Ann Barron-DiCamillo - VP of Cyber Threat Intelligence and Incident Response, American Express


Written by

After years working for the departments of Homeland Security and Defense, Ann Barron-DiCamillo is applying that security know-how to protecting American Express. She discusses her approach to network defense and how financial organizations have responded to being in the crosshairs of hackers in recent years.

CyberScoopHow have you seen cyberdefense technology evolve in the few years since you left government for the private sector?

Ann Barron-DiCamillo: When I was at DOD, DISA [Defense Information Systems Agency] leadership laid the foundation for a host-based vendor program that really forced vendors to come up with products that were interoperable with each other – open APIs [application programming interfaces] and SDKs [software development kits] for integration.

The cross-vendor integration of cybersecurity tools has evolved and will continue to evolve as it’s a critical aspect to have tools that “play well with others” in large environments to be able to fully leverage best-of-breed and not be stuck with a single vendor solution set.

One of the big things that we’ve focused on is “orchestration” and “automation.” Operationalizing those capabilities is a big focus for us. We want to minimize the time [that defenders] spend on manual work, instead allowing them to pursue more advanced analysis and hunting, using their cyber tradecraft.

CSWhat’s the next step that the financial industry can take in boosting its cybersecurity?

ABD Financial organizations have gotten a lot of “love” from threat actors over the years, so they are no stranger to understanding the adversary and hardening their environments as a result. You remember the DDOS attacks from 2012-2013. Having the ability to implement automation solutions and the capability to add in modules to enhance existing controls – all the while accomplishing it in a way that is seamless and transitional – is really where you’re seeing the more mature financial organizations move.

Another important focus is constantly reviewing controls across the kill chain for any potential gaps caused by increases in a threat actor’s tactics or new vulnerabilities that can be exploited.

CSHow can the bigger companies help the smaller ones to make them more secure in the financial sector?

ABD: We’re an active participant in the information sharing environment. With robust information-sharing in cyberspace, one organization’s detection can really result in being another organization’s prevention. With such threat-information sharing programs across critical infrastructure partners, our “competimates” are our partners in cyberthreat intelligence.

CSWhat are some other technological advancements that can help close the gap in cyberdefense?

ABD: One example is next-generation antivirus capabilities that streamline how this was handled in the past. Adversaries are moving to the endpoint. So you want to go to where they’re going, and make sure you have the endpoint locked down.

Good threat intelligence is one thing, but making sure you know what to do with it is another and ensuring it’s not just another generator of noise within your environment. Creating a robust cyberthreat intelligence program can be both a tipping point for activity as well as resource to enhance on-going investigations.

I’m trying to focus on technologies that can deliver multiple capabilities within one agent or are agent-less or even have dissolvable agents — all in an effort to reduce the footprint we have on our endpoints while taking advantage of advances in technology improvements in the vendor space.

I’m interested in emerging capabilities that support and collect our advanced operators’ “tribal knowledge.”  These kinds of tools can help enhance incident response investigations before an incident happens.