Month: September 2018

RH-ISAC Interviews: Members of Target’s Information Security Team

“Cyber security shouldn’t be considered a competitive advantage, but a collaborative effort,” writes Rich Agostino, CISO, Target—and speaker at the 2018 Retail Cyber Intelligence Summit. As part of our series from speakers and sponsors of this year’s Summit, we recently asked members of the Information Security Team from Target to respond to a few questions about retail cybersecurity.


RH-ISAC: What is the most exciting (or frightening) development you’ve seen lately in your field?

Jodie Kautt (Sr. Director, Information Security): I am really energized by the amount of innovation that is occurring in our industry, and not at security vendors, but at retailers, financial institutions, etc.  In particular, it’s been exciting to see the creativity our teams are bringing to integrating the sec into secdevops. Truly integrating security into devops is our most effective path forward and this transformation has pushed many of us to think of security differently, driving the innovation.


RH-ISAC: If you were given an extra hour every day, what would you do with it?

Kautt: I would love more time for creative thinking. I am a thinker and too often I don’t get this daily reflection time.


RH-ISAC: Do you think there is a need to create a big change in retail cyber security? If so, how would you do it?

Kautt: We need more information sharing across our industry.  We all have a shared mission and I would love to see us come together more to learn from one another.  It sounds simple, but for some reason we still aren’t there.  This is going to come with all of us just picking up the phone more and connecting when we see something that others could benefit from knowing.  We have made progress, but we need to do more.


RH-ISAC: Did you experience a personal, “game on” moment in cyber security?

Brenda Bjerke (Sr. Director, Information Risk Management): Every day is “game on” in the cyber security industry. From high level strategy down to the smallest detail of a particular security setting, having the right expertise and vigilance is critical to protecting companies from ever-changing threats. In my job, I focus on quickly assessing risk and the potential impact of issues so that my team can prioritize and focus on the most critical work.


RH-ISAC: Do you have a top tip for making a positive impact in retail cyber security?

Bjerke: I think that making a positive impact can be achieved by embracing diversity and inclusion. By doing this, we can better understand our guests and community and build a stronger team.  Creating an inclusive culture not only attracts good talent and builds a team that represents the guests that we serve, but it also helps to retain top talent. Sometimes it’s hard to understand where to start, it’s as simple as showing up and actively participating in Diversity and Inclusion events which demonstrates your willingness to learn and support. Also, by incorporating an invitation for team members to share during interactions can be a great starting point by asking, “Is there anything else on your mind that you would like to discuss?”


RH-ISAC: What is the key point you want attendees to learn as a result of attending your session/why is it important to them?

Rich Agostino (CISO): Often times, cyber security professionals think the most important thing we can do to reduce the impact of a security incident is through our technical response. However, I hope attendees leave the session thinking about how to plan and practice the critical skills for leading an organization through a security crisis.


RH-ISAC: What skills or characteristics do you think are most important for your job or the retail cyber security sector?

Agostino: Prioritization is key in a world where new threats are coming at us every day, so CISOs need to quickly assess situations and take decisive actions. The ability to influence our organization and industry is critical as well, because in security our success relies most heavily on our peers, leadership team, end users and the community.


RH-ISAC: Why is the RH-ISAC Summit important to the retail community?

Agostino: All companies, including retailers, need to constantly adapt to stay ahead of today’s cyber threats. Cyber security shouldn’t be considered a competitive advantage, but a collaborative effort. Each company’s willingness to actively share information is crucial; the more we share, the better we become at defending our companies and strengthening the capabilities of the retail industry. The retail community is well positioned to meet the challenges ahead and I am proud of the progress we have made.



Three Security Lessons to Keep in Mind Leading Up To the RH-ISAC Summit

By Heather Howland, VP of Marketing, Preempt

It’s never been more important for retailers to harden their cybersecurity posture— especially given the documented trend of intensified attacks on retailers during the rapidly-approaching holiday season. We’re excited to attend the 2018 Retail Cyber Intelligence Summit in Denver and look forward to learning from and sharing perspective with the RH-ISAC community, including some of the top retail companies in the world.

A CISO recently came to us with an all-too-common concern: Despite state-of-the-art investments in security solutions and a leading team, nothing was tying their security framework all together from a threat standpoint. We hear this repeatedly from security teams in industries across the board, and particularly in retail.

