Over the last few months we have been reading more and more about cyber-insurance policies. Leading insurance companies are underwriting coverages that address a wide array of cyber risks including: third-party loss resulting from a security or data breach, direct first-party costs resulting from a breach, lost income and operating expense resulting from a security or data breach, threats to disclose data or attack a system to extort money, as well as a number of other coverages.
Besides actual coverage of damages, the policies provide a series of benefits and features generally delivered by third-party security firms. This wide area of benefits relies on pre-breach detection best practices in a number of areas such as end-user education, training, audit and compliance, and deploying real-time detection technologies. If a breach has occurred, an after-the-fact incident response is required, and another layer of coverage kicks in to assist with forensics and investigations, notification and monitoring, and of course legal counsel.
However, a key area is omitted in this layered approach: breaches that may have already occurred. Real-time detection is great and a necessary step in protecting the enterprise, but this process overlooks threats that may already exist. The “breach-detection gap”, the time from when a breach occurs until the time it is identified, is in most cases over 6 months. Data has shown that malware is often active inside a network for over 6 months before being identified.
There is new technology, not commonly used as part of current best practices, that can identify and remediate threats that already exist in your systems but have not yet been detected. Known as active “hunt” technologies, these tools should be deployed as part of the process to actively audit and review endpoints for malware that may currently reside in the system.
Hunt technology requires minimal deployment time, is easy to use, requires a lower level of services than other security technologies, and ultimately brings significantly lower costs. The process is very straightforward:
1. Hunt – Identify endpoint devices to survey and collect data, ensuring that hosts, processes, modules, drivers, memory, users, autostarts and hooks are reviewed.
2. Analyze – Provide understandable analysis through stages that quickly identify areas of known good and known bad, as well as handle false positives. This reduces time to decision while retaining the ability to rapidly perform proprietary and third-party malware analysis (multi-engine, static + dynamic).
3. Remediate and Report – Provide the IT security team with actionable steps and data to determine the risk levels of identified malware. Also provide the ability (if desired) to isolate the endpoint and/or remove the malware.
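As an added illustration of the Analyze and Remediate/Report stages above (example code written for this page, not any product's own logic), the following Python triages a constructed endpoint survey against known-good and known-bad hash sets, applies an analyst's false-positive suppression list, and assigns a risk level and next action per finding. Hosts, file names and hashes are constructed placeholders.

```python
# Constructed survey records: the kind of data the Hunt step collects per endpoint.
SURVEY = [
    {"host": "ws-01", "kind": "process", "name": "svchost.exe", "sha256": "a" * 64},
    {"host": "ws-01", "kind": "autostart", "name": "updater.exe", "sha256": "b" * 64},
    {"host": "ws-02", "kind": "driver", "name": "netflt.sys", "sha256": "c" * 64},
    {"host": "ws-02", "kind": "hook", "name": "inject.dll", "sha256": "d" * 64},
]
KNOWN_GOOD = {"a" * 64}  # constructed: e.g. hashes from a vendor-signed baseline
KNOWN_BAD = {"d" * 64}   # constructed: e.g. hashes from threat intelligence
# False-positive handling: (host, name) pairs an analyst has already cleared.
SUPPRESSED = {("ws-01", "updater.exe")}
# Artifact kinds that give persistence or code injection rank higher when unknown.
PERSISTENT_KINDS = {"autostart", "driver", "hook"}
# Actionable next step for the IT security team, keyed by verdict.
ACTIONS = {
    "known_bad": "isolate endpoint and remove artifact",
    "unknown": "submit to multi-engine static/dynamic analysis",
    "suppressed": "re-verify on next hunt cycle",
    "known_good": "no action",
}

def classify(rec):
    """Analyze step: return (verdict, risk) for one survey record."""
    if rec["sha256"] in KNOWN_BAD:
        return "known_bad", "high"
    if rec["sha256"] in KNOWN_GOOD:
        return "known_good", "none"
    if (rec["host"], rec["name"]) in SUPPRESSED:
        return "suppressed", "low"
    # Unknown artifacts: rank by whether they can persist across reboots.
    risk = "medium" if rec["kind"] in PERSISTENT_KINDS else "low"
    return "unknown", risk

def triage(records):
    """Report step: group findings per host, each with risk level and action."""
    report = {}
    for rec in records:
        verdict, risk = classify(rec)
        report.setdefault(rec["host"], []).append({
            "name": rec["name"], "kind": rec["kind"], "verdict": verdict,
            "risk": risk, "action": ACTIONS[verdict],
        })
    return report

def hosts_to_isolate(report):
    """Hosts with at least one known-bad finding: candidates for isolation."""
    return sorted(host for host, findings in report.items()
                  if any(f["verdict"] == "known_bad" for f in findings))
```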
If hunt technology is incorporated as a best practice across the insurance industry, there will be two main benefits. First, insurance premiums will be easier to establish. There are no actuarial tables to determine whether a company is at risk or how long it will be before it is breached. A simple hunt assessment can determine whether malware currently exists in the system and whether the organization’s current practices for maintaining a clean system are deployed and working as designed. Second, the inclusion of hunt as part of security best practices will identify any malware and significantly shorten the breach-detection gap, thus limiting damage to the entity and lowering the total cost of exposure.
As security continues to consume billions upon billions of dollars, hunt technologies will need to become part of the mainstream security posture to ensure that networks are not infected. In today’s cybercrime-filled world it’s not just about keeping the bad guys out; it is about making sure that they are not already in.