CSO Jim Routh Leads Aetna’s Pioneering Security Team
April 2, 2018 • Amanda McKeon
Jim Routh is chief security officer of Aetna, a Fortune 500 company offering health care, dental, pharmacy, group life, disability, and long-term care insurance and employee benefits. With annual revenue exceeding 60 billion dollars and nearly 50 thousand employees, there’s a lot to secure.
In this episode, we explore Jim Routh’s career path, the unique challenges he faces as CSO for such a large public company, how he delegates authority and manages his time, his approach to threat intelligence, and his somewhat contrary approach to communicating risk with the Aetna board. We learn about Aetna’s move away from using Social Security numbers as identifiers, as well as their efforts to phase out traditional password-based user logins, all in the name of improving customer convenience and security. He also explains his adoption of model-driven security and the rise of unconventional controls.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 50 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Jim Routh is chief security officer of Aetna, a Fortune 500 company offering healthcare, dental, pharmacy, group life, disability, and long-term care insurance and employee benefits. With annual revenue exceeding $60 billion and nearly 50,000 employees, there’s a lot to secure.
Our conversation explores Routh’s career path, the unique challenges he faces as CSO for such a large public company, how he delegates authority and manages his time, his approach to threat intelligence, and his somewhat contrary approach to communicating with the Aetna board. He also explains his adoption of model-driven security and the rise of unconventional controls. Stay with us.
Well, I owe my career in security to my wife. And the reason for that is, I had moved my family from Massachusetts to Minnesota back in 1998, primarily so I didn’t have to travel. So I went to work for American Express in IT, and after about three and a half years, and three winters, one night after dinner, my wife said to me, “The kids and I are moving back east. Do you want to come?” And that’s when it became very clear that I needed to relocate. That relocation actually landed me a job in New York, where I moved back with American Express running marketing analytics, and then, that was merged with risk analytics. That two and a half year stint landed me the role as chief information security officer for American Express — the first one. So if it hadn’t been for my wife, I don’t think I would have been in security.
Well, it seems to me like the journey from marketing to security is an interesting one. Was that a lot of on-the-job learning for you as you went?
I started and had about 500 people, and most of them were econometricians. I didn’t even know what an econometrician was. Now, of course, today we call them data scientists, but back then, I had to literally look it up and say, “What exactly do you guys do?” So it turns out that if we fast-forward to today, Aetna has about 200 models in production driving frontline security controls, and 70 percent of those models are machine-learning models. So my background in data science with American Express actually has direct relevance to cybersecurity today. Now, I would … It wasn’t planned that way, but that’s kind of the way it’s worked out. Data science is driving a lot of our security controls today, and that’s just going to continue to grow.
You know, in preparing for our talk today, I was looking at some of the facts about Aetna and it’s really striking — the scale of the company. You know, millions of members, millions of doctors. How do you approach a task, or a challenge, when it’s so big?
Well, the one thing that’s beneficial is, Bertolini has always maintained that the vision and the mission for Aetna is to fundamentally change healthcare to improve the health of our members. And that’s a pretty broad and somewhat audacious mission statement. And so, our global security mission fits nicely within that, which is to improve the protection of information for our members as they’re getting healthier, and that means across the entire healthcare ecosystem.
So it’s not enough for us just to reduce the attack surface for Aetna — we want to reduce the attack surface for everyone in healthcare. So an example is, four years ago, we started a program to eliminate the use of the Social Security number as a unique identifier for our members. We have now eliminated 10 billion instances of Social Security numbers in our enterprise, in the enterprise of our vendors, and also within our plan sponsors, which are the employers that hire us to administer healthcare plans.
So we’ve had a dramatic impact, in a positive way, across the entire healthcare ecosystem. Now, we’ve got a long way to go, but it visibly has helped shrink the attack surface, and that’s a good thing for all of us.
Can you speak to your third-party suppliers? You know, we hear talk about how that is a potential vulnerability. How do you vet your third-party suppliers to make sure that they’re not introducing unnecessary security issues for the things they provide to you?
Sure. Well, third parties in healthcare — and many other industries as well, but certainly in healthcare — represent a big part of the cybersecurity risk for an enterprise. And that’s because we rely on a third party to provide critical services. They provide healthcare services to our members. They share information amongst different suppliers in, essentially, the theater of healthcare delivery. So they’re essential. And the one thing we do is, we don’t look at them as if we’re the big enterprise with the big wallet, to drive controls to our specifications and to their environment. We view them as a member of a community. They’re the member of, essentially, a community of third parties that offer essential services on behalf of our members, and so, we educate them and share cybersecurity and intelligence information, best practices information, techniques, tools, technology. So we literally have a forum every single year where we bring them together, and it’s a couple of days just to focus on the education of what’s changing in cybersecurity, what controls are most effective, and what technology and capabilities are emerging that are worthwhile.
