An Insider's Guide to Cyber-Insurance and Security Guarantees

Captions
Alright, ladies and gentlemen, I'd like to thank you all for coming this afternoon. I'd like to welcome you here to An Insider's Guide to Cyber-Insurance and Security Guarantees. We're in Lagoon K today. Speaking with us today is Jeremiah Grossman; you may know him from WhiteHat. He's currently the Chief of Security Strategy at SentinelOne. We have a couple of housekeeping items today: stop by the Business Hall located in Bayside A and B. We'll also have the Welcome Reception tonight between 5:30 and seven. Black Hat Arsenal is in the Palm Foyer on level three, and join us for the Pwnie Awards in Mandalay B, C and D tonight at 6:30. If everybody can put their cell phones on vibrate, it makes it easier for us to ignore it while you wait for your voicemail to pick up. So with that, I'd like to introduce Jeremiah Grossman.

Good afternoon, everybody. Jeremiah Grossman, and I think this might be my seventeenth Black Hat presentation, and I absolutely love this conference. I've been coming to Black Hat since 2000: always great people, always great talks. I think it's second to none in the industry. So one, thank you all very much for coming, thank you to UBM for having me, and I'm pretty excited about this particular presentation. Normally I give highly technical presentations on how to break the internet; I'm going to give a talk today on how we break the security industry, so that should be fun, and I'm sure I'm going to, you know, ruffle a few feathers on security vendors. I do not care, because our industry must change, because the work we do is important and not many people are believing us anymore, and I'll get to all that stuff.

So, you know, a little bit about my background: I spent the last, yeah, I've been in the industry maybe almost 20 years now, most of which was in web security, helping to protect websites and the web in general. I've been fortunate enough to have a long career in that, got many awards, I've done presentations all over the world. I like sharing what it is I
know and what I think I know, because I think this is the best way for us to share knowledge. I don't know if there's what's called a security expert anymore, because there's too much for any one person to know, so we all have to lean on each other in different areas of expertise in order for us to make, you know, real progress. There, teams are important.

So how do I preoccupy myself? So I spent 15 years at WhiteHat, founder there, so when you're a founder of a company sometimes it means you're CEO, sometimes it means you're CTO, sometimes it means you're CEO again, and so on down the range. So I stepped away from WhiteHat to focus on a different industry, which was malware, which was much bigger, much, you know, around much longer, and I think it was an unsolved problem out there, and specifically ransomware, which I will talk a little bit about, because it's, you know, taking over out there. But these are the areas which I find are most interesting to me, the largest problems. One is the intersection of security guarantees and cyber insurance, why you're all here. How do we ease the burden of remediation? We, our industry, has gotten very good at finding vulnerabilities, terrible at fixing them, let alone fixing them quickly. So if you guys want to know where your creative minds and innovation is going to be best served, it's right there on vuln remediation, because it doesn't do us a lot of good to find vulnerabilities if we're not going to fix them. And the fourth one there is security crowdsourcing. Every CISO will tell you, every hiring manager in InfoSec will tell you, there are just simply not enough people working in security, and I've gone to at least 20 to 30 college campuses these days and I'm here to tell you that the cavalry is not coming. You guys are it, for better or worse, and we're going to have to learn how to automate ourselves and become more efficient at what we do and start better leveraging our collective talents out there to make an impact. So security crowdsourcing is an interest of
mine, and that relates to the skill shortage.

So let's talk about some numbers. I like this particular quote here, and I'll just read it to you verbatim. It's by Lord Kelvin: "I often say that when you can measure what you're speaking about and express it in numbers, you know something about it; when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind." I really like knowing what it is I talk about, and so I try to express what it is I know, or think I know, in terms of numbers, and the best way that I can tell for where the industry is heading, what customers want, what is going to make an impact in security, is by following the money, following the dollars, whether it's the bad guys' money or it's the companies' and corporations' or everyday people's money.

So we're going to talk about the security industry. We're at one of the largest, and I'll say probably one of the best, probably the best security conference in the world, and this is what we give to the security industry: 2015 global spending on InfoSec is set to grow by close to five percent and this year will top seventy-five billion dollars. Seventy-five billion dollars is what we get every single year or so to try to secure things, and what we get for that money is for everybody to be hacked all the time. We can do better, and I think we can, I think I know how, but I want you to remember those two numbers. The two numbers are very important: seventy-five billion dollars, that's what we get, and it's grown by 5% per year. Growth rate indicates where people are most interested going forward and spending their money, and spending their money now.

There's a lot of talk in the industry about who the bad guys are, what they do, their MOs and things like that, so I just want to broadly characterize the different personas of the bad guys out there, because I never ever want to lose sight of the bad guy. I used to work at Yahoo many, many years ago and I know what it's like to get attacked
every single day. I'm more or less a public figure out there and I get attacked, you know, more or less every single day; you know, the little password reset emails that you get when you change your password, all my social media accounts get those every single day. You know, so I always want to know what the bad guys are up to, because we cannot do security by checkbox compliance; we have to know what the bad guys are up to in order to make a difference out there.

