Month: April 2018

A Note from New Executive Director Suzie Squier

Having been on board at the RH-ISAC for a little over three weeks now, I can tell you a lot of work is being done to continue to break down the barriers that impede information sharing. There are three obstacles that prevent sharing: legal or internal policy constraints, limited staff resources, and technology.

At the RH-ISAC, our goal is to eliminate these obstacles and help our members engage freely, proactively and simplistically. To that end, I’d like to share three ways we’re working to break down these barriers:

  • Technology Roadmap: We’re transitioning to a new, secure and open architecture that will allow increased functionality and the ability to interface with a variety of threat intelligence platforms. This new architecture will also help resource-constrained teams more easily extract and import information with less manual effort. 
  • Legal/Policy Support: Technology is only one aspect of the puzzle. We still need member engagement to make it happen, and we are working to ease the other obstacles as well. The RH-ISAC is working on providing best practices for legal and internal policies to educate users and, as a result, increase the level of comfort in sharing information.
  • Trust: Trust is crucial in sharing. When the RH-ISAC journey began back in 2014, we organized frequent meetings where information security executives within the retail industry could get to know one another. Building those relationships was key to moving forward and creating the RH-ISAC. Those kinds of relationships, knowing the people you’re sharing with rather than seeing names on a screen, continue to be important. That’s why it’s so important that RH-ISAC members and non-members plan to attend our 2017 Retail Cyber Intelligence Summit, scheduled for this October 3-4 in Chicago!

We’re stronger together.

Suzie Squier
Executive Director

The Retail ISAC Announces a Featured Speaker Preview

The RH-ISAC is giving you a sneak peek of the 2017 Retail Cyber Intelligence Summit’s featured speakers! Join us October 3-4 in Chicago for Securing Retail: 002, an opportunity for members of the greater retail and consumer services industries – including restaurants, hospitality, convenience stores and more – to share best practices, gain insights, and network with other information security professionals.

Information sharing is based on trust, and the Summit is a forum for retail practitioners to meet, learn, and share with one another. Here’s a look at some of the exceptional speakers in our lineup.

Featured Speakers:

  • Deborah Dixson, SVP, Global CISO, Best Buy Co.
  • Roseann Larson, VP, CISO, VF Corporation
  • Adam Solomon, Associate, Hunton & Williams
  • Don Yeager, New York Times Best-Selling Author
  • Carson Zimmerman, Author, Cybersecurity Engineer

Member Exclusive

The RH-ISAC invites its members to attend our annual member meeting on the evening of October 3. This Gala includes cocktails and networking, announcements, dinner, an awards ceremony and more! RH-ISAC Core/Core+ members and one qualifying representative from RH-ISAC associate member organizations are welcome to attend. Space is limited. RSVP today by emailing

The 2017 Retail Cyber Intelligence Summit welcomes a diverse network of attendees including information security professionals from the most prominent retail and consumer services organizations in North America. Visit for attendee qualifications, location information, and to RSVP.

Questions? Please feel free to contact Alex Brown at

We hope to see you in Chicago!

RH-ISAC Taps TruSTAR as a new Partner in New Information Sharing Architecture

Today the RH-ISAC announced the addition of another threat intelligence partner, TruSTAR Technology.

TruSTAR is a valuable addition to the ISAC’s technology suite; built from the ground up, the platform will increase our ability to break down barriers to intelligence exchange. The RH-ISAC now supports a more automated method of ingesting member-shared data, increasing the timely, automated sharing of intel.


“Adding TruSTAR as a threat intelligence partner brings the RH-ISAC one step further in our strategic initiative to expand the capabilities of the Retail ISAC’s technology infrastructure. The RH-ISAC is breaking down barriers to information sharing and increasing the usability of actionable intelligence available for our users, allowing them to more easily ingest, act and mitigate cyber threats,” said Suzie Squier, Executive Director of the RH-ISAC. 


“TruSTAR gives RH-ISAC members the control and context they need to turn threat data into actionable intelligence,” said Paul Kurtz, co-founder and CEO of TruSTAR. “The platform we bring to RH-ISAC is not hypothetical. We power intelligence exchange across the financial services, energy, healthcare, and technology sectors. We are proud to bring our proven technology to the member organizations of RH-ISAC and facilitate the next generation information sharing among members.”

