Consumer Safety in the Cyber Landscape & Chris De La Rosa Member Spotlight
Luke Vander Linden: Hello, everyone. This is Luke Vander Linden, vice president of membership and marketing at the Retail and Hospitality ISAC, and this is "The RH-ISAC Podcast."
Luke Vander Linden: You're listening to the podcast for retail and hospitality cybersecurity professionals, CISOs, analysts and other practitioners. We focus on content about the latest challenges, opportunities and best practices unique to cybersecurity, specifically in the retail and hospitality industry. New episodes drop twice a month. You can hear the new ones and all the old ones at thecyberwire.com.
Luke Vander Linden: So let's get to it. Today we're joined by Courtney Radke, field CISO for retail and hospitality at Fortinet. Courtney is no stranger to "The RH-ISAC Podcast." He has regularly brought us his insights, and Fortinet has been a great supporter of the podcast since its inception. Today Courtney also brings us a guest, Ryan Lange, who is the IT director of security and infrastructure at Batteries Plus. We're going to have a great conversation that will touch on everything from how the rapid adoption of technology over the past few years has impacted cybersecurity to third-party risk to the blurring of lines between physical and digital. Then we will have a member spotlight. This will also be a recurring feature of the podcast.
Luke Vander Linden: Today we're joined by Chris De La Rosa, senior threat intel analyst from Dick's Sporting Goods. He's one of our more active members. His name and voice pops up on our calls and on our sharing platforms all the time. We'll learn a little bit about Chris on a personal level, then how he got to where he is now career-wise. And also, Chris attended the first of our regional workshops in Phoenix a couple of weeks ago. He'll talk about his experiences there.
Luke Vander Linden: But before we get to those two segments, I do want to talk about some fairly big news out of Washington, D.C., last week. The White House issued a new national cybersecurity strategy, the first such cybersecurity strategy released since 2018. Our partners at the National Retail Federation highlighted two areas for us in which the strategy is potentially relevant to the retail sector. One is a general call for broader cybersecurity regulatory action in critical infrastructure sectors, and the second is a focus on shifting responsibility away from end users to software and technology companies.
Luke Vander Linden: So let's look at both of these closer for a second. First, the increased regulatory action builds on what the current administration has done over the past two years to mandate cybersecurity improvements in, quote, "critical sectors," which usually means things like pipelines, maritime transportation, aviation systems, things like that. Retail is considered a subsector of the commercial facilities sector. We're getting into real government speak now. But as a result, while there is no denying that retail is fundamentally vital to our society, there are some concerns that broad-based cyber regulatory activities that are intended for those higher-risk sectors I just mentioned - energy, transportation, water, etc. - could have an inadvertent impact on retail.
Luke Vander Linden: Second, the White House calls on software and technology companies to build greater responsibility for cybersecurity, noting that, quote, "end users bear too great a burden for mitigating cyber risks." The White House is calling on Congress to develop legislation, meaning laws, establishing liability for software products and services. Generally speaking, this broader focus around cyber software security risks could be a net positive for the retail sector, given that many retail cyber incidents today are the result of third-party software vulnerabilities.
Luke Vander Linden: Now, the RH-ISAC doesn't do any policy work ourselves, but we will stay abreast of these and all regulatory issues affecting our members' work through our partnership with the National Retail Federation. If you want to be a part of that work or if you want to opine on anything you hear on "The RH-ISAC Podcast," let us know at firstname.lastname@example.org. That's email@example.com.
Luke Vander Linden: All right. And now we are joined by Courtney Radke. Courtney is the field CISO for retail and hospitality for Fortinet. Court and I got to spend a little time together at the National Retail Federation big show in New York in January - good to see you again, Court.
Courtney Radke: Good to see you, Luke. That feels like a lifetime ago.
Luke Vander Linden: It does. It does. So much has happened since then. But, you know, you're not a stranger to our podcast. Fortinet's been very, very supportive of "The RH-ISAC Podcast" from the beginning, so we like to have you on occasionally. Courtney, you brought a guest today. Who do you have with you?
