Preventing Digital Fraud & Scams
Ann Johnson: Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other security decision-makers. I'm Ann Johnson, and today I am joined by Lou Manousos.
Ann Johnson: Lou is an acknowledged expert in internet security and threat intelligence. He has been developing enterprise protection technology for more than 15 years and is currently the CEO of RiskIQ. Lou spearheaded a new approach to use intelligence to help companies protect their organizations and reduce online fraud. Lou is responsible for malvertisments.com, the first and only public database documenting malvertising incidents continuously. Before RiskIQ, Lou was the VP of R&D at Securant Technologies, which pioneered identity and access management for web applications while also creating technologies for single sign-on security. Lou is currently a VP of product at Microsoft Security.
Ann Johnson: Welcome to "Afternoon Cyber Tea," Lou.
Lou Manousos: Hey. Thanks for having me, Ann.
Ann Johnson: We can talk about at the end of the show - I didn't know you were the VP of R&D for Securant. So you and I have some common friends there.
Lou Manousos: We have a lot in common. That's correct.
Ann Johnson: Yes, we do. I had no - up until I read your bio at the beginning, I actually did not know that. So we'll talk about that at the end. But let's talk about cybercrime for a while. As cybercriminals adapt to digital transformation in nearly every industry, attacks continue to rise and become more advanced. And internet crime only gets better and only gets faster. What role do you think information security plays in enhancing fraud prevention tools in organizations?
Lou Manousos: Well, I guess the role - we're the experts. And one of the things that I've seen that has been really game changing is not just looking inside your organization - like, what's happening inside your four walls - but, you know, what's happening outside and, you know, how are the bad guys or the adversaries looking at your industry, looking at your peers? You know, what activities is ongoing for them? So this emergence of, like, an intel-led strategy for everything - for every corporation. You know, certainly, when I started in security, it's just the way you thought. Like, you know, a lot of us were, you know, hacking ourselves as we learned, right? And, you know, we took that into the job and that - it's just so critical to have an intel program no matter what you're doing in InfoSec today. And it's something that I see really driving the path forward.
Ann Johnson: So when you think about companies and how they view their cybersecurity program, most of them are focused really on internal - right? - on keeping their enterprises safe from attack that would hit them internally. In your work that you've done - both with, you know, the Malvertising Working Group and with Securant and also with RiskIQ - you've really had an external lens of the industry. Can you talk to me a little bit about how companies need to be more focused on that external lens versus being so hyper-focused on their internal fraud posture and their internal security posture?
Lou Manousos: It's so simple, really. I mean, there's so many things to do in IT. There's so many problems to solve. And the thing that the external side reminds you of is it's not a problem that we're trying to fix. We're trying to win a game against an adversary. And those adversaries, just like us, have, you know, limited time and patience. So when you take that lens of the external view, now, all of a sudden, you're focused on the same things that your adversary's focused on. And that puts you in a position - you know, the rules are the same. It's - you know, an IP address is an IP address. An open port's an open port - you know, whatever the technical rules are. So that focus actually gives us a chance to win. When I look at internal security over the years, it often was solved like an IT problem. And, you know, that's - IT problems are great. When you fix them, you fix something and develop a new piece of technology. Now you have that problem fixed. But adversaries - they change their tactics, and that makes this job really, really hard. And so without an external view, you know, we just end up chasing our tail. So that's what I love about it.
Ann Johnson: I think that adds a dimension, too - right? - for our customers to think about how they're going to have a multidimensional approach to cybersecurity. And we know that cybercriminals are adapting to what we call digital transformation, right?
Lou Manousos: Right.
Ann Johnson: As customers move - yeah - their platforms and become more in the cloud and more digital, attacks are continuing. The cybercriminals aren't just going home and saying, OK, it's over. So that internet crime that we talked about is getting faster. It's getting better. When you think about, you know, the folks that are pure CISOs and their interplay with fraud prevention in the organizations, how do they need to be working with the fraud folks in their companies to actually make sure the solutions are holistic?
Lou Manousos: Yeah. You know, the fraud is, you know, one of the ways that a cybercriminal monetizes the - you know, the attack. And certainly, it does really depend what you do. You know, if you're a government agency or a Fortune 500 or financial services company or health care company, retail company - the reality today is it just does matter the business that you're in. You know, there's that old saying - you know, why do people rob banks? That's where the money is. I mean, it's silly. But at the end of the day, it's very, very true. You're going to attract adversaries based on, you know, what you do. And so, you know, tie it back to fraud. If your organization is in - you know, in a retail environment or financial services company, you know, fraud will be a big part of your cyber program or your threat intelligence program.
