Podcasts
The Retail & Hospitality ISAC Podcast
Ep 42
The Retail & Hospitality ISAC Podcast 1.10.24
Ep 42 | 1.10.24

RH-ISAC’s 10th Anniversary Year, Trustwave on Emerging Threats, and an Interview with the CISO of Colgate-Palmolive

Show Notes
Transcript

Luke Vander Linden: Happy New Year. This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center. And this is the "RH-ISAC Podcast." [ Music ] As I record this, I'm still cleaning the confetti out of my hair from New Year's Eve. I can't believe it's been a month since we've had an episode. We took the end of December off so you wouldn't feel compelled to interrupt opening presents to listen to our little show. Most RH-ISAC members were totally heads down on the holiday season anyway. But it is our first episode of 2024. We're kicking off an exciting series of interviews this week. It's been far too long since we've had RH-ISAC President Suzie Squier on. I hope that doesn't reflect in my performance review. She's been on in the past with segments we called "Suzie Plus One," where she interviews an important member of our community or the greater cybersecurity community. Well, she's back this episode and for the next several episodes, interviewing many of the CISOs and cybersecurity professionals who got the RH-ISAC started, or the R-CISC as it was known at the time. Suzie, of course, was here from the beginning too. But why these interviews, and why now? Well, 2024 marks our 10th year in existence. Pretty amazing journey and growth over that decade and lots of changes in the greater cybersecurity landscape as well. So, if there was ever a time not to miss any episodes, these would be the ones. Set your alarms, mark your calendars for the second and fourth Wednesdays of every month. Suzie's first interview is with Colin Anderson, a former RH-ISAC board member, in addition to being here at the beginning. Also, in this episode, I will speak with Ziv Mador, Vice President of Security Research for Trustwave, one of the RH-ISAC's associate members. And finally, we feature my interview and CISO spotlight with Alex Schuchman, CISO at Colgate-Palmolive. I had a chance to sit down with Alex and several of our many CISOs at our last Cyber Intelligence Summit in Plano, Texas. The summit is a great opportunity for us to get a lot of interviews with a lot of impressive people who are there. And you can join us. As you've heard me announce before, our next summit is in Denver, Colorado, April 9th through the 11th. Registration is already open and already humming along. Go to summit.rhisac.org to be a part. As always, if you have something cybersecurity related that you'd like to contribute, shoot us an email at podcast@rhisac.org. Or, if you're a member, hit me up on Slack or Member Exchange. And if your company is not yet a member of the RH-ISAC, make a New Year's resolution to join. Go to rhisac.org/join to learn more and to start the process. [ Music ]

Suzie Squier: Well, ladies and gentlemen, do I have a treat for you today. I am talking to the one and only Colin Anderson. Round of applause. [ Laughing ] How the heck are you?

Colin Anderson: Oh, doing well. Doing great. So great to see you.

Suzie Squier: Yeah. It's great to see you too. I miss you. I miss the whole gang. I really do. Looking forward to getting everybody back together for this fabulous 10th year anniversary we have coming up in 2024. Can you believe it?

Colin Anderson: Amazing.

Suzie Squier: And they said it wouldn't last. [Laughs] So, speaking of, let's go back in time. Can you remember, you were at Safeway at the time, what your atmosphere was like in early 2014 when it seemed as if the sky was falling in retail and hospitality because of some of the breaches we had that year? And how did that -- dude, can you remember what it was like in your environment then? And how did that kind of play out with like your board, your leadership, you know, things along those lines?

Colin Anderson: Yeah, there were several breaches that led up to Target. You know, there was Michaels and DSW and a few others. But Target was the tipping point. I mean, I honestly think the conversation and the need or the visibility of the cybersecurity function and the seas of change after that Target incident. Many of us might not have been reporting to the board prior to Target. But after Target, the board got to know us very well.

Suzie Squier: [Laughing] Yeah. You were a frequent visitor. [Laughing] So do you remember, like, for instance, your first board meeting that you had after that, like preparing your deck, getting things ready, like, was it just --

Colin Anderson: Well, I mean, the whole conversation, the question you had to ask was, can this happen to us? Or what happened? And can this happen to us? And so it was -- you were playing defense as opposed to playing offense. You know, now I think the conversation with the boards have changed in terms of, you know, how you're building a program and being proactive. But after Target, you were -- it was very reactionary. And the whole focus, especially for a large organization like Safeway, where, you know, can this happen to us and what do we need to do so it won't happen to us? And, you know, things right after the Target, you know, information was trickling out. We weren't quite crystal clear. We didn't know about that heating and AC, you know, third party that was the entry into all this. You know, we were just still trying to figure out how was their point of sale compromised. How was this -- How did this happen? And so, you know, soon after Target, we were still in a little bit of a guessing game.

Suzie Squier: Yeah. And this probably was started with the whole third-party industry --

Colin Anderson: Oh, absolutely.

Suzie Squier: -- the whole work on third parties. Because, I mean, that was obviously, you know, that was the focal point, as it turns out. Yeah.