At Preempt, we work with numerous retail companies, including brands like Charlotte Russe and Scotts Miracle-Gro, and we place tremendous importance on closely following the needs of our retail partners and customers. Many of the challenges facing retail are unique across industries. Here are three key areas to keep in mind in the lead-up to the 2018 Summit.


Expect increased interest in retail from malicious actors during the holiday season.

The retail industry’s seasonal nature means hackers have particular times where they know disguising their activity is easier than others. We already know that attacks against retailers are on the rise, and a July report found that U.S. retailers lead the world in data breaches.

Retail enterprises represent unique target for attackers, given the wealth of real-time personal data many maintain around customers, as well as complex supplier and partner relationships. RH-ISAC has previously highlighted the importance of increased security awareness during peak retail months (typically October to January), given the dramatically increased shopping activity and overall pace of business operations, increased staffing needs, and greater stress on supply chain and logistics. The National Retail Federation expects retail sales to increase 4.5 percent this year, and depending upon which forecast you’re reading, holiday season sales could be a record (eMarketer forecasts ecommerce to grow 15.3 percent in the holiday season this year). As RH-ISAC points out, attackers know that the holiday season is time-critical for retailers and presents an opportunity to place additional pressure for ransomware and other malicious activities. Stay vigilant!


Shifting assets to cloud shouldn’t mean a weaker security posture.

 Retailers are increasingly shifting assets to the cloud, in an effort to improve operations, increase visibility into the supply chain and overall business, and scale at greater speeds, among other reasons. Analyst firm Markets and Markets estimates the size of the retail cloud market will grow to more than $28 billion in 2021, up from approximately $11 billion in 2016. As organizations move to the cloud, they often sacrifice visibility and security, with cybersecurity solutions increasingly siloed. Retailers beware: with complex IT environments, a transition to cloud should not mean losing visibility, access or control.

It’s important to avoid the false sense of security enterprises often experience when they transition to a cloud environment, given the trust placed in cloud providers. It’s a common misconception that the burden falls on the cloud provider: Gartner predicts that between this year and 2022, “at least 95% of cloud security failures will be the customer’s fault.”

By embracing identity and access threat prevention, your cloud strategy can safeguard your organizational assets while enjoying the flexibility and scalability of cloud computing. First, you must maintain visibility into all platforms (on-prem, cloud and hybrid) and applications, and gain a complete understanding of which users are accessing what, including applications like Office 365 and Workday. You should consider scoring every user based on identity, behavior and risk to maintain a fluid and adaptive security posture.

Along with this holistic visibility into your enterprise environment, you should be ready to anticipate and respond to threats in real-time before they impact your business. Whether it’s a malicious actor looking to steal credentials, conduct reconnaissance or move laterally within your environment, or even a simple insider threat where employees make mistakes (over-privileged accounts, weak and improperly shared passwords), you will want to put a proactive approach in place to protect your organization. Identity and access threat prevention has never been more critical.


Education is key: Every member of your organization should be cyber aware.

 Every employee is on the frontline of your organization when it comes to cybersecurity. With phishing, malware and stolen credentials on the rise, you need to equip your organization’s personnel, and not just security or IT, with an understanding of the rapidly evolving threat landscape. Invest in training and education, particularly with the holiday season approaching.

Of course, employees aren’t always receptive to training. But you need to start with the fundamentals and ensure consistent policies are enforced, such as by requiring strong passwords and consistent multi-factor authentication. Your employees, from IT and beyond, should clearly understand that your organization is a 24/7 target, and your organizational data is a prime target for malicious actors.

Your strategies for employee education might include:

  • Encourage them care about cybersecurity: Explain how security affects each and every employee regardless of job role, and consider rewarding them for their efforts to deflect malicious actors and attempts
  • Start early: Consider teaching best practices during the onboarding process, and having refreshers throughout the year—particularly during the holiday season
  • Find advocates: Identify people within your organization who can lead on the issue and incentivize them to help their colleagues stay vigilant
  • Consider a live exercise for your IT / SOC: your experience wargaming a potential threat can be invaluable—and even fun

By emphasizing seasonal readiness, holistic visibility and security controls in the cloud, and organization-wide cybersecurity awareness, retailers can build their security posture to face today’s complex array of cybersecurity threats. We look forward to meeting with our customers, partners and peers at the third annual Retail Cyber Intelligence Summit in Denver.