Lou Manousos: You know, I love looking at fraud use cases - A, just really some of these schemes are just elaborate and extremely fun to look at and study. But it - you know, it shows you the infrastructure that the fraudsters set up. You know, if they could set that infrastructure up to pull off a cyber heist, you know, that can also be used by nation-states. It can also be used by, you know, other attackers that are trying to infiltrate your organization. So bringing those fraud teams into the picture and using that same fraud intelligence as part of your broader security program is just a great idea.
Lou Manousos: And the main overlap you see is with anti-phishing programs. You know, the phishing account takeover use cases is one that we all see no matter what industry we're in. But clearly, the way to monetize phishing mostly, historically, has been in financial crime - you know, transferring money out of an account or something along those lines. But we saw that one just dramatically carry over where anti-phishing and programs now are essential for any type of breach of an organization. And, you know, those credentials get reused and, unfortunately, people make mistakes. And now once I breach the organization through a phishing attack, you know, you have everything from, you know, wiper malware to, you know, ransomware, which has emerged. So these things are all connected. And, you know, I think you can learn an awful lot studying fraud use cases.
Ann Johnson: So when you think about that, I want to pivot just a little bit to consumers - right? - because we know that organizations are spending a lot of time, a lot of money on their cybersecurity program. But consumers are distinctly at a disadvantage - right? - because cybercriminals are spending the time and money to evolve their attacks. They're looking for new flaws. They're looking for flaws in software. They're exploiting vulnerabilities. They're launching new phishing-types attacks. They're using the phone to actually make physical phone calls versus phishing attacks. They're launching attacks via QR codes. How do you recommend folks, who are consumers who may not be as cyber-sophisticated, protect themselves in their home environment or their personal environment?
Lou Manousos: Yeah, it's a question I get a lot, right? You know, I think a lot of folks who work in the intelligence and anti-fraud world get this. And it's a really tough one - you know, the grandma call, right? Your grandma or your grandfather calls you or your mom or dad, depending on how technical they are - you know, hey, what do I do to protect myself? I mean, it really does - we do need to be building more security into the products that we use, whether those are online, you know, social media sites or, you know, the bank websites we use, the - you know, the computers and phones that we use. But, you know, that's - there's always an angle, right? Everyone's going to adapt all the time. So, you know, the best advice I have is, you know, really simplify your online digital life. Like, simplify it - remove all the variables, don't have a million things going on, you know, using operating systems that are modern and patched and updated. And, you know, if you have a really old computer or old phone that can't be upgraded anymore - and that's often the people that you see that fall victim to, you know, the worst of online malware. We're all seeing it now, right? You use your phone and it's forcing you to upgrade. And that's a great, great thing. So let's continue to adopt that.
Lou Manousos: I think education is probably the biggest part of it. The thing about fraud use cases for victims is they just aren't aware of the latest, greatest scam. And you've got to stay on top of it and make sure you're just talking to people and talk to other people in your family. You know, I wish I had better advice on this. I think it's gotten a lot, lot better. You know, with malvertising - what was really scary when the malvertising industry was taking off and you saw threat actors selling this activity, it was zero-click. So I couldn't really give anybody any advice. It's like, don't open your computer. Don't use your computer, which, of course, doesn't work.
Ann Johnson: Yeah.
Lou Manousos: You know, now it certainly starts to look sneaky. You know, you have to do something. You've got to click. You've got to go to a landing page. You've got to fill out a form. And so I think it's getting much better and we're doing a better job patching the browser. We're doing a better job with, you know, getting patches out for the operating system. But then it's just really driven an uptick in these social engineering scams. So you've got to stay on top of it as an end user.
Ann Johnson: Yeah. And when you think about that, we've also - we're in this era of social media, right? And - where we're concerned about people recreating your identity, using a deepfake - right? - using your picture and something that sounds like you and creating, actually, a social media platform that actually isn't you. These identities are super easy to create, right? You could have, you know - Lou Manousos could be on, you know, Twitter and could be on Instagram and be on LinkedIn before you even know it exists. And people could be sending messages to other folks. So how are security teams going to protect their executives and their employees from being exploited by these deepfakes and these messages that could be potentially going out and really causing brand damage to companies?