Colin Anderson: We were always worried about our point-of-sale provider. You know, whether you're using, you know, NCR or whoever. But would you think about a heating and, you know, HVAC partner as being a risk to your organization? We would have never thought that, you know. No. I mean, we were doing a little bit of vendor risk, you know, but not like we're doing it today.

Suzie Squier: No, I can imagine. I can imagine. It's a whole nother function within your organization now. And they're not small functions, and they're vastly important. So it is really interesting. And I think it also, as you said, started the conversations with the board and really helped to elevate the role of the information security position.

Colin Anderson: In time.

Suzie Squier: Yeah. Yeah. That title just started popping up, you know, the chief information security.

Colin Anderson: Well, now everybody needs to have one. We're the greatest things around, right? You know, everybody wants their CISO. We all need to have a CISO, right? No, but back then, 10 years ago, there weren't a whole lot of organizations that had CISO. You might have had a director of security. And security was probably buried somewhere in a corner of IT. Now security is reporting to CEOs. Now it's, you know, outside the IT organization for many organizations. And the CIO is a peer to the CISO. I mean, the whole function has been definitely elevated because cybersecurity is now viewed as a business risk, you know. And it's not viewed as a IT risk.

Suzie Squier: As we can see in the whole SEC rulings and everything, right?

Colin Anderson: Absolutely.

Suzie Squier: Right. More fun, more fun coming down the pipe for everybody. [Laughs] Well, in addition to what you're doing internally and in that time period, we also were building what is now the Retail and Hospitality ISAC and gathering together. And tell me some of your thoughts about how that whole process that we went through, the first meeting we had in Pittsburgh, the second I think we had in DC, and just the gathering of people and meeting a lot of these, your peers, I think, for the first time.

Colin Anderson: Yeah, we knew some of each other from these Black Hat and RSA kind of conferences. But we didn't really develop the tight working relationships that we did until this kind of came together. And I missed that first Pittsburgh meeting.

Suzie Squier: I thought you did because you were out in the West Coast.

Colin Anderson: Yeah, I was traveling. I missed that Pittsburgh meeting, but I was at the DC meeting. And that's where I got hooked. You know, I saw what we could do together. And the biggest question then was, all right, how do we get this off the ground, you know? How do we make this happen? How do we get the funding together, get the leaders together? Because like we all had busy day jobs. It's not like any one of us could like jump in and lead this new organization. And so it was really interesting. And I love the fact that, you know, we're all coming together, and we saw an opportunity. We wanted to solve the problem. But we're literally like, how do we build this business? This is like, we had to build something here, and that was fun.

Suzie Squier: It was fun. And I have to give kudos to my former employer, RILA, who put up the money for us to get Booz Allen to help, you know, who has stood up a number of ISACs. You know, the FS-ISAC was a great support in helping us with like what does this model look like? You know, what do we do? And then, yeah, it was really just jump in with both feet and create an organization, create the board, create the foundations of information sharing. It was a great year, but it was a busy year.

Colin Anderson: And building that business plan, building that financial plan, I mean, like we were all CISOs that had been reporting to a board. But we actually hadn't been a board ourselves or on a board ourselves, you know. And so we have all these individuals. And RILA was hugely helpful to get us off the ground. But, you know, you have all these CISOs like trying to like, okay, how do we -- how do we build a board? What do we have to do if we're on a board? All that -- those board dynamics were --

Suzie Squier: All the governance stuff we had to figure out. And, you know, we did have other trade associations involved, which was great. We had NRF, and you may not remember, but we had the AAFA, the American Apparel and Footwear Association. God love that poor guy. He didn't even have a cyber group. And he kept showing up, probably going, what are these people talking about? But they were -- they were good. They stuck there with us. It was a -- it was a heady time of figuring it out and putting all the pieces together. But, you know, kudos to you and the other folks in the room who, because your day job was like you said, there was a lot of unknown facts that were still going on. So I'm sure everyone was searching in their environments. And then, in the middle of that, as you were just saying, we were putting pieces together to this organization. So but it's a fun time. It was, I mean, looking back, there was some of it was a little stressful at the time. But it was fun, wasn't it?

Colin Anderson: Yeah. I had a blast, you know, and I learned a lot. I did. And I built some really great relationships.

Suzie Squier: Absolutely. Long lasting. And as you and I were mentioning before the start of the recording, you and Scott Howard had had meetups at RSA and Black Hat and, you know, those relationships. And that's huge in this industry anyway.

Colin Anderson: Yeah.

Suzie Squier: You know, because, as we know, you're not competitors at all in this space, right?

Colin Anderson: Not at all. No. I mean, every organization I've been in, we've always -- I always have -- we always have competitors. And but cyber is not what we're competing on. And it's when one of us is hurt, we're all hurt. You know, it erodes the consumer trust no matter where you are. And so, you know, your most fiercest competitor could have a cyber incident. But you're going to lean in and help them. And they're going to lean in and help you because we're in this together.

Suzie Squier: And I think that's what immediately took place as we were building this that was that, you know, it takes time to build trust among individuals. It does. And the in-person time really helped. And we try to encourage in-person time, like at our summits, at our workshops, because you just can't replace that. But I think just that inherent feeling in information security really helps speed this process along, you know, in forming the organization and getting companies to jump in and then getting them to start participating in the sharing.