Our third-party community is divided into different segments. We have brokers on the front end that deal with relationships with entities that we do business with. We have healthcare providers that are, you know … Their mission is to provide the health of our members, improve that health through treatment and programs. We have vendors that host member information for claims processing, and we have IT vendors that provide critical infrastructure. So across the board, each segment is part of a portfolio with a specific set of control requirements and educational programs for information sharing.
From our perspective, they’re all part of a community. We’re a member of that community, and we influence what they do, but we also listen and get feedback in terms of what the challenge is that they have, and we try to work on solving that together. So there’s nothing easy about cybersecurity in any enterprise, but the entire ecosystem has to fundamentally improve its resiliency, and that means adjusting controls as new information becomes available and new threats and threat actor tactics evolve and change. It’s a constant struggle to keep up with all of the change, and every enterprise goes through that.
Being part of a community with information sharing and technology capabilities to enhance resiliency — it makes everyone better. And frankly, we have probably 550 hosting providers, specifically, that we rely on on a day in, day out basis. So it’s a large environment. We have probably 160,000 brokers that we work with, and of course, they have the access to member information through the underwriting process, or through the sales process, and we want to protect that as well, so third parties are a critical part of our security program, and an essential partner in resiliency.
Can you take us through and describe for us your leadership style? How do you delegate, and how do you make sure that all the things that require your attention … How do you prioritize?
Well, first and foremost, we teach technique. So there’s tools, there’s technology, and there’s technique — the three Ts of cybersecurity. Most people think talent is the most important element of the three Ts, but we don’t believe that. We actually believe that technique is the most important, because we don’t have any problem attracting world-class talent to come to work for us in our program. We’re fortunate in that regard — that’s not the norm. The norm is there’s very few highly skilled people in the marketplace that are available. From our standpoint, we’re able to attract not only talent, but diverse talent. Forty percent of our employees in security are women, 23 percent are people of color, 17 percent are veterans, and we strive to constantly improve those. So we’re not looking just for world-class talent, we’re looking for world-class, diverse talent, and we attract them by giving them an opportunity to learn the skills and competency that they want to invest in, and showing them the techniques that are based on unconventional controls.
Conventional controls that are part of a standard risk framework are the baseline, and they are central, but they’re not sufficient today to stay and remain resilient. Unconventional controls may not be part of a conventional risk framework, but they’re largely addressed through innovation, and that innovation is what allows us to constantly change our controls and create friction for the threat adversary. So 1.5 control procedures, or standards, are changed every single day, in a state of constant change.
In terms of my leadership style, I teach technique. I focus on technique, and essentially, I have four chief information security officers that all have responsibility for a different part of the business — in some cases, a separate subsidiary, and that’s their accountability. I’m essentially giving them an opportunity to learn what it takes to make decisions on allocation of scarce resource to the highest risk. And they do that in the context of their own business, and I give them enough opportunity to learn and develop the skills necessary for communication and leadership across the business, because many of the security programs that we drive are fundamentally changing the business.
Yeah, let’s dig into that a little bit. I mean, in the time that you’ve been on the job there, what are some of the key changes that you’ve seen?
Probably the most significant change that we’re introducing, in terms of breadth and scope, is to eliminate the use of passwords for our consumers. Now, I’ll give you a little bit of context for that. It seems a little bit strange, a security function talking about eliminating the core control for 99 percent of the authentication that’s done across the enterprise. So the explanation is this. In 2016, there were three billion credentials harvested by criminals. The folks that did that study, Shape Security, believe that that’s just based on publicly available information, and if they used all intelligence, including intelligence in the private sector, they think that number is closer to 10 billion.
Now, what that means is, the whole premise of a password is, it’s a secret that only you have as an individual, and unfortunately, that premise is no longer valid. Combine the supply of credentials coming from breaches and phishing attacks, and the major breaches that we read about, with the demographic information that’s available from consumer records that are harvested millions at a time, and the criminals have an arsenal that makes it a lot easier to bypass traditional binary authentication controls like user ID and password.
There’s something called credential stuffing. A threat actor can use a tool like Sentry MBA and take 10,000 credentials from one domain that have been harvested or acquired on the dark web, and then use them on any other domain that they wish, and they’re going to get a 2 percent hit. 200 accounts out of the 10,000, they’re going to get a hit on, across any domain, simply because most of us can’t remember the passwords that we need for all of the hundreds of sites and mobile apps that we put passwords into. And the net result is, credential stuffing is becoming easier, and easier to do at scale.
