The Retail & Hospitality ISAC Podcast 4.12.23
Ep 25 | 4.12.23

Threat Actor Profile Catalog, Upcoming Europe Events, & Cybersecurity First Principles


[ Music ]

Luke Vander Linden: Hello everyone, this is Luke Vander Linden, vice president of membership and marketing at the Retail & Hospitality ISAC, and this is the RH-ISAC podcast.

[ Music ]

You have found the only podcast on the world wide web covering cyber security issues specifically for the retail and hospitality industries. Thanks for joining us. We have an even fuller show than usual this time with not one, not two, but three great segments. RH-ISAC president, Suzie Squier, joins us again for her namesake segment, Suzie Plus One, where she brings along a special guest for us to chat with. This time she's joined by Rafa Villoria Ferrer, head of Global Cyber Security Operations for Nestlé. Nestlé is a member of the RH-ISAC and they're hosting our upcoming regional workshop later this month at their cyber security operations HQ in Barcelona. Suzie is going to talk to Rafa about his background and how he got to where he is now in his career, but they're also going to discuss major issues and concerns in the world of cyber security today, like artificial intelligence, cyber fusion centers; these are all topics that, by the way, will be covered in even greater detail at the workshop in Barcelona on the 20th and 21st of April. So listen to the segment and then book your flight, you won't want to miss it. I'm also going to sit down with the CyberWire's own chief security officer, Rick Howard. Rick has done what many of us aspire to do someday, write a book and get it published. Rick has had a 30-plus year career in both the government and commercial sectors and has been able to curate his thoughts on cyber security starting with his own weekly podcast right here on the CyberWire Network; it's called "CSO Perspectives." And now he has a new book called "Cybersecurity First Principles: A Reboot of Strategy and Tactics." It's being published later this month, just in time for RSA. But first, I'm joined by two of my colleagues from the RH-ISAC; our own Vice President of Intel Operations, Bryon Hundley, and Principal Threat Researcher, JJ Josing. We're going to chat about a very exciting and dare I say, groundbreaking project that was just announced. 
Our intel team has started creating threat actor profiles. They're going to explain why and how these profiles are even more effective in helping good guys and how they're being created, how to find and use them, how to contribute to enriching them, and what the future holds. That's coming up first, but as always, we'd love your thoughts on these segments or anything you hear on the RH-ISAC podcast. Just let us know at, that's

[ Music ]

I am now excited to be joined in our studio by two of my colleagues; we have Bryon Hundley, who's our VP of intel operations and JJ Josing, a principal threat researcher for the RH-ISAC, both my colleagues from the Intel Department and both not strangers to the podcast. I think you two have been on before. We're going to talk about an exciting new project that you guys have been working on to identify and better define threat actors, instead of just relying on the old IOCs and TTPs. I'd love for you guys to tell me more about that. Bryon, why don't you give us a-- give us a start.

Bryon Hundley: Yeah, well good morning, or good afternoon, wherever you're at listening to this podcast. Yeah, so you know, we at the RH-ISAC, it's very important for us to understand the threat actors that are targeting the various industries that we work with. You know, we work with several industries, everything from hospitality to gaming, of course retail is a big one, and then there's that whole space of consumer facing products and goods, right? So we decided that from our standpoint it was important for us to have a solid understanding of the threat actors targeting the industry and since we leverage MISP heavily, we created threat actor profiles in MISP that would help us to enrich the data around the threat actors, TTPs, tactic, techniques, and procedures, that were targeting the different industries that we work with so that it would help us to get a better understanding and of course our members to get a better understanding of the threat actors that are-- I hate to sound like I'm repeating myself but, you know, targeting our industry. And yeah, that's basically it in a nutshell.

Luke Vander Linden: So tell me like what exactly is a threat actor profile and how is it different from the way we've been tracking threat actors in the past?

Bryon Hundley: So you know, JJ, I'll let you answer that one I think, because you've been working so, you know, intently on this-- this project.

JJ Josing: Yeah, for sure. So a threat actor profile is just a description of a malicious individual or group that's either known or suspected of attempting to exploit a system or network, and can include information such as the threat actor's goals, their motives, tactics, techniques, procedures, it also includes information on their capabilities and the types of systems that they have targeted and the profile can be used to help members understand the risk and develop countermeasures and response strategies.

Bryon Hundley: Yeah, and you know, it's interesting because as we see threats expand and the threat actors change, right? You know, since 2019, you know, we've seen the threat actor landscape shift significantly, especially after the Ukraine-Russian War started, and so it's very important for us to be able to map, you know, the different TTPs that are associated with what they're doing. I mean when you look at ransomware itself, right, I mean it's still-- still a lot of the same tactics, techniques, and procedures, but some of the threat actors have differently changed. So it's important for us to have-- have these mappings so that our membership can understand what a-- an attack may look like as it targets, you know, their organization.