Courtney Radke: I did. I did. I'm joined by Ryan Lange, the IT director for security and infrastructure at Batteries Plus.
Luke Vander Linden: Welcome, Ryan - good to see you.
Ryan Lange: Thank you for having me.
Luke Vander Linden: So, Court, you're going to start with a little bit of a brief for us and tell us what you guys are seeing in your work these days.
Courtney Radke: Yeah. I mean, it's an appropriate time because Fortinet just released the half two of 2022 threat report. It's our annual threat report. We kind of break that up into two cycles in a year. And honestly, guys, 2022 was a lot of the same. And in going into 2023, we're seeing kind of ebbs and flows, you know, throughout the year. We see it spike towards the mid-summer, fall. We see that, you know, late-year push with the holiday shopping and things like that gradually coming to normal levels. And I do - you know, I do normal with air quotes here because what is normal anymore? We've set such a high precedence for the amount of ransomware, the quantity and quality that's been going out there, that we just continue to set records every year.
Courtney Radke: So what we found, you know, was it's kind of whack-a-mole a little bit, where some of the most prevalent ransomware groups that we saw previously - they either, on purpose or sometimes inadvertently, they halted their operations a little bit. But when that happened, it allowed for another one to emerge, another one to come up. Why is that happening? Well, one of the most troubling things that we've seen is just how easy it is to kind of put these ransomware campaigns out there to create these crime-as-a-service offerings, as you will. They're almost a la carte. You know, we saw one recently where it included an entire server. It included the remote access trojan. It included every single piece. And you could add a little bit more on if you paid for it. It's truly becoming a business. We saw about 40% - I think it was 37% of all ransomware campaigns come from the top five families because they're merging together. It's a big business for them. It's really crime as a service.
Courtney Radke: So the bigger issue that we've kind of seen - while ransomware is huge, botnets, all that stuff is huge, I'm sure you guys have heard of this and are watching for it, too - is wipers. You know, they really have been around for a long time. We saw the first instance of a wiper, I believe, in 2012 and then a resurgence with, you know, the war in Ukraine. But we know that those geopolitical boundaries rarely stay there. And they found that they could use that for harm across the world in all different industries. So wipers have really had a resurgence as of late, and that's kind of where I want to go, the kind of setting the tone of it's a little bit of the same, but they're kind of changing their approach a little bit. More groups or new groups are coming up. That's not to say that the, you know, the tried-and-true baddies aren't out there, they still are. The large groups, the Lazarus groups and, you know, REvil group and others, they're still operating and they're still making a lot of money. It's not all doom and gloom because we have seen in the news, you know, that they have been arrested. Some of these groups are getting shut down. But it's still a constant struggle out there.
Courtney Radke: So I want to kind of set the tone here, guys, is talk about, you know, in retail, how have some of the paradigm shifts over the last year of bringing on new technology, new business models, you know, in supply chain, all of these things, how has that kind of changed the approach that us as security practitioners have to take? And specifically, Ryan, you, get your insights and perspective on what is it like out there? What is it like in the world right now being, you know, a security practitioner in the real world, in the business? So let's kind of start there. I just kind of teed it up a little bit of the adoption of technology. Ryan, I'm sure that you have created a lot more - you know, had a lot more technology adoption, invested a lot more in technology. It's supposed to make the customer journey easier, frictionless experiences, create better employee experiences. But, you know, double-edged sword, it normally comes with an increased risk. So maybe talk to me a little bit about, you know, some of the implementations you've had and how that's, you know, increased risk and kind of what you guys are doing about it.
Ryan Lange: Sure. Absolutely. One of the biggest changes that we had was in all 750 locations, we moved to enabling buy online and curbside pickups. And just implementing that strategy moving forward, it was very tedious to make sure that we had all the security in place because now we're actually taking - outside the store, we're actually, you know, taking credit cards and that sort of information and making sure that's secure all the way back to our trusted platform for credit card payments. That was one of the biggest things just to make sure that was done correctly. And that was very much because of the pandemic that it was a requirement.
