TABLE OF EXPERTS: Cyber-Breached

By Daniel Bates

If you think your company is too small or mundane to become the target of ruthless, industry-agnostic cyber-criminals, or that your anti-virus computer software will aptly shield you from organized, Dark Web hacking syndicates, you might want to brace your company for a breach.

In short, that’s the urgent message coming from this Table of Experts panel of local cybersecurity experts who, more and more, are finding themselves on the front lines of response, defending the future of Pittsburgh businesses against this growing threat of phishing, identity theft, data kidnapping and financial disaster.

“Anybody who thinks they are not a target is misinformed,” said Michael Stratos, CEO of Pittsburgh-based Ideal Integrations, a computer systems integration company whose Blue Bastion division provides cybersecurity planning and incident response to businesses. “Everybody is a target…They don’t really understand that people get breached for resources and that…ransomware is a last resort. If [cyber-criminals] have no other way to get money out of this, then they’re going to sell it, encrypt it, and then hold somebody for ransom.”

Ideal Integrations hosted the panel discussion, in partnership with the Pittsburgh Business Times. Also joining the in-depth discussion were the following: Corey Bussard, director of cybersecurity services for Ideal Integrations’ Blue Bastion division; Daniel Desko, a shareholder with Pittsburgh accounting firm Schneider Downs who specializes in cybersecurity, forensics, risk management and compliance; Daniel Coast, a sales consultant with insurance broker Henderson Brothers, Inc.; and Peter Horne, an attorney and in-house counsel for Henderson Brothers.

Stratos and Horne moderated the discussion. Here’s what the panel had to say:

Michael Stratos: Let’s start with the compliance side of things. What do you see as the preferred method that hackers are using to gain access to systems?

Daniel Desko: What we’re seeing is it’s attacking the endpoint, attacking the human elements. I think a lot of the traditional security technologies – the next-gen firewalls, those types of main avenues into an organization, are not the consistent way in anymore. I think the attackers know they can exploit the edge and by exploiting the edge, that’s usually the weakest link. When we do incident response-type engagements or when we do our penetration-type engagements, if we’re using social engineering tactics and techniques, we have pretty much a 100 percent success rate or near 100 percent success rate. So that is, by far and wide, the easiest way or preferred method for hackers to gain an initial foothold.

Stratos: So, the analogy would be that if I were going to try to breach a house, I’m not going to try to walk in through the front door. I’m going to look for an easier method to get in.

Desko: Yep. Check the windows on the side or maybe the old coal chute. It’s no longer knocking on the front door, like you said. It’s looking for that other, softer spot. And for us, that’s easily the human and the endpoint that they’re working on.

Stratos: And what do you see as far as what companies, clients of yours, are doing to minimize the risk associated with those activities?

Desko: I think companies that pay attention to cyber risk are very focused on training. We see companies we work with focus on – and put dollars toward – training quite a bit. I think training is good. I think training is necessary. But I would rather see companies focus more on stopping those types of attacks before they get to the human – take the decision out of the humans’ hands. Whether that’s making sure they have a spam filter that works properly, or they have a next-generation type of anti-phishing solution. Something that doesn’t put it all on the user.

Stratos: What you’re saying is training these days is table stakes. You’re going to have to try to minimize the surface area of risk. However, you can do all the training in the world, and it only takes one to click on something, and all that training doesn’t really matter. It’s going to happen, right? So, yes, there’s a certain amount of focus you need on training; however, it’s not, or should not necessarily be, the focus, because what you do know is it’s not a matter of ‘if’ but a matter of ‘when’ they’re going to. So, it has to go to that next level.

Desko: Yes. I think companies should be analyzing what that attack path looks like and the cyber ‘kill chain’. It’s kind of stopping that threat from getting through that and the table stakes of training your employees. But if something makes it by both of those things, okay, then, what are all of the protections – the layers – you have behind that as well.

Stratos: Given that, what would be the top two things you would recommend that your clients should focus on beyond the table stakes of training?

Desko: What I don’t see a lot is people taking a threat risk-based look at their security programs. I think they just say, okay, I need this to fight this or this to fight that. It’s kind of reactionary. What I’d like to see is companies say, this is the most common threat vector; this is killing people, right? Things you should be doing. Okay, the spam filter gets evaded. The user training fails. They’re looking to have some sort of next-generation anti-virus tool at the endpoint, something that’s protecting not only the operating system, but protecting from next-level types of attacks more than a traditional anti-virus would.

A lot of today’s modern attacks are fileless types of attacks. They’re using utilities that are built into the operating system already, like PowerShell – things that might look normal to a traditional anti-virus tool. So one of the top things behind the user training would be having a next-gen, heuristic-type anti-virus tool or EDR tool at the endpoint. From there, preventing lateral movement from the endpoint, whether that’s blocking through the Windows firewall or a more advanced tool. But essentially, even if things make it by that next-gen anti-virus tool, and that will happen, preventing it from escalating from there.