Colin Anderson: And sharing, it's one thing to say, hey, that's a great idea. I want to be a member. But talking to their general counsel about, hey, I'm going to share some stuff that's happening here. Like, yeah, I can anonymize it, maybe, but I'm going to be sharing, you know, stuff that's going on. Are you okay with that? You know, and that's, not every GC was.

Suzie Squier: And still are not. Yeah. Was that a forming of a new -- a relationship with the GCs at that time, too, or had you already had prior? I know with contracts and things like this. But did this -- do you think this helped change a little bit of like an information security officer's role with the -- with legal at all?

Colin Anderson: I'll be honest, I didn't have the best relationship with my GC at Safeway. We were not cut from the same cloth. But my GC relationship at Levi's was very, very different. Huge supporter, very tight relationship. And he helped me really, you know, embrace the opportunity, you know. But and that worked out really well because I left Safeway to Levi's in 2015. And we were still just kind of building our momentum in '15. And so I'd say it could have helped, but I had a good relationship with my GC going out of the gate when I started at Levi's.

Suzie Squier: Yeah, that's good. That is good. That was interesting, right? You jumped from Safeway over to Levi's. And unfortunately, we have lost you to the -- from the retail and hospitality to health care. I know. And you and I talk about this any time we meet that we miss you a ton, you know. So how are things? How are things in the health care slash workplace insurance? I mean, not health -- it's human resources.

Colin Anderson: It's human capital management --

Suzie Squier: Yeah, that's right. Sorry.

Colin Anderson: New role in capital management. Yeah, it's a very different than in retail, for sure. The stakes are higher, I think, to tell you the truth, which is good for cybersecurity. And I get a tremendous amount of support because if we don't have security, if we don't have customer trust, we don't have a business. So I'm meeting with our CEO, our leadership team board. I met with him earlier today. Very frequently, great line of sight, great support. But the stakes are pretty high. You know, in retail, I was always having to try to sell security, you know, like, why is it -- why is it important? You know, I don't have to sell the need for security in my organization. Everybody gets it. And everyone talks about security being a team sport. I think this is the first time I've actually felt that people embrace the idea of it being a team sport. And whether it be product, support, you know, everybody's kind of working to make sure that we're doing the right things and we have a good security culture. So it's very different, but there's pros and cons for sure.

Suzie Squier: It's interesting because we still got a lot of folks, heads of information security, asking about how do you sell, not, you know, how do you tell your story to the board? How do you sell your program? How do you ask for it? And you know, one thing that's come up recently is when you have an economic downturn, how do you, how do you continue to sell that when, you know, when, you know, the environment is not as conducive to sales as they used to be, you know? So it's -- that conversation continues. Sounds like you don't have that problem, though.

Colin Anderson: I mean, there's always only so much pie to go around. It's all supply and demand, right? You know, so the product team, the cyber team, the IT, we're all kind of fighting for a bigger slice of the pie. Resources are not unlimited, but the good thing is everybody sees the value and the importance of cybersecurity. Even my CIO, who we're both peers, and we both report up to our COO, we're in this together. You know, she has her role to play. I have my role to play. We're great partners.

Suzie Squier: Oh, that's good. That's good. Looking back at the growth of where we are today and you as our board chairman for a number of years, which, you know, always thank you for all of that support. And I loved working with you and Dave Spooner and the whole team. If you look back, what are you most proud of in your role in the building of the then R-CISC and the now RH-ISAC?

Colin Anderson: You know, the voice in the industry. You know, when we started out, nobody knew who we were. And we were having to ask to be invited to things. Now, we're asked to -- they're pulling us in, pulling RH-ISAC in. I think the voice in the industry that we've created over the last 10 years is one of the things I'm most proud of. The fact that we brought these industries together and we're helping, you know, not just members, but we're helping the industry raise the bar when it comes to cybersecurity. And the phrase, you know, a rising tide lifts all ships, is used frequently, you know, and it's so true. We've known for years that our attackers work together. You know, it's a whole ecosystem out there. So we should be working together too, sharing information, helping one another, talking about, hey, this product works, that product doesn't. You know, and we need to collaborate and share so we can all collectively, for our respective business, be stronger, stronger together. So those are probably the things I'm really, really proud of and just, gosh, the growth. I mean, we started out there in Pittsburgh in DC, eight or 10 of us with an idea, you know. Now, I don't know what your membership is at now, but it's got to be in several hundred, right?

Suzie Squier: Yeah, we're over 250, yeah, member companies with great growth, you know, still great growth and still a lot to do in North America but branching into Europe and UK. And God love, you know, some of our folks hanging in there. And Woolworths and down in some other folks in Australia. Yeah, Peter is still with us and building. And we've got some good conversations with South Africa. And so, it's really fun to see, as you said, really starting to emerge. A lot of work to do, a lot of work still to do. But I was just talking to one of our members yesterday, and he was saying how he's at a conference. And he meets up with somebody just like you and Scott. And then somebody comes up, and he says, what ISAC are you in? You should be in Retail and Hospitality. He thought we should get T-shirts. [Laughs] Well, it was great. Always great to see you. I've got to remember to reach out to you when I'm out West so we can catch up in person because always such a fun time. As we said, we were fortunate to have such a great group of people who just believed in the idea and kept moving this forward.

