Life, the universe and everything: Wendi Whitmore on the challenges of leading a global cybersecurity crack squad

As a child, Wendi Whitmore wanted to be a fighter pilot. Today she is less Maverick from Top Gun, and more a cyber version of Jack Reacher in her role as senior vice president of Unit 42 at Palo Alto Networks. Unit 42 is the security giant’s combined threat intelligence and response team. It identifies the worst actors on the internet, it moves to stop them, and Whitmore is in charge of making sure it does.

However, she wouldn’t be in this position today had she not pursued her dream of being a fighter pilot. Whitmore decided to become a special agent with the US Air Force because of a memorable encounter at its recruitment expo when she was finishing college.

“I had a ROTC [reserve officers training corps] scholarship at the University of San Diego and I was planning on being a fighter pilot. I’d had the chance to fly some aircraft and, frankly, I wasn’t very good at it. I was in a position where I was entering the Air Force and I owed them time for paying for my education,” Whitmore told Connected.

“I knew nothing about the career field until I was a senior in college. In my graduating class, there were 34 officers and only two were computer crime investigators. At the alumni day, there were officers in all kinds of uniforms but there was one girl with long blonde hair, a sleek black suit, high heels and carrying a gun. I was like ‘what does she do?’ She was the Air Force counterintelligence recruiter.”

Her head firmly turned, Whitmore would pursue a role involving counterintelligence, counter espionage, fraud investigations and computer crime investigations.

These were the relatively early days of the internet and less than a year after the 9/11 attacks.

“Breaches weren’t well known at the time. Big companies like Google and Amazon didn’t have security teams. Years ago my parents would joke about what I did for a living. They were very sceptical because I was travelling to all these different countries and they’d ask ‘are you a spy?’,” Whitmore said.

“How I would explain it today is that we all see reports of companies getting breached or hacked. When this happens, the companies typically hire a team of responders, like a special forces team, that parachutes in to help them investigate these attacks.”

Whitmore’s team finds out who is responsible for a breach, what access they had, how to remove them and how to prevent the same type of attack from happening again.

An opportunity arises

Whitmore mustered out of the Air Force in 2006 and continued her journey in cybersecurity, becoming increasingly focused on incident response. This included roles as managing director of the cybersecurity firm Mandiant, vice president of the cloud native cybersecurity platform Crowd Strike, and leading IBM’s X-Force, the IT giant’s threat intelligence unit.

“At Mandiant the mission was clear: to investigate the most significant breaches in the world and provide solutions to our clients. It was a natural transition from the military. Going from something as big as the Air Force to a small organisation taught me a lot,” she said. From here, Whitmore would make a significant gear shift by joining forces with the global cybersecurity firm Palo Alto.

“For the longest time, Palo Alto didn’t have that incident response capability as they were product focused. They were focused on operationalising the information they had in the products they had. What they didn’t have was the equivalent of a special forces team.”

That team arrived at the Palo Alto operation in 2020 with the acquisition of Crypsis. Named for the ability of plants or animals to avoid detection, an anti-predator adaptation, Crypsis brought the incident response capabilities Palo Alto needed to the threat intelligence skills of the existing Unit 42. More importantly, in Whitmore’s case, it presented an opportunity for her to lead a unique unit that combined intelligence and response.

“The Palo Alto chief executive Nikesh Arora reached out to me to bring the intelligence aspect to their operations, and was attracted by the opportunity to bring that capability to the company.” The result of this collaboration is Unit 42 as we know it today.

“From the outset I recognised that the key driver is making all product developers and engineers understand what we do, why we are doing it and what we are fighting for. It’s about protecting our clients every day.”

Don’t panic

The name Unit 42 is derived from The Hitchhiker’s Guide to the Galaxy, where 42 is the answer to the question of life, the universe, and everything. That answer isn’t much use, however, if you don’t know the right question to ask. And that’s where Whitmore’s team comes in, working out what customers need to ask when something catastrophic happens. Her first piece of advice is: don’t panic. That’s particularly important given the current geopolitical landscape.

“When we look at the threat landscape now with a real-life war, cyber is a domain where that war can be waged. What we’ve seen so far with Russia and Ukraine is that Russia has used destructive malware attacks to target Ukrainian government systems,” Whitmore said.

“What we haven’t seen yet are widespread cyberattacks throughout other parts of Europe or the United States. We are prepared for attacks against critical infrastructure, such as energy, fuel and financial services systems.

She said this was a time for any organisation involved in such infrastructure, or others such as health and water services, to be extra vigilant for cyber threats.

“Any organisation with connectivity into Ukrainian systems or offices with access to their networks should certainly have multifactor authentication and network segmentation in place right now,” Whitmore said.