So one is we get the hacktivists. You guys know these guys, names like Anonymous, LulzSec and so on down the range, though they weren't the first, they certainly won't be the last. These are the guys that hack us and laugh at us, which makes them not terribly dangerous as far as I'm concerned. They're the canaries in the coal mine. They've hacked for a political message; they're not interested in it for the money or the control or the power. They're kind of in it for their moment of fame or to get out a political message. We got the organized crime guys, who are, you know, very sophisticated, very streamlined. They make a lot of money, and they will hack you and not laugh at you, which makes them far more dangerous. They want to hack you and steal everything you've got; they want to steal your money, your data, your computing resources, they want to extort you, anything they can to make a buck, and they're all in it for the ROI. Then of course you got the nation-state guys, which more and more we're doing battle with, especially the larger systems, where you're talking telecoms, banks, social networks, healthcare operators. They, you know, nation-states will go after them. Of course they will hack you and not laugh at you, but they're also not in it for the money; their MO is different. They're after data, information, control, intellectual property, and the list goes on. Maybe indirectly in it for the money, but they like control. And then we got little, you know, little tidbits of information on terrorism, maybe the guys out there
are hacking to make a little bit of money to perform kinetic attacks later down the road. It's something to keep an eye on, we'll see, but I don't want to spend too much time on that. But those are our main character classes.

So my background is web, and so I like to keep this very top-level stat, because I liked working on web security and I wanted to know what it meant to secure the web. The web right now has about a billion websites on it and it's growing by millions every single day. So this is the problem that we're dealing with. So every solution that we design out there, if you're going to make an impact, it must scale. It must scale to the web, it must scale to the Internet. If it doesn't, that's fine, but if your product, solution, idea doesn't scale to the web, you are not doing web security, you are not doing Internet security, you are doing something else. Perhaps it is still important, but everything in what we do must scale.

Now let's keep the bad guys in mind and look at what they're going after. I like looking at the Verizon Data Breach Report; it's, I think, required reading out there, so if you haven't read it, if you haven't studied it, it's good data. It's, you know, I like to characterize that it's kind of like cybercrime CSI. When a breach happens, they'll call the Verizon Incident Response Team to go out there, they'll do forensics investigations, they'll try to figure out how the bad guys broke in, what they did while they were there, when they did it, what they got, and so on down the range, and they compile all these cases from law enforcement agencies all over the world. They combine it into this big report so we can get a narrative of what the bad guys are doing, so we don't have to guess anymore; we have a pretty good idea of what the bad guys are doing. So when you take a step back and look at this stuff, all the different colors are different things that the bad guys are doing to our systems, and the main takeaway here that I got was that the bad guys are constantly
shifting tactics and different volumes of, you know, and different attack techniques. So if you notice, let's just, we'll stick with web, right? If you look at the top line there, let's go back to year 2006: you know, nearly 20 percent of the incidents out there had something to do with web. Then it dropped down later to, you know, maybe right around 10 percent, and then it started waving. If you take a look at this, are we really to expect regulations, laws, compliance checklists, PCI, are they really going to help us when this is, you know, going like this? I think, what, did they change PCI every two years? Look at what the bad guys do: they shift constantly, so we're going to have to keep up.

Now as we focus in on it, we take that heat map and we put it in a different chart from the DBIR. You know, one of the lines I stole from Alex Stamos's presentation that he gave, I want to say, about a year ago, is "AppSec is eating the security industry," or "AppSec is eating security." Let us again, what, continue with our web theme. If you take a look on the vertical and say the finance sector: when the finance sector suffered a data breach, 82% of the time there is some web security related component to it. In the entertainment industry it was about half. So this kind of gives us an idea of what the bad guys are, how the bad guys target different industries with what types of techniques. This is important.

Then, you know, we'll keep going web, and this is meant to illustrate that we're dealing with a lot of vulns and a lot of problems. So this came from the Trustwave report: web applications have tons of vulnerabilities and the vast majority of them do. This chart here came from the WhiteHat Security report, because, why not, we test many tens of thousands of websites. So the way to read this particular chart is, if you look at the third bar, cross-site scripting: 47% of the sites that we looked at at the time in 2015 had at least one instance of cross-site scripting. The one that I thought was pretty
interesting, especially at the time, was SQL injection. I don't know if everybody here is familiar with the term SQL injection; if the bad guys want data, that's how they use it. At least 6% of the websites we looked at in 2016 and 2015 had at least one instance of SQL injection. So the way to read this is, just because you have a large volume of vulnerabilities out there of one particular class doesn't mean they cause a lot of damage; the bad guys get to choose that stuff. So this 6% vulnerability has been the cause of tons and tons of damage and still continues to this day, and that number has now been somewhat fixed. It used to be as high as 20%; it's fallen off over the last five years, but now it seems flat at 6% because our remediation is terrible. So remember the early bullet point: if you want to help the world, help them fix vulnerabilities faster, cheaper and easier.