Lou Manousos: Well, that's I think, something that is more practical. I mean, every company can build a - you know, call it a brand security program, an executive, you know, guardian program. Like, let's - who are the main targets in your organization or the targets that, you know, have the keys to the castle, like the IT administrators or other people who have privileged access in the organization. Those individuals will be targeted with these deepfakes, with copycats of all sorts. Monitoring social media, you know, looking at your domain name registrations - relatively simple online hygiene, but just the vast scale of the internet makes it complex. So we do think that this is a solvable problem. You can build monitoring for organization and you can study, you know, how would an attacker look at your executives and these privileged individuals in the company and how might they launch an attack against you. And that does start with, you know, protecting the brand and building security into your online presence. Every company now relies heavily on the internet. The internet is everyone's network. You know, we're not using private networks anymore. Everything is SAS application, so the avenues to attack are large. So it does require automation and, you know, building that into the security program. I like to see that type of a program live both with intelligence and the people who, you know, work with your CISO and with people in the business that are the targets. But also, it's an operational program, so it has to have connection into the 24-by-seven security operations. So as we modernize the SOC, you know, I think the companies that are leading the way here have built brand security into that SOC and made it a part of how, you know, we're triaging incidents and, you know, supporting the organization where it matters the most. And this is something that's unfortunately an increasing attack vector.
Ann Johnson: Yeah. And I think that the one thing - and you said it in a prior answer - is we have to get better about educating consumers, right? In addition to things that companies can do and tools that can be built, people have to actually be educated on what the possible exploits are and how to protect themselves. Do you have any good recommendations of how we do that, you know, mass education for folks that, again, aren't that technical and don't think about cybersecurity every day?
Lou Manousos: Well, like everybody here that's listening, you know, I get tripped up all the time on, like, my privacy settings, you know? Well, did I - do I want to share this? Do I not want to share this? Do I want to be visible? Do I not want to be visible? So I think some of the default settings - and, you know, defaults are scary. You know, you want it to be default secure, default private. That's - at least I do.
Lou Manousos: And I feel like often that's where it starts - is educating both our internal users. And, you know, the companies that build these online applications could put some amazing training, you know, right into the profile that you're managing for yourself. And I think, you know, a little goes a long way. You know, how often do you go in and change that stuff - so when you do, like, walking, you know, the customer through or, you know, the consumer through the process - and then, in your own organization, like, reminding users to go back in and building, you know, some really actually interesting training that's out there now that is fun to watch. And I think the more investment in that area, it pays, you know, massive, massive dividends. But I think the default settings and, you know, understanding, am I default secure, is a great place to train your users.
Ann Johnson: Let me ask you the cliche question, Lou. What's keeping you up at night right now? What do you think that, as an industry, we're not prepared to defend against?
Lou Manousos: Well, right now we're all, in cybersecurity, I think, looking at this Ukraine situation and wondering, you know, how a lot of the cybertools are being weaponized, you know, in an actual, physical war situation. And, you know, it's certainly an eye-opener to see a lot of the techniques that have been used for sort of ordinary cybercrime, ransomware, you know, now weaponized in this way. It's definitely got everyone's attention in the industry and just heartening to see everybody pitch in. But it just highlights how important, you know, it is for us to continue to work with all the stakeholders, right? It's a multi-stakeholder issue.
Lou Manousos: So, you know, that's the one that's really top of mind for me and, you know, how we can work together as a community. You know, you were talking a lot about fraud earlier, and loss of money is certainly a cause for concern. But, you know, loss of life is a really much bigger cause for concern. So as we see how cybersecurity can be weaponized in these ways, it's really the - one of the most important things and just highlights how important this job is.
Ann Johnson: Yeah, there's no doubt. So as you were thinking about, you know, coming over to Microsoft - right? - with the Risk IQ acquisition we made, it'll be, I guess, a year in August, so in a couple of months here. What were the natural synergies you saw between the two organizations and how you felt that Microsoft could help expand the mission and the work of Risk IQ?
Lou Manousos: Our vision was, how do we help build a safer internet? And I always said help build. So we work with our customers. You know, we're working together to secure attack surfaces and reduce the foothold that attackers have. You know, the internet is everybody's network. And that was just so important to me. You know, we talk about, you know, my early work in identity, and why identity was so exciting is it was helping the internet grow as more and more online services were built.
Lou Manousos: And so securing the network aspect and reducing the footholds in the attack surface of the overall internet - you know, as I adopted that vision and executed on it, we started working with Microsoft really over the last four or five years on many of these massive internet-scale attacks. And I remember talking to some of the people on the team about a team - the security team's mission. And one of them was like, yeah, it's protect planet Earth, which only a company at the scale Microsoft, you know, can actually say. You know, I just said I'm trying to help. So the Microsoft security team - and they really take that seriously. And it's a big responsibility. But I was very impressed that it wasn't just that they could say those words - the actions and, you know, every day, just the thousands of people that worked to make that a reality. So, you know, all great organizations have to be mission-driven. And I - you know, I believe that for RiskIQ. And I've been extremely happy to see how our missions are melding together and, you know, we're taking it just a step further. And so, yeah, thanks for having me here. And I'm really honored to be on the team and fired up to take, you know, all the RiskIQ software and get it into the Microsoft platform.
