Ahead of the Threat

Ahead of the Threat takes off to the skies! United Airlines Chief Information Security Officer and Vice President Deneen DeFiore joins host FBI Cyber Division Assistant Director Brett Leatherman to learn how the aviation industry protects passengers and airline systems from cyberattacks. Deneen shares that airlines are already built around how to handle imperfect days and conditions, so a cybersecurity posture is baked in by ensuring resiliency (no delays) and safety (for passenger data and transport). This leads to greater cooperation—collective protection, as Deneen puts it—among the airlines despite competition and a strong FBI partnership to obtain the latest threat intelligence because flying safely from Point A to Point B requires the work of thousands of people with as many processes. 

Joining Brett to discuss the news is Todd Hemmen, the deputy assistant director of the FBI’s Cyber Capabilities Branch, which surges technical teams and engages with industry. Current event topics include the extradition by the Italian government of a Chinese national accused of compromising nearly 13,000 U.S. organizations, including medical workers developing the COVID-19 vaccine; Operation Masquerade, an FBI effort to disrupt Russian military cyber operations; and a U.K. joint advisory warning the industry of Chinese government attempts to compromise consumer edge devices and use those devices to covertly find and attack new victims.

Listen to Ahead of the Threat episodes, read the transcripts, and find related material at fbi.gov/aheadofthethreat


What is Ahead of the Threat?

Featuring distinguished guests from the business world and government, Ahead of the Threat will confront some of the biggest questions in cyber: How will emerging technology impact corporate America? How can corporate boards be structured for cyber resilience? What does the FBI think about generative artificial intelligence? Listen to new episodes biweekly and stay Ahead of the Threat.


You can also follow the FBI Cyber Division on LinkedIn at linkedin.com/company/fbicyber.

Brett Leatherman, assistant director of the FBI Cyber Division: Welcome back to “Ahead of the Threat.” I’m Brett Leatherman, assistant director for the FBI Cyber Division.

Today’s guest is Deneen DeFiore, vice president and chief information security officer [CISO] at United Airlines. Deneen runs cybersecurity and digital risk for an enterprise that flies more than 4,500 aircraft a day, operates in more than 200 countries, and counts on technology working at every airport, every gate, and every cockpit.

We talk about what resilience actually looks like when downtime isn’t an option, how she thinks about identity and third-party risk at scale, and where the aviation sector is heading next.

But before that conversation, the news. Joining me today is Todd Hemmen, deputy assistant director for the Cyber Capabilities Branch at FBI Cyber Division. Todd’s branch runs CTAOS [Cyber Technical Analytics Operations Section]—you heard from Adam Maddock in a prior news segment—the Cyber Operational Support Section, the Cyber Readiness Section, and the National Cyber Investigative Joint Task Force.

Todd, welcome to the show.

Todd Hemmen, deputy assistant director of the FBI Cyber Division's Cyber Capabilities Branch: Thanks, Brett. It’s good to be here.

Leatherman: Good to have you. Hey, tell us a little bit about the Cyber Capabilities Branch and what your teams do.

Hemmen: Yeah. Happy to do it. So, Brett, you give a lot of ... public engagements. You’re involved in a lot of speaking engagements. Myself and the other deputy assistant directors are as well. I feel like this first question, although it should be a softball, it always just comes out a little bit awkward.

The Cyber Capabilities Branch has such a robust mission that it’s hard to kind of consolidate everything that we do into … in a short response. But let me give it my best effort. What I’d like to do is talk kind of broadly about all of the things that we do and then focus on a couple of specific areas.

So, one, you talked about our technical capabilities. I think most people when they hear “Cyber Capabilities Branch” expect that we have a technical capabilities component. So, I’ll touch on that in a little bit more detail.

A second bucket falling under the Capabilities Branch is our industry engagement effort. Cyber Division has consolidated all of its industry engagement portfolios under a single section.

And I’ll talk a little bit more about where we are with industry engagement and where we hope to go.

In addition to those two, we also have the Global Partnerships Program [GPP]. Brett, you had Maeve Healy on in, I believe, Episode Four, and I thought she did a really nice job of explaining what GPP does in our international footprint.

Twenty-two assistant law enforcement attachés [ALATs] spanning 20 countries in five continents shows the significance that the FBI places on having good relationships with our foreign counterparts.

You mentioned the National Cyber Investigative Joint Task Force, NCIJTF. That task force has been in existence since 2008. Their stated mission is to coordinate and share intelligence and information across all of the U.S. government. We have a variety of law enforcement, intelligence community, and other government partners that participate on NCIJTF.

And finally, our Cyber Readiness Section. These are the men and women who operate behind the scenes to ensure that we have our budget taken care of. They take care of the logistics for Cyber Division. They provide security. And finally, workforce planning.

So, that’s a big remit. That’s kind of broadly what the Capabilities Branch does. Let me talk a little bit more about our technical capabilities. Brett, I think you heard this yesterday, as did I. The technical capabilities … is a very sexy mission. I don’t know that we’d heard that before, but that was stated in the meeting yesterday. We’re getting T-shirts made very soon.

So, the technical capabilities mission, beyond what you heard from Adam Maddock last week with the Cyber Action Team, that’s a big part of our technical capabilities. I won’t go into detail because Adam did a really nice job of summarizing the role of CAT. In addition to CAT, we have additional surge support services.

So, these are specialized services based on subject matter experts within the Cyber Division, whose role is to support FBI case teams in the field when they encounter a need for this specialized expertise. So, intrusion analysis, endpoint forensics, big data analytics, maybe that’s support with ingesting or normalizing data. Maybe that’s just combing through a lot of data. Malware reverse engineering.

And then finally our computer network operations team, or CNO team. We’ve heard a lot in recent reporting on the government’s role in offensive operations and working closely with partners in private sector to conduct operations. So, I’d say the CNO role is a little more nuanced than what I would consider broadly to be defined under offensive operations.

This is the team within Cyber Division that’s responsible for legally authorized remote-access operations. So, a big part of our surge support services. We also provide, under the Capabilities Branch and under the capabilities team, tool development. We have multiple tools that, again, are meant to further FBI cyber field office investigations. We’re not responsible for tool development for the enterprise as a whole, but we are responsible for a couple of flagship tools that FBI case teams in the field use.

So, let me give you just a couple examples. One, we have a tool that reviews and analyzes various data sets that have been obtained through law enforcement process with the intent to use this tool to help develop criminal persona attribution, to establish pattern of life, to generate investigative leads. So, this is a tool that’s used primarily in cybercriminal investigations to help further those investigations.

Yet another example of a tool that we have is a threat hunting tool that’s used to query cyber threat indicators across multiple CTI [Cyber Threat Intelligence] enrichment platforms. Again, with the goal of enriching known information about FBI investigative subjects and helping to identify investigative leads.

