balgan's comments

Remember? Still actively play it! UOForever shard, come join us!




Director of Engineering - Security from Coalition here (we participated in the event). We committed to building more free security tools for all organisations to protect themselves. We've already made Coalition Control, our attack surface discovery and monitoring platform, free (https://control.coalitioninc.com), and we will continue to add more features and more tools for free there. If there are any questions, I am happy to answer them!


What kind of standards could you create?

Some thoughts:

1) Certain infrastructure should be off the net automatically - pipelines, water treatment plants and similar things (or online with hardware-guaranteed one-way connections).

2) Standards for testing backups.

3) Standards for IoT devices (a million insecure Internet light bulbs, what could possibly go wrong).

4) Standards for not having a hundred companies auto-updating onto the systems of critical infrastructure companies.


The great thing about insurance is that we don't just get to create baselines our policyholders must adhere to, we also get to enforce them. A perfect example of this is that anyone who has a policy with us must have RDP behind a VPN or whitelisted only to specific IPs. I spent years trying for free to convince orgs to do this and was ignored; here we convince all our policyholders to do it, and every day more and more companies as we onboard them.

For backups, not only do they need to have them, they need to be tested, kept offline and encrypted - this doesn't apply to all; it's split by revenue bands/industry/a mix of other logic.

IoT devices - they get notified in Control if we find any on the internet and are told not to have them directly exposed.


The same thing we do with RDP we also do with any critical vulnerability: we notify customers in Control (for example, all of the latest Exchange vulns).


Thanks balgan!

* Do you know if there are any follow up meetings planned? Did they discuss some kind of process?

* what were the main concerns discussed?

* interesting to find out about the coalition (I was briefly involved in a similar insurance setup in my home country). Is your ‘baseline’ derived from some standard? Can I find it online?


Hey

Yes, the group will continue to meet and I believe more will come out over time as we start to better define how we as private entities can help the gov.

Ransomware and attacks on critical infra were the big ones - Joshua our CEO wrote a bit about it here https://www.coalitioninc.com/blog/coalition-meets-with-presi...

Our baseline is internal. We are with our customers end to end, from selling the policy to scanning them and notifying them, and we have our own incident response team, which means that we learn a lot with every claim. So when we add a vulnerability in critical state in Control, you can assume it came from learnings of losses combined with our cybersecurity expertise.


Nice feedback loop you have there! (re last point). If you can point to the actual proven 'indicators of risk' instead of flagging every potential issue under the sun, everyone is going to love you!

I look forward to a summary report on incidents somewhere in the future ;)


There are multiple parts to the underwriting process (full disclosure: I run the team that does data collection and security at Coalition, where the OP you're replying to works). Part of the data we collect is used for risk selection (do we want you on our book?) and the other piece is used for pricing, and that's where technologies, providers and a lot of other things come in! Let me know if you have any questions!


Super cool of you to respond. You're solving one of the most interesting problems in security. I worked on a concept for modelling an SPV for an event driven ILS for cyber policies many years ago, and the barrier was the bond modelling people wanted a standardized risk model signed off by a university, which to me seemed like /dev/null for risk, and seemed to miss the point. I'm just excitable about that topic, it's probably not a useful public discussion, I'll certainly keep an eye to what you're doing for my institutional clients. Rooting for you.


Hi, person responsible for the teams that do this at Coalition! Any time you get a quote from us, we scan all your domains, subdomains and IP addresses. We hit the main ports that might have services running that we know are dangerous, and your quote might come back contingent on certain actions; for example, if you have admin panels exposed to the internet we will require that you put them behind a VPN. We give you a PDF that describes all our findings and how we did the association with your org. If you become a policyholder, we offer perimeter scanning and notify you when we find weird stuff, and make security experts available at no cost to help you fix things! You can read more about it here https://www.coalitioninc.com/blog/analyzing-policyholders-te... though what we do at underwriting time has substantially evolved since. Ask me anything here or on twitter @balgan.


Great job team!


Definitely not, as large parts of it aren't even used. Current techniques involve building lists of active ranges and focusing the scan on those.


Isn't the routing table flat? Shouldn't there just be a big list of all global active IPs?


CEO of BinaryEdge here, you're 100% right. If I showed you the queue of posts we have, you'd see similar posts to this one just with different technologies that we have seen being infected or misused (etcd, docker, and about 10 or 20 more types of DBs).


We respect a blacklist; just drop us an email at info@binaryedge.io and we can add your IPs to the blacklist and we will never touch them again!
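The two BinaryEdge comments above describe how internet-wide scanners actually pick targets: start from the prefixes that are really announced rather than all of IPv4, and carve out networks whose owners asked not to be scanned. The following is an added example illustrating that technique; it is not BinaryEdge's or Coalition's code. The announced prefixes and the opt-out entry are constructed sample data (RFC 5737 documentation ranges standing in for real customer space), and the bogon list is deliberately partial for that reason; a production list would include the RFC 5737 ranges themselves.

```python
"""Build an internet-scan target list from announced prefixes.

Added example, not the code of any company in the thread. Technique:
  1. collapse the announced prefixes (merge adjacent ones, drop more-specifics),
  2. subtract reserved/unroutable space (bogons),
  3. subtract opt-out networks that asked never to be scanned,
then report how much of the 2^32 IPv4 space is actually left to scan.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample of "announced" prefixes, as a BGP feed might hand them over.
# Uses RFC 5737 documentation ranges as stand-ins for real public space.
ANNOUNCED_PREFIXES = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the above: collapses into 203.0.113.0/24
    "198.51.100.0/24",
    "198.51.100.0/26",    # more-specific of the above: swallowed by the /24
    "10.0.0.0/8",         # RFC 1918 leak: announced, but never a valid target
    "192.0.2.0/24",
]

# Partial bogon list (assumption for this example: RFC 5737 ranges are omitted
# because they serve as the sample "customer" space above).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed opt-out: a host whose owner emailed the scanner and asked to be excluded.
OPT_OUTS = ["203.0.113.200/32"]


def collapse(prefixes: Iterable[str]) -> List[IPv4Net]:
    """Merge adjacent prefixes and drop prefixes contained in a larger one."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def subtract(networks: Iterable[IPv4Net], excluded: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Remove every address covered by `excluded` from `networks`.

    Two CIDR prefixes that overlap always nest, so each network is either
    untouched, entirely excluded, or split around the excluded block.
    """
    remaining = list(networks)
    for ex in excluded:
        keep: List[IPv4Net] = []
        for net in remaining:
            if not net.overlaps(ex):
                keep.append(net)
            elif net.subnet_of(ex):
                continue  # fully inside the excluded block: drop it
            else:
                keep.extend(net.address_exclude(ex))  # ex is inside net: punch a hole
        remaining = keep
    return list(ipaddress.collapse_addresses(remaining))


def build_targets(announced: Iterable[str] = ANNOUNCED_PREFIXES,
                  bogons: Iterable[IPv4Net] = BOGONS,
                  opt_outs: Iterable[str] = OPT_OUTS) -> List[IPv4Net]:
    """Active ranges minus bogons minus opt-outs: the list a scanner should walk."""
    active = collapse(announced)
    active = subtract(active, bogons)
    return subtract(active, [ipaddress.ip_network(o) for o in opt_outs])


def address_count(targets: Iterable[IPv4Net]) -> int:
    return sum(net.num_addresses for net in targets)


def coverage_fraction(targets: Iterable[IPv4Net]) -> float:
    """Share of the full IPv4 space the target list covers."""
    return address_count(targets) / 2 ** 32


def is_target(targets: Iterable[IPv4Net], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in targets)


if __name__ == "__main__":
    targets = build_targets()
    for net in targets:
        print(net)
    print(f"{address_count(targets)} addresses, {coverage_fraction(targets):.2e} of IPv4")
```

The opt-out handling is the part that is easy to get wrong: excluding a single /32 from a /24 leaves eight prefixes, not a contiguous range, which is why the result is re-collapsed and looked up with `is_target` rather than compared by hand.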


Please just set up some sort of robots.txt related thing.

E-mailing every single company that does this is ridiculous.

