Tag Archives: Casey Corcoran

How to Measure ‘Vital Signs’ for Cyber Risk

By now, senior directors at most organizations probably are cognizant of the proliferation of network breaches and fully grasp the notion that risk mitigation must be brought to bear.

However, cybersecurity practitioners can be notoriously poor communicators. Many lack the jargon-free communication skills to present a clear picture of rising cyber exposures, one that can be measured and acted on.

That is the fundamental problem that start-up FourV Systems seeks to address—by defining and consistently measuring what Derek Gabbard, president and co-founder, refers to as the “vital signs” of cyber risk.

See also: Cyber Risk: The Expanding Threat  

“The communication gap that exists between the security teams and the leadership teams and the boards of enterprises is a pretty substantial one,” Gabbard says. “And we think we can help them get on the same page.”

FourV’s cyber risk intelligence platform, GreySpark Cyber, takes the raw data from various systems like the security information event manager (SIEM), analyzes it and scores it into six indices that include defense effectiveness and surface area.

“It gives security practitioners a taxonomy for explaining what they’re doing and the board of directors a way to understanding it,” Vice President Casey Corcoran says.

Making risk understandable

While GreySpark helps the organization’s leadership visualize security risk, it also gives the security team a simplified dashboard for tracking security events. They can drill down on specific threat indicators to see what caused a decrease in the score and track the threat to affected systems and all the way down to the endpoints in order to remediate it.

“We normalize the data so one sensor type—like a firewall—doesn’t overshadow another,” Corcoran says. “So when you see the defense effectiveness score, you can see that there’s probably a layer missing, because a certain area is missing a defense.”

Several companies are trying to solve the same problem of showing risk in easy-to-understand format, but Corcoran says they typically only look at outside indicators.

“What we’re doing is taking the same approach (as some others) and asking, ‘how risky is what’s going on inside the organization?’ ” he says.

See also: Better Way to Assess Cyber Risks?

He uses the analogy of a fort to illustrate how this works. When the barbarians are attacking, he says, other companies can tell you whether the moat has water or alligators, whether the bridge is up or down and whether there’s enough oil to throw on the barbarians climbing the wall.

“But they don’t tell you what the barbarians inside the fort are doing, how bad it is—and that’s what we’re measuring, “ he says.

FourV Systems, which officially launched in June 2015, is a spinoff and subsidiary of SRC Inc., a government research and development and services company that employs 1,000 people and originated out of Syracuse University.

SRC, an independent nonprofit founded in 1957, works in the areas of environment, defense and intelligence agencies, with customers such as the U.S. military, Department of Homeland Security and Environmental Protection Agency.

Big need for big data analytics

Gabbard, who was a cyber manager at SRC, saw potential in commercializing some of the intellectual property. He homed in on the big-data analytics aspect, created a business plan and secured start-up funding from the parent company.

The GreySpark reasoning engine was developed by SRC over seven or more years of work on “solutions for critical national security problems,” according to FourV. Starting out with just that engine, as well as the system’s chief architect, Gabbard grew the start-up to 10 current U.S. employees. The support services staff will be scaled as the company grows in the next couple of years.

See also: Analytics and Survival in the Data Age

The first version of GreySpark, which was released at the end of March following several months of beta testing, is focused on IT operations risk through the “vital signs” indices. Currently, three more major releases are planned.

The next release will include a personnel risk assessment, followed by infrastructure maturity risk. The final component will be risk management, looking at the security return on investment. Corcoran says the goal is to have two releases per year, with maintenance updates in between.

“We’re trying to sort of lift the fog that I think the leadership teams and the boards of many enterprises feel in dealing with security,” Gabbard says, “and give them standard metrics that they can understand and look at on a daily, weekly, monthly and annual basis.”

This post first appeared on ThirdCertainty. It was written by Rodika Tollefson.

Cyber, Tech Security Start to Merge

A convergence between the cyber insurance and tech security sectors is fast gaining momentum.

If this trend accelerates, it could help commercial cyber liability policies create a fresh wellspring of insurance premiums, just as life insurance caught on in the 1800s and auto policies took off in the 1900s.

The drivers of change are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60% from 2014-15, topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate and estimates the global cyber insurance market will top $10 billion by 2020.

However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables that are fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before — such as assessing human life expectancy or calculating how much risk to assign a particular driver.

There is endless network traffic data, to be sure. But, at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.

See Also: IRS Is Stepping Up Anti-Fraud Measures

“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”

Enter the burgeoning tech security sector. Security vendors supply some $75 billion of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5% to 12% annual rate over the next few years.

As security vendors develop and deliver more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. It seems obvious to some, but the accelerating convergence of insurance and security is inevitable.

“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”

Models to watch

The questions of the moment: Who will be the early adopters?; and which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March that are testing the waters. Here is a rundown on three of them:

WhiteHat Security

WhiteHat recently struck a partnership with Franchise Perils, an insurer of online retail websites —Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.

hink
Craig Hinkley, WhiteHat Security CEO

Part of WhiteHat’s services include helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat will give it a higher score in its WhiteHat Security Index, ranging from 0 to 800 — similar to a credit rating for consumers.

“That translates into a safer, more secure website and web application, which reduces the probably of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.”

For businesses that fix their vulnerabilities, WhiteHat guarantees the companies will not get hacked. If they do get hacked, WhiteHat will pay as much as $500,000 in remediation costs for the data breach.

FourV Systems

This start-up has just introduced an innovative threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, healthcare and government.

corc
Casey Corcoran, FourV Systems vice president of strategy

FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at FourV.

“You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos A. Bank Clothiers. “If it’s not, you can fix it.”

FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at her Apple watch and use a FourV app to check the company’s security risk index.

gabb
Derek Gabbard, FourV Systems CEO

The idea is to create “risk discussions that are nontechnical, easy-to-understand and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.”

Once FourV gets some traction and amasses large enough data sets, it expects to be able to see — and eventually to be able to predict — risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even by developing a dashboard customized for underwriters.

Rook Security

This tech security vendor supplies managed security services and does forensics investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats, whether that may be a minor data breach that is easily fixed or a deadly cyber attack that requires teams of cyber investigators to jet around the globe.

Listen to a podcast: Drivers behind the rise of cyber insurance

Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app has set up a digital command center for tech and security teams to monitor attacks and to respond swiftly.

patt
Mike Patterson, vice president of strategy, Rook Security

Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty that the readiness of companies varies widely. Some companies boast strong security staffs, resources and planning, while others only have one or two full-time security people — or none at all.

“Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”

Rook is seeking to be the default option — brought in by the insurer — for post-breach incident response and forensics. It is also looking to provide a service where Rook would be retained by a company to come in and improve security postures so the client qualifies for cyber coverage or gets better pricing.

“It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates, and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.

ThirdCertainty’s Edward Iwata contributed to this story.