The growth in frequency and severity of cyberattacks has caused organizations to rethink their security strategies. Major recent security threats, such as high-profile ransomware attacks and the Log4Shell vulnerabilities disclosed in 2021, have led to a greater focus on identity protection as adversaries rely on valid credentials to move laterally across target networks.
Cyber insurers know organizations buying cyber insurance policies must be prepared to detect, mitigate and respond to modern attacks as adversaries evolve their tactics, techniques and procedures (TTPs). These constantly evolving threats have significantly impacted cyber insurance. A strong identity protection strategy can boost enterprise security posture and drive the pace of cyber insurance initiatives.
Ransomware’s Impact on Insurance Premiums
According to the 2021 CrowdStrike Global Security Attitude Survey, 66% of organizations suffered at least one ransomware attack in 2021, and as shown in the CrowdStrike 2022 Global Threat Report, ransomware-related data leaks increased 82% from 2020 to 2021. The rise in ransomware is having a direct bearing on cyber insurance premiums and coverage: Marsh’s Global Insurance Market Index states cyber insurance premiums in Q2 2021 increased by 56% in the U.S., driven by the frequency and severity of ransomware claims.
Think from a Cyber Insurer’s Perspective
When buying cyber insurance, organizations are often concerned about business impact, revenue loss and other costs related to downtime after an attack in addition to determining the root cause of that downtime. It’s critical for them to assess their overall risk posture. Cyber insurers work closely with businesses to create a holistic view of systemic and dynamic risks, which directly influence their premium and coverage limit.
Active Directory (AD), often the weakest link in cyber defense, is an example of such risk. Because a majority of ransomware attacks leverage user credentials, organizations should strengthen their identity security posture in a way that works in unison with their endpoint protection strategy. Many of the steps involved in this, such as implementing multifactor authentication (MFA) and managing privileged accounts, are also requirements to meet when purchasing cyber insurance policies.
A Stronger Defense Against Identity-focused Attacks
Modern attacks like ransomware, and the recent Log4j and noPac incidents, primarily consist of two parts:
- Code execution: The adversary may execute code binaries on a single system to gain a foothold;
- Identity access: The adversary leverages credentials to access other systems and critical resources, move laterally and execute the code on multiple systems to encrypt critical data and hold it for a ransom
Note that adversaries targeting organizations with modern threats like ransomware may not necessarily follow the cyber kill chain in a linear manner. That is, they may not always infiltrate the organization through phishing attempts and then running exploit code on vulnerable endpoints. (When they do, CrowdStrike Falcon® Endpoint Protection modules protect by detecting and preventing code execution.) The adversary could instead infiltrate an organization from an endpoint not protected by CrowdStrike technology, and then use a valid compromised identity to access resources and move laterally.
Whichever way adversaries choose to enter the organization, they eventually may leverage workforce identities to move across the network, taking advantage of compromised credentials and weak AD security posture.
MFA’s Role in Identity Protection
MFA has become a crucial method for controlling access to critical applications and resources; even more so with a larger remote workforce across verticals. To protect against ransomware and comply with the baseline security posture, most insurers require organizations to enforce MFA on identities. Insurers may decline to do business with organizations that don’t enforce MFA or deploy endpoint security technology like next-gen antivirus or endpoint detection and response (EDR).
One way to enforce identity verification is to trigger MFA every time a user tries to access a resource or application. This can create MFA fatigue, however, which not only may reduce user productivity but also potentially creates a risk scenario in which the user inadvertently allows access to a malicious sign-in attempt.
CrowdStrike Falcon Identity Protection customers gain a better user experience and improved security with risk-based MFA: the user’s trust is evaluated in real time to determine whether to allow access to specific resources even before the authentication request hits the AD. With baselines and dynamic risks tied to every identity and its behavior, malicious activity — such as lateral movement, risky behavior, unusual endpoint usage, privilege escalation and malicious RDP login attempts — is detected and challenged in real time without requiring cumbersome log analytics or point solutions.
Shift from Narrow Privileged Access Management to Broader Identity Protection
The identity attack surface can be influenced by a single non-privileged account, so you shouldn’t narrow security efforts to only privileged accounts. Although privileged account management (PAM) is considered to be a critical part of cyber insurance by some providers, it’s important to understand that traditional PAM solutions provide visibility into only privileged accounts. In addition to requiring careful planning to deploy and configure a PAM solution, organizations should consider the probability that jump servers can be bypassed and password vaults can be compromised.
Think of PAM as an “operational” solution to “manage” privileged accounts. For example, PAM solutions do not prevent the misuse of valid credentials, they only manage the use of privileged accounts — however, a privileged account from PAM could still be used by a skilled adversary to go undetected within a customer environment.
|Function||PAM||CrowdStrike Falcon Identity Protection|
|ID store visibility||Limited to privileged accounts||All accounts across AD and Azure AD directories|
|Risk posture assessment||Incomplete or limited to privileged accounts||All human, service and privileged identities|
|Deployment||Requires careful planning (jump servers, session brokers and many more)||Rapid deployment and scalability with a cloud-delivered, single lightweight agent architecture|
|User experience (UX)||High user friction (password vaulting, session brokers)||Frictionless MFA/conditional access based on dynamic risk|
|Behavior, deviations monitoring||Limited to only privileged accounts||All accounts|
|Misuse of valid credentials||Not available||Full visibility: detection and prevention|
|Attack path visibility||Limited||Full visibility into the lifecycle of an attack across reconnaissance, lateral movement and persistence|
Falcon Identity Protection automatically classifies and assesses the privileges of all identities — think of it as next-generation privileged access security — with visibility and security control of all accounts tied to AD, Azure AD and SSOs like Okta, Ping and Active Directory Federation Services (ADFS). With identity segmentation and visibility into behavior and risks for all users, organizations can restrict access to high-value resources and stop ransomware attacks from progressing, thus complying with some of the critical cyber insurance requirements by adopting a broader identity protection strategy. Falcon Identity Protection can also complement your PAM solution by enabling holistic visibility, analytics and protection for your privileged identities and service accounts, and enforcement of risk-based MFA — improving the user experience for your administrators.
How Identity Protection Can Accelerate Cyber Insurance Initiatives is written by Narendran Vaideeswaran for www.crowdstrike.com