Brett, one thing I would say about our tool development component is, while Cyber Division centrally does develop tools, the second tool I just mentioned was developed by a case agent in the field.

One of the great things about the Cyber Division development team is that we’re able to see across the enterprise where tools have been developed by innovative case agents or computer scientists in the field. And when we see the potential for application across the enterprise, we have the ability to adopt those tools, adopt management of those tools, and maybe further develop them, but make them available to the organization as a whole.

So, we encourage innovation in the field. We support that through our own efforts at Headquarters. And then I’ll touch just briefly on our private-sector engagement role.

So, as I mentioned, Cyber Division has recently consolidated all of our private-sector engagement efforts under a single section. And really, our goal here is to further mature the work that we’re doing, the great work that we’re doing with private-sector partners.

The FBI has done a really good job—Cyber Division has done a really good job in the past of establishing relationships and maybe developing partnerships within those relationships where we hope to mature these private-sector partnerships in situations where it makes sense, maybe not broadly, but we’d like to see a greater emphasis on bilateral threat sharing.

And really with the ultimate goal to operationalize the threat intelligence we’re … receiving from industry. They have immense visibility into data and telemetry that we don’t have. But on the same, in the same way, we also want to help further inform what industry is doing to secure their own networks. So, we feel like growing towards this more mature bilateral threat-intelligence-sharing dynamic really helps both government and private sector-partners.

Leatherman: Yeah, that’s great. And that’s part of why we have AWS, Microsoft, Google, Huntress. Today, United, on the podcast is to share that perspective because it’s an equally important perspective.

Todd, I think the Capabilities Branch touches on each of the three news items that we have today, to talk about. So three items today, they all come back to the same idea of deterrence and disruption.

Sometimes you put a person in the courtroom. Sometimes you take the adversaries’ infrastructure off the board. Sometimes you hand the defender community a playbook to pull the easy options away from the bad actors. And Story One demonstrates kind of the first thing, which is putting somebody in the courtroom.

On April 26, Italian authorities transferred Xu Zewei, a 34-year-old PRC national, into U.S. custody. He appeared the next day in U.S. District Court in Houston, Texas, on a nine-count federal indictment.

The charges allege that Xu worked as a contract hacker for the PRC Ministry of State Security, specifically the Shanghai State Security Bureau, while employed at a private firm called Shanghai Power Rock Network. DOJ describes Power Rock as one of the many enabling companies the PRC government uses to obscure its hand in cyber operations.

Between February 2020 and June 2021, the indictment alleges, Xu and his codefendant, who remains at large, ran two phases. In early 2020, they allegedly targeted U.S. universities, immunologists, virologists working on COVID-19 vaccines. In late 2020, they allegedly moved to exploiting Microsoft Exchange Server zero days and deploying web shells.

The activity Microsoft tracked as HAFNIUM, which is now tracked as Silk Typhoon, was really significant in how it deployed web shells to on-premises Microsoft Exchange servers throughout the United States. The broader campaign really compromised over 12,700 U.S. organizations.

The charges are allegations. Xu is presumed innocent unless and until proven guilty.

So, Todd, this is a significant extradition of a cybercriminal here to the United States to face charges. One thing we talked about with Maeve was ... the use of Cyber ALATs as part of our work with international partners.

Can you talk a little bit about the Italian nexus here and our work with our partners and the ALAT in country to kind of facilitate what happened in the case of Xu?

Hemmen: Yeah. So, absolutely happy to. First of all, great case, great outcome. This is a very, very rare extradition of a Chinese or alleged Chinese intelligence officer based on hacking charges or 1030 charges. So, great case. Yeah. I’d love to touch on the dynamic with our partners in Italy.

So, as you relayed, this was in partnership with our Italian counterparts. We do have, when we talked about our Global Partnership Program, we have an embedded cyber assistant law enforcement attaché that sits in Rome, that’s in Italy and was instrumental in coordinating with our Italian partners to make sure that this extradition was successfully executed.

There were some significant time sensitivities to this operation. There was immense coordination that happened behind the scenes.

And ultimately, this came down, Brett, to partnerships. We have enjoyed a fantastic partnership with the Italians, with Polizia Postale specifically.

You may remember, you and I met some of our counterparts just a couple months ago here in D.C. Had a great information-sharing meeting with them. We’re working closely with them in a couple different specific areas that I won’t get into, but, fantastic partnership.

And really, that’s what these cyber ALATs are all about. We’re about establishing and furthering those partnerships so that when the case comes where we need cooperation from a foreign partner, we’ve established relationships to make this happen.

So, in this particular case, Xu was in country, we had an opportunity based upon an existing indictment to work with the Italians to bring him into custody and then work through the legal process to successfully extradite him.

So. Fantastic case. Brett, I do want to add one little note that, just as a kind of random factoid regarding this case. I mentioned earlier that we have a tool in the Cyber Capabilities Branch that was developed by a case agent in a field office. That case agent actually came from the Houston Field Office, the same office that is responsible for indicting and extraditing Xu.

And that case agent was the individual responsible for—we talked about technical operations, or remote access operations—was responsible for remediating many compromised devices pursuant to judicial order for the Microsoft Exchange vulnerability in the HAFNIUM case.

So, small FBI world to bring these things together, shows a couple of different aspects of the work done in the Capabilities Branch. And which supported this investigation and extradition.

Leatherman: Yeah, our teams wear many hats. But the good news is when they work, they work across the enterprise in ways that we can employ across the enterprise to have real impact. And the HAFNIUM campaign and our work to mitigate it was one of the first times we leveraged Rule 41, you know, judicial oversight, to remove adversary capacity and capability from that infrastructure in novel ways.

And first, we alerted the public to what was happening, along with Microsoft; worked very closely with them. We asked folks and gave them guidance on how to remove web shells and adversary access. But when it looked like the actors could actually exploit and do bad things in those environments, then we use that method to remove those web shells in that capacity from the actors.

We continue to do that in real, meaningful ways. Which takes us to kind of to the next story, which is Operation Masquerade. On April 7, DOJ and the FBI announced Operation Masquerade, which was also a court-authorized disruption of a DNS [Domain Name System] hijacking network, this time run by the Russian Military Intelligence Unit 26165, the GRU element better known in open source as APT 28.

This was roughly 18,000 compromised TP-Link routers running outdated firmware. The GRU manipulated DNS settings to silently redirect victim traffic to attacker infrastructure, supporting espionage against more than 200 organizations across 23 states and over 120 countries.

When they manipulated the DNS, it didn’t just impact the router, but those DNS settings propagated to devices throughout the house. So, you think about connecting your phone, your laptop, your tablet, your kid’s devices; or in business, all the infrastructure within your business is now routing its traffic through GRU-based infrastructure.

