Bidemi (Bid) Ologunde is an intel analyst at Expedia Group. We were able to talk with Bid about topics ranging from his own podcast and background to the future of cybersecurity. The opinions expressed are his personal opinions and do not reflect the views of Expedia Group.
You are no stranger to podcasts as you have your own podcast. Tell us about your podcast.
Bid: My podcast is called The Bid Picture. I talk about cybersecurity, intelligence analysis, and the daily implications of cybersecurity. My audience ranges from executives to parents, to grandparents. There is something for everybody.
Tell us a little bit about your background. How did you begin your career in cybersecurity and how did you get to where you are now?
Bid: I started in cybersecurity about 15 to 20 years ago. Back in Nigeria, where I am originally from, I studied electrical engineering for my undergraduate degree. My research and focus back then was wireless network security. That is a good transition into the network aspect of cybersecurity, network security, making sure perimeter firewalls are well secured. Gradually, when I finished my graduate school in the U.S., I was able to transition naturally into cybersecurity, incident response, SOC operations, and a little forensics. In the latter part of my career, threat intelligence. I took an academic route into cybersecurity.
How long have you been at Expedia and tell us a little bit about your role there?
Bid: I have been at Expedia for about a year so far. What my job entails is making sure that all the security teams have the tools, perspective, and context. Whatever threats we are encountering, how would it affect us internally. I advise all the security teams, and it is a two-way communication. What they are seeing, I provide context, what I am seeing, they provide me context regarding that. That is the nature of my role as an intelligence analyst.
What do you see as the biggest challenges right now? Not only your personal challenges in the role, but also the challenges that you and your team face.
Bid: As far as challenges, we have all seen the rise of artificial intelligence and how everybody is developing and deploying AI tools. Incidentally, the threat actors are also using these same tools to be able to fine-tune their processes and attack vectors, to be able to get into networks and devices easily. The challenges I see are being able to stay one step ahead of these threat actors. Being able to think like them, to predict how they would use the same tools we are using to defend; how would they use these same tools to attack. That is the cat and mouse game that is defined for my role daily.
ChatGPT came out around November of last year. Everyone has been using it in every industry. Of course, these threat actors are using it to compose phishing emails. Now we are seeing phishing emails that do not have grammatical errors. That is something that keeps people like me up at night.
What other similar tools have you encountered during your career that are also used for both good and bad?
Bid: So far, social engineering and phishing go hand in hand. Social engineering is trying to manipulate or convince someone to do something they would rather not do. Phishing is a good example of that. Another way social engineering is being carried out is through people using social media to share details of their lives online. For example, if their child is having a graduation party, they post it on Facebook. They travel on vacation, then they post pictures of themselves. That is all well and good because it brings people closer. However, thinking like a threat actor, I am using all the social media posts to gather as much data as I can about my target, whether it is an executive or an employee at an organization. For example, people go on LinkedIn to post pictures of their badge. The picture of that badge is a security risk, because now I know what your badge looks like. I can go ahead, make a fake copy, and get into your locations anywhere in the country. Social media is one example of something that has good intentions, but then the threat actors think they can use it to mop up data about individuals and organizations. We have seen where they use social media to acquire data about vendors, to then get into a larger organization. That happens all the time.
In this industry, you manage a lot and work with a multitude of additional vendors. How do you figure that out? How do you protect all the inputs into what you are trying to defend?
Bid: Let us take a step back and look at this concept from a holistic point of view. For example, take an aggregator like Expedia. There are these data points that touch Expedia from outside. We can control our own data, but of course, cannot control what someone is going to do with your picture you post on social media unless you have your social media page set to private. The best an organization can do, not just Expedia but any organization, is to make sure there are contracts in place to ensure everyone handles data effectively. You would not leave your front door open; you would not park your car in your driveway and leave the door open. You would lock your car door and go to bed at night hoping that no one is going to mess with your property. The same way, a company should make sure that everybody they are doing business with should make sure they have their data and all their customer data locked down because it is easy for one person’s data to serve as a jumping point into another person’s data. That is the best analogy I can come up with.
Over the course of your career, have you seen a big change in the way threat actors operate? Or is it always let us take a technology that has been well-intentioned and figure out a way to make it bad?
Bid: Actually, there is a mix of everything, and threat actors are very enterprising. They look for the easiest way to accomplish good for them, which for us is bad. For example, my Gmail password, if someone reuses the same password on a gaming website then forgets about it. Gmail is quite secure; it is difficult to code hack. However, if someone lays their hand on the password from that gaming website that I do not pay attention to, then they try the same password on thousands of websites. There is software to do that. All they need to do is just find one hit. Maybe it is from my Gmail, maybe my Costco account, maybe my Target account. Now they are inside. That is an example of using the bare minimum effort to accomplish the most damage. Another thing threat actors do is visit social media, look at people’s profiles; see the person’s high school, the name of the high school mascot. Then, this person’s mother’s maiden name because there was an event, a family reunion they attended, and they took pictures. I see the banner from the family reunion, and I acquire the mother’s maiden name, then on and on. There are different methods these threat actors use to achieve the most damage with the least amount of effort. Another example is people posting pictures of their work badge on LinkedIn. That is something for people to rejoice and people say congratulations, but I am looking at that picture differently. I am not saying congratulations because there is nothing for me to congratulate you on, as I am trying to get into your company’s network. Now I have an insight.
