The Retail & Hospitality ISAC Podcast 11.8.23
Ep 39 | 11.8.23

Threat Landscape During the Holidays & Michael Francess Member Spotlight

Transcript

Luke Vander Linden: Hello, world. This is Luke Vander Linden, Vice President of Membership at the Retail & Hospitality Information Sharing and Analysis Center. And you're listening to the RH-ISAC podcast. I don't know what it's like where you are but where I sit at the very edge of the New York City Metropolitan Area, there is definitely a chill in the air, there are more leaves on the ground than on the trees, and Christmas music is already playing in the stores. Retailers are about to hit our busiest season. So, hopefully, the RH-ISAC podcast can give you a little support or maybe a much-needed break during these always-crazy times. As usual, we have a pretty packed agenda on today's episode. I will be joined by two stars from Target's cybersecurity team, Ryan Miller and Leah Schwartzman. Over the past few years, Target has developed a fraud intelligence capability applying very similar workflows, tools, and methodologies as their cyber threat intelligence team. We'll talk to them about that effort. I will also be joined by Tony Lauro of Akamai Technologies, one of our associate members. We'll talk about a threat that may be familiar to most of our listeners but that is evolving and growing, Magecart-style attacks. And finally, we have a member spotlight, Michael Francess, senior manager of cybersecurity advanced threat at Wyndham Hotels and Resorts. If you have something cybersecurity-related that you just have to tell us, send us an email at podcast@rhisac.org. Or if you're a member, hit me up on Slack or Member Exchange. And if your company is not yet a member of the RH-ISAC, what are you waiting for? Go to rhisac.org/join to learn more and to start the process. [ Music ] All right. We are now joined by two members of Target's amazing cybersecurity team, Ryan Miller and Leah Schwartzman. Thank you very much for joining us on the RH-ISAC podcast.

Ryan Miller: Thanks for having us.

Leah Schwartzman: Thank you.

Luke Vander Linden: So, Ryan, welcome back to the podcast. So, why don't you both tell us what you do at Target, your titles and roles, and things like that?

Ryan Miller: Sure, yeah. Ryan Miller, I'm a senior director of cyber threat intelligence and reverse engineering at Target. We also run fraud intelligence under that capability and really our mission is to understand the full threat landscape, pull that information and intelligence into the organization, prioritize that, and look for opportunities for collection and detection to, you know, harden our environment and protect the organization.

Leah Schwartzman: Leah Schwartzman. I'm a lead analyst on our cyber threat intelligence team, focusing on fraud intelligence and such. Really building on our capability around like ORC, fraud that's in the retail landscape and looking at it from an external perspective and trying to process that intel and bring it back to our business to work on ways that our engineers and investigators can mitigate fraud internally within our environment.

Luke Vander Linden: That's amazing. And it is really, really cool how you're developing this way intelligence practice based around cyber fraud that's fused with CTI, which is cool. So, could you talk to us a little bit about the evolving fraud landscape that retailers are facing these days?

Leah Schwartzman: Yeah. So, I'm sure a lot of people have heard on the news or see or are seeing, you know, stores getting hit with these organized attacks across the country at this point. And so, you know, that's not a victimless crime in that sense, you know, us we want to protect our guests. And that goes beyond just the in-store fraud that we're seeing. Threat actors are evolving. These rings are organized. And so, there's a cyber approach to investigating and mitigating this type of fraud. And so, threat actors, they are, you know, organizing across mainstream social media. You know, a lot of people might come across on TikTok or Instagram or Facebook these groups that look suspicious that are advertising, recruiting, or selling different fraud methods. And that's really escalating these threat actors in communicating with one another. Similar to how we are communicating via social media with our friends and family, threat actors are doing the same. And that's taking what used to be a very central organized group where they may have to go to their local pawn shop to sell their merchandise to this global economy that they can buy and sell merchandise online and with sites like eBay, Facebook Marketplace, Craigslist, the ability to monetize stolen goods in a very quick way very anonymously has led to this increase in crime opportunities for these threat actors.

Luke Vander Linden: It really is amazing and much more intricate than I think most people know. So, you're on the CTI team, but you're dedicated to fraud intelligence and you're not the only analyst I assume that's dedicated to that practice.