Stratos: Minimizing the surface area that’s infected – at least allowing you to react quickly to minimize the damage.

Desko: Exactly.

Stratos: What do you see as the highest areas of concern that you feel your clients aren’t paying enough attention to?

Desko: It’s a couple things. One being not understanding what they’re up against from a threat intel perspective.

Stratos: Is it safe to assume that, in this day and age, that most of the clients don’t really realize what they’re up against?

Desko: Yes, I think it’s safe to easily say that. We worked on a ransomware attack where the threat actors gained a foothold through phishing, and our forensics showed that they actually were in those systems for about three months leading up to when they actually executed the ransomware.

I think there’s this common misconception of these types of attacks out there, where, we’ll be talking about this story like this, and people say, well, why don’t they just restore from backups? Well, because the attacker doesn’t want them to restore from backups. They’re going to try to gain access to their systems, put their hooks in, and dig their way in to really have the best chance of success as possible when they execute their ransomware.

They’re going to find your offline backups. They’re going to find your cloud storage. They’re going to find your network-attached storage. They’re going to take over those things. By the time they try to execute their ransomware, they’re going to have the best possible shot at that working for them so they can get a payday. I don’t think most companies understand the level of expertise and sophistication that they’re up against.

Stratos: To add an example, we’ll do a program where we’ll do a sample password hacking exercise for a company. I’d say that, on average, within 4 seconds, we have about 15 percent of the company’s passwords. That’s in 4 seconds. Give us an hour in that environment of password hacking, and we’ll have almost 25 percent at that point. Getting back to the idea that it only takes one, within 4 seconds to an hour, we have 25 percent of the passwords.

You talked about normal or unsuspicious activity. If I have credentials, then I’m considered normal walking around in this environment. These people that they’re up against – the tools that we use, we spend about $4,000 to build those tools. The people you’re up against are spending about $400,000 for those tools. So as fast as we’re getting in, they’re getting in infinitely faster. From a statistical perspective, that should give people an idea of what they’re up against.

The other thing that was mentioned, of somebody you helped, where the hackers were in there for three months before anybody even knew: the average is 120 days. What people also don’t understand is, when somebody breaches and they initially get in, they’re not looking to immediately do something to be noticed. They’re doing reconnaissance.

They’re monetizing the ‘customer’s’ network and looking for ways to sell that and make money. Typically, the one that eventually does the ransomware isn’t the one who originally breached the network.

Desko: If I could add to that, the second thing I wrote down for the areas of highest risk that most security programs don’t focus on are the basics. Back to these basics. You mentioned passwords. I think we all in the community agree that passwords are just terrible in general. It’s a bad way to control access and authentication to our most important stuff. You guys nailed it earlier when you were talking about cracking passwords. With a couple of GPUs [graphics processing units] now, you can crack an entire eight-character password space in a day or two.

Stratos: For the sake of this discussion, these hackers – who are these people? What do they look like?

Desko: I think what they look like is real companies. They probably sit in an office space, and they go to work every day, and their work is hacking into our systems and stealing our I.P., stealing our data, selling our customer data, or taking away our operational uptime and holding it for ransom.

Stratos: They’re very well-funded, and it’s billions of dollars.

Corey Bussard: It’s big business – it’s an actual big business today. Being on that receiving end and talking to someone who just breached a company and is asking for Bitcoins as payment to get decryption keys to decrypt all of those files they had encrypted. In those emails, they’re giving customer service to you. They’re saying, technically, that they will help you get through this chaos to unencrypt your files. In some ways, it’s a legitimate business.

Stratos: Up to the point of giving you the key to decrypt, they are, as they would prefer to say, ethical in an unethical manner. They will come through with giving you the keys because to them, that promotes their business, and that will get people to pay the ransom because they know they’re not lying when they say they’ll give you the decryption key. Before, it was ‘encrypt and pay,’ and there was a very low percentage that you would get those. That percentage has gone way up because they look at that as good business and repeat customers.

Daniel Coast: Regarding the encryption, you can go on the Dark Web and buy some of these exploits and deploy them, and these criminals may not have the means to unlock them for you.

Desko: You don’t even have to go to the Dark Web to get these tools. You can go to GitHub, which is owned by Microsoft. You could log on to GitHub right now, and you could download Mimikatz or CrackMapExec or any of these tools that are used by both the good guys and the bad guys in many forms.

One of the most common tools we see is Mimikatz. Mimikatz was created by a French researcher named Benjamin Delpy, who wanted to prove a point that Microsoft’s operating system stored passwords in plain text in memory. So he wrote this program to prove that point. Next thing you know, it’s like Pandora’s Box being opened up, and the code for this is out there. It was meant for good when he created it, but now it’s used for all kinds of bad.

Coast: When you think about the bad, too, in the United States, we prosecute cyber-crimes. But there are many countries around the world that do not. So we think about these industries that have spawned that have the liberty to operate freely to do the work. That’s what we’re up against.

