The Retail & Hospitality ISAC Podcast 2.14.24
Ep 44 | 2.14.24

New Malware Sharing Initiative & a Look Back at Cybersecurity Over the Past Decade

Transcript

Luke Vander Linden: Happy Valentine's Day. This is Luke Vander Linden, vice president of membership at the Retail & Hospitality Information Sharing and Analysis Center. And this is the "RH-ISAC podcast". [ Music ] Valentine's Day. And there's romance in the air for many of us. So let's make this episode about a couple of the RH-ISAC's relationships past and present. We have a new relationship with associate member Stairwell. Today I'm interviewing Aaron Mog, Stairwell's forward deployed CISO, about their malware analysis platform. Very romantic. And more importantly for RH-ISAC members, the sharing program they designed just for us. This interview is on the heels of a demo Aaron did for RH-ISAC members last week of the platform. We recorded that as well. Members, you can find it on member exchange. But if you need help finding it or for more information, send your favorite RH-ISAC CTIT member a love note or if you're not yet a member shoot me an email at podcast@rhisac.org and we can plan a date to go over it. As for a past relationship, in this episode RH-ISAC president Suzie Squier continues her series of interviews with the CISOs and cybersecurity professionals who had a hand in getting the RH-ISAC started 10 years ago, 2024 being our special milestone 10th anniversary. What's the gift for 10 years? Diamonds? I'm going to go with diamonds. We are planning celebrations throughout the year starting at our summit in Denver in April. More information at summit.rhisac.org. And at regional events throughout the year and then culminating at our member meeting in celebration in September. So for this episode Suzie sits down with Colin Anderson. Colin is now the CISO at Ceridian. They do human resources software and services, but prior to that he was the CISO at Safeway and Levi Strauss. Great retailers. And an RH-ISAC founder and past board member and past chair. 
So thank you for taking time out from any romantic interludes you had planned for today to listen to the "RH-ISAC Podcast." As always, if you have something cybersecurity related that you'd like to contribute, shoot us an email at podcast@rhisac.org. Or if you're a member, hit me up on Slack or member exchange. [ Music ]

Suzie Squier: Hello, everybody. This is Suzie Squier, president of the Retail & Hospitality ISAC. And I am joined today by a special guest from the Suzie's plus one. One of my all time favorite people. Scott Howitt who is the current chief digital officer for UKG. But formerly a board member of RH-ISAC and one of our founding members and founding board members. So, Scott, how the heck are you?

Scott Howitt: I'm doing great, Suzie. And it's really nice to be on here and being back involved with RH-ISAC.

Suzie Squier: I know. You've been such a key integral player in the history of this organization and you know we miss you terribly, but I know you're going on to bigger and better things. But let's start -- why don't you tell us a little bit about what you're doing right now at UKG before we start going into the -- what -- the past.

Scott Howitt: Yeah. Sure. I joined UKG about a year and a half ago right after they had their ransomware incident. So I am the chief digital officer, with the CISO, the CIO, the chief data officer, and the chief risk officer reporting to me. So I'm not out of the woods with security. We're still alive and active on it and growing the -- growing the security team here.

Suzie Squier: That's great. Good to hear. Good to hear. Are you -- are you still in the Dallas area or --

Scott Howitt: I am kind of in the Dallas area, but I have a place down in Florida as well. One of our headquarters is in Weston, Florida. So I spend a lot of time down there as well.

Suzie Squier: All right. Great. Well, glad to hear things are going well, but let's go back a couple of years. Almost 10 years, if you can believe it.

Scott Howitt: That's hard to believe.

Suzie Squier: It is hard to believe, isn't it? And you and I look exactly the same.

Scott Howitt: Exactly. Beard might be a little grayer, but not -- not -- otherwise exactly --

Suzie Squier: It's looking great, babe. It's looking great. So can you remember back then you were the CISO? Was that your title at J.C. Penney? Okay.

Scott Howitt: CISO at J.C. Penney.

Suzie Squier: Yeah. J.C. Penney. And one of -- one of the group that we pulled together in early 2014. And, you know, we've actually never talked about this or if we did it was 10 -- you know, 9 or 10 years ago. What was the atmosphere like in J.C. Penney? You know, in the early days of 2014 after -- which wasn't one of the first breaches in the retail industry, but the largest at that time with the Target breach that happened. Were your leaders coming to you asking questions or do you happen to remember what it was like where you were?