Leah Schwartzman: Yeah, we're integrated into our traditional cyber threat intelligence team. And there's three of us who are focused on cyber fraud. And we work really closely across the org within our cyber teams so that would be our fraud investigators and detection engineering team as well as we work in hand with our asset protection team who are boots on the ground surveillance of our stores across the country.

Luke Vander Linden: So, how did those roles come about? How did that whole practice come about within the CTI team?

Ryan Miller: Yes. So, it goes back a couple of years now, right, like we just took a holistic approach to fraud within our organization and, you know, the decision was made to bring fraud under our security umbrella. And so, with that was the evolution of threat intelligence and specialization to focus on fraud intelligence. You know, and really it became, you know, a need for us to understand that threat landscape, right, we need to understand what the threat actors are doing so we can defend against what those threat actors are doing. And the same concepts of how we track phishing and malware and, you know, APT groups, we need to apply that to fraud. So, if you don't have the dedication to the area, it becomes this second-hand approach which a lot of, you know, intel teams I think are initially are set up like that. So, as the landscape evolved, as fraud became more prominent, as we decided to get a stronger look into that from a security perspective, we had to dedicate fraud analysts -- intel analysts to really look at that intel and pull it into the organization.

Luke Vander Linden: You know, it seems like if I have a cybersecurity department and I wanted to spin up this kind of same service, it would be a daunting task, you wouldn't know where to begin. But you're using a lot of the same language that I think CTI and all of us already use. So, how is it different? How can cybersecurity teams use what they already know to help start such a practice?

Leah Schwartzman: Yeah, we really aren't reinventing the wheel here. We are using that standardized collection methodology, that traditional CTI teams are focusing on and just mapping that to fraud. And that's going to look very different depending on your organization, what experiences that you have for your guests. Nowadays with all these omnichannel experiences, guest pickup, drive-up, a same-day delivery although that's great for our guests, it's also exposing us to opportunity for threat actors to abuse those systems. And so, leveraging what you know about your own internal environment, we know our environment better than anyone else. So, leveraging those business partners outside of security to really understand how their systems flow, you know, what point, you know, are guests seeing this? How are guests impacted by different decisions that we make? And then taking that externally to say, okay, are we seeing any discussion of threat actors talking about these bypasses, these abilities to commit fraud against us in these variety of different ways? And that really is standard intelligence collection that can be applied to fraud. And once you gain that initial collection, it'll start flowing in. You know, there's an analyst pool of chatter out there of methods being sold, guides, threat actors talking about it, so once you establish that initial collection from a fraud perspective, you're going to start to get that actionable intelligence to share with your business teams.

Ryan Miller: And I'll just chime in that, you know, within the threat landscape, we're seeing the lines being blurred, right? Like cybercrime is crossing over into fraud and vice versa, right? Like handoff is not -- you know, it's not separate anymore. And so, by having a dedicated fraud analyst as well as a traditional threat intelligence analyst share the same platforms, the same tools, the same services and we're ingesting all of that data, the correlation of that data from what we might say is only fraud is not turning out to be only fraud, right? You have broader visibility. And so, you might see some of the tools that are used for DDoS, a botnet or something, right, that might also be leveraged to launch ATO attacks, right? And so, if you have these indicators from that, you can see that if they were completely separate, you know, you're going to miss some of that visibility. The same concept is like when fraud sits in some other corner of the organization than security does, you're not going to have that collaboration that you need to combat the threat.

Luke Vander Linden: Yeah, and the threat actor doesn't care if they're online, in-person, or wherever. And so, we need to talk to each other as well. You know, like again, you mentioned all the different ways now that retailers serve their customers. And even smaller organizations, smaller retailers also have to do those things but they may not have the resources as Target might. Do you have any advice for a smaller company that wants to get involved in this?

