#BHUSA Interview: Sherrod DeGrippo

Written by

Sherrod DeGrippo
Sherrod DeGrippo

Sherrod DeGrippo is senior director of the threat research and detection team at Proofpoint. She is passionate, she is smart, and she has a lot to say about the cybersecurity industry, and isn’t afraid to say it

“We need to change the perception of the vendor community in this industry,” insists Sherrod DeGrippo. She gestures around the corridor we sit in to do this interview at the Mandalay Bay hotel in Las Vegas and declares: “Black Hat is the epitome for treating vendors crappy. But we’re great. We have amazing data and we make an amazing impact.”

DeGrippo can’t imagine working anywhere other than “vendorland” now. At the beginning of her career she did some work for the Federal Government in the National Nuclear Security Administration (NNSA) but there’s no looking back now. “I love vendorland, it’s great, we’re great and I never want to leave” she smiles.

For her, the advantages of working at a vendor are plentiful. “We have huge amounts of amazing data to start,” she begins, “you get a high-level view of the threats and nothing ever gets in the way of – or prioritized over – being most secure. The focus is always on protection and security and you never hit a road bump.”

The vendor community is close, she says, as the industry is still relatively small. “Fifteen years ago there wasn’t really an industry,” she recalls, “but we built it and everyone knows everyone. It’s a weirdly surprisingly social community."

Black Hat is the epitome for treating vendors crappy

Despite the hearts in her eyes for ‘vendorland’, DeGrippo knows it hasn’t always been perfect. “The FUD vendor marketing completely destroyed the trust in our industry,” she remembers. “It caused infosec vendors to lose the trust of their customers. I don’t think the industry does it anymore and I don’t think we can ever go back to that. FUD is really looked down upon, it put a bad taste in customers’ mouths.”

So if FUD has dissipated, what has replaced it? “We’re more solution-orientated and advocacy focused now”, she says. 

The Gender Discussion

DeGrippo leads a highly-talented team of mostly male researchers. Is this something she’d like to change? “Of course. I’d love it if my team were more diverse and we hope to get there. A diverse way of thinking and diverse backgrounds improves performance. If you have a room full of the same people, you’re in the wrong room.”

I ask her if she gets fed up of being asked about being a woman in the industry. She smiles and pauses before replying “an amount of talking about it is important, but we don’t want it to become everything we are and all we talk about. We need to be having other conversations. We’re great at our jobs and that should be the talking point.”

She does concede that she does suffer self-conscious bias. “Not many women do what I do, so I try to overcome it by doing the best I possibly can.”

She considers her team her greatest achievement to date. She lights up talking about them, saying they “work hard, have so much talent and make me laugh all the time.”

Threat actors have become more sophisticated and more invested in their reconnaissance

Her hiring is her number one strength, she says. “Building the team has been one of my best achievements – enabling them to do the things they are best at. We also churn out research and protect millions of people – it feels really good, and that’s an impact you can only have being a vendor.”

Threats and Threat Actors

“Threat actors have become more sophisticated and more invested in their reconnaissance. We’ve got the technical systems pretty much handled, but it’s human nature and human interference that threat actors are now looking at.

“We have to work on securing the gap with humans and technology and leverage and combine the two, because that’s what the threat actors are doing.”

One trend from the past year that DeGrippo identifies is that campaigns have become much smaller but more targeted. “Tactics have changed to become more focused,” she says. “We’re seeing campaigns that target certain verticals, or verticals within regions. Threat actors are redefining attacks and their accuracy and their communication is getting better, with way less errors.”

DeGrippo also points to the evolution in banking Trojans and the change in ransomware becoming more targeted, although the volume of ransomware attacks has decreased.  “We’re getting better at counter-intelligence on threat actors. We’re doing our research around who they are and what they’re doing.”

DeGrippo describes the typical threat actor as “often Eastern Europe, typically young. Often threat actors come from cultures with depressed economies or where there is little moral judgement assigned to hacking, so it’s perceived to be a victimless crime.”

What’s hot on Infosecurity Magazine?