Luke Vander Linden: So walk me through a little bit about how you built out these profiles, or at least the ones we have already, what your plans are for doing additional ones, and how it all-- how it all works functionally. Maybe JJ that's-- that's better for you.

JJ Josing: Well we start with identification, we're trying to identify the threat actors, their capabilities, and the industries that they've targeted, and focus those down to those that are relevant to our membership. Then we research, gathering data from within the RH-ISAC community and the open source on the threat actor and their tactics, techniques, procedures. Then we try to analyze the data to determine their goals and motivations and then we kind of pull all of that together and start creating a threat actor profile using all of that data and then our team does the review of the profile to ensure accuracy and completeness, and then implementation of the profile by putting it up into MISP in the MISP galaxy to help members understand the risks and develop countermeasures and response strategies.

Luke Vander Linden: That's right, and that's the second time you guys have mentioned MISP. Tell me more about where it's-- how that-- how members can find it, because this is a members only thing, right? How they can find it, how they're named, all the nuts and bolts for how members can access this.

JJ Josing: So we have our own community MISP instance for the RH-ISAC and the threat actor profiles, each profile is a galaxy cluster. Now a MISP galaxy is just a simple method to express a large object, called the cluster, that can then be attached in MISP events or attributes. And a cluster can be composed of one or more elements and the elements are expressed as key-value pairs. And the galaxy clusters are used to provide the common language for describing groups of threat actors, their tactics, and the types of systems that they're targeting, and by having it within MISP, we're then able to tag all of the intel that gets shared and attributed to certain threat actor groups. So whether that's member shared something, hey, we saw threat actor, you know, intel threat actor xyz, or open source reporting that we saw that would be relevant to our membership because they mentioned going after, you know, this threat actor is going after ecommerce sites.

Luke Vander Linden: So this-- it sounds like most of the kind of set up and work so far is done by RH-ISAC staff. To what degree are our members involved and how do you see them being involved in developing these profiles moving forward?

Bryon Hundley: Yeah, I mean that's kind of the goal, right? Is for this to be community driven and community led, we're kind of going out there and gathering all that initial data that we can find, stuff that's relevant to the membership, but we're really hoping the members get involved by reviewing the profiles as we release them and reaching out to provide any additional feedback or comments. They can reach out to either myself or Lee Clark. Also worth mentioning is that members can choose to contribute any additional information either with attribution or anonymously, without attribution to themselves or their organization. And lastly, any contributions to the threat actor profiles are going to be weighted highly for the sharing challenge scoring.

Luke Vander Linden: Oh excellent, our sharing and collaboration challenges we love. And you mentioned Lee, he's-- he's been on the podcast before as well. Not a stranger to our listeners. So kind of looking, stepping back to the-- kind of the way-- how this will impact our members' day to day work lives or their business. What's the business use case for this? And I guess either of you can answer.

Bryon Hundley: Yeah, I can jump in first. So, I think one of the big areas for threat actor profiles is helping with threat hunting, you know, a lot of our members are-- either have or are trying to start a threat hunting program. And having this capability offered by the RH-ISAC, you know, it helps in like the data collection process or the big part of threat hunting is developing the hypothesis, you know, around what do they need to go look for? What types of threat activity is associated with different threat actors? And having these threat actor profiles helps with that hunting process tremendously by providing that targeted information to help them go and develop those hypotheses and then go and start those targeted threat hunts within their organization.

JJ Josing: And I'll just add onto that; you know, kind of our ideas, the goals for these threat actor profiles is to provide our members with a better understanding of the risk and to help them develop countermeasures and response strategies to these threat actors, right, they're called, you know, APTs, or advanced persistent threat actors, with persistent being, you know, one of the key words. They're going to keep coming, they're going to stop, they're never going to stop and by creating these detailed profiles, members can gain insight into the types of threats they're facing, the tactics, techniques, procedures that these actors are using and the industries that they have been known to target, and this is going to help our members better protect their networks, their systems, and help them respond more effectively to any malicious activity they may encounter. I know you brought it up, I think earlier, mentioned about you know, shifting from you know, like IOC based you know, sharing, to you know, these threat actor profiles and while IOCs are great, you know, helps with when you're in an investigation and you're trying to kind of get a view of the bigger picture, you know, blocking based you know, solely on the indicators of compromise, it's like whack-a-mole, it's trivial for these threat actors to change these IOCs, but if you can start the shift towards blocking or detecting their TTPs, we're going to have a much more successful time mitigating some of these attacks.

Luke Vander Linden: I mean it really does sound like a great maturation in the kind of intel that our members are able to collect and have access to better defend themselves. Do you have any sense out there, I mean this is probably a hard question to answer, but do you have any sense out there of how many different threat actors there are that are large enough or active enough to create profiles around?

