Navigating the Travel Industry with Threat Intelligence
Our guest this week is Collin Barry, Director of Cyber Threat Intelligence at Expedia Group. He shares his career path, including globetrotting stops at the CIA and with Booz Allen Hamilton, and what his day-to-day looks like at Expedia Group, leading their threat intelligence efforts, protecting their online travel and marketplace endeavours.
He shares his experience starting a threat intelligence operation from scratch, how he established buy-in from stakeholders, as well as why he believes attribution is secondary to understanding adversary tactics.
This podcast was produced in partnership with the CyberWire.
Dave Bittner: Hello, everyone. And welcome to episode 207 of the Recorded Future Podcast. I'm Dave Bittner from the CyberWire. Our guest this week is Collin Barry, Director of Cyber Threat Intelligence at Expedia Group. He shares his career path, including globetrotting stops at the CIA and with Booz Allen, and what his day-to-day looks like at Expedia Group, leading their Threat Intelligence efforts, protecting their online travel and marketplace endeavors. He shares his experience starting a Threat Intelligence operation from scratch, how he established buy-in from stakeholders, as well as why he believes attribution is secondary to understanding adversary tactics. Stay with us.
Collin Barry: Path in life is anything but straight. After college, I started out with American Express and I held a variety of positions over a nine-year period, working in business development strategy and closed out my tenure heading up the small business portfolio, which today is known as Open. I was based in London, England. And so that was my first foray into life as an ex-pat. After American Express, I decided to return to graduate school full-time. I pursued a master's in international relations and it was in grad school that I was recruited into the CIA. And I was hired into the agency, the counter-intelligence center, as an intelligence analyst, focused on a variety of subject areas, shall we say, that fell within the rubric of counter-intelligence. And I was at the agency for five years and received a phone call out of the blue from a good friend that I had worked with previously at the agency who invited me to consider an opportunity with Booz Allen Hamilton.
And that position came to pass. And I relocated to Stuttgart, Germany, where I spent a few years supporting the... Basically Booz Allen was given a unique opportunity to help stand up the G-2 intelligence directorate within the US Africa Command in Stuttgart. And I was specifically aligned to the J2X division, the counter intelligence and human intelligence division. And I was there for five years. And then I transitioned back to the United States and joined Booz Allen's commercial practice.
And that's where I became heavily involved in cybersecurity. We were supporting a big client in Minneapolis after a fairly significant cyber event. And I did that for a couple of years. And then Booz Allen asked me to move to Riyadh, Saudi Arabia, where I was helping to lead a project on behalf of the kingdom. And then after that, Booz Allen asked me to move to Singapore to help lead the cyber practice across the Asia-Pacific region. And I did that for a couple of years, and then an opportunity presented itself out of the blue to join Expedia Group. And by that time, after living overseas on different continents, I decided the time had come for me to indeed come home and let some grass grow under my feet.
Dave Bittner: Well, what is that experience like? I mean, the amount of international travel that you've had. I think that's something that would intimidate a lot of people. Are there specific challenges to taking on those sorts of adventures?
Collin Barry: That's a great question. There are. I think you have to be... It certainly takes a certain constitution to step into the void and embrace the ambiguity that comes with living overseas, particularly when one relocates alone without a family or anybody accompanying them. I think the hardest transition for me was when I first moved to London. I was 29 at the time and a little bit junior in my thinking, in my perspective, but boy, very quickly I came to embrace life in London and all that Europe has to offer and the richness and the cultural diversity.
And so the next opportunity, it was Germany and then Riyadh and Singapore, and with each iteration, each expatriate move, it became easier and easier because you become more adept. You understand what you're up against, but it's less what you're up against. It's more about the excitement and the opportunity that is yet to unfold and really just the opportunity to completely immerse oneself in foreign cultures, foreign environments and just embrace the world and travel. There's no better opportunity to broaden one's horizons than to live and work overseas.
Dave Bittner: What sort of perspective does that give you being back stateside now? Do you feel as though you look at your own country in a different light?
Collin Barry: Absolutely. You definitely come to see your country in a different light. And I think when you travel overseas... So I've lived on four continents and I've traveled close to 70 countries. And when you travel to countries that are less democratic, where people do not have freedoms, where there certainly is not what one would consider equality or justice or liberties, economic prosperity, you begin to realize just how fragile and tenuous our own country's experiment with democracy is, and how privileged we are to live in a country that upholds the democratic principles and values that we do. It's not to say that our country is perfect, but you certainly develop a much deeper appreciation, imperfections aside, a much deeper appreciation for the safety and the prosperity and really the opportunities that are at each of our feet to define our own path.