We will continue to share more information about new capabilities and partnerships as we continue to build our new architecture.

Have questions or want more information? Contact

RH-ISAC Highlights from the Retail Collaboratory

Earlier this month, the RH-ISAC team was proud to host our first Retail Collaboratory event. We welcomed a crowd of 130+ retail information security pros, industry experts, and strategic sponsor partners for two days of collaboration and member-led discussions. Our team is appreciative of the many individuals who helped build this inspiring event: the speakers and workshop facilitators who brought us valuable learning, and our sponsoring partners for their support. Our participants brought the Retail Collaboratory alive with their genuine desire to share knowledge, build bridges, and offer support to help us move the needle for retailers.

As a close out to the event, the RH-ISAC team brings you our top takeaways from the two days in Frisco, Texas. In no particular order:

  • Turning Ideas into Actions: For those of you in the room when Jamie Wallace led a discussion around the ‘lightbulb’ moments from the conference, I’m sure you’ll agree that the power of active and vulnerable engagement is vast. Each audience member was asked to share their key takeaway from the event. Going around the room we heard things like: ROI of sharing technologies, TIPs, defining process around sharing, handling threats, etc. Of the comments, what stood out was the similarities and differences in takeaways. Much of what attendees detailed wasn’t related to a particular agenda item, but it was actionable suggestions heard from facilitators, speakers, and attendees alike. We hope that the ideas and potential shared will turn into a reality.
  • Building a Benchmarking Framework: The CISO leaders launched a member-driven working group around strategic benchmarking. This group of leaders walked through the ‘what’ and the ‘why’ CISO benchmarking data is necessary and took the first steps toward solidifying a framework fit for our enterprise. The group will drive outcomes to support the need for retail industry focused data, with this session marking the beginning of a dedicated initiative for members to come together in small groups and work on benchmarking to align security investments with business investments, measure incident response and risk tolerance, frame out team structure and chart progress as a security organization.
  • Learning from One Another: The RH-ISAC analysts participated in several discussions intended to propel trust and engagement around relevant matters for fellow analysts. They saw organizations with less mature capabilities discussing their needs directly with those further down the path. Analysts expressed the need for comprehensive threat intelligence – Who, What, When, Where, Why and How (5W’s+H) – and best practices on using this information for defense, predicting threat activity, and defining the scope of response resources required. Interactive sessions and dialogue helped members to understand the value of building threat intelligence programs, and just what those programs look like. These conversations seeded ideas that will continue to be explored at the RH-ISAC Annual Retail Cyber Intelligence Summit.
  • ATO and Fraud Activities Dominated Conversation: Fraud activity was discussed in nearly 50% of the conference sessions. It’s a complex problem, magnified by its impact to cyber and fraud areas, numerous actors and campaigns, and the variety of Tactics, Techniques, & Procedures (TTPs) employed by criminal actors. The Retail Collaboratory served as a launchpad for a Fraud Working Group, led by Matthew Harless at Synchrony Financial Bank. Matt and fellow RH-ISAC members and retailers framed the initial constructs for the working group at the event. Initial objectives include collective work to enable information flow for gift card fraud related activity, establishing guidelines for determining normal vs. abnormal behavior, and building awareness of “red flags” to reduce the impact of fraud crime.
  • Furry Friends: Lastly, how can we not mention Bronte the dog? A surprising, and perhaps a slightly operationally-stressful addition to the event, she was relaxed and happy to be around the masses during networking times and of course, food breaks. She brought joy to many – our members are clearly dog people!

Did we mention your top moment? What’d we miss? What would you like to see at the RH-ISAC Retail Cyber Intelligence Summit in October? E-mail us your comments at, we’re always interested in member feedback and suggestions.

Whose Line is it Anyway? One CISO’s Approach to Board Communications

Recently, the RH-ISAC team sat down with Scott Howitt, SVP & CISO at MGM Resorts International, to learn more about his approach to assessing, prioritizing, and communicating risk to the board of directors. To learn more about additional strategies, join Scott and other retail CISOs in an upcoming workshop discussion of risk tolerance taking place at the RH-ISAC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, TX. The Collaboratory’s inaugural agenda can be found at Interested in participating? Contact us at

Welcome to the big time – as a CISO, your time has arrived. Today’s CISO regularly commands the attention of the Board and Audit Committee, and for good reason. Over recent years, industry-impacting events have pushed cyber security to the top of board meeting agendas, and CISOs serve as expert advisors in informing the board on organizational risks. As times and board priorities change, so too must the CISO’s strategy for deftly translating cyber security ‘speak’ into meaningful, board-level communications.