Very, very consequential. In this case, FBI Boston, with support from Philadelphia and of course your teams, led with the Eastern District of Pennsylvania and DOJ’s national security cyberteams a disruption operation to remove the adversary capacity from those routers and to basically lock the actors out and protect those routers. So, very significant operation, thousands of routers that the GRU was leveraging.

This was actually the fourth time since 2018 that the FBI has conducted operations to remove GRU access to edge devices. So, Todd, what does that say about kind of both what the actors are targeting, in the way of edge devices, and how we need to respond, both in law enforcement and industry?

Hemmen: Yeah. So, great question. Again, great case. It’s always nice to see kind of the partnership in these cases with … within the government, with private sector and industry actually had a great role in this investigation as well. We’re seeing a lot more victimization occur on the edge of networks. We’re seeing threat actors continue to target these edge devices.

In this case, there was a vulnerability. In many cases we’re encountering end-of-life devices. So, we need to understand, both government and industry, that this continues to be a really pervasive attack surface. And take appropriate actions to mitigate. We talked about some of our mitigation strategies as part of Operation Winter SHIELD, and those hold true here as well.

So, things like removing end-of-life devices is relevant in this conversation. Specific to this investigation you talked about outdated firmware also being exploited. So, I think it’s employing the right cybersecurity techniques to make sure that we’re doing just kind of basic ... basic cybersecurity hygiene towards our edge devices or other aspects we could talk about to make these environments more secure.

But I think that the take home message is, threat actors are targeting our edge devices, our end-of-life devices. And we need to take appropriate actions to make sure that we’re stopping before they gain access into our environments.

Additionally, in this case, Brett, we saw where they not only would weaponize these edge devices, but they were starting to gain, through an adversary-in-the-middle attack, access to credentials or stolen credentials, email content.

They were starting to leverage the information that they received to then further conduct intelligence operations and identify who some of the most high-target victims were. So, again, all of this is mitigated, or at least defended against with better hygiene towards how we are treating our network devices.

Leatherman: Yeah. Once they drop into your environment, it’s not just the router that’s at risk, but now they’ve got internal access to your network, and they can start to enumerate what’s across your ecosystem and move laterally to more sensitive areas.

That’s their goal. It’s not just to collect DNS traffic, which is consequential enough. It’s also to look at other opportunities, I think, to move laterally, escalate privilege, and have greater impact in the environment.

Yeah. I would recommend folks like tomorrow look at an inventory of your edge devices. “What kind of devices are we running? Are they end of life? When do they become end of life? Do they have vulnerabilities? How are we patching those devices and how quickly are we patching those devices?” You know, those are ways that organizations could have mitigated this attack.

And then if you’re accessing them remotely, are we leveraging multi-factor authentication, phish-resistant multi-factor authentication to connect and manage those devices? Those are all steps that organizations can take probably tomorrow to start moving the needle on that.

So that’s the second lever. When it comes to disruption and deterrence. We’ve talked about courtrooms. We’ve now talked about court-authorized operations.

The third one that we see that really scales the furthest, because it’s not just our work alone here in the FBI, is empowering the defender community to do something about what we’re seeing. It’s sharing critical intelligence to support the defense community and the cybersecurity community.

So, on April 23, the UK’s National Cyber Security Center led a 16-agency joint advisory on China-nexus covert networks compromising devices, same thing: at the edge. FBI signed on, along with all the other countries, because it is such a prevalent issue.

The headline finding was that PRC-nexus actors have shifted from infrastructure they procure themselves to externally provisioned, or stolen, covert networks built from compromised consumer routers, IoT devices, smart devices. The advisory references Integrity Technology Group, previously sanctioned, which managed the Raptor Train botnet that infected more than 200,000 devices in 2024.

The defender guidance is this: static IP block lists and one-off takedowns aren’t enough anymore. We need to map and baseline our edge device traffic. Understand behavior in that traffic. Static indicators change so often.

If you’re talking about networks where you have tens or hundreds of thousands of devices, you can no longer just block IPs anymore, especially, simply limiting it to VPN and remote access is no longer effective because now they’re leveraging residential proxies to get into your environment. Very tough to block.

Todd, this advisory pushes the work to industry. Where’s the line between the intelligence we can share with industry and what they need to action with what we can do from these court-authorized operations? This is an example where we want to take action where we can, pursuant to our authorities, but we need industry’s help here to start to plug some of these gaps.

And so how do they start to approach that side of the equation?

Hemmen: Yeah, I think great question. And I think this just goes to the spirit of what we are accomplishing in many ways and continuing to try to drive toward with industry partners. I said it before, and I’ll repeat it, industry has immense data. They have immense visibility into what’s happening within their networks. That’s information we don’t have.

But what we do have is cyberthreat intelligence, cyberthreat indicators. I received statistics within the last month or so from one of our teams that the FBI is uniquely in possession of more than 50% of our national security cyberthreat indicators. And this is a credit to our investigative work: the case data that we have.

If we had sharing agreements, sharing arrangements with industry where we could responsibly and securely share this type of information with industry partners, industry partners could compare with what they’re seeing through their unique visibility.

We are all better for this dynamic.

So, Brett, you know that we have this arrangement with certain industry partners and it’s an area we’d like to continue to mature. Again, we see this as helping to inform network defense for industry partners, so critical, and furthering our investigations. … Getting a better picture from the FBI Cyber Division’s perspective on the extent of the nation-state adversarial issue.

So, more sharing is where we need to end, and we need to really, on both sides, be able to operationalize this information.

Leatherman: Yeah. And that’s part of the FBI’s value proposition here, is that we have authorities that allow us to collect those national security indicators that you talked about, that nobody else can. We have … FISA 702 as part of our national security authority base.

We have, certainly, our ability to collect, via subpoenas, search warrants against adversary infrastructure. That intelligence is important. And that is part of the 50% that you talked about ... those nation-state kind of that threat intelligence. That is the value proposition of bringing the FBI in as a partner, whether it’s in sharing cyberthreat intelligence.

But equally important is if you suffer a breach, contacting your local field office, because we have those indicators that we can bring to bear during your incident response, during your containment and eradication activity, where our goal is to help you contain the actors.

We also want to pursue our investigative, you know, avenues to go after the actors themselves. But we do that in a way that also preserves victim equities and helps them get back on to equal playing ground. And that’s incredibly important. And that’s what the teams do in our Threat Analytics Collaboration Unit and the various engagement teams that … work in your branch.

Hemmen: Yeah. That’s right, Brett. We have access to unique information and we can’t broadly share that and we won’t broadly share that, but we will work with victims. We are a victim-centric organization.

That is true across operational divisions and certainly in Cyber. That is a high priority for us. So, we want to help victims. We obviously want to pursue our investigative mission in the process.

But we can do both things. And I think the closer we work with industry partners, the more they understand how we can help in these dynamics, the better off that we’ll all be.