Leah Schwartzman: Yeah. Start with that first area of focus. And, you know, a lot of the help of the RH-ISAC, you know, people share information, people are sharing trends that could be out there in regards to how threat actors are operating. So, take that information back to your organization and build out what we call a kill chain. So, that's once again applying your traditional cybercrime to fraud and map out, okay, if I was a threat actor hitting my organization or a specific process within my guest flow, how would they be able to bypass the controls that we might have in place? And really visualizing in that kill chain flow is going to help you as one analyst to say, okay, who are the business partners within the organization that I need to basically make friends with to say, hey, your system is allowing threat actors to abuse X, Y, and Z. Maybe we need to have a discussion around changing that process or flow without impacting the guest. And so, all it takes is one analyst to begin to dive into that data. And once you have that key fraud focus area, it's really going out and getting that collection. So, scraping those Telegram, Discord, the social media channels where these threat actors are living in that ecosystem that they're communicating within. Leveraging that, pulling that in, and then applying that to your own organization. And it's a little time-consuming on the front end, but once you have that pre-established collection and visibility, it'll start to flow and it'll become very clear where you need to prioritize your efforts within your own organization as well.

Ryan Miller: And I think the concept doesn't require, you know, a 15- or 18-person team, right, like we're tackling one threat at a time. And so, if you approach it in that way where you have an analyst that is going to look at, we're seeing ATO, let me dive into ATO, right? If you just spend a little bit of time developing collection and identifying that activity externally in the threat landscape, if you bring that in, you can start to then realize that unrealized fraud is happening in your organization. So, things you didn't have visibility into that are being successful because they're talking about it, selling it, access, whatever, externally, you bring that in and now that's a threat to pull down, right? So, it's something you never had visibility into before, now you can create controls around. And again, it really just takes one analyst looking out there, trying to find this stuff.

Luke Vander Linden: Right. Looking at it in a different way. So, all this being said, we are about to enter the busiest season of the year for retailers. How is Target preparing for the holiday season?

Ryan Miller: Yeah, this is -- I love this question. We get asked this every year. But, you know, we don't do a lot different, right? Lie we take the approach like let's just see as much as we can all year round, right? Because the way that the fraud landscape had shifted -- really the cybercrime landscape has shifted is they don't stop, right? So, yes, they ramp up a little bit but really for us, it's just really scrutinizing data a little bit more, right? So, things that might have been a lower threshold in March and April are now going to be, hey, let's scrutinize this a little bit. What activity is really going on here, right? So, you know, take ATO, for example, we'll probably going to start to see an increase in that actors are preparing for the holiday season but that doesn't happen in December when, you know, you would think it would happen. That happens in September and October, they're trying to compromise those accounts ahead of time. So, when they start to see people add credit cards or add gift cards that they get for the holiday, they already have access and can leverage that.

Luke Vander Linden: They need to prepare too, yeah.

Ryan Miller: So, for us, it's just -- you know, it's kind of status quo but like being more vigilant, being more aggressive in the approach we take at our collection efforts and the analysis that we do on the alerting that we get and just looking for these anomalies or -- you know, in the fraud case, right, like what are the threat actors interested in. And that can change on a weekly basis but during the holidays, right, it's going to be gift cards, it's going to be washing gift cards or leveraging gift cards to purchase things. What are the hot items right, that sell really great around the holiday? And how are they trying to hide in the mix of the heavy volume of traffic, right, that comes to our organization during the holiday season and to try to kind of fly below the radar? So, those are really the things that we're focusing on to get ahead of the holiday.

Leah Schwartzman: Part of intel collection on that is knowing what items are being launched across the industry. So, whether they'd be like the hot commodity items for their resell value. So, getting ahead of what those trends could look like to pre-establish that visibility internally can help mitigate it before it becomes a fire drill during the busiest season.

Luke Vander Linden: Excellent. Leah, Ryan, thank you very much both of you from Target's terrific CTI team. Amazing. Thank you very much for joining us on the RH-ISAC podcast.

Ryan Miller: Thanks for having us.

Leah Schwartzman: Thank you. [ Music ]

Luke Vander Linden: All right. I'm now joined by Anthony Lauro, Director of Security, Technology, and Strategy for Akamai Technologies. Tony, welcome to the RH-ISAC podcast.

Anthony Lauro: Thank you for having me, Luke.

