Secondly, organizations need to assess the risk across those assets, prioritizing and addressing existing vulnerabilities and configuration problems. It’s important to note that no organization will have a 100% risk-free cyber environment. All businesses will have misconfigurations, unpatched software, or unchecked system privileges. And because you’re never going to be able to patch 25,000 vulnerabilities in one day or even a week, triaging the risks that are most likely to impact core aspects of the business is so important. But certainly, many of those vulnerabilities are more critical to address than others—for example, those that are internet-facing or actively exploited.
Thirdly, organizations will want to analyze their risk assessment and execute mitigation strategies based on how they’ve prioritized their vulnerabilities. Depending on the exposures, organizations may be able to automate some of the mitigation strategies.
Beyond ASM—and specific to the endpoint space that Trend Micro and many other vendors are involved in—there are substantial risks when products are not fully deployed (e.g., a discovery process was not completed appropriately) or are not kept up to date. In terms of the latter issue, if you’re running a three-year-old product, it doesn’t matter what vendor you’ve got; you’re going to be exposed to cyberattacks. Essentially, what was effective against ransomware three years ago with an endpoint product will not be effective today, so it’s critical to stay current, both from a software and strategy standpoint.
A: What should insurers look for when assessing an organization’s cybersecurity posture?
E: Cybersecurity is and always has been a complex risk to navigate. In general, the approach we’ve seen insurers take when assessing an organization’s cybersecurity posture relates to information gathering. Whether from questionnaires or live collection, insurers often rely on data science to determine the factors contributing to an organization’s risk. It’s not too dissimilar to the approach cybersecurity vendors like Trend Micro take.
A trap that insurers tend to fall into, however, is they focus too heavily on an organization’s vendors and the cybersecurity features they offer on a surface level. Obviously, partnering with a cybersecurity vendor can go a long way toward improving cybersecurity. But the fact that a business has invested in these solutions doesn’t tell insurers a lot when taken at face value.
As an example, insurers can ask an organization if they have endpoint detection and response (EDR) solutions in place. And while it’s helpful for organizations to have EDR, insurers have no idea if the customer is using it, if they’re actively monitoring EDR alerts or utilize a managed service provider to stay on top of EDR-related processes.
Put another way, the mere presence of a control doesn’t necessarily allude to a strong cybersecurity posture. Still, that doesn’t mean these types of questions aren’t necessary. For example, if a current or prospective customer indicates they don’t have multifactor authentication, that’s a red flag. But insurers need to go deeper in some cases, and focusing on how the customer is utilizing, monitoring, or configuring their cybersecurity tools can be just as important as whether these tools are in place.
From an insurer’s standpoint, continuous monitoring as it relates to how security controls are deployed is crucial. In general, insurers should consider measuring an organization’s response time to a potential threat. It’s also vital for insurers to know how often security measures are updated and who monitors the system.
I also feel there’s more room for cybersecurity vendors and insurers to work more closely together, as they both have a common goal: Insurers don’t want a claim, and the cybersecurity vendor doesn’t want a breach.
A: How quickly does the cybersecurity landscape evolve? What does the future of cybersecurity look like?
E: When it comes to preventing cyberattacks, the detection logic is constantly evolving. It’s a cat-and-mouse game, and cybercriminals continue to find ways around defense strategies.
Often, cybersecurity vendors are playing catchup. For example, suppose a cybercriminal finds a new way to use a Microsoft Windows system utility. In that case, it will take some time before a vendor has the behavioral logic to look for that particular activity.
We’re certainly in a very active period where every cybersecurity vendor needs regular updates to their detection logic. While machine learning can help with this process, those models still require frequent updates.
So, essentially, all cybersecurity vendors are constantly improving the detection capabilities they have in their products—and organizations want to stay current. However, this doesn’t mean a full product update is required on a regular basis, especially in the case of SaaS-based products that get updated automatically by the vendor or receive regular over-the-air updates. The customers that end up in the most trouble are typically the ones running on-premises software and not updating it frequently.
Thankfully, as quickly as the attack strategies change, so do the protection methods. Customers in the best position are the ones doing what they can with respect to detection. That includes leveraging managed services as well as technologies like EDR and extended detection and response (XDR). XDR extends the EDR approach beyond the endpoint to correlate threat activity across endpoints, email, networks and more.
And given the pace at which cybersecurity issues and protection strategies evolve, customers need to prioritize what they learn to improve their cybersecurity posture. You get an avalanche of data when you execute a discovery of vulnerabilities, catalog your assets, examine threat activity in your environment and analyze user activity. At that point, you have to determine what your most serious problems are. That kind of prioritization is tremendously valuable when it comes to reducing exposures. It all feeds into strong ASM practices, which we touched on earlier.
In terms of what’s on the horizon, there’s significant hype around the zero trust and secure access service edge (SASE) capabilities. Zero trust is essentially a security framework mandating that—before granting or maintaining access to applications and data—all users (inside and outside an organization) must authenticate, authorize, and undergo ongoing security configuration and validation.
Fundamentally, with zero trust, you’re getting your business into a state where, by default, you say no when new connections or access requests come in. Then, you’re making a dynamic, automated decision on a granular level about what to do with those requests. Should this access take place? Should this laptop be able to talk to this other part of the network? This approach has tremendous benefits with respect to slowing down attackers.
SASE is the application of the zero trust approach via cloud-based architecture. By converging capabilities from two discrete areas (network and security), SASE provides more granular, scalable security across the attack surface without compromising the user experience. For example, zero trust network access (ZTNA), a core component of SASE, provides extended security services for a user’s contextual identity (location, device security posture, etc.) to dictate policy controls and data movement.
So, I would say ASM, the zero trust framework, and SASE architecture are three areas to pay attention to in the current market.
To learn more about improving your cybersecurity posture and cyber insurance, check out the following resources:
Read More HERE