Leatherman: Yeah. Accountability, disruption, resilience. Three news stories that highlight, you know, we have a specific role on the law enforcement and intelligence community side. Industry has a specific role in raising our collective resilience, but we all need to work together to share this information in a way that combats rogue countries who want to leverage their companies and contract hackers to engage in hacking against U.S. equities.

So, incredibly important. Todd, thanks for your time. I want to thank you and all your teams that do the incredible technical work, that work across the interagency as part of the NCIJTF, that keep us running from a logistics and a finance and a budget standpoint and allow our folks on the frontlines to continue to do the job day in and day out.

And then, you know, increasingly closing the gaps with our industry partners. It’s really meaningful. I know they spend a lot of time doing it, and they’re really good at what they do. But thank you for the time today and for the teams and what they do.

Hemmen: Thanks, Brett. It’s a pleasure to be here.

Leatherman: All right. Next up my conversation with Deneen DeFiore of United Airlines.

***

Leatherman: Welcome back to “Ahead of the Threat.” My guest today is Deneen DeFiore, vice president and CISO [chief information security officer] at United Airlines.

Deneen leads cybersecurity and digital risk for an airline that moves roughly 170 million passengers a year, operates across six continents, and runs on everything from flight management systems to connected aircraft to passenger data platforms. When something goes wrong in an airline, people tend to notice. Flights stop. Passengers are stranded. It’s really not an abstract risk … conversation.

Beyond United, Deneen serves on the Cybersecurity Committee at Airlines for America and is on the board of the Aviation ISAC [Information Sharing and Analysis Center]. In 2022, she was appointed to the President’s National Infrastructure Advisory Council, advising the White House on critical infrastructure resilience. Before United, she spent over two decades at General Electric, including at GE Aviation.

She started her career not in technology, but in health care, with a degree in biology from Kent State. She joined United six weeks before COVID shut down the world and had to stand up secure remote access for the entire organization in a matter of weeks. Deneen, welcome to “Ahead of the Threat.”

Deneen DeFiore, vice president and chief information security officer, United Airlines: Thanks for having me. It’s a pleasure to be here.

Leatherman: Great. Deneen, you run cybersecurity for one of the largest airlines in the world. For folks in our audience who protect banks or hospitals or other entities, what’s different about defending an airline? What makes this job unique?

DeFiore: Sure. So, I think particularly at the airline, you had mentioned in your intro, right? People notice when things go wrong. So, cybersecurity is not just about protecting the network or protecting the data—our customers’ and our passengers’ data. It’s really around protecting the operation. So, you know, we have to center our security program around resiliency and then operating—being able to operate the airline—when things aren’t going to plan.

So, you know, it’s just like the operation managing through a weather event. We have to manage the airline through a cybersecurity event and do that in a way that’s like seamless to our customers and our employees. So, I think that’s probably the biggest nuance there. The other thing that is really important, and this translates to other industries as well, too, is around the safety component.

So, the decisions we make around implementing security strategies, security controls could have operational impacts as well as safety impacts. So, we really anchor our program … you know, every change that we do, every policy that we want to implement, we do through a safety-risk assessment. So, I think those are probably the two core kind of nuances. Resiliency as a core tenet. And then safety as well.

Leatherman: Yeah. It’s interesting. A lot of people think when they think about, you know, the role of a CISO, they think about zero breach, the idea that we cannot be compromised by a bad guy, by bad actors, whether it’s nation-state or criminals. But we’re increasingly moving to this environment where it’s how do we fight through breach.

Right? And how do we contain up front the blast radius and how do we fight through that? So, how do you approach resilience at United? What does that mean when it comes to moving aircraft and moving people? How do you fight through and how do you approach that?

DeFiore: And so, I think like if you think about aviation, right, the whole kind of industry is not built around the perfect day. Everything going great, right? We build around the reality that conditions change, components can fail, but operations have to still continue safely. So, cyber resilience has to work really the same way. So, the way we approach it at United is really understanding what is critical to run the airline.

So, we have … we understand the capabilities like, “Okay, we need to run, we need to have flight dispatch, flight planning, you know, pilot and crew records, you know, for the legalities, like, all those things have to be in place to run the airline safely and compliantly.”

So, we take those core capabilities, and then we make sure that our … we have cyber resiliency in the systems, processes, people, and technology that are supporting those capabilities. Also understanding that, you know, we’re going to … if something does happen, we have to understand the entitlement that we can operate in.

For example, if there’s … an issue with integrity in the data around flight planning. Well, yeah, you can manually plan a flight, but it’s going to take you 3.5 hours. And at the scale we operate, that isn’t going to work. Right? So, understanding those capabilities, working with our business partners and our operations partners to understand, okay, what do we need to put in place to run the airline when the operation is under duress?

So, it’s a really comprehensive kind of approach to cyber resiliency. And we kind of … we think about it the same way as operational resiliency. Cyber resiliency has the same approaches and processes integrated into the airline.

Leatherman: Yeah, that’s incredibly important. So, that’s … the first part is really how do we ensure that we’re meeting regulatory requirements? Because you’re a highly regulated sector, right? But I think what’s unique about United and really, I think a lot of organizations that sit in regulated space could look at, is not just driving towards regulation, but how do we drive towards threat mitigation as well, and not let regulation be the driving factor behind how we implement controls.

Can you talk a little bit about how you take a threat-centric approach to understand, you know, beyond regulation, how do we protect stakeholders through cybersecurity?

DeFiore: Yeah. So, our program is really intelligence based, right. So not only the information that we get from, you know, our intelligence … cyber intelligence partners, whether it be a commercial partnership or whether it be, you know, with folks like you from the FBI or other government agencies and global agencies. We do our own research and understand what is happening in our environment.

So, intelligence really drives prioritization around where we invest preventively in the program, as well as how we kind of shape our defenses. Right? And that intelligence has to be paired not only with, like, what is happening in a threat environment, but also what is happening in the, I’ll say, the digital or technology environment, because things change all the time.

Especially nowadays, it’s just so dynamic that, you know, what you thought you’re protecting today is different than what you think you’re protecting tomorrow. So, you’ve got to be continuously assessing that as well, too. So, you know, intelligence really drives … that prioritization and understanding of where we need to focus based on the digital environment and also what outcomes the business is trying to—the airline—is trying to achieve.

Right? Because threat management is risk management. … You know, there’s always a trade off. You’re not going to be able to do everything you want to do as a CISO. You still have to run the airline and operate it. So, that intelligence drives the prioritization, as well as understanding the environment to make sure that we can operate at the risk tolerance that we feel comfortable with. Regardless of regulation, we will always do what is right and what we need to and what we’re obligated to.

But we also pair that up with like our risk tolerance and where we want to be.