Dave Bittner: Mm, let's talk some about your current day-to-day. I mean, what sort of things take up your time, or what are the challenges you face in work?
Collin Barry: So I was brought into Expedia Group in October of 2019, and there was no pre-existing cyber Threat Intelligence program. And so it was a very unique opportunity for me to come in and design and build a Threat Intelligence program and capability from the ground up. And so I was able to harness a diverse set of experiences from the CIA to Booz Allen Hamilton and have that opportunity to bring that instinct and that experience to bear. So I took a few months really to understand and study Expedia Group. I wanted to understand the nature of our company, the operating model, the backend infrastructure, our footprint, our strategies, and from there, understand where the revenue drivers are and what are the technologies that are supporting those revenue generators, and what are the processes that are supporting those technologies. And from there, it's a de-layering effort, if you will.
That gave me a much clearer view as to the type of Threat Intelligence program that I need to stand up, where to set my sights in terms of intelligence curation, information curation, to produce relevant actionable information for the C-suite, the board, on down to the chief security officer, and then a host of security practitioners, network engineers, architects, incident responders, vulnerability engineers. The challenge, and it's been more of an opportunity, but, well, the challenge has certainly been with COVID. I didn't come in and I wasn't given a blank check. So I had to find a way to secure investment, a modest investment, to invest in a Threat Intelligence platform, to invest in a managed intelligence feed. Obviously that's Recorded Future, how you and I came to know each other. And so those two components alone give the program quite a bit of strategic lift.
And so I would say the challenge has been building that program in a time of COVID. There is no precedent for what the world has been through over the last 16, 17 months. And then the other challenge really is just so Expedia Group after it was divested or spun out of Microsoft, I think in 1996, the company has enjoyed tremendous growth and success. And a lot of that growth and success came through a host of acquisitions. That's a little bit of a challenge to understand our attack surface and backend infrastructure to figure out what's most critical for us to protect.
Dave Bittner: Now is that a matter, because through the process of acquisitions that system A gets blended with system B. And so you end up with this thing that wasn't necessarily designed from the outset to all be one unified working system?
Collin Barry: That's correct. It's a bit of a patchwork. And so there has been a tremendous effort to consolidate the brands, to consolidate the backend infrastructure and drive towards something that's more uniform and standardized and scalable.
Dave Bittner: How did you go about getting buy-in? If someone's spinning up a new program, how do you get all of the various parties to participate in and provide you with the things that you need?
Collin Barry: Well, I started small. The very first thing that I did was to lay out a strategy deck that articulated the purpose of the Threat Intelligence program, the value of the Threat Intelligence program, what the inputs are, what the design is in terms of the components, right? And then of course the methodology, the intelligence life cycle, if you will, that's universal, that anchored much of my thinking and the build, and then identifying the metrics, right? At Expedia Group, we have OKRs, objectives. But it's figuring out how are we going to demonstrate tangible value. I made a couple of pitches around the value of a Threat Intelligence program, the role that it plays, the importance of having a curated, managed intelligence feed to give us the enrichment and context that our current vendor does.
The real lift in February of 2020 through our managed intelligence partner, they alerted us to some activity that was going on in an underground forum. And very quickly, we came to understand that threat actors had reverse engineered a coupon-generating algorithm that we offered through one of our strategic partners. And we took very quick action. And within seven days, we were able to shut it down and realized about just shy of a $3 million cost avoidance. That certainly got the attention of a number of people. And to realize the tangible value of what we were able to provide.
Dave Bittner: Can you give us some insights specifically of how Threat Intelligence is valuable within the travel industry? I mean, that's a great example you just gave us. So are there any other ones that come to mind that apply to travel specifically?
Collin Barry: I tend to view Threat Intelligence in somewhat of a universal fashion. So the value of Threat Intelligence to a travel company versus a manufacturing company versus a semiconductor or a technology company, I think it's all, in my mind, it's the same. It's just that there's different inputs in the types of intelligence that you're gathering based on the nature of the business. But the output is the same: to inform executives, giving them situational awareness, helping them to understand the context of the situation to yield decision advantage. And then it becomes a bit more operational or tactical for the security practitioners, the incident responders who need context on an IP, or helping our colleagues in fraud to defend against botnet attacks. So I think for the travel industry, and that's an interesting question.