Desko: Geopolitically, it’s very difficult. You have a wonderful law enforcement community here in the U.S. Here in Pittsburgh, we have access to some fantastic resources. But if you’re looking to prosecute or actually bring someone to justice for a lot of these things, that’s a lot harder. Often times, companies are fearful to work with law enforcement because they don’t want word to get out. So that also is a challenge. The sharing that occurs with law enforcement and the private sector, I think, is pretty important to solve this problem.

Peter Horne: You usually run into a scenario where law enforcement – they have a hard stance and don’t negotiate, don’t work with these guys and don’t pay the ransom. But you have a business to run, so, are you going to make a business decision to not do what law enforcement’s recommendation is and get your business back on track? That’s a delicate situation for a lot of organizations to deal with – that I’m going to go against the FBI’s advice.

Stratos: True, but the FBI has no care of whether you go under or not, they just don’t want you to promote the crime.

Desko: We’ve been in a few situations where clients have gotten lucky in ransomware cases where we’ll do our initial forensics, and they’ll allow us to share data with law enforcement, and law enforcement might actually recognize the threat actor or the ransomware or malware that has been used. They have records of encryption keys that have been used successfully in the past for various strains. It’s like maybe one in a hundred. It’s always worth checking; we’ve seen it work before.

Coast: Are people sharing more information with law enforcement so they can gain access to some of these trends?

Bussard: From our perspective, we decided just to go ahead and partner with law enforcement. What we did is set up quarterly meetings so that we could sit down and go over all the threats we’ve seen over the last quarter. Now, if a client specifically says they don’t want to be a part of that, we will talk about the threats that were found in an environment, but we won’t name the client. Now, the law enforcement agencies won’t be able to gather hard evidence from that, but at least they’ll have intelligence surrounding that. Or, they may already actually know. We’ve had a few times when we were called by somebody and were literally driving on our way there, and a law enforcement agency showed up before us and said, ‘hey, just so you know, you might be breached’. A lot of times, they already have intelligence into these things, and the businesses might not even be aware that they know.

In our opinion, we always try to push our clients to talk to law enforcement. It always is our stance to share as much information as possible with the law enforcement agencies because at that point, by not sharing the information, you’re perpetuating the bad activity.

Horne: You see the most vulnerable – you have municipalities, nonprofits, schools, these entities that don’t have all of the resources to do best-practice security, to have a team of lawyers, to have a team of forensic accountants, to have a team of security professionals. They’re most often the targets.

Stratos: There are a lot of compliance initiatives out there. What, if any, impact have you seen those initiatives make as far as security is concerned?

Desko: From a compliance perspective, you used the term ‘table stakes’ earlier. That’s exactly how I feel about a lot of the compliance frameworks out there. They are the base table stakes involved. I think it probably helps those companies make themselves a little less of an opportunistic type of a target. If it’s a targeted type of an attack, the compliance frameworks don’t go far or deep enough.

Let me explain. The target versus opportunist type of attack. The opportunistic is more of a spray-and-pray mentality where the attacker is just releasing phishing emails galore and investigating whoever clicks, they’ll see if it’s a juicy target and maybe dig in a little further. Or maybe it’s something like they’re using automated tools where you can just scan the Internet for open ports, open interfaces with common passwords, and they might find things that interest them from there. That’s opportunistic – a broad, shotgun-type approach.

The sniper approach is the targeted attacks. There are advanced persistent threat (APT) groups out there – the big game hunters, they call them – that will target specific types of businesses or specific industries and make them a focus of their efforts. My comment was that I think the compliance initiatives help raise the bar and make you more resistant to opportunistic attacks. But the compliance initiatives aren’t enough, in my opinion, to make you more resistant to the more advanced targeted threats.

Stratos: And let’s be honest, they’re not really that good at preventing the opportunistic either. It’s a guideline or some things that are put out there – table stakes. In this day and age, table stakes just aren’t enough. The days of ‘set-it-and-forget-it’ security are over. The firewall and anti-virus are not enough. Before, you’d buy your anti-virus, and you’d get your signature updates, and you were good. That’s not the case anymore.

It’s now the next-gen anti-virus, but it’s a level above that. It needs to be a level above that. This is where the whole budget for security comes into play. It’s a completely different landscape. Companies aren’t prepared from a budget perspective to spend on security what is necessary to actually be secure. Maybe to be compliant. Compliance is a little different than security. Our approach to compliance is, you become secure, which makes you compliant.

Stratos: The unfortunate part is that budgets typically only allow for you to try to become compliant and not secure. Would that be a common thing that you see?

Desko: Yes, I would agree with that. I would always prefer, while we have the hood up and all of your tools out and we’re looking at trying to get people compliant, we might as well go the extra mile. But that’s not always the case. You can’t always get there.

