Protecting the Brand, Products, and People at Perdue Farms
September 10, 2018 • Amanda McKeon
Perdue Farms is a major U.S. agricultural business, best known for its processing of chicken, turkey, and pork, and is one of the nation’s top providers of grain. Founded nearly a century ago as a “mom-and-pop” business with a small flock of chickens, today the company marks sales in excess of $6.5 billion a year and has over 20,000 employees.
Chris Wolski is head of information security and data protection at Perdue Farms, and he joins us to describe the unique intersection of cyber and physical systems he and his team help protect.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 73 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Perdue Farms is a major U.S. agricultural business best known for their processing of chicken, turkey, and pork, and is one of the top providers of grain. Founded nearly a century ago as a mom-and-pop business with a small flock of chickens, today the company marks sales in excess of $6.5 billion a year, with over 20,000 employees.
Chris Wolski is director of information security and data protection at Perdue Farms, and he joins us to describe the unique intersection of cyber and physical systems he and his team help protect. Stay with us.
My first computer was a little Bally game system. It came with a basic cartridge, and that’s how I started learning about programming. And if you look up a Bally game system, you’ll see how old that makes me. From there on, my grandmother had continually upgraded my capabilities by buying newer computers, and eventually, we integrated off of using the family television for the monitor and actually had a real monitor on a desk. I graduated high school, joined the Navy, got into information security through data collection and data classification, and then after 20 years, retired.
I went back into the Navy as a civilian. I did a little time over at the Joint Chiefs of Staff doing incident response for them. For me, that was a long commute. I was still living in Delaware and had a two-hour commute to Washington, D.C. every day. From there, I’m like, “Well, there’s got to be something closer.” Then, Perdue Farms came and said they were looking for an information security analyst, and that’s how I ended up here at Perdue. Since that time, I’ve promoted up, and now I am the director of information security at Perdue Farms.
Give us some insight into what the contrast is between the time you spent with the Navy and in the government to the private sector.
The contrast I see most is something actually kind of unfounded. I thought there was going to be a significant political difference between the two. There’s actually … It still exists in the private sector, it’s just how it’s handled that is different. That’s the contrast. The political games that you have to play within an organization — a private organization such as Perdue — it’s more personal. In the government, I felt that there was more hierarchy. You cannot talk to somebody unless you have permission up the chain and different tree level to be able to talk to somebody.
Here, once I’ve established myself, I’ve been able … I could go and talk to others within the organization and, if necessary, I can backfill my supervisor. It’s nothing for me to be able to go talk to the CEO and say what’s on my mind and then backfill the CIO.
What are the differences in the types of challenges that you’re facing day-to-day between the government and in the private sector?
I think it’s the same. Challenges are the same when it comes to money. The differences are, we still do color money. We have capital and we have opex, and the challenge that comes in is, where, what flavor money, or what color money we’re going to use for this year. What is acceptable? Are we looking more to spend operationally, or are we going to do more of the capital expense? The other issues that we have are the awareness part of it. Within government, it’s pretty much mandated. Everybody understands cybersecurity or has to understand cybersecurity as part of their job. It’s much easier to implement policy because it’s a “do as I tell you” mentality in the government, in the military. Working as a civilian in the private sector, it’s much less that and more of, okay, let me help you understand and kind of guide you toward understanding what cybersecurity is.
Now, I’m certainly familiar with Perdue Farms, having grown up here in Maryland and taking trips to the eastern shore, to Ocean City, every summer as a child. You would drive by the Perdue Farms there, where chickens were raised. Sometimes you’d be traveling down the highway and a truck full of chickens would drive by, which for a kid from the suburbs, was something to see. Can you give us an idea of the scope of Perdue Farms from a cybersecurity point of view? What kinds of things do you have to deal with day to day?
On a day-to-day basis for cybersecurity at Perdue, we’re really looking at protecting the brand name. Brand — to be the most trusted name in agriculture — applies to the cybersecurity realm here. We don’t want to have the Perdue name dragged down because of a cybersecurity event. At the same time, we want to ensure that we’re protecting our employees to prevent an accidental phishing click or to inadvertently introduce malware into our environment. We typically look at Perdue as having four different, I guess, “opponents,” if you want to say it that way. We have to deal with the hacktivists because we have people that don’t like how we raise chickens, or, like, the chickens in the truck, or don’t like to eat meat. We have those people that we have to protect against.
We have nation-state actors that we need to protect against. While it’s not a large threat, it does exist. And then we also have, of course, the internal user that we have to worry about. And finally, like every other organization, the cybercriminals that are out there and trying to make a quick buck off of some ransomware or account takeover, whatever the case may be.
Now, how do you handle dealing with third-party risk? You have a lot of suppliers, you work with a lot of farms. It’s a huge industrial operation that you have there. How do you approach that?
With third-party risk, we look closely at the documentation that they have. We try to find third parties that have completed some sort of SOC documentation, SOC 1 or SOC 2, that can attest to their level of cybersecurity. Really, we want to make sure that we’re dealing with third parties that understand where we’re coming from as far as security, and that we can also understand what they’re having. Additionally, we look to researching our third parties through the Recorded Future threat intelligence product, and we also do some web searching to see what’s out there for that company to make sure that we’re dealing with a company that’s legitimate. As far as the farmers, the farmers are all independent contractors. We don’t provide much in the way for them, but they have some access to some external sites, but nothing internal.
