While many enterprise tech executives focused on the pivot to work from home and related initiatives during this past pandemic year, these efforts probably weren't at the top of the list for chief information security officers. For these IT leaders, monitoring the world of cyber-attacks and protecting the enterprise against them is the top priority.
That's certainly true for MassMutual Chief Information Security Officer Ariel Weintraub. In the last 12 months, new types of cyberattacks have hit the headlines and grabbed the attention of top IT security executives across all industries. The big one, of course, is the SolarWinds attack, first disclosed in December 2020, in which a software company's software updates were used to distribute a backdoor Trojan to 18,000 organizations worldwide. This attack has been called the largest and most sophisticated in history.
Weintraub said that the SolarWinds attack and other more recent supply chain attacks have added another dimension to strategy plans around protecting the company.
"It makes us think differently in terms of being an insurance company and a financial services company in terms of who our threat actors are and who is most interested in us from a target perspective," she said.
For instance, previous supply chain attacks or third-party attacks have sought to disrupt shipping operations, for example, which is not anything that would have impacted a company like MassMutual. While Weintraub would have tracked such threats, they weren't necessarily relevant, she said.
"But when [these attacks] are used for espionage and also used opportunistically, meaning there was compromised code that was pushed out to all of the customers of this particular software supplier, we may be more likely targeted or impacted because of the ways the techniques were used."
What does that mean for how MassMutual looks at these threats?
"It makes us think about nation states differently and requires us to prioritize certain programs like our third-party risk management and IT hygiene as much more significant than previously looked at in terms of nation state threat actors," Weintraub said.
Here's how it works at MassMutual. Within the company's security intelligence program, the team manages a list of known adversaries that would have a potential interest in insurance and financial companies. MassMutual also periodically restacks the top cyber risks that are important to the company.
"Any time there's any major event, either external or internal, it allows us to reprioritize," Weintraub said.
These types of cyberthreats are certainly at the top of the list, but MassMutual also has a number of other projects and initiatives underway, too.
One of these initiatives includes assisting the business with the security of its transformation from an on-premises operation to a multi-cloud operation. Weintraub said that means they are developing controls up front and in an a automated way so that they are not hindering the pace of digital adoption.
A related project is a pilot now underway to replace conventional controls such as passwords with biometrics and behavioral attributes. These behavior attributes are how any given person uses their computer -- how quickly they type, how they use the mouse, what applications they have open. The pilot is being run with the intention to roll out to internal users later this year, and Weintraub said MassMutual is also exploring how it could be used with external customers.
As a member of the pilot program, Weintraub is a fan of the technology. It's more secure and she doesn't have to remember any passwords.
The biometrics and behavioral attribute access is one example of how MassMutual's security operation is working closely with the company's data science team. The security team also partners with the data science team for the security operations center. There's a team of analysts monitoring the infrastructure on a 24/7 basis, but to better manage the volume of logs and alerts that need to be reviewed manually the security team has worked with the data science team to create models for alerting specifically on anomalous events.
"That could be through baselining what is normal for internal users to detect if there's a potential compromise of an internal account or taking external events and data captured from intel providers to prioritize and identify the specific most important critical events hitting us from the outside," Weintraub said.
Another big project that is underway is an effort to move towards zero trust architecture. Weintraub said that this is an industry trend that was partially driven by the pandemic and so many people working from home.
"It's the idea of identity as a perimeter outside of physical perimeter walls," Weintraub said. "Things like firewall are the more conventional controls that used to be the way we protected our corporate environment," Weintraub said. "We now have to think more creatively and broadly about how people access resources."
In zero trust architecture, you put the trust on the identity of the user accessing the resources and not necessarily on the physical location, she said.
Finally, while it's not a project, Weintraub said that there's a serious shortage of talent in the cybersecurity arena. Historically, MassMutual has hired from a traditional technology background of computers or engineering. Now the company is broadening its approach to include less traditional candidates. The company is looking for people who can solve problems and think creatively. It's a bonus if you have both data science and cybersecurity skills.
"I think there's a big convergence of cyber and data science, and an opportunity for people to grow their technical knowledge in those areas," Weintraub said. "We ultimately need people with intellectual curiosity who can solve some of these complex problems."