Expedia is considered to be a little bit of a hybrid. We are in terms of industrial classification where we're a tourism for hospitality, but we're also an e-commerce marketplace. And so we know that there are threat actors out there, nation states that have certainly demonstrated an interest in vacuuming up data from many companies, many industries, ostensibly for purposes of profiling, and the Marriotts of the world and the MGMs are no exception to that. And so I think from that standpoint, we also know there's a couple of nation states, China, Iran, that have demonstrated interest in travel industry data. I think from an e-commerce perspective, it's a different set of threat actors, right? You have your financially motivated threat actors, the FIN groups that are going after the Magento and the e-commerce sites, payment skimmers to get access to card data, financial data.
Dave Bittner: What is your advice to someone who is looking to spin up Threat Intelligence within their own organization? Someone who is tasked with that in a similar way that you were, do you have any, having been through what you have, any words of wisdom for folks who find themselves in that situation?
Collin Barry: Yeah. I think the first thing is to bring, if you have passion for what you do, and you have an appreciation for more than just the mechanics of intelligence, but the art of intelligence and it's that art form through publishing narratives, just getting a perspective out there that is unique, that's original with respect to the company that you're working for or supporting. I think that helps to garner attention in the right measurable focused way. Start small. The two critical tools that I would consider are a Threat Intelligence platform that helps to centralize collection of intelligence data from numerous sources, helps to aggregate that data, present that data in a comprehensible and usable format across multiple stakeholders. I would also say that a managed intelligence feed is critical. There's a number out there that have greater and greater capabilities as time goes by to harvest information from underground forums.
Collin Barry: A number of these companies are partnering with ISPs. And so they're getting an even richer data flow of telemetry. The two combined provide strategic lift to deliver something that's comprehensive, that's context rich, and as I've shared, another key piece of advice that I've shared with my executives at Expedia Group, and my colleagues, is I'm less focused on attribution. I'm more, and this certainly came to light with SolarWinds, even though I think we now have a pretty good idea considering that The White House has taken action. But I'm more considerate, interested in the why and the how. Because I think those two, once you understand how threat adversaries are executing attacks or evolving in their sophistication and their techniques and the technologies that they're utilizing, why they're going after certain targets, those two angles alone provide a much richer insight into the nature of the defense that we need to mount.
And it helps us to better identify and assess our own vulnerabilities and where to shore up our defenses. One more piece of advice I would offer is I think intelligence requirements at the risk of sounding stay at cliche, just sitting down once you understand the business. And actually that's my first piece of advice is when you step into a company, you really have to get to know the company that you're supporting. Take a few months and just study the company as I had shared, right? The operating model of the global footprint, the backend infrastructure, how does the company make money? What are the technologies supporting those revenue generating models and what are the processes underlying the technologies. And that then helps you to start thinking about the intelligence requirements and you can sharpen your pencil and frame a series of interrogatives that you can present to the stakeholders to go a bit deeper into what they're concerned with, what keeps them up at night, what strategies are in play, what partnerships are in play. As the business continues to evolve, so does the Threat Intelligence program and its requirements.
Dave Bittner: You're consuming Threat Intelligence. Do you find it valuable to also put the information that you gather out there? Is there a collaborative mode within the industry? Do you have colleagues that you're swapping information with? We're seeing this threat, what are you all seeing? Does that happen as well?
Collin Barry: Absolutely. So I have frequent contact with my counterparts, with several companies here in Seattle. Those are informal dialogues and engagements. Our Threat Intelligence platform partner, they have facilitated a host of round tables and working discussions with their other clients across multiple industry sectors. We've also had conversations with an ISAC. We're not in a position just yet to join, but I've already written a position paper and submitted it to senior leadership as to why I think joining an ISAC is absolutely beneficial to us. It creates a tremendous advantage to have that collaborative forum. I'm also part of the NCFTA in Pittsburgh. I was nominated and accepted into that forum. I have regular dialogue with federal law enforcement. So there's a, yes, long-winded answer to your question, but there's information sharing and exchanges that occur on multiple levels.
Dave Bittner: Our thanks to Expedia's Collin Barry for joining us. Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future Podcast production team includes coordinating producer, Caitlin Mattingly. The show is produced by the CyberWire with executive editor Peter Kilby and I'm Dave Bittner. Thanks for listening.