
Customer Spotlight Webinar: PVH Corp.

TruSTAR has a new webinar series, Customer Spotlight, where we invite security leaders and operators from across the TruSTAR community to share insight on lessons learned, challenges, and opportunities around a particular theme at the intersection of security and intelligence.

If you are an RH-ISAC user who would like free access to RH-ISAC’s Intelligence Exchange on the TruSTAR platform, please click here.

For the first webinar in this series, we sat down and talked with Mike Ekladious, Senior Cyber Security Analyst, and Nick Zaky, Senior Director of Security Operations, from Fortune 500 retailer PVH to learn how they leverage the TruSTAR platform to help automate and accelerate their team’s phishing investigations as well as manage PVH's multiple intelligence sources.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

If you look at the FBI stats from IC3, they're seeing a 3-4x increase in the number of cyber crimes submitted in the last seven weeks compared to normal months. Google's putting out data about this massive uptick in phishing sites related to COVID campaigns. Are you seeing this, or is it more business as usual?

Nick Zaky, Senior Director of Security Operations, PVH:

Honestly, we're not seeing a lot of the COVID-specific attacks hit our environment. We saw an uptick in reports by our end users when this first started, and I think it was really more just the sensitivity to what was going on. I won't say we see zero COVID-related attacks, but I think our email gateways have identified thousands of domains that are COVID-related infrastructure for phishing. We're not seeing that type of attack.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

COVID-19 has forced a lot of organizations to go fully remote for the first time, but I know PVH houses global brands like Calvin Klein and Tommy Hilfiger. Were you always a fairly remote team? Can you give a little color to folks around what the nature of your team looks like? And how the operational battle rhythm had to adjust for you guys in this new remote environment?

Nick Zaky, Senior Director of Security Operations, PVH:

We had a couple of things on our side prior to this. One, I run one of the only global teams in the company so we've been used to working remotely. The other thing is, we've had a policy of work from home one day a week so our infrastructure was pretty much there.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

Mike, can you give folks an idea at PVH of what, roughly, what the volume of user-reported emails is looking like? And a little bit about your process for how you guys manage that today?

Mike Ekladious, Senior Cyber Security Analyst, PVH:

We see about 500 emails a day, all user-reported phishing email attempts. We have a good rule on our end with our team which is, whoever's shift it's on, the spam box is always empty before you end your shift.

We have team members in Europe and Asia, so every analyst is looking at something different. So those 500 emails, to process and go through, takes time. But we also alleviate that fact by, every time someone reports a phishing email and it goes to our spam box, we actually forward it into TruSTAR. So indicators get parsed and correlated with other internal and external intelligence sources in our security stack. We also do simulated phishing campaigns to test our users, because obviously the weakest point in the security chain is the user. If you're throwing the user in the security stack, they're your first point of entry for anything.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

How would you describe the role that TruSTAR played for you in that sifting through the 500 emails? Is it surfacing the ones you need to spend your time on? Is it bringing enrichment to the event? How do you describe that, Mike?

Mike Ekladious, Senior Cyber Security Analyst, PVH:

It depends on the situation. When we identify a malicious phishing email, you always want to know the scope of it because it's quickly and easily identifiable. If you detonate the URL, you already know the IOCs that come out of them. Now we want to know, have these IOCs been reported in your environment? TruSTAR helps in identifying those patterns.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

How have you leveraged what you have today with TruSTAR and your own technical skills to get creative in the pipeline?

Mike Ekladious, Senior Cyber Security Analyst, PVH:

You have your open source threat intel and you have your closed source and whatever you paid for and vice versa. That's a lot of data coming in. You also have to look at the fidelity of the data. How accurate is it? That's why this Vetted Enclave comes into play, and it's something that we do to help segregate what we have and what users report, and what we validate personally.

When we validate a malware family, and we know this hash belongs to this malware family, we actually push that into the Vetted Enclave that we have with TruSTAR. That Enclave links directly with our SIEM, so it also searches for that IOC if it ever hits our environment in a firewall or something like that. We'll get a trigger or notice saying we've seen it. So you have to do the, "Hey, I trust you, but I need to look at it for myself," type of deal. And that's how we connect it.

The other part of it is the automation with Python scripting. We have scripts in the background that constantly detect, push, and pull indicators based on matches. Our Vetted Enclave automatically works without SIEM, saving my team time on detection workflows.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

Nick, okay, you got your gateway, you got your users, you've got TruSTAR. Tell me a little bit about what the main responsibility and accountability for your email gateway are? How do you think about the role of your users and user-reported emails in terms of managing the phishing threat vector at large?

Nick Zaky, Senior Director of Security Operations, PVH:

Our email gateway’s primary responsibility is being an anti-spam tool, and to help us block spam before getting to the organization. We've seen in the past when we've run reports, anywhere upwards of 97% of all emails coming into the environment are marked as spam and thrown out. The things that get past that will roll into a sandbox. Our sandbox is responsible for detonating attachments, detonating URLs that it hasn't seen before, classifying them and looking for the zero day type attacks, which I think is pretty common in a lot of environments.

A lot of sandboxes function in a way where it's not going to wait 10 minutes before it forwards an email on. It's going to let the first one go as it evaluates, and if it marks it as malicious, then it'll prevent any future ones from coming through. So those type attacks, or even things that aren't malicious in nature from a technology standpoint, that are credential harvesting attacks, they don't have to leverage malware. They don't have to leverage necessarily known malicious domains.

With this phishing triage workflow, it’s a matter of weeding through all the noise, and I would say about 90% of the reports are noise.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

How do you think about your intelligence sources and which ones are higher fidelity than others or maybe use cases?

Mike Ekladious, Senior Cyber Security Analyst, PVH:

The Ronald Reagan, "Trust but verify" quote is what I live by. Even paid intel sources that we have, until I verify and look at it for myself and vet it, that's the only intel source I really trust.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

What about you, Nick? I'm curious, how do you think about the sources and use cases?

Nick Zaky, Senior Director of Security Operations, PVH:

I do agree with Mike, trust but verify. However, there's a concept of the believability of the source that's reporting that so you have to validate the believability of the person. If it's our end users reporting a phishing attempt, the believability honestly is quite low. And you have to vet that, you have no choice.

Intelligence coming in from RH-ISAC has better quality. It's a medium-fidelity source, but if you're working with a sharing consortium like RH-ISAC, consistently, you start to understand the analysts that you can trust. It's the 80/20 rule. 80% of the reports in the ISAC are reported by 20% of the members, and certain parts of those 20%, are high-fidelity reporters.

Moving up the chain, I think that commercial intel should be your most reliable. If it's not, then you're paying for the wrong source. I’m also asked, how do we evaluate sources? We do put intel sources head-to-head, so we will take an intelligence source and put it head-to-head and do a POC during the same timeline over the course of several weeks side by side, and see who's doing well and who's reporting things and who's not. TruSTAR’s enrichment capabilities help us more accurately evaluate intelligence sources.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

Mike, can you walk through what happens from soup to nuts in the pipeline as you constructed it?

Mike Ekladious, Senior Cyber Security Analyst, PVH:

There is a process that goes through when you identify a phishing email. The first and foremost one is things that heighten your security awareness, such as misspellings, etc. Then there’s the header information. The header information is so helpful in the sense of at least identifying where it’s coming from. Who are they leveraging? Who are they relaying through?

At the same time, if you have a file or a URL, it's the perfect time to sandbox it and then have your sandbox start to kick up while you look at the header information. Ideally, you're looking between anywhere from 5-15 minutes for a phishing email, to really go through it, especially if you're in a sandbox. Sandboxes are hit or miss.

Then it’s another 10 minutes just examining the report that comes out of the sandbox, what registry keys were touched, what domains were contacted that you couldn't see in the background, and vice versa. So once you identify all that, then you're on the next hunt of, how many people actually got this in my environment. So you go through and figure out the impact and the scope. At the same time, start to submit those IOCs to start getting blocked, and then start taking action while you identify this.

We've done a lot of automation techniques, especially automating our ticketing process. So we would send one email into our ticketing system and based on what IOCs are in that email, it automatically opens up tickets to the appropriate teams to take appropriate actions. We also have custom scripts that are running in the background to trigger certain things, and we're uploading it into TruSTAR. So if it's a malware family, whatever it is, and we have new IOCs, we would go ahead and submit that into TruSTAR into the Vetted Enclave, which would shoot it into our SIEM.

Finally, we try to give back to the community for intelligence sharing as much as we can.

Patrick Coughlin, Co-Founder and CEO, TruSTAR:

Nick, we talked in the past about how you described the maturity journey of your organization. Can you walk the community through that here today?

Nick Zaky, Senior Director of Security Operations, PVH:

I think everybody on this call is somewhere within a spectrum of maturity within their program. I think their program can be broken down into a number of different processes that are probably also on some sort of spectrum of maturity. If you're a retail company, you probably start with brand protection, lookalike domains, brand-specific, social media type pages and things like that. You start with blocking the domains and trying to do takedowns. That's not necessarily intelligence thieves right now. To me, it's IOCs and the data, and you're playing whack-a-mole a little bit. But you have to start somewhere so that's where you start.

From there, you try to pivot as a group to really take a look at IOCs and correlate them with other data sources. A TIP is a great tool for doing that, but if you don't have a TIP, maybe you start out by going out to research the domain, look at the WHOIS infrastructure and pivot on that. You may not actually know it's a campaign, but at least now we can start to identify the infrastructure of an attacker.

Now we're putting a heavier cost on their attack, because we're really making them stand up new infrastructure. It's time, it's money. The goal for me is to make attacking PVH as costly for them as possible so that they can turn around and attack one of our competitors instead.

From there, we move into information sharing and leveraging the research other analysts are already doing. Our competitors are so valuable to us from a security standpoint because of the information sharing that occurs. I can't tell you how much value we found from being a member of the ISAC. We found wonderful collaborations within the community, and we've done things I never thought would be possible or acceptable.

I would never have thought that I could bounce something off an analyst at a competing company, have them look at one of my reports, and give me feedback.

If you haven't shared, share, because it comes back to you threefold. You'd be surprised how much other analysts are willing to help once they see you contribute. It's almost an extension of our team at the point, because we're a $12 billion company, I've got four guys full-time doing operations right now. I mean, we think the big ones help the little ones, and that isn't just size. It could be a skill set. It could be a lot of other things.
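The triage pipeline Mike describes earlier in the conversation (a user-reported email comes in, the relay path in the headers and the URLs and attachments are pulled out, the indicators are correlated against a set the team has already vetted, and a match goes on to the SIEM and ticketing) is shown below as an added worked example. This is not PVH's or TruSTAR's code and nothing in the transcript describes their scripts; it assumes the report arrives as raw RFC 822 bytes, stands in an in-memory Python set for the Vetted Enclave, and uses a placeholder verdict rule. The sample message, hostnames, addresses and vetted values are all constructed for the example.

```python
"""Phishing-report triage helper (added example, not PVH's or TruSTAR's code).

Models the workflow from the webinar: extract relay hops, URLs and attachment
hashes from a user-reported email, then correlate them with indicators an
analyst has already vetted. The input format, the in-memory vetted set and the
verdict thresholds are assumptions for this example only.
"""
import email
import hashlib
import json
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed stand-in for a vetted enclave: one domain and one SHA-256 that an
# analyst has confirmed as malicious. Both values are made up for this example
# (the hash is simply the digest of the sample attachment below).
VETTED_INDICATORS = {
    "login-example-bank.test",
    "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447",
}

# Constructed user-reported message: two relay hops, a credential-harvest lure
# with the kind of misspellings the transcript mentions, and a small attachment.
# All hosts use documentation/test names and IP ranges.
SAMPLE_EML = b"""\
Received: from mail.relay-example.test (mail.relay-example.test [203.0.113.10])
 by mx.example.test with ESMTP id abc123; Mon, 4 May 2020 09:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mail.relay-example.test with SMTP; Mon, 4 May 2020 08:59:58 +0000
From: "IT Helpdesk" <helpdesk@example.test>
To: employee@example.test
Subject: Urgent: verfy your accuont
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at http://login-example-bank.test/verify now.

--XYZ
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQK
--XYZ--
"""


def relay_chain(msg):
    """'from' host of each Received header, origin first.

    Each hop prepends its own Received header, so the last one is the
    origin; reversing gives the path the message actually travelled."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_FROM_RE.match(str(header))
        if match:
            hops.append(match.group(1))
    return hops


def extract_urls(msg):
    """Unique URLs found in the text parts, trailing punctuation trimmed."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.add(url.rstrip(".,;)"))
    return sorted(urls)


def hash_attachments(msg):
    """SHA-256 of every attachment's decoded bytes, keyed by filename."""
    return {
        part.get_filename() or "unnamed":
            hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }


def triage(raw, vetted=VETTED_INDICATORS):
    """Parse a reported email and correlate its indicators with the vetted set."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = extract_urls(msg)
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    attachments = hash_attachments(msg)
    hits = sorted((set(domains) | set(attachments.values())) & vetted)
    # Placeholder verdict rule (an assumption, not PVH's): a vetted match is
    # escalated straight away, anything carrying a URL or attachment is queued
    # for analyst review, and the rest is treated as noise.
    if hits:
        verdict = "escalate"
    elif urls or attachments:
        verdict = "review"
    else:
        verdict = "noise"
    return {
        "sender": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "relay_chain": relay_chain(msg),
        "urls": urls,
        "domains": domains,
        "attachments": attachments,
        "vetted_hits": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run stand-alone, the script prints the triage record for the constructed message: the origin host, the lure URL and its domain, the attachment hash, and a verdict of "escalate" because both the domain and the hash are in the vetted set. In a real pipeline the vetted set would be read from the TIP and the "escalate" branch would open the ticket and push the indicators to the SIEM; the value of separating extraction from the verdict rule is that the extraction stays stable while the rule is tuned as the team learns which report features are noise.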

To view the full webinar recording, click here.