The Need for Cyber Threat Intelligence: What Are we Concerned About? Part 2

Cyber threat intelligence (CTI) requirements guide not only what intel is collected, but also how it is analyzed and used for IR, the SOC analyst and the business, as well.

Developing a good set of requirements helps the organization:

  • Monitor the right threat actors
  • Collect the most useful intel
  • Prepare intelligence in the right format and level of detail for the consumer
  • Avoid wasting time and costs on collecting and disseminating trivial data

The organizational mission has always framed the scope of intel requirement determinations and the same is true for the business environment and related risks. We all know how risk tolerance varies within organizations, risk impact—measured in costs to operations and revenue, including the attack surface that provides access to those business functions—also fluctuate, sometimes with great disparity. This “variance” changes over time, depending upon many business factors, internal and external to the company. Accordingly, a cyber threat analyst must move beyond the traditional IR and SOC environment to also consider the collection of “essential elements” within the perspective of key business drivers and operations.

This broader view alters the workflow from one of identifying “threat concerns – collecting requirements” to one that also identifies business risks, the attack surface to key systems, the application of security controls and compliance frameworks, and the organization’s financial commitment to maintain an identified and measurable “security operating picture.” While many seasoned cyber threat analysts may already consider this type of approach within the context of determining “intel requirements,” I am adding emphasis here to ensure the discovery of any variable that may evolve the traditional intel collections framework to a broader and more holistic methodology. This expanded methodology is also the start of the integration of cyber threat intelligence with business intelligence. It allows for more strategic design and application of security investments as “counter measures” in an effort to “buy down” risk to the business. This approach also acknowledges that physical and cyber “attack vectors” continue to merge and can no longer be efficiently addressed from the separate company silos such as “cyber threat intelligence,” “risk assessment” and “business intelligence.”

So what does an intel collection process look like?

Intel 471 breaks the approach down to identifying “essential elements” and “intel consumers,” which is applicable for a business-oriented environment. Essential elements define the who what, when, where and how specific threat information is collected. Intel consumers are those who act on and make key business decisions based on those essential elements. A phased approach looks like this:

Step 1. Compile production requirements:

  • Identify internal intel consumers
  • Determine their key decision points and frequency (daily, weekly, monthly)
  • Agree on production deliverables and expectations (scope, format, level of analysis)

Step 2. Compile intelligence requirements:

  • Select and rank intel requirements that align with the production requirements identified in Step 1

Step 3. Create Intelligence Collection Plan:

  • Prioritize collections based upon available resources, data sources and collection restraints
  • Task CTI with specific areas of responsibility
  • Revise Collection Plan regularly

Step 4: Produce intelligence:

  • Leverage data sources to satisfy Collection Plan
  • Answer each essential element for each threat
  • Identify collection gaps when sources are not available
  • Compile and disseminate to identified consumers

Step 5:  Track progress and assess feedback.:

  • Consider feedback part of the delivery process
  • Consistently assess research gaps
  • Revise production and communication requirements

The business itself is an essential part of the battlefield for the cyber threat analyst. It requires new skills for communication, the correlation of disparate data, and an awareness of business impact as a priority. It also represents a new, leadership-oriented, role for the threat analyst. Let’s not forget, the reason we collect intel is so that our organizations can make better business decisions. Defining intel collection requirements with the business in mind provides an additional context that guides the collection of key information not just for IR or SOC analysts, but also investment strategies for security, risk management and the business.

RH-ISAC Interviews: Tae Kim, Capital One

“The window of time we had to stop the leveraging of known vulnerabilities, has now seemingly turned into an advantage for the advanced threat actors.,” writes Tae Kim, Senior Manager, Cyber Intelligence at Capital One Financial Corporation —and speaker at the 2018 Retail Cyber Intelligence Summit. As part of our series from speakers and sponsors of this year’s Summit, we recently asked Tae to respond to a few questions about retail cybersecurity.

What developments does Tae see in cybersecurity? Read on.


RH-ISAC: Did you experience a personal, “game on” moment in cyber security?

Kim: In my previous position, a day after a major attack against the United States, there was a late-night meeting between various organizations, including the White House. This meeting was being held to form an initial consensus to determine the direction of the collective investigation efforts. There was strong skepticism against what seemed to be an obvious perpetrator. However, when it was my turn to speak, I laid out my initial assessment and convinced others to focus their efforts against one target. Within days, there was sufficient evidence to prove who was behind the attack.