This chart comes from Veracode. They do static and dynamic analysis, main competitor of WhiteHat. This is their report; I think this is more static and a language. So they saw 29% of the apps that they looked at had SQL injection vulnerabilities. You're going to find an elevated volume of SQL injection vulns when you do static analysis, because it doesn't take into account, you know, production safeguards and things like that. But we're riddled with vulns is kind of the bottom line, and everybody you ask, every vendor, every pen tester, red team, will tell you the same.

Now when you find a vulnerability, you can tell the customer what the vuln is, what site it is, what URL, how to fix it, everything about it, its rating, what it can do, the badness, and, you know, red alarm and everything else. It then becomes their responsibility to fix it. So in between the point of time where you find it and the customer fixes it, you get an average time to fix. The way to read this is that, let's say you take the finance and insurance industry: it takes them an average of a hundred and sixty days to fix a vulnerability
after you've told them about it. This is not the lows and mediums and informationals; these are the ones that will make you not PCI compliant, the ones that will make you headline news, the ones that will rob you of your data. 160 days, and you can see it down the range. You see the retail sector? You want to know why I harp so incessantly on the crappiness that is PCI? 227 days in the retail sector. That is what's going on out there. They want to tell me that that's making a real difference; I'm looking at the math and I go, I can't tell, please give me your data, and they won't. I know I harp pretty hard, but I'm tired of seeing people get hacked on things that we know how to fix.

Now let's talk remediation rates. That was time to fix; these are remediation rates. Everybody's numbers are about in line, whether you talk Trustwave, WhiteHat, Veracode and on down the range: remediation rates hover between fifty and sixty percent. So that means fifty to sixty percent of the vulns that they know about, that we find and report, get fixed. How many vulns does it take for the bad guy to win? One. Great. So we have to get those numbers at least eighty to ninety, perhaps even a hundred percent; we have to push these numbers much higher. It's too easy on the bad guy.

So let's stick with that one-vulnerability theme. If they just have to find one vulnerability in order to win, how many days of the year, if they go to a website, can they find that one vuln and exploit it? So the way to read this one is: 39% of the websites tested in 2015 had at least one serious, remotely exploitable vulnerability that they knew about every single day of 2015. There was not a single day they didn't know about a remotely exploitable vuln. Look at the retail sector. I don't make these things up, right? Sixty percent. Whether it's SQL injection, cross-site scripting, cross-site request forgery, whatever, those are the vulns that are in there. Now that's the bad news. There are companies
in the world, and I know them by name, that do a really good job, and those are the ones in teal. Seventeen percent of the retail insurance websites had a remotely exploitable serious vulnerability less than 30 days of the year, so those are the guys that are doing a really good job. So when I wanted to learn about web security, I just simply called up the chief of security, or whoever the teams were, and going, how are you, what are you guys doing that's different than everybody else? And, you know, I was talking, I was writing charts and doing spreadsheets and doing all this regression analysis, and after years and years and years of studying, like, what makes companies different from one another, there are some behavioral characteristics, but the number one thing is some companies cared and some didn't. It was just the only way, you know, it kind of worked. And one of the things that makes companies care a lot about security is when they get hacked. It was kind of interesting: I did a slice of the data, I looked at all the companies that got hacked and I did the metrics on them versus the ones that never had a publicly reported breach, and there was a significant difference. The companies that had gotten hacked publicly in the past were significantly more secure after the fact than those that were not.

All right, now we're buried in vulns. What do we look at next? You guys know this stuff; I just put some math to things that you guys probably already implicitly felt and experienced at your workplace. There is a survey that was done from all the attendees of Black Hat, I think they got 250 respondents, so it's, you know, kind of an interesting sampling on how they felt their chances are of not getting hacked in the next twelve months. Three quarters of you, three quarters of us, felt that we were likely to get hacked in the next twelve months. We do not believe, for whatever reason, right or wrong, good or bad, that we can properly secure our own systems. We are the security people, where this is our job to protect these
systems, and three quarters of us do not think that we're going to be able to do that. That's a little striking, and it's almost, it's very apathetic. Now you might say this is just one survey, their methodology might be off. Great, I'm with you. So I started looking at other surveys. You know, that was from this year; let's go back in time. Same thing here. This is one by CyberEdge, CyberEdge Group. You can see the numbers here, let me see here, the number of times you estimate that the global, and the network, I might have read this out: how many times do you estimate that your organization's global network has been compromised by a successful cyber attack within the last 12 months? 38% said not once. I do not believe them. 7% said ten or more times, another 15% between six and ten times, and most everybody else is hacked one or more times. So a lot of people have been hacked and they knew they were hacked. Let's read this one here: what is the likelihood that your organization's network will be compromised by a successful cyberattack in 2015? Most everybody said it's highly, highly likely; so 38 percent said somewhat likely, you know, you can kind of read it for yourself. So this survey pretty much agreed with the Black Hat one, the CyberEdge Group. So we'll read this one here; this kind of summarizes it: 71 percent were affected by a successful cyber attack in 2014, but only half said they expected to fall victim again in 2015. I guess hacks do make you more secure. All right, and the last one here, ISACA, and I have about five or six of these surveys, same thing here: most security professionals think that they're going to get hacked again in the next 12 months. This is concerning. It might be apathetic, it might be realistic, or you might be realistically apathetic.

