On the 2nd episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Selim Aissi, Global CISO at Blackhawk Network. Blackhawk Network provides innovative solutions for global commerce. Leveraging cutting-edge technology, they offer a seamless platform that enables secure and convenient payment transactions, gift card distribution, and loyalty programs. In this conversation, Selim shares how Blackhawk Network is evolving as the perimeter of security moves towards identity, interesting emerging attack vectors, and an optimistic outlook on utilizing AI within cybersecurity.
Quick hits from Selim:
On the perimeter of security moving closer to identity: “The notion of the perimeter as we know it has evolved over the years. There are also other trends that add complexity to this, [including] one is the massive use of APIs, especially public APIs, but also private APIs versus direct connect for VPN. A lot of information is shared over APIs these days…If there's a good percentage of employees operating out of hostile environments, that's a completely new dynamic that we've been dealing with now for three years. I think those are very important trends.”
On emerging attack vectors: “What really triggered my interest over the past few months is by looking at some of the attacks that are based on extortion, specifically ransomware. The evasion techniques and the security tool defeaters that they have embedded, especially in the first and second payloads of the attack, are definitely some of the best that I've seen in my career.”
On optimism for AI applications in cybersecurity: “I was thinking the other day about the optimum data protection tool that would learn where all of the data stores are, discover everything, all the types of data, do the data tagging, do the data lineage, data tracking, and come up with the best protection methodology. Whether it's decontexting, tokenization, encryption, whatever method makes sense for that data store because you can't come in with a big hammer and encrypt all of the data. AI can play a huge role in something like that.”
Recent Book Recommendation: Strategy: A History by Lawrence Freedman
Evan: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I'm Mike Britton, the CISO of Abnormal Security. Today on the show we're bringing you a conversation with Selim Aissi, Chief Information Security Officer at Blackhawk Network. Blackhawk Network provides branded gift cards and digital payment services alongside some of the world's most recognizable brands.
In this conversation, Selim shares how the perimeter of security is moving closer to identity, interesting attack vectors he's seen recently, and his optimism for AI's role in the future of cybersecurity.
Evan: First of all, Selim, thank you so much for taking the time to join with us. Always excited to chat with you and I'm excited for us to learn more about you and your experience.
Selim: Thank you. Likewise, appreciate that.
Evan: So, maybe kick us off to give our listeners a little more background about you and the work you do. Can you share a little bit about what your role at Blackhawk Network is?
Selim: Yeah, so I'm currently the Chief Information Security Officer of Blackhawk Network and I overlook security engineering operations, GRC, data privacy for that matter also something that we started last year as part of this InfoSec program and also cyber resilience in the company.
Evan: Do you mind sharing a little bit of what Blackhawk Network is? Because I think everyone's probably interfaces without maybe knowing, right? It's not as common a name, but it affects a lot more people than they probably realize. Will you share a little bit of what you guys do?
Selim: So Blackhawk Network has been operating for a very long time, over 20 years and they started off with the branded gift cards. So a lot of the cards that you see, at Target or Safeway, probably many of them are, Blackhawk Network originated. The company pivoted though over the years to, uh, uh, more digital services as in, uh, incentives is a, a huge business for us. And, um, and uh, also the digital gift card or e-gift card as well. So, um, so that's basically, um, branded payment and incentives is where our focus is.
Evan: So for probably most people that use a gift card, they've kind of, uh, used basically your service behind the scenes. So it affects a lot of people.
Um, Selim will you share a little bit about how you got into cybersecurity?
Selim: So, my first job out of college, uh, was at General Dynamics, uh, working on the M 182 tank. What I learned on that job is that security has to be built into any systems. We truly didn't have to spend a lot of time bolting security into whatever systems we developed, whether it's the commander's system or the gunners, or any other subsystems. Security came into the picture as part of the requirements of how to build software. Uh, that was my first interaction with security. But then, uh, I joined Intel Corporation, uh, worked there for 10 years working on, uh, security every day on the product side. So we develop a lot of crypto systems and secure enclaves and a lot of capabilities that went into the Intel systems. Some were software based, some were hardware based. Some were in between, you know, we've built a lot of firmware and BIOS capabilities as well. So that's really like the roots of my, you know, security background.
