Published on November 1st, 2022
Cybersecurity Posture & Insurance Outlook with Advisen
Secondly, organizations need to assess the risk across those assets, prioritizing and addressing existing vulnerabilities and configuration problems. It’s important to note that no organization will have a 100% risk-free cyber environment. All businesses will have misconfigurations, unpatched software, or unchecked system privileges. And because you’re never going to be able to patch 25,000 vulnerabilities in one day or even a week, triaging the risks that are most likely to impact core aspects of the business is so important. But certainly, many of those vulnerabilities are more critical to address than others; for example, those that are internet-facing or actively exploited.
Thirdly, organizations will want to analyze their risk assessment and execute mitigation strategies based on how they’ve prioritized their vulnerabilities. Depending on the exposures, organizations may be able to automate some of the mitigation strategies.
Beyond ASM, and specific to the endpoint space that Trend Micro and many other vendors are involved in, there are substantial risks when products are not fully deployed (e.g., a discovery process was not completed appropriately) or are not kept up to date. In terms of the latter issue, if you’re running a three-year-old product, it doesn’t matter what vendor you’ve got; you’re going to be exposed to cyberattacks. Essentially, what was effective against ransomware three years ago with an endpoint product will not be effective today, so it’s critical to stay current, both from a software and strategy standpoint.
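The three-step sequence above (inventory, assess and prioritize, mitigate in waves) can be made concrete with a small triage routine. The following is an added example written for this page; it is not code from the interview, from Advisen, or from any Trend Micro product. The weights, the `Finding` fields, the vulnerability identifiers and the inventory are constructed assumptions; the point it demonstrates is that exposure (internet-facing) and active exploitation should outrank raw severity when deciding what gets patched this cycle.

```python
"""Risk-based vulnerability triage (added example; not from the interview or
any Trend Micro product). Ranks findings so that internet-facing and
actively exploited issues are fixed first, then splits the ranked list into
remediation waves sized to what the team can actually patch per cycle.
All findings, identifiers and 'exploited' flags below are constructed
sample data, not real advisories."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # constructed identifier, not a real advisory
    cvss: float               # base severity, 0-10
    internet_facing: bool     # reachable from the internet (from ASM inventory)
    actively_exploited: bool  # on a known-exploited list (assumed input feed)
    business_critical: bool   # asset supports a core business process
    fix_available: bool       # a patch or vendor fix exists


def score(f: Finding) -> float:
    """Priority score; higher means fix sooner.

    Exposure and exploitation outweigh raw severity: an actively exploited,
    internet-facing medium outranks an unreachable critical. The weights are
    illustrative assumptions, not a standard."""
    s = f.cvss
    if f.actively_exploited:
        s += 10.0
    if f.internet_facing:
        s += 6.0
    if f.business_critical:
        s += 3.0
    if not f.fix_available:
        s -= 1.0  # still tracked, but needs a mitigation instead of a patch
    return s


def rank(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Return (finding, score) pairs ordered by descending priority."""
    return sorted(((f, score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


def remediation_waves(findings: List[Finding], capacity: int) -> List[List[str]]:
    """Split the ranked list into waves of at most `capacity` vuln_ids each,
    so the first wave is what gets fixed today when the backlog is too large."""
    ordered = [f.vuln_id for f, _ in rank(findings)]
    return [ordered[i:i + capacity] for i in range(0, len(ordered), capacity)]


# Constructed inventory: asset, id, cvss, internet_facing, exploited, critical, fix
SAMPLE = [
    Finding("db01",     "VULN-0001", 9.8, False, False, True,  True),
    Finding("web01",    "VULN-0002", 7.5, True,  True,  True,  True),
    Finding("printer3", "VULN-0003", 5.0, False, False, False, True),
    Finding("vpn01",    "VULN-0004", 8.1, True,  False, True,  False),
    Finding("wiki",     "VULN-0005", 6.1, True,  True,  False, True),
]

if __name__ == "__main__":
    for f, s in rank(SAMPLE):
        print(f"{s:5.1f}  {f.asset:9s} {f.vuln_id}")
    print(remediation_waves(SAMPLE, 2))
```

Note how the CVSS 9.8 on the internal database lands in the second wave behind a 7.5 and a 6.1 that are both reachable from the internet and already being exploited; that is the triage outcome the answer above argues for. The weights would be tuned per organization, and the "actively exploited" flag would come from a curated feed rather than a hand-set boolean.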
A: What should insurers look for when assessing an organization’s cybersecurity posture?
E: Cybersecurity is and always has been a complex risk to navigate. In general, the approach we’ve seen insurers take when assessing an organization’s cybersecurity posture relates to information gathering. Whether from questionnaires or live collection, insurers often rely on data science to determine the factors contributing to an organization’s risk. It’s not too dissimilar to the approach cybersecurity vendors like Trend Micro take.
A trap that insurers tend to fall into, however, is they focus too heavily on an organization’s vendors and the cybersecurity features they offer on a surface level. Obviously, partnering with a cybersecurity vendor can go a long way toward improving cybersecurity. But the fact that a business has invested in these solutions doesn’t tell insurers a lot when taken at face value.
As an example, insurers can ask an organization if they have endpoint detection and response (EDR) solutions in place. And while it’s helpful for organizations to have EDR, insurers have no idea if the customer is using it, if they’re actively monitoring EDR alerts, or if they utilize a managed service provider to stay on top of EDR-related processes.
Put another way, the mere presence of a control doesn’t necessarily allude to a strong cybersecurity posture. Still, that doesn’t mean these types of questions aren’t necessary. For example, if a current or prospective customer indicates they don’t have multifactor authentication, that’s a red flag. But insurers need to go deeper in some cases, and focusing on how the customer is utilizing, monitoring, or configuring their cybersecurity tools can be just as important as whether these tools are in place.
From an insurer’s standpoint, continuous monitoring as it relates to how security controls are deployed is crucial. In general, insurers should consider measuring an organization’s response time to a potential threat. It’s also vital for insurers to know how often security measures are updated and who monitors the system.
I also feel there’s more room for cybersecurity vendors and insurers to work more closely together, as they both have a common goal: insurers don’t want a claim, and the cybersecurity vendor doesn’t want a breach.
A: How quickly does the cybersecurity landscape evolve? What does the future of cybersecurity look like?
E: When it comes to preventing cyberattacks, the detection logic is constantly evolving. It’s a cat-and-mouse game, and cybercriminals continue to find ways around defense strategies.
Often, cybersecurity vendors are playing catchup. For example, suppose a cybercriminal finds a new way to use a Microsoft Windows system utility. In that case, it will take some time before a vendor has the behavioral logic to look for that particular activity.
We’re certainly in a very active period where every cybersecurity vendor needs regular updates to their detection logic. While machine learning can help with this process, those models still require frequent updates.
So, essentially, all cybersecurity vendors are constantly improving the detection capabilities they have in their products, and organizations want to stay current. However, this doesn’t mean a full product update is required on a regular basis, especially in the case of SaaS-based products that get updated automatically by the vendor or receive regular over-the-air updates. The customers that end up in the most trouble are typically the ones running on-premises software and not updating it frequently.
Thankfully, as quickly as the attack strategies change, so do the protection methods. Customers in the best position are the ones doing what they can with respect to detection. That includes leveraging managed services as well as technologies like EDR and extended detection and response (XDR). XDR extends the EDR approach beyond the endpoint to correlate threat activity across endpoints, email, networks and more.
And given the pace at which cybersecurity issues and protection strategies evolve, customers need to prioritize what they learn to improve their cybersecurity posture. You get an avalanche of data when you execute a discovery of vulnerabilities, catalog your assets, examine threat activity in your environment and analyze user activity. At that point, you have to determine what your most serious problems are. That kind of prioritization is tremendously valuable when it comes to reducing exposures. It all feeds into strong ASM practices, which we touched on earlier.
In terms of what’s on the horizon, there’s significant hype around zero trust and secure access service edge (SASE) capabilities. Zero trust is essentially a security framework mandating that, before granting or maintaining access to applications and data, all users (inside and outside an organization) must authenticate, authorize, and undergo ongoing security configuration and validation.
Fundamentally, with zero trust, you’re getting your business into a state where, by default, you say no when new connections or access requests come in. Then, you’re making a dynamic, automated decision on a granular level about what to do with those requests. Should this access take place? Should this laptop be able to talk to this other part of the network? This approach has tremendous benefits with respect to slowing down attackers.
SASE is the application of the zero trust approach via cloud-based architecture. By converging capabilities from two discrete areas (network and security), SASE provides more granular, scalable security across the attack surface without compromising the user experience. For example, zero trust network access (ZTNA), a core component of SASE, provides extended security services for a user’s contextual identity (location, device security posture, etc.) to dictate policy controls and data movement.
So, I would say ASM, the zero trust framework, and SASE architecture are three areas to pay attention to in the current market.
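The "say no by default, then decide dynamically and granularly" model described in the zero trust answer above is easiest to see as a policy decision function. The following is an added example written for this page; it is not code from the interview, from Advisen, or from any Trend Micro or SASE product. The policy schema, the `AccessRequest` fields, the resources, users and thresholds are all constructed assumptions. What it demonstrates is the ordering that matters in a default-deny engine: no policy means deny, hard device-posture failures deny before any step-up is offered, and only a request that clears every contextual check reaches ALLOW.

```python
"""Default-deny access decision for a zero trust policy enforcement point
(added example; not from the interview, Trend Micro, or any SASE/ZTNA product).
Every request starts as DENY; an explicit policy for the target resource and a
passing identity/device context are needed to reach ALLOW. Policies, users,
devices and thresholds below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    DENY = "deny"
    STEP_UP = "step_up"   # allow only after fresh re-authentication (MFA)
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str          # application or network segment being requested
    mfa_age_minutes: int   # minutes since the last MFA challenge was passed
    device_managed: bool   # enrolled in device management
    edr_healthy: bool      # endpoint agent present, current and reporting
    patch_age_days: int    # days since the device was last fully patched
    country: str           # location from the access broker (assumed input)


# Per-resource policy (assumed schema). A resource with no entry is denied.
POLICIES: Dict[str, dict] = {
    "payroll-db": {"roles": {"finance"}, "max_mfa_age": 15, "max_patch_age": 14,
                   "countries": {"US", "CA"}, "managed_only": True},
    "wiki":       {"roles": {"finance", "engineering", "sales"},
                   "max_mfa_age": 720, "max_patch_age": 45,
                   "countries": {"US", "CA", "GB", "DE"}, "managed_only": False},
}


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Return (decision, reason).

    Check order is deliberate: posture failures that indicate a risky or
    unknown device deny outright before a step-up is offered, so a compromised
    or unpatched endpoint cannot MFA its way into a sensitive resource."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Decision.DENY, "no policy for resource (default deny)"
    if req.role not in policy["roles"]:
        return Decision.DENY, "role not authorized for resource"
    if policy["managed_only"] and not req.device_managed:
        return Decision.DENY, "unmanaged device not allowed for this resource"
    if not req.edr_healthy:
        # Even BYOD must run a healthy posture/EDR agent to be evaluated at all.
        return Decision.DENY, "endpoint agent missing or unhealthy"
    if req.country not in policy["countries"]:
        return Decision.DENY, "location outside allowed countries"
    if req.patch_age_days > policy["max_patch_age"]:
        return Decision.DENY, "device patch level too old"
    if req.mfa_age_minutes > policy["max_mfa_age"]:
        return Decision.STEP_UP, "MFA too old for this resource; re-authenticate"
    return Decision.ALLOW, "policy satisfied"


# Constructed requests exercising each branch.
REQUESTS = [
    AccessRequest("alice", "finance", "payroll-db", 5, True, True, 3, "US"),
    AccessRequest("alice", "finance", "payroll-db", 60, True, True, 3, "US"),
    AccessRequest("bob", "engineering", "payroll-db", 5, True, True, 3, "US"),
    AccessRequest("carol", "finance", "hr-share", 5, True, True, 3, "US"),
    AccessRequest("dave", "sales", "wiki", 5, False, True, 60, "GB"),
    AccessRequest("erin", "sales", "wiki", 5, False, False, 1, "GB"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        decision, reason = evaluate(r)
        print(f"{r.user:6s} -> {r.resource:11s} {decision.value:8s} {reason}")
```

The same shape applies to the "should this laptop talk to that part of the network" question: the resource becomes a network segment and the policy lists which source roles and device postures may reach it. In a real ZTNA deployment the posture fields would be fed continuously by the device agent and the decision re-evaluated during the session, not only at connect time.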
Next steps
To learn more about improving your cybersecurity posture and cyber insurance, check out the following resources: