This week I got the chance to speak to Jim Routh, the CSO of Aetna and one of the most experienced information security professionals in the game right now. Prior to being named Aetna’s CSO, Jim served as Aetna’s CISO for several years, served as head of application, mobile and internet security at JP Morgan Chase (pre-breach), and was the CISO of KPMG. Jim also serves as Chairman of the National Health ISAC and a Board Member of the FS-ISAC. Jim is a frequent speaker at RSA and this year he’s giving a talk that I’m very excited to attend (recently found out I get to go to RSA and I’m pumped)!
In the interview below, Jim and I discuss how he stays ahead of innovation in security, and the areas of security that haven’t been sufficiently addressed by the commercial market.
In a recent Wall Street Journal article, you note that you consume thousands of sources of threat information including several threat intelligence services and several threat information sharing centers. How do you sort through all of the noise and determine what’s important?
Some of it is automated. We use tools like Soltra Edge and BrightPoint, which provide machine-to-machine detection and analysis of threat intelligence. These tools leverage the STIX and TAXII protocols developed by MITRE for the federal government to facilitate threat information sharing. The ISACs that we subscribe to push out daily notifications, which are then analyzed and scored based on their risk to the enterprise. The data sources internally and externally are divided into categories with individual assignments to monitor patterns daily. There are about 40-50 people who cull through the threat/vulnerability information each day to determine what’s noteworthy to discuss as a team. This is a cross-functional process including IT, Security and Privacy staff. It is important to come to consensus on what the risks to the enterprise are and how they evolve, so the Threat Vulnerability Assessment (TVA) process enables us to do that every day.
You’ve also said that nation states are one of the most significant threats for commercial enterprises today. How do you think about protecting your organization against such a powerful adversary?
They are powerful because they are highly skilled and because they have deep pockets for resources. The Chinese for instance, use customized exploits known as “0 days”, which are very hard to detect since there are no signatures or patterns to detect. The nation states rely heavily on phishing, which is highly effective. They then spread malware that installs keyloggers, which harvest credentials from privileged individuals enabling them to move laterally within an enterprise seeking domain access. That access is then used for data exfiltration over long periods of time using common administrative protocols that make it more difficult to detect.
This is one example of control evolution that is required to deal with emerging threats that standards and frameworks struggle to keep up with. We invest in creating new capabilities to protect against in-bound phishing and privileged user monitoring. Historically, the number 1 control recommended for phishing is the education of enterprise users. Education of enterprise users is effectively teaching end-users not to trust email. The dilemma for any enterprise is that taking trust out of a system is not a sustainable model. So education alone is insufficient for an enterprise. A better alternative is to add filtering capabilities to in-bound email using heuristics from domain analysis to determine the known good domains that send email and the malicious domains that send email. This provides a capability to reduce the number of phishing emails received by end-users and ultimately adds trust back into the system. There are other techniques that we are using for filtering in-bound email to eliminate phishing and fraudulent emails. These are all examples of controls that we are designing to change the rules for our adversaries.
We’ve designed these controls to prevent phishing because we’ve learned that conventional controls (like education of end-users) are not enough to meet business requirements to significantly reduce the number of targeted phishing attacks.
Aetna uses one of the leading secure email gateway capabilities which blocks malicious attachments and bulk fraudulent emails. These are excellent tools for commercially motivated fraudulent email, however the more targeted attacks that I’m referring to are well crafted with personal references and very difficult to detect using conventional tools.
We also use machine learning on domain attribute information and information gleaned from using the DMARC standard to apply heuristics to inbound email. It’s a technology that we’ve co-developed with a security software vendor that is offering it to the market in the next 90 days.
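As an added illustration (not Aetna’s control or the vendor’s code), here is a Python sketch of the kind of inbound-email heuristic the answer describes: read the DMARC verdict from the Authentication-Results header, compare the visible From domain against a known-good sender list, and flag close lookalikes of those domains. The allow-list, sample headers and score thresholds are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains observed to send legitimate mail.
KNOWN_GOOD = {"example-bank.com", "partner.example"}

# Constructed sample headers (not from the interview); only the parts the heuristics read.
AR = "Authentication-Results: mx.example.net; spf={spf} smtp.mailfrom={mf}; dmarc={dmarc} header.from={hf}\n\n"
SAMPLES = {
    "legit": "From: Alerts <alerts@example-bank.com>\n" + AR.format(spf="pass", mf="example-bank.com", dmarc="pass", hf="example-bank.com"),
    "lookalike": "From: Alerts <alerts@examp1e-bank.com>\n" + AR.format(spf="pass", mf="examp1e-bank.com", dmarc="pass", hf="examp1e-bank.com"),
    "spoofed": "From: HR <hr@example-bank.com>\n" + AR.format(spf="fail", mf="bulk.test", dmarc="fail", hf="example-bank.com"),
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return (score, reasons); a higher score means more likely phishing."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc = m.group(1).lower() if m else "none"
    score, reasons = 0, []
    if dmarc == "fail":  # the visible From domain failed its own DMARC policy
        score += 60; reasons.append("dmarc fail on visible From domain")
    elif dmarc != "pass":  # no policy or no verdict: weaker signal, still noted
        score += 20; reasons.append("no DMARC verdict")
    if domain in KNOWN_GOOD:
        if dmarc == "pass":  # known sender that also authenticated: add trust back
            score -= 30; reasons.append("known-good domain, authenticated")
    else:
        close = [g for g in KNOWN_GOOD if 0 < edit_distance(domain, g) <= 2]
        if close:  # one or two character edits away from a trusted domain
            score += 50; reasons.append(f"lookalike of {close[0]}")
        else:
            score += 10; reasons.append("unknown sender domain")
    return score, reasons

def verdict(raw):
    score, _ = score_message(raw)
    return "quarantine" if score >= 50 else "deliver"
```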
What’s the process like for finding and ultimately introducing new security products into your organization?
Every week we hold a 90-minute web conference in which we evaluate early stage companies and their potential products. All of these solutions are new, and these sessions educate us on how technology and security solutions are evolving. The primary purpose is to learn about new capabilities and to provide feedback to early stage firms seeking refinement of their potential products. There are about 50-60 attendees that participate from IT, Global Security and other areas in these weekly forums called STEEP sessions (Security Technology Exploratory Evaluation sessions).
I also receive on average about 5-10 calls per week from angel investors or VCs about new and innovative security startups. I’ll learn about what problem they are attempting to solve and then I’ll choose the ones I want to meet with to decide whether they’re appropriate to participate in STEEP sessions. After that, if we see potential in the solution in our environment, we’ll do a proof of concept to test out the capability and provide feedback to the vendor.
Are there any areas in security that the commercial market isn’t adequately addressing today?
Inbound phishing is one that offers significant potential for new capabilities–it’s the biggest risk by far in terms of volume of cyber risk. Privileged user monitoring is another. Next generation authentication is the third. We need to move beyond binary authentication to behavioral based authentication capabilities to both improve risk and the consumer experience.
- Pindrop Security raised the money from Google Capital and returning investors A16Z and IVP. Founder Vijay Balasubramaniyan claims that protecting against phone fraud is a $20 billion opportunity.
- Finalists include IoT security company Bastille Networks, Menlo Security, and Skyport Systems.
- A simple search on Shodan–a search engine for IoT devices–reveals feeds from unprotected webcams of babies sleeping, marijuana farms and more. As a result of such insecure products, various groups have tried to establish security standards for IoT devices.
- The success of companies like Check Point, CyberArk, Varonis and Imperva has helped to establish Israel as a cybersecurity power. More and more Israeli cybersecurity startups are receiving VC. Israel apparently receives 20% of the world’s private investment in cybersecurity.
- Distil Networks’ Cofounder and CEO Rami Essaid describes his biggest concerns for internet security in the year ahead.
- PhishMe continues to build more and more of a whole product surrounding its anti-phishing solution.