Inside Fintech Security: Erika Dean on Tackling AI Threats and Third-Party Risks - Part I
About This Episode
In this episode, hosts Rachel Lyon and Jonathan Knepper sit down with Erika Dean, Chief Security Officer at Robinhood, to tackle the evolving threats facing the fintech world. Erika brings more than two decades of cybersecurity experience—including leadership roles at Capital One—and shares her firsthand perspective on the sophisticated phishing scams, nation-state infiltration tactics, and the complex challenges posed by crypto and blockchain security.
Together, they unravel how AI-powered deepfakes are making social engineering tactics harder to detect, the importance of robust industry intelligence sharing, and why managing third-party risk is more vital than ever in today’s hyperconnected digital ecosystem. Plus, Erika offers practical insights into regulatory changes, incident disclosure, and how companies can strike the right balance between transparency and protecting sensitive information.
If you want to know what’s really happening behind the scenes in fintech security—and how leaders are adapting to a rapidly shifting threat landscape—this conversation is one you won’t want to miss.
Rachael Lyon:
Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Jonathan Knepper. Jon...
Jonathan Knepper:
Hi, Rachael.
Rachael Lyon:
Happy Friday. Now I have to ask you a question because I'm gonna date myself with this podcast recording, but RSA is next week. I have not packed yet, and I'm flying out in, like, four hours. Do you do that to yourself as well? I had all this game plan to do it last night, get ahead of the thing, be ready. No. No. I watch Dope Thief on Apple TV instead.
Jonathan Knepper:
I I do exactly the same thing. And for me, I love to drive to RSA because, it's nice and relaxing, but that that allows me to be even more, unprepared on my packing plans.
Rachael Lyon:
That's hilarious. I think I'm just gonna shove a bunch of stuff in a suitcase and just hope it works out when I get there, and we'll see. We'll see. So I'm excited to welcome to the podcast, Erika Dean. She is the chief security officer at Robinhood, where she oversees the security privacy and corporate engineering organizations.
She has over two decades of experience in the security industry, including more than twenty years at Capital One Financial, where she held myriad cyber leadership roles, including chief information security officer for US Card, International, and Small Business. Welcome to the podcast, Erika.
Erika Dean:
Thank you. Very happy to be here. And I think I'm the same way as you two. I definitely wait till the last minute to pack. And then if I happen to have to go shopping while I'm there for something like a sweater, which is almost always what I forget, a sweater or a jacket, then I also don't think that's too bad.
Rachael Lyon:
Agreed. Agreed. It's all about options, you know, and and being flexible. I mean, everything delivers these days. It's kind of amazing. You could get same day delivery in most of the big cities, which
Erika Dean:
Yes. It's pretty nice.
Rachael Lyon:
Kind of encourages the last minute approach, I think. Yeah. I think so. Oh, I'm sorry. John, did you wanna kick us off? You know how I can I can chat all day?
[02:23] Cyber Threats in Fintech
Jonathan Knepper:
Yeah. Absolutely. So, you know, Erika, I think let's just start right off. What kinds of threats are you seeing today in in fintech, and, what kinds of things are are yourself and industry overall doing to proactively protect against those threats?
Erika Dean:
Yeah. That's a great question. The most interesting part about what we're seeing is it's not like it's new in the sense that we still have phishing. Phishing is one of the most popular things that I think continue to be pretty prevalent. But what's different about it is that it's faster, it's more sophisticated, it's harder to detect. You also have to worry about, what industry you're in. Even in financial, there's nuances. Right? If you're in a bank, if you're in a brokerage versus, like, a crypto company, all three of those are slightly different in nuance about how you would protect from a phishing perspective.
Erika Dean:
So a good example would be if you were just in a traditional bank or even brokerage, you have your normal phishing websites that would come up. You would hire a company to do takedown services. And that's pretty traditional. Like, most people have some sort of takedown service. But when you think about it from a crypto standpoint, that is completely different. How you do phishing in a crypto world, you have to worry about smart contracts. You have to worry about blockchain. And so the takedown surface has to be specialized.
Erika Dean:
So there's multitude of things you have to think about as as the industry, evolves. The other thing that we've seen with the social engineering and phishing is that AI generated deepfakes are becoming more prevalent. Mhmm. The way by which they craft the emails, AI is incorporated into that, which makes it more realistic, harder to detect, not as many spelling errors, not as many obvious things. They take things from real world scenarios, so they sound more real. So it's not that it's new per se, like the topic, still phishing, still social engineering, but it's becoming faster for them to stand things up Mhmm. Harder to detect.