Scott Howitt: Oh. I do. It was -- it was like it went from security was very little concern to the forefront of everybody. I was answering to the VP of store ops. I was answering to the general counsel. I was answering to the CEO. And ironically, if you remember, we'll take it back even further back to the T.J. Maxx days. J.C. Penney was one of the companies mentioned. And so, you know, Gonzalez had broken into Penney's, but hadn't extracted any data when he got caught by the FBI. And I got brought in quickly right after that. And so but we kind of kept security a secret within Penney's for those four or five years, and then Target came along and suddenly, like I said, everybody was worried. Everybody was nervous. And, boy, then it seemed like from then on about every week it was a brand new retailer getting popped. And so, you know, I spent a lot of time with the board and a lot of time with the executives going over, you know, why we thought we were different than what happened at Target.

Suzie Squier: And I'm just curious. At that time did you -- I know you obviously have a peer network. Were you reaching out to peers here talking to them, seeing what they were -- what they were going through, things along those lines?

Scott Howitt: We were, but it was pretty few and far between. Like, you know, I never talked to the people at Target. I remember one time we had discovered some like gift card fraud on Silk Road. And I know we'd seen like, hey, Gap was a script out there so we called up the people over at Gap. But it was -- it was very rare that we ever got on the phone with them. I was more likely to be talking to the other CISOs in the Dallas area and talking to them about, "Hey, what are you doing?" You know, "What tools are you putting in?" But it was never really specialized around what was happening in retail. And, sadly enough, like we have a lot of big retailers in Dallas. We just didn't seem to, you know, reach out to each other a whole lot.

Suzie Squier: Yeah. So then -- then I came into your life.

Scott Howitt: It's a wonderful day.

Suzie Squier: And I was working with a trade association at that time and we had a lot of folks working on the government side, you know, because there was a lot, so you remember a lot of government questions about what's going on, what's retail, do they need to be regulated. There were a lot of questions about that up on the Hill. And -- and then we were working on the operations side and we gathered folks together. And I think our first meeting it was at the NCFTA in Pittsburgh. Do you remember that?

Scott Howitt: I do remember that. What I remember is why anybody would want to go to Pittsburgh in March because it was very cold. But yeah. I remember that. And I had no idea what to expect when I showed up.

Suzie Squier: And we had those -- we were -- we were at like a small classroom. We had some presentations. We had I think Bill Nelson from FS-ISAC come up and talk about what their ISAC was doing and talked about different models and the ISAC model. And I think we had about 30 companies in there at that time. It wasn't a big group. And -- and we just kind of hatched it out. And I believe, correct me if I'm wrong if your memory serves you better, but we left that meeting saying, "Let's pursue this ISAC model."

Scott Howitt: Yeah. It was, you know -- It was super interesting because I remember there was -- there was a lot of open debate about it. Right? I think some of the CISOs were like, "Ha ha. It didn't happen to me. And as long as it doesn't happen to me, maybe it's a little bit of a competitive advantage." And there were others who were like, "No. Like I think what goes around comes around." Right? And like it's probably going to hit all of us if we're not really careful in banding together. And so, you know, I -- I had never really -- I dealt with other information sharing forums before. So I was familiar with the concept. But I think that was the first time it dawned on me that like, oh my gosh. Yeah. I -- surely we're seeing the same threat actors and the same people coming against us. Like why aren't we sharing this information? So I'd say there -- there were four or five of us that really got it. And then I think there was a whole lot on the fence and then there was some that I think they were like, "You know, I'll never join." Who changed their minds later.

Suzie Squier: Yeah. And I think you're right. I think there were some folks who this was kind of a whole new concept. You're right. You know? It was a lot of -- it was a lot of great -- great back and forth, great discussion during that time. And I always remember everyone was -- was open to talking. So that was really great. And then I remembered -- I just remember we had that meeting in D.C at Morrison Foerster's offices down there. You remember that?

Scott Howitt: Yeah. When you told me who it was at first, I thought it was maybe a joke. They'd need to find a better name to shortcut their name.

Suzie Squier: I know, but it's beautiful offices.

Scott Howitt: It was.