Horne: Would you say people are calling you post-breach or are they calling you proactively? What would your recommendation be there? How do you marry this compliance initiative with doing enough on the front end?

Desko: There are some clients that don’t even have compliance requirements. Sometimes we’re able to talk them into doing some of the basics, whether it’s executing a penetration test or a cyber-risk analysis to show them where they might be the most vulnerable. So at least they’ll have an idea or a plan to start to say, okay, this is maybe where we need to focus, or at least they understand what their baseline might look like or how far away they might be from a compliance standpoint.

Then there are the folks that call you post-breach that didn’t plan ahead and did not want to pay for some of these more proactive services. That’s when it’s tough. You’re always willing to pay when your data is being held hostage, but you never want to be in that situation either.

Horne: How much more do you think somebody with no preparation pays in one of these incidents than somebody who had some proactive planning?

Desko: Usually the ones who don’t focus much on cyber and don’t do a lot of preparation are the ones who get hit hard. Folks who pay a little more attention and have some basics in place can maybe see some of the early signs of an attack occurring and can call in experts like Blue Bastion or us or whoever before it gets to the point where ransomware gets executed across the infrastructure.

Coast: You talked about exploiting certain industries, and you talked about preparedness. There are definitely certain industries that we talk to from an insurance perspective, and they say, ‘we’re not really a target’. I ask them, ‘do you use the Internet?’

Stratos: I’m going to say some things to you, and let me hear your response. ‘I don’t really need to spend that much on security. There’s nothing in my network that somebody would want. I’m not a bank.’

Desko: Do you use online banking for your business?

Stratos: Yes, I do.

Desko: Do you do wire transfers?

Stratos: Yes.

Desko: That’s interesting. Do you pay your vendors through online banking and wire transfers?

Stratos: Yes, we do.

Desko: That’s interesting. What if your accountant got a phishing email that said, whoever your top vendor is, dollar-wise, per month, that their account records have been updated. Here’s a new routing and checking number. Can you please update your records, kindly? Do you think your accountant would be a good accountant and have nice customer service and update their records?

Stratos: Aha! The point is, anybody who thinks they are not a target is misinformed. Everybody is a target, whether it be for what you just described, which was very good, resources. They don’t really understand that people get breached for resources, and that, to be honest, ransomware is a last resort. If they have no other way to get money out of this, then they’re going to sell it, encrypt it, and then hold somebody for ransom.

Desko: That’s the nuclear option.

Bussard: The other option is to drop something like an Emotet and gather every person in the organization’s data – all of their usernames and passwords for their personal banking accounts and then drop ransomware to hide their tracks.

Stratos: People don’t realize that, how many people use their work computers to do online banking?

Bussard: Or log into Facebook, and that’s the same username and password that they use for their bank and that they use for Twitter and that they use for you name it.

Stratos: They just got the keys to your kingdom because they’ve just harvested your credentials.

Desko: By the way, newer versions of Emotet also steal your contacts out of your Outlook, and they start to email all of your contacts with Emotet as you. So not only are you totally in a bad place, but then you’re helping to perpetuate the attack with all of your friends, family, customers, vendors, whoever.

Stratos: From your perspective, what is the current state of cyber-liability insurance in the marketplace?

Coast: Great timing for you to be asking me that question. I just got back from a conference with the brightest and best minds in the industry, and I think all of them are very enthusiastic about writing more cyber-coverage. I would call the market strong. We continue to see good performance in the cyber books overall. We’re seeing an uptick in the purchase of cyber coverage. But at the same time, we are seeing a continued increase in claims, so it’s a bit corollary.

Horne: Are they making it affordable?

Coast: When you look at the state of the market, where we were, say, 5 years ago, it was a very cumbersome process to buy the coverage, and again, that prior conversation of, ‘hey, we really don’t have that risk, and it’s a lot of money for a million dollars of coverage.’ The pricing certainly has softened and come down.

But I will say we’re starting to see more expense load in the claims. The claim dollars are getting bigger; the costs are bigger on forensics. So I do think we’re probably going to reach a tipping point where the carriers get a little bit more responsible with their pricing models, and we see some increased costs around premiums for the increased costs in claims.

Stratos: So in a sense, business is good for you because the landscape of cybersecurity out there is bad?

Coast: That’s correct. I put our buyers into three buckets. You have small business, your middle market, and your public companies. On the small business side, it’s easy to buy the coverage. We’re seeing more uptake there. We’re actually seeing insurers throw in some ancillary cyber coverage as part of their small-business package to give them some coverage for cyber.

In the middle-market space, we’re absolutely seeing more of an interest level. For Henderson Brothers, that really is our core customer group. Pricing has continued to be affordable and the application process has gotten easier. On the public market side, certainly cyber now is a board room discussion. Every board room in America probably is talking about their cyber-risk. And if they’re not, they should be. The criminals are industry-agnostic. They don’t care what you do. They want to disrupt your business and get your money. And that’s the message that we take to our customers.