And so we are we are finding that in addition to take down services, you have to be very, like, on your game to make sure you're still taking in feeds and and, understanding whether or not there's other things that you have to do to make sure that you're actually getting them shut down or educating your people.
Erika Dean:
Right? Those things are still the things that you need to do, but having a diversified takedown services are also really, really important. The other thing that we're seeing that's emerging is, infiltration of, nation states into companies where they're actually trying to be employed, sit and wait, and then perform their attack. It used to be that they would be more around the espionage, but I think it's actually a way to get into the company, to get around some of the security controls. They also because of remote and not every company has gone back, it started when after COVID when most companies went remote where they could use deepfakes to try to like pretend to be someone else or they would, forge IDs, pretend to be someone else, have someone else interview, and then they would then do the work in the back end.
And so that is something we're also seeing that I would say it is of the most importance that you have a good network from an industry standpoint. You can get the right IOCs, the TTPs, so you can actually incorporate them into your hiring process to detect and actually remove them from the hiring before they actually get hired. Because, obviously, you don't wanna hire them and then find them from an insider perspective. Right.
Erika Dean:
The goal is to prevent them from ever being hired. So adjusting your hiring practices to be able to detect it. So having better background checks, doing ID verification, almost like you would if you were in custom you like, banking and doing your normal checks from a KYC perspective. You would wanna make sure you're you're doing something similar for onboarding employees and making sure that they're actually who they say they are.
If you are no longer remote and you have offices, bring them in for interviews so that you can make sure that it's really the person you're interviewing is the person that's gonna start the the the day that they start. So, there is a lot of things you have to think about, especially as the world has changed. And that if you think about it, it hasn't been that long. COVID wasn't that long having to work from home, and most companies did indeed actually go remote Mhmm.
Erika Dean:
Because of of all of the restrictions that we had around being in office and, and so you had to adjust. And so I think that while companies are starting to move back into office, you still have some of the same threats you have to think about.
Rachael Lyon:
Yeah.
Erika Dean:
I think that one of the other things that, I continue to see as, something that's kind of, like, new and kind of arising is, just the the way that you can, from a QR code perspective, scanning QR codes, especially when you're trying to make things easier for customers. Like, when you think about it from a financial standpoint, even if you look at companies like Venmo, you have, like, a QR code. Obviously, people are trying to to get people to, like, incidentally pay someone else other than the person they're trying to pay. So it is very it is very important to kind of make sure that you have detections and controls in place to help your customers be mindful. So it's not always things that you can do as a company. It's also educating your customers.
[07:49] Preventing Threats with Intelligence Sharing
Rachael Lyon:
Absolutely. You know, kind of on that front, what I what I find really interesting, particularly in the in the fintech world, when maybe you identify these attack vectors or what's going on, you know, how does intelligence sharing work? Because I know that there's it's it's an interesting dichotomy in cyber. Sometimes there's I'm going to be a friend and slide it to you under the table, but then there's also kind of more formal channels. And I I'd be curious on your perspective there.
Erika Dean:
And it is a little bit of both. Right? I think that you have to have the industry channels, like FS-ISAC, where you get your normal TTPs. But in addition to that, it is also really important that you have a strong network, right, of other financials but also other industries. As a matter of fact, one of the first indicators that we received, around the infiltration of nation states into, fintechs and technology was actually a technology company, not a fintech company. Interesting. And partnering with those companies to be able to, like, have your threat intelligence team and their threat intelligence team be on the same page, really, really critical.
And so I do find that the network that you have bolsters your threat intelligence organization because you can then pair threat intelligence teams and make sure that you're both benefiting from what you're seeing from a trend perspective, what you're seeing in the dark web, the chatter. Plus, when you hear something about other companies and you're sharing that with them and, hey, this is where we found it, it allows for you to build that trust and that and that network across the board.
Erika Dean:
And so I do think it's really, really important to have both the official channels. Like, we obviously work with law enforcement. We work with industry normal, feeds. But then in addition to that, I think having, as you said, kind of like slide under the table, but it is having those conversations between company to company, making sure that you're able to share the TTPs and IOCs. Not that you're sharing confidential information because you're, you're literally just sharing the indicator itself that helps them to detect it in their own network.
