The following is Part 2 of a three-part series revealing key highlights from Walmart Global Tech’s Media Day, compiled from a series of on-site tours, fireside chats, panels, roundtables and one-on-one interviews. For the Foreword and Part 1, click here.
Walmart co-founder Sam Walton believed in constant innovation — and the IT security pros working inside Walmart Global Tech’s Bentonville, Arkansas, headquarters appear to have taken that philosophy to heart, as indicated by the wide array of cyber initiatives the retail giant has pursued.
“At Walmart, we have an expansive environment and scalability that gets us an opportunity to really delve into the industry [and] look at what's going on in the future,” said Gary Simms Sr., senior director, information security strategy and architecture.
But it’s the connected triad of cyber threat intelligence, malware analysis and quantitative risk assessment that particularly stood out during WGT’s 2023 Media Day. And in some cases, the innovations WGT has developed in these fields is helping not just Walmart, but also the infosec industry as a whole.
Walmart relies on a combination of external CTI feeds and its own unique intel collection methods — tracking observations ranging from the latest phishing kit developments to adversaries’ malicious packet infrastructure. According to VP of Security Operations Jason O’Dell, Walmart personnel have contributed to more than half of the source code belonging to ViperMonkey — an open-source, Python-based VBA Emulation engine that’s capable of deobfuscating and analyzing malicious Macros hidden in Microsoft Office files.
“We’ve incorporated that open-source product, along with some other processes, to automatically go through and look at files for signs of maliciousness,” said O’Dell. “And in many instances… we’re able to generate indicators of compromise that are just not generally out there in the industry yet. And then we provide that over to some of the sharing services that we’re a part of.”
Indeed, “My team looks at over a million documents a year looking for changes in how threat actors are trying to get people to click something,” added Nolen Scaife, director of global cyber intelligence. “We have nearly 35,000 IOCs that we shared back to the security community in the last year, and 1,400 URLs we’ve identified that… as far as we could tell were unknown.”
ViperMonkey is one of three malware analysis tools that Walmart plays a major role in maintaining. There’s also Box JS, which is a program that analyzes malicious JavaScript files, and Box PS, which is used for scrutinizing weaponized PowerShell scripts. Using these tools, Walmart’s intel experts will often visit public malware repositories and analyze various downloaded files to see what information they can uncover.
The tools’ automated nature is a key part of making this all work at scale. After all, “There are so many pieces of malware out there, written in so many different languages that function differently, that if you don’t have any sort of automation for analyzing this malware, it forces your organization to be in a reactive posture, where you don’t have the resources to really dig into a piece of malware until it has landed in your in your environment,” said Kirk Sayre, senior technical expert, cyber intelligence. These open-source tools “are focusing on malware that’s typically used really early in the attack chain. Because if we can find things and block it early, that always saves a lot of hassle and trouble.”
According to Sayre, it takes less than a minute for these tools to analyze a piece of malware. “Compare that to what it would take a skilled human analyst to do [this], which might be anywhere from half an hour to a day to figure out what this thing actually does,” Sayre continued. “And since we’re the ones writing these tools, we’ve tailored these to just give us actionable information… the stuff that we’re really interested in.” This includes whether the malware communicates with any URLs, writes any files to disk, or tries to run commands on the computer. Walmart can then factor these findings into their threat hunts, attack simulations and detection rules.
“We learn from our threat intelligence team what the emerging threats are, and then we emulate those in an automated fashion,” said Carrie Roberts, enterprise technology expert, dynamic defense. “We turn them into scripts, so that we can run them over and over again for continuous validation.”
These scripts are shared with Atomic Red Team — an open-source library of attack emulation tests built upon the MITRE ATT&CK framework.
“Walmart associates have contributed almost 40% of all the contributions made to that project since it was released in 2017," Roberts continued.
Among the Walmart departments that particularly benefit from CTI data is the risk and compliance department. It’s this unit that relies on data to assign a quantitative score to potential sources of fraud and cybercriminal risk, such as malware campaigns, vulnerability exploits, third- and fourth-party partners and internal employees.