Luke Vander Linden: Right. Everybody became an e-commerce retailer during the pandemic, right?
Courtney Radke: Overnight, overnight. If you didn't have an e-commerce website, you were struggling. We often talk about this in the terms of people don't really say digital transformation anymore. It's either digital acceleration or differentiation because you've already done it. You've already put in this stuff. And, Ryan, I have to assume that that included, you know, the buy online, pickup in store, that it included increases in your cloud landscape, it included increases in IoT inside of the stores or tablet or something, some sort of technology to make sure that you knew people were there or point of presence, something like that.
Ryan Lange: Yeah. On the store side, it wasn't - we were lucky enough to be set up a lot for some of the mobile stuff. So that wasn't a big driver for us just because we were set up to - we were already installing batteries in people's cars outside. And so it was just a matter of figuring out, OK, now we really don't want them in the store at all. How do we go about doing that?
Courtney Radke: Yeah, that's interesting. We don't want you in the store, you know? You can come in if you want, right? But we want you to stay outside. And honestly, we've gotten so used to, as consumers, that, right? I pull up, I check in and within, you know - I like it to be within, you know, five minutes at the most that you're out there and you're delivering my product. I think we've become creatures of habit, and we like that. I think, you know, maybe you were set up for this, but, Ryan, as you know, a lot of businesses, they had to quickly adapt and adopt new technology. They threw in sensors, new mobile apps, new, you know, e-commerce. That check-in system, they didn't have that before. So what we've seen is because of that, that increase in vulnerabilities that I talked about, that 200,000-plus, that total attack surface, attackers know that, too.
Courtney Radke: And so one of the biggest things we've seen is kind of a shift in mindset of less on the objectives at the end. They're still, obviously, you know, being successful in some cases, but they're focusing so much more now on the recon and the weaponization. And so they may be looking at you from an external attack service perspective or looking at your newswire or, you know, just trying to come in to your business and move horizontally without making any noise before they ever attack. So the recon and weaponization is definitely a higher focus for threat actors. They're learning the gaps. They're learning the vulnerabilities. They're learning what that red zone is - right? - the ones that actually impact you. And so again, we talk about it in the total - and that's that 200,000 - the open, which is what is pertinent to your business, and then that red zone of the - we find that it's about 1%, honestly, of that 200,000 total it's really actually critical to look at right now. So from your perspective, are you focusing more time on that, the pre-attack? Obviously, we'd like to stop it before it ever happens - right? - so that technologies that are in place for the left of the attack are critically important right now.
Ryan Lange: Yeah. And a lot of that comes down to - it's hard to predict what's going to be next. So it's just a matter of being prepared for what's coming. And that's where we're really helped - being helped with, like, segmenting things on our network. And that's just a very basic thing. Like, we always talk about zero trusts. And sometimes it's available to us, and sometimes it's not. But from my perspective, it's about providing flexibility to the franchise because we're a franchise-owned company. And we want to make sure that that franchise has the ability to do the business the way they want to do business and, at the same time, being able to provide a secure product for them against all of these vulnerabilities.
Ryan Lange: And it's a give and take on the security landscape because to have flexibility, you have to give up just a little bit of security. And it's just a matter of, where's the right risk factor? And what threats are pertinent to the business? And what threats aren't pertinent to the business? Some of it is protected from us from the firewall perspective. Like, they're not - we segment all of our stores so they cannot get back to our corporate office. And that's by design. So therefore, if something happens at a corporate store, it is isolated to that store.
Ryan Lange: And that's one of the big things that we do to make sure that threats aren't coming into the network, so if - from two things. Threat can't come in through our Fortinet system, and it's amazing. We like it - and then making sure that it can't traverse from store to store and can't traverse within the store. For instance, we were thinking about drive-bys, someone with a wireless scanner that's driving past our store that has all of a sudden - because, like I said, we're in the parking lot doing work. What if someone has a wireless scanner? And it's making sure that's segmented off from the rest of the network so they can't get and propagate and traverse through our network.