It's very similar to even in the fraud space. Right? You wanna make sure that you're sharing, hey, I'm seeing this fraud ring moving through this organization, giving your peers a heads up to say, this is what we're seeing so that they can also then incorporate that so that they don't get scammed from the same fraud ring.
Jonathan Knepper:
Do you have any examples kind of on this front that you can share of maybe some of these interesting indicators that have come through that have helped you find things?
Erika Dean:
I'm trying to say, like, how do you make sure that you don't actually Yeah.
Jonathan Knepper:
Without a word shaking any confidential stuff.
Erika Dean:
I was like, how do you say it without tipping off the the bad guys that might be listening? So I would say for the nation state, the really cool thing is that we did end up getting, like, a list of, like, email addresses and, names with addresses that they would typically use and, AI generated images that they would use from an interviewing standpoint. And so we actually did incorporate that back into our interviewing process to be able to review. We were able to obviously search for the email addresses to be able to determine whether or not we saw anyone in our pipeline. And so I do think that even something as simple as that are IOCs that we can actually incorporate back into it.
Or, from a fraud ring perspective, like IP addresses that were associated to particular activities, also has been really helpful to be able to detect fraud rings and be able to to shut it down. Obviously, that has evolved over the years, and I think that this is something that's been going on for years of intel sharing. Even when I worked at Capital One, the same thing. Right? Like, we would share between other financials, and that was a really, really big thing, especially during the time when when it first started to, kick up around credential stuffing.
Erika Dean:
They would use some of the same bots and pods of trying to attack financial services. And so it allowed each financial service to kind of ramp up. So when you have, like, IP addresses, locations, traffic patterns, those are all IOCs that get funneled into a network of, from an industry standpoint, it allows us to actually really hone in on our detections or even in some cases blocks. Right? You wanna make sure that you're able to apply those.
Rachael Lyon:
To that point, I think this is an interesting question too, because when you talk about sharing just enough information on the attack without trying to exploit your own information, but how do you I mean, that line, you... You know what I mean? Like, you you wanna give enough information so someone else can take action, but you don't wanna reveal your back end. I mean, how do you find that line sometimes? Because I imagine it could get
Erika Dean:
really tricky. It does get a little tricky in some instances. I think that it is really understanding what is okay to share Mhmm. And with whom to share because you still have to have a some level of trust. And even though you're both organizations trying to protect your companies and you have threat intelligence teams, and they're supposed to be aimed at aiming at the same direction. Right? You're you're supposed to be on the same side. You still don't want to give confidential information. So you only wanna give the data elements from the attacker, not from the customer or the target.
Erika Dean:
And so it is it is a little bit more straightforward, but sometimes it can kind of bleed because as they're gaining information from a customer standpoint, if the attacker has actually infiltrated, right, then you're actually gonna run into some problems where you're like, okay. I have to make sure I only give what the indicator was of how we actually found the attacker and not any of the information of where they were taking the information from. So I think if you weigh on that side of, like, being cautious and making sure that you're thinking about it from what do you need to know about the threat actor versus, like, what they were trying to obtain, it makes it a lot easier. I will say that you can generalize.
Like, if you're, talking to another threat intel team and you say, okay, here is what we saw in our traffic patterns around where the threat actor was coming, what they were going for. The part of what they were going for would typically be, okay. They were targeting customers' financial data or they were targeting not actually trying to take anything. They were trying to place malware in the system. And so it allows understand, like, what it is.
Erika Dean:
And then you can even tell them, like, this was the package that they were they were, applying in the in the environment, and here's what you need to look for. But we wouldn't tell them, like, they put it into this part of the directory of this. Right? You just wouldn't go down to that detail. Yeah. Because it's not necessary for them. Yeah.
[14:41] Vetting Third-Party Threat Intelligence
Jonathan Knepper:
Yeah. That makes sense. And how do you how do you assess and manage kind of the risks of of all the third party players here, right? Like, you've mentioned it's like industry player, you know, common FinTech industry people, but there's also like third party industry folks who are participating in this. What kind of protocols do you have there to to manage that?
Erika Dean:
Yeah. Third party relationships are always interesting, both from a threat intelligence gathering perspective because they're treated the same way as every other third party that we have. So if we're going to, utilize their APIs and pull information, we still wanna make sure that we're not pulling something that's gonna cause our company harm. Right. And so we still perform the normal third party assessment, making sure that we understand how they do security, knowing and understand how they do incident response. Do we have a clause within our contract with them that says you have to report an incident? Do they make sure that they actually have a vulnerability management program?