“We have a lot of teams that identify risk. But we have a team that aggregates those risks and helps us to identify what the priorities should be in terms of risk management,” said Jerry Geisler, SVP and global CISO, “so that we are we are expending the efforts and resources that we have against those things that can be most disruptive to our business or most impactful to our customers.”
Upon quantifying a vulnerability’s risk, Walmart can then “prioritize the remediation of that vulnerability up or down as necessary," explained Senior Director Russ Buckley, who claimed that empirically measuring risk based on observable data is very unique within the industry. “A lot of people don’t believe it can be done… And we say, ‘That’s great, because we love doing the impossible.’”
Walmart’s risk algorithms factor in a large number of dynamic variables that may include user website activity and employee network behavior (Buckley allowed SC Media to speculate but didn’t specifically confirm). The company typically performs snapshots of risk across its environment on a weekly basis, and when possible they share relevant findings with their own vendor community. “A lot of folks are very proprietary. [They] keep it close to the chest, where we believe that [making] everybody stronger makes us all better,” said Buckley.
Among the higher sources of risk — and this is true for any company — is the human element. This is why findings from Walmart’s CTI reports also are incorporated into the company’s customized year-round security awareness programs and phishing simulation tests, which are administered to around 1.39 million of the retailer’s 2.3 million associates, as well as vendors.
“My vision, my Nirvana… is I would love [if] every executive that comes into Walmart looks at the bottom of their screen and sees a ticker much like a stock ticker that tells you where your risk is. I’ll never get there,” Buckley continued. “This is not something we’re ever going to find. But everybody needs a goal, right?”
Additional innovations
Below is a recap of some of the other highlighted innovations from WGT Media Day.
Bot mitigation: On a monthly basis, Walmart literally blocks roughly 8.5 billion malicious bots. These include Grinch bots, aka sneaker bots, which are designed to swoop up high-in-demand items such as video games (for eventual resale) before actual human customers have a chance to purchase them legitimately.
“I think some consumers assume that as a retailer, we were just happy to get the sale regardless… and that just [isn’t] accurate,” said Geisler. “We are champions of the customer… We don’t want to sell our inventory to bots… We want to protect the shopping experience that you have with us.”
According to Kevin Bauer, senior director of ingress security, Walmart tackles the bot problem through a defense-in-depth approach, featuring multiple “layers of mitigation and detection. So we can either mitigate or manage these bots that are hitting our site...”
Although bots over the years have been programmed to act more like human purchasers, there are certain behaviors you can train your systems to watch out for, including suspicious mouse movements and keyboard velocity. Plus, “we have information from third-party… intelligence sources,” Bauer added. “We stitch it all together to tell the story… But the point here is, we are very data driven.”
“There’s also a full team of associates that performs a manual review after the fact. We’ll go through and they’ll look at each of the purchases for these items,” Bauer continued. “So it’s a full-stack, full-team affair.”
Walmart also has instituted a virtual queue that Bauer said is “akin to a line at a store” that “helps us control these types of sales” when there’s a large influx of human and bot traffic that flows in all at once.
Other bots attempt to use stolen and doxed credentials to takeover customers’ online accounts. To combat that, “We do have detection in place to try to catch these bots that are assessing these credentials to try to access customer accounts,” said Bauer. “But even beyond that, we have a team of bot ops analysts that are actually working to detect when we feel that a customer account is actually compromised. They will go through and they will reset an account immediately to flag it as compromised. And then we send a notice to the customer let them know…”
IAM: Walmart is big believer in the concepts of identity as a perimeter and least-privilege across its ecosystem, including its Linux and Windows servers, its mainframe, databases, cloud operations and applications. Through the use of federated identity and single sign on, “we not only ensure we manage that access centrally and securely, but [we can also] provide our end users a seamless sign-on experience across multiple applications in multiple environments, whether they be web-based, mobile, on prem or [based in the] cloud,” explained Melissa Yandell, senior director, identity and access management.
The point is to ensure that throughout the employee lifecycle, users have “only the amount of access that they need to perform their job role function,” Yandell continued. “And then if they need additional access, we have a process that goes through a formal request and then a formal approval, and then access is granted once we understand that it’s appropriate and justified.”