“The best thing is to remain calm and be thoroughly prepared. Often best practice recommendations get overlooked because they seem too simplistic, but they can be the key to making sure you detect an attack quickly and contain it when it occurs.”

Most importantly, Whitmore recommends ensuring that an organisation’s leadership team is prepared to make decisions quickly in the event of a crisis.

“The reasons organisations hire us is because we respond to these types of attacks all the time and we can remain calm. This enables us to make better decisions. Organisations need to have playbooks documented, not just for security or IT teams but for all their leaders across multiple domains.

“It’s about making sure you know what to do if networks go offline or systems are destroyed. What is your plan B or C? Make sure leadership is clear on what their defined roles are.”

While the crisis in Ukraine has heightened tensions around cybersecurity, Whitmore said the issue had been growing before the breakout of the conflict.

“There’s a threat right now regardless of Ukraine and Russia. Anyone doing business on the internet is operating on an attack surface. Virtually no business can operate without ensuring employees can access data remotely. As a result, you’ve got to find a way to protect critical data.

“You’ve got to understand who has access, what infrastructure it resides on, and make sure you can protect that as much as possible.”

Combining experience

Whitmore is carrying this advice to roles beyond her day job. While no longer in the Air Force, she remains active in the US government's defence against and response to cyberattacks. She is an inaugural member of the US Cyber Safety Review Board (CSRB), a group formed by the Department of Homeland Security. The CSRB is focused on investigations following major breaches, and kicked off operations in early February.

“We want to provide best practice recommendations based on learnings from these breaches,” she said.

The first major investigation of the CSRB is into the Log4j vulnerability, called Log4Shell. Log4j is an open source software used on most devices, be they smartphones or laptops. When you see a 404 message online, that’s usually Log4j at work with the web server recording the event that the web page you tried to reach does not exist and the system logging that event.

Log4Shell was described by Jen Easterly, director of the US Cybersecurity and Infrastructure Security agency as the most serious vulnerability she had ever seen, with hundreds of thousands of efforts to exploit it already being detected. Addressing this is the first task for Whitmore’s group.

“The biggest challenge with Log4j is for organisations to understand which software they are running that’s vulnerable to exploitation. As it’s open source, coders and developers use a wide variety of libraries. Understanding where that software library exists within an environment is challenging,” she said.

“We want to empower organisations to make it much easier to do that. Understanding the process of responsible vulnerability and disclosure is important, but from a response perspective organisations want to know how to respond most quickly and effectively.”

Whitmore’s group is identifying the organisations that did the best job of locating the vulnerability and those who responded in the best manner. The CSRB will use this information to work out what strategies can be combined and deployed to protect more organisations in future.

It’s worthwhile work, but is a story that is difficult for the cybersecurity community to keep telling. Security fatigue, with businesses and individuals getting tired of threat after threat being publicised, has long been a concern for the whole industry.

“There’s no silver bullet for it,” Whitmore said. “The theme I look for is to try to simplify the problem. In terms of communication, it has to be made relevant who you are speaking to, understanding what challenge they have and explaining the impact it can have on them.

“The biggest challenge clients have today is that there are so many solutions out there that it becomes complex to integrate them and get answers quickly. Today, all the organisations we work with want us to come in, provide them with answers as quickly as possible, but do it in a way that optimises their spending going forward.”

The EMEA region has become a major focus for Whitmore, despite Unit 42 only being a year old. When she sat down with me, she was on a fortnight tour of Palo Alto’s key locations in this area.

“There are so many countries across the region. We initially focused on Britain and Ireland, France, Germany and the UAE. We’ll soon be expanding to France, Benelux and the Nordics. I see us growing quite a bit and we’ve seen a tremendous amount of demand already just in the short time we’ve been in the region,” she said.

“The problems are pervasive everywhere. I’ve been building teams in Europe for the past 12 years across every company I have worked with. Relative to the North American teams, the European teams are as big, if not bigger. It’s a dynamic environment. Every country is different, so we are always keeping our eyes and ears open.”

The outlook

Whitmore has a surprisingly upbeat tone for someone who has to deal with some of the darkest challenges on the web on a daily basis, and has done so for 20 years. She attributes this to her belief that she goes to bed very night knowing she has done some good. Experience helps strengthen her resolve, too.

“When looking forward, it’s always a good idea to look back first. Over the past few years, we’ve seen that ransomware attackers have become more professional. In particular, they took the time with the pandemic to regroup . . . We’ve seen this with the escalating conflict between Anonymous and Conti.”

