Helping customers to understand & implement modern security solutions to meet Cyber Insurance validation audits & self-attestation
Cyber Incident Coverage from an Insurance Landscape
Cyber Insurance (also known as Cyber Liability Insurance (CLI)) provides a general line of coverage for mitigating losses, or the costs associated with cyber incidents, including data breaches, damage to network and server infrastructure, and the business interruption that follows events such as ransomware. To determine what coverage is necessary, cyber liability insurers calculate those costs from several key risk factors: the industry the insured customer operates in, the data being covered (regulated data such as PII, PCI, HIPAA or GDPR-scoped data) and, most importantly, what security measures and controls are already in place before the policy is written.
Figure 1: VMware GIRT 2022 Report Findings – Data on the number and types of attacks for the industry
These providers want assurance that their clients are taking fundamental measures to protect their systems, users and data, for example by satisfying the basic requirements of the Confidentiality, Integrity and Availability (CIA) triad shown above, and by deploying solutions that keep each of those pillars secured. One such control is Multi-factor Authentication (MFA), which raises assurance in the user's identity, defends against account compromise and gives the partners exchanging data confidence in who is on the other end of the connection. Another key element is encryption of data at rest and in transit using sound, accredited standards, for example FIPS 140-2 validated cryptographic modules and 256-bit Advanced Encryption Standard (AES) keys, to protect the confidentiality of the data being exchanged. Lastly, moving to the cloud, or having a sound Disaster Recovery Plan and service in place, including backups, protects the availability of data and services for users. US agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and numerous other national bodies (the UK National Cyber Security Centre (NCSC), the EU Agency for Cybersecurity (ENISA) and the Australian Cyber Security Centre (ACSC), for example) provide sound guidance on the matter and, aside from small differences between them, most agree on these basic elements of the triad.
However, even with these basic CIA protection steps, or with the use of services solicited from the CLI providers, the increasing cost of ransomware remediation is pushing premiums up. The growth in the number of attacks, and in the number of successful beachheads into organizations, means insurance is getting harder to obtain and more expensive to maintain. In some cases providers have eliminated ransom reimbursement altogether, and many others have introduced strict underwriting guidelines that stretch application and renewal processes from what previously took days into weeks or even months. In light of this, both Managed Service Providers (MSPs) and their clients need to address their cyber risk so that they can efficiently check the boxes on the cyber insurance checklist and keep costs reasonable.
Figure 2: Verizon DBIR 2022 Report Findings – four key factors leading to breaches and the element with the highest increase industry-wide
These factors have also pushed significant premium increases in cyber insurance policies, and both the EU and the US have seen a rise in security service offerings as a consequence. Many of the providers of those cyber protection services are the insurance providers themselves. This brings in revenue, but it also lets the insurer attest to the security controls and measures in place at the customers it insures and so mitigate its own costs, both in premiums and in the amounts that might later be paid out after a breach (much like buying an extended service and warranty package from the same dealership that sold the vehicle and having its service department take care of the maintenance along the way).
Typical Cyber Insurance Service Provider Offerings
Insurers that do not sell these services still get a measure of assurance that those seeking a new or renewed policy are taking basic or moderate precautions before the policy takes effect. Even if an organization does not buy into the CLI offerings above, a documented self-assessment or a third-party audit of these enterprise measures will increasingly be required, as due diligence, of anyone who is or wishes to be insured. It stands to reason that, to validate that a certain level of security controls, standards and cybersecurity measures has been put in place before a policy is issued, these audits will be required, and they can go even further, as the next example shows.
Recently in the news, Travelers Property Casualty Company of America took a customer, International Control Services, Inc. (ICS), to court after learning that the company had provided false information on its insurance application. Specifically, ICS claimed to have implemented MFA, but when it filed a claim following a ransomware attack, a forensic investigation initiated by Travelers found that ICS had not done so, and the policy was voided. As argued earlier, with the growing cost of cyber-related damages throughout the industry, many insurers are likely to insist on third-party verification of applicants' self-attestations or, at a minimum, on more granular reports and implementation details for security measures and controls before accepting a policy.
Some CLI providers use a 'Factor Rating System' to index the contributing factors in their evaluation of an organization's cyber risk. The resulting score guides how much coverage a policy should carry to match the organization's insurable threats, and the premium it will pay. Unlike traditional insurance, these factors are often required to be updated and monitored continuously, so that exposure and impact levels reflect what is currently deployed and implemented in each area.
Typical Cyber Insurance Provider Factor Rating Categories
The intent is to capture a potential client's security posture in each of these environments, since each has a different effect on the client's risk score. But the cost of doing so can often approach or equal the price of some small contracts, which has hampered growth projections for the cybersecurity industry over the last decade. CXOs of insured organizations should not expect a payout for poor cybersecurity policies or practices; this is in line with other insurance products, which often require some form of inspection or audit before a policy is issued, or void the policy if undisclosed deficiencies are found after an incident.
There are basic guidelines that insurers typically look for when establishing good corporate or organizational cyber hygiene; following them along the lines of the CIA triad can greatly reduce an organization's factor rating score.
Typical Organizational Mitigation Measures for Reducing Factor Rating Scores
Regardless of your industry, if you are self-attesting, most analysts will advise that, to be best prepared both for an incident and for the attestation or audit that precedes the policy, you be brutally honest and have detailed supporting documentation for your organization's conclusions. You could still be confronted by the insurance agency or challenged on the breadth or depth of coverage or on costs, but you will be in a much stronger position in either case. If findings do come back, control the instinct to deny the results outright and embrace the opportunity to learn from the report(s): explain which findings are false positives, and use the rest to strengthen the relationship for future audits within your organization and the teams responsible. For example, take the lessons learned back to your Security Operations Center, IT and other support teams to make improvements where necessary; start with the easiest items on the list and work up the ladder.
Also, guidance from well-established frameworks and control catalogs, such as the National Institute of Standards and Technology (NIST) Special Publications (for example SP 800-171, security controls for Controlled Unclassified Information), is a gold mine of tips and areas to focus on, both before and after an audit. It is also very likely that, for a self-attestation or audit, a cyber insurance group will use those very controls as the blueprint or 'exam template' for your grading. Some providers can deliver a deeper assessment of cyber risk when connectors or Application Programming Interfaces (APIs) to other service providers or security solutions are integrated. These integrations feed additional data into the risk rating and can bring the added benefit of cost savings, much as an auto insurer such as Geico or Progressive does by plugging into your vehicle's On-Board Diagnostics (OBD) port to send driving statistics back for continuous evaluation of your driving habits and therefore the payout risk you pose.
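The ICS case above turned on a single sentence in an application ("MFA is implemented") that the forensic evidence contradicted, and the advice to back every self-attestation with documentation only works if the documentation is generated from the actual state of the environment. The following is an added example, not code from the original page and not a VMware tool, of the kind of check a practitioner runs before signing: it reads an identity-provider user export and reports whether the MFA statement is literally true, broken out by privileged accounts as NIST SP 800-171 control 3.5.3 (MFA for privileged accounts and for network access to non-privileged accounts) requires. The CSV layout, column names and the sample rows are constructed assumptions; substitute your own provider's export format.

```python
"""MFA coverage check over an identity-provider user export.

Added example: not from the original page and not VMware code. The CSV
columns (user, enabled, privileged, mfa_methods, last_login_days) and the
sample rows are assumptions; the control reference is NIST SP 800-171
3.5.3 (MFA for privileged accounts and network access to non-privileged
accounts).
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample export (assumed layout). Note the privileged account
# with no MFA, the disabled account, and the service account with no MFA.
SAMPLE_EXPORT = """\
user,enabled,privileged,mfa_methods,last_login_days
alice@example.test,true,true,"authenticator;fido2",3
bob@example.test,true,false,sms,12
carol@example.test,true,true,,1
dave@example.test,false,true,,400
svc-backup@example.test,true,false,,0
erin@example.test,true,false,authenticator,120
"""

# Factors treated as strong for privileged use. SMS is deliberately excluded:
# NIST SP 800-63B classes it as a restricted authenticator, and an auditor
# reading "MFA on all admin accounts" will ask what kind.
STRONG_METHODS = {"authenticator", "fido2", "smartcard", "hardware_token"}


@dataclass
class CoverageReport:
    total_active: int = 0
    active_with_mfa: int = 0
    privileged_active: int = 0
    privileged_with_strong_mfa: int = 0
    findings: list = field(default_factory=list)

    @property
    def coverage_pct(self) -> float:
        if not self.total_active:
            return 0.0
        return 100.0 * self.active_with_mfa / self.total_active

    def attestable(self) -> bool:
        """True only when 'MFA is implemented' is literally true: every active
        account has a factor and every privileged account has a strong one.
        Anything less goes on the application as an exception, not as 'yes'."""
        return (self.total_active == self.active_with_mfa
                and self.privileged_active == self.privileged_with_strong_mfa)


def parse_export(text: str) -> list:
    """Parse the assumed CSV layout into plain dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        rows.append({
            "user": row["user"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
            "mfa_methods": methods,
            "last_login_days": int(row["last_login_days"]),
        })
    return rows


def assess(users: list, stale_days: int = 90) -> CoverageReport:
    """Count coverage and record one finding per gap so the evidence is
    reviewable line by line. Disabled accounts cannot authenticate and are
    left out of scope; stale-but-enabled accounts are flagged because they
    widen the attack surface the underwriter is pricing."""
    rep = CoverageReport()
    for u in users:
        if not u["enabled"]:
            continue
        rep.total_active += 1
        if u["mfa_methods"]:
            rep.active_with_mfa += 1
        else:
            rep.findings.append(f"{u['user']}: no MFA enrolled")
        if u["privileged"]:
            rep.privileged_active += 1
            if u["mfa_methods"] & STRONG_METHODS:
                rep.privileged_with_strong_mfa += 1
            else:
                rep.findings.append(
                    f"{u['user']}: privileged account without strong MFA (SP 800-171 3.5.3)")
        if u["last_login_days"] > stale_days:
            rep.findings.append(
                f"{u['user']}: no sign-in for {u['last_login_days']} days; disable or justify")
    return rep


if __name__ == "__main__":
    report = assess(parse_export(SAMPLE_EXPORT))
    print(f"active accounts: {report.total_active}, with MFA: {report.active_with_mfa} "
          f"({report.coverage_pct:.0f}%), privileged with strong MFA: "
          f"{report.privileged_with_strong_mfa}/{report.privileged_active}")
    for f in report.findings:
        print(" -", f)
    print("attestable:", report.attestable())
```

Run it against a real export and keep the output with the application: if `attestable()` is false, the honest answer on the questionnaire is the list of exceptions (for example a service account that cannot hold a second factor and the compensating control around it), which is exactly the documentation the previous paragraph asks for.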
Security Control & Framework Alignment
Figure 3: NIST Guidance for Security Controls with Forrester’s ZT Model
Many firms also base initial risk scoring, policy acceptance, terms and rates on a company's ability to show detailed documentation of its adherence to certain industry best practices. Two key sources for this are the NIST Special Publications, such as SP 800-171 and the Zero Trust Architecture guidance in SP 800-207. These controls can be used to secure all devices and services within an organization; however, this is only the first step. The larger and more important aspect today is the new protection paradigm, which puts the data itself at the center.
Other top resources for guidance on cybersecurity fundamentals for the global industry are the Center for Internet Security (CIS) Benchmarks, which are highly regarded, corroborate NIST's framework guidance and provide more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today's evolving threats. Although not specifically aimed at customers' compliance, the Open Web Application Security Project (OWASP) Top 10 is an outstanding list of the areas your software and service providers need to account for while developing their solutions, before a client uses them, to provide additional end-user protection.
Whether it belongs to the organization itself or to the customers it serves, the data is the single most important asset and ultimately the target of any breach. Whether the attack takes the form of ransomware, which denies access to that data, or of outright theft of it, the damage and exposure are still the organization's to manage and protect against. And whether an organization relies on NIST directly, or on cloud-hosted services that attest to following the controls of SP 800-171 or its bigger brother, SP 800-53 (the FISMA control catalog on which FedRAMP's cloud security authorization for the federal government is based, and which VMware adheres to for its Public Sector customers), there are still requirements on the end agency or organization. It is simply not a 'migrate or subscribe and forget'. AWS and Azure both explicitly lay out, in their shared responsibility models, several areas that remain the customer's responsibility for its own enclave or domain of operation on top of the Infrastructure-as-a-Service hosting. So although moving to the cloud is highly recommended and part of the journey to enhanced security, for cyber insurance qualification as much as for Zero Trust, there are higher-level controls and security needed above and beyond the hosting controls; this is where VMware can assist.
Figure 4: VMware Security Alignment to Security Control Groups
VMware Solution Mitigation Overview
Workspace ONE Suite
Workspace ONE can be a key foundation for meeting the controls and security an organization needs in order to perform its own self-attestation or undergo a full audit by a third party. It is built on VMware's Workspace ONE UEM technology, which provides the standard aspects of Mobile Device Management (MDM) and Mobile Application Management (MAM), including a Unified Application Catalog. Workspace ONE integrates with virtual desktop and application delivery via VMware Horizon on a common identity framework, and with Workspace ONE Assist, to complete a full End-User Computing (EUC) suite that can use Baselines as a key feature of enrollment, onboarding and compliance.
Additionally, on traditional endpoints and within the cloud, Carbon Black and Carbon Black Cloud provide EDR, incident response and XDR capabilities and integrate with Workspace ONE for a comprehensive protection story. VMware NSX integrates Network Detection and Response (NDR), applying real-time, continuous monitoring of systems to detect and investigate potential threats and then automation to contain and remove them, and delivers true XDR together with NGFW, IPS and other advanced network-based security measures. Lastly, you can improve your cloud protection stance with VMware's CloudHealth, which addresses threats to the modern cloud-native applications and workloads that enterprises increasingly rely on, at a time when attacker groups are becoming more effective and dangerous and many organizations feel stuck between a rock and a hard place. CloudHealth can also help your organization or service providers map their defenses to the MITRE ATT&CK Cloud Matrix, which is focused solely on cloud attack techniques.
FedRAMP Workspace ONE = UEM + Hub Services + Intelligence + Access + MTD + Horizon
Figure 5: EUC Portfolio Logical View with Product Links
Together, these components form the foundation for a Zero Trust Architecture that can be partnered and integrated within the VMware Anywhere Workspace solution, building trust to empower an organization's anywhere workforce with secure and frictionless experiences by:
- Delivering unique integrations that enable tailored experiences and higher productivity for frontline, hybrid and remote users across heterogeneous environments, including physical and virtual devices and multiple operating systems.
- Enabling Zero Trust Network Access (ZTNA) with remote support for any device (BYO, third-party or VMware-managed) in a true hybrid workforce, and giving the Security Operations Center (SOC) and IT support teams the tools and telemetry to surface Indicators of Compromise (IoCs) on mobile.
- Facilitating flexible deployment options that deliver immediate value for prioritized use cases, so you can scale at your own pace to harness the full potential of an integrated platform.
- Optimizing security and experience through an integrated approach that combines market-leading technologies essential for hybrid work. This provides connected visibility and context for broader security coverage, including Workspace ONE Mobile Threat Defense (MTD) to enhance the end-user and end-device compliance and endpoint security model, alongside VMware Carbon Black on traditional endpoints.
Zero Trust Deployment First Steps & Instances:
To satisfy Zero Trust requirements at the end-user level, the following are needed:
- Modern Management — Devices are enrolled, configured and managed, with the health and security of the device assured while it accesses corporate or agency resources such as servers, cloud services and data.
- Device Health — Applications and services have the mechanisms to validate MFA and device status prior to and during access to those org resources.
- Identity Management — provide for MFA and passwordless authentication, as well as Single Sign-On (SSO) to secure access to both devices, applications and communications with organizational resources on-prem or in the cloud.
- Anywhere Workspace — ability to access corporate / agency resources when not on a managed device.
- Least Privilege Access (LPA) — Access to resources is limited to the minimum required for a specific role.
- Data Loss Prevention (DLP) — Ability to ensure that data leakage or extraction is detected and stopped.
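The six requirements above only become concrete at the moment an access decision is made, when identity, device posture and entitlement are evaluated together for one request. The following is an added example, not code from the original page and not Workspace ONE, Access or any other VMware product code, showing one such policy decision in plain Python. The posture signals, the thresholds, the role-to-resource map and the reduced resource set for unmanaged devices are all assumptions chosen to exercise each requirement; in a real deployment these signals come from the UEM and identity provider at every request, not from constants.

```python
"""Zero Trust access decision for a single request.

Added example: not from the original page and not VMware product code.
The posture signals, thresholds and role-to-resource map are assumptions
that exercise the six requirements above (modern management, device health,
identity, anywhere workspace, least privilege, DLP).
"""
from dataclasses import dataclass, field

MAX_PATCH_AGE_DAYS = 30        # assumption: a device is unhealthy past this
MAX_MFA_AGE_MINUTES = 12 * 60  # assumption: MFA must be refreshed daily

# Least Privilege Access: each role reaches only what it needs (assumed map).
ROLE_RESOURCES = {
    "finance": {"erp", "mail"},
    "engineer": {"git", "ci", "mail"},
    "helpdesk": {"ticketing", "mail"},
}

# Anywhere Workspace: unmanaged (BYO) devices get a reduced, browser-only set.
UNMANAGED_RESOURCES = {"mail", "ticketing"}


@dataclass(frozen=True)
class Device:
    managed: bool            # Modern Management: enrolled in UEM
    compliant: bool          # Device Health: passes the UEM compliance policy
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool       # Identity Management: MFA completed
    mfa_age_minutes: int
    device: Device


@dataclass
class Decision:
    allow: bool = False
    reasons: list = field(default_factory=list)
    # DLP posture applied to the session when allowed:
    #   "monitor"   managed device; agent monitors and blocks exfiltration
    #   "read_only" unmanaged device; no download, copy or print
    data_controls: str = "deny"


def evaluate(session: Session, resource: str) -> Decision:
    """Decide one request. Every check runs and every failure is recorded,
    so the audit log explains a denial instead of stopping at the first miss."""
    d = Decision()
    dev = session.device

    # Identity: MFA must be present and fresh on every class of device.
    if not session.mfa_verified:
        d.reasons.append("mfa not verified")
    elif session.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        d.reasons.append("mfa stale; re-authentication required")

    # Least privilege: the role must be entitled to the resource at all.
    if resource not in ROLE_RESOURCES.get(session.role, set()):
        d.reasons.append(f"role {session.role!r} is not entitled to {resource!r}")

    # Device posture selects the access tier and the DLP controls.
    if dev.managed:
        healthy = (dev.compliant and dev.disk_encrypted
                   and dev.os_patch_age_days <= MAX_PATCH_AGE_DAYS)
        if healthy:
            d.data_controls = "monitor"
        else:
            d.reasons.append("managed device fails health check")
    elif resource in UNMANAGED_RESOURCES:
        d.data_controls = "read_only"
    else:
        d.reasons.append(f"{resource!r} is not available from an unmanaged device")

    d.allow = not d.reasons
    if not d.allow:
        d.data_controls = "deny"
    return d


if __name__ == "__main__":
    laptop = Device(managed=True, compliant=True, disk_encrypted=True, os_patch_age_days=5)
    byod = Device(managed=False, compliant=False, disk_encrypted=False, os_patch_age_days=0)
    for s, r in [
        (Session("alice", "engineer", True, 30, laptop), "git"),
        (Session("alice", "engineer", True, 30, byod), "git"),
        (Session("alice", "engineer", True, 30, byod), "mail"),
        (Session("bob", "finance", False, 0, laptop), "erp"),
    ]:
        d = evaluate(s, r)
        print(s.user, s.role, r, "ALLOW" if d.allow else "DENY", d.data_controls, d.reasons)
```

Two design points carry over to any real policy engine: the decision is per request rather than per login, so a device that drifts out of compliance mid-session loses access on its next call, and the reasons list is part of the return value, which is what turns a denial into evidence an auditor or underwriter can read.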
Figure 6: VMware Endpoint Security Logical Alignment to ZT elements
As the industry progresses and matures, changes and standardization are likely outcomes. Since threats such as extortion, deepfakes and ransomware will continue, your organization will need up-to-date intelligence, best practices and a modern security infrastructure to guard your valuable assets and to meet the ever-growing requirements of cyber liability insurance underwriters; VMware will be here to assist.
For more in-depth details regarding VMware’s most recent industry accolades and reviews, see the following blogs & external links:
- Blog: VMware Named as a Leader & Visionary in the most recent 2022 Gartner Magic Quadrant for UEM Tools
- Blog: VMware named a Leader in three of 2022's IDC MarketScape Assessments for UEM
- Tech Zone: VMware's Incorporating Presidential Exec Order for Zero Trust
- Tech Zone: Compliance for NIST SP 800-171 Controls with VMware
- VMware Tech Zone Security Portal
- VMware Tech Zone Zero Trust Portal
- VMware Tech Zone Public Sector Portal
- VMware Security Blogs
- Tech Zone: VMware Workspace ONE UEM - Baselines Feature Walk-Through
- Tech Zone: Using Baselines to Apply Industry Recommended Settings Video