Colin Anderson: You know, I'm part of FS-ISAC now and oh, great organization, lots of resources, but not the same community. I miss that tight-knit trust, knowing each other that I had with RH-ISAC. I don't have that same connection, that community feel in FS-ISAC. I mean, there's obviously a lot of resources. But you know, you've got something really special there with RH-ISAC and the community that you've built. And the trust within the community that you've built is really special. So keep it up.

Suzie Squier: Thank you. It's a great group of members. And, you know, I think of that, and, you know, that's a whole set of challenges when you get to be that size. So how can you put in systems now to, you know, if we ever get to that big, but how do you put systems out to keep that really wonderful, as you said, community feeling that we have? And it is special. I appreciate it, and I don't take it for granted at all.

Colin Anderson: Yeah. That's what I miss most. I really do.

Suzie Squier: Yeah. Good. Well, it was great catching up with you. Thanks so much always for your support over the years. And happy that things are going well with you where you are now. And we will be reaching out to have our celebration on the 10th, our 10-year celebration. Hopefully, you can join us for that. We would love to get the gang together.

Colin Anderson: That would be fabulous.

Suzie Squier: All right. Take care, Colin.

Colin Anderson: Take care. [ Music ] [ Music ]

Luke Vander Linden: All right. I'm now joined by Ziv Mador, Vice President of Security Research for Trustwave and SpiderLabs. Thanks for joining us on the "RH-ISAC Podcast," Ziv.

Ziv Mador: Hi, Luke. Good morning.

Luke Vander Linden: Good morning. Good afternoon. You're joining us from Israel. Hope you're well over there and safe. And we're at very different times. But it's great that we can use this technology to communicate with you, with each other, and with our listeners. So Trustwave is one of the RH-ISAC's associate members. Thank you for your support on that. For our listeners who aren't familiar with Trustwave or the awesome SpiderLabs group that you run, tell us more about it and what services it provides.

Ziv Mador: Sure. So Trustwave exists for 25 years. It's cybersecurity vendors that provide multiple services. First of all, MDR, which stands for Managed Detection and Response. We basically help many organizations around the world to protect their networks. And we monitor their incidents. We notify them whenever we see something suspicious or malicious in their environments. We also have a database security product called DbProtect to help protect against -- help secure databases. And last, MailMarshal product, which helps scan, filter unwanted email, malicious emails of all sorts. On top of that, we provide a variety of services such as penetration testing by the SpiderLabs team that you just mentioned, digital forensics and incident response, threat hunting, continual threat hunting. And on top of that, we have a group of security researchers. So all in all, there are 250 people in the SpiderLabs team that are the security expert team within Trustwave.

Luke Vander Linden: Excellent. And so what does the vice president of security research do?

Ziv Mador: Okay, that's my job, I guess.

Luke Vander Linden: That's you. That's you.

Ziv Mador: That's me. I run a team of security researchers, where we investigate a wide range of cybersecurity threats year around. Those threats can happen or deliver over email, over the network, over the web, in many different forms. We constantly look for new forms of malware, new ways to obfuscate and deliver malware. And this world is extremely dynamic. Our adversaries make their living from cybercrime. And sometimes there are also other motives. And that's why they always want to keep high ROI, return on investment, which means if their attacks get blocked, they will look for new ways to launch those attacks and conduct them. So the malware they create and use, the way they exploit products, the way they infiltrate into organizations constantly change. And we have to find those changes and make sure we provide the necessary response. In particular, make sure that all our services and products can detect those cases. We also have a very active blog site, it's called the SpiderLabs Blog, with more than half a million readers every year. We post about 70 blogs a year. So it's quite active. And that's where we share many of the insights we collect throughout that research.

Luke Vander Linden: Well, I appreciate that, and I appreciate you sharing your insights with us today. So, from your vantage point, working with lots of different organizations in a number of different sectors, what is particularly interesting about retail and hospitality to threat actors from your point of view?

Ziv Mador: Sure. So, in particular, what we do, for example, this year is to examine what's unique about each industry in the terms and from the perspective of cybersecurity threats. There are certain type of threat groups that target almost anyone. A good example is ransomware. They really don't care. They would target anyone who might pay, right? They don't really have any preference. But there are certain industries that have unique challenges that impact their security exposure. So you asked about retail and hospitality. Let's talk about those two. Retail, for example, as you know, e-commerce has become super popular. The scale of e-commerce more than tripled in four years.

Luke Vander Linden: Right. During COVID, everybody had to become an e-commerce business.

