$75 billion. That is the amount businesses, governments, and individuals pay every year to security companies. While some security companies provide good value, the reality is that incidents are still getting worse and more frequent. Hundreds of millions of people have had their personal information stolen, businesses all over the world are losing intellectual property, and financial fraud runs into the billions of dollars. These stories are constant, seemingly never-ending, and customers are tired of them. They have grown apathetic to the degree that they are turning to cyber-insurance as an alternative to breach prevention. We know this because cyber-insurance exists at all; in fact, cyber-insurance is a skyrocketing business that is already influencing every area of the information security industry. The rise of cyber-insurance has also given security vendors a new way to help their customers: a way to make a real positive impact, differentiate themselves, and align their incentives with those of their own customers. I'm talking about security guarantees.
Security guarantees, or guaranteeing security, are almost a taboo subject in the industry. As skeptics are quick to point out, nothing is 100% secure; everything can be hacked. They are technically right, of course, but they are also missing the bigger picture. We all buy electronics, cars, tools, or toys for the kids, and all of these items sometimes break, yet every manufacturer still provides some kind of guarantee, most often at least a replacement. A manufacturer can do this because it knows how often its product breaks. If every other major industry in the world can do it, the security industry can too! And while many InfoSec practitioners are not yet aware of this, a few security vendors are already offering security guarantees. From private conversations, at least a half dozen more are actively working with cyber-insurers and creating security guarantee programs of their own, and many of our peers are investing their time in this space as well. Before long, security guarantees will become common.
InfoSec practitioners who want to get a head start, or even a leg up, in cyber-insurance and security guarantees: this presentation is for you. But one does not simply launch a security guarantee program. A great many things must be discussed, analyzed, and accounted for first: the business model of the program must be carefully designed, product efficacy measured, risk calculated, lawyers consulted, the impact on financial accounting rules understood, liability reinsured, and more. Security vendors, if you're interested in how to go about creating a security guarantee program of your own, I'll be providing several helpful tools and a process. And business managers who would like to understand the landscape and how security guarantees help in the purchase process, this talk is also for you.
An Insider's Guide to Cyber-Insurance and Security Guarantees
1. AN INSIDER'S GUIDE TO CYBER-INSURANCE AND
SECURITY GUARANTEES
JEREMIAH GROSSMAN
CHIEF OF SECURITY STRATEGY
@jeremiahg
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/
http://sentinelone.com/
2. BIO
WHO I AM…
▸Professional Hacker
▸Person of the Year (OWASP, 2015)
▸International Speaker
▸Black Belt in Brazilian Jiu-Jitsu
▸Founder of WhiteHat Security
3. AREAS OF INTEREST
▸Intersection of security guarantees and cyber-insurance
▸Malware / Ransomware
▸Easing the burden of vulnerability remediation
▸Security crowd-sourcing
▸Industry skill shortage
4. “I OFTEN SAY THAT WHEN YOU CAN MEASURE WHAT
YOU ARE SPEAKING ABOUT, AND EXPRESS IT IN
NUMBERS, YOU KNOW SOMETHING ABOUT IT;
BUT WHEN YOU CANNOT MEASURE IT, WHEN YOU
CANNOT EXPRESS IT IN NUMBERS, YOUR KNOWLEDGE
IS OF A MEAGRE AND UNSATISFACTORY KIND."
Lord Kelvin
5. “2015 GLOBAL SPENDING ON INFORMATION
SECURITY IS SET TO GROW BY CLOSE TO 5%
THIS YEAR TO TOP $75BN,…”
The Wall Street Journal
HYPER-GROWTH INDUSTRY
8. FREQUENCY OF INCIDENT CLASSIFICATION PATTERNS OVER TIME ACROSS CONFIRMED DATA BREACHES.
VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
NO WAY REGULATIONS CAN KEEP UP.
9. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
“APPSEC IS EATING SECURITY"
INCIDENT PATTERNS BY INDUSTRY
11. VULNERABILITY LIKELIHOOD (1 OR MORE)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
[Bar chart: likelihood that a website has at least one vulnerability of each class]
▸ Insufficient Transport Layer Protection: 70%
▸ Information Leakage: 56%
▸ Cross Site Scripting: 47%
▸ Brute Force: 29%
▸ Content Spoofing: 26%
▸ Cross Site Request Forgery: 24%
▸ URL Redirector Abuse: 16%
▸ Predictable Resource Location: 15%
▸ Session Fixation: 11%
▸ Insufficient Authorization: 11%
▸ Directory Indexing: 8%
▸ Abuse of Functionality: 6%
▸ SQL Injection: 6%
▸ Insufficient Password Recovery: 6%
▸ Fingerprinting: 5%
12. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
TOP 10 VULNERABILITY CATEGORIES BY PROGRAMMING LANGUAGE
13. AVERAGE TIME-TO-FIX (DAYS)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
[Bar chart: average days to fix a vulnerability, by industry]
▸ Transportation: 73
▸ Arts & Entertainment: 97
▸ Accommodation: 99
▸ Professional & Scientific: 108
▸ Public Administration: 111
▸ Other Services: 130
▸ Information: 132
▸ Educational Services: 136
▸ Health Care & Social: 158
▸ Finance & Insurance: 160
▸ Manufacturing: 191
▸ Utilities: 192
▸ Retail Trade: 227
14. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
PERCENT VULNERABILITIES
FOUND VS. FIXED
15. WINDOWS OF EXPOSURE
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
[Chart: share of websites in each window-of-exposure class, by industry]
                                              Retail Trade   Information   Health Care & Social Assistance   Finance & Insurance
Always Vulnerable                                  60%            38%                  52%                          39%
Frequently Vulnerable (271-364 days a year)         9%            11%                  11%                          14%
Regularly Vulnerable (151-270 days a year)         10%            14%                  12%                          11%
Occasionally Vulnerable (31-150 days a year)       11%            16%                  11%                          18%
Rarely Vulnerable (30 days or less a year)         11%            22%                  14%                          17%
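The two WhiteHat charts above rest on metrics that are easy to get wrong when computed from raw scan data: average time-to-fix (slide 13) and the window of exposure (slide 15), the number of days in a year on which a site has at least one vulnerability open, bucketed into the five classes listed. The following is an added example, not code from the presenter or from WhiteHat's report. The finding records, site names and dates are constructed, and the convention that a finding's close date is the first day it no longer counts as open is an assumption of this example.

```python
# Added example (not WhiteHat's or the presenter's code): computing average
# time-to-fix and the yearly window of exposure from raw scan findings.
# Assumed input: one record per finding with the date it was first seen and
# the date it was first confirmed fixed (None if still open).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    site: str
    name: str
    opened: date            # first day the vulnerability was observed
    closed: Optional[date]  # first day it was confirmed fixed; None = still open


def days_to_fix(f: Finding) -> Optional[int]:
    """Calendar days from first observation to confirmed fix (None if unfixed)."""
    return None if f.closed is None else (f.closed - f.opened).days


def average_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """Mean time-to-fix over the findings that have actually been fixed."""
    fixed = [d for d in (days_to_fix(f) for f in findings) if d is not None]
    return sum(fixed) / len(fixed) if fixed else None


def exposed_days(findings: List[Finding], year: int) -> int:
    """Days in `year` on which at least one finding was open.

    Each finding becomes a closed interval [opened, closed - 1 day], clipped
    to the year; overlapping intervals are merged so two simultaneously open
    vulnerabilities do not count the same day twice."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    intervals: List[Tuple[date, date]] = []
    for f in findings:
        lo = max(f.opened, start)
        hi = min(f.closed - timedelta(days=1), end) if f.closed else end
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()

    total = 0
    cur: Optional[Tuple[date, date]] = None
    for lo, hi in intervals:
        if cur is not None and lo <= cur[1] + timedelta(days=1):
            cur = (cur[0], max(cur[1], hi))      # overlaps or abuts: extend
        else:
            if cur is not None:
                total += (cur[1] - cur[0]).days + 1
            cur = (lo, hi)
    if cur is not None:
        total += (cur[1] - cur[0]).days + 1
    return total


def exposure_class(days: int, year: int) -> str:
    """Bucket a yearly exposure count into the five classes used on the chart."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    if days >= days_in_year:
        return "Always Vulnerable"
    if days >= 271:
        return "Frequently Vulnerable"
    if days >= 151:
        return "Regularly Vulnerable"
    if days >= 31:
        return "Occasionally Vulnerable"
    return "Rarely Vulnerable"


# Constructed sample data (hypothetical sites and dates).
SITE_A = [  # one XSS open since before the year began and never fixed
    Finding("shop.example", "Cross Site Scripting", date(2014, 6, 1), None),
]
SITE_B = [  # three findings, two of them overlapping in Feb/Mar
    Finding("news.example", "SQL Injection", date(2015, 2, 1), date(2015, 3, 1)),
    Finding("news.example", "Cross Site Request Forgery", date(2015, 2, 15), date(2015, 4, 1)),
    Finding("news.example", "Information Leakage", date(2015, 10, 1), date(2015, 10, 18)),
]

if __name__ == "__main__":
    for site in (SITE_A, SITE_B):
        d = exposed_days(site, 2015)
        print(f"{site[0].site}: avg time-to-fix={average_time_to_fix(site)}, "
              f"exposed {d} days in 2015 -> {exposure_class(d, 2015)}")
```

The interval merge is the part worth copying: summing each finding's own open days would report 90 exposed days for the second site instead of 76, inflating the window of exposure whenever several vulnerabilities are open at the same time, and a site with a single never-fixed finding lands in "Always Vulnerable" no matter how many others it closes quickly.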
17. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
HOW MANY TIMES DO YOU ESTIMATE THAT YOUR ORGANIZATION’S
GLOBAL NETWORK HAS BEEN COMPROMISED BY A SUCCESSFUL
CYBERATTACK WITHIN THE LAST 12 MONTHS?
18. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
WHAT IS THE LIKELIHOOD THAT YOUR ORGANIZATION’S
NETWORK WILL BECOME COMPROMISED BY A
SUCCESSFUL CYBERATTACK IN 2015?
19. “71% WERE AFFECTED BY A
SUCCESSFUL CYBERATTACK IN
2014, BUT ONLY 52% EXPECT TO
FALL VICTIM AGAIN IN 2015.”
2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
MORE APATHY
20. DO YOU EXPECT A CYBERATTACK TO STRIKE
YOUR ORGANIZATION IN 2015? (N = 3,435)
A. YES 46%
B. NO 24%
C. UNSURE 30%
Respondents are global business and IT
professionals who are members of ISACA.
SURVEYS ALL AGREE
23. DOWNSIDE PROTECTION
CYBER-INSURANCE
▸ As of 2014, American businesses
were expected to pay up to $2
billion on cyber-insurance
premiums, a 67% spike from $1.2
billion spent in 2013.
▸ Current expectations by one
industry watcher suggest 100%
growth in insurance premium
activity, possibly 130% growth.
24. “ACCORDING TO PWC, THE CYBER
INSURANCE MARKET IS SET TO
TRIPLE IN THE NEXT FEW YEARS AND
WILL REACH $7.5 BILLION BY 2020.”
Dark Reading
BOOMING INDUSTRY
25. “THE LARGEST BARRIER TO GROWTH IS LACK
OF ACTUARIAL DATA ABOUT CYBERATTACKS,
BUT THIS IS QUICKLY CHANGING WITH
CONTINUED CYBER ASSAULTS.”
“ABI RESEARCH FORECASTS THE MARKET TO
HIT US $10 BILLION BY 2020.”
ABI Research
HYPER-GROWTH
26. “ABOUT A THIRD OF U.S. COMPANIES
ALREADY HAVE SOME FORM OF CYBER-
INSURANCE COVERAGE, ACCORDING TO A
REPORT PRICEWATERHOUSECOOPERS
RELEASED LAST YEAR.”
The Parallax
BUY WHATEVER THERE IS
27. SMALL PAYOUTS. LARGE PAYOUTS.
BREACH CLAIMS
▸ Target spent $248 million after hackers
stole 40 million payment card accounts
and the personal information of up to 70
million customers. The insurance payout,
according to Target, will be $90 million.
▸ Home Depot reported $43 million in
expenses related to its September 2014
hack, which affected 56 million credit and
debit card holders. Insurance covered only
$15 million.
28. LOTS OF INSURERS GETTING INTO THE BUSINESS
BREACH CLAIMS
▸ “Anthem has $150 million to $200
million in cyber coverage, including
excess layers, sources say.”
▸ “Insurers providing excess layers of
cyber coverage include: Lloyd’s of
London syndicates: operating units
of Liberty Mutual Holding Co.;
Zurich Insurance Group; and CNA
Financial Corp., sources say.”
29. “AVERAGE RATES FOR RETAILERS SURGED 32% IN
THE FIRST HALF OF THIS YEAR, AFTER STAYING
FLAT IN 2014, ACCORDING TO PREVIOUSLY
UNREPORTED FIGURES FROM MARSH.”
“AND EVEN THE BIGGEST INSURERS WILL NOT
WRITE POLICIES FOR MORE THAN $100 MILLION
FOR RISKY CUSTOMERS.”
The Security Ledger
INCIDENTS DRIVING UP COST OF PREMIUMS
30. 2014 – 2015
NEW SECURITY INVESTMENT VS. CYBER-INSURANCE
▸ Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)
▸ Cyber-Security Insurance: ~$3.2 billion in spending (+67%)
31. EVER NOTICE HOW
EVERYTHING IN THE
INFORMATION SECURITY
INDUSTRY IS SOLD “AS IS”?
NO GUARANTEES
NO WARRANTIES
NO RETURN POLICIES
36. SECURITY GUARANTEE
DETAILS
▸ Program Launched: July 2016.
▸ Setting up their guarantee with the
underwriter took 3 months.
▸ Claims or payouts? 0.
37. SENTINELONE’S GUARANTEE OFFERS FINANCIAL
SUPPORT OF $1,000 PER ENDPOINT (UP TO $1
MILLION PER COMPANY), SECURING AGAINST
FINANCIAL IMPLICATIONS OF A RANSOMWARE
INFECTION, IF SENTINELONE IS UNABLE TO
BLOCK OR REMEDIATE THE EFFECTS.
38. SECURITY GUARANTEE
DETAILS
▸ Program Launched: August 2014.
▸ Setting up their guarantee with the
underwriter took 18 months.
▸ Claims or payouts? 0.
39. IF A WEBSITE COVERED BY SENTINEL ELITE
IS HACKED, EXPLOITED BY A MISSED
VULNERABILITY, THE CUSTOMER WILL BE
REFUNDED IN FULL AND OFFERED UP TO
$500,000 IN BREACH LOSS COMPENSATION.
40. SECURITY GUARANTEE
DETAILS
▸ Program Launched: January 2016.
▸ Setting up their guarantee with the
underwriter took 18 months.
▸ Stroz Friedberg ran the
assessments on behalf of the
underwriter to measure
performance.
▸ Claims or payouts? 0.
42. MALWARE KITS COME WITH WARRANTIES
Malware offered for $249 with a service level
agreement (SLA) and replacement warranty if the
creation is detected by any antivirus within 9 months
43. “…THE ZATKOS’ OPERATION WON’T TELL YOU IF
YOUR SOFTWARE IS LITERALLY INCENDIARY, BUT IT
WILL GIVE YOU A WAY TO COMPARISON-SHOP
BROWSERS, APPLICATIONS, AND ANTIVIRUS
PRODUCTS ACCORDING TO HOW HARDENED THEY
ARE AGAINST ATTACK. IT MAY ALSO PUSH
SOFTWARE MAKERS TO IMPROVE THEIR CODE TO
AVOID A LOW SCORE AND REMAIN COMPETITIVE.“
The Intercept
THE CYBER INDEPENDENT TESTING LAB
44. “THE ONLY TWO PRODUCTS NOT COVERED
BY PRODUCT LIABILITY ARE RELIGION AND
SOFTWARE, AND SOFTWARE SHALL NOT
ESCAPE MUCH LONGER.”
Dan Geer
CISO, In-Q-Tel