Navigate the shifting cyber insurance landscape with PAM+
by Remediant, on Oct 27, 2022
Business expenses associated with a data breach or ransomware attack continue to rise. IBM’s 2022 Cost of a Data Breach Report found an average cost of $9.44 million in the U.S. Worldwide, another study showed the average ransom payment increased 82% from 2020 to 2021. The increase in payouts occurred because organizations were unsuccessful in defending against these attacks. Munich Re’s 2022 Global Cyber Risk and Insurance Survey found that 83% of all C-Level respondents reported that their organizations were not adequately protected against cyber threats. As shown below, increasing costs are forcing cyber insurance providers to increase premiums and evolve their coverage requirements.
According to Fitch Ratings, insurance payouts on claims compared to earned premiums (direct loss ratio) have increased from 34% of premiums in 2018 to 65% of premiums in 2021.
Of course, higher payouts require insurers to increase premiums covering ransoms, damaged networks, and business interruption loss. Marsh, a leading insurance broker and risk advisor, reports that cyber insurance prices increased 79% in the second quarter of 2022, “down” from increases of 110% in Q1 and 133% in the fourth quarter of 2021. At the same time, insurers in the Lloyd's of London market halved cyber coverage as ransomware attacks surged during the pandemic.
To secure coverage, organizations must provide evidence to insurers that they are taking appropriate steps to protect their assets. Smart organizations also realize they can improve security and lower premium costs by implementing the right controls.
Where to Start? Think Like an Insurer
Security professionals learn to “think like an attacker” to defend systems, data, and applications. To protect data and control cyber insurance premiums, it might be better to view the world as the insurer. After all, both you and your insurer share the goal of reduced damage from a cyber attack.
Insurers measure risk as a function of the likelihood of a successful attack and the impact of ensuing damages. In today’s threat environment, insurers rightfully assume that an attacker can gain access to a network through phishing or credentials obtained on the dark web or other user-targeting attacks. In other words, the likelihood of an attack approaches 100%. Therefore, to estimate the second half of the function – the impact of a successful attack – insurers must evaluate what steps the organization has taken to mitigate risk or limit the blast radius of a successful attack.
A top priority for risk mitigation is to prevent the attacker from gaining administrative privileges that allow them to compromise additional admin credentials, access additional systems, create admin users to set up future attacks, and eventually, encrypt data for ransoms or steal sensitive data. Remediant’s research shows that in the average large enterprise, each employee workstation has 480 users with admin rights. Multiply that by thousands of endpoints and it is easy to understand “privilege sprawl.”
The risks introduced by privilege sprawl have led many insurers to require policyholders to implement controls for privileged accounts and limit lateral movement. This makes sense. However, organizations attempting to address this requirement using legacy Privileged Access Management (PAM) tools that focus on vaulting the highest privilege credentials miss important risk factors:
- Ignoring standing privileges: administrator accounts with “always on” 24x7x365 privileged access.
- Not providing visibility into other areas attackers target, such as overlooked accounts.
- Doing little to mitigate the underlying enablers for lateral movement by focusing on protecting passwords instead of protecting access.
While legacy PAM may meet an insurer’s minimum requirements to manage privileged accounts, it would be a mistake to rely solely on this approach to secure your organization. If, as noted above, the insurer assumes that credentials are already compromised, organizations must have controls in place to render stolen credentials ineffective while allowing legitimate users the access they require. Pretending that vaulted credentials are still safe doesn’t help if we assume the attacker already possesses them. While legacy PAM solutions may “tick the box,” a different, more responsive approach to the privileged identity attack surface is needed to provide evidence to insurers that the organization is taking the right steps to protect its assets – not simply meeting minimum requirements.
PAM+: A New Approach to PAM
Today’s adversaries understand that leveraging privileged accounts is a simple and effective attack vector. PAM+ is a new, Zero Trust approach to managing privileged access. It eliminates standing privileges and provides Just-in-Time (JIT) privileged account access to help customers achieve Zero Standing Privilege (ZSP).
The PAM+ approach is agentless and easy to deploy, allowing one-click removal of often-undetected and over-provisioned 24x7 privileged account sprawl. When an administrator requires access to a device, they receive time-limited permissions under their own login. New authorization is required if an administrator needs privileged access to a different system. In short, PAM+ eliminates the impact of compromised administrative credentials, rendering password-stealing malware ineffective.
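A minimal model of the time-limited, per-system access described above, comparing how many hosts one stolen administrator credential can reach under standing privileges versus Just-in-Time grants. This is an added example, not Remediant's code; the host names, account names and the 240-minute policy cap are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: host -> accounts with always-on local admin rights.
STANDING = {
    "ws-001": {"alice", "helpdesk", "svc-backup"},
    "ws-002": {"alice", "helpdesk"},
    "srv-db01": {"alice", "dba-team"},
}

def standing_reach(inventory, user):
    """Hosts a stolen credential can administer when privileges are standing."""
    return sorted(h for h, admins in inventory.items() if user in admins)

class JitGrants:
    """Per-host, time-limited admin grants; no account is privileged by default."""
    def __init__(self, max_minutes=240):  # policy cap is an assumption
        self.max_minutes = max_minutes
        self._expiry = {}  # (user, host) -> datetime when the grant lapses

    def grant(self, user, host, now, minutes):
        if not 0 < minutes <= self.max_minutes:
            raise ValueError("grant duration outside policy")
        self._expiry[(user, host)] = now + timedelta(minutes=minutes)

    def is_admin(self, user, host, now):
        expiry = self._expiry.get((user, host))
        return expiry is not None and now < expiry

    def reach(self, user, hosts, now):
        """Hosts where the credential is privileged at time `now`."""
        return sorted(h for h in hosts if self.is_admin(user, h, now))

def demo():
    t0 = datetime(2022, 10, 27, 9, 0, tzinfo=timezone.utc)
    jit = JitGrants()
    jit.grant("alice", "srv-db01", t0, minutes=60)  # one approved session
    return {
        "standing": standing_reach(STANDING, "alice"),
        "jit_during": jit.reach("alice", STANDING, t0 + timedelta(minutes=10)),
        "jit_after": jit.reach("alice", STANDING, t0 + timedelta(minutes=61)),
    }

if __name__ == "__main__":
    print(demo())
```

Under the standing model the credential is an administrator on every listed host at all times; under the grant model it is privileged on one host for one hour and nowhere afterwards.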
In the face of an increasingly complex cyber insurance landscape, PAM+ offers a way to meet cyber insurance carrier requirements and control runaway cyber insurance costs. Additionally, because deployment is exponentially faster than a legacy PAM solution, cyber insurance deadlines are met more quickly with a PAM+ approach, providing organizations with more rapid time-to-value.
Learn more about the current cyber insurance landscape and how legacy PAM tool sets may not protect against the actual risk cyber insurance providers care about in a November 8 webcast with our co-founder and CTO Tim Keeler. Tim will also review the recent Uber attack to illustrate how PAM+ can help protect your organization from attacks involving lateral movement.