MassMutual’s Ariel Weintraub on bringing more intelligence to security

For the insurance company CISO, a do-it-yourself approach to security analytics and SOC staffing, pays off in increased agility and quicker responses to threats.

Ariel Weintraub, CISO, MassMutual
MassMutual

Ariel Weintraub sees intelligence, agility, and a more robust talent pipeline as key components of a strong cybersecurity program.

And as head of enterprise cybersecurity at MassMutual, an insurance and financial services firm, she has a plan on how to bring those pieces together to deliver for her organization.

In fact, Weintraub has already brought on new analytics capabilities, beefed up the company’s security operations center, and expanded its talent programs—all in an effort to achieve and sustain her objectives.

“We exist to support the business, so we have to understand the systems we’re protecting and what the business risks are, we have to understand the company’s priorities, and we have to have a way to quickly test against controls,” she says.

Weintraub moved into MassMutual’s top security role in February 2021, after working for 18 months as the company’s head of security operations and engineering.

As such, she already had a solid grasp on the organization and a clear vision of what she wanted to achieve as she took on CISO responsibilities with her promotion to the executive spot.

Building up in-house analytics, security operations

Weintraub acknowledges that MassMutual had some of her priority components in place before she became head of enterprise cybersecurity. But she saw a need to strengthen and mature her team’s capabilities on all those fronts to keep up with the ever-evolving and increasingly sophisticated threat landscape.

Weintraub says that reality is driving her initiatives.

One initiative is to bring more intelligence into the security function.

The company, she explains, had implemented a commercial user behavior analytics (UBA) tool before she took over security. It demonstrated the value of using analytics in cybersecurity, she says, but it also showed her the need to have algorithms more finely tuned to MassMutual’s own environment.

“It validated that we needed to do it on our own,” she says.

So she leveraged the company’s existing data science team to write the algorithms for its own proprietary UBA platform, one that Weintraub expected could better evaluate MassMutual’s own environment and its unique traffic patterns to differentiate normal from suspicious.

“We have a lot of complexity in our organization, and I believed with our internal resources we could build something more specific to our environment,” she says, explaining that as a large 170-year-old company it has a mix of on-premises and cloud resources as well as a significant number of processes to secure.

Weintraub saw another benefit in building a custom UBA platform: increased agility and quicker responses to evolving threat intelligence data.

“I have a red team, an offensive team, that’s constantly testing our controls. And they sit next to the team building the UBA platform, so they can make sure the UBA can catch their activities and adjust [to threats] in real time. We literally tune the tool while we do the testing and in real time can tweak the models. We can tweak to either a known use case or tweak for a new threat actor technique,” she says.

The in-house tool lets her team handle even large changes more quickly than commercial options, she adds, pointing out that her organization uses agile software development processes and works in sprints to ensure rapid delivery.

“It all makes us very agile,” she says.

Meanwhile, she says the intelligence within the tool further enables her and her team to better keep pace with the speed at which threat actors evolve tactics. As she points out: “Humans can’t keep up with the changes in techniques as fast as AI and machine learning models can.”

Expanding agility and strength

Weintraub is building agility and strength in other areas of her security department, too.

For example, she’s bringing more speed to risk re-prioritization, which had traditionally been done through a quarterly process that recertifies what the company considers its top risks.

“Threats may change quickly. And we recognize that we may need to more frequently reprioritize what our risks are, so if something new comes up, we can focus our time to adding new controls,” she says.

Key to this, she further explains, is using the NIST Cybersecurity Framework, the MITRE ATT&ACK Framework and a risk register (which she implemented).

Additionally, Weintraub has focused on evolving the company’s security operations center.

MassMutual had used a managed service provider for 24/7 monitoring with only a small in-house SOC team to handle escalated incidents.

Weintraub, however, said she believed an in-house team that knew the company and what normal vs. suspicious looked like (thanks in part to using its own UAB platform as well its use of commercial SIEM tool) would be more effective in identifying potential troubles.

As a result she now has a follow-the-sun operations center with locations in the United States, India, and Romania.

Weintraub said the SOC’s use of data, particularly within the UAB platform, and automation means she didn’t have to hire an army to staff the center to be highly effective.

“If you create a baseline of service accounts, then you know what’s normal,” she says.

The way Weintraub sees it, an in-house SOC team equipped with analytics models customized to its own IT environment and its own traffic patterns can better detect not only a compromise but also post-compromise lateral movements that are often hard to identify.

That capability, she says, makes it more likely that her company could detect even a zero-day attack.

“I don’t think MSPs have the context that someone working internally has,” she adds. “There are so many nuances, and if you don’t understand the business processes, the architecture, the context, you can either over-escalate incidents or miss the true events.”

Creating a talent strategy

Although Weintraub’s evolution of the SOC aligns with her goals of increased agility, intelligence, and responsiveness, she says she also saw the move to an in-house SOC as a way to address staffing issues.

“We recognized when I joined that we had a talent shortage and that we wanted to grow our team,” she says, noting that her company—like many others—saw burnout among SOC staffers.

To address both problems, Weintraub says she decided to use her SOC as a talent pipeline.

“For companies that build out their own SOC, you’re going to have more effective response and a great set of talent that can be leveraged for other purposes,” she says.

She hires people into the SOC where they can develop skills and experience and then move up into other areas of the organization.

And she looks to non-traditional areas, such as workers without computer or security degrees, to fill the SOC roles. That helps get around the market shortage of experienced security professionals and bolster diversity among her team.

She also looks for candidates with intellectual curiosity, knowing that she can teach them the technology and cybersecurity skills needed to do the work. (“It doesn’t work every time, but it works out most times,” she says.)

Additionally, Weintraub created a new rotation program for summer interns who are hired as full-time employees.

The two-year program, which starts with its first class late this spring, will have the new hires work in three different position for eight months each so they develop more skills, and thus, agility, and so they gain a greater view of the security profession and the company’s own operations.

Weintraub says the program fits well with her overall focus on professional development and diversity, saying both help bring needed skills, new thinking, and a variety of perspectives to the complex challenges facing security teams today.

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.