Suzie Squier: Great time. I think you and I ditched each other and we went to the wrong -- what is it? White and elephant or some -- some bar.

Scott Howitt: [inaudible 00:10:19] I hate that.

Suzie Squier: But we got together anyway. And then we began -- and then we began the journey and you, you know, were gracious enough to be on the board as part of our leadership. How did you feel at that time? You know, just -- I don't know. Again it's been a while, but you know helping to lead the group. And any thoughts as we were kind of beginning this? We were still forming. I mean when -- when we put the board together we hadn't hired anybody. We were just putting our governance together. Booz Allen was leading us, but it was just a lot of work on you and the core group on setting all of the foundations for the organization.

Scott Howitt: Yeah. It was interesting because like I never heard of a 501, you know, B, C, D -- like I had no idea what that was. I didn't know there was such, you know, legal ramifications of what we were doing. I think too it was -- it was really wow when I saw the disconnect because remember, you know, we had had somebody from either CISA or somebody like that come in and talk to us. And it was kind of like, "Yeah. We'd love to get all your information." Like, "We won't give you any back, but we'll take all yours." And it was like, "What? That doesn't seem right." But, you know, I -- you know, I was able to go to the board and say, "Hey, I think we need to put down this initial money. I think we should be one of the charter members." You know, if nothing else it shows that we have good will towards the industry and what we're doing. But I think that was the thing is I think most security people are mission driven. Right? And I think you get that a lot of us, you know, come from the military. But I think too it's just, you know, we're trying to do the right thing. And yeah. I want to do it for my organization, but if I can do it for the broader good, why wouldn't I want to do that too? And so I think it was the first time that, you know, I really started getting excited about, wow, you know, not only can I help what's going on with J.C. Penney, but wow. We could help the industry as a whole and give, you know, consumers who were losing a little confidence in retailers, hey we could give them some confidence back. And so I thought it was great. And too, like the cast of characters that were, you know, surrounding us all, like they were all of like minds too. And I think that was what was really cool about it is that, you know, their -- it was people who had kind of the same mission in mind.

Suzie Squier: Yeah. It was. It was. And, you know, I always -- I kind of think back at times. Not to equate it like founding fathers idea, but you know the -- when you're doing something like this, it's interesting the group that you -- that you surround yourself with. Or who gravitate to it. You know? And it's like you said. That mission. Having that mission over all. And we're fortunate to have a lot of great brands, a lot of great people who are willing to put the time because that was a lot of time put into that. You know?

Scott Howitt: It is more time than you initially thought. That's so true. But, like you said, I do think it was really rewarding, especially you know when you saw -- like wow. Like not only did this attack not happen in our organization, but I know like seven other people that I talked to today, it didn't happen in theirs too because we share that information. Right? And it was when we finally started seeing that kind of momentum, that was a real ah ha moment of how cool this could really be.

Suzie Squier: Yeah. I agree. And you needed that. And you really needed leaders such as yourself and the other founding members to take that under -- in their charge. You know, and to drive that which was -- which was also key. And to show people how it works. And then you had another opportunity when you left J.C. Penney and you went over to MGM. And can you tell us a little bit about the conversations you had with other gaming hospitality folks primarily in Las Vegas, but probably overall? When they were kind of looking at information sharing.

Scott Howitt: Yeah. For sure. And I think that's one thing most people, you know, don't understand. MGM Resorts is not just MGM Grand. It's -- it's 29 resorts across the U.S. and in Macau and now there's properties popping up in Dubai and Japan. And so, you know, what most people don't think about when they think about a casino is, hey, you know, from a -- MGM Resorts at the time had 250 retail locations within our properties. And then at the time we were the largest non-themed restaurateur in the U.S. with over 400 restaurants and bars and things like that. And so as I went over there certainly I had new challenges I never had in retail. You know, how do you coordinate with physical security? I had aquariums and dolphin tanks that I had never thought about how would I secure that. But what we were seeing is, wow, FIN7, FIN9 are coming against our cash registers. And they're coming against, you know, our restaurants and things like that. So it was a lot of parallels between what was happening in retail. And, in fact, it was kind of interesting because a lot of the things and techniques that we knew protected our registers and our stores in retail had not yet been applied in the casino space or in the hospitality space because they thought of themselves as different. And then when you got into this like actually like, guys, exact same threat actors. They're using the same techniques. And they've just realized that, wow, the retailers got smarter. Now I'll come after the hotels and the casinos.