RH-ISAC: What is the most exciting (or frightening) development you’ve seen lately in your field?

Kim: As an observer of the cyber landscape since 2006, it is definitely exciting to see the heightened cyber security awareness beyond government or major business entities. However, the speed of how fast things are advancing is definitely frightening. Just a few years ago, it was surprising to see threat actors weaponizing a published vulnerability within a few months, but now we are seeing them turn it around in a matter of weeks if not days. The window of time we had to stop the leveraging of known vulnerabilities, has now seemingly turned into an advantage for the advanced threat actors.


RH-ISAC: What skills or characteristics do you think are most important for your job or the retail cyber security sector?

Kim: My job in the retail cyber security sector is probably not any different, in terms of what skills or characteristics would make a person or team successful, compared to other sectors. A strong willingness to learn a new topic or technology, even from mistakes or successes, helps a person or team grow stronger. And learning is only possible if someone is willing to listen to different opinions and help, by providing constructive feedback when appropriate. You need to have a mindset to take the job more seriously than yourself and be humble to be able to admit your mistakes. When you say that you were wrong about something, it means that you have already learned something.

RH-ISAC Interviews: Doug Stephens, Retail Futurist

“Isolationism makes everyone less safe,” writes Doug Stephens, Retail Futurist —and Opening Keynote speaker at the 2018 Retail Cyber Intelligence Summit. As part of our series from speakers and sponsors of this year’s Summit, we recently asked Doug to respond to a few questions about the future of retail.

What developments does Doug see in retail’s future? Read on.


RH-ISAC: Can you identify 2-3 top changes to the retail industry we’ll see in the next 5 years?

Stephens: I believe that there is going to be significant fallout in the commercial real estate industry as brands and retailers downsize and vacate physical footprints – particularly in North American and European markets.

  • Look for Amazon to continue to break into new categories of goods and services as they continue to leverage cheap capital for expansion. I expect that they are going to have a particularly profound impact on the shipping and delivery industry, as they scale essentially what will be a direct competitor to industry incumbents. In fact, it’s entirely possible that Amazon will not only compete effectively with shipping industry giants but will become the new gold standard in the category and begin to outsource their capabilities and capacity beyond their own needs, much the same as they’ve done with their Amazon Web Services business.
  • Retailers generally will continue to wrestle with understanding and appealing to a new generation(s) of consumers. Millennials and Centennials have a very different outlook on material possessions and very different expectations of brands. What’s cool is what’s emerging, evolving and new. This will put tremendous pressure on incumbent brands and retailers to perpetually reinvent and fascinate consumers with unique offerings, products and most of all, experiences.


RH-ISAC: Where does cybersecurity fit into the changing landscape of the retail economy?

Stephens: I fully expect that by as early as 2033 the majority of the retail economy in developed countries and Asia will be transacted online. Physical retail will still be important but not for the distribution of products, as much as for the distribution of branded experiences. With that, the role and function of cybersecurity will become a paramount element of a retailer’s ability to function safely and effectively.


RH-ISAC: What opportunities do you see for cybersecurity teams to play a role in the success of a Retail business/brand?

Stephens: The traditional assumption has been that cybersecurity has been a function that operates in the background, largely invisible to customers – an eye in the sky, if you will. This will likely change as consumers increasingly seek reassurance that their data and privacy are being clearly and overtly guarded by the companies they do business with. For that reason, I see cybersecurity playing more of a starring role in a brands value proposition and comprising a true competitive advantage for those brands that outperform.


RH-ISAC: Why is it important for Retail organizations to trust groups to share threat intelligence?

Stephens: Corporate cybersecurity is conceptually no different than international defenses against terrorism. Nations depend on shared intelligence to keep track of known threats and to thwart emerging bad actors. The need for countries to use shared systems for intelligence sharing contributes to the enhanced safety of all. The same is true of retail organizations.  Isolationism makes everyone less safe.


RH-ISAC: How can retail organizations prepare for the future of retail? Is it more important to adapt to change, or be the change maker?

Stephens: I believe the sheer speed of change is creating conditions where adaptation is becoming tremendously more difficult. Adaptation also implicitly suggests that you’re going to let external factors, phenomenon and even competitors dictate your reactive strategy. I recommend to all my clients that they not try to predict the future they get, but rather engineer the future they want.