Courtney Radke: Yeah, I mean, that's one of the biggest things that we see. And that's an important note because we still see organizations - Luke, I'm sure that you've talked to some out there as well - that segmentation is still a concept that they haven't quite grasped yet, right? They're still a flat network. Everything can talk to everything. And, whew, that's just a recipe for disaster right now.
Luke Vander Linden: Right. And dealing with franchisees is another layer of risk, right? You know, we're - third-party risk is something that we're all - there's a lot of focus on. And that - you have it on both ends, both your franchisee's but also then your supplier's end as well, right?
Courtney Radke: Yeah. Let's touch on that a little bit. So third-party risk can mean a lot of things. It can mean the franchisees and the technology that they bring into the organization. But also, think about your supply chain. And now, in retail, we talk about supply chain as, let's get the product into the customer's hands. That - yes, that is supply chain. But what it also means is all of these integrations that you've had to take for your digital transformation - you're talking about, you know, your pick-up and go, your curbside, your delivery services, warehousing, distribution, logistics, on and on - all of those are normally different pieces, parts, integrations into the environment.
Courtney Radke: And if we go back to the - you know, the hacks of years past, it's not you that was the target, or it wasn't your systems that were necessarily vulnerable. It's, you know, the HVAC system or the something else. So maybe talk about, you know, Ryan, what you guys are doing to enable safer integrations of third-party technology or, you know, through your partnerships because you - you know, Batteries Plus probably has a bunch of partnerships that you leverage to make that machine work. How are you working through enabling better integrations? And maybe talk about how you conduct or how you assess risk when you're bringing on new third parties.
Ryan Lange: So speaking to the integration piece first for our third party for - specifically for our warehouse, we went to the cloud. We made sure that we could do all of our transactions cloud-based and then made sure that the internet was available by bringing in multiple connections into that warehouse to make sure that we always had connectivity to the internet because now the internet is a - and having that connectivity to our third parties is very important to making sure our warehouse - if our internet goes down, our warehouse stops. And that's something that we have to make sure that we maintain. As far as vetting the vendors, yeah, that's a huge piece because of all - everything's integrated. And it's not even vetting the vendors. It's, what are those vendors? What third parties do they have? And that's where the layers deep come in. And you have to figure out, OK, who are they playing with to make sure that they're also responsible? And that's where it gets a little fuzzy. So...
Luke Vander Linden: Right. No one ever calls it this, but I call it fourth-party, fifth-party, sixth-party risk.
Ryan Lange: Sure.
Courtney Radke: Let's coin the term now. It's the six degrees of separation because you're absolutely right. Everybody's doing business with somebody else. And if - again, if we look at not of yonder but of just over the last year, some of the largest attacks out there have been in the supply chain, meaning software, you know, the widely used software packages that everybody has out there. You know, that's been the target because they know that everybody's using them. And so, you know, you may not have something in your organization. You feel like you don't have a vulnerability. I think, you know, the hafnium exchange vulnerability of a year ago or so - you know, people may have not known or may not know that they had exchange on prem or they were doing business with somebody that had exchange on prem. And then so they're, you know, susceptible to attack because they're doing, you know, business with somebody else that has it.
Courtney Radke: So it's tricky. We've seen a lot of organizations doing third-party risk assessments prior to. But then how do you write that to letter of law and say, look; I'll do business with you if you meet these standards? But then how do you impress upon them that everybody that they're doing business with has to meet the same standards? It's tough. It's tough. And I don't know if you talked about drive-by in this way. You're talking about, like, Wi-Fi sniffers, Flipper, right? The RFID one - that's a pretty interesting one right now.
Ryan Lange: It's amazing. It's a really cool tool. I highly recommend picking up a Flipper. And it is eye-opening to see what you can see.