JJ Josing: I mean we have about a dozen or so kind of in our pocket that we're working on and we're releasing these profiles on a cadence here, so we're not-- they're not all being released at once, but attribution to threat groups, it's kind of tricky, right? Like I know some of the, you know, the Mandiants of the world, you know, they'll spend years researching a particular cluster of new threat activity before they, you know, definitively mature it into, or merge it into a known, existing group, and so we're kind of focusing on those already known, existing groups. However, there are these cases where, you know, activity will bubble up and you know, it looks similar to another group and you know, we're always looking for the feedback from the membership so, you know, if there's a new group that, you know, they're interested in or focused on, or looking to follow, I mean, reach out, you know, do an RFI, we can you know, add that actor to our list and we can definitely try to do some of our own research and collaborate together with whoever in the membership, and try to create another profile.

Luke Vander Linden: Well it sounds great and I know that since they've-- this has been-- project's been released, there's been some great feedback from members so, it's only going to get better from here. What else-- what else do we need to know? Is there anything else? I don't know what I don't know, what else do our listeners and our members need to know?

JJ Josing: I guess the biggest thing would just be to, you know, if you haven't already checked out MISP, log into it and look around, go to the MISP galaxies, look for the RH-ISAC threat actors, and from within there you'll be able to see the different profiles attached and reach out, you know, if you see something in there that you disagree with or you feel very adamantly one way or the other, you know, reach out and you know, we can collaborate, we can add that in, make any edits or adjustments if there's additional TTPs you've observed from this group that we aren't already tracking, that's very valuable to know because you know, the threat actors are constantly changing how they're doing what they're doing, you know, you plug one hole and they'll find two more to come in. So, any additional information on these groups that we can get is going to be more valuable, not just for us but for the community as a whole.

Luke Vander Linden: Excellent, truly is a collaboration. Bryon, any final words on this terrific project?

Bryon Hundley: Yeah, I'll just say, get involved, I mean you know, we've got tons of different mechanisms, right, to get involved. Whether it's you know, discussions on Slack about threat actors, or our dark web working group, I think that's an excellent way to get involved and to help us to, you know, enrich these threat actor profiles and please, you know, share. Like share information, like get in there, help us to enrich these profiles and like JJ said, if you see something that's wrong, please point it out, or if you see something that is of a concern, you need more information on, please you know, talk to us or you know, if there's another member that we know who can help you with your question or issue, then we'll help to identify that person and then point them in your direction. So yeah, get involved.

Luke Vander Linden: Excellent. Well Bryon Hundley, JJ Josing, thank you very much for coming on and please, come back when there's any updates to this project or anything else that's going on in the Intel Department, love to have you on as much as you can come on.

[ Music ]

And now Suzie Squier, welcome back to the RH-ISAC podcast and thank you for bringing a plus one. Who did you bring with you?

Suzie Squier: Today with me, Rafa Villoria Ferrer. Am I pronouncing your name correctly? Last name--

Rafael Villoria Ferrer: Yes, you do. That's okay.

Suzie Squier: Thank you. Rafa's the head of global cyber security operations for Nestlé and he is also the host of our first ever upcoming workshop in Europe. So, we're really very grateful to Nestlé for letting us use their space and to bring in cyber security teams from across Europe for this meeting. And we thought it would be great to learn a little bit about Rafa and how he got-- and why he really is as excited about this workshop as we are. So, Rafa, can you tell us a little bit about yourself?

Rafael Villoria Ferrer: Sure, thanks Suzie. So, as you highlighted, I'm Rafa Villoria Ferrer, I'm responsible for the global cyber security operation center of Nestlé. I'm currently based in Barcelona, Spain. It happened that I actually ended up at Nestlé now 15 years ago, I was actually in a big four before in Spain, more on the kind of IT auditing and then you know, for kind of personal reasons, I moved to Switzerland, one of those typical objectives, I was going there for a couple of years but then I ended up being a few more, so I joined Nestlé, the headquarters in Switzerland, starting on the kind of IT audit, I was concluding around that area and then from there I had the opportunity to travel around the world in the various units of Nestlé, which allowed me to kind of learn a lot of IT part and obviously a lot of security. And as we were moving along, along the years, and I took also over there, kind of responsible for the IT audit for the group, and security was becoming more and more important, I think, in general within IT. Which obviously translated that it was more and more important kind of chapter within our audit assessments and our audit work. And then to a certain extent I think either I was highlighting too many gaps or also how they kind of thought it best to kind of have that person to kind of fix things, rather than finding the challenges, so they proposed me to kind of join to their security function, and actually was with the objective of then later on relocating to Spain to set up our security operations center for Nestlé. So we moved from, I'm trying to kind of move from a fully MSSP to a more homegrown capability for the company. And that was around 2016, then since then I've been heading the security operations center at Nestlé in the last seven years until now. 
So really interesting journey and seeing how, you know, the whole landscape of IT security and SOC operations have actually evolved and I think often very, very, kind of important for majority of the companies.