As CISO for MGM Resorts International, Scott Howitt is accountable for creating, implementing and overseeing a wide series of strategies and programs to limit information security risk across six separate business units. From retail to hotels, gaming, sports arenas, restaurants and entertainment venues, Scott’s purview encapsulates a wide range of risks which he must then assess, prioritize, and communicate to the board. Read on for a sampling of strategies Scott shared with our team, and for information on the opportunity to join him and more retail CISOs for an interactive, deep-dive discussion of these and other strategies.

Educate yourself, then educate the board.

Take advantage of the many online resources available on board guidance, including example questions that the board should ask of the CISO. If you’re not sure where to start, the New York Stock Exchange’s Corporate Board Member magazine can give you an idea of which questions board directors might bring to the table during your next meeting.

Recent lawsuits underscore the high price of the wrong answer to whether an organization has implemented ‘reasonable data security measures’. As the CISO, it’s your job to educate the board on your organization’s information security risk profile, which defensive measures are in place, and where resources are needed to enhance security posture. While it is up to each individual organization to implement security-driven defensive measures based on the unique nature of their risks, here are some useful resources to help the conversation:

  • This recently published document from the Federal Trade Commission (FTC) illustrates the top 10 lessons learned from recent law enforcement actions pursued by the FTC
  • The public private partnerships established between government and industries have made significant progress in improving the nation’s cybersecurity posture – your participation as a member of the RH-ISAC demonstrates your organization’s commitment to proactively strengthening your cybersecurity program’s capabilities
  • The NIST cybersecurity framework offers the model for a scalable approach to managing cybersecurity-related risks
  • The PCI data security standard applies to companies of any size that accept credit card payments

Channel your inner CFO.

Understand these terms and why they’re important, because odds are that every other individual in the board room will know them, too.

  • CAGR (compound annual growth rate)
  • CapEx/OpEx (capital versus operating expenditure)

I.e., understand the net impact of status to [EBITDA, CAGR, operations] and provide solid reasoning to support your assertion.

Be proactive – hire an external auditor.

Because why wouldn’t you want to be the one driving this conversation? Bring in an external auditor to provide their opinion on the information you should be presenting to the board. Inevitably, the subject of an independent audit will be broached at some point. By initiating this process proactively, you’re well positioned to address questions and to communicate findings to leadership.

Remember, cybersecurity is an afterthought unless you can demonstrate the direct correlation between your program and business impact. Retailers can learn more about this approach along with additional strategies in Scott’s upcoming workshop discussion of risk tolerance taking place at the RH-ISAC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, TX. Interested in participating? Contact us at

Key takeaways from the RH-ISAC’s week at RSA Conference

Hi, I’m Alex Brown. As Community Manager at the RH-ISAC, I’m thrilled to begin working with and learning from all of you on how to best facilitate conversations and disseminate information that drives value for you within your organizations and in the retail cybersecurity space. Kicking off what I hope to be an ongoing conversation, I wanted to share some information on what we’ve been up to thus far in 2017 and what we’re planning for all of you in the coming months.

Like many of you, the RH-ISAC team just wrapped up a brilliant week full of thoughtful conversation, strategy, development, and important security conversations at the 2017 RSA Conference. We connected with many from the ISAC and ISAO community, retailers, government agencies, associate members, and media partners. We’re energized and excited to move forward with partnerships that amplify opportunities to support the retail cyber intelligence community.

The RH-ISAC hosted several events at RSA. One session informed members of our 2017 initiatives that guide our advancement. We’re amplifying existing partnerships and building new ones to increase information sharing capabilities and enhance our access to intelligence that heightens strategic knowledge exchange. The RH-ISAC also facilitated a peer-to-peer discussion on digital transformation that focused on customer attack vectors, attacker innovation, strategies for mitigating risk, challenges and best practices in the field. Lastly, we had an open house on Friday morning for more informal conversation and connections with members. To those of you who took the time to attend our sessions, thank you for engaging and supporting the RH-ISAC community. We hope that your time spent with us was valuable.