Courtney Radke: I have - I use it for good because I reprogram, like, RFID keys, like, for gyms or something else and just program to my phone so I can - only have to carry my phone. But it can be used completely the wrong way - right? - to copy cards, to do things that you shouldn't ever be able to do. But it just opens your eyes to, wow, I didn't know it was that easy, right? So there's new tools that are out there. That goes back to the commoditization of it. It's as a service, and all of these tools are out there. They could be used for good, but in the wrong hands, they could be used for bad.
Luke Vander Linden: It also speaks just a little bit here to the merger of the cyber world and the physical world - right? - that these tools, these technology tools are used to kind of create another vulnerability in the physical world.
Courtney Radke: Absolutely. And where is the conduit for the physical, right? It's the person. And so when we talk about things like drive-by downloads, we talk about things like phishing, spear-phishing, smishing, vishing, all of these -ishings (ph) and then the social engineering, all of the aspects of that, those are the predominantly successful methods. It always comes down to layer eight. It's normally the person that's - whether it's nefarious or not, you know, mistakes get made, misconfigurations. That is No. 1. I feel like, though, the people get a bad rap. The human firewall can be your first line of defense instead of the weakest link. So maybe, Ryan, talk to me a little bit about how you are trying to make sure that the human firewall is that first link with training and awareness and some other stuff within Batteries Plus.
Ryan Lange: Oh, yeah. And the human aspect - that is how they're going to get in almost indefinitely. So it is the No. 1 thing that you need to protect - is you need to protect people from themselves. At Batteries Plus, we do a lot of phishing campaigns, a lot of spear-phishing campaigns. Like, we'll create custom campaigns for certain departments to make sure that they're doing things the right way and making - we still have to do our compliance, do our annual training, which most people find a little bit dry. But it's a great reminder to exactly what's out there and to make them cognizant that it is - these things are happening. And you're one click away from doing harm to the organization, whether you meant to or not.
Ryan Lange: And nobody means to. It's just a matter of making sure that they know, if it looks suspicious, tell IT. That's the first thing we say - is just the basics. You know, tell IT. Never give out your password - just very basic principles. If it smells funny, looks funny, you know, tell us. We'll take a look at it. And that's one of the communications that we're trying to send out almost on a monthly basis without trying to get fatigue in the user seeing all of these notifications all the time from IT saying, you have to be careful. So it's a line you got to walk.
Courtney Radke: A lot of our campaign - we do the same, right? As a cybersecurity organization, we should. But they become pretty good, too. You know, some of them, ooh, I think twice. I look at it. Like, this looks - it is targeted towards me. And so they're getting pretty good about it. I think what we've - you know, we've done a good job about and other organizations - gamify it, right? Just make sure that it's engaging. Yes, sometimes it can be dull, and sometimes, you know, the employees ask themselves, shouldn't I be protected from this? Why am I getting so many fake phishing campaigns? But, again, all it takes is one click.
Ryan Lange: And that's one of the things we did have to combat - is we had, like, people on Slack all of a sudden saying, hey. This phishing campaign's coming out. And I'm like, no, you can't tell people it's coming. It's always coming.
Courtney Radke: Oh, come on. Help each other out, right?
Ryan Lange: Right.
Courtney Radke: So, Ryan, in your world, then, with all of these threats coming at you fast and furious, how - aside from obviously listen to the RH-ISAC and everything that they have to offer, how do you stay up with the latest cyber threats facing the business?
Ryan Lange: A lot of it is community reading. So a lot of it is understanding who's in your community and what they're seeing in - I like to see in the atmosphere because it's not quite down on the Earth yet, but it's in the atmosphere. It's around. What are people sniffing out? How are people being attacked? - because it could happen to you. It ends up being attending conferences. I found attending conferences and getting my network to be larger to understand all the different places that I can look to get information on what the landscape looks like for retail and specifically for retail because it has slightly different characteristics than straight manufacturing. I mean, I came from manufacturing - different threat landscape.
Courtney Radke: The vectors are kind of the same. You know, how they get in are kind of the same. But it is different. There's nuances that you have to understand to be able to protect your business effectively. So, I mean, I think the community, group, peer-to-peer relationships, those types of things - those are absolutely critically important. Unfortunately, sometimes the best information that you can get is, oh, it happened to somebody else. You know, you learn that information. But we learn. We do truly learn from that. And I think it's important to kind of share that information out there.