Leatherman: Yeah, I really like that perspective of cybersecurity and threat intelligence as a business enabler. And I’ve heard that from some CISOs before on this podcast: it’s not necessarily … what do we need to do to curb, you know, to curb the risk that also impacts our business outcomes. Instead, you look at it as how can what we’re doing, or how do we approach what we’re doing, as a business enabler.

Can you talk a little bit about how you think through that business enablement?

DeFiore: Yeah, that’s really a key kind of tenet in the way we want to be, the way we want to show up at United Airlines. Right? We’re there to protect and defend the organization, but … we’re also there to manage risk and to take, you know, probably riskier situations away so the business can do things that they couldn’t do before. Like enable different customer experiences or operate in different locations that we probably wouldn’t be able to operate in previously.

Right? So, you know, an example of that is like using, you know, identity verification technology to create a really trusted experience for our customers so we can rely on, you know, that trusted, validated identity and offer them things like, “Okay, you can travel, you can use that identity verification to move through the lobby a little bit quicker.”

Right? Or not have to manually check in when you are, say … a law enforcement officer carrying, you know, a weapon or things like that. We’re able to do things like that with our security technology that enable outcomes for the business. That is really cool.

Leatherman: Those efficiencies are incredibly important because now as somebody who travels a lot on behalf of the U.S. government, you know, there are times where I’m not necessarily scanning my ticket. I’m getting a facial recognition scan that ties me somehow to a ticket. Yet, you guys are securing all that identity information at the same time you’re making it more efficient to move, you know, passengers on and off aircraft.

DeFiore: There’s times when you want … like friction is appropriate. Right? But, most of the time the kind of, I’ll say, the practice is to make it, you know, make it seamless, right? Make sure that you have security built into the processes and the operation in a seamless manner so people can, you know, feel good about that trusted experience without those, you know, without the bumps in the road.

Leatherman: Yeah. Last year, the FBI put out a public product on Scattered Spider. We continued to kind of watch them move from the retail industry to the insurance industry. And then we saw them pivot into the aviation sector, not just here in the United States, but across the globe. So, we put that public warning out there.

You mentioned the FBI as kind of part of your threat intelligence picture. So, you are unique in that, you know, you’re a target of both criminal actors like Scattered Spider as well as nation-state actors targeting you out of very sophisticated intelligence services. How do you and your team think about prioritizing those threats, which are very different across the enterprise?

DeFiore: So, I mean … there is a thoughtful kind of process, right? Based on threats, risk, and our tolerance. But a lot of times what we find is that, you know, there’s synergies, right? And the approaches … that we put in place so we can take care of an attack path, right? That maybe a cybercriminal is exploiting, but then we close off some, you know, close off some pathways as well to a nation-state.

So, we really try to get the most bang for our buck. And in essence, because, again, we have limited resources, you know, and change is always hard to implement at the scale that we need to implement across, you know, an organization like United.

So, we really try to be most efficient and effective in getting those threat signals, looking at kind of … all the places where we could put some mitigations in place, or controls in place and kind of synergize and harmonize that way.

Leatherman: Yeah. We tend to see all actors use the path of least resistance to get in. So, whether it’s identity and access management, whether it’s edge devices, that’s where they tend to target their exploitation. It’s very rare in today’s environment that we see them using some sort of zero day or bespoke piece of malware. And so, I think covering your bases in that way really increases the resilience you talked about, number one, but it also removes the easy wins for the bad actors.

Where are some of the areas that you guys tend to focus on those easy wins? And plugging those up? Is it like identity and access management? Do you spend a lot of time on edge devices, cloud platforms?

DeFiore: Well, I think especially, you know, over the last couple of years, right? The kind of edge devices and those, kind of … the focus right on the threat actors, be it nation-state or cybercriminals, to kind of exploit those because those devices and those approaches, right, where they’re not instrumented the way the rest of the environment is.

You can’t stick a CrowdStrike agent, right, on an edge device and expect to get the protections and telemetry. So, we had to really rethink, “Okay, how do we protect those environments, how do we get the signals out of those environments? And then how do we have … I’ll say a greater context in correlation, right, within our telemetry to be able to defend those environments?”

So, we did spend a lot of time on that. The other thing too, is, you know, you have to be able to reduce your attack surface. So, you know, a lot of things are exposed to the internet because it’s easy to do. I mean, it’s easy to do that. We are really focusing on making sure that if we’re exposing something to the internet, it’s appropriate.

And then we also have, you know, strategies around, you know, secure access, private access … to limit the ability. So, we’re not publishing it broadly to the internet where we are. And that’s a journey because, you know, we’re a big company, and we’ve got tons of applications and services. So, we’re kind of methodically doing, you know, doing that.

And then lastly, I mean, you know, it is table stakes and everybody is talking about this. But you know, you have to make sure that you have secure access, a form of multi-factor authentication, if you do external exposure from, you know, interactive logins to, you know, services, non-human identities. You’ve got to figure that out.

So, we spent a lot of time on doing that. And it’s not a one-size-fits-all approach, either. I think that identity access is hard, right? And that’s why we see threat actors exploiting it. Because for the past, whatever 20 to 35 years, we haven’t gotten it right and we still have a lot of work to do.

And, you know, I think with AI and agentic AI and identity associated with that, it’s going to be even harder. So, it’s a real pivot, or a pivotal moment, right, in the cybersecurity industry to figure this out.

Leatherman: Yeah. And it’s … you really have to balance the technical controls, which we’ve talked a lot about here so far, and the training that you provide: help desks, end users, and others. We saw Scattered Spider and now Shiny Hunters and others targeting help desks and password resets. So how do you approach that social engineering side and securing the human?

DeFiore: Yeah, and that was, you know, a big focus for us, as we learned from other industry events and as it kind of culminated last summer, right, with the kind of signal from the FBI and other intel agencies that aviation was going to be kind of the next target. So, I think it’s, you know, looking at the security, I’ll say, posture of your support services. Not only helpdesk, but all the support services.

We do things like, you know, the, I’ll say, red teaming and pen testing of the service desk. But again, you have thousands and thousands, hundreds of thousands of calls, right? Coming in to, and requests coming into, the service desk in an organization like that. So, relying on, I’ll say, … if you rely on manual processes and people to follow SOPs [standard operating procedures] in every case, you’re probably not going to be successful, right?

So, what we’ve done is introduce automated identity verification. So, with a third-party service, every time you’re calling the helpdesk internally at United, to make sure you are who you are. Right? So, we have to have an identity verification before you move through to get your password reset, your account unlocked, your MFA, a device added to your MFA program or profile, those types of things.

