Over the last few months, we have been reading more and more about cyber-insurance policies. Leading insurers are now underwriting coverage for a wide array of cyber risks, including third-party losses resulting from a security or data breach, direct first-party costs of responding to a breach, lost income and operating expense resulting from a breach, extortion threats to disclose data or attack a system, and a number of other coverages.
Beyond covering damages, the policies bundle a series of benefits and services generally delivered by third-party security firms. The pre-breach benefits rely on established best practices in a number of areas: end-user education and training, audit and compliance, and the deployment of real-time detection technologies. Once a breach has occurred, another layer of coverage kicks in for after-the-fact incident response: forensics and investigation, notification and monitoring, and of course legal counsel.
However, this layered approach omits a key area: breaches that have already occurred. Real-time detection is a necessary step in protecting the enterprise, but it watches for new activity and overlooks threats that already exist. The “breach-detection gap”, the time from when a breach occurs until it is identified, is in most cases over six months; data has shown that malware is often active inside a network for more than six months before it is found.
There is technology, not yet commonly used as part of current best practices, that can identify and remediate threats already present in your systems. Known as active “hunt” technologies, these tools should be deployed as part of the process to actively audit and review endpoints for malware that may currently reside on them.
Hunt technology requires minimal deployment time, is easy to use, needs a lower level of professional services than other security technologies, and over time significantly decreases costs. The process is very straightforward:
1. Hunt – Identify the endpoint devices to survey and collect data from each, ensuring that hosts, processes, loaded modules, drivers, memory, user accounts, autostart entries and hooks are all reviewed.
2. Analyze – Provide understandable analysis in stages that quickly separate known good from known bad and handle false positives. This shortens the time to decide, while retaining the ability to rapidly run proprietary and third-party malware analysis (multi-engine, static and dynamic) on whatever remains unknown.
3. Remediate and Report – Give the IT security team actionable steps and the data needed to determine the risk level of any identified malware, along with the ability (if desired) to isolate the endpoint and/or remove the malware.
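The three stages above, reduced to a working triage over a constructed endpoint survey, as an added example (this is not code from the original post or from any hunt product; the artifact fields, the known-good and known-bad hash lists, the risk weights, the host names and the sample records are all assumptions chosen for illustration):

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Hash helper; on a real endpoint the collector hashes file bytes."""
    return hashlib.sha256(data).hexdigest()


# Assumed reference lists. Every hash is derived from a constructed string so the
# example runs offline; in practice these come from a vendor/OS allowlist and a
# threat-intel feed.
KNOWN_GOOD = {
    sha256_hex(b"constructed: svchost.exe build 1"): "svchost.exe (OS image)",
    sha256_hex(b"constructed: edr_agent.exe 4.2"): "EDR agent",
}
KNOWN_BAD = {
    sha256_hex(b"constructed: dropper sample A"): "dropper family A (sample)",
}

# Assumed weights: persistence and kernel-level artifacts rank above ordinary processes.
KIND_WEIGHT = {"hook": 3, "driver": 3, "autostart": 2, "module": 1, "process": 1}


@dataclass
class Artifact:
    """One record from the Hunt stage: a process, module, driver, autostart or hook."""
    host: str
    kind: str
    path: str
    sha256: str
    first_seen: datetime   # earliest time this artifact was observed on the host
    signed: bool           # code-signature check result from the collector


def classify(a: Artifact) -> str:
    """Analyze stage: bucket into known_bad, known_good or unknown."""
    if a.sha256 in KNOWN_BAD:
        return "known_bad"
    if a.sha256 in KNOWN_GOOD:
        return "known_good"
    return "unknown"


def risk_score(a: Artifact, verdict: str) -> int:
    """Higher for persistence/kernel artifacts, unsigned code and known-bad hashes."""
    if verdict == "known_good":
        return 0
    score = KIND_WEIGHT.get(a.kind, 1)
    if not a.signed:
        score += 2
    if verdict == "known_bad":
        score += 10
    return score


def recommended_action(verdict: str, risk: int) -> str:
    """Remediate stage: what the IT security team should do with the finding."""
    if verdict == "known_bad":
        return "isolate host, remove artifact"
    if verdict == "unknown" and risk >= 4:
        return "submit to multi-engine analysis, hold for analyst"
    if verdict == "unknown":
        return "queue for analysis"
    return "none"


def triage(artifacts, now: datetime):
    """Run every survey record through classify/score/action; worst first."""
    rows = []
    for a in artifacts:
        verdict = classify(a)
        risk = risk_score(a, verdict)
        rows.append({
            "host": a.host, "kind": a.kind, "path": a.path,
            "verdict": verdict, "risk": risk,
            "dwell_days": max(0, (now - a.first_seen).days),
            "action": recommended_action(verdict, risk),
        })
    rows.sort(key=lambda r: (-r["risk"], -r["dwell_days"]))
    return rows


def breach_detection_gap(rows) -> int:
    """Longest dwell time among confirmed-bad findings, in days."""
    bad = [r["dwell_days"] for r in rows if r["verdict"] == "known_bad"]
    return max(bad) if bad else 0


def hosts_to_isolate(rows):
    return sorted({r["host"] for r in rows if r["verdict"] == "known_bad"})


# Constructed survey of two hosts; paths and timestamps are made up.
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)
SURVEY = [
    Artifact("ws-17", "process", r"C:\Windows\System32\svchost.exe",
             sha256_hex(b"constructed: svchost.exe build 1"), NOW - timedelta(days=400), True),
    Artifact("ws-17", "autostart", r"C:\Users\jdoe\AppData\Roaming\update.exe",
             sha256_hex(b"constructed: dropper sample A"), NOW - timedelta(days=200), False),
    Artifact("ws-17", "hook", r"C:\Windows\Temp\hk.dll",
             sha256_hex(b"constructed: unknown hook dll"), NOW - timedelta(days=30), False),
    Artifact("db-02", "process", r"C:\Program Files\EDR\edr_agent.exe",
             sha256_hex(b"constructed: edr_agent.exe 4.2"), NOW - timedelta(days=90), True),
    Artifact("db-02", "module", r"C:\Program Files\Vendor\helper.dll",
             sha256_hex(b"constructed: vendor helper dll"), NOW - timedelta(days=10), True),
]

if __name__ == "__main__":
    report = triage(SURVEY, NOW)
    for r in report:
        print(f'{r["host"]:6} {r["kind"]:9} risk={r["risk"]:2} dwell={r["dwell_days"]:3}d '
              f'{r["verdict"]:10} -> {r["action"]}  ({r["path"]})')
    print("breach-detection gap (days):", breach_detection_gap(report))
    print("hosts to isolate:", hosts_to_isolate(report))
```

The point of the ordering is that the unsigned autostart with a known-bad hash lands at the top with an isolate action, the unknown unsigned hook is held for multi-engine analysis rather than silently dropped, and the signed unknown module is only queued; the dwell-time column is what turns a single assessment into the breach-detection-gap figure discussed earlier.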
If hunt technology is incorporated as a best practice across the insurance industry, there will be two main benefits. First, premiums will be easier to establish. There are no actuarial tables that say whether a company is at risk or how long it will be before it is breached, but a simple hunt assessment can determine whether malware currently exists in the environment and whether the organization’s practices for maintaining a clean system are deployed and working as designed. Second, including hunt among the security best practices will surface any malware already present and significantly shorten the breach-detection gap, limiting damage to the insured entity and lowering the total cost of exposure.
As security spending continues to consume billions upon billions of dollars, hunt technologies will need to become part of the mainstream security posture to ensure that networks are not already infected. In today’s cybercrime-filled world, it’s not just about keeping the bad guys out; it is about making sure they are not already in.