Suzie Squier: Yeah, that's great. So you built it from the ground up? Still there running, operating, all good?

Rafael Villoria Ferrer: Yeah, yeah, I contributed with obviously many other people that joined along the way and we keep growing and one of the very important things actually, and maybe we'll come back on that later for sure is then on changing with many other peers. Knowing which to understand and to discuss how things can be done and what the best ways or that has worked well for someone, what maybe has not worked that well, and so that we avoid too many all of us making same mistakes.

Suzie Squier: Yeah, I mean that's the whole, you know, one of the goals of the ISAC, obviously threat information sharing, but also just helping each other on the journey and like you said, you can help someone avoid at least one pitfall, that helps, they may have their own, but you can often avoid something. Well and that is exactly what we want to try and get out of this first workshop, you know, pulling everyone together, members and non-members alike within Europe, because although the virtual is you know, very helpful, there's nothing like getting in-person and sitting across the table with your peers and having conversations. So, I think if I remember, you and I were communicating via email for some reason and I asked if you would be willing to host this workshop and you jumped in and said you would. So, explain you know, kind of to what you were talking about before, about you know, the value of networking, is that kind of the reason behind your willing to throw your hat in the ring and help us with this effort?

Rafael Villoria Ferrer: Yeah, yeah, indeed it is. And also, to a certain extent I would say that we are, I would say I was always very jealous not to see the active community in U.S., North America, and then while we are a global company, because physically we are in our case, located in Barcelona, our operations are located there, we have had the opportunity to you know, be face-to-face with other colleagues with RH-ISAC, so we always communicate through the other channels, which is good but a certain extent is always better to have some connection where you do face-to-face with then after will then translate in a more rich sharing, and also when you obviously came with a proposal, I was very happy to be able to host that event and be able to you know, get to know the other colleagues that are part of RH-ISAC at least on the European side, or from anywhere, but I mean, anywhere from Europe so that we can then have these face-to-face connection, network, and then from there I'm sure there will be more opportunities to collaborate which are actually much easier than if you would have done it only through any of these digital means now. So that was really the main idea is to really have the opportunity to mingle with other colleagues.

Suzie Squier: Yeah, and you're right, it's like a jumping off point. So once you make those connections, then the follow-up conversations and meetings are that much easier. And I know you're working with some colleagues that you're getting to know, Marnie Wilking of, Carl Cahill, Ahold Delhaize, and Grant Thompson of citizenM Hotels, which is located in the Netherlands, so even going through that process of working with them, has it been a fun, interesting experience so far in putting the program together?

Rafael Villoria Ferrer: Yes, yes really, that's really a very good experience. Also because you start seeing also what are the kind of top of mind topics for your colleagues, you know, for your peers as well. Which is then known by the effort of discussing or trying to build an appealing agenda. As you see from one side how much are many common areas, that are actually the central challenges or interesting topics that everybody, that in general people want to discuss and see how different companies are approaching those. And all these may come for a specific from a specific industries but at the same time which are a bit of an eye opener sometimes, like oh, interesting, that was not in my radar but that, but indeed actually something I want to learn more. And also, it brings it to the mention of kind of getting reassured that some areas are very common across, and others that give you a bit of going of your, you know, your view, and start getting, oh, let me see how other people, what are the other things they see that maybe I was not, I wasn't considering that's also things very enriching. So otherwise when you're in a company, you tend to focus on your topics and you may miss things that you have not in mind, no.

Suzie Squier: So true, and that's why I think that this second day, so the way that this workshop is being set up is a little different than what we've-- we've done in-- but we have done this before, we'll be starting in half day on the Thursday so people have the easy opportunity to fly in that morning or get in. And then a day afternoon, a nice networking dinner and then starting in the morning where we will separate our groups, so we'll have the strategic leaders and the head of our threat analysts and operations have separate conversations, and I think in the CSO open forum, that's always been the, one of the most popular areas, exactly what you're saying, being able to just bring top of mind issues that you're dealing with. Are you looking forward to that as well as the other, more formal presentations that we'll be having?

Rafael Villoria Ferrer: Definitely, I mean this is again one of the most rich ones. Obviously, as I said, because when it's a little bit of an open agenda is where everybody will highlight things that they have in mind-- that are top of mind, and those items that are kind of key on their agenda. So, an understanding of you know, how many of those are much in your priorities, how many are kind of things you maybe have not thought about it. I think that is what is very enriching. Definitely these. And then of course, all the other sessions, I mean that's [inaudible]

Suzie Squier: Yeah, and speaking of the session, your team members, someone from your team is going to be presenting on AI and machine learning and its use, and that's a very hot topic. A lot of conversation about ChatGPT we had a couple of weeks ago within the CSO community. Without giving away too much, because we want people to learn more at the event, but how has that, the use of AI ML really helped in your program?