So all the normal things you would do for any other third party, you would want to do for any of the engagement you have with a third party that you're going to be receiving threat intelligence information from. You also wanna make sure you're doing a vetting. Right? You don't wanna just take someone that you met at some conference because that that could also not be good.
Erika Dean:
You wanna make sure that you're actually understanding, like, what is this company about? Are they actually the best company for you to gain the information? You don't have an unlimited amount of budget. You wanna make sure you're getting the best money for what you're actually getting from a product standpoint. So it's no different than any other product selection. Having a bake off understanding, like, what are they offering, how their posture is from a security standpoint, and will you actually get what you want from them in a safe way? And so it is it is very similar to how you would just treat it.
From a networking standpoint, usually, you would only start that process if you'd been working with them for a while and you understand, like, how is their environment. And so it's very similar. And also the conversation is around, like, they're not giving you any. You're not transferring actual, like, data.
Erika Dean:
It's more like data points and elements that would normally be sent, like, via email. Not like I would download a file. That's normally from an industry player, not a, not a, like another, business that you're partnering with. You know, and usually, like, if you're it's another fintech partner or another technology partner, you already understand their company and most of the time you probably already have a relationship of some sort. So you've already gone through the third party process. So that is also, a lot of cases as well.
Rachael Lyon:
I imagine with fintech though, it's really complex, the number of vendors and networks that you are integrated into, like globally. I mean, it's how do you manage that, Erika?
Erika Dean:
Third parties are a large part of almost any technology, especially if it's a large technology company or a financial services industry, whether that's fintech or, you know, brick and mortar financial. Yeah. And I would say the the only way to manage it is to actually have a program by which it catalogs all of your third parties. You track it. You have a process that starts from procurement, and there is no way to circumvent that process. Like, you can't buy something off of a credit card. You wanna make sure that that process starts at procurement and then funnels through into a third party risk management program, which includes cybersecurity assessment, sometimes a site assessment to make sure their physical controls are in place, that they have background checks, having a robust third party risk management program, really important, having a good team of lawyers to make sure your contracts are solid that, like, say, for example, you wanna make sure that you have the incident response part of it. But in some cases, depending on the vendor, you might even wanna say, there will be a penalty if we catch you not telling us about something and we find out about it from the news.
Erika Dean:
And so getting really honed in on the language of the contracts is important, having follow-up meetings. So if it's a really critical third party and you wanna make sure you're risk ranking third parties. Because, like, the cleaning service may be one risk level, but a company that is literally handling all of your most sensitive data might be at another risk level. And so you wanna make sure you understand what they are. And if they're super critical, you have quarterly check ins with them where they actually tell you about what are they doing from a business standpoint. Are they resolving the things that you have found from your assessments and making sure that communication remains open and having that check-in so they know we're we're partnering in here. We wanna make sure we're on the same page.
And so having a a robust program escalation process to make sure that if something's not being resolved, the executive that is accountable for that relationship is leaning in and talking to their CEO, their CIO, that we're able to connect with their CSO and that leadership team. So it is making sure it's the it's a robust process and, a lot of tracking.
Erika Dean:
Right? You wanna make sure you have a system of record, that you have more or less like a scorecard for every vendor that you have. Mhmm. But it it does get very complex. And it does require that you pay attention because it is one of the most common ways, especially now. They really do like to attack a third party and then hit multiple companies. Mhmm. So if you don't know the kind of company you're doing business with, that could be an entryway for an attacker. Even if you secure your entire environment, one connection could cause that to just fade away.
[20:26] Securing Crypto: Unique Challenges
Jonathan Knepper:
Absolutely. So I I wanted to go back to something you mentioned early on, which was around crypto and blockchain and smart contracts. You know, I think, you know, there's there's a lot of risk there in how how immutable things are after they happen. Can can you talk about, you know, how how you handle making sure you still have the velocity, right, to be able to handle transactions? But but what kinds of things can be done to protect against both kind of intrinsic things, like faults within smart contracts in addition to things that might be attackers, kind of in that space?
Erika Dean:
Yeah. There's a lot of things that you have to think about. It is it is a different way of securing a crypto environment versus, like, a normal, banking environment because you do have to worry about the fact that once it's gone, it's it's gone. There's it's not able to be traced in a lot of cases. Right? You you've started to hear in the news about a bunch of heists and things like that, and some of them, interestingly enough, was through a third party. Right? They infiltrate a third party, made it seem like the approval.
