RH-ISAC wrapped up the last of five Regional Intelligence Workshops in July. These workshops, sponsored by SpyCloud, were all sold out and brought together security practitioners from various regions across the U.S. to discuss topics relevant to their local security community. Initially, we planned for in-person workshops, but we quickly moved to fully virtual programs to ensure the safety of all participants. As we navigated through murky waters brought on by unprecedented times, our hosts, speakers, sponsors, and internal team approached the world of virtual programs head-on and in the spirit of serving our members, and we came out the other end proud of what we achieved!
Of all the insights gained at the workshops, one key theme stood out among them all: we are more alike than we are different, and we are not alone in our fight against cybercrime.
More than 150 RH-ISAC members and prospective members from over 60 retail and hospitality companies participated in interactive breakout sessions and listened to presentations from cybersecurity leaders in their community. Many participants said these virtual workshops felt like they were actually in-person. As Grant Sewell, director of information technology security at Safelite, described from his experience at the virtual workshop he hosted:
“This workshop was a great experience. Everyone was so engaged; it was like we were all sitting together. It was a great balance of social and professional interaction — just eating lunch together and sharing a drink at happy hour afterward made it feel like a typical RH-ISAC event. The event truly demonstrated the resiliency of our sector, adjusting to any situation in difficult times.”
During each workshop, we held a series of facilitated breakout sessions that allowed attendees to have organic discussions in a round-robin format and open up about their security operations. Below are some key findings and highlights from the workshop series:
RH-ISAC Regional Intelligence Workshop Series Highlights
Security Operations Snapshot
- Team size varies widely from organization to organization, but growth remains a common theme among practitioners – as both a solution to challenges faced within information security, and as a critically important mechanism to keep pace with business growth.
- A common challenge among attendees is disrupting siloed groups to eliminate redundancy and duplication of effort and to maintain integrations, especially now that everyone is working from home.
- Many participants brought up the importance of documentation, formalizing processes, and monitoring and consolidating platform and tool use to ensure central coordination and streamlined workflows.
Tools, Workflows, & Processes
- Every Threat Intelligence Platform (TIP) and security toolset stack is different, which is why it’s so important to hire someone who understands threat intelligence and teach them cyber rather than the other way around.
- A key challenge mentioned by attendees is not having a big enough team to build, maintain, and monitor simultaneously, but playbooks and workflows around common alerts are easy ways to quickly automate processes.
- The process of sharing through the RH-ISAC is different company by company based on what works best for the organizational ecosystem. Participants encourage new members to circle up internally to determine what their organizational guardrails are around sharing so they can build a process.
Timeline of a Breach: Where & How Criminals Are Causing You the Most Damage
Chip Witt, vice president of product management at SpyCloud, covered a case study of a lengthy targeted attack on an executive, detailing the alarming and increasingly common threat of targeted account takeover and identity theft attacks. As one attendee described, “This is one of the best account takeover presentations that I’ve ever seen, and I’ve seen a lot!”
During the session, Chip explained that though targeted attacks account for 10% of attacks by volume, they cause 80% of the losses for businesses. These manual, creative, and highly effective attacks performed by humans, not bots, occur in the 18-24 months following the breach, and leverage varied techniques including blackmail, bypassing multi-factor authentication (MFA) via phishing and social engineering, and thwarting SMS-based two-factor authentication with SIM swapping. It can be years before the breached data shows up on darknet marketplaces for sale to less sophisticated criminals who will leverage it for automated credential stuffing attacks at scale. By that point, the data is considered a commodity.
SpyCloud asserts that early breach detection is key to reducing risk, along with continuous monitoring, forcing the use of multi-factor authentication and password managers, ending mandatory password rotation policies that entice users to revert to well-worn passwords, and adopting a zero-trust policy on links and attachments from unknown senders. Check out SpyCloud’s resource library to see more details on account takeover prevention.
RH-ISAC members can view all slides that have been approved to share on the events space of the Collaboration Portal.
Another thank you to our attendees, presenters, and our hosts: Brinker International, Safelite, Lowe’s, Columbia Sportswear, and Staples. And a big thank you to our sponsor, SpyCloud, for your continued support and help with making the 2020 Regional Intelligence Workshops happen! These collaborative events are so important to building and maintaining networks and establishing trust among information sharing organizations.
We can’t wait to see you online and in-person for our 2021 workshops!
Here is what our attendees said about our 2020 workshop series:
- “I had the chance to attend one prior RH-ISAC intel workshop last year in-person, and despite this event being virtual, there was no lack in content or quality. The RH-ISAC team did a really great job putting everything together while still making it feel as personable as possible. It’s great to get together for discussions with your peers and realize that most of us are working towards doing similar things, in similar fashions. One great benefit of the workshops is to see that when we come together, we can collaborate and give insight into our individual successes and failures with the work we are doing. This can allow for picking the brains of other RH-ISAC members on things you want to do that they might have already done or vice versa (Working smarter, not harder!). Also, I am a big proponent in giving back to the community when and where I can, and I am grateful to have had the opportunity to present to my peers about some of the work my team has been doing.”
- “We share intel and communicate almost daily, but there’s something different about blocking off time during your day to engage with people face-to-face (even virtually). The RH-ISAC event gives you a chance to candidly talk to people in your industry who have much of the same goals that you do, and who are open to talking about new ideas and challenges facing all of us. A wonderful opportunity to get to know the membership and leadership of the ISAC.”
- “We enjoyed the RH-ISAC Virtual Regional Intelligence Workshop in June 2020 as a great way to connect with our peers in the industry during this time of no travel and remote work. It was good being able to have interactive conversations on current security issues with practitioners outside of our immediate, day-to-day circles, and to build and maintain relationships with our cybersecurity peers in RH-ISAC.”
- “I really enjoyed the interactions between the teams during the workshop. Throughout the day, I felt like we were in the office together collaborating on cyber topics.”
- “This is one of the best ATO presentations that I’ve ever seen, and I’ve seen a lot!”
- “It is great to connect with my colleagues from other companies in the region and is reassuring to know they’re facing the same challenges as we are. We’re not alone.”
- “The RH-ISAC virtual workshop flowed really well and had smooth transitions to the different breakouts. Being on webcam made the workshop very personal, with being able to talk face-to-face on different security topics.”