What are the losses? Because at the end of the day, when we spend seventy-five billion dollars for everybody to get hacked all the time and for everybody to think we're going to get hacked again, you know, they're
going to want, you know, somebody's going to want some loss numbers on why do we keep spending, what are our losses really? So maybe we can use these numbers to buy cyber insurance or to justify spending more money the next year. Again this comes from the Verizon Data Breach Report. If you look down the middle, the line's expected loss when you get a data breach: if you have a million records, the expected loss is right around 1.2 million, but as you can tell, the standard deviation is pretty wild; it goes between 57,000 and 27 million dollars. But the median there is pretty instructive, so these are the loss numbers depending on the amount of data that you have to protect.

Now what have we learned so far? The world is riddled with vulnerabilities, most everybody thinks that they're going to get hacked, and the loss numbers are actually pretty high. What do you do then if you're a security professional, if you're a CFO, business unit owner? What do you do under these conditions? You buy insurance. Somebody write, somebody pay attention. All right, all right. So I've been tracking the cyber security insurance industry for about three years now, and every single year it grows between 60 and 70 percent; some estimates put it as high as a hundred percent, and right now it is about a three and a half to four billion dollar business this year. It's pretty big. Some analysts, or, you know, industry followers, say the market for cyber insurance is going to grow to 7.5 billion dollars by 2020. So it's a hyper-growth industry and we should all be paying very close attention to this one, because I think it's only a matter of time before InfoSec's masters change. We're not going to kowtow to PCI; we're actually going to be dictated to by the insurance industry, and that's going to change everything about what we do. So far the largest barrier to growth, as they estimate, and I've talked to a lot of cyber insurance guys and different companies, and they say the largest barrier
to growth is the lack of actual data about cyber attacks, but this is quickly changing with continued cyber assaults. What does this mean? It means that largely, it's not universally true, but largely in my experience, when you fill out your questionnaire to buy cybersecurity insurance, you fill out this big questionnaire, you'll say I want a million dollars in cyber insurance, the premium will be 1% or so of the covered amount, which means for a million dollars of insurance policy you'll pay about ten thousand dollars, depending on what the policy covers, and that's it. One might think that actuarial data at the insurance companies will adjust the premiums. You would be wrong, dead wrong. The only two variables I've seen that matter are the industry which you're in and the amount of data which you hold. There isn't great math yet that maps the security posture, or the survey that you're filling out from the, you know, the CISO's office, to the adjustment of the premiums; no one's done the correlation yet. What's going on out there, I think, is the cyber insurance guys are going after a land grab. They're trying to get all the policies in, trying to get a whole bunch of customers, and when the breaches happen and the incident response comes in, they'll start doing the CSI game and start then figuring out what things you're doing, what AV you bought, what operating systems you have, how often you patch, how often you scan, and all sorts of things, and then they'll adjust the premiums on security posture. And guess what, they're going to be mathematically correct in a way InfoSec could never be; you can follow this. Now the bit that insurers are going to say is, if you want cyber insurance, you're going to do X, Y and Z, and if you don't, we're going to spike your premiums.