Luke Vander Linden: Now, Akamai is one of the RH-ISAC's associate members so we thank you for sharing your expertise with us, particularly with this year's holiday threat trends report. But let's start learning more about Akamai. Tell me a little bit about what Akamai is, does, its history, etc.

Anthony Lauro: Yes. So, Akamai is one of the world's largest cloud security platforms. We started off in the late '90s as a CDN but quickly realized that as we're developing technology to stop the world's largest threats as well as deliver the world's largest, you know, streaming services and things like that, that the CDN network comes in very handy to be very close to where the attackers are located. So, just like -- you kind of think of the opposite of delivering a speedy download for a game maybe. when an attacker attacks a site that's on Akamai, they hit our Akamai edge servers first. And that actually gives us the ability to allow our customers to run their security policy in a very concise manner but across this global platform to keep the threats far away from their environment.

Luke Vander Linden: Wow. So, I have an interesting viewpoint into your customers' operations and for the retail world, I think -- by the way, this just came up earlier today, talk about Magecart attacks increasing again. And I think probably you have kind of a nice viewpoint on that.

Anthony Lauro: Yeah. You know, it's been interesting because, you know, Magecart as of, you know, the time of this recording is not necessarily new. It's been going on for quite some time. Initially, it's targeting the financial services industry. And I think what's really kind of interesting is to see a little bit of this evolution of how the attackers are kind of taking the Magecart-style attack and repurposing it for and kind of remodeling it themselves for their own needs.

Luke Vander Linden: Right. So, just backing up, what is a Magecart-style attack? For those who may not be super familiar with it.

Anthony Lauro: Great point. Magecart-style attack is essentially compromising a script that you as a company would knowingly load into your webpage at the time of page load. So, if you look at the waterfall chart of, you know, the things that are loading as part of your website, traditionally, you might look at that and say, oh, here's a JavaScript, you know, which is like a tag manager from Google, for instance. You know, and you see where that loads as part of the page load. The things that take longer to load, you would probably re-order those to the bottom of that waterfall chart so that the -- you know, you can get as much of the page to load up as quickly as possible. Well, during this kind of similar analysis of saying, hey, where are these, you know, third- and fourth-party scripts coming from? How are we utilizing those? We started to find out that, you know, attackers are compromising these third- and fourth-party scripts sometimes that, you know, they don't have -- you know, these smaller companies don't have the same level of security potentially or they're compromising something in your webpage that actually tricks that JavaScript into running malicious code in the browser of the user that's visiting your website. So, if I'm a bank and one of these scripts is compromised, it's now interacting with my web browser directly and has the potential to skim data or to, you know, collect and record or potentially redirect me wherever the attacker wants me to go.

Luke Vander Linden: So, it sounds like it's really capitalizing on things that are put on websites legitimately and kind of hiding around there. Is that the evolution that you're seeing?

Anthony Lauro: Yeah, well, I mean, so initially, this was, you know, against the Magento framework and this is kind of where the vulnerability kind of first, you know, reared its head if you will. But a little bit of the evolution is kind of tracking how attackers know that now more and more organizations realize that in-browser attacks, our clients' side browser attacks are a problem, and the evolution that we're tracking is them actually learning new ways to evade and obfuscate their code so that, you know, as a defender it's harder for you to identify if this is happening on your site or not. So, that's a little bit of that evolution. And it's, you know, I always say it's so impressive to see what the attackers do. You know, but when I'm talking to a client, they're like it's not cool or impressive when it's happening to us, right?

Luke Vander Linden: Yeah, so you have to pick your adjectives more carefully.

Anthony Lauro: Yes. Yes. You know, something I'm still learning over the years. But it's definitely -- it does show a massive amount of time spent thinking about new ways to continue the same attack patterns potentially but to hide amongst the noise and evade detection.

Luke Vander Linden: So, you mentioned Google tags as a potential vector here. Tell me a little bit more about how they disguise their attacks that way, using that tool.

