When you operate at the unparalleled scale of Walmart, cybersecurity must transcend network borders. The Fortune 1 company invests heavily in a security awareness training program, which extends to its 2.3 million associates — and the company's third-party vendors.
"We do have an expectation that organizations that we partner together with will have the appropriate level of rigor as a part of their programs to help mitigate the risks to us," said Jason O'Dell, VP of security operations for Walmart Global Tech. "However, we do not predicate our defenses on that."
Instead, Walmart's strategy leans on a defense-in-depth approach, making sure information security addresses industrywide challenges through investments to protect the company, its employees and its customers.
The vastness of Walmart's network extends to cyberspace. Walmart Global Tech processes 6 trillion data points every year through its security operations centers, part of the telemetry logs it consumes. A small subset of the data, for example, would come from firewall logs.
"You can very quickly see that it's impossible to review the 6 trillion data points as fast as we needed to if we were to do that manually," O'Dell said. "So we have to use automation."
Developed internally, one such tool uses automation and machine learning to search for anomalous behavior across Walmart's systems. Another tool, also built in-house, lets the incident response team complete automatic analysis of systems for an initial review, which helps mitigate potential supply chain attacks, he said.
As household name brands, Fortune 100 companies see a different attack surface than the average company, especially organizations in retail or financial services, according to Chris Silva, VP analyst at Gartner. "They're always a bigger target."
"They're seeing the baddest of the bad, they're seeing most of what we would call zero-day attacks," said Silva. These organizations may see threats that have never been seen in the wild, for which effective response methods may not exist and which tools cannot effectively sniff out.
Bigger threats require bigger teams, too. While Walmart declined to say how large its security team is, or how much it spends on security each year, the Walmart Global Tech Team has more than 20,000 associates.
Gartner projects end-user security spending will grow 11.3% next year, reaching $188.3 billion. The largest portion of this will extend to security services, with spending set to surpass $76.4 billion in 2023.
These large-scale organizations "need a team, not just the average size, but probably double that," Silva said. "They're running multiple different security tools to make sure if something slips by tool No. 1, tool No. 2 can pick it up."
These organizations can grow to the point where their security operations centers can reach the size of a midsized company, he said.
Walmart's security team relies on automation to extract tactics, techniques and procedures from its telemetry, which it in turn shares with the information security community, including private partners and information sharing and analysis centers.
In those centers, verticals "share information with each other because we all know that attackers are sharing information with each other," O'Dell said.
Security wins at Walmart
Because of Walmart's size, it is sometimes difficult for it to find a product to buy off-the-shelf. In response, the company builds in-house and it customizes. But it is also a heavy contributor in the open source community.
"We're contributing wide swaths of code or even, in some instances, the majority of the updates over to those open source projects," O'Dell said.
One such project is ViperMonkey, a Visual Basic for Applications emulation engine that analyzes and de-obfuscates malicious VBA macros in Microsoft Office files. Walmart's infosec team contributes the majority of the code to the project.
Before ViperMonkey, the infosec team used manual processes to analyze a total of 2,000 malicious files each year. Using the tool’s automation, Walmart can now parse one million files per year.
"That's a big win from an automation perspective," O'Dell said. "The data allows us to drive more results from a cyber intelligence community, which not only can we use to better protect our organization, our customers, our associates, but also [we can] feed that intel back over to other organizations so they can also better protect themselves."