JetBlue CISO Tim Rohrbaugh on putting threat intelligence at the center

Understanding threat actors and the tactics they use informs how Rohrbaugh develops his cybersecurity strategy, allocates resources, and leads his team.

Tim Rohrbaugh, CISO, JetBlue 

Tim Rohrbaugh is developing a criminal mind.

Rohrbaugh assures us that he’ll use his new mindset for good, but he nonetheless believes it’s a necessary move: He says thinking like bad actors is critical to succeeding in his fight against them.

“We as defenders really need to understand who the adversaries are, what their tactics are, what their techniques are,” he says.

Success is nonnegotiable for Rohrbaugh, who took over as chief information security officer at JetBlue Airways in 2019. Like CISOs everywhere, he has seen bad actors ratchet up their attacks and do ever more harm with successful hacks. At the same time, he has watched as the world has become ever more reliant on digital interactions.

The need for efficient and effective cyber defenses has never been greater, he says.

“You know you’re being targeted but you can’t close everything down, so you have to be elegant and precise with how you’re spending your time and dollars. That’s where threat intelligence takes a primary seat.”

Formative ideas

Rohrbaugh’s interest in the criminal mind grew from an early interest in psychology.

A Navy veteran and triathlete, he had become interested in the field after reading John J. Ratey’s book Spark: The Revolutionary New Science of Exercise and the Brain.

He turned again to psychology later when he worked at Intersections Inc., maker of Identity Guard, where he was a senior vice president and CISO. He was looking for ways to more effectively discuss cybersecurity with board members and fellow executives. That’s when he came across Made to Stick: Why Some Ideas Survive and Others Die, a book by brothers Chip and Dan Heath that explores the idea of “stickiness” and its importance for making concepts interesting and getting support for them.

“It got me thinking about the role of communicators and meeting people where they are, creating a narrative and explaining [security] in ways that match up with the schema in people’s brains. We as CISOs should communicate security and privacy in ways people understand so they embrace them and become partners,” Rohrbaugh says.

As that thought process was taking hold, Rohrbaugh was also serving as Intersections’ head of product and customer experience. He says that role, with its focus on engaging customers, sharpened his focus on the need to understand the mindsets of others so he could engage them on their level.

Rohrbaugh, a self-described autodidact, nursed this idea as he read more about gamification, incentives, psychology, and neuroscience. He thought about how those disciplines apply to the cybersecurity profession. And he started to focus on the motivations driving the threat actors.

He then borrowed the marketing practice of developing customer personas, taking that practice to create threat actor personas to help him better understand who they are and the tactics they use.

“I’m trying to answer: Who is coming after us and what do they want?” he explains.

Towards a threat-informed defense

Such work is more than a mental exercise. Rohrbaugh says that this work informs how he as a CISO develops his cybersecurity strategy, allocates resources, and leads his team.

He uses insights into threat actors to create a threat-informed defense, an approach advocated by cybersecurity leaders such as The MITRE Corp. MITRE defines threat-informed defense as applying “a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyberattacks.”

Rohrbaugh is actively doing just that.

He is part of an Information Sharing and Analysis Center (ISAC). He’s also a member of software company AttackIQ’s Informed Defenders Council, another information-sharing group. And he leans on reports from FireEye, Intel 471, Q6 Cyber, and other companies that publish threat intelligence reports.

Rohrbaugh says such associations, along with the informal channels that he and other security experts use to exchange insights, help him get closer to a real-time understanding of the threats that are coming at him, how they’re evolving, and how they’re reusing existing, known tactics.

Those details, he explains, are key to understanding the bad actors, figuring out their strategies, the tools they have, what they want, and how they’ll try to reach their targets.

“They’re creatures of habit, and until [a strategy] is not successful, they’re going to stick with it,” Rohrbaugh says. “So sharing information about them—who are they going after, what do they do when they’re in, what are they looking at once in—has helped because knowing all that is how you can piece together the who and the why.”

He, like other CISOs, has seen threat actors evolve over the decades from individuals testing their skills to professional enterprises that need skills and resources to succeed.

“Criminality now is another form of business, and these adversaries have some of the same concerns around levels of effort and costs, issues around skills development. They have to pay for infrastructure, internet fees, and 800 numbers. So if we can figure this out, find ways to drive up costs and make it painful for them when they come after us, we can find ways around them,” Rohrbaugh says. For example, he says CISOs can turn the tables on the bad actors and use techniques from their own arsenals, such as credential stuffing, to drive them back. “If you time things right, do things in a certain way, you can drive up their costs and force them to go somewhere else.”

Rohrbaugh notes that this approach is still emerging.

He credits those information-sharing associations and CISOs, with their relatively new willingness to share data, for advancing this practice. “In the past, we who had defense teams were all very secretive about what we’re doing. But now we’re all working together,” he says.

Advances in technology also have helped, he adds, as log data and intelligence let CISOs, security teams, and security vendors track and analyze threats, attack attempts, and successful breaches.

Putting threat intelligence at the center

For Rohrbaugh, this threat-informed approach and his own ideas about understanding the bad actors shape how his security department should operate.

As JetBlue’s CISO, Rohrbaugh restructured his department and built a threat hunting capability while also changing up some roles and responsibilities—in addition to maintaining existing security team work.

He shifted the security department from one that uses a project-based approach to one with a product mindset, introducing agile principles to develop nimbleness and foster ownership, accountability, and innovation from all corners of the department.

And he leaned more on vendors to help build up his threat intelligence program, noting that JetBlue has had a longstanding approach of collaborating with vendors as full business partners—an approach he readily adopted.

He says the work is showing results.

“We put threat intelligence at the center of the program I’m building here,” he says. “You have to focus on the defense controls and monitoring the threat actors who are coming after you. And the only way to do that is to have a coalition of players who can answer the questions about the threats coming after you.”

Copyright © 2021 IDG Communications, Inc.