Who's buying this stuff? In the US, estimates put cyber insurance, as far as who's buying it, at about one-third of US companies; might be a little higher, might be a little lower, but a lot of companies are buying this stuff, small, medium
and large organizations alike. There's a lot of skeptics out there in InfoSec who go, like, yeah, but there's going to be fine print, they can't insure this stuff, they can't guarantee this stuff. So what happens when there's a breach? What happens when there's a claim? Are there payouts? The answer is yes, there are payouts. I'm going to go through a couple of them here so you can kind of get an idea of the upper end. Now everybody here has heard of the Target breach and the massive losses there; you know, that had a blast radius around the region that was pretty big. So Target estimated that their losses from their breach of 40 million payment cards, it was about a quarter billion dollars; their cyber insurer paid them back reportedly 90 million. Home Depot had a reported loss after their breach of 43 million; their cyber insurer paid them back 15 million. So one more time, let's go through one more, actually, just stick with those two. Those two signal two things: one is big companies are buying cyber insurance, breaches happen, insurance companies are paying off, and big companies are not buying enough insurance. That's kind of interesting. Anthem, another notable one that I found in a news story: Anthem has a 150 to 200 million dollar policy. I found this after they had their breach. And I've been tracking right around 35 or so carriers, insurance companies that offer cyber security insurance, and it's pretty broad, everybody from Liberty Mutual to Zurich to AIG and so on down the range. And I know there's actually some insurance carriers in the room here, and they're very interested in what we do, and so if you watch closely in the industry you'll see a bunch of experts, leading experts, myself included, that are getting involved in cyber insurance and watching real closely. And the same is true in reverse: the insurance industry doesn't know a lot about InfoSec, but they're starting to learn. They're starting to come to our conferences now and learn what it is we do, how to speak our
language, and I'm going to start going to their conferences to try to speak their language, because we're gonna have to bridge the gap, because there's a lot of data to be shared and a lot of things to be learned. So when you have a lot of insurance being bought and such large losses or claims being paid out, you can expect a surge in premiums, and that's what's going on here: average rates for retailers surged 32 percent in the first half of this year, that was 2015, after staying flat in 2014. And what's interesting about that particular quote is the cyber insurers are resistant; it's, you know, hard to find any policies that go over a hundred million dollars, I have heard. In order to go over a hundred million, because, you know, you've got companies like Walmart and Apple and Microsoft that want very large cyber insurance policies, they're starting to stack insurance: so the first insurer that goes will cover the first 50 million, the next one will cover the next 100 million, you know, so on down the range. They start stacking insurance, and in order to do that you need to work with a broker that can package all this stuff together.

Now what do we learn about all this stuff? How does this relate to us in our industry and where things are headed into the future? This chart here is not built to scale, it just kind of looks that way. So remember I asked you to remember those two numbers: the industry is at 75 billion dollars annually, all the money that we spend on security products and services, growing at 5%. If you do the math there, you get roughly 3.8 billion dollars in new money going into InfoSec to buy more firewalls and antivirus and DLP and scanning and all kinds of that stuff. If you compare that against cyber insurance, which is at 3.2 to 3.5, maybe as high as four this year, it's roughly comparable. Think about this for a moment: the business has $100 to spend; they are equally likely to buy insurance as they are to give it to us to prevent a hack. That's an indictment
of our industry. They don't necessarily want to give us any more money to prevent hacks; they'd just rather insure the downside and be done with it. Anybody get heartburn over there? Is that just me? Okay. There, I'm going to show you this one more slide here, because I think this is a big reason for this, and I think of no better place to show off this slide than Black Hat on the show floor that I've spent a few minutes walking. Have you ever noticed that everything in InfoSec is sold as-is? As-is, like every sign out there might as well say "all sales final," right? Like it's a going-out-of-business sale or something. No guarantees, no warranties, no return policies on anything. We do not accept this in any other industry that I'm aware of except software and security: not the watches we buy, not TVs, not clothes, nothing. Everything out there comes with some kind of insurance, return policy or guarantee, except InfoSec, right? It's a seventy-five billion dollar garage sale. We can do better, and we deserve to do better; we deserve much better for ourselves.

Now, yeah, I, you know, I started putting these ideas out there that security vendors should really start working with cyber insurers, or at the very least putting guarantees on what it is that they claim to do. I got resistance, that said many, but the top one was, well, you can't guarantee security. I agreed, but I don't think that's a very good reason not to do security guarantees. When we go buy Sony TVs or your next PlayStation or whatever it is, right, those TVs sometimes break and they're able to, you know, do guarantees. Why can't InfoSec? Are we so ignorant to how our products perform that we don't do this, or do our products perform so badly that we wouldn't dare guarantee them? There are a few companies out there, and I'll detail them, that have a really good idea of how well their products perform, and I'll do some case studies later. But one of the things I did when I was doing my research is, what happens when you type "security guarantee"
into your favorite search engine? You get a bunch of results that look like this. These are the, we need, those results that come back are usually financial institutions. These financial institutions deal with a lot of account takeovers; you know, somebody will send them an email, phishing email, give me your password, or malware or whatever. They do an account takeover and liquidate lines, transfer all the money out of their accounts, steal it, and rather than losing that customer, these financial institutions will make the customer whole. They'll guarantee that there will not be losses; they'll give them all their money back. That's what these guys do. So this tells us something very important: somehow these companies are able to guarantee the security of their systems while leveraging and buying the security products and services that we do not. This is very strange to me. So they buy firewalls and DLP and scanning and things like that, all the products that we don't guarantee, but collectively they're able to offer security guarantees to their customers. So they've already paved the way, so I know we can do these things.