Anthony Lauro: Yeah. So, you know, and this kind of goes into kind of a bigger category of, hey, are you expecting to see something here? Right. So, Google Tag Manager is something a lot of organizations use. If you were to look at a code snippet that identified itself as Google Tag Manager as part of your page load, you probably would not pay much attention. But the attackers found a way to disguise their malicious code hiding it behind the Google Tag Manager code. You know, so this -- you know, obviously, this is an invasive technique making it a little bit more challenging to detect. And I mean -- and these are even -- it goes from as simple as basic C4 in coding, you know, obfuscating any kind of URLs or callouts or keywords that they're using, you know, again, the whole goal here is to make sure you can find, you know, what you might be looking for as a defender.

Luke Vander Linden: Right. So, in this case, it's nothing that Google's doing wrong, it's just hiding behind something that's nearly ubiquitous on all professional websites.

Anthony Lauro: Correct. And this is like getting an email that says your taxes are due right around this time of the year, or a letter, you know, a marked envelope in the mail, you would kind of expect to be seeing that. So, that's kind of what they're taking advantage of in this case.

Luke Vander Linden: So, what are some other examples of how it's evolving maybe to use things that are legitimate and that would be expected or otherwise understood?

Anthony Lauro: Yeah. So, in February, we published that article about Magecart attacks disguised as Google Tag Manager. In June, we published another article talking about how the attackers are using legitimate websites to -- you know, basically hijacking legitimate websites in order to further obfuscate their attacks. So, some of the victims are identified in, you know, North America, Latin America, Europe. And these are, you know, hundreds of thousands of visitors per month potentially, you know, coming to these pages. And the attackers were able to, you know, get away with PAI, sell credit card info, etc., on the web. In fact, there was a large attack carried out against a Canadian beverage dealer, if you will, we'll just call them that that had similar techniques being used. But this is, you know, interesting because the attackers are making kind of a makeshift command-and-control server out of legitimate web servers, right? So, these hosted, you know, victims, they kind of act as distribution centers for this malicious code. You know, I guess some of the other things that are notable to mention, the attacks were targeting websites using Magento, WooCommerce, WordPress, Shopify -- I mean, just Shopify by itself, you just say that and people are like, yeah, there is business happening on Shopify that the attackers were specifically targeting using this method.

Luke Vander Linden: Wow. And all the other tools you mentioned are widely used as well. That's amazing. And so, you published this research on your website on your blog I assume.

Anthony Lauro: Correct. Yeah. We have a threat research blog. And in general, you know, I think kind of the interesting thing is we're tracking these, not just to better inform how we build defenses but we want people to know, we want people to understand what the threats are, the risks are, so that's part of what our threat research team does, is publish these articles, share code snippets, even, you know, request for comment, right, like are you guys seeing something, do you want to talk about it? You know, give us a ring. That's what we're here for, you know.

Luke Vander Linden: Yeah, that kind of sharing is why we exist as well to, you know, all band together for these things. So, we know that we had a great segment a couple of months ago on the podcast about PCI DSS version 4.0. That standard requires defenses in place to protect against Magecart-style web skimming attacks. Could you maybe walk us through anything in there that pertains specifically to scripts?

Anthony Lauro: Sure, sure. So, there's a couple of new requirements in PCI DSS 4.0. One of them is 6.4.3 and it simply says public-facing web applications are to be protected against attacks, confirming that each script is authorized, assuring the integrity in each script that runs, and keeping an inventory of all scripts to be maintained, you know, so that you can have that as justification why each script should be necessary in the first place, right? So, that's the first requirement. The other one is 11.6.1. And this takes a little bit different of a direction but it says unauthorized changes on payment pages are detected and responded to. So, you have to be able to detect unauthorized changes on payment pages and have a means to address them. Now, this is an interesting kind of takeaway here because most security for transactional pages like check out and, you know, kind of the later stages of your shopping process or transactional process, most of the time, you would focus on, hey, a web application firewall can defend against this type of abuse, right, because it's looking at the request between the attacker, the bad guy or gal, and the web server. But in this particular case, these scripts are executing as part of a known page load on a legitimate website and they're only interacting with the client-side browser. So, this really talks a lot about why we need visibility into those client-side interactions, what does that look like, how do we, you know, maintain a level of security, and apply the same level of, you know, risk reduction that we have with WAF, looking at the front end and things that are happening to the transactional changes that could be happening within the client side browser. So, this is a little bit different of a viewpoint on that.