RH-ISAC Interviews: Jamie Butler, Endgame

“. . .the speed to weaponize a vulnerability has decreased down to days from the first PoC.” writes Endgame’s CTO, Jamie Butler. As part of our series from speakers and sponsors of this year’s Retail Cyber Intelligence Summit., we recently asked Jamie to respond to a few questions about the Summit and retail cybersecurity.

What was Jamie’s “game on” moment in cybersecurity? Read on.


RH-ISAC: Jamie, can you describe the work you do for us?

Butler: As CTO, I oversee our Research, Engineering and Product Management teams. I work with our Research team to understand the latest threats and macro trends in attacks. I use those findings to inform our Executive and Engineering teams about what we should be building toward for the future, and I work with the Product Management team to understand the customer and partner use cases, including workflow and integration needs.


RH-ISAC: Did you experience a personal, “game on” moment in cyber security?

Butler: I started programming at the age of 12, but I don’t think I was extremely interested in cyber security until I saw the movie Sneakers in high school. Looking back, I know the movie can be cheesy in some parts, but I still like it as a lighthearted spy drama since it opened my eyes to cyber espionage.

My career began at the NSA and I was there during 9/11, which was definitely a life changing experience and event. After the NSA, I think one of the big “game on” moments for me was when I discovered a corporation selling what I believed were subpar tools to the government. I felt these tools were comparable to what could be downloaded for free off the Internet. ­­I believed our country deserved better, so I set out to build it. Building great products of value that are not just hype, and treating customers like partners and friends is still what drives me today. When I look at the computer security industry and see people or corporations deviating from that standard, it is my “game on” moment and fires me up to be and do better personally.


RH-ISAC: What is the most exciting (or frightening) development you’ve seen lately in your field?

Butler: I think the most frightening development has been the migration of tools and/or expertise from the national level to the cybercriminal domain. Also, the speed to weaponize a vulnerability has decreased down to days from the first PoC. Basically, the attackers are getting better and faster while our business processes are inherently slower. It is an alarming scenario when private corporations basically need their own cyber army to defend themselves.


RH-ISAC: Why is the RH-ISAC Summit important to the retail community?

Butler: I think this Summit is important because of the challenges corporations face in combating the speed and efficacy of cybercriminals. Although segments of the retail sector may compete commercially, I think there is a lot we can learn from each other collectively in the cyber security domain.






Webinar Recap: Implementing Multifactor Authentication for E-Commerce

NIST Releases Cybersecurity Guide to Help Reduce Online Retail Fraud

Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been collaborating with retailers and technology vendors on a cybersecurity project using multifactor authentication (MFA) to help reduce the risk of online fraudulent purchases. The project resulted in the recently published draft of cybersecurity practice guide, NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce.

The draft guide may be published, but our work is just beginning. Recently, the project’s lead engineer participated in an RH-ISAC community webinar, during which he reviewed the contents of the guide.

A First for the NCCoE

The Multifactor Authentication for E-Commerce Practice Guide was the NCCoE’s first retail sector project. With so many challenges facing this sector, we made improving the security of online purchases a top priority. Here’s why: According to a recent independent analysis, e-commerce fraud increased by 30 percent in 2017, compared with 2016, as malicious actors shift from using stolen credit card data in stores at the checkout counter to using stolen credit card data for fraudulent online shopping. Because online retailers cannot utilize all the benefits of improved credit card technology, the NCCoE focused upon helping online retailers implement stronger user authentication methods.

Learn more about the process and the guide in the full document here

What Say You?

During the recent RH-ISAC webinar, Implementing Multifactor Authentication for E-Commerce, participants responded to a series of questions regarding their experience with MFA. Below is what we learned:

  • Do you already offer Multifactor Authentication for customers? (select one)
    • Yes – 33%
    • Will offer it within 6 months – 0%
    • No – 67%


  • What might keep you from implementing Multifactor Authentication? (select all that apply)
    • Cost – 57%
    • Existing fraud reduction tactics – 29%
    • Project success risk – 43%
    • Could turn away customers due to increased complexity during the purchaser checkout process – 86%
    • Your organization’s technical expertise on MFA implementations – 29%


  • What 2nd authentication factor does your organization prefer? (select all that apply)
    • Hardware token-Customer brings their own device – 50%
    • Hardware token-Retailer supplied device – 25%
    • Mobile application – 50%
    • Text (Short Message Service-SMS) – 25%
    • Email – 0%


Tell Us What You Think!