So, that’s what I said. I mentioned earlier, friction sometimes is good. We also remove the kind of barrier of, you know, we’re not going to measure our helpdesk on their, you know, their customer satisfaction scores for these types of calls because it’s going to be hard. It’s going to be longer. And that’s the way it is, you know, and there’s a trade off there and when I explain to my counterparts in the operation, you know, this is what it’s going to be, they’re like, okay, we get it.

You know, that makes sense. And we all agree that that’s the way it’s going to go. But we are really taking seriously that social engineering threat with the training, with automated controls, measuring that those controls are doing what they’re saying they’re doing on a continuous evaluation. Looking at the call data and request data to make sure that SOPs are being followed and when they’re not, we’re identifying the root cause.

So, continuous improvement in this area, because … if you don’t, if you take your eye off of it for one minute, right, … that’s a minute too late.

Leatherman: Yeah. We’re in this environment where, you talked about it, consistent verification and validation of credentials, of controls, of efficacy overall. We’ve got to get beyond this area where, you know, we implement the control. We verify it once and then we assume it’s just going to continue to work. Or we assume the identity’s not going to be compromised.

It’s that consistent friction that you mentioned, that can sometimes be an inconvenience to end users. We try to make that as easy as we can in controls, but at the end of the day, that friction is okay. A recognition that that friction is okay, is a good thing.

Okay. Now, you talked a little bit about threat intelligence. Tell me about your relationship with others in the sector. For example, other airlines. You are, you have been, a part of Airlines for America. You’re part of the Aviation ISAC.

Talk about the community of airlines and the intelligence you share with each other and the value that you see.

DeFiore: Oh, absolutely. So, you know, being part of those organizations and a trusted partner in that ecosystem really is so important in aviation. We are so deeply interconnected. Right? I always say, I’ve said this a thousand times, you can’t get a plane from point A to point B safely and securely without hundreds, maybe even thousands of people and different organizations touching, you know, part of that logistic.

So, we really do have to act as a collective unit and, you know, securing it, managing threats, and managing risk across that ecosystem. So, you know, being part of those organizations and having those relationships really enables us to, you know, to share information. To say, okay, if we see it, we push it out to, you know, the ISAC or share with our trusted airlines and the whole sector gets stronger then.

Right? So that type of collaboration, I think, really materially changes our ability to detect and be prepared collectively across the organization, across the aviation industry. You know, I think the ISACs really, it’s a real-time collaboration. … You know, you could think of that as prevent, detect, remediate across airlines, airports, manufacturers.

Right? Supply chain. So, that’s kind of where we see that. A4A [Airlines for America], we really work with them to be the voice of the airline industry to, you know, government agencies to stay ahead of the threats and really reflect kind of the reality of what airlines are going through to protect themselves. So, we have a mutual understanding and policy can be shaped that way going forward.

Leatherman: Yeah. Some sectors look at this as competition in this space, right? You’re competitors in the market. And so, there are these silos that are artificially built or naturally built, frankly, in some cases because of that competitive nature.

But really, when it comes to aviation safety, passenger safety, moving aircraft, protecting real-world scenarios that could have tremendous consequence, this is an area you want to see your airlines cooperating.

So, hearing that you guys are working together, seeing these threat actors, sharing intelligence, should provide the audience a level of, I think, satisfaction, that when they fly, the threat intelligence is being shared across it.

DeFiore: It is collective intelligence and collective, kind of, protection. And even … response as well.

Leatherman: And you guys probably use similar infrastructure, similar software, similar technology, all of which are going to be targeted, likely at the same time. And that provides, really, threat intelligence nobody else brings to the table when you can tell your partners, hey, this particular platform is under attack, right?

DeFiore: You got it. We’re constantly sharing, and, you know, I’m communicating with my counterparts at Delta and American a lot.

Leatherman: Yeah. That’s great. And then we talked a little bit about the ecosystem that you kind of deal with. You’ve got airports, you’ve got ground handlers, you’ve got booking platforms, you’ve got on premises, off premises, you’ve got maintenance contractors, cloud providers. A problem with any one of those can cascade into your overall operations.

So, how do you get your arms around the risk in that kind of environment when you’re looking at that kind of third-party ecosystem?

DeFiore: Yeah. So, really kind of managing that ecosystem risk for us means understanding all those critical dependencies. Right? Like that is really key. So, we do a lot of work in understanding, again, not just systems or technology vendors, but service providers. You know, all the different people and organizations that play parts in delivering that capability to the airline.

So, once we understand that, we, you know, we do a bunch of different things. We, you know, segment where possible. We build technical … different technical controls and expectations. We have, of course, contractual, you know, protections in place as well. And then we also have to have operational contingencies because technology will fail. A service provider will, you know, have an issue.

So, when there’s a partner that’s affected, that we have to be able to understand how … to run the airline. Like, you know, I always say like, you can’t transfer … You can transfer some risk, right? But you can’t transfer or outsource accountability. You know, you have to take that on, yourself.

So, that’s how we kind of think about it.

Leatherman: Yeah. And you guys have been tested before. You and the airline industry in general. In July of 2024, the CrowdStrike outage grounded nearly 1,400 of your flights over three days. Your teams manually rebooted more than 26,000 devices across 365 airports worldwide. Then in October of 2025, an AWS outage took down check-in and reservation systems for multiple carriers.

Not just you guys. What did you learn from those experiences about what resilience actually looks like in practice, when those kind of third-party incidents that aren’t your fault, but … are in your environment actually affecting operations?

DeFiore: Yeah. So, I think, you know, those types of like big global kind of outages and impacts, kind of those events reinforce a couple of things for me. I think, you know, first of all, it’s that recovery is a core competency, right? So, it can’t just live in your plan. Right? And you pull it out and think you’re going to follow your checklist and everything is going to work.

So, we really, every time there’s … not an event that just impacts us, but other events that we see, similarities. We always learn from that. Aviation, if you think about aviation, you know, if there’s an incident in aviation, there’s a whole investigation, root cause analysis, the whole kind of system is assessed. We do the same thing from these technology outages and cyber events.

So, really understanding what root cause is, how we can improve, particularly on the, I’ll say, crisis management and recovery competencies. Secondly, I think, you know, from these like from the events you particularly mentioned that concentration risk is real, right? So, we are in a world where there are … a lot of our operating model and a lot of companies’ operating model depends on a single technology path.

So, that becomes, you know, if there’s an issue with that vendor, it escalates very quickly. So, really understanding … really understanding where those points are, those concentration points are. And then building alternate paths where you can, rehearsing again the recovery so the organization can move with confidence when the core kind of system capabilities are degraded.

So … really kind of making that a core way of how you assess risk and operate. And then, you know, thirdly, in our environment, I would say, you know, as much as we want to say automation is going to save everything, manual recovery still matters, right? So, in large-scale operations there are moments when operational continuity still depends on teams being able to execute a manual workaround with discipline.