Luke Vander Linden: Right. The attack surface is everywhere, not just on things that we can control as much.

Anthony Lauro: Correct. Absolutely.

Luke Vander Linden: Well, I really appreciate you coming on to tell us about this, Tony Lauro, Director of Security, Technology & Strategy from Akamai Technologies. Thanks very much for joining us in the podcast. And thanks very much to Akamai for their support.

Anthony Lauro: My pleasure. Thanks for having me, Luke. I appreciate it. [ Music ]

Luke Vander Linden: All right. Now, we're joined by Michael Francess, Senior Manager of cybersecurity advanced threat and response for Wyndham Hotels and Resorts. Thanks for coming on the podcast, Michael. And thanks for being our member spotlight.

Michael Francess: Absolutely. Thanks for having me.

Luke Vander Linden: So, give us a little information about yourself. What does a senior manager of cybersecurity advanced threat and response at Wyndham do?

Michael Francess: Sure. So, yeah, I've been with Wyndham for about six years now. I oversee all functions related to threat intelligence, incident response, and computer forensics. So, think of it as your escalation point for the SOC, advisor for the CISO, advisor for my VP who oversees everything, traditional cybersecurity outside of IAM in architecture. So, yeah, so it's a good group, good group. And we have a lot of fun here.

Luke Vander Linden: So, you've been there for six years. Did you always work in cybersecurity, either at Wyndham or in your previous roles?

Michael Francess: Yeah. But, you know, as someone in their mid-30s, I've spent 15 years of my career in cybersecurity, which is a lot for someone as young as I have. I got into the industry really early, off the bench at Geek Squad, working at Best Buy out here on Long Island. It's something I knew I always wanted to do. I've always enjoyed cleaning up systems, doing IT work. Got really into the removal of malware, an identification of malware. And had an opportunity really early on, I was studying for cybersecurity at a local state university and got pulled into CA technologies out here on Long Island, it was a major tech employer. And at the time, they owned CA Antivirus and PestPatrol and, you know wanted to work my way up towards getting on like the virus research team there. Did a lot of IT work there and my career kind of took off from that.

Luke Vander Linden: So, you've been in cybersecurity almost as long there's been cybersecurity. So, what was compelling about it to get you -- I mean, you clearly have always had kind of a tech aptitude coming from the Geek Squad. But what made -- what was so compelling about cybersecurity that you wanted to make the leap?

Michael Francess: It was -- it's something that, as I said, it was something I enjoyed doing, first and foremost, just being able to research different things. But really what really gravitated me towards the industry and towards the career, not only looking forward and doing -- wanting to do malware reverse engineering and research. But what really got me hooked into the industry was when the APT one report dropped from NBN detailing Chinese MSN cyber operations and kind of completely opening up the door to the threat intelligence side of the house. That was the main fork in my career, that was the main pivot point, and really delved hard into that, you know, at that point in time.

Luke Vander Linden: So, you must love access to the CTI that comes from 250 different retailers that are members of the RH-ISAC.

Michael Francess: Yeah, yeah, it's great. Sometimes it's a firehose but there's a lot of really, really great information there, especially, you know, getting so tactical down to what my peers are seeing. You know, even though from a business sense, you know, the Marriotts, the Hiltons, the IHGs of the world that are competitors to Wyndham, on this side of the fence, you know, when it comes to cyber defense and resilience, they're just like an extension of my team. And that's all possible through HR-ISAC.

Luke Vander Linden: Right. We do like to say that our members may compete with each other on price, product, marketing, but not on the security of the data and their customers' data. So, having access to so much threat intelligence from both retail, the broader -- our broader membership, but then specifically hospitality, what would you say are some of the unique challenges that you see at Wyndham or just to the extent that you can, or in the hospitality industry?

