Tag Archives: Rook Security

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.


At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.


At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.


Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount. Typical cyber insurance value-added services include:

  • Phishing and cyber hygiene awareness training
  • Incident response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.


Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “this-isn’t-how-we’ve-always-done-it way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.


As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

Cyber, Tech Security Start to Merge

A convergence between the cyber insurance and tech security sectors is fast gaining momentum.

If this trend accelerates, it could help commercial cyber liability policies create a fresh wellspring of insurance premiums, just as life insurance caught on in the 1800s and auto policies took off in the 1900s.

The drivers of change are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60% from 2014-15, topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate and estimates the global cyber insurance market will top $10 billion by 2020.

However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables that are fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before — such as assessing human life expectancy or calculating how much risk to assign a particular driver.

There is endless network traffic data, to be sure. But, at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.


“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”

Enter the burgeoning tech security sector. Security vendors supply some $75 billion of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5% to 12% annual rate over the next few years.

As security vendors develop and deliver more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. It seems obvious to some, but the accelerating convergence of insurance and security is inevitable.

“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”

Models to watch

The questions of the moment: Who will be the early adopters, and which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March that are testing the waters. Here is a rundown on three of them:

WhiteHat Security

WhiteHat recently struck a partnership with Franchise Perils, an insurer of online retail websites — Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.

[Photo: Craig Hinkley, WhiteHat Security CEO]

Part of WhiteHat’s services includes helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat will give it a higher score in its WhiteHat Security Index, ranging from 0 to 800 — similar to a credit rating for consumers.

“That translates into a safer, more secure website and web application, which reduces the probability of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.”

For businesses that fix their vulnerabilities, WhiteHat guarantees the companies will not get hacked. If they do get hacked, WhiteHat will pay as much as $500,000 in remediation costs for the data breach.

FourV Systems

This start-up has just introduced an innovative threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, healthcare and government.

[Photo: Casey Corcoran, FourV Systems vice president of strategy]

FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at FourV.

“You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos A. Bank Clothiers. “If it’s not, you can fix it.”

FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at her Apple watch and use a FourV app to check the company’s security risk index.

[Photo: Derek Gabbard, FourV Systems CEO]

The idea is to create “risk discussions that are nontechnical, easy-to-understand and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.”

Once FourV gets some traction and amasses large enough data sets, it expects to be able to see — and eventually to be able to predict — risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even by developing a dashboard customized for underwriters.

Rook Security

This tech security vendor supplies managed security services and does forensics investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats, whether that is a minor data breach that is easily fixed or a serious cyber attack that requires teams of cyber investigators to jet around the globe.


Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app has set up a digital command center for tech and security teams to monitor attacks and to respond swiftly.

[Photo: Mike Patterson, vice president of strategy, Rook Security]

Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty that the readiness of companies varies widely. Some companies boast strong security staffs, resources and planning, while others only have one or two full-time security people — or none at all.

“Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”

Rook is seeking to be the default option — brought in by the insurer — for post-breach incident response and forensics. It is also looking to provide a service where Rook would be retained by a company to come in and improve security postures so the client qualifies for cyber coverage or gets better pricing.

“It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates, and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.

ThirdCertainty’s Edward Iwata contributed to this story.