Digital security is no longer optional; it is a critical pillar of every institution, and the cybersecurity field is the frontline defense against a threat environment that never stops changing.
The pace is relentless and the problems are hard. The work demands expertise, constant vigilance, and a genuine commitment to protecting the systems people depend on.
In our new Executive Interview Series, we get to the heart of cybersecurity by talking to the practitioners: the strategists, the pioneers, and the defenders of our online world. They share real insights and practical advice to help readers stay secure, stay current, and better protect their organizations.
First up, we’re talking with Lorri Janssen Anessi, Director of External Cyber Assessments (ECA) at BlueVoyant.
Lorri’s career spans both the public and private sectors, including roles at the Department of Homeland Security (DHS) and the National Security Agency (NSA).
Expect to learn more about Lorri’s professional journey, her thoughts on the current trends in cybersecurity, the value of domain security, and much more.
Background and Professional Experience
Q: How did you get into the world of cybersecurity?
I began my career serving in the U.S. Air Force as a technical language analyst working on one of the U.S. government’s highest priority missions: counter-terrorism after 9/11.
As national priorities evolved and cyberattacks became more pervasive, I was called to work in the cybersecurity mission at the National Security Agency (NSA), an organization that was truly a pioneer in the field of cybersecurity.
I found this new field extremely rewarding, and it kick-started my passion for all things technology and cybersecurity. I quickly recognized the need for more advanced education, applied, and was accepted into the Master of Electrical and Computer Engineering program at the Naval Postgraduate School.
This was a challenging program that provided the necessary skills that enabled me to make impactful contributions to the national cybersecurity mission. It also highlighted the need to foster passion and interest in STEM (science, technology, engineering, and math) for the next generation, especially women (a demographic that was and continues to be grossly underrepresented in this field).
Although my path to cybersecurity was non-traditional, I have found that my diverse experiences and career opportunities have contributed to my success, especially as I continue to challenge perspectives in the cybersecurity field, consistently seeking out innovation in this space.
Q: How did your roles in the public sector shape your approach to cybersecurity as you moved to the private sector?
In cybersecurity, there’s a definite overlap between the private and public sectors.
While I was in the public sector, we worked a lot with private partners. To be successful and deter cyberattacks, we have to work together and share the information we have about threat actor tactics, techniques, and procedures (TTPs)—the more we share, the easier it will be to counter these threats.
Having spent most of my career in the public sector, I feel I have gained a deep understanding of the cyber risks and the threat actors that orchestrate these attacks.
Mitigating risk proactively is critical, and understanding what vulnerabilities you as an organization have is key.
Administration of infrastructure is extremely challenging, especially if you are a large and complex organization with a lot of endpoints—compound those challenges if your digital assets are globally dispersed.
In order to get ahead of attacks, it’s important to understand what assets you have to help defend yourself.
Another key lesson that was evident during my time in the public sector was that physical borders no longer matter. The digitization of businesses and the use and storage of mass amounts of data online have created a challenging space to defend.
I saw this with transnational terrorist organizations, and we see it today when it comes to modern cyber threat actors. They can orchestrate their entire operation virtually without being colocated with one another. They can share tradecraft and techniques across oceans and continents and achieve great success.
Obfuscation techniques make it extremely difficult to attribute actions to people or groups who are responsible for crimes. Digitization of money and cryptocurrencies also makes it challenging to follow the money and thus identify cybercriminals—it’s almost like chasing a ghost in many cases.
Current Position at BlueVoyant
Q: What role does BlueVoyant play in the cybersecurity industry?
BlueVoyant was founded in 2017 by Jim Rosenthal (former COO of Morgan Stanley) and Thomas Glocer (former CEO of Thomson Reuters).
With decades of experience in high-stakes industries and having navigated major market challenges (e.g., the 2008 financial crisis), they foresaw the next big challenge: defending against rapidly evolving cyber threats.
When founding BlueVoyant, Jim and Tom brought together leading experts from private industry and government in order to ensure that all organizations have access to best-in-class cyber defense, no matter their industry or geographic location.
At first, they created a traditional managed detection and response (MDR) platform, which protects your network from what comes in.
But they quickly realized that what was really missing in the space was on the supply chain defense (SCD) side—essentially, monitoring an organization’s entire vendor supply chain. If MDR is boundary in, SCD is boundary out.
So BlueVoyant has those two main branches: MDR and SCD—which is where I sit within the company. SCD is more vital than ever because, over the past few years, most attacks have been orchestrated through the third-party supply chain. Cybercriminals are opportunistic—they’ll go for the weakest link to gain entry to larger networks and organizations.
Today, BlueVoyant offers an end-to-end platform that combines internal and external cybersecurity to help clients across the globe defend against the most sophisticated attacks.
Q: As Director of External Cyber Assessments (ECA) at BlueVoyant, what does a typical day look like?
Under the general direction of the Chief Analytics Officer, I lead a team responsible for the production of clear and concise analytic deliverables for large enterprise customers. And, like I said, we’re part of the SCD branch.
In basic terms, I analyze organizations’ external risks and provide mitigation recommendations that can be considered for supply chain security, for mergers and acquisitions (M&A) or investment decisions.
We monitor and analyze our clients’ external attack surface—i.e., their entire third-party ecosystem or vendor supply chain—and tell them where their vulnerabilities exist and what they should do to reduce risk.
The analytic methodology we use for due diligence is the same one we use for continuous monitoring of SCD, but we focus on specific points when our clients are making decisions about an investment, merger, or acquisition.
Additionally, the ECA team collaborates across business units to produce cohesive products for general consumption. We provide sound cyber analysis and leverage key analytic insights, data analysis, and data outputs of various sources of threat data—such as indicators of compromise (IOCs), adversary cyber campaigns, and external vulnerability scan results.
Our primary deliverables include due diligence assessments and reporting, threat intel reporting, and strategic-level cybersecurity assessments.
We also ensure that products derived from SCD for BlueVoyant are based on BlueVoyant data and analysis.
In this position, compliance and policy are also focus areas—I stay abreast of the current frameworks and their implications on our clients and their third-party ecosystems.
Honestly, I love my job. I really hope that the government gets influenced by the things that we’re doing, because I definitely think it’s making a difference and should be more heavily focused on.
Current Cybersecurity Threat Landscape
Q: What are the most impactful trends in cybersecurity for businesses today?
During the past years, four trends stood out:
- An elusive phishing trend in which malicious search engine ads are used as distribution vectors, luring unsuspecting victims to phishing websites.
- A continued upswing in unpatched zero-day and emerging vulnerabilities.
- Not implementing proper email security. Or, to be more specific, the lack of use of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
- Threat actors increasingly turning to generative artificial intelligence (AI) to create increasingly effective phishing campaigns.
Fortunately, recognizing these persistent trends allows organizations to proactively fortify their cyber defense strategy for the challenges expected in 2024. It’s crucial to remain vigilant and monitor continuously, and couple that with quick remediation efforts against external threats in the supply chain and across the clear, deep, and dark web.
Supply chain threats remain a significant risk to organizations, 97% of which endured negative impacts from a breach in a third-party or supplier partner during the past year. According to our research, this figure has ominously persisted for the past three years.
A company’s supply chain insecurity is the number one vector for exploiting the company. The predominance of attacks over the past year targeted the security of products used, services provided, and relationships between a company and its supply chain vendors.
The use of AI gained traction last year, especially after the release of AI chatbots. And while generative AI will play a role in legitimate functions, it will, unfortunately, also become useful for potentially nefarious reasons. For instance, the MGM hack was orchestrated using AI to mimic an employee, and the IT help desk compromised user information.
Q: How should organizations balance the need for robust cybersecurity measures with the obligation to protect user privacy?
Cybersecurity and privacy are closely intertwined disciplines that should complement each other. By aligning their efforts, organizations can better protect their information assets and effectively meet security and privacy objectives.
Regulations—such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.—impose cybersecurity and privacy requirements for protecting sensitive information. The NIS2 Directive is an example of EU-wide legislation on cybersecurity that will impact EU companies in a wide variety of sectors. It will start to become EU-wide law later in 2024. Both GDPR and NIS2 have extraterritorial impacts, meaning even some U.S. companies need to comply, especially those that process EU citizen data and offer goods/services to EU citizens.
The intersection between cybersecurity and privacy should lie in their shared goal of protecting sensitive information and ensuring its integrity and availability. Both disciplines should focus on safeguarding individuals’ and organizations’ assets from unauthorized access, use, disclosure, alteration, or destruction.
Cybersecurity and privacy efforts often overlap in their emphasis on data protection:
- Cybersecurity measures, such as encryption, access controls, and data loss prevention tools, help secure data against unauthorized access or theft.
- Privacy measures, such as data minimization, anonymization, and consent management, focus on ensuring that personal information is handled in accordance with privacy regulations and individuals’ preferences.
All efforts should involve assessing and mitigating risks to data.
Both cybersecurity and privacy rely on user awareness and education to promote responsible behaviors and mitigate risks. Training programs teach individuals how to recognize and respond to cybersecurity threats, as well as how to protect their privacy online. Training and awareness must be ongoing due to the dynamic nature of threat actor TTPs.
Cybersecurity and Financial Services
Q: What unique cybersecurity challenges do financial institutions face?
Financial institutions will continue to be a valuable target for threat actors for the foreseeable future.
Aside from the fact that there could be a lucrative payoff resulting from an attack, financial institutions are also high-value targets because their clients span all sectors. If criminals gain access to a bank, for example, they also potentially gain access to personally identifiable information (PII) for all customers, which enables them to launch secondary attacks against those people or organizations.
Also, over the past year, BlueVoyant has observed a significant spike in the trade of compromised and fraudulent checks on the deep and dark web, particularly in the United States. While there was also some data for Latin America and Asia, the U.S. leads the way as the most targeted geographic area.
The number of check fraud reports filed by U.S. banks nearly doubled between 2021 and 2022. Fraudulent checks are primarily shared in underground groups on various instant messaging platforms—Telegram in particular—where new groups dedicated to advertising compromised checks spawn daily.
Financial institutions should first acknowledge the threat and then take the following measures:
- Check verification: increase the security level of check verification processes. This includes two-factor authentication for mobile deposits, MICR technology, and flagging any suspicious activity to account holders.
- Education: users need to be aware of the risk of sending checks via mail or leaving them unattended. We recommend encouraging users to deposit their checks at their local bank branches.
- Self-reporting: to stop check fraud attempts as quickly as possible, encourage users to report any suspicious activity in their accounts immediately.
BlueVoyant monitors thousands of communities in the deep and dark web, which allows us to research the check fraud methodology firsthand.
We report to our clients any time a fraudulent check is presented for sale, which allows them to revoke fraudulent checks before they pose a real threat.
Q: How can organizations and individuals better defend themselves against social engineering threats?
Defending against attacks such as phishing and spoofing requires a multi-layered approach that combines education, technology, and vigilance.
First, education.
Organizations must educate employees about the various types of phishing attacks, how to recognize suspicious emails, messages, or phone calls, and how to act if they see suspicious activity. Employees also need to be kept updated about the latest trends and practices.
To make sure employees understand how to identify URL destinations before clicking, URL inspection and link verification training is essential.
Next, organizations must also implement robust email filtering and spam detection to identify and block phishing emails before they reach users’ inboxes.
Also, they need to incorporate multi-factor authentication (MFA) for sensitive systems or information. MFA adds a layer of security that challenges attackers and makes it harder for nefarious actors to compromise accounts or gain access to login credentials.
Finally, organizations need to implement a strong password policy. Not allowing easily guessed passwords, along with password update requirements, is critical.
Q: For smaller to mid-sized financial institutions, what would you recommend they tackle first to mitigate cyber threats?
Basic cyber hygiene makes it much harder for threat actors to be successful, regardless of an organization’s size.
I think the main piece of advice is to make sure that you have a baseline understanding of your network: you know what it looks like, and you keep your logs turned on.
If you do this, when an anomalous or unexpected activity occurs, you can notice it immediately and trigger a reaction and/or investigation.
Additionally, organizations should know what assets run in their network. There are so many assets parked out there that are still connected to the internet in an insecure way or running services that are not used, causing unnecessary and preventable risk.
Patching, education, software updating, traffic control, segmentation, access control, and regular control of user privileges are just some of the basics that help to defensively posture against attacks.
Our number one finding is incomplete email security, which people think isn’t that bad (they are wrong). The industry’s best practice is to authenticate emails with DMARC, DKIM, and SPF, but we don’t see that trifecta as much as we should.
A strong top-level domain can go a long way.
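The email-authentication gap Lorri flags here, and again in the trends list above (missing or weak SPF, DKIM, and DMARC), is easy to check from public DNS. The script below is an added example, not code from the interview or from BlueVoyant; it parses SPF and DMARC TXT records, counts the DNS-lookup terms that RFC 7208 caps at ten, and reports the weaknesses an assessor would write up. The `example.com` records it runs against are constructed for illustration; to assess a live domain, fetch the `TXT` records for the domain, `_dmarc.<domain>`, and `<selector>._domainkey.<domain>` (for instance with dnspython) and pass them in.

```python
"""Assess a domain's SPF / DKIM / DMARC posture from its DNS TXT records.

Added example; not from the interview or BlueVoyant. The sample records at
the bottom are constructed for example.com and are not real DNS data.
"""
import re

# SPF terms that cost a DNS query; RFC 7208 section 4.6.4 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse an SPF TXT record into mechanisms, modifiers, 'all' policy and lookup count."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    result = {"mechanisms": [], "modifiers": {}, "all": None, "lookups": 0}
    for term in terms[1:]:
        # Modifiers look like name=value (redirect=, exp=); mechanisms use ':' or '/'.
        if re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]*=.*", term):
            name, _, value = term.partition("=")
            result["modifiers"][name.lower()] = value
            if name.lower() in SPF_LOOKUP_TERMS:
                result["lookups"] += 1
            continue
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        body = term[1:] if term[0] in SPF_QUALIFIERS else term
        name, _, value = body.partition(":")
        name = name.partition("/")[0].lower()  # strip a CIDR suffix on bare a/mx
        if name == "all":
            result["all"] = SPF_QUALIFIERS[qualifier]
        else:
            result["mechanisms"].append((SPF_QUALIFIERS[qualifier], name, value))
            if name in SPF_LOOKUP_TERMS:
                result["lookups"] += 1
    return result


def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def assess(spf_record, dmarc_record, dkim_selectors=()):
    """Return a list of findings; an empty list means all three controls are enforcing.

    dkim_selectors holds the selectors for which a <selector>._domainkey TXT
    record was found (DKIM public keys live there, so none found means no signing).
    """
    findings = []
    if not spf_record:
        findings.append("SPF: no record; any host may claim to send as this domain")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] in (None, "pass", "neutral"):
            findings.append("SPF: terminal 'all' is %s; unlisted senders are not rejected"
                            % (spf["all"] or "missing"))
        elif spf["all"] == "softfail":
            findings.append("SPF: '~all' only softfails; prefer '-all' once senders are inventoried")
        if spf["lookups"] > 10:
            findings.append("SPF: %d DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)"
                            % spf["lookups"])
        if any(name == "ptr" for _, name, _ in spf["mechanisms"]):
            findings.append("SPF: 'ptr' mechanism is deprecated and unreliable to evaluate")
    if not dkim_selectors:
        findings.append("DKIM: no selector records found; receivers cannot verify signatures")
    if not dmarc_record:
        findings.append("DMARC: no record; receivers have no policy for SPF/DKIM failures")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address; aggregate reports are not being collected")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append("DMARC: pct=%d applies the policy to only part of the mail stream" % pct)
    return findings


# Constructed sample records for the documentation domain example.com (not real DNS data).
WEAK = {"spf": "v=spf1 include:_spf.example.net include:mail.example.org ptr ~all",
        "dmarc": "v=DMARC1; p=none", "dkim": ()}
STRONG = {"spf": "v=spf1 ip4:192.0.2.0/24 mx -all",
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100", "dkim": ("s1",)}

if __name__ == "__main__":
    for label, d in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess(d["spf"], d["dmarc"], d["dkim"]) or ["OK"])
```

The weak set of records is the pattern Lorri describes: SPF present but softfailing, no DKIM selectors published, and a DMARC record at `p=none` with no reporting address, so nothing is actually enforced. The lookup counter matters in practice because many organizations grow their SPF record by stacking `include:` terms for each SaaS vendor until it passes the ten-lookup limit and silently stops evaluating.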
Q: How does a verified top-level domain, like .Bank, help financial institutions better combat cyber threats?
The majority of traffic that transpires between organizations online is domain name system (DNS) traffic. So DNS traffic has to be exposed, because different systems need to be able to interpret, transmit, and use it.
That’s why there are a lot of vulnerabilities in DNS traffic, such as spoofing. Many organizations use cloud hosting, which makes it easier for criminals to spoof and authenticate your network.
Conversely, top-level domains are a secure space to host your businesses and services—and this is extremely important. They help users identify the legitimacy and trustworthiness of websites.
TLDs, like a .Bank domain, offer stricter registration requirements and security measures, making them a more reliable and secure choice for bank websites and email.
For smaller to mid-sized banks, this is a huge benefit. A .Bank domain focuses exclusively on this one sector of banking, so you know that you can rely on their security, as they know the ins and outs.
Plus, it’s much easier for these banks to implement a .Bank domain, because larger banks have such gigantic networks with legacy software that makes it harder to move over to any other TLD.
Wrapping Up
Q: What initiatives have you been part of for STEM advocacy?
I’ve been working with STEMCx for the past three years. This organization works to inspire underrepresented minority (URM) students to pursue careers in STEM by offering academic support, hands-on learning, and interactions with STEM professionals.
While working for the government, I also did STEM outreach at elementary, middle, and high schools to ensure that the next generation had exposure to STEM, specifically cybersecurity and the secure use of the internet and online safety.
The younger generations have had access to technology from birth. They process and use technology vastly differently than older generations who did not have the same phones/computers/tablets.
It’s critical to develop these skills and spark interest at an early age—at all socioeconomic levels. STEM fields have historically been dominated by men and individuals from higher socio-economic backgrounds, so we need diversity and inclusion to ensure innovation.
Hopefully, we can create future leaders who will drive innovation and solutions for the challenges of tomorrow.
Q: What more can be done to ensure a diverse talent pipeline in cybersecurity and technical fields?
Some of the misconceptions surrounding diversity in the security industry are that you must be highly technical to have an impact or that you must have many years of experience.
These ideas are simply not true. The cybersecurity industry needs knowledge and perspectives from all kinds of fields.
In the end, cyber threat actors are people.
Their behaviors and techniques come from their knowledge and experiences. So, it’s imperative that cybersecurity teams leverage all kinds of experiences and challenge problem sets with fresh perspectives. This will foster and drive innovation in this space.
To learn more about the many benefits of a .Bank domain, schedule a meeting.