Can you describe to me what your process is? How do you approach communicating with the folks who are above you in the organization? The board of directors, the people that you have to report to — how do you take care of translating that message when it comes to security and budgets and things like that?
When talking to the board or to people that really don’t understand cybersecurity or the technology or the terms, I use a lot of analogies that they can relate to. It’s bringing back kind of a storytelling mentality, like, “If we did this,” and putting it in a term that they’d understand, “then we can protect this.” It’s kind of like medieval terms, going back to the castle and the moat. Help them understand that Perdue Farms is the castle we have to protect. Analogies like that. Or when I’m talking with the transportation folks, putting it in terms of how they operate so that they can understand it, and then once they get it, then you can see that light bulb come on and, “Oh okay, now I understand what you’re trying to say.”
How about in terms of incident response? When things do happen, how do you all prepare for that? Do you practice ahead of time? What’s your approach to that?
For incident response, we have a proactive plan in place. One of the things I brought with me from the Department of Defense is a tiered-level response. Something as simple as malware showing up on a device does not require an entire incident response team to go and activate and run like kids toward a soccer ball. What we do is … It’s very measured, and then as the incident grows, if it’s something that cannot be handled by my team, then we start looking at bringing in other team members, like infrastructure or legal, and then if it’s something that cannot be contained internally, then we’ll definitely reach out to a third party to assist us. It’s very measured. It’s efficient and actually has kind of a flowchart mentality or function to it.
Now, what about your own management style? When you’re working with your team, what’s your leadership style?
I’ve learned to become — being that Navy chief petty officer — I’ve really come to be a coach and mentor. I sit with my team. I’m not off in some office somewhere. I work with them, and when they have questions, cybersecurity related or incident response related, I’m right there with them. I help them answer the question. And then I give them the tasks, day-to-day tasks, and expect them to do it, and I don’t hover over them. I’m not micromanaging or standing over their shoulder, making sure they click the right button. If they have questions, they know they can come approach me and they’ll get answers in a way that helps them learn what the best process is. Or maybe, sometimes, I’ll even learn from them because they’re like, “Oh, well how about this way?” And I’m like, “Oh, that’s pretty cool. Show me that again.” And then we improve our process.
You mentioned mentoring, and I know that’s something that’s important to you. Can you describe to us why you think that is important? And how do you take on that task of mentoring people?
When mentoring, it’s about helping the person get to their goal. It’s not doing it for them. For me, to mentor somebody, I’ll point them in the right direction, maybe give them a little bit of something to research, but at the same time, giving them a little support that backstops them and helps them grow on their own. Mentoring is one of those things that the person then starts feeling some sort of self-achievement when they’ve completed something on their own, when they’ve been directed and pointed in a way that somebody can understand the whole process. I think it sparks innovation in some ways because when you’re mentoring, like I say, you’re not giving them the entire answer, you’re giving them a direction to go in and then maybe sometimes they come up with their own solution, and that definitely can help improve the business and help the department and information security as a whole.
I seek out mentors to help me in gaining my next level. It’s not something that’s looking at that for me to provide, but I also use mentors to help guide my decisions personally and professionally.
I want to talk about threat intelligence and how you view it — the importance it has to you. I know you use the Recorded Future tool there at Perdue. Can you just describe to us how you approach threat intelligence?
Threat intelligence is another member of my team — especially the Recorded Future tool. It gives me time to be able to focus on the issues I have here in my office and at the same time, use the tools and the other sources out there to keep me abreast of what’s going on in the industry, what could be going on with our threats. And being able to provide that information to the people in my organization that really could use it to protect us physically. Sometimes we learn about protests in advance because of the threat intelligence, and then additionally, we find out when something has been leaked out onto the internet that shouldn’t have been leaked out. It allows us to be proactive and at the same time, reactive.
It’s one of these things that has proven its value in a very quick, short time frame. We’ve only been with Recorded Future for probably about six months now, and the subscription that we got has already paid for itself just with the visibility that we’ve gained that we didn’t have before.
Now, what would your advice be to someone who is considering using threat intelligence? In terms of shopping around and dialing in, what is the best approach for them?
Understanding what your threat intelligence requirements are. What is it that you’re looking for? What is it that you’re trying to answer? For us, it’s brand protection and understanding the tactics and techniques of the threat actors against us. Understanding what those requirements are will help you in deciding the best product for you. If it’s something where you’re looking at just being able to understand different indicators of compromise, maybe finding something that provides that would work for you. Whereas, if you’re looking for something that’s a little more strategic — and in my case, being able to present something to the board — that provides a strategic roadmap to address the different threats that we face … It really depends on what you’re looking to do with that information, that intelligence.
It’s a really interesting point you bring up about the intelligence coming through what we would consider to be a cyber domain, through something like Recorded Future, but you’re getting real-world intelligence as well. You talk about things like potential protests, which are physical, non-cyber events, but you get the information from them through that information domain.
That’s correct. For example, if there’s a protest planned at one of our facilities, I can lead that off to the physical security officer here so that he can make sure that there’s guards in place and that communication is put out. The company is ready to respond with a public communication or whatever steps necessary to protect the company and the associates with the company. So, the employees, as well.
Our thanks to Chris Wolski from Perdue Farms for joining us.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.