Suzie Squier: Yeah. Just move on over. And I think at the time they were all thinking of maybe trying to start their own organization. And you were instrumental in saying like, "Look. We belong over here. You know, with the retail organizations." And -- and really, you know, we did a lot of kind of testing with them, you know. What we can provide and what they -- and what it would be for them to start up on self. Do you remember going through all that?

Scott Howitt: Yeah. They -- so when, you know -- when I came on board we were very active in the Real Estate ISAC and in also the Information Technology ISAC. And, you know, good stuff. Good stuff happened in both those organizations. But as I read through it it's like none of this is really relevant to what I'm actually seeing happen, you know, knocking on our front door. And so, you know, every year -- I'm sure you were just at it. In fact, now I feel -- I can't believe we didn't reach out to each other, but at Black Hat. You know, we hosted Black Hat every year and then DEF CON. And all the CISOs in town get together, you know, a few weeks before and talk about like, okay, what have we got to watch out for this year? And let's share. You know, we're on a call with each other every morning making sure we share information between properties. And so, you know, having the conversation with them of like, "Hey, look. Here's what I was getting out of the retail ISAC. I think we should talk about joining and pulling in other non-gaming hospitality organizations as well." And it was a pretty easy sell. I mean I think they all got it pretty quickly and we started as kind of a little subgroup to start with and then it expanded out enough that we got to throw the H on -- it was a lot more fun.

Suzie Squier: It was. And it was nice getting rid of the original name which was a little, well, cumbersome. And yeah. I think you were a strong proponent of that, if I remember correctly.

Scott Howitt: I certainly was.

Suzie Squier: Well, that was great. And that did help, you know -- help launch, you know, taking in the hospitality and whether it's casinos or hotels. And actually now, you know, quick service restaurants. Same thing. It's like you said, you know, at MGM you had a ton of restaurants as well when you were there. So a lot of great stuff, and can't thank you enough for all that you guys did in bringing -- and you particularly in bringing that together for us as well. So it was fun. I do have to bring up a sore spot. Do you have an idea?

Scott Howitt: I do. I do.

Suzie Squier: And I can still say that you're not wearing the clothing that I gave you.

Scott Howitt: I'm not. I'm not. You know --

Suzie Squier: Would you like to -- would you like to tell the listeners about what I'm talking about? Or would you like me to bring this up?

Scott Howitt: You can tell the story, and I'll finish it out.

Suzie Squier: Oh. You'll correct me. Is that what you're saying?

Scott Howitt: I'll correct anything that you had wrong.

Suzie Squier: So you could -- you could give me the right year. I think it was 2015. 16?

Scott Howitt: That sounds right. 2015.

Suzie Squier: I can't remember. No. No. Maybe later than that. It was a hockey season. God, my -- the Washington Capitals will spare me for not knowing the date. No. It wasn't that long ago.

Scott Howitt: No. It's '17 and '18. Now that you say it, '17 and '18 is when it was. Yeah.

Suzie Squier: So my hometown team, the Washington Capitals, were playing your hometown team, the --

Scott Howitt: Las Vegas Golden Knights.

Suzie Squier: There you go. And in the -- in the Stanley Cup. And we had a bet that whoever won, the other would send them a team jersey and you would have to take your picture in front of your losing arena wearing the winning jersey.

Scott Howitt: That is very true. I wish I -- I wish I could replay that in another way. And I can't. So now that I don't live in Las Vegas it's just taking longer to get it. But I --

Suzie Squier: Oh. Is that what it is?

Scott Howitt: That's what it is.

Suzie Squier: Because just so everybody knows, I never got the photo. Never got the photo. I sent the jersey.

Scott Howitt: She did not. I actually put on the jersey. It was very painful. And it fit well and everything. But I just never had occasion to get down in front of T-Mobile. But I -- you know what? I think I'm going back in October. So I will pack the jersey and brush all the dust off and do that. Yeah. Like it doesn't matter we're the world champions right now.

Suzie Squier: I know. Now you've got it. So the sting won't be that bad, will it? I know.

