How Elias Oxendine Ensures There Are No Weak Links at Brown-Forman

When asked about Brown-Forman’s relationship with Google, Elias Oxendine laughs, as he’s right about to meet with the tech giant to learn about its enterprise security and data loss prevention.

However, this isn’t just an instance of amusing happenstance. As global director of IT security for Brown-Forman—one of the largest American-owned spirits and wine companies—Oxendine occasionally joins Brown-Forman’s Google team in its quarterly business reviews with Google to learn about new security features.  

“There’s a security component to Google’s offerings, where periodically, they provide us an update on the latest and greatest,” Oxendine says. “Once we see the presentation, we assess the features to determine if it improves our risk posture. If so, we then decide when and how to deploy it out across our business so we can add that extra layer of security.”

And with a $12.3 billion net worth and beverages sold in more than 160 countries, there’s a lot to protect. Based in Louisville, Kentucky, Brown-Forman manufactures more than twenty-five renowned brands, including Jack Daniel’s, Woodford Reserve, and Old Forester.

Elias Oxendine
Elias Oxendine, Brown-Forman

At a company that large, IT security is a constantly evolving animal. There are always new threats to be aware of and new phishing scams to be averted, meaning that Oxendine is always making updates to Brown-Forman’s security posture—some big and some small.

“Every year, we assess our risk posture, establish our focus areas, and make adjustments to our road map as necessary,” Oxendine says. “Periodically throughout the fiscal year, we evaluate emerging security threats and employ risk-based decision-making to determine if the risk poses a threat to our environment.  If it does, we generate a mitigation plan, and then we prioritize the solution for implementation.”

From 2017 to early 2018, one of the bigger security measures was the outsourcing of security operations to AT&T—specifically, a service called Manage, Detect, and Respond.  Another measure involved deploying security to the endpoints.

“We rolled out McAfee as our endpoint security solution,” Oxendine says. “That was to replace a previous security tool that was having some issues keeping up with the latest version of the Google Chrome browser.  We went through the RFP process and employed a decision matrix to eventually land on the McAfee endpoint security solution.”

Another focus area for the company is its patch management program, he says. Oxendine and team use Rapid7, a vulnerability scanner, to scan the network and identify known vulnerabilities. “We track the aging of these vulnerabilities by severity then subsequently assess business impact to prioritize our patching efforts.”

The AT&T outsourcing, McAfee Endpoint installation, and improved patch management were all implemented behind the scenes with no action required from employees. But many of Oxendine’s other initiatives have started with the individual—seemingly small procedures that nonetheless hold a great deal of significance.

For instance, Gmail has started providing a colorful banner that pops up and alerts users whenever an email arrives from someone outside of the Brown-Forman domain, which could possibly be a phishing email. Additionally, Gmail generates another alert when a user receives an email from an external sender the first time. However, once the user validates it is a trusted source and engages in email exchanges with the sender, the alert goes away.   

Supplementing the Gmail alerts, Oxendine and his team have set it so any email from outside the Brown-Forman domain contains the word “external” in the subject line.

“We’re trying to give our employees enough visual cues—speed bumps, if you will—so that they slow down, take a minute to really evaluate the email, and run through the phish email vetting process,” Oxendine says. This all comes in addition to IT needing to review and approve the installation of any software on a Brown-Forman asset. “We periodically conduct a software inventory of our assets and validate that against our software catalog, which contains our list of approved software. For any software that’s not in our software catalog, it warrants a discussion to understand the business need and subsequently a risk assessment.”

If the software does prove to be safe and satisfies a business requirement, it has the chance to get approved then subsequently installed to satisfy that business need.  

“We have a technology assessment group  that meets weekly to review new software requests,” Oxendine says. “Security is involved for data protection purposes and to make sure we’re not introducing any vulnerabilities into our environment. Also, our desktop team is involved to ensure whatever software we’re installing on the asset functions and works properly with our core group of preinstalled software. We’re currently implementing a security solution that will prevent our users from downloading and installing software without getting IT approval first.“

Finally, Brown-Forman, like many companies, conducts quarterly phishing exercises via the Wombat Security Awareness tool.

“We’re able to assess our employee security awareness by conducting periodic phishing exercises,” Oxendine explains. “We capture metrics identifying how many failed the exercise and where we need to increase our training efforts. Google prevents numerous messages from getting through to our inboxes, so those that do make it through are well-written and crafted. We’re only as strong as our weakest link.”