Security, Bookmarked

Finance

Episode Summary

JF Legault, Deputy CISO at J.P. Morgan Chase, lays out a strategy for transforming teams from a vulnerable perimeter to an early detection network.

Episode Notes

Financial institutions have been a leading target for cyber crime since the dawn of the internet. But phishing schemes have become far more intricate, and cyber heists go beyond stealing money from a bank. JF Legault, Deputy CISO at J.P. Morgan Chase, explains how he leads cyber defense on the front lines of work — and lays out a strategy to transform teams into early detection networks. Then David Adrian from Chrome unpacks how web browsing protections, robust monitoring, and a real-time view of threats can fit into this kind of strategy to maximize resilience to a cyber attack.

Episode Transcription

JF Legault: We can go back to a quote from the Depression era bank robber, Willie Sutton. He had this infamous quote that said, like, "I rob banks because that's where the money is."

Kate Fazzini: Old-fashioned bank heists aren’t so common today, but modern financial institutions protect more than just money. And finance is consistently in the top three most targeted industries when it comes to cyber attacks.

JF Legault: There's accounts, but there's also a lot of strategic information with regards to transactions and the like, and that's what continues to make financial institutions a target for this.

Kate Fazzini: That’s JF Legault.

JF Legault: I’m Deputy Chief Information Security Officer at J.P. Morgan Chase.

Kate Fazzini: As a leader of cybersecurity operations for the bank and its clients, JF thinks constantly about every opportunity that an attacker could exploit — from software bugs, to natural disasters.

JF Legault: Whether the scenario be a technology outage, whether it be weather, a threat actor could use that as a lure.

We've actually seen, you know, like, fake donation sites when there's a natural disaster, right? Where people were looking to donate to earthquake relief or hurricane relief... the bad guys are there.

Kate Fazzini: And by setting up fake disaster relief websites, the bad guys can harvest any credentials that come with those well-meaning donations.

This is just one scenario in a bigger trend that JF’s seeing, where cyber attackers set traps to compromise team accounts.

JF Legault: We're seeing more and more threat actors using search engine optimization to present fake websites.

When somebody's doing an online search, the website will come up at the top versus the legitimate one they're looking for, and then they get the ability to deliver malicious software… So that's, like, a really interesting trend that people should think about.

You know, we used to train people to look for phishing based on, like, grammar and urgency and things like that. That's changing.

Kate Fazzini: Phishing and browser-based attacks are evolving to catch us where we spend our money, our attention, and our working hours.

And as work itself happens more consistently in web browsers, JF sees the role of a cybersecurity leader evolving, too.

JF Legault: I've been doing this for like 25 years now.

That overall evolution, we used to call it computer security, network security. It was very infrastructure focused.

And then there was an evolution to information security.

You know, when I look at the role today, a lot of it and, and most of it is really, how do you secure a business?

And I think that's where strong cybersecurity leaders are evolving towards is, like, how do you interface with your business? How do you understand the practices?

There's an evolution in a variety of technologies that help bad guys, so you also need to adapt based on the evolution of just... the world.

Kate Fazzini: From Bloomberg Media Studios and Chrome Enterprise, this is “Security, Bookmarked.”

I’m your host, Kate Fazzini — I’ve been a cybersecurity professional and journalist for over 20 years.

And on this podcast I’m talking with leaders in gaming, finance and manufacturing — about what security looks like in a workplace that’s moved to the cloud.

Much of what we think of as cybersecurity was pioneered in financial services. In fact, a bank created the first CISO role and banks invented many of the guidelines that are now standard across a range of industries.

According to the IMF, around 20% of all reported cyber incidents in the past 20 years have affected the global financial sector.

So today I’m speaking with JF — about what he’s learned as a leader of cybersecurity in finance.

JF Legault: Really my role is twofold. One is to represent cyber security in, in the lines of businesses, but it's also to hear where they're heading towards from a business strategy standpoint.

Kate Fazzini: And I’ll find out why he’s flipping the script on enterprise security — from simply defending the perimeter to transforming whole teams into early detection networks.

Then I’ll chat with David Adrian, Security Product Manager for Chrome, about how businesses can implement this kind of strategy, and set up a strong monitoring system, to protect their teams.

Kate Fazzini: Going back to the trend of cyber attackers using fake websites as phishing lures, JF talked me through each step of their attack path.

JF Legault: A lot of it starts with the endpoint. It starts via email or web browsing…

Credential theft continues to be a driver of this, and like phishing, phishing from two standpoints, either the credential theft that I mentioned, but also delivery of malware via those channels is normally step one.