Michael Francess: I think for hospitality in general, we see a wide gamut of actors, mainly on the cybercrime side, right, we see a lot of commodity cybercrime activity. So, having to have all your bases covered there from, you know, making sure, you know, initial attack vectors such as email and external criminal vulnerabilities are locked down and tight, which can be very tough for a hospitality company, especially if they do -- they manage IT side at hotels. That can be a lot of systems, a lot of assets, a lot of different shapes and sizes, a lot of different locales, a lot of different cultures you've got to deal with. So, just like typical retail that can be very difficult and very expensive. Also, maturity. You know, hospitality, definitely in the mid to late-2010s, definitely got rinsed by a couple of different actors. So, specifically FIN7. And I think that caused a lot of us to mature, which has been great to be able to integrate well into something like RH-ISAC. I mean, when we first joined the ISAC -- prior to that before we even joined the ISAC, we were with another threat-sharing group with a couple of industry partners. And, you know, the maturity wasn't there along the line. And I think just seeing that really come to fruition these last couple of years has been really exciting to see, just the maturity across the hospitality space when it comes to cyber.

Luke Vander Linden: Right. So, speaking of maturity, you guys work with thousands of different franchisees because you have so many properties and work with so many. And some of these franchisees are huge companies that really frankly the public hasn't heard of, but they may own hundreds of properties. But some of them are mom-and-pops that own one or two properties. So, how much do you get involved with the franchisees and supporting them and kind of bringing them into the fold of Wyndham's environment?

Michael Francess: Yes. A franchisee model in some ways works to our benefit. I mean, we are far and wide a little bit more hands-off that manage IT property there. But we do a lot of overseeing, right? So, we'll reach out to the franchisees internally if we have to, if we spot something during routine monitoring. But, yeah, it does make things a little difficult because we don't have hands-on, eyes-on most of those franchisees. So, it can present a little bit of a challenge but when there is something that we do find that we do have to get engaged, typically those franchisees are very happy to get the assistance and get the guidance from us.

Luke Vander Linden: That's good. That's good that there are -- they welcome oversight from the brand. Tell me a little bit about -- I assume, I hope that you're not all work and no play. What do you do in your free time? What kind of hobbies do you have?

Michael Francess: Yeah. I got definitely one main hobby that takes up a lot of my time. Outside of PC gaming, I've always built PCs, I've been doing that for -- since I like the sixth grade. But outside of that and gaming, I actually manage the community database for a sports zone game called Eastside Hockey Manager. So, I'm the community lead for that. If you've ever played Football Manager, right, those kind of intense sports zones, it's that but for hockey. So, I manage a database that covers the entire world, all the way down to bantam level, you know, 13-year-old's hockey, all the way up to every single pro league across the world. So, I know pretty much every league, every team, almost every player when it comes to hockey -- ice hockey around the world. Yeah, it's a really fun hobby. I've made a lot of friends all across the globe with that. It's been a really, really fun thing. I've been doing that for about four or five years now. So, that takes up the majority of my time. I'm always editing that database. I edit the game more than I play the game at this point. But it's been a lot of fun.

Luke Vander Linden: And a real Islander fan I assume.

Michael Francess: Yep. Yep, you've got that right. A classic Jets Islanders Mets so I'm a glutton for punishment.

Luke Vander Linden: Excellent, yes, low self-esteem.

Michael Francess: Yeah, yeah. So, but it's been exciting. I mean, you know, the Islanders have had a couple of really, really good runs here with the new ordership and the new building in Elmont, it's fantastic. I do have access to season tickets so I do go a fair amount. So, yeah. Hockey is pretty much -- hockey and music are pretty much my life outside of cyber for sure.

Luke Vander Linden: Possibly one of the more successful New York teams in recent years as well.

Michael Francess: Yeah. Believe it or not, yeah.

Luke Vander Linden: Of all sports. So, if I had to ask you to get out your crystal ball and tell me what you think is coming up in the future for cybersecurity. And I'm kind of putting you on the spot here, but what do you think is happening in the future?