Mike: Yeah, what a great career and story. You definitely don't hear about people getting into security by building tanks but that's definitely a great way to start. One of the things I wanted to ask you about is, you know, what are some unique cybersecurity use cases at Blackhawk that the average person may not appreciate?
Selim: I think the biggest aspect of our business is the volume of fraud and the complexity of the fraud.
A lot of that is highly sophisticated, highly automated these days. The evasion techniques that they have learned over the years, and, you know, as, um, some of my best friends say out there, you know, uh, follow the money, right? That's what the adversaries are doing, you know, wherever, you know, there, there is money, they're gonna follow it.
Uh, get more sophisticated. And, um, uh, today, uh, you know, fraud is, is definitely, um, uh, a huge issue for our industry.
Evan: And so, as you know, probably better than anyone, um, you know, the cybersecurity has changed a lot of the last 10 years with kinda enterprise software shift to the cloud. Can you share maybe how some of the threat landscape has changed? Right. As enterprises are adopting more of these, you know, cloud and SaaS based, uh, software systems.
Selim: I think what has really changed over the years is the following. One, the level of sophistication. And that is also tied to the amount of money the adversaries have been able to, to make over the years. So the sophistication level, the evasion techniques have evolved tremendously over the years. Uh, Two, the collaboration between the different, uh, adversaries in terms of collection or theft or, uh, of identity and credential.
Email addresses, DDoS attacks, um, different extortion techniques. I think the third one is, is, you know, leveraging SaaS. Uh, a lot of the attacks that we see on a daily basis are provided as a service by the adversary to other adversaries. So not only the good guys are using SaaS services, but there is also, you know, a significant, um, number of adversarial services provided as a SaaS and a PaaS. Uh, I think those are mainly the, the key trend that I've seen over the years that help two things. One, the sophistication of the attacks. Two, the volume and, and complexity of the attacks as well.
Evan: And so in terms of like emerging attacks, is there something you've seen recently?
I, because you know, you, you're kind of, uh, you send us, you, you see the things that are a little more advanced before other people, right? Maybe the average securitization. Are there things that are just coming out now or maybe new attacks, either techniques that people are using where you're like, "Hey, I gotta keep my eye on this", because we've seen this and I think other people might be start talking about this in, you know, the next month, quarter year?
Selim: I think what really triggered my interest over the past few months is, um, by looking at some of the, um, attacks that are based on extortion. Specifically ransomware. The evasion techniques and the security tool defeaters that they have embedded, especially in the first and second payloads of the attack, are definitely some of the best that I've seen in my career.
You know, obviously there's a lot of investment on, on adversarial side and, and these types of evasion techniques and especially the defeaters is very interesting because, you know, a lot of us in invest in various tools, especially at the endpoint, but also on the network, you know, to block, you know, um, lateral movement.
As these, you know, attacks become more sophisticated and they target defeating, you know, the security tools that are in place, uh, it raises a huge question, right, in terms of, you know, how can we raise the bar to make sure that our controls are not defeated? Cause at the end of the day, you know, that's where we wanna be.
So that's really where I saw a lot of sophistication, uh, in the evasion techniques. I've seen sophistication in evasion techniques, even on the fraud side. A lot of the frauds run, are using different types of defeaters for the controls that you, they know you have in place for rate limiting and detection of, uh, automated attacks such as, um, attacks generated by bots. Those are, to me, you know, some of the biggest concern that I have.
And, you know, I always assume the worst. I assume that the first layer of defense probably will be defeated. We do a lot of threat modeling. Uh, like now we do a lot of threat modeling for, uh, our products, applications, and also for the, uh, corporate network. And the reason we do a lot of that is if the first layer is defeated, what happens next? Can you stop an attack, you know, at the second, you know, the next layer? Uh, looking at like the OSI model, if the malware or ransomware or, you know, some other type of attack, you know, comes in from the end point. How far can it go? How far can it penetrate through the network? That's always a question in my mind. And, and that's where we spend a lot of energy to make sure that even if the first layer is defeated, how can you detect and block, you know, the attack at a, at the next stage.
Evan: One of the themes on the show has been, or a common thing we've heard from guests is the, the perimeter security is moving kind of closer and closer to identity, right? And closer to the actual business applications. So you see kind of more enterprise software being used for collaboration or for systems of record.