What we continue to see in terms of exploitation is things like, you know, not having multi-factor authentication on remote access, on remote login, or an element of, like, push fatigue: There are multi-factor authentication solutions that send a pop-up and then people just end up hitting the ‘yes’ button somehow because they're just tired of seeing it.

Kate Fazzini: But tricking someone into signing into a website is just the first step.

JF Legault: And I think what's important for organizations is that there's multiple steps that are carried out by an actor.

I think understanding these attack paths, of how actors operate and carry out their activity, is hugely important, because the more you understand, the more you can design layered control.

So what if an actor is able to obtain credentials? Well, those credentials, if you've got multi-factor, they won't work, right? They might get them part of the way, but they won't get them logged in.

Let's say they're able to get logged in. Well, actors are going to start carrying out some element of reconnaissance on the network. So how would you detect that reconnaissance or how would you detect them setting up a foothold on the network?

So it's really about as early detection as possible and understanding those early indicators of an adversary being present on the network.

Kate Fazzini: One of the biggest threats that JF and I talked about was an ongoing rise in ransomware attacks — where attackers don’t go directly after a bank’s money, or even its data.

Instead, they try to paralyze the bank itself, which can have serious consequences for the greater business world.

JF Legault: The financial services ecosystem interfaces with utilities, infrastructure, all of the clearing and settlement payment providers, the third parties that we rely on day to day…

Kate Fazzini: And protecting that entire ecosystem at a global scale? That’s daunting.

So I asked JF how to secure a high-stakes perimeter that goes way beyond the bank vault.

JF Legault: What's made this so interesting for bad guys is when you look at organizations that have historically stored sensitive information or process sensitive information, they have been highly regulated, they've had a lot of focus in terms of building up security controls.

But by focusing on the disruption, the availability aspect, right? Like, ransomware operators are now able to target a variety of organizations that don't store transactional information, that don't store personally identifiable information, and that causes broader disruption, and I think that's why we take our role incredibly seriously in securing the broader financial ecosystem.

Kate Fazzini: That was a great answer, because I think to the consumer or the banker who needs availability, it kind of doesn't matter if it's down because of ransomware or a hurricane. It's just, when is it coming back up? And what, what is the alternative?

JF Legault: Yeah, I still remember, back in my early days we had one vendor that had a data center in Florida and another one in California. So you basically have a data center in hurricane territory and you have another one in, you know, earthquake territory. And you might go, like, “Why is this part of your role? To think, like, site resiliency strategy with clients?”

Well, our clients operate in a bunch of different industries and, if they can't move money, because people can't go into the office, and they can't work from home, that has a direct impact on their day to day operations, if they can’t move money…

And I think that's why ransomware has had such an impact, because it attacks confidentiality and integrity AND availability, so actually, three elements of the CIA triad.

And that causes broader disruption, and I think that also gains more focus, because organizations are actually stricken as a result of these attacks.

Kate Fazzini: You know, businesses are always online now, especially after COVID, lots of people working remotely, having to be on at all times, customers expect you to be available at all times…

Another source of constant surprises, I imagine, is the third parties that you, you have to work with, um, in the hundreds and thousands, maybe hundreds of thousands — so how do you manage resilience when there are all of these other factors in the form of vendors and other companies that you're hinging your operations on? How do you deal with that in terms of resilience?

JF Legault: You know, you mentioned the pandemic. The pandemic was a vector for adversaries. Everybody was after information for the pandemic, right? So it became a very interesting lure for bad guys to send, like, phishing emails, set up fake websites. So it became like a lure for social engineering.

And then companies shifted very, very quickly to work from home. And by doing so, they may have exposed infrastructure that may not have been as secure as it should, to be exposed to the internet. And that gave threat actors a path into some organizations, but it also affected business practices.

There were organizations that were ready for it, that had been working their resiliency plans for years for pandemics.

The financial services sector is one of those areas, where it's basically part of our DNA to build out strong resiliency and recovery mechanisms, and our role was to, like, work with our business to rethink some of the controls and get the message out, the awareness message out, to our clients.

And it gets really interesting when you start to break down resiliency and recovery for organizations, as a result of things like a ransomware event.

Kate Fazzini: So then, I am also thinking of vulnerability management, which we kind of never… (chuckles) it's not very, um, fun to talk about, right?

JF Legault: Right, like vulnerability management. Foundational to everything, right?