Ryan Lange: And it's really important to see all the public bulletins that are being published by the manufacturers of your equipment, whatever it is, because they'll tell you when there's a security vulnerability 'cause they have people looking at it. And it's really important not to ignore those. And that sounds like, oh, this one's not going to affect me. No, no, you have to do something about it, and you have to have a plan in place on what's going to happen when it happens. You just need to have that.
Luke Vander Linden: Well, I really liked what you had to say about sharing and collaboration, particularly with your peers in the sector because there are unique threats in the consumer-facing sector as well. Courtney Radke and Fortinet and Ryan Lange from Batteries Plus, thank you so much for joining us on the podcast today. I really appreciate your insights and look forward to staying in touch with you guys moving forward.
Courtney Radke: Absolutely - appreciate it.
Ryan Lange: Thank you for having me.
Luke Vander Linden: And coming up next, our March member spotlight - Chris De La Rosa from Dick's Sporting Goods.
Luke Vander Linden: Chris De La Rosa from Dick's Sporting Goods, senior threat intel analyst, thank you for joining us on the RH-ISAC podcast.
Chris De La Rosa: Yeah, thanks for having me - appreciate it.
Luke Vander Linden: So you've been a pretty active member for the time that you've been with Dick's Sporting Goods. Why don't you start off and tell us a little bit about yourself and a little bit about your background?
Chris De La Rosa: Sure. I'm a senior threat intelligence analyst at Dick's Sporting Goods. I've been on the team for going on two years. Prior to doing DSG, I worked six years in managed services, you know, kind of working with, you know, different clients when I was at, you know, EUI and VMware and A&M.
Luke Vander Linden: Right. So what - how did you get into cybersecurity? And how did you get into the role that you're in now, the part of it you're now?
Chris De La Rosa: It was a natural progression from working at the helpdesk. I had an interest in cybersecurity, and I was fortunate enough to be given an opportunity. My wife is actually in cybersecurity, which is why I was able to make the transition from a typical SOC analyst to threat intelligence. You know, the work that she did always interested me. And she kind of helped give me guidance on how to get into CTI, you know, what to study, read and listen to. And she was the one that kind of tipped me off to intel techniques from Michael Bazzell. Then once I kind of got that book a few years ago, it was kind of just off to the races after that.
Luke Vander Linden: Wow. So it's really a family business for you.
Chris De La Rosa: Yeah, no, it's definitely cool to have, like, your wife as a, you know, threat intelligence and cybersecurity professional, like, in the same room. I also have a brother who works for, you know, Dragos in the accounting department. But, yeah, it's definitely cool to have, like, family and the kind of - you know, your wife kind of understands, like, what you're going through, what some of the challenges are. And it's cool to, like, bounce ideas off of her.
Luke Vander Linden: When you're at family dinners or at family barbecues, do you have your own traffic light protocol that you have to follow just to make sure you don't talk about things?
Chris De La Rosa: Yeah, we actually do. Like, whenever, like, something happens, me and my wife are like, OK, well, I know it was, like, really crazy at work, but we kind of got to give, like, a high-level overview. And don't mention any clients. Don't - you know, be really vague about it. And most of the times, like, our family is just like, OK, yeah, y'all guys do something with computers. And we're like, yeah, pretty much. Like, that's what we do.
Luke Vander Linden: Sure, sure. Just - whatever you say, we do that. We do that. Yeah.
Chris De La Rosa: Yeah.
Luke Vander Linden: So what is your day-to-day like in your current job?
Chris De La Rosa: Yeah. My day-to-day - it isn't consistent. It depends on my research, the business needs, however I can help the team - you know, that includes threat writing, OSINT, working with digital fraud, marketing, social media operations and legal, even work with different members of the RH-ISAC.
Luke Vander Linden: Right. You're very collaborative, I have to say. So you got to go to the last - or the workshop that kicked off our season of regional workshops last month in Phoenix. And so tell us all about that. And how did that compare to the other events you've been to for the RH-ISAC?