Our inspired group of RH-ISAC staff are now diving head first into the 2017 Retail Collaboratory, the next big meeting for information security professionals within retail. This event, taking place May 9-10 in Frisco, TX, is a unique, two-day forum designed with workshop and whiteboard style sessions intended to shepherd meaningful dialogue that addresses retail critical subjects.

Look for an announcement in the coming week that highlights some of our exciting speakers and sessions. Interested in attending? Please go here to learn more about qualifications to attend, hotel information, and to register today.

Interested in participating in the agenda? Questions about the Collaboratory? Please reach out to me directly at

The Retail ISAC (RH-ISAC) Presents our Holiday Guidance Series for Retailers

The Retail ISAC (RH-ISAC) is pleased to invite all eligible retailers to join in our upcoming Holiday Guidance webinar series designed to arm information security professionals from retail, restaurants, hotels, hospitality, and our partner sectors with actionable insight, strategies, and peer discussion opportunities throughout this most busy time of year! Interested individuals can email for registration details and join prepared to engage and share during these lively, interactive sessions. For more information on the RH-ISAC email

As many of you are aware, on October 21, 2016, a series of distributed denial-of-service (DDoS) attacks against Dyn DNS impacted the availability of a number of sites concentrated in the Northeast US and, later, other areas of the country. Impacted sites included: PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify, and RuneScape. While the attacks were still ongoing, Flashpoint was able to confirm that at least one portion of the attack was initiated by a Mirai command and control server. RH-ISAC Core/Core+ members and eligible, non-member retailers are invited to join on Wednesday, November 2 from 11 a.m.-12 p.m. Pacific / 2-3 p.m. Eastern for An After-Action Analysis of the Mirai Botnet Attacks on Dyn. During this session, Allison Nixon, Director of Research, and Zach Wikholm, Research Developer at Flashpoint, will discuss the anatomy and implications of the attacks. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only.

Next up, the RH-ISAC will host a Q3 Threat Briefing on Thursday, November 3 from 10-11 a.m. Pacific / 1-2 p.m. Eastern to evaluate the retail cybersecurity threat landscape and preparations for the coming holiday season. This interactive session is led by Executive Director Brian Engle and Research Director Wendy Nather and includes an overview of Q3 observed threats as well as analysis of observed significant events, current threat trends, and anticipated threats as we approach the upcoming holiday season. The briefing is designed to be interactive, and participants are encouraged to join prepared to share and contribute to the session as we together anticipate the threats that may be in store, along with the priorities for preparing to defend against them in advance of the holiday season. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only.

The RH-ISAC is proud to support the information security community in these important conversations and to serve as the conduit for collaboration, information sharing and cooperation among retailers worldwide. We are stronger together.

*The RH-ISAC leverages the US-CERT Traffic Light Protocol (TLP) to specify how and where contributed threat intelligence may be shared. TLP Green indicates that the information may be passed around a general community, but should not be shared in public. For example, a notification about a phishing campaign affecting everyone who uses a particular POS system could be shared even outside the RH-ISAC with other retailers, but should not be discussed on Twitter or Facebook where adversaries could see it; nor should it be shared with the media.

Beyond the Cybersecurity Breach: To the Right of Boom

A series of cybersecurity breaches in the 2013 to 2014 timeframe were the shot heard throughout the industry for many retailers. For some retailers the shot has resulted in a direct hit, while for others it has served as a warning fired across the bow. In all cases, the impact of these events has resulted in significant changes in strategies for retailers as they fortify their defenses and protect the payment channel from cyber criminals.

Cybersecurity efforts have largely been focused on the timeline to the left of the breach event. Strategies have included shoring up the payment transaction with end-to-end encryption, bolstering extensive layers of protection and defensive measures, and developing improved detection and monitoring capabilities to thwart cybersecurity breaches of payment card and customer information. Among the numerous strategic efforts was the formation of the RH-ISAC to enable threat intelligence and cybersecurity information sharing throughout the industry to get ahead of the threat.


These cybersecurity efforts have demonstrated that a continued diligent and programmatic effort is needed to protect against the attacks of criminals. However, these efforts in and of themselves are not enough, as the impact of payment card breaches has a ripple effect of loss and costs to many organizations outside of the breached merchant. The ensuing fraud and monetization performed by criminals is costly and broadly impacting, affecting financial firms, merchants, and the consumer cardholders to the tune of millions upon millions of dollars per year. The LexisNexis 2016 True Cost of Fraud report provides a grim representation of fraud statistics with indications of fraud losses increasing across the board.