Scott Howitt: It will not be as bad as it was. So I think I got a little, you know, over my skates so to speak when we won game two. But yeah. You guys slaughtered us. Much like we slaughtered the Panthers this year. So I feel pretty good about it.

Suzie Squier: That's true. You did. All is fair. Right? All is fair.

Scott Howitt: All is fair.

Suzie Squier: So I'll ask you. Your best thoughts or take away from information sharing. You know, what we built together and where you think it's going or, you know, why people should, you know, be a part of an information sharing organization. Any parting words from the legendary Scott Howitt?

Scott Howitt: Yeah. What I would say is -- and maybe you'll remember this. When we all got together in Dallas at Deloitte University and we talked a little bit about what was our visualization of what the ISAC should be. Like when we looked at it for New Years. And I remember somebody saying this, and like it hurt my heart a little bit because I didn't mean it in that fashion, I said, "You know, I would like to walk away from the ISAC thinking wow we really created something that was meaningful and people are going to look at and say, "Wow. That was really cool." And they use it on a daily basis." And somebody -- I remember somebody going, "Well, that's pretty narcissistic." And it was like it's actually not what I -- I didn't mean it narcissistically. I just thought it would be cool to see something where like, you know, I know the way I succeeded in the security industry because I had a lot of people who picked me up along the way. It's the way I've succeeded across my career. Right? Is thank God I've had a lot of people that were willing to make time for me and help me along the way. I think, you know, an ISAC is just a formalization of that. Nobody -- if you think you have SEAL Team 6 as your security team, then I think it's your obligation to join an ISAC and each other's. If you think you have a team who is, you know, Boy Scout group 101 and you need a lot of help to become SEAL Team 6, you should join an ISAC and get that help. Right? There -- there is nothing wrong with asking for others' help. We've got to remember our adversaries are organized crime rings that have millions to billions of dollars. If ransomware were a Fortune 500 company, they would be 150. Right? Like we need to think about that. And so, you know -- and so what I would take away is, listen, you're going to meet a bunch of great people who are like minded like you. You're going to make lifelong friendships like you and I have made. We would have never met each other otherwise. Right? 
And, you know, I love you and the team to death over there. And it's just, you know, they're building this as a community and fighting as one is always much more powerful than trying to be the lone wolf. And so if nothing else you'll make a few good friendships, have a few good laughs, but I've never seen a company join this and not benefit from it.

Suzie Squier: Yeah. Thank you. I agree. And I think -- I think you said it perfectly. If you are -- if you are a leader of the pack, jump in and help. Help somebody else. You know, that doesn't mean you don't have a role. You -- you have a key role. And -- and you always said that. I know you're big into mentorship. You've got -- I don't even know how you keep up with all the folks that you help along the way which is really, really awesome to hear. And, you know, I just got to -- I've got to say that I'm so happy that you came into my life because we just have a -- we just laugh at each other every time we see each other.

Scott Howitt: That we sure do. So I just can't bring my wife around you because you'd let her know all the time, you know, how I'm punching above my weight. So --

Suzie Squier: Gee. So true. So, so true. I just -- I just want to pull her aside and go, "Girl." No. You're the best. Thanks for hanging around. Looking forward to seeing you in Dallas.

Scott Howitt: For sure. For sure.

Suzie Squier: And I did not go to Black Hat this year, but we do have to make a better plan that if we -- you know, when we go to those things that we can get together with some of these other cronies that I'm going to be pulling on here. Colin Anderson. David McLeod. When was the last time we saw David?

Scott Howitt: Yeah. It's been a long time. I did see Colin at Black Hat. So he and I sat and chatted for a little while.

Suzie Squier: Oh good. He's great. Well, I think we'll have him on as well. So, well, Scott, you know it's always great chatting with you. Thanks so much for being a part of this fun little podcast that we have going on. And -- and, like I said, I'll reach out to you when I'm in Dallas so we can get together.

Scott Howitt: Looking forward to it.

Suzie Squier: And bring your wife.

Scott Howitt: Well maybe, we'll see.

Suzie Squier: All right. Take care, Scott.

Scott Howitt: Okay. Bye. [ Music ]

Luke Vander Linden: All right. We are now joined on the "RH-ISAC Podcast" by Aaron Mog, forward deployed CISO. Great title. From Stairwell, one of our associate members. Thanks very much for joining us on the podcast, Aaron.