Chris De La Rosa: It was great. You know, being able to go out and meet different RH-ISAC members is always good. You know, I enjoy seeing some friends from the RH-ISAC. You know, J.J. (ph) was there, so it's cool to, like, meet them in person. And, you know, since it was PetSmart, you know, Chris Trudel was there. And I got to talk to him, and he was one of the presenters. So it was cool to, like, listen to your friends who were presenters. And you get an opportunity to hear about a bunch of different things that I typically wouldn't work with, whether it's, like, vulnerability management or automation.
Luke Vander Linden: Oh, so it gives you a little more insight into the broader cybersecurity landscape and not just your own activities.
Chris De La Rosa: Yeah, exactly. Like, my main wheelhouse is just CTI. And so being able to hear things from, like, an engineering perspective on how automation can make things easier is really awesome.
Luke Vander Linden: So is that, would you say, one of your main takeaways from the workshop?
Chris De La Rosa: Yeah, I think one of the main takeaways that I got was everyone has the same pain points. You know, we're all customer-facing. So the challenges are very similar regardless of what company that we work for. You know, phishing attacks are the main vector that threat actors used to target us and customers, and you get thousands of emails a day. And you need to be able to manage the workload and find a way to automate what you can. And with automation, it helps make our lives easier. It helps with the staffing. If you don't have the headcount and you're understaffed, it helps you kind of get through the day. You're going to need a good tool set and people who can help code to make that happen. That was, you know, one of the main things that we - that they talked about at the workshop.
Luke Vander Linden: Yeah. You know, I don't know. I wasn't there, unfortunately. I'll go to one of the future ones we have. But I've heard - and I can't remember where I heard this - that automation is a great way to not only ease the burden on CTI analysts, but it helps with retention as well because you get to focus on more interesting things that require human touch and not just kind of the rote responding to every single incident you see. Would you agree with that?
Chris De La Rosa: Yeah, definitely. I think it makes the OSINT and the research a lot quicker. You know, a lot of people can do the manual process of OSINT. But if you have, like, a tool that kind of scrapes all those data sources, it helps you focus on more - on the more important things instead of, like, let me go out and identify, you know, this Telegram, this Discord or this crack forum, this post and this content that we need to be interested in.
Luke Vander Linden: Excellent. So looking beyond other activities other than the regional workshop you just attended, how else are you involved with the RH-ISAC?
Chris De La Rosa: I'm in a few of the RH-ISAC interest groups. My favorite one is a dark web working group. You know, we have biweekly syncs, work with - you know, work on different items that the members bring. We go over different ways that we can improve as analysts and bounce ideas off each other. Me and a few of the members of the dark web working group, we gave a talk at last year's RH-ISAC Cyber Intelligence Summit, so it was cool to be a part of that. And, you know, I do want to say, you know, I appreciate the opportunities that I've been given by the RH-ISAC and, more specifically, Muktar Kelati. He's awesome. I can't say, you know, more great things about that guy.
Luke Vander Linden: We'll have to get Muktar on the podcast. J.J. has been on a couple of times, but I don't think Muktar has been yet. So you went to the summit last year. I think that's when we met. Are we going to see you, then, at this one this year or any other RH-ISAC events coming up?
Chris De La Rosa: Yeah, definitely. I'll be going to the Cyber Intelligence Summit again. And with COVID, it kind of limited the amount of human interaction that I had the last few years, so it was great to go to the summit and meet people in person. And I'm also going to be, hopefully, giving another talk at the summit this year. So that'll be pretty good to do that again.
Luke Vander Linden: I'll put a good word in for you when you submit your proposal to speak. So, like, just going back, broadly, to your career path and how it wasn't exactly a straight line to get to where you are today, would you have any other advice for anybody else looking to either get into cybersecurity or who may be in and trying to figure out what their next steps are?