All right, so I think this is actually a very big opportunity for us, for us as an industry, for every practitioner here, for every vendor at the show, and in order for us to change the industry and get our credibility back, I'm going to ask you to do a couple of things, but, you know, to help. But before we get there, I'm going to go over some three case studies, because this is supposed to be a practitioner's guide. I'm going to show you three companies. It's not to pitch you or to sell you or anything like that, because what I really want is two things: one, more security vendors offering security guarantees, and two, I want the customers in the room to start asking their vendors to give them security guarantees. If they want to claim their product does X, Y and Z, I'm willing to believe it if you're willing to guarantee it. I think that's fair, so ask them. So the first
one I'm going to talk about is the company I work for now; this is the reason why I'm there. They offer a security guarantee based upon ransomware. So the company, SentinelOne, does, you know, malware: you install the agent on the endpoint, Windows, Mac, PC, server, desktop or whatever, and it's meant to stop ransomware or malware infections. We designed this security guarantee around the product. This is my risk mapping in an Excel table; you can read the line items there. I wanted to know how well the product performs, so I looked at all the data in the company, all the reports by customers, all the telemetry data on, you know, the different malware families that got infected, the things we missed, the things that we found, what the losses were, and things like that. I mapped it all out in a nice spreadsheet, I put the math in there, and I started running the numbers. I then talked to customers and said, what if we did the guarantee like this, and what if we did it like that? Once I got the product right, I then got it reinsured by our business insurance company.

So you might think... one of the concerns that customers have when you offer these security guarantees is, what happens when there's a payout? Are you going to be solvent? Are you going to be around to pay us back? So remember I mentioned that when you buy a million-dollar cyber insurance policy it's probably going to cost you 10 grand. I'm going to give you some numbers here, and they will be shocking to you. I'm used to dealing with companies that are operating with about 50 employees to about 400, organizations of that size that are sub 50 million annual revenue. The business insurance that you buy, errors and omissions insurance, things like that, general business liability, will cost you between fifteen thousand and thirty thousand dollars per year. So when we put this program together, this is not cyber insurance, this is general business liability. When
there's a payout, the liability will get transferred to the business insurer; they signed up for this. So think about it this way: we're able to offer this guarantee backed by our business insurance. You just talk to them and they'll likely do it for you. That's the trick there; this is how easy it really is. I won't say it's that easy, because you have to have a few conversations, you have to run your analytics and show them what you can do, but this is what it takes. So far the program's been on a week, so there's not going to be any claims numbers.

But what's the guarantee? I know that's what everybody is thinking about in their head, so I'm going to go over it very quickly. Again, it's not another vendor pitch, but I do want to tell you what the guarantee is because I want you to take things like this to other security vendors. So what we said is: if we miss a ransomware infection and the only way to get the data back is by paying the ransom, we'll pay the ransom, up to $1,000 per endpoint, with a max cap per customer at a million dollars. Very simple guarantee. Draw a line in the sand and go, we're just going to guarantee something, we're going to guarantee it this way, and that's really all it is. If we miss, we want the customer not to be liable; we want it to be on us. So that's one.

I'll give you another one: the company I was with before, the one I founded, WhiteHat Security. We're in the vulnerability assessment business. When you do vulnerability assessment, why do you do vulnerability assessment? You want to find the vulnerabilities and get them fixed before the bad guys exploit them. When a vulnerability assessment company messes up, what does that mean? It means you missed the vulnerability that you should have found and it got the customer hacked. Fair enough, good. Now, that program was the first of its kind. I didn't know what I was doing then and it took me 18 months to figure out how to do it. Two and a half years, I'm going to say almost three years, went by: still no claims, still
no payouts. Because what we did is I looked at the last ten years' worth of data: a thousand collective customers, 30,000 websites. How many times did we miss a vulnerability we should have found, they got the customer hacked, and there was a material breach? Material breach, not like you just missed a cross-site scripting vulnerability that some security researcher found. No, no, we're talking about stopping breaches. It was eight to ten times over ten years where we really screwed up. So we had a metric there; it was way less than one percent of the time in any given year. I relayed those numbers to the insurer and it allowed us to go up to 250 million dollars in total liability for twenty thousand dollars. This is doable.

So what was that particular guarantee? This was: if a website covered by Sentinel, that's what they call the product, gets attacked where we missed a vulnerability, the customer would be refunded for the product, because we don't think the product performed if we missed a vuln, and we'd cover the first half million of their breach costs. Just draw a line in the sand right there.

The last one I'll give you... because there have been security guarantees in the past, money-back guarantees. I think Symantec had one: if you miss malware, we'll give your money back. Not terribly rich; I was looking for something a little bit better. And other ones, like I think TruSecure had one, something like that, but I don't remember the details on it. But here's a company called Trusona. They do transactional authentication, and like identity fraud. When somebody's authenticating to the system, you want to know, is it really that person? And when a financial transaction crosses, is this transaction valid? That's the problem that they solve. They have a hardware/software combination that verifies this. And if you notice here, I pulled this right off their PDFs. Those are their claims as far as their performance metrics, which they then took to their
underwriter to price. The program was launched at the beginning of the year. It took them 18 months to figure out. The cyber insurer, the insurance company that they worked with, wanted to make sure that the product performed as advertised, so they had a company called Stroz Friedberg run assessments on behalf of the underwriter to measure performance. That's where these numbers came from. So far, no claims and no payouts. So those are their performance metrics, the things you absolutely need to know, because they know how well their product performs; you share it with the underwriter, you run your math and you start doing your guarantees.