So, we’ve spent a lot of time … like, understanding where those choke points are and how we would kind of mobilize manual efforts. If it is something, like you said, rebooting workstations at airports or if it’s, you know, … like moving bags and getting, you know, passenger bags to the places they need to be in a manual way at scale.

So, those are the types of things that we built in, you know, that recovery in our operating environment and that really makes us … I think that makes us, but also tests an organization if you’re actually resilient.

Leatherman: Yeah. I hear you saying practice, practice, practice. Right? It’s not just about having an incident response plan. That’s as good as the paper it’s printed on. If you haven’t practiced it, you don’t know where the gaps are, right? From our perspective in the FBI, we do a lot of incident response in the cyberfront to industry, critical infrastructure, and the government, domestically, internationally.

And what we see is organizations that practice their incident response plan, not just once a year, but on a regular basis, those organizations that bring in all stakeholders, not just the cybersecurity teams, but have the discussions and engagement with the boards of directors, have it with your external and internal counsel, bring law enforcement into some of those tabletop exercises.

What does that look like from your perspective? You guys clearly have incident response plans, but you have to often … think outside what is probable to what is potentially, you know, a disparate thing that may actually come into play in a cyber incident. You often have to imagine what’s in the realm of possible. Right?

And so, what does the practice look like in practice for you guys when it comes to incident response?

DeFiore: Yeah. So, … we do have, you know, I would say like, incident response plans. I’ll say what people think of incident response plans, like the cyberteam kind of combating the threat and containing and eradicating.

Right? So, we do all that and we continue to evolve and practice that on a, you know, a continuous basis within the cybersecurity organization.

But I think the more important point is we have an integrated practice with our crisis management team and our emergency operations center at the airline. So, we take a look at not just the technical implications, but the operational impacts. So, you know, what if we have an issue, how does it affect moving aircraft? How does it affect, you know, moving crew or supporting crew, serving customers?

You know, things like that. So, we don’t, we really kind of iterate on those and then we pair that not only with the technical response, but the operational response. And then we start to create those playbooks and we test them and we continuously validate and adjust on kind of the changing environment.

I think it’s really important to, you know … to continually kind of push at scenarios and practice scenarios, even walkthroughs if you’re not doing a big one. You know, we do big quarterly, you know, drills and things like that with the whole airline, but even kind of the walkthroughs and tabletops that you have at periodic points, and more frequently than not, are super important.

I would say it’s kind of more of an art than a science, right? Because again, those checklists, they give you a starting point. But you have to be able to work in this environment and have, again, trusted relationships. The data that you need to make decisions in a very, I’ll say, dynamic and, you know … stressful environment or time.

So, the more you can build that muscle memory the more … I don’t want to ever say it’s easy, but it becomes easier to operate in that environment, and you have more confidence in the actions you’re taking are actually going to, are actually driving resiliency or threat management or operational resilience.

Leatherman: Yeah. I’ve mentioned on the show here, I’m a pilot. So, I love talking to an airline. But the idea behind emergency response and being a pilot is you have checklists. And the checklists are not there in obscurity. We practice emergency operations, whether it’s fires, you know, failure to retract or extend landing gear, or flap failures, like whatever it is, hardware or otherwise.

We practice that all the time, and then you are really attuned at going down your checklist, your incident response plan. But often what you find is that provides you the most … the prioritized list of where you need to go to fly the aircraft and keep it safe. But then you start to troubleshoot off of that where you need to.

And that happens because you’ve practiced it so often, you’ve done it so often and injected so many different scenarios that now, you know I’m hitting the checklist items. But as I do this, there are these things that have come up in practice that I could also address in doing that. It’s got to … I have to imagine it’s the same when you’re in crisis.

DeFiore: Yes. It’s really the same concept. We don’t want like … separate, like totally different processes or totally different philosophy than the way we run the airline. So, we really embed like cybersecurity, cybersafety, cyber resiliency into the operational processes and manage it the way we would manage other crisis events at the airline.

So … it’s a good practice, it’s a good framework to work in because it really does. We’re celebrating our 100th birthday, you know, as an airline, the aviation industry has been around for more than that. So, it’s a proven way to do things. So, I think, you know, we have … a lot of synergies and ability to take that framework and operate as threats evolve. As digital. You know, evolves.

And it’s really the same in my mind.

Leatherman: And then you’ve gone through a lot of tabletop exercises, and then you’ve gone through true crises where you had infrastructure issues. For CISOs out there who haven’t had the reps when it comes to actual crisis, a ransomware attack, a major third-party incident that really impacts your data integrity, availability, or confidentiality.

Like what are things that you would recommend they start to think about today when it comes to how to prepare for a cyber incident that is not traditional, like a lot of people are like, “Okay, disconnect these things. Ensure that we’ve, you know, we’re looking through these logs.”

But what other things should they start to think through are areas to really focus on in advance of a major cyber incident that has been valuable to you as you’ve gone through these?

DeFiore: Yeah. So, I think besides kind of like your, again, your technical IR [incident response] plan, there’s a whole, I’ll say, … there’s like two bookends in my mind. There’s making sure you have trusted relationships with either, you know, not just intelligence firms, but law enforcement and other government agencies. You don’t want to be like calling these folks up the first time you’re in a crisis because they’re like, “Who are you? What are you doing?”

Like what? You have to be able to have those relationships and develop those relationships. And it’s better for those parties to have a mutual understanding of what the environment looks like, what the outcomes you’re trying to achieve are, what your priorities are. And have that alignment, you know, evolve over time under, you know, your own terms versus in a crisis.

Right? So, I think that’s super important. The other end of the spectrum, right, is around, making sure that you have the, I’ll say, operational and business hooks into your response plan. It’s one thing to be able to recover from ransomware. It’s another thing how to run the business, your organization, that airline under those conditions.

And I think that’s not going to be you as the CISO. You mean people are going to look to you to say, “Well, what do I do?” But that’s not … you can’t do that. Like in that crisis. You’re trying to manage the threat actor, you know, contain the threat, eradicate, recover the systems to make it safe.

You have to make sure that that cross-functional, you know, business counterparts understand what to expect in an incident, what they need to do to make sure that they can run their function, their organization, in a manner that is appropriate under those conditions, and like make sure that they understand that.

Because that cyber event management is cross-functional across the whole entire organization. And if you haven’t started that, no matter what you do on the technical response piece, you’re going to cause, you know, revenue … there’s going to be revenue impact, reputational impact, regulatory issues. You know, potential customer safety, whatever it is. Right? Like you got to get that right. So, I would spend a lot of time doing that … doing that as well.

Leatherman: Great. Yeah, I love that you guys have a great relationship with the FBI, which gives you the availability of intelligence that you can only get from law enforcement agencies. And then when crisis hits, we’re joined at the hip to understand how we … can help you with containment or response activity while also allowing you to do your job in containment and response, and just being that supporting element within government.