Aaron Mog: Thanks so much for having me. Appreciate it.

Luke Vander Linden: So for those of us who don't know what Stairwell is or what it does, give us a -- give us a broad description.

Aaron Mog: Yeah. Absolutely. So Stairwell is a startup based in Silicon Valley formed by some ex-Google folks and funded by Sequoia and Accel and all of the standard, you know, high profile Silicon Valley VCs. But really it's a company born by practitioners. It's a company born by people who, you know, do incident response for a living, deal with threats for a living. Our founder, Mike, was the person who built Chronicle, one of the original TAG members at Google, and then built Chronicle which was the Google SIEM and left there to start Stairwell. So our DNA is kind of around big data, scalable Google style data management, things like that. And then really attack the problem of files. Right? So investment money in this industry is in logs and telemetry data, and files exist where they exist. Right? They sit on the endpoints or on the server. So we really built a mechanism to bring all of that data into kind of a modern data lake, and then to also do detection engineering with it. Right? Is sort of where we are born from.

Luke Vander Linden: Fascinating. So I do want to ask. You have a great title. Forward deployed CISO. What does that mean?

Aaron Mog: Straight up ripped off of Palantir. It's what they call their engineers. So my boss, Eric Foster, loved the genesis of that from the Palantir days and this idea that you're embedded within -- in your companies. So I have a history of being a field CISO which is a very honored title in vendorland of going out and helping customers from a more strategic perspective. So I was a field CISO with Sky Q, a field CISO at Trace3. So, you know, different companies. But, you know, a fundamental here is we're really a get-your-hands-dirty, engineering-driven company. So that's where it comes from.

Luke Vander Linden: Excellent. Love it. So as an associate member we have a partnership where we -- our organization, not me particularly, we have some projects that we're working on. Tell me a little bit about the program that we've -- we started together.

Aaron Mog: Yeah. Absolutely. So, you know, one of the first things I did when I came in was to start building relationships with the ISACs. You know, I believe it's where a lot of the folks in our community come together, share data in a -- in bodies that have some legal structure around it. And, you know, obviously on the IR side we're always sharing data. But, you know, it's a great way to sort of get more community access. So as we started doing that with RH-ISAC we realized that some of the technology that we bring to the table around malware sharing, data lakes around malware, could have a pretty big effect on membership, you know, from a -- both a vendor side and the, you know, retail and hospitality side. So we wanted to offer a solution to essentially share malware samples. And it's traditionally a very tricky thing to do. Right? First of all, everybody tries to stop you because everything strips malware off of file shares and email, things like that. And then it's just a very difficult thing to scale. Right? Like, you know, you and I may set up a file share where I drop one file to you, but it doesn't really grow. So the fundamental architecture of Stairwell is every customer and every researcher gets a private data lake of their files. And then there's a very big data lake which every Stairwell customer can see of essentially all of the malware. Right? What we've built for RH-ISAC is essentially a middle layer which is a data lake of malware samples that's fully anonymized and not attributable. Right? Meaning if you put malware in that pool I don't know that you did it. It just shows up. But it's a private data lake for members to share malware samples both upstream with RH-ISAC researchers and with each other. Right? 
So if you're at, you know, one of the hospitality chains and you're nervous about, you know, the latest ransomware attack [inaudible 00:30:13] and you have a sample or want to get your hands on a sample, that's not the easiest thing to do in our industry. So that's basically what we've built out for RH-ISAC. It will allow reports to contain malware samples that are downloadable. Every piece of malware in our entire platform is always downloadable. So there's something like 800 million pieces of malware that you can download along with now a private data lake that RH-ISAC members can share. So I'm pretty excited about that. It is 100% free to any member that wants to do it. You can be an individual researcher. You could be inside of an organization. Obviously do it on an organizational level. We have some member friends that are already customers and have that capability out of the box. But this is not a commercialized program in the sense of you don't have to pay-for-play. You can -- you know, you're a researcher at a retailer. Let us know. We'll give you access. And tomorrow you can see all the malware samples and do what you need to do. And it's a pretty exciting program.

Luke Vander Linden: That's -- that's outstanding. And so -- so thanks for that. So how does that fit with how a retailer, hospitality, any company, really uses your platform normally to power their security program?