So what are their guarantees? They have four different levels. It gets a little confusing when you read the charts, but don't worry about it; I want to go straight to the big one. They said, because you have to price this stuff accordingly, it costs about 100 dollars per user per month to buy, but they will back each transaction. So if you do a financial transaction that runs through Trusona, up to a million dollars per transaction, that's how much they'll guarantee it. So they're pretty sure that their technology works.

All right, so that's three case studies. So anytime anybody says, well, security companies can't do this, I'm not hearing it anymore. I've just given you three, and I've described for you how they actually implement it. The last one I'll give you is on the opposite side: you can buy these kits, ransom kits, out there for, you know, a few tens of dollars, a few hundreds of dollars, and the malware guys will guarantee that their products perform. If the bad guys can do it, I'm sure the good guys can too; at least they'd better.

So we have that. Now the last piece of the puzzle, the one I didn't see coming, is what can only be described as a security FICO score. When the insurers are going to price risk, they're going to price you and price your premiums, they're going to want a very simple score. So when you want
to apply for a financial loan, you get your FICO score, right? You know your credit rating is X, and therefore we'll give you a loan at this price, for this percentage and this interest and things like that. We're going to need something like that in InfoSec, and there are probably at least two dozen companies out there trying, but one I'm going to be following very closely is the one by Mudge. I just call him Mudge; that's how I knew him growing up. I'm going to read this one verbatim here: "Zatko's lab ... if your software is literally incendiary, but it will give you a way to comparison shop browsers, applications and antivirus products according to how hardened they are against attack, and they also push software makers to improve their code to avoid a low score and remain competitive." This might be the first step to a software security FICO score that you can use when you buy products, partner with companies, and so on and so forth. Because what's killing us out there, if AppSec is eating security, is that these EULAs are destroying any notion of liability, and they have to go away. These EULAs will say no warranties, no liabilities, no returns, and all that kind of stuff. This can't be allowed to continue.

So this quote in the news article I thought was fascinating but also humorous: "No one is suggesting putting sloppy programmers to death, but holding software companies liable for defective programs and nullifying licensing clauses that have effectively disclaimed such liability may make sense given the increasing prevalence of online breaches." I wholeheartedly agree. Well, at least not putting the developers to death, right? Not so much. So that's where we are. We're going to see a lot of innovation in this particular space: how do we measure the performance of software and software security? Because we're going to have to start rating these things. Our world is driven and run on software. If there's any one thing that is true, we're
going to have more software tomorrow than we had today. And how much time do we have? Five minutes, okay. So we're going to leave some time for questions. There's one more slide after this, but one of the things that I like to grandstand on a little bit out there is that the work that we do is very, very important. We protect the web, we protect the Internet, we protect endpoints. The work that we do impacts billions of people around the world. We've got CISOs from, you know, Facebook and Apple, not so much Apple, I don't think they have a CISO, but different security practitioners around the world, all of you. Our job is protecting the data: payment data, personal secrets. I mean, we do everything on the web. We bank, we shop, we pay our bills, our most intimate moments are shared online. We're more honest with Google than we are with anybody else in our lives, including ourselves, right? We want to protect this data and it's very important that we do so, and I think that it's a very noble pursuit for one to spend their life that particular way.

One of the ones that I want to leave you with here, before we open it up to questions, is Dan Geer. I believe he said this a year ago at Black Hat as a keynote: "The only two products not covered by product liability are religion and software, and software shall not escape much longer." I cannot think of a better way to end this presentation than that. If you have questions, I am here for you, and I want to thank you again for being here. Please remember two things. One, if you're a security vendor, please start offering security guarantees; if this wasn't enough information for you, let me give you my email address, email me, I'll tell you how to do it. And if you're a customer of said products and services, please start asking your vendors. You can change the industry and we can do it together. And with that, thank you all for being here; it's been my pleasure.

Yeah, I guess the
question is, can you imagine cyber insurers having a black box in your network that tries to measure what you do to adjust premiums? Yeah, that's an interesting idea. I've not heard that one. It wouldn't surprise me. I think if that comes, it'd probably take a couple of years. I can imagine what that device might be. Other questions? Yes, sir.

Yeah, so the question was, how do IoT and IoT vendors relate to this whole discussion? Their security is definitely an afterthought. That's why I think the EULAs have to go away, liability-wise. Dan Geer, one of the things he said is they're going to have to take on liability, or after a certain amount of time you have to give us your source code; pick one. That's going to take an act of Congress, I think, to actually do that, but I think they're going to have to. I want to see security differentiated. I don't like new laws and new regulations, but that's just more of a political interest. I can see either one actually happening, but I do think they represent an undue risk going forward. I don't know how we escape that yet; it's going to have to play out a little bit, unfortunately. Yes, sir.

