
An Insiders Guide to Cyber-Insurance and Security Guarantees

$75 billion. That's the amount of money businesses, governments, and individuals pay every year to security companies. While some security companies provide good value, the reality is that incidents are still getting worse and more frequent. Hundreds of millions of people have had their personal information stolen, businesses all over the world are losing intellectual property, and financial fraud runs into the billions of dollars. These stories are constant, seemingly never-ending, and customers are tired of them. They are apathetic to the degree that they are turning to cyber-insurance as an alternative to breach prevention. We know this because cyber-insurance is a thing. In fact, cyber-insurance is a skyrocketing business that is already influencing every area of the information security industry. This rise of cyber-insurance has also provided a new way for security vendors to help their customers: a way for them to make a real positive impact, differentiate themselves, and align their incentives with those of their own customers. I'm talking about security guarantees.

Security guarantees, or guaranteeing security, is almost a taboo subject in the industry. As skeptics are quick to point out, nothing is 100% secure. Everything can be hacked. They're technically right, of course, but they're also missing the bigger picture. We all buy electronics, cars, tools, or toys for the kids, and all of these items sometimes break; yet every manufacturer still provides some kind of guarantee, most often at least a replacement. A manufacturer can do this because they know how often their product breaks. If every other major industry in the world can do it, the security industry can too! And while many InfoSec practitioners are not yet aware of this, a few security vendors are already offering security guarantees. From private conversations, at least a half dozen or more are actively working with cyber-insurers and creating security guarantee programs of their own. Many of our peers are investing their time in this space as well. Before long, security guarantees will become common.

InfoSec practitioners who want to get a head start, or even a leg up, in cyber-insurance and security guarantees: this presentation is just for you. Also, one does not simply launch a security guarantee program. A great many things must be discussed, analyzed, and accounted for first. The business model of the program must be carefully designed, product efficacy must be measured, risk calculated, lawyers consulted, the impact on financial accounting rules understood, liability reinsured, and more. Security vendors, if you're interested in how to go about creating a security guarantee program of your own, I'll be providing several helpful tools and a process. And business managers who would like to understand the landscape and how security guarantees are a great help in the purchase process, this talk is also for you.