Does that make it then hard? Like are there new use cases that security execs should be thinking about? Because sometimes you don't have as many points, right? It's not network endpoint and then application, right? It's kind of direct to the data. So how does that, um, I guess what are some of the new. You know, that new world where it has that change, and the use cases you think security leaders should be thinking about?
Selim: No, you're absolutely right. I, I think the, the notion of the perimeter, as we know has, has evolved over the years. There are also two other orthogonal trends that also added some complexity to this. The second one is the massive use of APIs, especially public APIs, but also private APIs. Uh, versus, you know, direct connect for VPN, you know, other types of connections that we have, have been used to over the years.
A lot of information is sh, you know, shared over APIs these days. Uh, so that's another angle. The third angle is the remote work, and that hasn't stopped yet, although it's kind of slowed down a little bit. But my perspective has always been employees working remotely are in a hostile environment. Right, the old days where everybody showed up to the office, you know, uh, are gone.
And, you know, you can put all kinds of, you know, physical security around, you know, your employees and your most, you know, important assets, uh, in the company. Now, um, the now are people, you know, most people are, and, uh, therefore, you know, going back to point number one, you know, the perimeter doesn't exist anymore.
You know, if there's a good percentage of employees, uh, you know, operating out of hostile environments, uh, that's a completely new dynamic that we've been dealing with now for a couple, three years. I think those are very important trends.
Evan: Yeah. I, I, I talked with someone last week and they said, "My job used to be easy before Covid. I had to protect one data center. Now I have 30,000 data centers because every employee is on their iPad, their laptop, their personal computer. Right. All connecting from their, their home. Right. It really changes. You know what, what the, the network looks like."
Selim: Absolutely. That, that's exactly the challenge we're dealing with.
Mike: Yeah, I would agree with you that COVID has definitely changed the paradigm and, as they say, you know, once the toothpaste is out of the tube there's no going back. With that said, where do you feel that security leaders need to, you know, focus and invest their resources on in this cloud first world?
Selim: I think with this new cloud first world, there, there are two or three areas where I, I still feel like we, we need to improve. Uh, one, the shared trust model is still fuzzy in, in my mind because malware doesn't stop at the VM and, and higher. Malware can also exist below the VM. And the customer still doesn't have any control over anything below the VM or visibility for that matter.
I think that that's something that still needs to evolve. I think we all kind of took it for granted, you know, this shared trust model. If you have, you know, very sensitive applications, mission critical applications is always a concern. You know, what happens below the VM? Uh, number two, the, um, sophistication of the monitoring techniques and multi-cloud in hybrid environments is still highly fragmented. Uh, we still have to go look for three different monitoring tools, uh, and the level of sophistication is still not that robust. The third area is also something that not only applies to the hybrid cloud and the cloud first, is the fragmentation of the security tools.
You know, we often have to go find 10 different tools to do five different jobs, and they high, they're highly fragmented. So for me as a customer, I need to go stitch all of that and, and, and do a lot of integration. Let me give you an example just to clarify. So let's say, um, you know, we have, you know, networking, you know, intrusion detection, intrusion prevention, you know, EDR, and SIEM slash SOAR. We still have to end up integrating a lot of those tools to have a better visibility for, for the SOC team. There's usually little integration out of the box for many of the tools that we end up deploying on a daily basis. I see threat intelligence as central to all of these capabilities, you know, but at the same time, you know, we still have to integrate a lot of these capabilities to a central threat intel platform. I would love to see one day, you know, a lot of these tools come ready with integrated threat intelligence out of the box in, you know, API based integration with other security tools that we, uh, that we, that we need, that we use. Uh, I'm not saying not, you know, all of the security tools don't come with that, but I'm still seeing the majority of the security tools not, you know, ready out of the box with these, uh, capabilities that, um, I mentioned.
Evan: I was at RSA last week talking to a lot of customers, and that was kind of one of the themes we kept hearing is, "Hey, I have less time energy for my security operation, so I need more of these products to kind of work out of the box with little configuration and tuning." The second one was, I need small number of platforms that all work together rather than have kinda a, a long tail point solutions. The third one was AI, right? Like you couldn't not talk about AI at, at any security conference this year. I think one of the frustrations is that, you know, everyone's talking about AI and it's supposed to have this huge impact, but sometimes people don't always see the impact that they're promised. Right. And there's a gap between the promise and the reality. Do you have any kind of counter examples or any kind of use cases, right, especially with some of the, you know, the anti-fraud work you do. Um, are there any cases where you feel like AI's actually delivering results? Right. Kind of better than most people would expect you, that you'd like to share? Just so people can, um, you know, see if there's any kind of hope there.