Walmart leans on automated tools and systems to support its high-volume IAM engagements, explained Vanessa King, senior engineering manager. For instance, Walmart created an SSO dashboard for its web applications.
“What we ended up building was a centralized UI platform. And it combines the administrative functions as well as the monitoring or… auditing that they typically perform across a multitude of instances for SSO,” King said. “By centralizing all of this into one platform, we’re able to reduce the amount of time it takes to support these instances, especially when you’re considering the scale and scope of our organization.”
Yandell confirmed to SC Media that Walmart is also actively testing next-generation IAM solutions such as passwordless authentication, an innovation that many organizations believe will help create a more seamless user experience while eliminating the use of insecure credentials (see our video interview with Yandell for more on this topic).
Application security: With supply chain attacks an unfortunate reality, it’s important to know what code is finding its way applications. In the AppSec space, one of Walmart’s most intriguing innovations is its software composition analysis.
“We… partner with our vendors… and our developers to figure out what is it that they’re using to build those applications,” said Serena Curtin, director of application security. “Are they consuming third-party libraries? Are they building it all from scratch? What does that look like? And then we build our scanners around the customization that those developers are using.”
Performing this analysis allows Walmart to then institute automated vulnerability fixes for these developers.
“Those auto fixes are multifaceted,” Curtin elaborated. “Some of it is completely automated. Nobody touches it. It just happens. In other cases, as you might imagine, we have very complex systems. So we’ve got to tread lightly and make sure that we’re not going to cause more problems than we're trying to fix. And so… is it is a partnership. We will recommend a fix or put it in place. The developers get to then test that fix and accept or deny or modify that fix in the way that works for their application.”
The main benefit to all of this: “We don't slow [developers’] progress down as they build their applications. And we prevent those vulnerabilities from ever existing in the production application,” said Curtin. “Pretty cool stuff, and kind of next level, in my opinion.”
Emerging technology: Among the more cutting-edge, far-out tech concepts that Walmart is exploring are the metaverse, post-quantum encryption, delivery drones and automated trucks. All of these innovations come with their own security issues, so how does the company account for those?
This past September, the company began dabbling in the metaverse space by introducing Walmart-branded immersive experiences within the Roblox metaverse platform.
“We’re looking futuristically – doing research now, collaborating with partners in the industry, trying to fully understand what’s going on in that environment and how to secure it,” said Simms, the senior director of information security strategy and architecture. That way, “our customers, as they play in that environment and evolve to retail in that environment, can do it in a secure and sustainable manner.”
Post-quantum cryptography is another field that is gradually becoming a reality. For now, “it’s still evolutionary,” said Simms. We’re still trying to figure out… how are we going to manage quantum and what’s going to happen when these new algorithms come…?”
Justin Simpson, director of data security, said it’s important to ensure that, if quantum computers are actually realized in the near future, we’ve already “got the security controls in place today,” because once quantum actually hits the scene, “it’s too late” to start upgrading your encryption.
“What we have to do is… collaborate with our peers across the industry and figure out what’s the… right algorithm for us with our customer base,” Simpson continued. Because from a labor intensity standpoint, “it takes a lot more for an application team to [generate] a post-quantum cryptography key than it would be if it’s not.”
Meanwhile, Walmart’s potential usage of drones and automated vehicles adds yet another dimension of security, as it these transportation and delivery methods introduce not just cyber risk, but also physical risk. Still, it is part of the job for WGT thought leaders to remain open-minded about new ways of doing business.
“As we are debating or considering which directions to take our business — whether it be drone delivery or autonomous vehicles, etc. — security’s at the table” to help guide the company away from potential missteps, Geisler told SC Media.
“My team often hears me say that we do not want to be the Department of No. We want to enable our business. And one of the ways that we do that is making sure the business is [made aware] of risks that may be relevant to our space as we make those decisions,” Geisler said. “We want the company to be able to pursue those things that create value, but we want to move forward in a way that’s fully informed.”