It is making sure that how you have your approvals and your checks and balances are in the right pattern and that you understand how each connection works in making sure that who is signing off on it is actually the person that should be signing off, and the request is actually coming from the customer and the recipient that's supposed to be and not some third party that's kind of intercepted between the two of them. It is also why I said, even from a phishing standpoint, you have to make sure that you're paying attention to that because traditional takedown services wouldn't necessarily know how to approach them.
Erika Dean:
Right? They're gonna think about it as for a website, but they use Telegram services, they use Discord, right? It's not the same environment, and so you do have to know all the different aspects of it. It's also making sure that you have the right, staff on hand because it's not it's not, okay, you have a pen tester. They're used to pen testing websites and applications. When you have a crypto company, you have to make sure that you're actually testing smart contracts, that you are doing audits against those smart contracts to make sure that there's not gaps in the controls that you have.
And so there is a multitude of things that you have to think about, when you have something like blockchain environments, to make sure that you don't have a hole in the environment that it's basically the money's going to be gone because you can't get it back. You can't trace it. It's really, really hard to, like, figure out, like, where are you going to go after that? So, yes, it is it is a different way of thinking about things.
Rachael Lyon:
You hear those stories too when, you know, they they lost, I guess, the the hard drive that had all their crypto on it or whatever, and actually threw it away and it was $10,000,000 or something. And it's gone. It's gone gone. It makes you wanna cry for them because how do you how do you fix that? But it happens.
Erika Dean:
Yes. And it and I would say and what's worse is that you can't you can't just say, yes. We'll just we'll just give that all back. Right? It's not it's not it's not that simple. So, having an external wallet is, yes. There's a plus and minus to it. Sure. You have the control over it and you have the security around it, but then you also it's only you.
Erika Dean:
So, it is it is it is terrifying. I think that if you think about it, it's there's a lot of a lot of things you kind of have to, like, work through. Like, you have online wallets, which a company will help you to protect, and then you have your other digital wallets where you're actually controlling a lot more of it. It does put a lot more into some customer sense, but if they are not familiar with how to manage their own crypto, it can be scary dangerous for them to lose a lot of money.
Jonathan Knepper:
So, you know, moving on here a bit, you know, Robinhood has has shaped a lot around the incident disclosure rules, and and, you've you've applied a lot of pressure on things becoming law. What what kind of principles guided your approaches here?
Erika Dean:
The principle usually is when we talk about any any regulation where we're able to opine on, it is looking at it from an industry standpoint and and how to make both the customer safe. Mhmm. But but also, like, is it is it something that's gonna cause an attacker to have an upper hand? Because when you were talking about cybersecurity, there is a balance. Like, for example, the disclosure requirement for the SEC in the original language, it it was disclosing a lot more information. And when you do that, especially during an investigation, you had to report in a very short window that things were going, like, you had it you had an incident, which means an attacker, if they're still in the system, you are gonna be in trouble. Right? It means that you're giving them a leg up. You're helping them to understand where you are in your investigation. And so being able to say it more of a high level, hey.
Erika Dean:
There's something happening. We've contained it. This is what's happening, and having it disclosed more directly to the SEC versus to all of your investors and the SEC is a big difference. And you do have to worry about that. Right? You have to worry about the information you disclose even in this conversation. Right? Part of this is, like, making sure you don't disclose too much because not the only people are listening or people that wanna learn. There are also threat actors listening. You have to understand what that looks like and making sure that you're not giving too much detail.
Erika Dean:
So going into policy making is the same thing. Making sure that we're giving enough information so investors can make informed decisions and that they have the information that they need, but not giving too much information by which someone else can utilize that to do more bad things or to to pivot and change what they're already doing if they're already in your systems.
Rachael Lyon:
And with that, we're gonna call today's episode a wrap. And please be sure to join us for part two of our conversation with Erika Dean next week where we pick right up where we left off. As always, thank you for joining us, and don't forget to subscribe. You get a fresh new episode in your inbox every single Tuesday. So until next time, everyone. Stay safe.
About Our Guest
Erika Dean, CSO, Robinhood
Erika Dean is Chief Security Officer of Robinhood Markets. She oversees the Security, Privacy and Corporate Engineering organizations, which include the information security and productivity functions. Erika has over 20 years of experience in the security industry. Prior to joining Robinhood, she spent over 20 years at Capital One Financial, where she held a variety of leadership positions in cybersecurity, including serving as the Chief Information Security Officer for US Card, International, and Small Business.