Cyber insurance is not new; it has been around for more than 10 years. Still, it remains a complicated topic, with confusion about what is covered and what isn't. And as the incidence of data breaches rises, so do cyber insurance premiums. One thing is clear: companies will be breached at some point, if they haven't been already, and protecting your organization to minimize financial loss is critical.
This SlideShare by SecureAuth and SC Magazine discusses what security professionals need to know to ensure they are protected, including:
The current state of cyber insurance from a business operations perspective: what is covered and what isn't
What insurance companies look for (i.e. people, process, systems) regarding your ability to respond to an attack
How financial reimbursement does not address the real impact of a data breach
How adaptive access control can help minimize the potential loss of breached data, reduce cyber insurance premiums and keep you ahead of the game
Slide 7 (Copyright SecureAuth Corporation 2016)
Economics Lesson
“One of the most important simple truths in this technological war is that you simply cannot AFFORD to prevent a successful attack.” – Tyler Wrightson
Slide 8
The Security Journey
Ad Hoc → Infrastructure Based → Compliance Based → Threat Based → Risk Based / Data Centric → Business Aligned
X Shortcut = Failure to Pass (skipping stages on the way to a business-aligned program does not work)
Business Aligned Strategy: create a security program that enables your organization by understanding the business objectives, compliance objectives, threats and material risks.
Slide 9
Security domains: system security, network security, endpoint security, data security, security management, user security, application security, secure infrastructure
Slide 10
The 5 Key Questions of Cyber Liability Insurance
+ If a breach were to occur, what quantifiable direct impact would it have on the business, customers and the supply chain?
+ Is there an established framework the insurance provider uses to assess security readiness?
+ What does the provider expect you to do to qualify for a suitable policy?
+ Will they be satisfied with the documentation you provide, or will they require a thorough audit of policies and practices?
+ Who will you engage in the conversation to reduce cost and manage risk?
Slide 11
The 5 Key Post-Breach Activities
+ If a breach were to occur, do you know what the coverage levels and limits are?
+ Are you following an established program for responding to an incident?
+ What does the provider expect you to do upon identification of an incident?
+ Will they be satisfied with the documentation you provide, or will they require a third-party assessment?
+ Who will you engage to manage the incident?
Slide 14
Data Breaches: A Global Epidemic
781 publicly reported data breaches in 2015
Over a billion identities compromised
Slide 15
Anatomy of a Data Breach
Initial Penetration → Establish Foothold → Escalate Privileges → Lateral Movement → Complete Mission
The majority of enterprise breaches start with social engineering and phishing.
Intruders gained access through a Citrix remote access portal set up for use by employees. {Home Depot breach}
"The hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom built malware on its self check out systems in the U.S. and Canada.” – eWeek
Slide 16
Why Adaptive Access Control to Mitigate Risk?
+ Traditional security infrastructures are routinely circumvented
– Billions are spent annually on endpoint and network security, yet breaches persist
+ Both the FBI and the White House, under the new Cybersecurity National Action Plan, recommend the use of multi-factor authentication.
+ The right level of security controls can help reduce your Cyber Liability Insurance premium and strengthen your security posture.
Slide 17
Why SecureAuth?
SecureAuth acts as a central authentication point, controlling access to all on-premises and cloud-based applications:
+ Pre-authentication capabilities protect against APT and prevent unauthorized users from gaining access to your critical networks and applications.
+ Continuous authentication provides early detection and insight into your overall network and application traffic.
+ Flexible workflows allow you to quickly respond to attacks by leveraging step-up authentication during a major security incident.
Slide 18
Risk Layers
Dynamic Adaptive Authentication
• Layered risk analysis = stronger security
• No user experience impact
• Only present multi-factor authentication when needed
Risk layers: Device Recognition, Threat Service, Directory Lookup, Geo-Location, Geo-Velocity, Behavioral Biometrics
Slide 19
Device Recognition
+ First-time authentication: register the endpoint device
+ Subsequent authentications: validate the endpoint device
+ Device recognition can include:
– web browser configuration
– language
– installed fonts
– browser plugins
– device IP address
– screen resolution
– browser cookie settings
– time zone
Slide 21
Identity Store Lookup
+ Compare and filter based on information in the identity store
+ Can be based on any attribute of the user (for example group membership or an account-status flag)
Slide 23
Geo-Velocity
+ Compare the current location with the login history to determine whether an improbable travel event has occurred
Slide 24
Behavioral Biometrics
+ Analyze behavior that can be used to verify a person
+ Gather and store characteristics of the way the user interacts with a device, such as:
– Keystroke dynamics
– Mouse movements
– Gesture patterns
– Motion patterns
Slide 25
Threat Service
Combining Threat Intelligence & Threat Information for Best-in-Class Security
Threat categories covered: Cyber Crime, Hacktivism, Anonymous Proxy, Advanced Persistent Threat (APT)
Inputs to the SecureAuth Threat Service: Threat Intelligence, Threat Information, Black/White Lists
Slide 26
Putting it all together
User → Pre-Auth Analysis → Decision
Pre-auth analysis layers: Device Recognition, IP Reputation, Identity Store Lookup, Geo-Location, Geo-Velocity, Behavioral Biometrics, Threat Service
Decision: Allow Access, Require MFA, Redirect, Deny Access
Slide 27
In Summary
+ Cyber Liability Insurance is no substitute for good security and practices
– Write and put in place a data breach response plan
– Conduct an external penetration test to highlight potential areas to address
– Keep all your systems and software patched
– Have adaptive access controls in place that can reduce your cyber insurance premium and strengthen your security posture
Security is not a single destination but a journey: security leaders need to continually reevaluate the organization's strengths, weaknesses and goals while aligning security measures appropriately to foster business growth.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Data breaches have reached epidemic proportions globally.
781 publicly reported data breaches in 2015
Over a billion identities compromised
Hacking and phishing is the #1 cause at 36%.
A robust cyber insurance policy can help businesses weather the storm more effectively when a data breach or network security failure has occurred.
Also called a device fingerprint (not to be confused with a biometric fingerprint).
Device fingerprinting is typically a two-stage process: on first-time authentication we register an endpoint, and on subsequent authentications we validate the endpoint against the stored device fingerprint.
The device fingerprint relies on characteristics of that endpoint, such as:
web browser configuration
language
installed fonts
browser plugins
device IP address
screen resolution
browser cookie settings
time zone
Every one of these values is supplied by the client, so a fingerprint is a risk signal rather than an authenticator: a mismatch is a reason to step up to MFA, and some legitimate drift (browser updates, a new IP address when roaming) has to be tolerated.
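The register-then-validate flow above, as an added example that is not SecureAuth code: attributes are weighted so that volatile ones (IP address, plugin list) count less than stable ones, list-valued attributes get partial credit, and the 0.8 threshold, the weights and the three sample devices are all assumptions constructed for illustration.

```python
# Device recognition as a risk signal: register the endpoint's fingerprint on
# first login, then score each later login against the stored copy.
# Added example; not SecureAuth code. Attribute names, weights, the 0.8
# threshold and the sample devices are assumptions / constructed data.
import hashlib
import json

# Weights are an assumption: stable traits count more than volatile ones
# (IP address and plugin list change on legitimate devices all the time).
WEIGHTS = {
    "user_agent": 3,        # web browser configuration
    "language": 2,
    "fonts": 2,             # installed fonts (list, partial credit)
    "plugins": 1,           # browser plugins (list, partial credit)
    "ip": 1,                # device IP address
    "screen": 2,            # screen resolution
    "cookies_enabled": 1,   # browser cookie settings
    "timezone": 2,
}

_registry: dict = {}   # user -> stored fingerprint; stand-in for a real store


def fingerprint_id(attrs: dict) -> str:
    """Short stable digest of the attribute set, for audit logs only. It is
    not a secret: every input is client-supplied and therefore spoofable."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def register(user: str, attrs: dict) -> str:
    """First-time authentication: store the endpoint's fingerprint."""
    _registry[user] = dict(attrs)
    return fingerprint_id(attrs)


def match_score(stored: dict, observed: dict) -> float:
    """Weighted share of attributes that still match, from 0.0 to 1.0.
    List-valued attributes earn partial credit (Jaccard overlap) so that one
    new font or plugin does not zero out the whole attribute."""
    matched = 0.0
    for key, weight in WEIGHTS.items():
        s, o = stored.get(key), observed.get(key)
        if isinstance(s, list) and isinstance(o, list):
            s, o = set(s), set(o)
            matched += weight * (len(s & o) / len(s | o) if (s | o) else 1.0)
        elif s == o:
            matched += weight
    return matched / sum(WEIGHTS.values())


def validate(user: str, attrs: dict, threshold: float = 0.8):
    """Subsequent authentication: returns ("unknown" | "known" | "changed", score).
    "changed" is a reason to step up to MFA, not by itself a reason to deny."""
    stored = _registry.get(user)
    if stored is None:
        return "unknown", 0.0
    score = match_score(stored, attrs)
    return ("known" if score >= threshold else "changed"), score


# Constructed sample devices (not real telemetry).
HOME_DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/44.0",
    "language": "en-US",
    "fonts": ["Arial", "Calibri", "Segoe UI"],
    "plugins": ["pdf"],
    "ip": "192.0.2.10",
    "screen": "1920x1080",
    "cookies_enabled": True,
    "timezone": "America/Los_Angeles",
}
ROAMING_DEVICE = {**HOME_DEVICE, "ip": "198.51.100.23"}   # same laptop, hotel Wi-Fi
FOREIGN_DEVICE = {                                        # stolen password replayed elsewhere
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/48.0",
    "language": "en-US",
    "fonts": ["DejaVu Sans"],
    "plugins": [],
    "ip": "198.51.100.7",
    "screen": "1366x768",
    "cookies_enabled": True,
    "timezone": "Europe/Kiev",
}

if __name__ == "__main__":
    register("alice", HOME_DEVICE)
    for name, device in [("roaming", ROAMING_DEVICE), ("foreign", FOREIGN_DEVICE)]:
        state, score = validate("alice", device)
        print(f"{name}: {state} (score {score:.2f})")
```

With these weights the roaming laptop still scores 13/14 and stays "known", while the foreign machine sharing only language and cookie settings scores 3/14 and comes back "changed"; the engine that consumes this result should step up rather than hard-deny, because a browser upgrade alone can push a real user below the threshold.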
We can take IP reputation data, e.g. IP addresses that are on blacklists, and deny the authentication based on it: for example, if the IP address of the machine from which the user is trying to authenticate is a Tor exit node, part of a known botnet, or an IP known to be associated with bad actors.
Geo-velocity uses geo-location and login history to determine whether an improbable travel event has occurred: the distance between the current and previous login locations, divided by the time between them, gives an implied speed, and a speed no traveler could achieve flags the event.
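The improbable-travel computation described above, as an added example that is not SecureAuth code: the speed ceiling (1000 km/h), the 50 km floor that absorbs geo-IP jitter, and the three-login history are assumptions constructed for illustration.

```python
# Geo-velocity (improbable travel) check over a user's login history.
# Added example; not SecureAuth code. The speed ceiling, the distance floor
# and the login records below are assumptions / constructed data.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: airliner cruise speed with some slack
MIN_DISTANCE_KM = 50.0       # assumption: below this, geo-IP jitter explains the move


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime     # timezone-aware, UTC
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def improbable_travel(prev: Login, cur: Login, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Returns (flag, implied_speed_kmh) for two consecutive logins by one user."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < MIN_DISTANCE_KM:
        return False, 0.0            # too close to tell apart from geo-IP noise
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return True, float("inf")    # same instant, far apart: cannot be one person
    speed = distance / hours
    return speed > max_kmh, speed


def check_history(history):
    """Walk a user's logins in time order; return (login, implied_speed) for
    every login that is improbable relative to the one before it."""
    flagged = []
    ordered = sorted(history, key=lambda login: login.at)
    for prev, cur in zip(ordered, ordered[1:]):
        flag, speed = improbable_travel(prev, cur)
        if flag:
            flagged.append((cur, speed))
    return flagged


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed login history (documentation IP ranges, not real data).
ALICE_LOGINS = [
    Login("alice", _utc("2016-03-01T09:00:00"), 40.7128, -74.0060, "198.51.100.10"),  # New York
    Login("alice", _utc("2016-03-01T10:00:00"), 42.3601, -71.0589, "198.51.100.11"),  # Boston, 1 h later
    Login("alice", _utc("2016-03-01T12:00:00"), 51.5074, -0.1278, "203.0.113.7"),     # London, 2 h later
]

if __name__ == "__main__":
    for login, speed in check_history(ALICE_LOGINS):
        print(f"improbable travel for {login.user} from {login.ip}: {speed:.0f} km/h")
```

New York to Boston in an hour is about 300 km/h and passes; Boston to London two hours later implies more than 2500 km/h and is flagged. Corporate VPN egress points and mobile carrier NAT pools produce exactly this pattern for honest users, which is why the slide lists "Require MFA" as a decision and not only "Deny".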
Behavioral biometrics: analyzing measurable behavior that can be used to identify a person.
Leading up to the authentication, gather characteristics of the way the user is interacting with the device, such as:
Keystroke dynamics
Mouse movements
Gesture and touch
Motion patterns
The Problems:
User name and password alone are simply not enough to protect you from a breach. Up to 60% or more of attacks involve the use of valid but compromised or stolen credentials. Even multi-factor authentication methods are being compromised. Additional security measures (adaptive authentication) are needed to protect against today's advanced cyber threats.
Authentication traffic is plentiful, and it is hard to distinguish legitimate employees, partners and customers from attackers trying to infiltrate your network and resources for a variety of bad reasons (military and economic advantage, financial gain, or defacement and social and political unrest).
Simple IP reputation services don't provide depth or contextual information for rapid, effective incident response, and can flood SOCs with more information than they can quickly digest and act on.
Some threat services lack the deep and wide global experience needed to provide blanket coverage against all threat types, leaving buyers with a false sense of security.
The Solution:
A combination of multiple threat intelligence and threat information sources and blacklisted IP addresses for best-of-breed protection from today's threats, including APT, cyber crime and hacktivism as well as anonymous proxies and anonymity networks such as Tor. Rather than relying on a single threat service, the SecureAuth Threat Service combines multiple threat feeds to provide broad coverage and protection. Not only does the SecureAuth Threat Service make customers aware of advanced threats and deny access or require MFA, it also provides time-saving intelligence and information to accelerate investigation and remediation by SOC staff and incident responders.
SecureAuth Threat Service Value/Benefits:
Early warning system: able to detect when a user is attempting to authenticate from an anonymous proxy or anonymity network, i.e. a bad actor trying to conceal their true identity (a huge help when identifying bad actors who are using compromised but valid credentials).
Threat intelligence and information: beyond simply reporting that an IP address is "bad", the service provides context around the IP address, e.g. actor type, malware family, etc.
Answers burning questions: "Does a threat against identity exist?", "Who is behind an attack?", and "Why did they target us?"
Identify attackers already in: helps detect bad actors that are moving laterally within your network.
Reduce response time: customers can use this threat intelligence and information to cut through the noise and help Security Operations Center (SOC) staff and incident responders alike know what to focus on during an investigation.
More is better than one: combines multiple threat services (FireEye, Neustar, blacklists/whitelists), and the feeds available will increase over time to also cover threats specific to certain industry verticals.
Experience matters (FireEye): 10 years of experience battling the world's most advanced cyber threats and a global network of 11 million advanced threat sensors. Leverages a graph database with more than 115 million nodes that dynamically models the relationships between the tools and tactics cyber threat groups use, the operations they conduct, and the sponsors who back them.
Layered approach provides the greatest security: the SecureAuth Threat Service used in conjunction with SecureAuth Adaptive Authentication provides an intricate web of risk checks that an attacker must evade simultaneously, which raises the cost of using stolen credentials far above that of a password-only login.