Kate Fazzini: The, the patching, the kind of day to day… you know, there's a lot of talk about alert fatigue, but you have people who need to access the web, who are on their browsers from wherever they are all the time. How do you, how do you deal with web browser security?

What are sort of the best practices today, versus what they were when you first started?

JF Legault: That's a great question. I get the point around alert fatigue and volumes, but it's really about thinking through the entire life cycle of that attack.

So going back to, like, how do you drive awareness for employees not to click on links?

If they do click, how are you filtering the sites that they're going to that could be malicious? Interestingly enough, most systems that assist in, like, categorization of websites have a functionality that blocks uncategorized websites, meaning websites that are too new to have a category associated with them.

And oftentimes these are the ones that the threat actors have just recently set up to look like a legitimate website that, you know, somebody will click on — and you can actually see a significant reduction of that browsing risk if you're eliminating websites that are too new, that have just been stood up, that have like a certificate mismatch, and things like that.

Kate Fazzini: When you think about enterprise security and finance, and especially about protecting teams, uh, what are the most critical threats that you're watching out for?

JF Legault: I think there’s two aspects to this.

We often talk about "how do we protect the workforce?" But it's also like, how do we use our workforce as the first indicator of an attack or of targeting.

So, you know, one of the things that's, like, hugely important is how do you mine the reports that you're getting from end users around cyber issues or targeting?

We test our employees for phishing on a quarterly basis. The first thing we were doing was we were measuring click rates. And then we thought to ourselves, well, let's start measuring the reporting rate, because what we want to know is, if somebody is going to get this, are they going to forward it to us?

But then it was also measuring the forward rate. Meaning people's reaction often with a phishing email is they send it to their colleagues, and they go, "Is this legit?" So they're actually amplifying the adversary's reach by forwarding it to a bunch of people who may click on it, who would have never gotten it.

So it's really, how do you think through the awareness for people with the most common types of attacks — but also, how do you turn your entire workforce into early detection sensors? Where they're reporting what they're seeing to the cybersecurity organization so they can promptly take action on it.

And that is a game changer in the early stages of an attack because people will notice, "Hey, there's something wrong here. I have never seen this happen before..."

It might be a glitch, but it also might be a bad guy, a threat actor that's doing something that's absolutely unexpected that just revealed their presence on the networks.

Organizations need to be ready and continuously adapting to the threat landscape.

Kate Fazzini: JF’s strategy called out the importance of monitoring for potential threats and risky activities.

But when monitoring means catching a fake disaster relief website, leaders need to recognize how opening a browser for work shapes people’s behavior.

David Adrian: Security certainly isn't top of mind for most users most of the time — you know, they're trying to get their work done, and they're probably also trying to get their life done.

Kate Fazzini: That’s David Adrian, Security Product Manager for Chrome.

David Adrian: For most people, browsing the internet may not seem like a big deal, but if you’re an administrator for a bank, or other organizations that have a lot of customer data, then keeping your employees safe on the web should be even more top of mind.

Kate Fazzini: He told me how he would approach protecting teams from cyber attacks that take advantage of search.

David Adrian: Chrome runs a feature called Safe Browsing, which, uh, attempts to warn on sites that are known to be phishing sites, known to be malware, and it doesn't reveal what sites that you're visiting.

You can opt into a version of it called Enhanced Safe Browsing, which is able to do the checks in real time by sending them back to the Safe Browsing server; that could be a good sort of trade off to make if you want additional protection against malware and against phishing regardless of if they're being phished at work or phished at home on their work device.

And in fact, Safe Browsing is like such a popular feature that it's also an open API leveraged by some other browsers.

Kate Fazzini: So, of course you're dealing with data on these vulnerabilities that is at the scale of Google. So you have access to a great deal of very relevant data about vulnerabilities and not only that, but what of those vulnerabilities can actually lead to a problem.

David Adrian: Absolutely. Yeah. Google is crawling the web every day for its search engine. And as part of that, it's also seeing malware, and that sort of same crawling is powering Safe Browsing.

And Safe Browsing is just something you get out of the box with Chrome, among other end user features, like site isolation.

Then we have other features that are built with enterprises and businesses in mind. For example, with Chrome Enterprise Premium, you can implement filters based on website categories that you’ve defined.

And you can get reporting that shows how your teams are handling those filters — so for example: Are people getting fatigued by their alerts and clicking through, regardless?

Having that kind of information means teams can get visibility into what’s happening in their fleet and take action based on their findings.

Kate Fazzini: This is great, because one of the big intractable longtime problems in cyber security is just a lack of visibility into process and how things are working in the web apps and web browsers, which is realistically how people are actually working, um, today, in the modern office workspace.