Stratos: You had mentioned about a million dollars in coverage as being affordable. But we’ve also seen some legacy stuff where people have a hundred thousand dollars in coverage, and they believe they are properly covered. You mentioned the cost of forensics and even IR. What we’ve seen is, take a 200- to 300-person company with x amount of infrastructure to support those users. If they have a full-blown IR event and they are held ransom, and they don’t have the means to come out from under that encryption and have to pay that ransom and then have to go through that entire event, that could be a $400,000 to $500,000 event easily.

Coast: Yeah, they’ll blow through a hundred thousand dollars quite fast when having to respond to a breach.

Horne: Could you walk through why it’s that expensive and talk about all of the teams you interact with and what all you would cover?

Coast: Let’s talk a little bit about how the coverage is structured. The way that a cyber policy is structured is that you have both first-party and third-party coverage. When you look at the claims trends that are happening out there – and cyber is still a relatively immature industry – we don’t have years and years of case law with third-party claims coming from these cyber events. What we see is first-party expense of having to respond to a breach.

When we talk about incident response, what do we mean? Legal is a big part of IR. It’s a very specialized part of the legal world, and it’s very expensive. You’re getting partner rate at $500, $600, $700 an hour. And then pull in the forensics side, and I’m seeing those costs creep up as well. Cyber claims are very complex, and you need a specialized team to help you respond to a breach. That’s what you are buying with a cyber policy.

Desko: Can you talk about the role that legal counsel plays and why it’s so important?

Coast: The reason legal is so important is you’re dealing with privileged information. So it’s critical that you have professionals that are experts in this space that can help you manage that breach.

Desko: I would just add that I think the tough thing about cyber and the law is that it’s so fractured.

Coast: Yes, it is different in every state in America. Each state is going to have specific guidelines set by the attorney general in that state as to how you respond to that breach. So when you think about it from Pennsylvania to Texas to California, which is a much more difficult state to operate in, we see varying costs around those breaches.

Desko: And it’s extremely hard in the middle of all this chaos to confidently analyze all of these data sets -- particularly forensic data sets -- to come to a conclusion to say, here’s all the data that was breached, and some states have this, was there an intent to harm? Or was it just a smash-and-grab to get the ransomware? So you have to look at that threshold.

Coast: We’re certainly seeing a trend in consumer privacy. If you look at what has happened in Europe in the last couple of years, you have the General Data Protection Regulation, and we see that migrating. Now we have the California Consumer Protection Act. So we’re seeing these types of laws migrate around the world. California is first, but will it come to Pennsylvania, New Jersey, New York? It’s a matter of time before these laws are enacted in other states, which is only going to increase the cost around the breach.

Horne: So you’ve put in place your legal counsel, and the legal counsel creates that privilege that you can communicate with them. If you really have a breach or you’re investigating a breach, at least it’s not going to be accessible to the public, at least not initially. An attorney will coordinate with your network team, your forensic team, your insurance team.

And your attorney could be panel-provided under a cyber-liability insurance policy or could be somebody whom you trust as your legal and you want to get in advance. The breach coach – the attorney’s role there – is to make sure that’s all coordinated and he or she, maybe even with a PR firm, is probably going to be your lead negotiator with the bad actor.

Bussard: Talking to the public is another big one. What to say at the appropriate times. The legal team is the one who is going to deem whether it’s an actual breach or not according to that state’s law. So they’ll coach you through – or bring in a coach to tell you – what you need to say during that incident so that you’re not fumbling with what to say when you’re worrying about the incident itself.

Stratos: A good way to describe this is a whirlwind. You get thrown into a situation which most people haven’t been through and which they know nothing about, and you already are dealing with the repercussions of not being able to function as a company, and now you’re being thrust into a new world of dealing from a legal perspective, from a legal response perspective, from an insurance perspective as well.

Coast: Michael, when I’m talking to our clients and prospects, one of the main questions I’ll ask around cyber is, do you have an incident response plan? It’s a great starting point. We hear ‘no’ a lot. When we hear no, we say this is exactly why you need to buy cyber-liability insurance because, effectively, you’re helping yourself by buying some incident response.

Stratos: Basically, you’re supposed to have a disaster recovery plan, and this isn’t new. This has been around for a lot of years, and it typically is something that is woefully misunderstood and underfunded, if they have one at all. But it’s a very destructive event if it does occur, to the point of eventually putting people out of business. Security incidents are no different. It is a form of disaster.

Stratos: Back to the insurance side of things. Most people probably don’t know what all is or isn’t covered because you have this event that occurs. You try to find someone to help. You may or may not have cyber liability. You get somebody – an incident response team – to help. That’s a cost. Is that covered by cyber liability?

Coast: It is.

Stratos: So, the next part, where are we in this process? We need new infrastructure to help us get out from under this ransomware. Is that potentially covered by this insurance?