Ziv Mador: Exactly. Exactly. So it surpassed a trillion dollars. And because of that, and because it's so popular, many businesses now sell their products over the web. They also support mobile applications, which means that securing their networks have become a lot more complicated. Think about it. A retail chain 20 years ago, all they had, quote/unquote, "is physical stores," right? But now they have physical stores, they have websites, they have mobile applications, they sometimes have social media. They have many more areas where they can be attacked. And now, with the digital transformation, if your data is accessible, or at least if it's stored on a web server, for example, the credit cards you collect, the user information, your catalog, if it's available on a website, that website can be attacked. And if the attackers can infiltrate into that web server, they might steal all that information, or they might disrupt services. Usually, they would prefer to exfiltrate data and then try to do some extortion.

Luke Vander Linden: So, on the other hand, hospitality, even though it also has lots of ways to interact online, it's still a very physical and place-oriented industry and sector.

Ziv Mador: You're correct. And that's exactly characterized some of the unique challenges of the hospitality industry. So let's talk about a few of them. First of all, hotels, for example, obviously, host guests, many guests every day. Those guests roam through their facilities. So if, say, some server room is not properly secured, the door is open, or some other computer -- a hotel's computer accessible to a guest, that guest is malicious, they might use that to plug in a thumb drive or access those computers or servers. But beyond that, all those guests, benign guests, legitimate guests, they connect to the Wi-Fi networks, right? They connect to use the business centers of the hotel. So that means that those networks can be considered dirty because they are not controlled. The laptops that connect to them or the mobile phones that connect to them might be infected. And that adds to the risk.

Luke Vander Linden: Right. So, tell me more about the kinds of research Trustwave does for specifically these two sectors, retail and hospitality.

Ziv Mador: Sure. So Trustwave, as I mentioned earlier, one of the services we provide is penetration testing and red teaming, which means that we help organizations find all those vulnerabilities in their environments. And there are many places where they can exist: in the web application, in the mobile application, on their networks, in their servers. And even educating and training their people is important because, as we often say, the people behind the keyboard is yet another possible vulnerability. We, every year, conduct more than 100,000 hours of penetration testing globally. Through that work, we find more than 30,000 vulnerabilities. So, you see, we collect a lot of information. Beyond that, we collect a vast amount of threat intelligence by using many, many different ways, honeypots and telemetry from our products and many other ways. I mentioned earlier the MDR service we provide. We collect between 4 billion to 12 billion events every day, security events, globally. So all that volume of data allows us to understand pretty well the trends of cyber threats around the world. And often, when we are asked, when we're approached, for example, by the media, with questions about different threats, we already know about them. In fact, we already researched them. We already updated our signatures and products to make sure we can detect them.

Luke Vander Linden: That's incredible. So, outside of using this information and this data and this great resource and this great wealth of information to protect your clients, do you put out any reports or speak back to the industry about these things?

Ziv Mador: Yes. We give many webinars. As I said first, we share many of the information on our blog. It's a great resource. Beyond that, we give webinars. We do customer education events. And often, we provide them threat reports that are specific to their environments and to their industry. That happens quite often. But look, I do want to mention also, this year, we started releasing industry-specific threat reports. So far, we released six reports. Retail and hospitality are the two of them. The other ones are for the financial sector, for the health industry, manufacturing, and more are coming. So, many customers, many organizations value them because they are a lot more focused. As we talked earlier, there are challenges that are unique to each industry. So, those threat reports focus specifically on those challenges. And the type of malware and the type of cyber threats that we see impact those organizations. And then we come with actionable recommendations: how to mitigate those threats and how to harden your environment and how to reduce the risk.

Luke Vander Linden: Well, that's great. Because, obviously, you know, you can work to protect your clients. We can work to protect our members. But it's really the industry coming together to protect itself which is important because something that's going to hit one of our companies is going to hit one who is not. And if we work to protect everyone, then it helps everybody out. So let's get into some of those threats that you were talking about. What are the main threats that we should be concerned about now? And getting out your crystal ball, what are the emerging ones that you're seeing?

Ziv Mador: Sure. So, first of all, the most disturbing threat that impacts so many companies and organizations around the world is ransomware. Ransomware groups have gone a long way in the last 20 years. They have become a lot more sophisticated. And that comes to play in a few ways. First of all, they manage to infiltrate many more organizations, including big organizations that put big efforts into securing their networks. And still, they are successful. You can see some big names in the news that were attacked successfully by ransomware groups. Secondly, they use what we call now double-extortion techniques. So, you might remember then, say, five, 10 years ago, if a company or even a consumer was attacked with ransomware, all they did back then is to encrypt their files or delete them, usually encrypt the files and ask for some ransom so they are decrypted and become usable again, right? But now what they do, they try also to exfiltrate them as much as they can. And usually when they attack big companies, they manage to exfiltrate many gigabytes, sometimes terabytes of data. And they will target the most sensitive data that the company has. It might be their customer list, diagrams, source code, their intellectual property, credit card information, whatever they can capture which they know that is the most valuable information of that organization. And they will exfiltrate as much as they can. And now what they're going to do is to start the extortion. Usually, almost always, they will post some samples of that data on their blog site, on some dark web form, to show that they really got into that organization. Sometimes, they might include screenshots of internal service. That means the organization cannot deny they were attacked anymore. They cannot. It's something perhaps many organizations did 10 years ago. They claimed they were -- that no damage was caused or that the damage is very limited. Now they show that they captured critical information, and they got access to critical internal servers. So the organization cannot deny it anymore. And they start extortion. They say, okay, now we released only that sample, but we'll start releasing more and more information unless you pay us X amount of dollars in Bitcoins or some other cryptocurrency. And those ransom fees increase over the years. Now, on average, they're around a million dollar, which is a lot of money. But if you think about the potential damage to the organization, sometimes it's cheaper to pay.