Rafael Villoria Ferrer: I think a lot, so things we started already our operations, we always had in mind that we had to have in-house capabilities to drive threat detection also through machine learning and AI. And so we have been growing this since we started and we want to share a little bit our journey and also share that the challenges we see and how other people are approaching these, because there are obviously either many solutions you can also obviously consume or there-- you can also have your own in-house capabilities that you can use and that come with your benefits but also with their challenges as well. But definitely it's something that we are increasingly using to have not only certain [inaudible] capabilities with the traditional tools or more rule-based type of approach we cannot do, but also something as basic as exploiting the data that we have and then bringing a lot of insights from a huge amount of data we collect, which then help us to identify, I mean to bring more information to our decision making, more insights into our decision making, understand better what's happening in our overall infrastructure, so want to touch base a little on this and then open up the discussion with the peers to see how they see the usage of those capabilities and of course, I'm sure the topics of ChatGPT will come up because it always everybody's trending topic, and it's really in the early, it's really making democratizing a little bit a lot these type of capabilities and it seems that it's going to quickly explode in a huge number of use cases, some of those on the defensive side, but others maybe not always on the defensive side, maybe for attackers also know they are always looking at how are they going to leverage that technology, which is an angle also I think we will have to discuss not only how we use machine learning for threat detection and cyber defense, but how to actually understand what are the cyber threat actors doing also with that technology.

Suzie Squier: Yeah, totally, that's exactly some of the conversation we had, and I know we'll have that more at this workshop because it's a-- it's amazing just within what, a few short months, how ChatGPT is, like you said, dominated a lot of conversations. So looking forward to that. Another session that we're having is about cyber fusion centers that another, Ahold Delhaize will be presenting on. Is that something that is top of mind for you and you know, is that appealing to you? Are you looking forward to that conversation that we're going to have around that topic as well?

Rafael Villoria Ferrer: Yeah, very much looking forward to see what they present. I mean from our perspective, and this always has been always an interesting topic because for as we call our unit a security operations center. But there are many names out-- nowadays out there. I mean and so [inaudible] that some companies will consider only a specific area within their scope, you have cyber defense centers, fusion centers, et cetera, et cetera. For us within our SOC operations we actually have multiple units, including intel respond, [inaudible] management, threat intelligence, et cetera. So maybe we are closer to what is maybe considered a fusion center, so I'm keen to see you know, how they approach this aspect of fusion center, what it's considered to be part of a fusion center and actually most interesting at the end of the day is really how you bring all these things together for the benefit of increasing the cyber resilience for the business. You can name it the way you want and whatever, but at the end of the day I guess, the idea is how is best to organize the teams and the units so that they bring the most value to the company in the sense of cyber resilience, which I think is also an interesting topic. Which links also beyond cyber to business resilience nowadays, considering that a big part of the businesses is all done through the IT systems and digital means.

Suzie Squier: Yeah, that is another great topic to bring up on the business resilience and cyber's role in that as we're seeing through a lot of the supply chain situations and attacks along those lines. I'm also interested in making and having someone from ENISA come and to give us a landscape throughout Europe and the threats that they're seeing and I know that your team does have some contact with that organization. Am I right?

Rafael Villoria Ferrer: Yes indeed, so actually part of our threat intel team, we had one person in the team that was, has been collaborating with ENISA on the latest some research programs they had and it has some very, really, really, interesting for him as a development and actually that's actually a good topic also to discuss as well and to share in terms of talent development and retention, et cetera, so on one hand was obviously a sense of providing opportunities for our people to find and develop and get to experience outside of the kind of private company, so that from one side, and then the other side of course, as benefiting of that experience of that learning in a completely different environment and bring these back to us and to the rest of the team. So, very enriching, and something that really encouraged other companies and other [inaudible] to look at these opportunities, either in this case with ENISA, with any other organization similar in nature. Because it really brings the person in the different context, getting a little bit out of potentially of the comfort zone and the most common day to day operations, but also it's very enriching not only personally but for the-- for the farther group, for the group itself, not for the company in terms of the insight that it's going to bring and then share with their colleagues. But very, very happy for that experience and I think it's continuing with less intensity, but it's continuing and obviously has opened up for that person and for us to extend in terms of networking as well. And so that also has this angle of networking which you never know when it can also be needed, especially as we are very interconnected and you mention it around supply chain attacks for example, so some of those things, these kind of national and European organizations are very helpful also to put-- to connect the dots and then share support some kind of the private companies in some of these [inaudible] issues.

