Oct 05 2021 12:19 PM - edited Oct 05 2021 01:43 PM
As a continuation of the previous article, which covers using the Microsoft security stack to defend against ransomware, here are some thoughts on ways to get good deals on cyber security insurance using the Microsoft security stack. This article is meant as a general guideline for obtaining good insurance rates for protection against the damages and liabilities caused by ransomware attacks.
As a rule of thumb, the cost of cyber insurance varies from organization to organization and depends on factors like the business's annual revenue, the number of systems, cyber hygiene, the industry the business operates in and the type of data it processes. In addition, a business that has been attacked before will most probably pay more than a business with no history of attack or breach.
If a security incident (caused by a ransomware attack) falls within the insurance policy, the insurance company depends on a thorough investigation to find out what actually happened. If you lack the tools, competence and resources to show proof of what happened, you are entirely dependent on what third-party analysts find out, after the fact. By the time the third-party analysts have scrambled resources and started their investigation, the attackers may already have deleted logs, manipulated registry information and hidden their tracks.
Cyber insurance mostly covers the cost of data reconstruction. However, whether data can be reconstructed depends on many factors, such as whether the freed-up space has been overwritten. For example, the N3tw0rm ransomware uses an unusual way to deprive the victim machine of free space: it fills the disk with temporary files containing only zeros, in an attempt to deny any possibility of data reconstruction. Cyber insurance usually also covers the cost of reinstalling systems and getting your company back up to speed, but you must be aware of the maximum tolerable downtime (MTD) your company can withstand. Even in the best case, where you can tolerate the downtime with minimal costs, your company may get bad publicity. If, however, the MTD has long passed by the time third-party consultants can allocate resources, begin the process, recreate the data, and reinstall and reconnect the systems, the losses may already be extremely high.
Think from the perspective of the insurance company, which has to step in and pay for the financial loss. It will tend to increase the premiums if your company is unprepared for such an attack, or generally has bad cyber hygiene combined with ad-hoc routines. This is because when ransomware hits a company, most operations normally come to a complete halt, which makes it somewhat different from the usual security incident.
It is common practice for insurance companies to partner with third-party specialist companies for data reconstruction, gathering forensic information, reinstalling systems, and finding out what exactly happened and whether data was stolen. Since these third-party companies are most probably not already working with your organization, it may take some time for them to assign resources and start their work. Although most insurance companies pay for these services, it must be understood that not all tangible and intangible losses can be covered by the insurer.
To get good deals on insurance premiums, companies must be able to convince cyber insurers that they live by the principles of due diligence and due care. This means having effective monitoring and vulnerability management systems in place, good policies and procedures to maintain IT hygiene, robust system-patching routines, and an overview of the flow of critical data and the protections around it.
Using Microsoft Azure Security Center we can not only perform security benchmarking but also get near-real-time vulnerability assessment. We get information about where a vulnerability is found and instructions on how to harden those systems and services. It strengthens the security posture and provides advanced threat protection across hybrid workloads and in multi-cloud environments. Using Azure Defender, we can use ML-based Adaptive Application Control (AAC) to allow only whitelisted applications to run. This article shows how AAC maps to the MITRE ATT&CK framework.
The best preventive measure against the impact of a successful ransomware attack is having a robust backup solution. If an organization is missing a backup solution that can be relied on when push comes to shove, the cost of insurance will tend to go up. This is because once data has been encrypted with a strong encryption algorithm, decryption is all but impossible. Your best hope is to have a robust backup solution in place.
With the Azure Backup solution, you can back up not only cloud workloads but also on-premises files, folders and systems, and even entire Windows and Linux virtual machines. You can also back up Azure managed disks, file shares, SQL databases, etc. In the setup offered by Azure Backup, an attacker has no direct access to the backup storage or its contents; even if the environment is already compromised, the existing backups cannot be touched or deleted. With built-in monitoring and alerting capabilities and an added layer of security where a PIN is required to modify backups, Azure Backup is one of the most robust solutions on the market.
Cyber insurance usually also covers the cost of legal proceedings in case of third-party claims or data breaches. But before engaging in such proceedings, the insurance company needs to find out whether the data has actually been breached.
Consider the example of a typical ransomware attack arriving via an email message containing a link to a malicious downloadable file. When the user clicks the link, malware is downloaded onto the system and initiates a command-and-control (C2) connection to the attacker. The attacker, now having an initial foothold, tries to move laterally and manages to get hold of sensitive corporate data, and will adjust the ransom demand accordingly. It is therefore important to have an overview of critical and sensitive information, where it resides and how it flows. If the attacker also successfully exfiltrates the data, you may unfortunately be double-extorted.
With the Microsoft security stack we can get forensic evidence exported to Azure Log Analytics before attackers can delete logs in an attempt to hide their tracks. In the example above, all the events, logs, alerts and entities involved, along with the complete timeline, from email security (using Defender for Office 365), the client machines (using Windows Defender), the cloud and on-premises servers (using Defender for Endpoint), identity information (using Defender for Identity and Azure Identity Protection) and cloud app security (using MCAS) can be exported to Log Analytics. In addition, all of these security tools come pre-integrated with Azure Sentinel, which correlates the information and shows us the complete forensic picture in a single pane of glass.
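The two ideas in the paragraphs above (events from several sensors exported to a central store before the attacker can clear local logs, and those events correlated into one timeline by the entities they share) are shown below in a small added example. It is not code from the article or from any Microsoft product: the JSON records, field names, entity prefixes (`user:`, `host:`, `ip:`) and the pivoting rule are all constructed for this demonstration and follow no real product schema. The pivot is bounded by a hop count, which is the check a practitioner wants so that one busy shared entity (a domain controller or a proxy address) does not drag the whole environment into the timeline.

```python
"""Cross-source forensic timeline from centrally exported events.

Added example (not from the original article or any Microsoft product): the
event records, field names and entity prefixes below are constructed for this
demonstration and do not follow any real product schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export: one JSON record per line, as they might arrive in a
# central workspace from email, endpoint and identity sensors.
SAMPLE_JSONL = """\
{"time": "2021-10-05T08:01:10Z", "source": "email", "type": "url_click", "entities": ["user:alice", "url:example.invalid/invoice"], "detail": "user clicked link in message"}
{"time": "2021-10-05T08:01:32Z", "source": "endpoint", "type": "process_create", "entities": ["host:WS01", "user:alice", "file:invoice.exe"], "detail": "invoice.exe launched from Downloads"}
{"time": "2021-10-05T08:02:05Z", "source": "endpoint", "type": "network_connect", "entities": ["host:WS01", "ip:203.0.113.7"], "detail": "outbound connection to unrecognised address"}
{"time": "2021-10-05T08:15:40Z", "source": "identity", "type": "logon", "entities": ["user:alice", "host:SRV01", "host:WS01"], "detail": "network logon to SRV01 from WS01"}
{"time": "2021-10-05T08:20:12Z", "source": "endpoint", "type": "file_access", "entities": ["host:SRV01", "user:alice", "file:finance/customers.xlsx"], "detail": "bulk read of finance share"}
{"time": "2021-10-05T08:22:01Z", "source": "endpoint", "type": "log_cleared", "entities": ["host:SRV01", "user:alice"], "detail": "Security event log cleared"}
{"time": "2021-10-05T08:30:00Z", "source": "endpoint", "type": "process_create", "entities": ["host:WS07", "user:bob", "file:outlook.exe"], "detail": "unrelated routine activity"}
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    source: str
    type: str
    entities: frozenset[str]
    detail: str


def parse_events(jsonl: str) -> list[Event]:
    """Parse one JSON record per line into Event objects (UTC timestamps)."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, rec["source"], rec["type"], frozenset(rec["entities"]), rec["detail"]))
    return events


def build_timeline(events: list[Event], seed: str, max_hops: int = 2) -> list[Event]:
    """Collect every event reachable from `seed` by pivoting on shared entities.

    Hop 1 takes events that mention the seed directly; each further hop adds
    events sharing an entity with something already collected. Bounding the hop
    count keeps a busy shared entity from pulling in unrelated activity.
    """
    known = {seed}
    selected: list[Event] = []
    remaining = list(events)
    for _ in range(max_hops):
        newly = [ev for ev in remaining if ev.entities & known]
        if not newly:
            break
        selected.extend(newly)
        remaining = [ev for ev in remaining if ev not in newly]
        for ev in newly:
            known |= ev.entities
    return sorted(selected, key=lambda ev: ev.time)


def find_log_tampering(events: list[Event]) -> list[tuple[str, datetime, int]]:
    """For each host whose local log was cleared, count the earlier events from
    that host that survive because they were already exported centrally."""
    findings = []
    for ev in events:
        if ev.type != "log_cleared":
            continue
        for host in sorted(e for e in ev.entities if e.startswith("host:")):
            preserved = sum(
                1 for other in events
                if other is not ev and host in other.entities and other.time < ev.time
            )
            findings.append((host, ev.time, preserved))
    return findings


def render(timeline: list[Event]) -> str:
    """Single-pane view: one line per event, oldest first."""
    return "\n".join(
        f"{ev.time:%H:%M:%S} [{ev.source:8}] {ev.type:16} {ev.detail}" for ev in timeline
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_JSONL)
    print(render(build_timeline(evs, "user:alice")))
    for host, when, kept in find_log_tampering(evs):
        print(f"{host}: log cleared at {when:%H:%M:%S}, {kept} earlier events preserved centrally")
```

Seeded on `user:alice`, the timeline picks up the click, the process launch, the logon to the file server, the bulk read and the log-clearing event directly, and reaches the outbound connection through the shared `host:WS01` on the second hop, while Bob's unrelated activity stays out. The `log_cleared` record on SRV01 is exactly the situation the paragraph describes: the local log is gone, but the two earlier SRV01 events are still in the central copy.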
We can tag data based on criticality and sensitivity and deploy DLP policies on endpoints, in the cloud, on email, in Microsoft Teams, etc. This gives us control of the data flow and helps protect sensitive information, which in turn helps lower cyber insurance premiums.
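To make the tagging-then-policy idea concrete, here is an added example of the two halves of a DLP control in miniature: a classifier that assigns a sensitivity label from what it finds in the content, and a decision function that maps label and channel to allow, audit or block. This is illustration code written for this page, not the article's or any Microsoft product's logic; the detectors (a Luhn-validated payment-card pattern and a confidentiality marker), the label names, the channel names, the `ORG_DOMAINS` set and the policy table are all assumptions constructed for the demonstration. The Luhn check is the detail worth noticing: without it, any sixteen-digit reference number would be tagged as a card and the policy would block legitimate traffic.

```python
"""Sensitivity tagging plus a small DLP decision function.

Added example, not from the original article or any Microsoft product: the
detectors, labels, channel names and policy rules are assumptions constructed
for this demonstration.
"""
from __future__ import annotations

import re

# Internal mail/collaboration domains (constructed); any other destination is external.
ORG_DOMAINS = {"corp.example"}

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
_CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Explicit classification markers an author may put on a document.
_MARKER_RE = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> tuple[str, list[str]]:
    """Return (sensitivity label, detector hits) for a piece of content."""
    hits: list[str] = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("payment_card")
            break               # one confirmed card is enough to drive the label
    if _MARKER_RE.search(text):
        hits.append("confidentiality_marker")
    if "payment_card" in hits:
        return "Highly Confidential", hits
    if hits:
        return "Confidential", hits
    return "General", hits


def evaluate(text: str, channel: str, destination: str | None = None) -> str:
    """Decide "allow", "audit" or "block" for sending `text` over `channel`.

    channel: "email", "teams", "cloud_share" or "removable_media" (constructed names).
    destination: recipient or share domain; None for removable media.
    """
    label, _ = classify(text)
    external = channel == "removable_media" or (
        destination is not None and destination.lower() not in ORG_DOMAINS
    )
    if label == "Highly Confidential" and external:
        return "block"
    if label == "Confidential" and external:
        return "audit"          # allowed, but recorded so it shows up in the incident timeline
    return "allow"


if __name__ == "__main__":
    for sample, channel, dest in [
        ("Invoice paid with card 4111 1111 1111 1111", "email", "partner.example"),
        ("Ref 1234 5678 9012 3456", "email", "partner.example"),
        ("INTERNAL ONLY: Q4 roadmap", "teams", "partner.example"),
    ]:
        print(classify(sample), "->", evaluate(sample, channel, dest))
```

The three sample strings cover the cases that matter: a real-looking card number (the well-known 4111... test number passes Luhn) is blocked when addressed outside `ORG_DOMAINS`, a sixteen-digit reference that fails Luhn is left alone, and an explicitly marked internal document going to an external Teams tenant is allowed but audited, which is the record the forensic timeline later relies on.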