Luke Vander Linden: Right, just to pay.

Ziv Mador: Yes, even though it's a very risky approach.

Luke Vander Linden: I guess inflation is hitting everywhere. But in some cases, we've seen with the MOVEit, for example, breach that happened, they just skip over the encryption and just go right for the double extortion part of things.

Ziv Mador: Yes, MOVEit is an interesting example. It's what we call a supply chain attack. Because what happens is that every organization now, every business now, relies on some third-party solutions, some third-party products and technology. Many websites, for example, use APIs and other B2B, business-to-business, model to get services from some other vendors. We use products from other vendors for inventory management, for network management, for so many different things. And if any of those vendors get breached, the bad guys can get access to our networks. So even if we perfectly protect our networks, they might still get in or inject malicious code into our networks.

Luke Vander Linden: So do you see that as the greatest risk now, third-party?

Ziv Mador: It's not necessarily the biggest one. But it's certainly one of the ways that the cybercriminals manage to get foothold into many environments. And what's more concerning here is that one breach can end up with many compromised environments. Why? Take the SolarWinds as an example, right? Just one company that was breached, but they managed to push out a malicious update through the SolarWinds update service. And they got access to thousands of different environments. That's the concern here. It's a one-to-many attack.

Luke Vander Linden: So how can retailers, hotels, other hospitality, restaurants, consumer-facing organizations, how can they minimize their security risks from your point of view?

Ziv Mador: So there are multiple things they should do. And it's certainly not a simple task. I don't want to downplay the complexity of securing a large, certainly not a global enterprise network with all their complexity tasks. But there are certain elements that must be part of the security plan, the security policy. First of all, the human element. The personnel has to be trained continuously. And if someone fails to complete the training, or you can try to do some phishing test, and they click the phishing test, then talk to them again, educate them. Because we have to remember, for a successful attack, all you need, all the bad guy need, is one successful phishing attack, right? They might send 500 phishing attacks, 500 phishing emails. It's enough that one of them will be clicked or the attachment will be opened. And that's enough for them to get the initial foothold.

Luke Vander Linden: The good guys have to be right every time. The bad guys only have to be right once, the old saying.

Ziv Mador: Exactly. You're absolutely right. The second thing is secure the email vector. The email which is one of the most common ways how they craft their attacks, right? Again, I mentioned phishing emails, but there are many other types of malicious emails, business email compromise, scams and others. Many security email gateways can filter out most of that unwanted email and reduce the risk. And sometimes, even if you run two email security solutions side by side, you will reduce the risk even further. I'll give you an example. Microsoft 365 provides email security filtering, which is pretty good. But what we found is that still, some malicious emails managed to get through. Then what we did, we installed our secure email gateway next to Microsoft 365 and sent thousands of malicious emails of different types through that malicious emails we collected from many different sources, not just our own collection. And our secure email gateway managed to detect 90% of the malicious emails that Microsoft 365 failed to detect. So that means, by running two email security solutions side by side, you can reduce the risk by 10x or so. The third thing I would say, you've got to make sure that the computers and the devices in your environment are secure and are fully patched. That's critical because one of the ways how the bad guys get in is through vulnerability exploitation. So, obviously, the operating system has to be updated. But basically, any business application, any application that runs on those servers, have to be updated and updated quickly. Some organizations are a bit slow to install the patches. That means that there is still a vulnerability window that the bad guys can exploit. So try to minimize that vulnerability window by installing those patches quickly. Build an effective inventory and third-party database. Know exactly what's your threat exposure. We talked about MOVEit, but again, big organizations use many different third-party solutions. Many different -- Exactly. You have to understand precisely what solutions you use in your environment. Work with those vendors to make sure they're properly protected as much as you can. Make sure you work only with vendors you trust. And even require them to go through some security testing periodically to make sure the threat is minimized. The last thing I want to mention is around threat hunting. One of the things in our world is that it's not a matter of if we're going to be successfully attacked. It's only a matter of when. It's possible that your network is already compromised. It's possible that some threat actor already lurking in your environment, already infected some computer. Sometimes, and that's usually the case, they will manage to infect a relatively insignificant computer in your network, let's say, the computer that the receptionist used. Okay. She or he opened some attachment they shouldn't. The machine got -- the computer got infected. But that's not where the critical data is. The critical data is on some other database or some critical server. They'll try to move laterally through the network and get to those critical servers. So it can take time. It can take them days. It can take them weeks. If you manage to find that malicious code, that malware, those attackers on your network before they cause the real damage, that can save you a lot of money and reputation damage and so on. So what we do, for example, in continual threat hunting, is periodically scan the internal network and look for those signs of infection. And if we see any suspicious sign, we'll try to collect as much information as we can. We'll analyze those suspicious files until we either isolate the threat and clean it or ensure that it's not malicious.