Coast: It can be, to answer that question. We’re seeing the evolution of cyber. It’s going to trail what’s happening out there from a breach standpoint. We’re seeing hardware replacement. We’re seeing software replacement being a trend in the market where they’re adding some semblance of coverage. Now, it’s not going to pay to provide you with entirely new hardware or software. But it gives you some enhanced coverage, maybe $100,000 or a $200,000 sub-limit to build into the policy to prevent this from happening again.

Stratos: The next part, legal fees, breach coach? Those are all part of it? And writing at least portions of an incident response plan once it does occur?

Coast: Yes, absolutely. But there’s also one thing I want to add that’s in the policy, and that is the actual business interruption loss – your revenue. And that’s really important. We’ve seen a lot of companies in this middle market, manufacturers, that cannot operate their business due to a breach. Certainly, they have all of the incident response, legal, forensic costs associated with the breach. But at the same time, they can’t operate so they’re losing money every single day.

So it’s really important that, when we analyze an insurance program for a client, we’re setting the right limits for coverage of business interruption loss as well, and there are some other nuances like that when we get into vendors and third parties that overlay with that loss.

Stratos: I have car insurance, and I know that my car has certain levels of security like an alarm system and anti-lock brakes, and I get breaks on my insurance for having these things. So, what in the cyber-liability industry as far as risk management strategies are looked upon favorably, or is that industry mature enough that it’s starting to take those things into account when it prices out cyber liability?

Coast: We will talk to companies, and they’ll say, we’re not there yet with our plans and our systems. We don’t have enough history, and we need another year to get our security tightened up. And I say, don’t let that prevent you from filling out an application and going through the process to buy cyber insurance. That’s why you should be buying it.

The markets are maturing to gather more intel about the security of an organization, and certainly, the more secure you are and the more work you do on the front end, like phishing simulations, like incident response planning, certainly will not hurt you, and you should be seeing more preferential rating. Not having that is not going to preclude you from obtaining cyber insurance.

Horne: Just to add to that list, log monitoring, different types of firewall protections you can put in place.

Coast: Something as simple as hardware asset management – knowing who has your laptops and where they are.

Stratos: Do you see that coming in the future, where people who have a more mature security program will get lower costs in cyber-liability insurance?

Coast: Yeah, I think as there is more actuarial data around losses you will see more scrutiny on underwriting. Losses drive the pricing models of the carriers. Better security should prevent losses which should provide better pricing.

Horne: I would say there is not a direct correlation presently, but if you implement these risk-management strategies, and you have a better claims experience – experience in how much you’ve paid out in claims, then as you renew your cyber policy the next year, as you have claims that aren’t as severe as they should be, now you become a really great risk for that carrier or other carriers that are in play, and you pay less per unit over time instead of a direct discount that you would get.

Stratos: You said there has been an uptick of claims. What kinds of claims are you receiving? Where are the most costly claims right now?

Coast: I brought this report with me; it’s the NetDiligence Cyber Claims Study from 2018, the most recent study. So when you look at the sectors affected, the top four here are professional services, health care, financial services, and retail. That does not preclude Western Pennsylvania and manufacturing because we do a lot of that, and they’re getting hit every week. That just gives you a frame of mind of some of the types of industries being impacted.

From a cost and loss standpoint, hackers, ransomware, malware and stolen laptops are the top four causes of loss. And your average breach cost is $603,000.

Coast: We actually are going through a breach right now with a client, and we’re seeing just a forensic rate of $500 an hour.

Horne: Those are the claims types, and we’re seeing some claims issues, but an important item to think about in a claims scenario is the claim trigger. This trigger is when coverage will apply. It is becoming a double-edged sword as to, it’s a gray area, so can you get the benefit of coverage, or it’s a gray area and the carrier maybe is going to reserve its rights to take some kind of limiting path. So a claims issue is, are you going to have a claim if it’s a true breach? Are you going to have a claim if it’s an unauthorized disclosure? Are you going to have a claim if there’s a lack of control?

Say you’re going through a phishing attempt with one of your employees, and they clicked on the link and they have fallen into the trap that’s laid by the bad actor. But they haven’t wired any money yet. They haven’t been encrypted or been suffering from ransomware yet.

Maybe you have a sophisticated enough IT partner that quarantined that and put a stop to it. You had to spend money to get to that point. Did you have a claim? That is a question that is policy-specific. But depending on how it came in, depending on what happened and how it was executed, maybe you do, maybe you don’t. It depends on your claims trigger. You certainly need professional help to identify the point where coverage may apply.

Stratos: As far as the industry, who do you see as being the top insurance provider as far as cyber liability?

Coast: We’re seeing more interest in the space. There are several carriers that are in the forefront of cyber. From a national carrier standpoint, you have Chubb, Travelers, CNA, Ironshore, AIG. Then you have more specialty markets like a Beazley that are really strong in cyber. There are dozens that we work with, and all have varying coverage forms. And one of those carriers is going to have different partners within their policies. So it’s really important to understand who the partners are from a breach response, forensics and legal standpoint, and also having the flexibility to be able to pick the partners you want to use based on your experience. We can help with that.