David Adrian: Absolutely, and like the old way of looking at this would just be what programs did you launch? And it'd be like, "oh, well you launched a web browser."

Kate Fazzini: (Chuckles)

David Adrian: And it's like, okay, well what does that mean? Right? You could have done anything inside of that now. So you need to know what's happening inside.

Kate Fazzini: Yeah, and thinking about where the work is actually happening, right?

Because too often, I think, in security we’ve gotten used to looking at the people in a certain way — they’re just people making mistakes, people forwarding emails, people clicking on dangerous links — we look at people and see them as weak points.

But instead we could be treating every one of those people as a point of defense, so…

So what do you think about this growing emphasis on resiliency and managing threats, and what is the role of teams in creating that resiliency?

David Adrian: Yeah, I think this idea of cybersecurity resilience is becoming more and more popular — especially in the financial services sector, where the stakes are really high.

Breaches are going to happen, and mitigating and responding to them should be something that takes five minutes, not five days or five years.

I talked last time about how strong identity is really important. Once you have strong identity, you can start doing access controls and authorization and limiting who has access to what, instead of everyone having access to everything.

And the more that you can do that, you can pair that with audit logs, right? Audit logs are the key to any security monitoring.

Kate Fazzini: Yes, and whenever you can pair different pieces of information that you have, vulnerabilities with audit logs, for instance, you start to get that matrixed view, which allows you to take action in a much more meaningful way.

David Adrian: Yeah. What you want is that people's regular day-to-day web browsing is instrumented and understood as a baseline so that when something anomalous happens, it's detected as being anomalous. You can't have an anomaly without a baseline.

Ideally, you want that detection to happen automatically, whether that's just because you've had something very simple, like blocking a copy paste from your CRM into some sort of public document, or it's something more complicated about detecting a download from a site that normally doesn't have a download.

And then where Chrome Enterprise Premium can really help is identifying the nonstandard usages, the anomalies, and remediating those.

You can get an audit log of all of the events that are happening in Chrome, all of the user interactions, and so on, and that is exposed, uh, through the cloud, either directly to you via APIs or it can integrate with a sort of third party SIEM provider, um, and hook into your security team's workflow to look for anything out of the ordinary — whether that's through integrating with data loss prevention, um, or just more specific rule sets on, "Hey, this thing looks different than normal."

And then in that world, you know, you're not relying on the users to always make the right decision, but you're trying to detect when the users haven't made the right decision, or are doing something weird, and then if you've paired that with all of the other best practices, then hopefully your, your time to mitigation is very fast, and it's actually a very low impact event if something bad did happen.

Kate Fazzini: Yeah, and we have so many amazing technology solutions now, but it also reminds me of how difficult it can be for a security team to implement the new technologies that they want to have. And that's where, again, we go back to the people involved. You really have to have strong leadership who are listening in to their security teams and their experts and able to make the right decisions for the company in terms of what kind of security measures are going to work the best for them and the level of visibility that they want.

David Adrian: Absolutely. I think it's this move to management becoming something that the security team or whoever is responsible for security, that the management of the web browser or of a phone or of the device is actually a security product, like, rather than just an IT product.

'Cause all of, sort of, modern security operations is about identifying who's logging in in a web browser and securing that web browser, whether that browser is on a laptop, that browser is on a phone, um, it's on a company owned phone, or it's on a personal phone, it's ensuring that whatever device the user is going to some browser, signing in on, has some minimum security posture, you've strongly authenticated them, you can wipe data if you need to.

And all of these things might have previously been something that you'd just been like, "Oh, that's something that just IT has to deal with for IT related reasons..."

And it's like, no, actually these problems are really deeply central to the security story of a modern workplace as well.

Kate Fazzini: To learn more about how the most trusted enterprise browser can help protect your organization, visit chrome enterprise dot google.

Next time on Security, Bookmarked, I’ll talk to Kurtis Minder, a renowned ransomware negotiator, about the security challenges he’s tackled in the manufacturing industry.

Kurtis Minder: We have been the manufacturer of this particular product for almost a hundred years. And the way that we manufacture this product and the materials we use to manufacture this product are our trade secret.

I am concerned that that information has left the building, and I won't know about that risk for some time until a competitor of mine makes the exact same product in five years from now and puts me out of business.

Kate Fazzini: Security, Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise. Subscribe in your podcast app, so you don’t miss our newest episode.

I’m Kate Fazzini. Thanks for listening.