Suzie Squier: Yeah, and that's a really good point that really does, it's-- it does help with the retention and their growth, is it something that you're thinking of, not to get too off the topic of the workshop, but just curious, is it something you're thinking of rotating positions around? You know, maybe have someone in that role, in that connection for a while and then move it to somebody else for the experience? Or is it better to keep it with someone to build that relationship and to you know, strengthen that relationship?

Rafael Villoria Ferrer: So most likely on the first one you mentioned, the first one you highlighted in terms of trying to rotate, I mean without forcing it, but seeing it naturally at some point after a while you also want to continue in other areas and you know, give the opportunity for someone else to participate and get to experience and develop in this. And also I think it's good to, as we are very keen on this and their rotation is always a good approach with this, and within other areas as well, similarly in terms of participating to conferences, et cetera. It's completely different, but the same concept, not to have some one person who is going to some place we're trying to rotate so they experience that everyone can also experience and develop, always aligned with each one personal development plans. So, but given that the opportunity, it's key, and being flexible I think nowadays is very relevant to ensure that we have everything we can do to retain the talent and to retain, but also develop the talent. At the end of the day that's the most important part and everybody can decide to move wherever it is, but as long as we provide good development, there's always the high likelihood that they will stay longer, but also that wherever they go, they're also going to contribute and the other thing that's a collective [inaudible].

Suzie Squier: Agree, agreed. Well, we're looking forward to having that, they're going to do the Europe, European threat landscape and they'll follow it up with our own Lee Clark, who will do kind of the retail, hospitality, travel, CPG, you know, landscape that we're seeing through our member sharing and things along those lines. Well as we're wrapping up here, maybe is there anything else you know, about the workshop that you're excited about or that you want to make sure that folks are aware of?

Rafael Villoria Ferrer: So I mean we kind of mentioned it already you know, but I think it's a great opportunity to connect with other peers, to connect with companies that obviously are going to have similar challenges, have good exchange and have networking and I think for us, we are always very happy with the support and with the level of exchange and value we get from RH-ISAC, so also it's a call for everyone to maybe join, see that value, and potentially be part of RH-ISAC as well, and making growing that community because at the end of the day the more we are and the more we exchange, the more value we all can get, you know, so for us I think this has been very valuable, we got to know the way-- we got to know about the RH-ISAC by another company now different companies where they were highlighting us that they were getting very good value from a [inaudible] perspective, so we said okay, we never thought about it because at first sight it's kind of retail, hospitality, maybe we are not really fully in the industry but we'll give it a go and we were very happy, we are very happy, so we are actually encouraging anyone else to consider the event to join, we're going to really welcome you with open arms in Barcelona, hopefully with good weather, and I think we have a good packed agenda of sessions, but as well of some time to network and talk with participants. So and obviously with some fun as well. So I think it really encouraging everyone visiting to consider the event and joining as much as possible.

Luke Vander Linden: Thank you very much, Rafa Villoria Ferrer, for joining Suzie and me and all of our listeners. It's going to be a great event in Barcelona. Suzie, I can't wait to see who you're going to bring as your next plus one.

[ Music ]

Luke Vander Linden: Alright, I am joined now by Rick Howard, the chief security officer, chief analyst, and senior fellow at the CyberWire N2K Networks. Thanks very much for joining me, Rick.

Rick Howard: That is a mouthful, but thanks Luke, for welcoming me to your show.

Luke Vander Linden: It sure is, and I want to hear all about what all that means and what you do in a second, but I just have to say, ever since we, our podcast joined the CyberWire Network of podcasts, your team, the whole team has been very, very welcoming and very, very helpful with this, so thank you to you on behalf of them and when you see them at the water cooler in the CyberWire studios, please let them know how appreciative we are for their assistance. But, but tell me, Rick, tell me what all those titles mean, what do you do at the CyberWire and N2K.

Rick Howard: Well, my previous jobs you know, I was a, I worked for a couple of security vendors and I would come on-- this was years ago, I would come on the CyberWire show and you know, as one of the subject matter experts, so I knew everybody over there. And then when I transitioned my last job, as a lark I sent a note to Peter Kilpe, who is the CEO and said, you know what you should do is let me do my own podcast and you know, he called me the next day; what you should do is come work for us. So that's what I'm doing. I'm, I have two hats; I am their chief security officer for a startup, which is a lot different from what I'm used to, which is very interesting, and I also host two or three podcasts on the CyberWire Network, so I get to do both of those things. And it's been a blast for the last three years. I can't believe they pay me money for this.

Luke Vander Linden: Right, so you thought you would just have the easy job of podcast host, being able to talk for a living and they put you to work being an actual practitioner setting up their own security.

Rick Howard: Can you believe that? I can't believe they made me do that.