Aaron Mog: Sure. So our -- our normal use case is let's call it value binaries. Right? Let's put it in a data lake. Let's provide you value from your endpoints, from your telemetry, into a big data lake. So we have customers that have 80,000, 90,000 endpoints on the platform that are forwarding binaries to us all day. That's how we commercialize the product. Right? It's how we scale. Basically the same way anybody else sells data lakes. So give me all your data. I'll help you process it. We do some magic with that around, okay, now I have the file. What do I do with it? Right? So we have malware scanning at scale. We've got YARA rules at scale. We've got the ability to run sandboxing at scale, to consume and compare threat intelligence at scale against your files. That technology extends to now doing it against samples. Right? So if you want to write a YARA rule it's very difficult because you'd need a lot of samples to run against. Our platform was built for that. Well, now we have this extra data lake of the things that are available just to RH-ISAC members. The technology's the same whether the files come from a million endpoints or one researcher doing a sample or all of the bad malware we get our hands on. It's the same technology. So obviously eventually we would love for our, you know, associate member firms and RH-ISAC members to become Stairwell customers as a place to keep their data. But that's certainly not a condition of using our platform to be a part of the community or be a researcher.

Luke Vander Linden: It's always fascinating to me when I talk to folks from companies that have this kind of 30,000 foot view of a lot of companies. What kind of trends are you seeing out there whether it comes to malware or anything else that you're working with?

Aaron Mog: So our biggest focus area I would say from an analytics perspective -- so once you have the data. Right? What do you do with it? We are very much in a world where variance and uniqueness is hurting us. Right? So, you know, every company you read about that's breached, it's not like they didn't have security technologies. Right? It's they have prevention and they have detection. So what's happening? One of the things the adversaries are very good at is evasion and building malware packages, ransomware packages, that evade defenses. So one of the coolest things about binaries is you can't hide. Right? You can hide behavior. You can tunnel traffic. But like a file's a file. Right? The code is the code. So what we focus a lot on is the idea of variance. So if I get a file, that file may not trigger any alarms, but that file at a DNA level will look like other threats. So one thing we do is -- so example would be if you put a sample into your data lake it will instantly tell you the other files in the globe that look like that file. And obviously if those are bad, you can make some determinations about how bad that file is. But really what we're trying to do is attack the problem of variance with data science. And it's not something that's being done a ton on the detection side. It's certainly being done on the prevention side. Right? So YARA companies do this for a living. But it's difficult. It's a very difficult problem. And, you know, the prevention companies are fighting this global battle against all of the threats we're facing. But each individual organization has to fight their own battle. Right? You know, so one of the things I talk about is these big defensive companies thinking they're going to come help you when you're in your own breach scenario. It's very difficult. Right? Because they're fighting -- you know, it's sort of like expecting the army to show up and pull your car out of a ditch. Like could happen, but they probably don't care as much. They're fighting a bigger fight. So I'm really focused on each individual company and organization can understand the files I touch and how they relate to other potential badness. Right? There's only 12, 14, 15 malware kits in use at any given time. It's not that many variants. But it's very, very easy to hide them. And so that's really what we're focused on is what we do at a code level. Right? So this code looks like this code. Therefore it might be that or good is really one of the things we focus our energy on.

Luke Vander Linden: Wow. That's -- that's fascinating. And so where do you see -- if you had to put on your soothsayer hat or your crystal ball, where do you see this -- any trends going in the future?

Aaron Mog: So, you know, I think just as a macro trend I think security needs to be better at attacking problems with better data. And I think in this case we're behind our friends in IT on this. They've been doing this for a while of let me solve big complicated business problems with data. And obviously AI and ML. But like you have to have the data. If you don't have the data, you're not going to win. Right? And so, you know, retailers obviously part of our RH-ISAC community, they've been doing this for, you know -- big retailers could tell you how many bananas are going to sell when there's a storm. Like they -- they're very good at data set. We're incredibly immature at it in security. So I think as a macro trend, you know, building capabilities around large data I think is very important. We've been doing it around logs for a while. I think we've got to extend that into identity files, cloud behaviors, even code. Right? I think those are things that are at a macro level really interesting to me. I think that's where we're headed. And also honestly just as where scale comes from. Right? You can -- like even for us, right, you can only hire so many malware reversers. You can only hire so many experts. And if you don't extend that with scalable technology, I don't care who you are, it's a people problem. So I think those are the macro trends. I think where I would say we're headed. And the flip side of that obviously on the threat side is, you know, the threat actors getting more sophisticated. Right? In a sense of like running it like a business. You know, certainly we've seen that the last few years. You know, it's tied to a lot of -- obviously a lot of consumer behaviors and like what pays in that moment. And, you know, the move from ransomware to monetizing data outside of companies is very interesting. I don't think -- I don't really see that changing a lot in the next couple years. I mean it certainly could. But I would say for companies it's, you know -- it's whack-a-mole at a global scale. And it's getting harder than it's ever been. It's actually almost impossible most days. So yeah. I would say that would be the macro trend I would certainly see.