Ann Johnson: Yeah, well, we're thrilled to have you here - right? - because we do think that, you know, you give us that expanded view to help protect our customers and to protect planet Earth, and that's the important thing, right? I mean, we're all doing the same mission work, and any tool we can put in the arsenal to defend against bad actors is a good tool.
Ann Johnson: What are you working on right now? What's the team - you know, what's the team thinking about today and for the next couple of years?
Lou Manousos: Well, you know, the main - and I just said it. You know, we want to get the RiskIQ platform, you know, fully integrated and allow, you know, all the Microsoft customer base to leverage the work that we've been doing. And so that is a big job. But as I'm doing that, what I'm seeing is there's all the signals and all the intel teams at Microsoft and how we can take that and supercharge the RiskIQ platform. So it's something to look forward to, and I'll be talking more about that in the coming months. But we have, you know, some big things planned for this summer to take that internal developed Microsoft intelligence and deliver that through, you know, the next version of the RiskIQ platform, which will be a Microsoft product. And, you know, this is intelligence, as I've been finding out, that we've been using internally to make the products better. But, you know, now we'll have an opportunity for end customers to leverage this intelligence in their own security program. And that's extremely exciting - just to see how we'll be able to magnify the efforts of so many great organizations that now will benefit from this massive visibility that Microsoft has.
Lou Manousos: Another thing I'm working on is supply chain, and it's a very interesting attack. When you have a weakness in your supply chain, it's really the way to get to a tough target. And we - you know, we saw that with SolarWinds, and, you know, we're seeing that again with some of the Ukraine activities. So we've been thinking about how we can take the RiskIQ technology - we had a play in supply chain security, but we're looking to put more effort there and help our customers not only protect their first party, but, you know, look through the lens of intelligence against their third parties and how that could bring weakness to their organization.
Ann Johnson: Is there one or two things you can tease for us that's just super interesting that you found in doing that work? As you're thinking about, you know, the things you're bringing to the future, what's been the hardest thing?
Lou Manousos: You know, unbelievably, you know, organizations don't really understand their supply chain. Just discovering, like, who are my key suppliers that aren't just the suppliers that I know about that are the major ones, but, you know, who has access to data? What type of network connectivity do they have - you know, remote access and things like that that they need to - in order to carry out whatever vendor relationship they have with the company? But the idea of asset discovery and, you know, what assets are exposed, it extends to a vendor discovery. Like, what vendors do I have, and do they have the keys to - you know, to my shop? So I've been really surprised at how few organizations really have a good handle on the vendors that they do business with and the type of access that they have. So we've been starting there with discovery and how we can really tighten up who those vendors are and then expand the view into the weaknesses that that brings to your organization.
Ann Johnson: Fantastic. We like to send our listeners off with one or two actionable things. What are the one or two actionable things you would tell people to do today?
Lou Manousos: If you're not already investing in an intelligence-led security program - and that doesn't just mean, you know, building out threat intelligence as a discipline in your organization - it is infusing that mindset of whether it's the fraud mindset of the bad guy or the - you know, the nation-state threat actor, the concept of, hey, security is a game and we want to win. So infusing that into all of the security programs that you run - whether that's your patch management or your vulnerability management program - you know, not just making it a single-siloed intelligence function - that, I feel, is something that will really change things for your organization, and I would highly recommend looking into that.
Ann Johnson: Excellent. Well, thank you so much for joining me on "Afternoon Cyber Tea" today, and many thanks to our listeners also.
Lou Manousos: Thanks, Ann.
Ann Johnson: And join us next time on "Afternoon Cyber Tea" on thecyberwire.com or wherever you get your podcasts.
Ann Johnson: I invited Lou to join me on "Afternoon Cyber Tea" because he is such an industry expert with many years of experience dealing with digital fraud, helping both consumers and organizations protect their digital landscape. And as we're moving into this world of the metaverse and we're moving into the world of more social media, there is an increased need for consumers and organizations to protect themselves against digital fakes and frauds and all kinds of online identity threats. I knew Lou would have valuable contributions to that conversation, and he met my expectations and exceeded them.