Luke Vander Linden: Terrible, terrible. Well, I hope you're keeping it all safe because a lot of our data is now going over, going over to CyberWire.

Rick Howard: Yeah, of course.

Luke Vander Linden: So what are your podcasts? What are you-- what do you host? Do you have a certain theme or what do you talk about?

Rick Howard: Yeah, in fact when I came over, we were just starting our Pro side, you know, I like to call it the Netflix side, the subscription side to our podcasts. And when you buy a subscription at CyberWire, all the ads are taken out of all the shows and we have like 15 or so shows, including yours, right? But if you get a Pro side, you get all the ads taken out, plus you get my podcast that only lives over there, it's called "CSO Perspectives" alright, and it's about how senior security executives think about cyber security and the problems that face them on a day to day basis.

Luke Vander Linden: Excellent. So speaking of all those probably you have like, as you said, I think 30 years of experience in the cyber security world and the security world. You've done something that I think a lot of us think that we can do and plan to do someday, you wrote a book.

Rick Howard: I did.

Luke Vander Linden: It's not the great American novel, but what does it cover?

Rick Howard: Well, what's interesting is the way I do my shows, I don't know how you do your shows, Luke, but for me to get my thoughts together, I always write an essay about whatever the topic is and then I write the script and figure out how to record it and who, what guests I need and things, right. But because I've done that for the last three years, last summer or so, I looked around and I said, I have enough material here for a book. Because we've been covering cyber security first principles in my podcast, trying to get back to the basics. So I had all this material, I said well, that should be easy, right, I should be able to just write a book with all that stuff. I have to tell you that even with all of that material underneath my table, it was still a lot of work to get done.

Luke Vander Linden: Well you shouldn't let everybody see what happens behind the curtain. I'm trying to pretend I'm just speaking off the cuff here, no preparation at all. Just--

Rick Howard: Oh no, I'm just that good.

Luke Vander Linden: Yeah, just that good. So, first principles, is this, like you said, back to the basics. You know, it's not the sexy thing that everybody thinks about, but the fundamentals?

Rick Howard: Well I've been thinking about this for about 10 years. I had this nagging feeling in the back of my head that we all kind of glommed on to a couple of assumptions early when cyber security was just getting started. This is you know, back in the '90s. And two ideas emerged through a bunch of really smart people writing papers and thinking about how to do cyber security. The two big ideas that emerged was the first one was, we're going to know how to secure computers, you know, we're going to be able to configure them so that nobody can break into them and we can see how well that has turned out. Okay, that hasn't really worked at all, in fact, one of the big-- one of the big researches, the Schroeder paper, they pretty much said in their paper, well, we provide that you can do it but how would you prove that you actually did it correctly is the problem. Right? And so we've kind of thrown that idea out. The second big idea that emerged and everybody still uses it today, is something called the CIA triad and if you talk to most practitioners, they've heard of it, they're trying to do pieces of it, and my thought is that really hasn't helped us that much. It feels, if you read the news headlines today, okay, that we're getting more attacks today than we did back in the '90s, right? So, maybe the CIA triad isn't elemental enough. So I went back and was thinking about what-- how can we rethink this? And I went back to some of the early days, you know, we're talking about Aristotle, we're talking about Descartes, Euclid, even up through the modern days of how Elon Musk runs his companies. You know, when he decides that he wants to figure out how to go to Mars, he didn't take what NASA and Boeing did and took the next step, he threw it all out and says, what is the essence of going to Mars? And that's how-- that's why he's a gazillionaire and you and I are doing podcasts, right? Because he knows how to do that, right? 
So I went back and started thinking about, well what is the absolute cyber security first principle? And the idea here is you have to get it down to its essence, meaning that when you figure out what this is, there's nothing before it and everything that we do in our profession is derived from this first statement, right? And so that's kind of the thought process here.

Luke Vander Linden: Yeah, you know, so much, particularly in our world, not just the cyber security world but the tech world, is even though it's a young industry, it's larded up with all this stuff of what we did in the past. You know, whether we're talking software, whether we're talking code, or just processes, so this is, you're saying, just rip it all up and start over and come up with the original principles again.

Rick Howard: Exactly. And that's what the-- and that's what the book is called, it's called "Cybersecurity First Principles: A Reboot of Strategy and Tactics," that we're going to release at the RSA conference coming up in a couple of weeks.

Luke Vander Linden: That's excellent, perfect timing because you're going to get a lot of folks there. A lot of our members go to that. We're having a little meet and greet on the Wednesday evening. Everybody's invited, if you're in retail and hospitality. But, but so can you give us a little teaser of some of the things that are in the book? Or do you want to keep it all secret?

