An Insider’s Guide to Cyber-Insurance and Security Guarantees
Page 1
AN INSIDER’S GUIDE TO CYBER-INSURANCE AND SECURITY GUARANTEES
JEREMIAH GROSSMAN, CHIEF OF SECURITY STRATEGY
@jeremiahg
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/
http://sentinelone.com/
Page 2
BIO
WHO I AM…
▸ Professional Hacker
▸ Person of the Year (OWASP, 2015)
▸ International Speaker
▸ Black Belt in Brazilian Jiu-Jitsu
▸ Founder of WhiteHat Security
Page 3
AREAS OF INTEREST
▸ Intersection of security guarantees and cyber-insurance
▸ Malware / Ransomware
▸ Easing the burden of vulnerability remediation
▸ Security crowd-sourcing
▸ Industry skill shortage
Page 4
“I OFTEN SAY THAT WHEN YOU CAN MEASURE WHAT YOU ARE SPEAKING ABOUT, AND EXPRESS IT IN NUMBERS, YOU KNOW SOMETHING ABOUT IT;
BUT WHEN YOU CANNOT MEASURE IT, WHEN YOU CANNOT EXPRESS IT IN NUMBERS, YOUR KNOWLEDGE IS OF A MEAGRE AND UNSATISFACTORY KIND."
Lord Kelvin
Page 5
“2015 GLOBAL SPENDING ON INFORMATION SECURITY IS SET TO GROW BY CLOSE TO 5% THIS YEAR TO TOP $75BN,…”
The Wall Street Journal
HYPER-GROWTH INDUSTRY
Page 6
ORGANIZED CRIME
NATION-STATE TERRORISM?
HACKTIVISTS
Page 7
1,073,777,722
NETCRAFT: JULY 2016 WEB SERVER SURVEY
Page 8
FREQUENCY OF INCIDENT CLASSIFICATION PATTERNS OVER TIME ACROSS CONFIRMED DATA BREACHES. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
NO WAY REGULATIONS CAN KEEP UP.
Page 9
VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
INCIDENT PATTERNS BY INDUSTRY
“APPSEC IS EATING SECURITY”
Page 10
TRUSTWAVE GLOBAL SECURITY REPORT (2016)
APPLICATION SECURITY
Page 11
VULNERABILITY LIKELIHOOD (1 OR MORE)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
Share of websites with at least one vulnerability of the class:
▸ Insufficient Transport Layer Protection: 70%
▸ Information Leakage: 56%
▸ Cross Site Scripting: 47%
▸ Brute Force: 29%
▸ Content Spoofing: 26%
▸ Cross Site Request Forgery: 24%
▸ URL Redirector Abuse: 16%
▸ Predictable Resource Location: 15%
▸ Session Fixation: 11%
▸ Insufficient Authorization: 11%
▸ Directory Indexing: 8%
▸ Abuse of Functionality: 6%
▸ SQL Injection: 6%
▸ Insufficient Password Recovery: 6%
▸ Fingerprinting: 5%
Page 12
VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
TOP 10 VULNERABILITY CATEGORIES BY PROGRAMMING LANGUAGE
Page 13
AVERAGE TIME-TO-FIX (DAYS)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
Average days from discovery to fix, by industry:
▸ Transportation: 73
▸ Arts & Entertainment: 97
▸ Accommodation: 99
▸ Professional & Scientific: 108
▸ Public Administration: 111
▸ Other Services: 130
▸ Information: 132
▸ Educational Services: 136
▸ Health Care & Social Assistance: 158
▸ Finance & Insurance: 160
▸ Manufacturing: 191
▸ Utilities: 192
▸ Retail Trade: 227
Page 14
VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
PERCENT VULNERABILITIES FOUND VS. FIXED
Page 15
WINDOWS OF EXPOSURE
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
Share of websites per industry, by how many days a year at least one vulnerability was open:

                                         Retail Trade   Information   Health Care & Social Assistance   Finance & Insurance
Always Vulnerable                             60%            38%                  52%                          39%
Frequently Vulnerable (271-364 days a year)    9%            11%                  11%                          14%
Regularly Vulnerable (151-270 days a year)    10%            14%                  12%                          11%
Occasionally Vulnerable (31-150 days a year)  11%            16%                  11%                          18%
Rarely Vulnerable (30 days or less a year)    11%            22%                  14%                          17%
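The window-of-exposure metric behind this chart is days per year with at least one open vulnerability. The snippet below is an added example of computing it for one site from a finding list and bucketing the result with the chart's five bands; it is not WhiteHat's code. The band labels and day ranges are taken from the legend above, while the interval-merging logic, the function and constant names, and the sample finding list with its dates are mine and constructed for illustration.

```python
"""Window of exposure: days per year a site had at least one open vulnerability,
bucketed into the five bands the WhiteHat chart above uses.

Added example, not WhiteHat's code: the bands come from the chart legend on
this page; the interval-merging logic, the names and the sample finding list
are mine, and the sample dates are made up."""
from datetime import date, timedelta

YEAR = 2015

# (label, min_days, max_days), inclusive; labels and day ranges from the
# chart legend. 366 covers leap years.
EXPOSURE_BANDS = [
    ("Rarely Vulnerable", 0, 30),
    ("Occasionally Vulnerable", 31, 150),
    ("Regularly Vulnerable", 151, 270),
    ("Frequently Vulnerable", 271, 364),
    ("Always Vulnerable", 365, 366),
]


def days_exposed(vulns, year=YEAR):
    """Count the days in `year` on which at least one vulnerability was open.

    `vulns` is a list of (opened, closed) dates; closed=None means still open.
    Both endpoint days count as exposed. Overlapping findings are merged, not
    summed: two bugs open the same week expose the site for one week, not two.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    intervals = []
    for opened, closed in vulns:
        lo = max(opened, start)             # clip each finding to the year
        hi = min(closed or end, end)
        if lo <= hi:                        # drop findings outside the year
            intervals.append((lo, hi))
    intervals.sort()

    total = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)        # overlaps or touches: extend run
        else:
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days + 1
    return total


def exposure_band(days):
    """Map a day count to the chart's band label."""
    for label, lo, hi in EXPOSURE_BANDS:
        if lo <= days <= hi:
            return label
    raise ValueError(f"day count out of range: {days}")


# Constructed sample: one site's findings for 2015 (dates are made up).
SAMPLE_SITE = [
    (date(2015, 1, 10), date(2015, 2, 20)),   # XSS, fixed in February
    (date(2015, 2, 1), date(2015, 3, 5)),     # CSRF, overlaps the XSS window
    (date(2015, 9, 1), None),                 # SQLi, still open at year end
    (date(2014, 6, 1), date(2014, 12, 15)),   # closed before 2015, ignored
]
ALWAYS_OPEN_SITE = [(date(2015, 1, 1), None)]


def sample_site_exposure():
    """Days exposed and band for SAMPLE_SITE."""
    days = days_exposed(SAMPLE_SITE)
    return days, exposure_band(days)


if __name__ == "__main__":
    days, band = sample_site_exposure()
    print(f"{days} days exposed in {YEAR}: {band}")
    always = days_exposed(ALWAYS_OPEN_SITE)
    print(f"{always} days exposed in {YEAR}: {exposure_band(always)}")
```

The sample site comes out at 177 exposed days (the two overlapping findings in January to March merge into one 55-day run, plus 122 days for the finding still open at year end), which lands in the Regularly Vulnerable band. Summing the three windows instead of merging them would overstate the exposure by 33 days; that is the edge case to watch when a scanner reports several findings against the same asset.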
Page 16
Page 17
CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT NORTH AMERICA & EUROPE
HOW MANY TIMES DO YOU ESTIMATE THAT YOUR ORGANIZATION’S GLOBAL NETWORK HAS BEEN COMPROMISED BY A SUCCESSFUL
CYBERATTACK WITHIN THE LAST 12 MONTHS?
Page 18
CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT NORTH AMERICA & EUROPE
WHAT IS THE LIKELIHOOD THAT YOUR ORGANIZATION’S NETWORK WILL BECOME COMPROMISED BY A
SUCCESSFUL CYBERATTACK IN 2015?
Page 19
“71% WERE AFFECTED BY A SUCCESSFUL CYBERATTACK IN 2014, BUT ONLY 52% EXPECT TO FALL VICTIM AGAIN IN 2015.”
2015 CYBERTHREAT DEFENSE REPORT NORTH AMERICA & EUROPE
MORE APATHY
Page 20
DO YOU EXPECT A CYBERATTACK TO STRIKE YOUR ORGANIZATION IN 2015? (N = 3,435)
A. YES 46% B. NO 24%
C. UNSURE 30%
Respondents are global business and IT professionals who are members of ISACA.
SURVEYS ALL AGREE
Page 21
APATHETIC.
REALISTIC.
BOTH?
Page 22
RANGE OF EXPECTED LOSSES

Records        Prediction (lower)   Average (lower)   Expected average   Average (upper)   Prediction (upper)
100                      $1,170           $18,120            $25,450           $35,730             $555,660
1,000                    $3,110           $52,260            $67,480           $87,140           $1,461,730
10,000                   $8,280          $143,360           $178,960          $223,400           $3,866,400
100,000                 $21,900          $366,500           $474,600          $614,600          $10,283,200
1,000,000               $57,600          $892,400         $1,258,670        $1,775,350          $27,500,090
10,000,000             $150,700        $2,125,900         $3,338,020        $5,241,300          $73,943,950
100,000,000            $392,000        $5,016,200         $8,852,540       $15,622,700         $199,895,100
VERIZON DATA BREACH INVESTIGATIONS REPORT (2015)
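The "Expected average" column above grows by an almost constant factor per tenfold increase in records, so it is well described by a power law. The snippet below is an added example, not Verizon's published model and not the author's code: it fits ln(cost) = a + b·ln(records) to the column by least squares and uses the fit to estimate the expected average loss for record counts the table skips. The constant and function names are mine; the data points are copied from the table on this page.

```python
"""Power-law fit of the Verizon DBIR 2015 expected-loss table above.

Added example (not Verizon's published model, not the author's code): takes
the "Expected average" column of the table on this page, fits
ln(cost) = a + b * ln(records) by ordinary least squares, and estimates the
expected average loss for record counts the table skips. Names are mine."""
import math

# (records, expected average loss in USD), copied from the table on this page.
DBIR_2015_EXPECTED_AVERAGE = [
    (100, 25_450),
    (1_000, 67_480),
    (10_000, 178_960),
    (100_000, 474_600),
    (1_000_000, 1_258_670),
    (10_000_000, 3_338_020),
    (100_000_000, 8_852_540),
]


def fit_loglog(points):
    """Least-squares line through (ln records, ln cost).

    Returns (a, b) with ln(cost) ~= a + b * ln(records). b < 1 means the loss
    grows sub-linearly, i.e. cost per record falls as breaches get bigger.
    """
    xs = [math.log(r) for r, _ in points]
    ys = [math.log(c) for _, c in points]
    n = len(points)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def predict_loss(records, model=None):
    """Expected average loss (USD) for a breach of `records` records."""
    a, b = model or fit_loglog(DBIR_2015_EXPECTED_AVERAGE)
    return math.exp(a + b * math.log(records))


def cost_per_record(records, model=None):
    """Expected average loss per record at the given breach size."""
    return predict_loss(records, model) / records


if __name__ == "__main__":
    a, b = fit_loglog(DBIR_2015_EXPECTED_AVERAGE)
    print(f"ln(cost) = {a:.3f} + {b:.3f} * ln(records); "
          f"x10 records -> x{10 ** b:.2f} loss")
    # 5,000 is a size the table skips; 40M and 56M are the card counts the
    # Target and Home Depot slide quotes.
    for n in (5_000, 40_000_000, 56_000_000):
        print(f"{n:>12,} records: ${predict_loss(n, (a, b)):>13,.0f} "
              f"(${cost_per_record(n, (a, b)):.2f}/record)")
```

With the page's numbers the exponent comes out near 0.42, so each tenfold increase in records multiplies the expected average loss by about 2.65, and the cost per record falls from roughly $254 at 100 records to about 9 cents at 100 million. Plugging in the 40 million card accounts from the Target slide gives an expected average near $6 million; the table's upper prediction reaches about $200 million at 100 million records and Target reported $248 million in costs, which is the tail that insurance, not the average, has to cover.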
Page 23
DOWNSIDE PROTECTION
CYBER-INSURANCE
▸ As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
▸ Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
Page 24
“ACCORDING TO PWC, THE CYBER INSURANCE MARKET IS SET TO TRIPLE IN THE NEXT FEW YEARS AND WILL REACH $7.5 BILLION BY 2020.”
Dark Reading
BOOMING INDUSTRY
Page 25
“THE LARGEST BARRIER TO GROWTH IS LACK OF ACTUARIAL DATA ABOUT CYBERATTACKS, BUT THIS IS QUICKLY CHANGING WITH CONTINUED CYBER ASSAULTS.”
“ABI RESEARCH FORECASTS THE MARKET TO HIT US $10 BILLION BY 2020.”
ABI Research
HYPER-GROWTH
Page 26
“ABOUT A THIRD OF U.S. COMPANIES ALREADY HAVE SOME FORM OF CYBER-INSURANCE COVERAGE, ACCORDING TO A REPORT PRICEWATERHOUSECOOPERS RELEASED LAST YEAR.”
The Parallax
BUY WHATEVER THERE IS
Page 27
SMALL PAYOUTS. LARGE PAYOUTS.
BREACH CLAIMS
▸ Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.
▸ Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.
Page 28
LOTS OF INSURERS GETTING INTO THE BUSINESS
BREACH CLAIMS
▸ “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
▸ “Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
Page 29
“AVERAGE RATES FOR RETAILERS SURGED 32% IN THE FIRST HALF OF THIS YEAR, AFTER STAYING FLAT IN 2014, ACCORDING TO PREVIOUSLY UNREPORTED FIGURES FROM MARSH.”
“AND EVEN THE BIGGEST INSURERS WILL NOT WRITE POLICIES FOR MORE THAN $100 MILLION FOR RISKY CUSTOMERS.”
The Security Ledger
INCIDENTS DRIVING UP COST OF PREMIUMS
Page 30
2014 – 2015 NEW SECURITY INVESTMENT VS. CYBER-INSURANCE
Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)
Cyber-Security Insurance: ~$3.2 billion in spending (+67%)
Page 31
EVER NOTICE HOW EVERYTHING IN THE INFORMATION SECURITY INDUSTRY IS SOLD “AS IS”?
NO GUARANTEES NO WARRANTIES NO RETURN POLICIES
Page 32
INFORMATION SECURITY THE $75 BILLION GARAGE SALE
Page 33
Page 34
INFOSEC’S BIGGEST OPPORTUNITY
SECURITY GUARANTEES
Page 35
SECURITY VENDORS
CASE STUDIES
▸ SentinelOne
▸ WhiteHat Security
▸ Trusona
▸ Others…
Page 36
SECURITY GUARANTEE
DETAILS
▸ Program Launched: July 2016.
▸ Setting up their guarantee with the underwriter took 3 months.
▸ Claims or payouts? 0.
Page 37
SENTINELONE’S GUARANTEE OFFERS FINANCIAL SUPPORT OF $1,000 PER ENDPOINT (UP TO $1 MILLION PER COMPANY), SECURING AGAINST FINANCIAL IMPLICATIONS OF A RANSOMWARE INFECTION, IF SENTINELONE IS UNABLE TO BLOCK OR REMEDIATE THE EFFECTS.
Page 38
SECURITY GUARANTEE
DETAILS
▸ Program Launched: August 2014.
▸ Setting up their guarantee with the underwriter took 18 months.
▸ Claims or payouts? 0.
Page 39
IF A WEBSITE COVERED BY SENTINEL ELITE IS HACKED, EXPLOITED BY A MISSED VULNERABILITY, THE CUSTOMER WILL BE REFUNDED IN FULL AND OFFERED UP TO $500,000 IN BREACH LOSS COMPENSATION.
Page 40
SECURITY GUARANTEE
DETAILS
▸ Program Launched: January 2016.
▸ Setting up their guarantee with the underwriter took 18 months.
▸ Stroz Friedberg ran the assessments on behalf of the underwriter to measure performance.
▸ Claims or payouts? 0.
Page 41
Page 42
MALWARE KITS COME WITH WARRANTIES
Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months
Page 43
“…THE ZATKOS’ OPERATION WON’T TELL YOU IF YOUR SOFTWARE IS LITERALLY INCENDIARY, BUT IT WILL GIVE YOU A WAY TO COMPARISON-SHOP BROWSERS, APPLICATIONS, AND ANTIVIRUS PRODUCTS ACCORDING TO HOW HARDENED THEY ARE AGAINST ATTACK. IT MAY ALSO PUSH SOFTWARE MAKERS TO IMPROVE THEIR CODE TO AVOID A LOW SCORE AND REMAIN COMPETITIVE.”
The Intercept
THE CYBER INDEPENDENT TESTING LAB
Page 44
“THE ONLY TWO PRODUCTS NOT COVERED BY PRODUCT LIABILITY ARE RELIGION AND SOFTWARE, AND SOFTWARE SHALL NOT ESCAPE MUCH LONGER.”
Dan Geer, CISO, In-Q-Tel
Page 45
THANK YOU
Jeremiah Grossman
@jeremiahg
https://www.facebook.com/jeremiahgrossman
https://www.linkedin.com/in/grossmanjeremiah
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/