Horne: If you have a partner that you’re already using from one of those areas who knows your system, knows how you operate. Maybe they’ve reviewed a copy of your incident response plan. That helps you in this hurricane of an event.

But to your point, the typical panel provider is coming in cold. You don’t want the first time you look at that list to be the day you’re running around with your hair on fire. You want to have a provider that’s local (that can be at your facility same day), that knows who you are ahead of time, who maybe even knows a little bit about your systems. These are all valuable qualities in finding an IR partner.

Coast: Who maybe even helps you draft your incident response plan and they have a role in that incident response plan. That’s where we, as the broker, help our clients understand how that process works and help them select a carrier partner that can work with them to get the right team in place based on their needs. And it’s our job to educate them about that.

Stratos: Right. Your part is integral to them making the right choices when it comes to one choosing not just the insurance but the right type of insurance and the other ancillary coverages that are now becoming available and educating them on, yes, there is a panel, but you have the right to maybe choose somebody else. Maybe there are people who already have gotten cyber liability and must use the panel provider because that’s what was in place at the time. But maybe at the renewal they can change that.

But whether they have to use the panel or not, here’s what we see – and you can chime in on this if you see differently. The time that it takes to get somebody from that panel is typically a considerable amount of time. When there’s an incident, we’ve seen it take 48 to 72 hours for somebody to get in contact. We’ve seen it go as long as three weeks.

Going back to the house analogy, if your house is on fire, and you call the fire department to put out the fire, you can’t wait 48 to 72 hours or three weeks for somebody to come and put out the fire. You need somebody to jump in and help right away. That’s the benefit of having somebody who already knows your environment, you have a relationship, can jump in right away and start helping. And even if you have to go to a panel, somebody on this side needs to manage the whole thing going on.

Horne: Corey, you told me this story before where you were working on a client, you had boots on the ground, you drove there within two hours of receiving the breach notice, and they had this other partner who was six time zones away trying to remote in and help them out, and yet you had boots on the ground right there.

Bussard: Something I really want to point out that’s very important is that local is a world of difference. If you call your cyber liability team and they involve a national team. And let’s say that, in that scenario, we are parachuting someone in because they have to. They could be coming from California or the U.K.

What happens is, as an incident responder, you need to do data analysis. What that specifically means is reviewing the environment to understand what is happening. That would be step one. Step two, then, is to contain the malware as much as possible. Is this across the entire organization or is it only happening in a certain quadrant? Then the next step is to eradicate it, to completely remove it from the specific quarantine or everywhere if possible. After that, you would have your post-incident response duties. In this instance, we landed, handled the containment, and then three weeks later, the panel provider initiated its work.

What happens a lot of times, we’ll have a client call us. Our first question is, do you have cyber liability insurance? If you do, we want you to call them and get the ball rolling there. And we’ll go ahead and start data analysis and start containment. Once you have your timeframe from your cyber liability insurance company, we’ll go to that next stage until they are ready to help.

Desko: One really important thing he said is the data analysis piece in the beginning. Triaging that situation to understand what is happening is so far out of the mind of most traditional IT people. Typically the first thought is to just wipe the machine and reimage it and put it back in place or let’s just restore it from this last backup and put it back in place. They just want to forget about it, put it out of their mind and get it operational.

What is important is those first crucial hours, you really want to gather that data, analyze what’s actually happening, so you can put a good plan into place that’s going to set you up for success. That’s why you need folks like Corey and his team to do that kind of analysis. You need to identify what the problem is first, then you can find a solution.

Bussard: That’s where that local piece comes into play. If I know that, maybe, they’re an hour away, and I can call them. Maybe it will take them two hours to get somebody ready. But they’re not hopping on a flight, packing those bags, doing all of those extra steps. We’re driving to your office, sitting down on your machines and doing our data analysis. That’s why the local piece is key.

Stratos: The other part that has helped us in these scenarios is, because we do have an infrastructure side to the company. Infrastructure plays a role. That’s why I asked about it on the insurance side of things – equipment replacement and things of that nature. As Corey said, when you are hit and hit hard, basically your entire network is infected and inoperable. We can typically create a quarantine that at least gives us an operating, or quarantine zone, where we can work from there out. That has been helpful because there are situations that are local and we can at least get started while we’re getting people there. So we’re not dead in the world. We’re at least starting to do recon analysis, figuring out what we’re up against.

Stratos: In these incident response scenarios, what have you found to be the most effective tools and/or programs to combat these scenarios? Let’s start with prevention.

Bussard: I want to go back to something that you said earlier, which was basics. One thing I dislike about hearing the basics is that, while it’s extremely true, a lot of people think they can go out and get x solution, and I’m good. There’s no easy button to cyber security. It’s an ever-evolving landscape. There’s no silver bullet.

Whenever I say the basics, I want to clearly define what that means. That means, step one: understanding your user base and what are their habits? What is their job? What are they supposed to be doing and using that computer for? That’s step one. In my mind, if you don’t know what your users are supposed to be doing on a day-to-day basis, you are blind to so many things. You don’t even need to go get a budget for this.

Next would be thinking about things, and a good place to start would be what’s called the CIS Top 20. CIS is the Center for Internet Security. It’s a framework for compliance and ensuring you have the right control measures in place. Those are great basic steps. But buying a tool set to come in and solve a security problem, it will help you solve some problems, but it won’t solve all of them.

As a service provider, one of the most effective tools or knowledge is a defense-in-depth understanding – what methodology that particular client wants to employ in their business. Things that will assist them in identifying when there is any activity.

Some of the things we’ve had the most success with are next-gen AVs and endpoint detection and response. But the problem with those solutions is you need to have the expertise to run them. That’s one set of tools. Another set of tools is micro-segmentation tools. It’s a separation of duties. These machines should only be talking to these machines. What should be happening is your domain controllers should be talking to your workstations to authenticate them or allow them into the network.

But it always comes back to, those tools are really awesome, but they’re only as good as the basics you put into place.

Horne: So we’re talking about, there are either off-the-shelf or customizable solutions that are out there, but there’s still a customization or “analysis of people” element to your entire security protocol.

Stratos: It goes back to what we were saying before that security no longer is set-it-and-forget-it anymore. You can’t just buy security and put it in place and forget about it and walk away. It’s something that needs to be watched 24/7 so that when the event occurs, the mean time to detection and response is much lower, and that’s what all of us work on is processing tools to lower time to detection and response.

Horne: What’s out there to help me prioritize these alerts that I’m supposed to be tending to at 2 a.m.?

Stratos: From our perspective as a provider, we implemented something called SOAR: Security Orchestration, Automation and Response, which effectively is a centralized place to take all those alerts, do correlations, give all the analysts information to more quickly and effectively figure out what is going on and how to respond. And in many cases, we automate the response.

Bussard: SOAR enhances the richness of the alerts.

Horne: So what is the next step? How do I close out the alert that I’m getting?

Bussard: There are a lot of methodologies surrounding that, and that’s usually driven by the client we have at that time. We have it from, we receive an alert and we reach out to the client and ask how they want us to proceed, all the way to an exact scenario would be you have somebody externally brute-force attacking your firewall. Our alert comes through and says the firewall blocked it, did its job, and we’re cool. So our alert goes over to our client, who says we’re good and you don’t have to do anything.

Let’s say it makes it through the firewall. That’s a different alert. So that alert says it made it to this machine. So that tool can reach out to your endpoint solution and say, did they have a successful login? Yes they did. So now that alert comes back to my team, and we can do many different things. They’re called playbooks. We can kick off automated responses and actions to that such as killing processes or logging that user out.

Horne: What was the most catastrophic incident you’ve worked on, why was it so severe, and what could they have done to prevent or mitigate it?

Stratos: There was a specific organization. At first, it was told to us that the size was about 250 workstations that were affected by the incident. That grew to more than 800, so that’s a typical scenario that people even within their own environments don’t realize the reach of what is going on.

Bussard: If I could just add, going back to the basics for mitigation specifically, if you look at that CIS top 20, I believe one or two is asset discovery. Understanding what’s going on in your environment is a really good example of the basics.

Stratos: They had been breached, probably for 190 days, not just at endpoints but on the back end. They also had a specialized set of computers that were servicing a specific software that was a legacy piece of software and the endpoints could not be upgraded. They were critical machines to the environment and the business.

What we walked into was basically a house that was on fire and being robbed. The front door was opened and the windows were opened and none of them could be shut, and we had to figure out a way to make it functional in that scenario. Oh, and there was a time limit in which we had to do that before it had to get to a point where machines had to be completely wiped and we started from scratch.

Corey’s team had to be very creative in creating a scenario where we built a cleansed environment and then went through a scenario of moving piece by piece the environments over to the cleansed side while they still had to be operable with the uncleansed side.

All the while the two or different strains of malware that were going on in there, key loggers, etc., were continuing to try to spread. It was a very tough situation. The team worked very hard to get it under control while still allowing the business to function in the midst of all of this. Eventually, it was completely eradicated, and they moved on to being in a much better place.

Bussard: One other thing: They did not have cyber-liability insurance. They paid out of pocket. They had compliance, but one of their checkmark boxes was, do they log their machines, and do they check it once a month? It was a very low bar.

Stratos: In the end, here, the one thing to keep in mind for everybody is that, as daunting as this is, don’t get paralyzed by it. You don’t need to get it perfect, you just need to get it started.

This Table of Experts was written and compiled by Daniel Bates, a Pittsburgh-based freelance writer.