Rick Howard: No, no, absolutely, I mean you can listen to all the pod-- the reason we wrote the book is that you can get all the information from the podcast and the essays we published, but it's scattered across three years and multiple webpages and if you want to get, you know, a big gulp of it in one take, the book is probably the best answer. So, let me just tell you this, here's what I think the absolute cyber security first principle is and it's like a Twitter line and it kind of blows people away that it's so short, but here it is; everybody in our profession should be doing this thing, I believe, is reduce the probability of material impact to our organization over the next few years. Right? And there's three things in that statement that may not be obvious when you just hear me say it out loud. The first one is reduce the probability, alright, we're not saying we're going to stop all attacks, we're not going to say we're going to prevent all exploits, we're not doing all that. What we're saying is that it is possible to reduce the probability by doing some very specific strategy and tactics. The second big part of it is materiality, right? Especially now I'm working for a startup, okay, I have no resources to spend on extra things. So if it doesn't, if whatever we're doing doesn't impact the materiality of the business, meaning that if some bad thing happens, it's going to destroy the business, I need to prevent that from happening. That's what I should be focusing on. Everything else is just nice to have. And then the third element is it's time bound, because you and I know, Luke, we've been doing this a long time, if you just say is it possible that we're going to get hacked sometime in the future? Yes, of course you will, right? 
But if you time bound it by something that makes sense for your organization, let's say three years or two years or five years, whatever your financial cycle is, you can-- you can estimate that probability and decide to make some resource decisions for that information.

Luke Vander Linden: Right, so even though it is kind of a back to the basics simplification, it really does address and kind of speak to the sophistication of both the threat actors and our ability to defend these days and it kind of puts everything in perspective in a much better way.

Rick Howard: One of the key things that comes out of that, of the book, is an understanding of the difference between strategy and tactics. Right, and the most-- I've talked to a lot of CSOs in doing this job, in fact my career you get to talk to a lot of them. Luke, you get to talk to them. Right? You ask any one of them and most of them don't understand the difference between the two, alright? So let me just be clear, a strategy is the what we're trying to do. The tactics are how we're going to do it.

Luke Vander Linden: The how, right, exactly.

Rick Howard: It doesn't matter how hard the strategy is, okay, when you say oh, I want to cure cancer, okay, that's the strategy and I know it's hard, now we're going to do some tactical things in order to figure out how to cure cancer, right? So.

Luke Vander Linden: Right no, with the difference of strategy and tactics kind of, and the confusion about it crosses over many, many different industries, so it's an important thing to reflect on here.

Rick Howard: And if you talk to some peers, some of them have a strategy with no idea how they're going to go about doing it, right? They'll talk about CIA for example, right, and they don't have any really practical ways to go about implementing it. Others do a series of tactics like oh, vulnerability management and anti-malware and security awareness training. These are all tactics, things that we could do, with no idea what they're actually trying to accomplish, right? And so what my whole point here in the book is to say, we're going to accomplish these things as strategies, and we're going to hear the tactics we might use to go about it.

Luke Vander Linden: Right, so this book is appropriate for CSOs, practitioners, analysts, anybody really in the cyber security world.

Rick Howard: Yeah, it can go all, yeah, up and down the chain and I think anybody can get a look, or benefit from thinking about these ideas.

Luke Vander Linden: So, not published yet. You know, in the podcast world, as hosts, we like, we always have to think of the people who are listening to this in the future. So as we're recording, it's not published yet. Going to be published at the end of April 2023, kind of in line with RSA.

Rick Howard: Yeah, we timed it so that we would do all that and I am signing books at the RSA Conference if you're going to be out there, on Thursday, or Wednesday I'm sorry, Wednesday afternoon. I'm also giving a talk on a different topic but-- so late Wednesday afternoon I'll be at the bookstore signing books if you want to come along and find it.

Luke Vander Linden: Perfect, and that sounds like it's right before our meet and greet, which is Wednesday evening. So we've already helped people set up their agenda. Excellent, thank you. You're a busy guy, Rick, thank you very much for taking some time out to join us and I appreciate talking to you.

Rick Howard: Thanks for doing this, Luke.

Luke Vander Linden: And that'll do it for another episode of the RH-ISAC podcast. I want to thank Rick and all of my guests; Bryon Hundley and JJ Josing, from the RH-ISAC threat intel team, and Suzie Squier and her plus one, Rafa Villoria Ferrer. And as always, for making it sound good, thank you to our senior producer, Jennifer Eiben, and the sound team of Elliott Peltzman and Tré Hester, to our own producers at the RH-ISAC, Annie Chambliss and Marisa Troscianecki. This episode and all of our past episodes can be found at or wherever you listen to high quality podcasts like ours. Once again, if you have anything you want to say to us, good, bad, or ugly, shoot us an email at We'll have a new episode in a couple weeks. In the meantime, stay safe out there.

[ Music ]