Selim: I see a lot of innovation, um, you know, that is based on AI. You know, over the past three or four years, I have seen security tools coming to the world with AI based capabilities, self-learning. Some of those are, um, in the EDR, some in the email security, some on the, on the, uh, anti-bot, you know, slash fraud detection. Um, especially in the analytics, security analytics, I've seen some innovation that is based on AI engines and the intrusion detection also I have seen some AI. I really think in you know, every area of security can leverage, can use some of the AI because they all deal, deal with some kind of threat. And for a self-learning system and system that learns from large data sets, there's so much, you know, so much learning from all of the threats over the past 30 years.
I was thinking the other day, you know, dreaming about the optimum data protection tool that would learn where all of the data stores are, discover everything, all the types of data, do the data tagging, do the data lineage, data tracking, and come up with the best protection methodology, whether it's decontexting, tokenization, encryption, you know, whatever method makes sense for that data store because you can't be come in with a big hammer, hammer and you know, encrypt all of the data. So I think AI can play a huge role in something like that. Um, now I think a lot of the use cases that we've seen are, you know, somewhat malware and threat related, uh, whether it's, you know, email security or some other, uh, tools that we've seen.
But I think AI can be leveraged by, by anything that is related to cybersecurity. I think there's so much overlap between the two. And I'm very optimistic about this. I, I think, you know, five to 10 years from today, you know, a AI will be the norm to most of the security tools.
Evan: Well, Selim, this is why we're friends, cause both of us are both, uh, AI optimist of sorts. Maybe, uh, you know, you mentioned kind of dreaming about this. Help us, help us dream a little bit more about the future, right? What do you see as AI's potential impact and like the future of the world? Something you feel high conviction, Hey, this is gonna really transform the way people do security. But maybe something, some, something that, you know, the average person would not believe. The average person might, you know, one of your peers might think of science fiction, but you feel kind of a, a high level conviction that there, there's, there's a promise there.
Selim: What I see that the future is, you know, some, somebody like myself, you know, a CISO of a, of a large FinTech company or a large, you know, healthcare company doesn't have to deploy, you know, 40-50 security tools. The CISO would only have to deploy two or three capabilities that can perform the functions of all of these highly fragmented tools that we have to deploy today.
Uh, these tools are self-learning, just like the example I mentioned to you in, in passing about data protection. I don't need to deploy, you know, six, seven different tools to deal with data protection. You know, it's one tool that is intelligent enough that can do, you know, the learning, the data lineage and, and, and also the protection on top of that.
Now, same with the other tools, um, you know, whether it's a malware detection and uh, or endpoint protection, you know, the, the, the tool needs to be able to, to do a multitude of, of things versus just identifying, you know, an anomalous behavior and blocking it. So, uh, I think that's where AI can come in very handy and unifying a lot of these overlapping capabilities where, for me as a buyer, I need to go buy, you know, 30, 40, you know, security tools. I think AI can help, unify, can help a lot of, add a lot of intelligence and learning. And there's so much to learn from, you know, whether it's my own environment or you know, other companies. There's so much to learn from. So this is a very, you know, fertile ground for these types of techniques to come in and, and help, you know, unlike many other areas where these tools don't have, you know, um, a lot of information to go learn from. So, um, that's why I'm really highly op, optimistic that this is definitely going to help us tremendously.
Mike: Yeah, I couldn't agree with you more. I definitely share your optimism about AI's future with cybersecurity and look forward to seeing all the problems we're going to be able to solve with it.
Well, it looks like we're at the top of our hour and needing to wrap up this conversation, and, uh, definitely want to thank you for your time here today and, I really learned a lot throughout our talk and I definitely look forward to future conversations with you.
Evan: Selim, thank you so much for taking time to chat with us, and looking forward to chatting again soon.
Selim: Thank you very much for your time. I truly appreciate the opportunity and, uh, we'll talk to you soon.
Mike: That was Selim Aissi, Chief Information Security Officer at Blackhawk Network.
Evan: Thanks for listening to the Enterprise Software Defenders podcast. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I'm Mike Britton, the CISO of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
Evan: This show is produced by Josh Meer. See you next time.