And then you guys give us valuable information, you in general, an industry that allows us to pursue threat actors upstream using the infrastructure that they use to target us.

So, can you talk a little bit about the importance of kind of that relationship?

DeFiore: Sure. So, I think, you know, again, I’ll say it again, most important and effective part of our relationship with the FBI particularly, is before the incident, right? Regular contact, trusted information sharing, knowing who to call, because it’s not always clear as well too, like you know the way the FBI is organized. It’s, “Okay, well, we’re based in Chicago, but things are actually happening over here. And who’s going to take the lead or whatever.”

So really understanding that because you don’t want to have to navigate that through a crisis anyway. You know … and that’s really, really important. I think the FBI really brings … like the value of the FBI as an engagement there. You bring a broader view than any one company can have on its own.

Right? So, you see patterns across organizations, across sector activity and even kind of emerging, I’ll say, tactics that we aren’t going to see. Right? So that helps us tune our defenses, prioritize action on actually what’s happening versus what’s theoretically possible. Right? So, I think it’s super important for organizations to have that type of relationship with the FBI.

And, you know, the last thing, too, is I think people need to understand and recognize that, you know, my job as a CISO and my team’s job is to protect the organization and the operation. You know, the law enforcement, FBI, is to get these guys right? Right? And sometimes they are opposed in the way we want to do things.

But if you keep that understanding in mind and you’re communicating about, “Well, okay, if … the FBI wants to do this, but hey, we’ve got an operation to run. We can’t …” You know, I mean, like, this is the consequence of it. You get to a better outcome when you’re collaborating and communicating in that trusted way.

Leatherman: Yeah. I think trust is built before the crisis. Right? That’s so important. So, that when the crisis happens, that’s when you’re spending that trust in that relationship that you built early. I would encourage anybody who’s listening, you can get a list of FBI field offices from fbi.gov.

And actually, we’ve built into IC3.gov, you’ll see a private industry tab at the top: an opportunity to reach out to your local field office. You fill out a form, it gets sent to the field office and we’ll get you connected to the cyberteam there if you have an interest.

So, recently, I noted something here that’s unique. There’s a talent gap. There continues to be a talent gap in the cyber discipline.

But we all need folks to defend United and the networks … that you guys defend. So, United recently launched a cybersecurity rotational program specifically designed for early career talent from nontraditional backgrounds.

You’ve talked about hiring people who didn’t come up through the traditional IT pipeline. So, what are you seeing work and why does that matter in this industry?

DeFiore: I think it really matters because, again, as technology is consumed at such an exponential rate nowadays, you know, the attack surface grows along with that. And that means we have more to do on the cybersecurity side. We’re not going to hire our way out of the, you know, out of being able to get enough people to, you know, work in the field and protect the organizations we need to do.

So, I think one of the most important things that we can do is build talent through experience. Not just … It’s just not academics in theory. Right? So, the program we put in place is rotational because we want people to develop range, have practical experience. They can learn incident response, identity, risk management, engineering, governance, and then have all the operational context of being at an airline in that program.

Right? What I found especially … and one of the reasons we kind of launched this was there was a lot of interest from, you know, people in the airline. Say a ramp worker, a customer service agent, a flight attendant that maybe was trying to, you know, go to school, get a program, or just had a passion around technology.

And they understood the operation. So having them come in to … transition to a cybersecurity career from an operations career has been tremendous help for my team, because we have additional context in the way, like the way the airline works.

They’re like, “Oh yeah, well, if we do this or respond this way, that’ll break this. You mean that’ll break this operational process.” Or, “Oh, the pilots are going to get really, you know, upset about that. You don’t want to do that. Let’s talk to them before we do that.”

So, I think those rotational programs really provide a lot of value. Not only for the people that are coming through and getting the experience, but also, you know, building a workforce that is, you know, understands the business and makes sound decisions under pressure and really creates a resilient organization that way.

Leatherman: Yeah, that is incredibly important. We could all do with a more technical workforce in general. Even if they don’t work in cybersecurity. It gives them the exposure to the tech that I think they really need and that security mindset. But we all, and I’m a big advocate for, succession planning for all of us, at all levels of the organizational structure and identifying those future leaders through those rotational opportunities. I have no doubt it’s incredibly important for you guys and for all of us.

Deneen, last question. The show is about getting ahead of the threat here. You’ve spent over 20 years doing this across, you know, aviation. And serving in some pretty concrete roles, both within United and within the sector. If you had just a few minutes with a fellow CISO or a CEO or a board member, what would you tell them they should start doing right now if they’re not already doing it?

What should they be thinking about as we’ve kind of advanced into this new threat environment? That, from your perspective, would be incredibly important.

DeFiore: Yeah. So, I think it’s really understanding that, you know, I don’t think what … we’re dealing with in the future, right? It’s not going to change what we defend. … What’s changing is the speed and precision in which attackers, you know, can operate. And also defenders can operate.

Right? So, you know, there’s going to be much more capability … that I think we’re just scratching the surface now. So, I think that means that, you know, if we’re not; if CISOs and board members aren’t thinking about, I’ll say, moving into more of a continuous controls environment, more intelligence environment, and having, I’ll say, the approach to get those capabilities embedded in the enterprise processes, they need to start doing that now.

Because it’s really not just how, you know, I think not just how CISOs defend technology and secure technology.

It’s going to be like, in this new world, it’s going to be helping, like the business use technology and govern it, you know, responsibly and securely because it’s just going to get too big, too fast at scale. And we’ve got to figure out how to shift that paradigm, right. So we can operate at that scale. So, that’s what I would say.

Like let’s start thinking about that and figure out how we’re going to make those, you know, we make those changes and that shift in paradigm.

Leatherman: I couldn’t agree more. Deneen DeFiore, vice president and CISO at United Airlines, thank you so much for joining us today on “Ahead of the Threat.”

DeFiore: Thank you for having me, it was a pleasure.

Leatherman: Yep. So, you’ve heard a lot today, I think that is tremendously valuable about continuing verification and validation across the spectrum; looking at those controls; looking at the identity and access management; cybersecurity as a business enabler; developing the next generation of cyber leaders; and raising our collective technical acumen across the organization in resilience is incredibly important in today’s environment. Being able to not just prevent every breach, but really to be resilient across the breach.

So, really enjoyed today’s conversation. To our listeners, thank you for tuning in. If your organization experiences a cyber breach, we encourage you to report it to the FBI, to your local field office. We’re here to help. We bring threat intelligence to bear that helps with containment while we pursue the adversary. There’s deterrence through defense, but also deterrence through offense.

And our teams are out there imposing cost on malicious cyber actors every single day. I’m Brett Leatherman, assistant director of the FBI Cyber Division. And together, let’s stay ahead of the threat. Thanks.