The NCCoE believes the draft guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to help enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on October 22, 2018.

And to learn more about the work of the NCCoE Retail team and to contribute new ideas for improving the cybersecurity of the retail sector, please consider joining our Retail Community of Interest. If interested, send an email to

RH-ISAC Interviews: Justin Swisher, Anomali

“Organizations are recognizing that threat intelligence supports decision making, informs incident response and drives threat hunting,” writes Justin Swisher, Security Strategy Manager at Anomali—and speaker at the 2018 Retail Cyber Intelligence Summit. As part of our series from speakers and sponsors of this year’s Summit, we recently asked Justin to respond to a few questions about retail cybersecurity.

What developments does Justin see in cybersecurity? Read on.

RH-ISAC: How would you describe what you do?

Swisher: I assist organizations who are just starting out with threat intelligence. I work with them to identify requirements, highlight specific functions intelligence can support, and make sense of the overwhelming amount of intelligence data available currently. The end goal is a threat intelligence team that is relevant and provides actionable information at all levels of the business.

RH-ISAC: What is the most exciting development you’ve seen lately in your field?
Swisher: I’m excited to see that threat intelligence is becoming more than just threat feeds. Organizations are recognizing that threat intelligence supports decision making, informs incident response, and drives threat hunting.

RH-ISAC: Why is the RH-ISAC Summit important to the retail community?
Swisher: Bringing RH-ISAC members together helps foster stronger relationships and helps build trust in the community. Additionally, it can provide a safe environment for in-person discussions about security issues of value to the community. This kind of activity is what makes the community stronger and the sharing more meaningful.

RH-ISAC Interviews: Phillip Miller, Brooks Brothers

“If our designers, buyers and innovators are hamstrung by security in the pursuit of product development, they will either go around us or fail to produce expected outcomes,” writes Phillip Miller, Head of Infrastructure & CISO, Brooks Brothers—and speaker at the 2018 Retail Cyber Intelligence Summit. We recently asked Phillip to respond to a few questions about the Summit, his session and retail cybersecurity. This is the first in a series we’ll be bringing you from speakers and sponsors of this year’s Summit.

So, how can cybersecurity teams make a positive impact? Read on.

RH-ISAC: If you were given an extra hour every day, what would you do with it?

Miller: Read more. There is so much to be learned about successful retailing and merchandising.


RH-ISAC: What is the key point you want attendees to learn as a result of attending your session/why is it important to them?

Miller: When I got my first computer in 1981, it did not take me long to realize that there were as many opportunities to cause it to “fail” as there were capabilities for achieving useful outcomes. As chipsets changed, languages developed, peripherals became more advanced and computers became ever more connected, those ‘failure points’ expanded exponentially. I have always enjoyed chasing down those failure points, whether self-induced, caused by third-party code or by malicious attackers. My own skills developed and matured as the capabilities of the devices also grew; the essential skills of troubleshooting, understanding networking fundamentals and the knowledge of lower-level functions of a computer were absorbed and tested at a time in the past where outcomes were not valued higher than the experimentation that achieved them. I have great concern for our industry that we are not focusing sufficiently on core skills, nor giving our team members enough opportunity for exploration and testing theories. Reliance on “tools” and “managed services” at the expense—not the augmentation of—analysis and the scientific method is a threat to our effectiveness. There is most definitely a place for automation, artificial intelligence and machine learning, but the most successful cybercriminals understand those capabilities too, and have both skills and time to deploy—with everything to win, and little to lose. If we forget how to build, debug, analyze and ‘hack’ our own systems then we are creating unnecessary opportunities for those who seek to harm our organizations. I hope that in my session, people will gain a renewed interest in some of the basics, truly understand the value of an incident response plan, and have a very tangible understanding of how close the threats are.


RH-ISAC: Do you have a top tip for making a positive impact in retail cyber security?