Michael Francess: I mean, I hate to dive into like the AI doomscape card but I do definitely believe that AI is going to cause some issues. We're already starting to see that with a large language model type AI but as we start to see other different types of AI and different uses for it, I think that there's going to be more negative than positive coming out of that space, unfortunately. And especially if the US doesn't get its act together around, you know, policies and regulations on some of these companies, and continuing to allow, you know the foxes to guard the hen house, if you will. You know. So it'll be interesting to see what comes out of Europe there. But that's definitely something that's on my radar, I mean, these large language models being used to, again, kind of elevate and enhance these commodity actors which is really the main entry point, you know, what continues to really scare me coming out of Black Hat, I still think that companies, especially very, very large organizations hearing from friends at work incidents, we're still not getting the basics right. And it's really, really scary to see. You know, I've been doing this for close to 15 years now, and the fact that we're still not patching asset management is still a problem. Cloud is still widely misunderstood. We're seeing a lot of very, very large organizations who are, you know, shifting to cloud or building out infrastructure in cloud, but not realizing that the security is really on that organization, right? They're still assuming that, well, security is Google's problem, security is Amazon's problem, security is Microsoft's problem. To an extent it is. But I think that there is still a large misunderstanding there. It's definitely causing a lot of headache and a lot of problems, unfortunately. So, I think that, you know, to go back to your original question, not just AI but I think the complexity of the cloud and the misunderstanding there, the lack of talent is still going to be a pain point going forward. Yeah, that's kind of my prediction. But hopefully, as these companies go through their incidents, they come out on the better half funding and resources, and, you know, they become more resilient, just like I talked about how hospitality has kind of come out on the other side of that hill in I think overall a much better space.

Luke Vander Linden: Those kinds of challenges will continue to keep your plate full. What do you think -- what do you see your career progressing, not necessarily that you're looking for a new job but like where do you see yourself going in 10, 20 years?

Michael Francess: Yeah. Yeah. No risk of that to anyone in Wyndham listening, you guys keep me fat and happy. Yeah, I think what's going to be exciting is just continue to see where the areas that I oversee kind of go. You know, fingers crossed, I'm hoping to add our red team as soon as next year and get to more headcount like everyone is kind of hoping to get more headcount. But, yeah, I mean, I think that's where we're -- once we get to more people on the team with some different mindset and different capabilities, we'll be able to open up more avenues for different services for Wyndham. Looking to mature from, you know, ad hoc threat hunting or routine threat hunting but more into continuous detection engineering. That's something. That plus adding red team capabilities are definitely the two things that I'm looking forward to adding in the coming years.

Luke Vander Linden: And as a seasoned cybersecurity veteran, any advice for our listeners, both members and non-members out there?

Michael Francess: As I said, get the basics right. Try to shift that risk as left as possible. Don't ignore your vendors. Please, please, please stop disrespecting your vendors. They do provide good service when you ask for it. Unfortunately, you may have to pay for it as well. I think that that's a huge thing that's overseen is, you know, the first thing in budget negotiations when it comes to a vendor is what are you cutting out, training and professional services. And I think that that is a huge mistake. You know, where Wyndham has been really successful is we partner with our vendors, we view them as extensions of our internal security team. If they're successful, Wyndham is successful, right? So, we take their advice, their health checks, you know their -- here's how you guys should be configured very, very seriously, especially on the email side, especially on the external vulnerabilities side. And that's what allows us to be more resilient in the system. Yeah. So, that's what I would recommend.

Luke Vander Linden: That's great advice. I appreciate that. I mean, because vendors, memberships, other -- people from other organizations, great assets, as you said before, an extension of your own department and your own efforts. Very well. Excellent. Michael Francess, Senior Manager of Cybersecurity Advanced Threat and Response from Wyndham Hotels & Resorts. Thank you very much for allowing us to spotlight you. And thanks for your support of the RH-ISAC.

Michael Francess: Absolutely. Thanks very much. [ Music ]

Luke Vander Linden: Thank you to my guests, Ryan Miller and Leah Schwartzman of Target, Tony Lauro of Akamai Technologies, and Michael Francess of Wyndham. One announcement. It seems like we just got home from the cyber intelligence summit in Dallas, Texas, and we did, it was just last month. But in case you haven't heard, we're switching it up next year. Our next summit will be in April and in Denver, Colorado. The website is already live and you can go ahead and register. Just go to summit.rhisac.org. As always, thank you to the production team who do their best to make this sound good. For the RH-ISAC that's Annie Chambliss and Marisa Troscianecki. And from N2K Networks, formerly known as the CyberWire, Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thanks to you for tuning in. Stay safe out there.