Chris De La Rosa: Yeah, definitely. I think, like, trying to find, like, what you really like. Like, I did, you know, SOC work for, like, a while. And I always had that interest in doing research. And like you mentioned, my way to cybersecurity was really unconventional. I got a degree in liberal arts. I was a history major in college. So, you know, I never would have imagined that, being a history major when I was going to school and then where I am right now - it was definitely something that I didn't imagine. I think, like, if you can figure out what you're really passionate about and what you like, it kind of helps drive you for that. Like, for me, my passion is threat intelligence, anything that I can learn or identify or new OSINT techniques. Like, I'm always trying to find new things that people can use and make things a little bit easier.
Chris De La Rosa: And people who are - even cybersecurity professionals who are new to the retail industry, I would recommend joining the RH-ISAC weekly call and Slack channel. There's a lot of good information-sharing that goes on with there, you know, and the Slack channel is always good because there's - people are constantly posting reports that come out or things that they find or articles and even joining, like, a working group. There's one for everyone. There's IR, dark web, digital fraud. I just really enjoy the dark web working group, personally, just 'cause, you know, I'm a part of it, and being able to collaborate's really, really awesome. And another thing - even if they aren't necessarily in retail - like, listening to this podcast is super awesome. Like, one of my favorite episodes is the Ira Winkler one. Like, I love his book, you know, "You CAN Stop Stupid." So it was, like, cool to, like, listen to that. And he was at the summit, so it was cool to, like, hear him present and then also hear him on the podcast.
Luke Vander Linden: Yeah, that was a great interview. I was very lucky to have been assigned that one to interview Ira, and I got the title of his book wrong. "You CAN Stop Stupid" is what he wanted to stress and emphasize. So that was great. Well, Chris, thank you very much. I'm glad that we had a chance to chat, and I look forward to hearing your voice on the weekly intel call and seeing you out there on the sharing channels.
Chris De La Rosa: Yeah, appreciate it. Thanks for having me on.
Luke Vander Linden: Chris mentioned that interview with Ira Winkler recorded during the RH-ISAC summit last year. I was very lucky to be the interviewer in that segment, and it truly was a fascinating conversation. That entire episode can be found at thecyberwire.com or wherever you listen to high-quality podcasts like ours. Just look for Episode 16 from October 12, 2022. Here's a little taste.
Luke Vander Linden: Now, in your presentation, Ira, that you just gave - you're fresh off the stage at the summit as a keynote - you talked a lot about how awareness is only, really, a smaller part of the problem when it comes to the human element of cybersecurity. Tell us a little bit about that.
Ira Winkler: Well, basically, when people think of phishing messages, they think a user clicked on a phishing message. The knee-jerk reaction is, oh, we're not going to blame the user; we just don't think they're aware enough, which is blaming the user when you think about it. But, really, the situation is how did the email, the phishing message, get into the user's inbox in the first place? And then even if a user does click on a phishing message, in theory, why is that the end of the - you know, why is that the endgame? You, theoretically, should have - and I shouldn't say theoretically. You should have a variety of protections in place. Everybody, for example, has anti-malware. Everybody - well, most organizations have web content filters and data leak prevention, as an example. All of these things go ahead and basically supplement awareness in stopping the problem. Awareness is a tactic. You need a strategy to deal with the human problem because, no matter what, there is no such thing as a human firewall. There is no such thing as a perfect user. And even if a user is perfect in theory, in knowing what to do, they're going to make mistakes, inevitably.
Luke Vander Linden: I do recommend listening to the whole interview when you get the chance, but I do apologize for the sound quality. We were on location at the Hilton Granite Park in Plano, Texas, and it was recorded before we had the amazing team at the CyberWire doing our production for us. Speaking of whom, thank you to our senior producer Jennifer Eiben and the sound team of Elliott Peltzman and Tre Hester and to our own producers at the RH-ISAC, Annie Chambliss and Marisa Troscianecki. Once again, if you have anything you want to say to us - good, bad or ugly - shoot us an email at firstname.lastname@example.org. We'll have a new episode in two weeks. In the meantime, stay safe out there.