Miller: Invest wisely. Retailers that are successful need three things: (a) a viable profit margin; (b) products the customers will purchase; (c) a compelling reason to be the merchant of choice. As security professionals we must ensure that everything we spend on is directly connected to one of these three objectives. If we unnecessarily burden the operating expenses and suppress margins, it doesn’t matter how secure we are. If our designers, buyers and innovators are hamstrung by security in the pursuit of product development, they will either go around us or fail to produce expected outcomes. Protecting our customer information without creating unnecessary friction sometimes requires creative solutions that don’t fit cleanly into a rigid compliance framework. Wise investments in people, process and technology will help you with your company’s overall mission and you will have made a positive impact. I would also suggest that openly sharing knowledge and ideas, being part of a community and not seeking personal gain or recognition will improve the outcomes.


RH-ISAC: Do you think there is a need to create a big change in retail cyber security? If so, how would you do it?

Miller: Yes, we need to consistently and fearlessly advocate for the consumer. Too often we are presented solutions by vendors that have excellent business solutions but lackluster security. When we approach them from a technical angle or compliance “miss,” we fail to help both the vendor and our internal stakeholders recognize the real risk. Instead we must, without using fear, uncertainty and doubt, explain from a customer perspective what the real risks are. Allow GDPR and the California privacy laws speak for themselves—focus upon the human side and stories that illustrate the real consequences of gaps in solutions. The free exchange of data of an API’s cloud connectors, file transfers, etc. poses a genuine risk but is not easily understood. Unsecured cloud-storage, weak password controls, excessive permissions in SaaS applications all contribute to the problem but are difficult to explain. As leaders in the information security business, it is a key part of our role to educate first and admonish only as a last resort. If we focus our efforts upon educating those who influence or determine future solutions, and do so from the position of a customer advocate, we have a greater opportunity for relevance and protection of customer information.


Join Phillip for Responding to a Payment Card Breach: Incident Response Planning and for the CISO panel: The Opportunities and Challenges of Outsourcing Security Operations and, if you haven’t registered for the 2018 Retail Cyber Intelligence Summit, check out the superb speaker lineup!



The Need for Cyber Threat Intelligence: What Are we Concerned About?

This is one of a series of posts addressing key threats to the retail sector in an attempt to identify which information assets and systems must be protected, and to examine the value of identifying adversaries and intelligence consumers.

Today, the most serious data breaches and disruptions result from well-planned, complex attacks that target specific companies or industries. Sophisticated, well-funded attackers make detection difficult by:

  • Utilizing social engineering techniques and multiphase campaigns that cannot be identified by simple threat indicators or blocked by frontline defenses.
  • Constantly adapting their tools, tactics and procedures to evade even advanced cybersecurity measures.

They have also raised the stakes by systematically targeting their victims’ most valuable information assets and business systems.

While most cyber threat intelligence (CTI) may focus upon knowledge about adversaries—and their motivations, intentions and methods, that knowledge becomes “intelligent” when aligned to key business risks, with key threats and threat vectors that target those business risks. Once those threats are known, we can begin strategically applying countermeasures to reduce that risk and help drive cyber security investment strategies accordingly.

By identifying top threat concerns and threat vectors, we can then guide not only what intelligence is best collected, but also how it is analyzed and used. What intel should be collected is often captured as “intel requirements.” How it is analyzed and used informs the content and structure of CTI teams and technologies—and how that intelligence is communicated to the right people, at the right frequency and in the right format.

RH-ISAC Survey Research

Early this year, we conducted a sample survey to identify what our members consider to be the top threats they are facing. While we had good information regarding the type of intel posted and shared among our members, we wanted to see if the intel posted aligned to perceived key threats. Additionally, we wanted to look for threat vectors where multiple threats could be addressed, and whether strategic countermeasures and security controls could be applied.  And, not surprisingly, this is what we discovered: the top threat concerns are phishing, credential takeover and advanced persistent threat (APT). The top threat vector is email, as is evident in the intel that our members share.

So, what does this mean for CISOs and their teams?

From an intelligence perspective, this data helps member organizations collect the most useful intel, monitor the right threat actors, prepare intelligence in the right format and level of detail for each intelligence consumer, and avoid wasting time and money collecting and disseminating trivial data.

From a security perspective, it helps member organizations align detection and protection systems, security controls and investment strategies for those risks that matter most to each organization.

With the top threat concerns identified, organizations can further define their collection efforts by defining key requirements for that intel, including the key individuals who may benefit from the consumption of that intel. Our next post will address intel requirements and why it’s important to start any intel program by first identifying them.