The obsolescence of passwords is upon us. And changing out passwords for an alternative approach for authentication — it’s expensive, it takes a lot of design work, and it takes a lot of time to do that. So we started about three years ago, and we decided that multi-factor authentication wasn’t enough. Even though it’s the standard across all risk frameworks, we just don’t believe that it’s enough. So we’re moving into a realm of continuous, behavioral-based authentication, where we know enough about the end user, their use of technology, and their behavior that we can develop a mathematical representation of that. Then, we can measure their actual behavior against that mathematical representation, see what the variance is between the two, calculate that in a risk score, and the risk score feeds the app that provides access based on what that risk score is, and then, different apps can make different decisions based on different thresholds.
So essentially, it’s a continuous authentication process. It’s not an event, that once you provide the user ID and password you’re in and trusted in the system. In this case, it’s continuously doing authentication based on your behavior to make sure that someone else isn’t using your credentials and stopping that immediately.
The nice thing about all of this is, it means the end user, or the consumer, doesn’t have to remember passwords. They don’t have to worry about resetting passwords. They can essentially log in — if you think of the login process without doing anything — just by opening the mobile app, or going to a website, if it’s a webpage. We also embraced the FIDO standard that allows individuals to choose which biometric they wish to use on their device of choice, and we take that as a factor, or as an attribute, that we then feed into our risk engine, looking at many, many other attributes — somewhere between 30 and 60 attributes, whether it’s a mobile or a web application.
So we’re able to authenticate more effectively than passwords, yet reduce and eliminate the friction to the consumer at the same time, so it’s kind of a win-win opportunity for us. It’s something that every enterprise will have to do in the next decade. We’re getting an early start on that, and so far, the results are very positive.
I want to switch gears a little bit and talk about threat intelligence and the part that it plays in the work that you do. How do you choose to dial in the type and amount of threat intelligence you use? Can you give us some insights there?
So, number one, threat intelligence is absolutely essential to a risk-driven security program. And I would argue that security programs have to be risk-driven. What that means is, as threat actor tactics change, or evolve, we, in the enterprise, need to understand that and have to adjust our controls based on the evolution of the threat actor tactics. We’re trying to create friction for the threat actor and reduce friction for the consumer, at the same time. That’s an ongoing process that’s fed by security intelligence.
One thing I’ve learned is, there is no single source for security intelligence. Now, we use private sources, where we’re paying for security intelligence capabilities and resources, and essentially, providing the security intelligence provider with the types of information that we’re most interested in: what our future plans are, from a security standpoint and control standpoint, and what our biggest risks are. That interaction improves the quality of the security intelligence that we get that’s tailored to meet the needs of our particular industry.
The most important part of security intelligence comes from our peers. It’s through an ISAC — information sharing and analysis center. We’re part of two: The NH-ISAC for healthcare, and the FS-ISAC for financial services. We work with the threat intel committees in both. We’re part of the threat intel community, and we share information amongst ourselves, and we validate the information we get from security intelligence providers and open source intelligence providers. That validation helps us determine whether attacks are targeted or opportunistic, what the impact is, what controls work, what controls don’t work, and what information is essential. And that collective pool allows us, in times of crisis — like for WannaCry and NotPetya — to share malware samples, do reverse engineering on malware, understand exactly what the threat vector is, and then, share that information across the industry so everybody is aware of that, to basically improve the entire resiliency of the industry while also protecting our own enterprise.
Security intelligence data comes from multiple sources, multiple different types. It’s customized based on the individual requirements we have that we provide to the security intelligence provider. But the interaction with others that consume that information through different channels, like the ISACs, is what makes it most relevant and gives us the ability to determine what the impact is for our enterprise and the overall industry.
When you have to communicate the type of work that you do to the folks who are higher up in the company, from the board members to the CEO, how do you go about that translation to turn the technical into, I would imagine, a conversation about risk?
I don’t use translation.
And frankly, my view is a little bit controversial, but I don’t talk about risk very often.
The probability of risk is very difficult to articulate at the enterprise level. Now, that’s in the best of circumstances with a lot of data to support the risk probability calculation, and most of the time, we don’t have a lot of data to support that. So, actually talking about the probability of risk, especially at the board level, it’s kind of a rat hole that I avoid.
