Aflac automates threat intelligence to take a proactive security posture

Automation is enabling cybersecurity teams to work faster and smarter. By delegating tiresome, time-consuming tasks to machines, automation allows companies to extend their security efforts.

For insurance giant Aflac, applying automation to its threat intelligence program keeps it up-to-date on threat actors and techniques, providing intelligence to constantly inform changes to its security posture and defenses.

“When you look at the levers we have to pull, most of them have historically been a wait and see what the bad guys are going to do, and then react to that,” says Aflac CSO Tim Callahan. The company has over 10,000 employees and manages over $100 billion in assets.

Prior to joining Aflac in 2014, Callahan served in the U.S. Air Force and held security-focused roles at financial institutions such as SunTrust Bank and Peoples United Bank. He and his security team of around 250 are responsible for all aspects of security, including compliance and risk, physical and logical security, threat management, incident response, business resiliency and disaster recovery.

Callahan says cyber-criminals working for financial gain are the company’s main nemesis and the one it spends the most time and effort countering. To get ahead of the cyber criminals, Aflac has adopted a program that combines traditional threat intelligence feeds, predictive analytics, dark web intelligence and automated preventative measures. Callahan says this allows Aflac to be more proactive and offensive in its security posture. “Threat intelligence is one area where we can get ahead of that and we can start anticipating and being somewhat predictive on what the bad guys are going to do.” 

The art of threat intelligence automation

Through a combination of internally developed capabilities combined with off-the-shelf tools, Aflac takes data from a number of internal and external sources, runs analytics on the data, assigns confidence and risk factors determining the surety of the conclusion and the severity of the danger posed, and then uses that information to automatically apply protective measures.

Vendors included on the project include Infoblox and Flashpoint, but Aflac ingests data from other partners as well, including the Financial Services Information Sharing and Analysis Center, the National Cyber-Forensics and Training Alliance, various government programs, and the dark web. This information is then combined and processed with the company’s internal data gathered from the network, applications and security tools.

Various confidence scores will have different outcomes. A high confidence score about a bad domain will lead to blocking, while repeated failed logins will be noted and possibly combined with other data later. “It’s basically a team of individuals that are dedicated to studying and understanding what threat actors are doing,” says DJ Goldsworthy, director of security operations and threat management, Aflac. This includes knowing “who the threat actors are, what are their current tactics and techniques, and how are they changing and evolving. And as we gain new insight into threat actor capabilities and tactics, we’re using that information to advise our defensive strategy.”

Although the threat intelligence team has only five members, the system is able to block over two million bad connections with just 12 false positives. The system has over five million indicators of compromise (IOCs) stored on record and is constantly ingesting information from millions of data points.

The art, according to Aflac, is automatically tying threat intelligence to security orchestration to ensure the gathered data is valuable — for example, automatically blocking known bad email addresses, domains, IP addresses or files. Aflac tracks about 10 million data points at any given time and blocks more than 300,000 connections labeled high risk a month.

“We don’t just stop at blocking,” says Goldsworthy. “We take the information from those emails and we analyze it. If it’s malware, we reverse-engineer it and take all the intelligence out of it and put that into our threat intelligence data sets. We can see, for example, when threat actors shifted to macro-enabled office documents to distribute ransomware and then shifted again to malicious URLs to steal credentials.”

“That’s something we cultivate ourselves,” he adds, “because from a threat intelligence standpoint, all the sharing that happens is very beneficial, but there’s really no better intelligence that you can gather than what the threat actors are trying to send to your business on a day to day basis.”

While Goldsworthy says there are manual aspects to the program around some of the dark web monitoring and high-end malware analysis, it is necessary to have automation and orchestration to keep up with the pace of threats. The system also brings information together based on commonality. IOCs are grouped together threat actor or technique, meaning seemingly disparate data comes together to show wider patterns.

Threat intelligence could always use more intel

No system is perfect, and Aflac recently suffered an incident involving some of its sales representatives. In September 2018, the company revealed how Microsoft Office 365 email accounts belonging to independent contractor sales agents might have been compromised, leading to the leak of personal information such as names, addresses, social security numbers and some policy details.

“Our sales force is made up of independent agents, and we have an Office 365 instance that we offer,” explains Callahan. “The email incident was a phishing attack that a very few of our agents happen to fall for, but it was enough that it generated a lot of activity.” He says Aflac aims to become “more of a partner” to its sales force of smaller companies selling Aflac products and do more around both educating them on how they may be a target for criminals but also help secure those companies.

“That incident highlighted the need for cloud solutions to achieve parity with the more traditional on-premise solutions in terms of integrations and security capabilities,” says Goldworthy. “They’re maturing quickly but there are still some integrations points that don’t exist and allow for native capabilities that security teams have built to extend to those cloud environments.”

While he won’t say Aflac could have avoided the attack if it didn’t involve an Office 365 instance, Goldsworthy believes that if there had been an integration point that tied into the company’s threat intel platform, the system could “potentially could have provided some additional visibility.”

Callahan and Goldsworthy say priorities for 2019 and beyond include being more interactive with customers in the digital space, which includes having a strong client validation and authentication program that doesn’t impact customer experience. On the threat intelligence front, moving beyond largely atomic IOCs to more behavioral IOCs is also a goal.

“I think we’ll see more intel automation that leads to technique- and tactic-based blocking,” says Goldsworthy. “So if you see this behavior, not specifically this IP or this domain but this behavior, this indicates an attack with a high confidence. One of our core strategies is reusing our security research and our threat intelligence to advise our strategy around controls. How do we continue to improve our email protection? How do we improve our endpoint protection? How do we improve our data loss prevention protection? All of those are tactic- and technique-based preventative or detective controls.”

Security support from the top down

Aflac’s approach to security has garnered it a host of awards in recent years. As well as two CSO50 Awards, Callahan has won a CISO award from SC Magazine and the Stevie award for Tech Innovator of the Year. When asked about the secret to the company’s success, he cites how security is treated as a priority throughout Aflac’s hierarchy.

“If I were going to assign a single causal factor,” says Callahan, “it would be our support from our executive leadership and board of directors. They’re very active in our program, they want to know that we’re doing the right things.”

One example Callahan gives was the time Aflac CEO Dan Amos personally launched a contest among employees to see if they could come up with good ideas for improving security within the company. The winning idea – which received the $3,000 prize – was to have cybersecurity advocates in each department, a scheme dubbed the cybersecurity ambassador program.

“That’s just illustrative of the support that we get from our top execs,” says Callahan. “Because I have that support, every SVP and EVP in the company knows that it’s a high priority and they want to make sure that they’re supporting our program to that same degree that our CEO and top execs are.”