vendor that uses MOVEit. And because their data is held by that vendor, it was able to be stolen. Right? So, CL0P's claim is that you should contact them if you use MOVEit because they definitely have their data. The thing is, you don't know if they've got your data or not because it's not always possible to know if every single vendor your organization uses has MOVEit or not.

Luke Vander Linden: Absolutely, wow. So I stand corrected on that nuance. That's absolutely true. But this is just, it's so massive for all the reasons that you've described.

Lee Clark: Yeah, 100%. And this is sort of the price of success. Be careful what you wish for, right? A score this big is hard to carry. So imagine if you and I, Luke, decided to rob a bank. And once we got into the vault, we found a billion dollars in gold bars, right? This is the biggest score either of us could have ever dreamed of, right? How are we getting it out of the bank?

Luke Vander Linden: Gold's very heavy.

Lee Clark: Yeah. We're not getting this out of the bank. So, alright. Not to throw shade or anything, but CL0P's dark web blog is buggy. It goes down a lot, whenever you log in to try to download samples that they've posted to prove the leak is legit, a lot of times you just get a spinning wheel and the data never downloads and then eventually the window crashes and you have to reconnect and everything and try again, right? So, their website's always been a bit buggy. But what's interesting here is they're having more technical difficulties than usual, right? On the 14th of July, CL0P actually stated on their blog that they have lost access to their email account for technical reasons. And they request that organizations who were in communication with them restart those conversations in a new email exchange with the new account that they've started up. So the pitch here is basically please email us back again to pay your ransom. Apologies for the inconvenience, but we're having trouble robbing you.

Luke Vander Linden: Right, that's crazy, you know? Call volumes are larger than expected. So wait times might be longer than usual. Absolutely crazy. They're dealing with all the problems that everybody has I guess.

Lee Clark: Yeah, 100%. I mean, CL0P's one of those really sophisticated threat actors that is organized exactly the way that you would expect any enterprise to be, right? They have program managers, they have salaries and benefits, right? So yeah, sometimes your call volume is higher than what you're expecting, right? You're expecting to ransom four or five people a month, right? And all of a sudden, you're on one of the biggest scores anybody in cyber has seen in the past few years.

Luke Vander Linden: Right. Right, right. So, alright, so let's, there's got to be a fix for this. So I assume there's a patch or patches for all these zero days that have been discovered. All these vulnerabilities. What else should companies be doing? If they think that they're impacted by this?

Lee Clark: Sure. So any organization that uses MOVEit is advised to apply any up to date patches and to follow recommended mitigation guidance and monitor for indicators of compromise. Progress themselves have been urging customers to only use patch links that are included in their official documentation. Now they have released a patch for all of the vulnerabilities at this point. These are all available on their sites. And in addition, they've publicly committed to instituting an ongoing patch service that they're calling a monthly service pack. And the July service pack is going to have fixes for all the newly disclosed CVEs. Now, for organizations who were concerned that they might get secondarily impacted by this, you don't use MOVEit yourself. But you don't know if your vendors do. But it's a conversation that's worth your security folks having with your vendors. It's if they use MOVEit in their environments, what of your data's in the environments that MOVEit is connected to and what mitigations they have put in place, right?

Luke Vander Linden: Wow. So this is big, it's going to be here, as you said, you're going to be writing about this for the next year. I imagine we'll be having briefings for our members in the foreseeable future coming up. So, thanks for this, this is a great summary of the situation as it's known today. Appreciate you coming on. Also, excited to hear about the fraud initiative. Any members that want to be involved in that should reach out to us as well. Lot going on, Lee, thanks very much for joining RH-ISAC Podcast as you do every month.

[ Music ]

Thank you to Lee Clark, RH-ISAC's cyber threat intel analyst and writer. You should be doing this anyway, but if you're an RH-ISAC member, be on the lookout for any messages you receive from us on all of our communication channels, as there will definitely be more to come on CL0P. Big thanks to my other guests as well, Piyush Jain, a managing director at Accenture Security. And Suzie Brown, Business Information Security Officer at Sabre Corporation. If you want more information about anything you've heard today, or if you have an idea for a podcast segment or want to be on yourself, or if you want to become a member of the RH-ISAC, shoot us an email at podcast@RH-ISAC.org. As always, thank you to the production team, we couldn't do it without you. For the RH-ISAC Annie Chambliss and Marisa Troscianecki, and from the "CyberWire," Jennifer Eiben, Tre Hester, and Elliott Peltzman. Thanks for listening, and stay safe out there.

[ Music ]