I use the language that the board and senior business leaders are most comfortable with, and that’s the language of economics, so I talk about operating costs, I talk about reducing total cost of ownership, I talk about productivity gains. These are all of the things that they’re well versed in. They understand, so there’s no translation required. I try to demystify the arcane language of technology and in-depth cybersecurity engineering to talk about business processes, and how to enable business processes to provide better value at a lower cost. Because that’s what board members understand — it’s a language that’s universal, and it works for me.
Now, others would prefer to talk about risk, and the probability of risk, and quantifying that, and there’s lots of tools and methodologies that help do that. My own experience is that it’s not really worthwhile. I mean, in the case of Social Security numbers, I convinced the board and the senior leaders at Aetna to do this project, which is a $67 million project. I convinced them to do it because it’s the right thing to do for the consumer. There wasn’t … I basically said there is no cost-benefit analysis. It’s money we have to spend that we get no return on that we can measure, but again, it’s the right thing to do for the industry and for our members. And they all bought into it, and I think they’re grateful that they did. As a result, Aetna’s an industry leader in shrinking the attack surface.
Now, that was one project. Almost every other project that I’ve ever asked for funding for, there was a cost-benefit analysis and a return on investment that was identified. We have a software security program that’s one of the most mature in the industry, measured through BSIMM. Well, we basically sold the program and executed against the goal of improving productivity for all of software development. We have about a $21 million gain in productivity every year because we either reduce vulnerabilities through preventative steps, or we fix vulnerabilities earlier in the lifecycle. The combination of those two things adds to significant productivity enhancement, and that makes the program worthwhile from an investment management standpoint.
So, notice that I didn’t say anything about risk. And so, that’s kind of my approach.
Yeah, that’s interesting because it is a little contrary to, I suppose, what is popular today. That’s very insightful for me to hear your description of that. It certainly makes sense, but it’s not a direction that I hear very many people talk about these days. So, I think that’s fascinating. Good for you. It seems to be working well for you.
The future of cybersecurity actually happens to be here today, but most cybersecurity professionals aren’t aware of it, and it’s largely because the technology is creeping up on them and it’s not self-evident. But what’s happening to security is, we’re moving into a world, or realm, where model-driven security is an essential component for the resilient enterprise, and our threat actors are using models and data science to attack the enterprise. So, it’s model versus model.
Now, I’ll start from the good guys’ side. About three and a half years ago, I hired a chief data scientist dedicated to security. Very talented guy. He had nine years of experience in the NSA where he worked on security using data analytics. I asked him — and at the time I thought it was the right thing to do — but I asked him, “Build us a data lake for the enterprise for security that we could run models against, and figure out where to allocate our scarce resources to do cyber hunting to get the best bang for the buck.” Seemed to make sense. A lot of people said, “Yeah, yeah, that’s worthwhile. That’s a good application of data science.”
Well, while he did that … He did an outstanding job of that. He built 106 models in about a year and a half’s time. While he did that, and did exactly what I asked him to do, we put eight other model implementations into production. These are unsupervised machine-learning models driving frontline security controls, whether it’s authentication, privilege management, email filtering, or endpoint protection — these are all cases where we implemented the technology. It’s driving frontline security controls. It’s not just producing data and results that we’re analyzing, but it’s actually part of the fabric of the control.
So today — privileges, I’m going to use as an example — every single registered user in the network has a behavioral score based on four different types of behavior — physical access, email, web browsing, and entitlement information — all combined into the massive data lake that was established, with a bunch of models that represent that numerically. Each individual registered user has that.
When they ask for a privilege — and we don’t grant privileges indefinitely; every privilege has a timeframe — when they get a privilege, we measure their actual behavior against the pattern. We see any deviation, and if it’s a slight deviation, we send an email to their boss, who has the context to know what they should be doing and when, and their boss decides if it’s good or bad. The green button in the email says it’s okay, but if it’s a red button, they hit that and the credential is automatically revoked. But if there’s a number of anomalies, in terms of anomalous events, the model decides to revoke the privilege immediately in real time without any human intervention. It initiates an orchestration for a security incident — again, no human intervention — and allows us to essentially revoke privilege in milliseconds in real time in the case of a threat.
I know of no other system in the world that has that across the entire enterprise. We’ve had it in place for about a year and a half. That’s one example of what was put in place that’s essentially a model — in this case, several models — driving frontline security controls, and we’re seeing that more and more. We have 200 models in production today, and we’re constantly growing that catalog of models. I see, in the very near future — two, three years down the road — we’ll be actually sharing models from one enterprise to another to deploy effective security controls across enterprises. Models and data science today represent the foundation of cybersecurity for the next decade.
That’s Jim Routh. He’s the chief security officer at Aetna, and we thank him for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.