Here at the NCUA, our business is being the public trust for finances, so they think they don't... the second part is your guarantee on the company. Two great questions. I don't know if I know the answer to the first one. The banks might be further along because they have regulatory pressure on them, or oversight; that could be. I really don't know for a fact, but I do think when customers get hacked at a bank they will move banks or financial institutions, so I think it's kind of like a stop-loss there. I don't know for sure. On the second one, are we misaligning the incentives when we're starting to pay ransoms? One of the things that I researched, that I was looking at very closely, is that misaligned incentives do happen in the kidnapping and ransom industry, the things that happen in South America,
and then watch the economics of that, and that does hold true. I think it might be true in this space that I'm talking about here, but not for a while. The bad guys are just kind of indiscriminate; they mass blast everybody and whoever pays, pays. But I could see later, as their jobs get harder, as it's harder to monetize ransomware, then they'll probably do target selection. I don't think that's today or tomorrow; it's not going to be for a while, but I could see that happening. You want to be very careful with it, and in that space the K&R insurance guys do have a confidentiality clause that you cannot tell that your company has K&R insurance, otherwise the deal's off. Sure, yes.

Yeah, are the cyber insurers hiring independent auditors to look at the security of those that they're going to insure? Oh yeah. Are they looking at the existing reports or making them do new ones? I think it's both, but I think it's also few and far between, and more to come. No, no, there are companies out there to do audits and do investigations after the fact. But one of the things I've learned is, I've looked at probably two dozen cyber insurance policies so far, and the one thing I like to say is: when you've read one cyber insurance policy, you've read exactly one cyber insurance policy. They're all different. There's going to be standardization that happens, so I don't know if that's happening a lot today; I think it will happen a lot tomorrow, so to speak, but not just yet, because no one really knows what to audit for. No one really knows what works yet. Does just having antivirus really help? Does patching weekly versus monthly really help like we think it does? We really don't have the math to back it up yet. Yes, sir.

So the question is, are they going to be able to really suss out what in InfoSec works and what doesn't work, and be able to get rid of the conventional wisdom? I think so, but I think it's
going to take them some time to do so, because they don't have live telemetry of the system at the time of breach; they had it like a year, six months ago. I think at the very least, if they're going to have a very big industry, let's say 50 to 100 billion dollars in ten years, they're going to have to figure that out, but I think it's going to take some time to get there, where they suffer a lot of hacks in the meantime. I think eventually it'll happen, but it's going to take time. One of the things I did at WhiteHat was I looked at customers as far as what they did in their AppSec programs, and I did a regression analysis over their vulns, and I did find some interesting findings. It wasn't like a smoking gun or anything, but I think it'll happen; it's just going to take some time. Two minutes. Yes, sir.

So two things happen. One is, in cyber insurance there are no black swan events; there are no earthquakes, there are no hurricanes that wipe out everybody in California, so to speak. It's only one company at a time, so their losses are somewhat restricted, and they're operating in an industry that's hundreds and hundreds of billions of dollars, so if they have to suffer a few hundred million dollars in losses, they can tolerate it. And what I found is, in a number of cases when I was reading the incident reports and the payouts, I was like, why did the insurance company pay out on that one? It doesn't seem like they had to. They're in a land grab right now, as best I can tell. They're paying out on times where I don't think they should pay out, to keep the customer happy and to avoid a negative reputation. So I think the dollar figures that they're looking at here so far are so tiny to them that they're just going for it, and they're paying for their own actuarials later. Yes, sir.

So what's the relationship between, let's say, AppSec and operational security relative to pricing and premiums? There isn't one. I don't
think they take into account the survey data at all to price premiums. I think it's just the industry you're in and the amount of data that you have, and they're going to figure out later what the security posture is of those two things and how to adjust the premiums later. I don't think they bear any correlation yet; at least I can't tell from the pricing. Yes, sir.

So the question is, cyber insurance policies, are they covering the tangible or the intangible costs, let's say brand damage versus cleanup efforts and fines and things like that? Yeah, from everything I've read so far, they're solely going after the hard costs: fines, legal fees, downtime and things like that. They're not covering brand damage and things like that, best I can tell so far. One more question? Over here. Okay, sorry. Yeah.

So what happens when critical infrastructure goes down? They're going to need billions of dollars in coverage. I don't think they're getting policies in the billions yet; they're going to have to stack it. They should probably have some to cover some offset, because why wouldn't you buy it at this point, but they're going to need larger policies to get there. They're going to have to stack insurance, and probably the insurance industry isn't quite ready for that yet. So it'll happen eventually, just not right now. If there are more questions, I'm going to probably make my way outside; I'll make myself available if you have more questions. Thank you all for staying, and I appreciate your time.
Info
Channel: Black Hat
Keywords: InfoSec, BlackHat, Black Hat, Information Security
Id: nFtchKxtGmc
Length: 50min 50sec (3050 seconds)
Published: Tue Nov 22 2016