Activities observed and shared between retailers within the RH-ISAC have provided insights into the complex nature of the criminal efforts in several significant events. These observations have allowed leading cybersecurity experts to see into the expertise and division of labor at the stages of the Lockheed Martin Cyber Kill Chain that include the development of tools and weapons, the delivery of these weapons, and the eventual command and control enabling exploitation and exfiltration of data. The adversaries are not just working together; they are creating an economic marketplace of efficiency for attacking industries and businesses. The criminal capabilities then extend into the monetization and extraction of funds through additional stages not contemplated by the Lockheed Martin Cyber Kill Chain.

In order to disrupt the cybercriminal fraud crime chain, it is apparent that we need to see increased collaborative efforts between cybersecurity and fraud professionals, applying techniques and intelligence from all sides of the equation to combat the criminals. As we wrap up Cybersecurity Awareness Month and approach Fraud Awareness Week November 13-19, 2016, let’s put our brains and efforts together to make a real difference in our continued work to secure retail.


– Brian Engle

RH-ISAC Executive Director 

Accepting the Challenge

Last week was our inaugural RH-ISAC Summit in Chicago. With just over 200 attendees, we had the most significant retail industry professionals covering the latest and greatest in cybersecurity issues and trends.

Kicking off the two days of deep discussions was a session with the RH-ISAC Board of Directors sharing their vision of the future. Building on the critically important topic of collaboration, one of our Board Members, David McLeod (CISO, JC Penney) talked about important security measures that need to be adopted more widely within the industry. He described this as “making the minority the majority,” a theme that carried throughout the Summit, and has become a mantra for the RH-ISAC community efforts.

Through collaboration and discussions in the many interactive sessions that occurred over the two-day Summit, sharing was the name of the game. The National Cybersecurity Center of Excellence (NCCoE) proposed two reference architecture projects: Multifactor Authentication for e-Commerce and Securing Non-Credit Card, Sensitive Consumer Data, both of which are intended to put promotable practices into the form of reproducible technology. Attendees listed other practices they had successfully implemented, such as geo-blocking, card data tokenization, E2E and P2P encryption, and phishing awareness training. Securing eCommerce is a significant focus for our members, and a primary research topic for the RH-ISAC that will have many ongoing workshop efforts.


RH-ISAC members presented on everything from mobile payment security to practical metrics and IoT, and our Associate Members brought their expertise to the table in areas such as using threat intel for continuous monitoring, restoring trust after a breach, and first principles for network defenders. We rounded out the lineup with global perspectives, such as the geopolitical implications for retail cybersecurity and using disruptive technologies to assist in disasters. One of the things I’m really proud of is the wide variety of topics we featured; this conference showed that the RH-ISAC membership has a multitude of risks that are not just at the traditional Point of Sale terminal.

Everyone has their favorite high points from the summit – I have to admit that recognizing the RH-ISAC top contributors at our member dinner was at the top of the list, but the Q&A session with Brian Krebs was a close second. Overall, the best part for me was seeing organizations of all sizes sitting down together and learning from one another. While the Amazons, Googles, Facebooks and AT&Ts of the world may have resources the rest of us can only dream of, we can share a vision of how to make security work. And we’ll check in on our progress next year.

Sharing Threat Intelligence at Both Ends of the Chain

An SC Magazine e-book came out recently, dubbed “Retail Retaliation,” which gives a good summation of some of the issues facing retailers these days. It’s an oversimplification to say it’s all about that POS, but we certainly know that attackers are going to keep exploiting vulnerabilities where the transactions occur.

Ranging from physical compromise of the POS system to malware drops, lateral attacks across the network, supply chain tampering, and application-level fraud, there are multiple layers and vectors to monitor. Threat intelligence encompasses much more than machine-readable indicators that go straight into a rule or a filter: it has to include tactics and techniques such as misusing the transaction communication system to send spam, or hijacking customer accounts to commit warranty fraud. While trading indicators on POS malware is important, we need to make sure that the information exchange goes all along the supply chain, the “kill” chain, the transaction chain, and the fraud chain.