You sound very passionate about what you do. What advice would you give someone who is considering going into cybersecurity, whether the academic route or on their own? What is the best way for someone to break in or develop a passion like you have?
Bid: Thanks for that compliment. It is something I receive from people; my parents, my wife, even my son who is four years old. The best advice I would give is to find something you are passionate about and go all in. When I say go all in, every opportunity for you to learn, embrace it. Whether it is free resources on YouTube, LinkedIn Learning, one-on-one meet-ups, local cybersecurity meet-ups, or even podcasts. Take every opportunity you can to learn about this field as it is multifaceted. There is not just one aspect of cybersecurity.
I tell a lot of people I mentor, whether you are coming from the medical field, a legal background, or even carpentry, you have the skills to pivot into cybersecurity. It goes way beyond even being curious, wanting to learn. Having an end goal to make an impact in the community; I want to be able to host events at my local public library to tell kids about cybersecurity. I want to be able to advise family members of mine about the benefits of having different passwords. I want to be able to impact my friends who just post on social media. Whatever is your “why,” which is a cliché by now, “find your why.” That would make going all in easier because there are going to be ups and downs. There are going to be times when you question what I am doing exactly. That “why,” that answer to the why is what should keep you going.
In all those careers you see people pivoting to cybersecurity, not all of them are technical either. Your background happens to be technical, but there is room for the non-technical folks in cybersecurity.
Bid: Yes, it is not even tech. People think cybersecurity is only for nerds that wear glasses and spend hours on the internet, or hours on the computer in dark basements drinking Red Bull and Mountain Dew. I tell a lot of my friends and family members that there are hackers who wear military uniforms. There are hackers who wear suits and ties. There are hackers who wear sweatshirts and sweatpants. There are all types of people you will find in cybersecurity. On the good side, there are the good guys who wear all those different outfits. You do not solely need a technical background to be successful in cybersecurity.
Is this your first experience with the Retail and Hospitality ISAC or any ISACs in your career?
Bid: This is not my first experience with ISACs, but this is my first experience with the RH-ISAC. I started at Expedia just about a year ago. In general, I find ISACs a good way to collaborate and learn. I was always active in my previous roles. I was a member of the FS-ISAC, the Financial Services ISAC before. I was active there because I see it as an extension of my curiosity. Then, I go on the ISAC Slack channels or whatever platforms the ISAC is using, I collaborate, and ask questions. If there is a question I can answer, I answer. The best part of ISACs is there are guidelines that shape information sharing. You are not spilling all your company’s secrets.
There are guidelines both internally, and then each company has a way they engage. Then, even the RH-ISAC itself and all the previous ISACs I have worked with, there are guidelines. There are TLPs (traffic light protocols); amber, red, green, clear. Clear and green mean you can share as it is open-source. Amber is more guarded. Red is even more guarded. The strict guidelines are what I find very helpful because personally, I would not want my company’s information to be exposed even if it is on a sharing platform. Not to mention exposed to the client. The fact that those guidelines are in place, and everyone sticks to the guidelines is a big plus for me.
What do you find yourself using most in membership with RH-ISAC? You talked about sharing platforms and protecting what people share. Are you mainly looking at cyber threat intelligence? Are you involved in any of the working groups?
Bid: I am involved in the Dark Web Working Group. We meet every other Friday. Every working group I see, I try to join, and get a feel for what is going on there. Like I said, I am a fundamentally curious person. I like research and investigations. My wife will tell you that I like to know things so much it gets me in trouble sometimes. If I see a working group meeting coming up, I look at my work calendar, if time allows. Then I pop in, I stay quiet, and I listen to what is going on. It is an opportunity for me to learn more.
Where do you see the trajectory of cybersecurity in the future?
Bid: I think with the rise of AI, we are going to see not exactly new attacks and threat vectors but new methods. For example, now phishing emails are going to be harder to detect because it is going to look like a regular email that a particular company sends.
Another thing is social engineering. We see social media becoming increasingly embedded into society, which leaves room for social engineering to become even less detectable. Something else to pay attention to is remote work now. Everyone is trying to go back to the office. We might see some companies keeping remote work as a fundamental part of their own culture. Phishing emails come up regarding that set-up, maybe HR related phishing emails. That is something to pay attention to.