Luke Vander Linden: Wow. So for any companies and any of our members that want to get involved with the project we're working on together, what advice would you give to get ready or to prepare?

Aaron Mog: Understanding how you want to interact with samples is very important. I think a lot of organizations in general struggle with this. You know, are you collecting samples in a meaningful way? Are you adding them to some library? If you are, how do you hook that library to your ops? You're doing post-mortems, all this sort of stuff. So certainly you can talk to your peers about what they're doing. Some of them are going to be involved in this effort. I and my team are happy to talk to people I know. You know, the threat team at RH-ISAC is happy to talk to you about ways to use this. You know, this is an augmentation of what everybody's doing. It's not a [inaudible 00:38:15] replacement. It's not a temp replacement. You know, intel is so super important. It's a tool in the toolbox. And so I would say preparation-wise it's thinking about how you want to, you know, work with malware. I think one of the hardest things with malware is when you get a sample. By the nature of you having that sample you're sort of admitting that you've seen it or been hit by it in some ways. So the ability to do it anonymously I think is pretty killer of just being able to go and say like, "Hey, community, here's a file. It's not attributable to you. It's not attributable to your username. Everybody should see this." And from a behavioral standpoint understand it. And from an IP and hash perspective understand it. Go see if you're being affected by it. Oh, and by the way, the variants of that. Right? If I'm sitting at a desk every day, that's one of the things I want to know. You know, you may not want to download the sample and reverse engineer it. And that's okay. But you've got to make it useful. You know, we all struggle with operationalizing intel and operationalizing outside advice. It's just one of the hardest things to do in security. So hopefully this will nudge it along. You know, I -- we do this a lot in the research community in general. Right? So we've got thousands of researchers on the platform already. And they use it as a way to go to market faster essentially, to build better YARA rules, to build better detections. There's an entirely new sort of part of our industry called detection engineering which is around building individual companies' defenses. Right? Detection engineers from vendors and now it's become corporate. So power detection engineering. Would my rules work? Is another great question we can answer. It's I am going to write this detection. Would it catch anything? I don't know. Like you don't want to wait until it happens. So, you know, testing that against samples is a great way to monetize and monetize your program in an effective way of like, hey, would I catch these threats? I don't know. Let's try it out. So all of that is available to anybody who wants to try it out. Also we love working with other -- our friends, other vendor partners who work with intel companies, who work with EDR companies, who work with service companies. So if we have any of those folks, we fundamentally believe that community's the only answer to this. Like we've got to scale together. No one company can do it by themselves. I don't care who you are. And so we really believe that is part of our value add.

Luke Vander Linden: We're stronger together. That's what the ISACs are built on. So anyway Aaron Mog from Stairwell. Really appreciate you joining us on the podcast. Thanks very much. And thank you for your support of our community.

Aaron Mog: Absolutely. Thanks a lot. Appreciate it. [ Music ]

Luke Vander Linden: Thank you to my great guests, especially RH-ISAC president Suzie Squier for interviewing Colin Anderson and to Aaron Mog, forward deployed CISO at Stairwell. If your company doesn't have a relationship with the RH-ISAC yet, we're waiting by the phone for you to call and ask us out or swipe right or something. To find out more about membership, go to rhisac.org/join. Show us some love and start the process. And, as always, thank you to our lovely production team who do their best to make us sound good. For the RH-ISAC that's Annie Chambliss. And from N2K networks Jennifer Eiben, Tre Hester, and Elliott Peltzman. And thanks to you for being my valentine and for tuning in. Stay safe out there. [ Music ]