  1. AN INSIDERS GUIDE TO CYBER-INSURANCE AND SECURITY GUARANTEES
     Jeremiah Grossman, Chief of Security Strategy, @jeremiahg
     https://www.jeremiahgrossman.com/
     http://blog.jeremiahgrossman.com/
     http://sentinelone.com/
  2. BIO: WHO I AM…
     ▸ Professional Hacker
     ▸ Person of the Year (OWASP, 2015)
     ▸ International Speaker
     ▸ Black Belt in Brazilian Jiu-Jitsu
     ▸ Founder of WhiteHat Security
  3. AREAS OF INTEREST
     ▸ Intersection of security guarantees and cyber-insurance
     ▸ Malware / Ransomware
     ▸ Easing the burden of vulnerability remediation
     ▸ Security crowd-sourcing
     ▸ Industry skill shortage
  4. “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind.” Lord Kelvin
  5. HYPER-GROWTH INDUSTRY: “2015 global spending on information security is set to grow by close to 5% this year to top $75bn,…” The Wall Street Journal
  6. ORGANIZED CRIME. NATION-STATE. TERRORISM? HACKTIVISTS.
  7. 1,073,777,722 (Netcraft: July 2016 Web Server Survey)
  8. NO WAY REGULATIONS CAN KEEP UP: frequency of incident classification patterns over time across confirmed data breaches. Verizon Data Breach Investigations Report (2016)
  9. “APPSEC IS EATING SECURITY”: incident patterns by industry. Verizon Data Breach Investigations Report (2016)
  10. APPLICATION SECURITY. Trustwave Global Security Report (2016)
  11. VULNERABILITY LIKELIHOOD (1 OR MORE), WhiteHat’s Website Security Statistics Report 2015 (bar chart, share of sites with at least one vulnerability of each class, in descending order):
     Insufficient Transport Layer Protection 70%, Information Leakage 56%, Cross Site Scripting 47%, Brute Force 29%, Content Spoofing 26%, Cross Site Request Forgery 24%, URL Redirector Abuse 16%, Predictable Resource Location 15%, Session Fixation 11%, Insufficient Authorization 11%, Directory Indexing 8%, Abuse of Functionality 6%, SQL Injection 6%, Insufficient Password Recovery 6%, Fingerprinting 5%
  12. TOP 10 VULNERABILITY CATEGORIES BY PROGRAMMING LANGUAGE. Veracode: State of Software Security Report Vol 6, Fall 2015
  13. AVERAGE TIME-TO-FIX (DAYS), WhiteHat’s Website Security Statistics Report 2015 (bar chart by industry, in ascending order):
     Transportation 73, Arts & Entertainment 97, Accommodation 99, Professional & Scientific 108, Public Administration 111, Other Services 130, Information 132, Educational Services 136, Health Care & Social 158, Finance & Insurance 160, Manufacturing 191, Utilities 192, Retail Trade 227
  14. PERCENT VULNERABILITIES FOUND VS. FIXED. Veracode: State of Software Security Report Vol 6, Fall 2015
  15. WINDOWS OF EXPOSURE, WhiteHat’s Website Security Statistics Report 2015 (stacked bar chart; share of sites per industry in each category):
     Categories: Always Vulnerable / Frequently Vulnerable (271-364 days a year) / Regularly Vulnerable (151-270 days a year) / Occasionally Vulnerable (31-150 days a year) / Rarely Vulnerable (30 days or less a year)
     Retail Trade: 60% / 9% / 10% / 11% / 11%
     Information: 38% / 11% / 14% / 16% / 22%
     Health Care & Social Assistance: 52% / 11% / 12% / 11% / 14%
     Finance & Insurance: 39% / 14% / 11% / 18% / 17%
  16. CyberEdge Group: 2015 Cyberthreat Defense Report, North America & Europe. “How many times do you estimate that your organization’s global network has been compromised by a successful cyberattack within the last 12 months?”
  17. CyberEdge Group: 2015 Cyberthreat Defense Report, North America & Europe. “What is the likelihood that your organization’s network will become compromised by a successful cyberattack in 2015?”
  18. MORE APATHY: “71% were affected by a successful cyberattack in 2014, but only 52% expect to fall victim again in 2015.” 2015 Cyberthreat Defense Report, North America & Europe
  19. SURVEYS ALL AGREE: “Do you expect a cyberattack to strike your organization in 2015?” (N = 3,435)
     A. Yes 46%
     B. No 24%
     C. Unsure 30%
     Respondents are global business and IT professionals who are members of ISACA.
  20. APATHETIC. REALISTIC. BOTH?
  21. RANGE OF EXPECTED LOSSES, Verizon Data Breach Investigations Report (2015):
     Records       Prediction (lower)  Average (lower)  Expected     Average (upper)  Prediction (upper)
     100           $1,170              $18,120          $25,450      $35,730          $555,660
     1,000         $3,110              $52,260          $67,480      $87,140          $1,461,730
     10,000        $8,280              $143,360         $178,960     $223,400         $3,866,400
     100,000       $21,900             $366,500         $474,600     $614,600         $10,283,200
     1,000,000     $57,600             $892,400         $1,258,670   $1,775,350       $27,500,090
     10,000,000    $150,700            $2,125,900       $3,338,020   $5,241,300       $73,943,950
     100,000,000   $392,000            $5,016,200       $8,852,540   $15,622,700      $199,895,100
  22. CYBER-INSURANCE: DOWNSIDE PROTECTION
     ▸ As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
     ▸ Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
  23. BOOMING INDUSTRY: “According to PwC, the cyber insurance market is set to triple in the next few years and will reach $7.5 billion by 2020.” Dark Reading
  24. HYPER-GROWTH: “The largest barrier to growth is lack of actuarial data about cyberattacks, but this is quickly changing with continued cyber assaults.” “ABI Research forecasts the market to hit US $10 billion by 2020.” ABI Research
  25. BUY WHATEVER THERE IS: “About a third of U.S. companies already have some form of cyber-insurance coverage, according to a report PricewaterhouseCoopers released last year.” The Parallax
  26. BREACH CLAIMS: SMALL PAYOUTS. LARGE PAYOUTS.
     ▸ Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.
     ▸ Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.
  27. BREACH CLAIMS: LOTS OF INSURERS GETTING INTO THE BUSINESS
     ▸ “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
     ▸ “Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
  28. INCIDENTS DRIVING UP COST OF PREMIUMS: “Average rates for retailers surged 32% in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.” “And even the biggest insurers will not write policies for more than $100 million for risky customers.” The Security Ledger
  29. 2014 – 2015 NEW SECURITY INVESTMENT VS. CYBER-INSURANCE
     ▸ Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%), i.e. $3,800,000,000
     ▸ Cyber-Security Insurance: ~$3.2 billion in spending (+67%), i.e. $3,200,000,000
  30. EVER NOTICE HOW EVERYTHING IN THE INFORMATION SECURITY INDUSTRY IS SOLD “AS IS”? No guarantees. No warranties. No return policies.
  31. INFORMATION SECURITY: THE $75 BILLION GARAGE SALE
  32. INFOSEC’S BIGGEST OPPORTUNITY: SECURITY GUARANTEES
  33. SECURITY VENDORS: CASE STUDIES
     ▸ SentinelOne
     ▸ WhiteHat Security
     ▸ Trusona
     ▸ Others…
  34. SECURITY GUARANTEE DETAILS
     ▸ Program Launched: July 2016.
     ▸ Setting up their guarantee with the underwriter took 3 months.
     ▸ Claims or payouts? 0.
  35. SentinelOne’s guarantee offers financial support of $1,000 per endpoint (up to $1 million per company), securing against financial implications of a ransomware infection, if SentinelOne is unable to block or remediate the effects.
  36. SECURITY GUARANTEE DETAILS
     ▸ Program Launched: August 2014.
     ▸ Setting up their guarantee with the underwriter took 18 months.
     ▸ Claims or payouts? 0.
  37. If a website covered by Sentinel Elite is hacked, exploited by a missed vulnerability, the customer will be refunded in full and offered up to $500,000 in breach loss compensation.
  38. SECURITY GUARANTEE DETAILS
     ▸ Program Launched: January 2016.
     ▸ Setting up their guarantee with the underwriter took 18 months.
     ▸ Stroz Friedberg ran the assessments on behalf of the underwriter to measure performance.
     ▸ Claims or payouts? 0.
  39. MALWARE KITS COME WITH WARRANTIES: Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months.
  40. THE CYBER INDEPENDENT TESTING LAB: “…the Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack. It may also push software makers to improve their code to avoid a low score and remain competitive.” The Intercept
  41. “The only two products not covered by product liability are religion and software, and software shall not escape much longer.” Dan Geer, CISO, In-Q-Tel
  42. THANK YOU
     Jeremiah Grossman, @jeremiahg
     https://www.facebook.com/jeremiahgrossman
     https://www.linkedin.com/in/grossmanjeremiah
     https://www.jeremiahgrossman.com/
     http://blog.jeremiahgrossman.com/