Luke Vander Linden: Wow. Excellent. Well, Ziv Mador, thank you very much for joining us. Vice President of Security Research for Trustwave. Thanks for being on the "RH-ISAC Podcast."

Ziv Mador: It was my pleasure. Thank you very much, Luke, and Happy Holidays. [ Music ]

Luke Vander Linden: All right. I'm now joined by Alex Schuchman, CISO at Colgate-Palmolive. Thanks very much for joining us on the "RH-ISAC Podcast."

Alex Schuchman: Thanks for having me.

Luke Vander Linden: And it's great to see you again. We're in person today doing this recording. But we last saw each other when you hosted a workshop for us at your offices in New Jersey earlier this year. So thanks also for doing that.

Alex Schuchman: Yeah, that was one of my favorite events because it allowed me not to travel but still attend an ISAC event.

Luke Vander Linden: Yeah, it was great. I got to go to that because I live a drive away. So I didn't fly myself, but I did travel. I rented a car and drove down.

Alex Schuchman: And we're happy to host more events in the future, and we got a great turnout.

Luke Vander Linden: Yeah, we did. And we would love that, so thank you very much for that offer. Why don't you tell me a little bit about yourself, what you do at Colgate-Palmolive, and, more importantly, how you got to that role?

Alex Schuchman: Yeah, so currently, I'm the CISO for Colgate-Palmolive company. But I've actually been at the company for 26 years. I only joined the security org about four, four and a half years ago. Majority of my career, I have been -- I've always been in IT. So I started doing email and networking, and then I shifted over to more applications. So ERP implementations in Latin America and different parts of the world. Then shifted over again to leading the analytics function within our company. And then shifted again to CRM as one of the CRM practice leads. And then moved on to architecture, cloud, DevOps. And then finally joined the wonderful world of security.

Luke Vander Linden: Wow, that's great. So you've done it all. And you've always been an advocate for emerging technology so far in your time with the RH-ISAC. Tell me a little bit more about that.

Alex Schuchman: Earlier in my career, I had the opportunity to really work closely with our sales and marketing organizations on the business side. And they were looking for solutions to problems that a lot of the large-scale vendors weren't offering. Or they were frustrated with some of the capabilities that were being offered from those vendors. So I worked closely with the business leaders to try to find innovative technology startup companies that could solve their problems. And then really fast forward to today in the security org, I carried that same methodology with me and said, if I'm looking for a vendor, don't just look at the large incumbent vendors, but also look for some innovative startups that really can solve problems in a creative manner.

Luke Vander Linden: So what are some of the technologies, without necessarily naming any specific companies, that you see as impacting cybersecurity or technology the most in the coming years or months or whatever?

Alex Schuchman: So I think cloud security is a very important topic. It's covered in many different areas by many different vendors. It's one of the largest growth areas for most companies who are really getting away from a traditional data center or a traditional hosting provider. But at the same time, it has a large attack surface, and it has a large opportunity for misconfiguration. So really finding an innovative vendor who can make it easy for a traditional, really, security engineer or security analyst to understand cloud security misconfigurations or vulnerabilities and actually action it without them having to become a superstar cloud expert.

Luke Vander Linden: Okay. That's great. No, I think we can't mention emerging technology without mentioning those two letters, AI. How do you see that as impacting our industry?

Alex Schuchman: Yeah, it's really interesting. And obviously, you can't go five minutes without seeing an article on generative AI. But realistically, AI, ML has been around for many years. Many companies, including ours, are using these technologies. But I think the large-scale interest in generative AI is really the thing that's getting all the press. And, you know, I think the main interesting differentiation in the generative AI is really the fact that it democratizes the ability to use the models that have already been generated and create new output. Where in the past, you had to really be a data scientist or have a very specific skill set in order to take advantage of AI or ML. Now, you have people in our sales, marketing, finance, HR departments trying to determine how they can use generative AI to improve their business processes.

Luke Vander Linden: And it is one of those things where you just can't issue a proclamation that it's prohibited. You have to -- people are going to try to use it, and so you have to kind of give them guardrails, right, on how they're allowed to use it.

Alex Schuchman: Yeah, I think the key in really my experience in the application world has been, you know, how can we make technology a business enabler? So in the context of gen AI, it's going to keep changing. It's going to keep evolving. The vendors will keep getting better, and new ones will keep popping up. So, from a security point of view, we want to make sure the employees have access to this technology. But we put guardrails there. We put really controls on what they can and can't do. And, at the end of the day, we also want to know what they're doing. No different than EDR or DLP technology, where you want to put rule engines in on top of that technology to govern it.

Luke Vander Linden: Right. Let's pivot to fraud, or digital fraud, or, you know, online fraud. How does that impact your role in cybersecurity?

Alex Schuchman: Yeah, I think the interesting thing around fraud, and I'll take it from a consumer packaged goods perspective, which, of course, is what Colgate-Palmolive is, you know, I think one of the big areas that we're seeing emerging from a security vendor perspective is really how can we stop BEC email fraud with the specific goal around invoice payment or malicious fake invoice payment or bank account changes that are really paying an invoice, which is a legitimate invoice but obviously to the attacker's bank account and not the appropriate bank account.

Luke Vander Linden: Right, redirecting it, right. So you do make the point that you're a CPG, which, you know, fits in the retail world. You're also a massively global corporation. How does that affect the work you do and make it more difficult or, you know, streamline things? How are things different being global?

Alex Schuchman: Yeah, some days I'm envious when I talk to some of my peers who have a 100% footprint in the US. But at the same time, we really have a lot of different diverse issues come up. You know, we have operations in pretty much every country in the world. And we're the only global security organization that's supporting all of them. So many of the times in the morning, we're dealing with maybe some issue in Europe where we have local legal telling us about a local regulation that we have to comply with. Or else maybe in the afternoon, we're dealing with something in the US or LatAm. And it does keep things quite interesting. And it really has the ability to keep you learning on a daily basis because every day, we wind up finding something new and something challenging that we have to overcome.

Luke Vander Linden: And I imagine you have team members all over the globe as well in order to chase the sun or just to follow where the threat actors are?

Alex Schuchman: Yeah, so we have three core locations. I'm based in New Jersey, which is where our IT headquarters is. Our corporate headquarters is in New York City. But we have people spread throughout the US in my security organization. Then, outside of the US, we have our largest location is in Mumbai, India, where my security org is also co-located with our ongoing shared services organization that does our day-to-day operational support. So that allows them to also partner with their peers in the other function areas within IT. And then I have my red team in Tel Aviv. Oh, and we specifically stood the red team up there so that we could get the offensive talent.

Luke Vander Linden: Excellent. That's great. So you're able to chase the talent as well as chase the sun. Now, I saw on LinkedIn, because we were on LinkedIn not too long ago, you won an award.

Alex Schuchman: Yeah, I do quite a bit during my day job as CISO. But then on the side, I try to do a lot with employee resource groups.

Luke Vander Linden: Oh, okay.

Alex Schuchman: So one employee resource group, which is one I won the award for, was the Asian Action Network. And I did a lot of cultural activities and information sessions to raise awareness around Asian and South Asian activities for our employee base. And then currently, I'm also one of the co-leads for Colgate's Abilities Network. It's our employee resource group that's focused on accessibility and people with disabilities while they're in the workplace and how we can make it an easier experience for them.

Luke Vander Linden: Wow, that's terrific. That's great. Congratulations on that. I guess finally, you know, getting out your crystal ball, what do you see as the biggest emerging threats, in specifically retail and hospitality or just for cybersecurity in general?

Alex Schuchman: I think the organized side of organized crime has definitely been accelerating in the last few months. And you know, we don't just see a script kiddie or an unsophisticated threat actor, but we're seeing these really coordinated attacks. And the FBI is giving posts out that says there's even singular or multiple attacks from different groups coordinating together. So, you know, if that emerging threat continues to emerge, that makes it even harder for us as defenders.

Luke Vander Linden: And from your perspective as CPG, do you see it mostly around the selling of stolen goods or are there counterfeit goods being sold as well?

Alex Schuchman: So we're seeing threats on the OT side because we're a manufacturer. And we have seen other peer companies in the CPG space get hit with attacks on their OT infrastructure. But on the same side and the business side of the house, not only are we selling to B2Bs like a supermarket or a big box store, like many of the retailers in the ISAC, but we're also selling direct to consumers. So we sell on e-commerce sites as well, so we get attacks from all different angles.

Luke Vander Linden: Okay. Wow. Well, Alex Schuchman, thank you very much for joining us on the "RH-ISAC Podcast." Appreciate it.

Alex Schuchman: Thanks for having me. [ Music ]

Luke Vander Linden: A huge thank you to our fabulous guests, Colin Anderson and, of course, RH-ISAC President Suzie Squier, to Ziv Mador of Trustwave and Alex Schuchman of Colgate-Palmolive. As always, thanks to the production team who do their best to make us sound good. For the RH-ISAC, that's the amazing Annie Chambliss. And from N2K Networks, Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thanks to you for tuning in. Happy New Year and stay safe out there. [ Music ]

The Retail & Hospitality ISAC Podcast
Podcast Info
HOST(S):
Luke Vander Linden
Luke Vander Linden is the VP of membership and marketing at the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), the cybersecurity sharing and collaboration community for the consumer-facing business sector. In his role at RH-ISAC, Luke is responsible for member growth and engagement and, as part of the leadership team, overall organizational strategy. Luke lives in Connecticut with his wife and two sons.
Schedule: Biweekly. Wednesdays.
Credits: RH-ISAC Producers are Annie Chambliss and Marisa Troscianecki, Senior Producer is Jennifer Eiben, Theme Song by Elliott Peltzman, Mixing by Tré Hester.
Creator: Retail & Hospitality ISAC
The Retail & Hospitality ISAC Podcast