Anonymous, a vigilante hacker group, has released five years’ worth of chat logs from Conti, a cybercrime group allied with the Russian government, which has provided insights into how advanced Conti’s operations have become.

“We can see that Conti has spent a lot of time finding the right resources. They have the same hiring and retention challenges that we do; it’s easy to get recruited to another threat actor group. We’ll continue to see these groups delegate more of their work streams and convergence between nation state actors and cybercrime actors. It will be like public-private partnerships in crime, with more destructive attacks,” Whitmore said.

“With hacktivists (activist hackers) in general, not just Anonymous, it’s going to be interesting to see what unfolds over the next six months to a year. Hacktivists tend to get polarised around a cause. That landscape is incredibly dynamic.”

With ransomware in particular, she expects more attacks akin to the targeting of the HSE in Ireland last year.

“Organisations need to work closely with government and intelligence partners,” she said. “The ability for Interpol and Europol or the FBI in the US to provide answers within minutes, to make effective decisions, has changed dramatically over the last 12 months. We continue to see the benefit of information sharing.

“These are economic crimes that impact the world. We’ve seen a rise in quadruple monetisation, where data is encrypted, the target is extorted, then a DDoS [direct denial of service] attack, and finally providing your information to your clients. Whatever derivations they can think of, they will.”

Whitmore also expects an evolution in how cloud attacks are perpetrated in the coming months, with the cloud becoming a more common location for threat actors to base their attacks.

“Over 30 per cent of the attacks we investigate now are based in the cloud. Moving data to cloud infrastructure gives clients more efficiency in managing data. That said, a lot of organisations maintain default configurations, which when done at scale makes it easier for hackers to access that data,” she said.

“Best security practices need to be put in place in the cloud. We need to think about security in the cloud realm the same way we do in the physical. State actors are going to go wherever the data is. If it’s in the cloud, that’s where they will attack.”

The threats are significant but Whitmore is confident that organisations are becoming more mature when it comes to managing risk and making security an asset for their business, not just a necessary investment.

“A lot of my career has been focused on being reactive. The good news is that more of the work we are doing shifts towards the proactive phase. We can work with organisations before an attack so they can prepare and contain an attack as quickly as possible,” she said.

That’s the journey she wants Unit 42 to bring its clients on around the world. Wherever the threats are, Whitmore wants Unit 42 to be there to help businesses and government bodies be ready for whatever gets thrown at them.

“Expanding throughout the world is a huge impetus for us. This year the focus is on building throughout EMEA. Moving forward, we’ll be focused on Japan and Asia-Pacific. Today we have partnerships with over 200 international organisations in terms of intelligence sharing. We’ve got strong relationships and credibility in that space.

“I’d like to bring Unit 42 to the forefront of thought leadership in threat intelligence services. We want to share our point of view with the world. As we look to grow the team and expand internationally, we want to raise our profile by sharing more, and infusing more of our products with our unique threat intelligence.”

Whitmore is amazed by how much her career has changed but also how much the cyber landscape has evolved.

“Being able to see examples of people that look like you, where I saw a woman who did that job, is so important,” she said. “I remember a conversation with a boss I had who had been a spy for the US government. He was well versed in how different intelligence agencies worked, and I explained to him the amount of data that had been stolen in a major breach.

“He was confused, so I explained that it was like a spy coming into a US agency that stole a stack of information a mile high. His eyes just opened wide. That kickstarted my focus on communicating effectively. The world is now aware that these issues occur, and of the massive impact they can have. And sometimes it’s less about how you respond in the wake of a breach, and more about how you communicate that response.”

Who can join Whitmore's team?

As Whitmore seeks to recruit top talent to join Unit 42, she knows competition for the best, be they graduates or experienced veterans, is fierce. As head of a unique service, she believes she can make tempting offers with true challenges irrespective of experience.

“If you are coming straight out of university, I’d focus on showing the opportunity to have a job where you can use curiosity to solve challenging problems. We’re looking for people who take a puzzle and look to spin it, or to find holes or gaps in answers,” she said.

“We want people with inquisitive mindsets. That ability to solve challenging problems can be used to shape the foundation of what you do and applied to any field in the future.”

Understandably, as Unit 42 is a young organisation, Whitmore is on the hunt for experienced talent that can add to its development particularly at this early stage.

“People making career changes can feel like they are leaving a field where they didn’t feel they had a lot of impact over what was going on, or a positive impact on the world. In our job, there is such a mission focus. It’s clear, every day, that we’re trying to stop attackers and we’re sharing that data with competitors and law enforcement agencies.

“You can go to bed at night feeling tired but knowing that you are doing something good. Certainly, in this day and age with the conflict going on, to feel like you are actually making a difference is huge.”