How a Strong Identity Protection Strategy Can Accelerate Your Cyber Insurance Initiatives

This blog was originally published by CrowdStrike here.

Written by Narendran Vaideeswaran, CrowdStrike.

The growth in frequency and severity of cyberattacks has caused organizations to rethink their security strategies. Major recent security threats, such as high-profile ransomware attacks and the Log4Shell vulnerabilities disclosed in 2021, have led to a greater focus on identity protection as adversaries rely on valid credentials to move laterally across target networks.

Cyber insurers know organizations buying cyber insurance policies must be prepared to detect, mitigate and respond to modern attacks as adversaries evolve their tactics, techniques and procedures (TTPs). These constantly evolving threats have significantly impacted cyber insurance. A strong identity protection strategy can boost enterprise security posture and drive the pace of cyber insurance initiatives.

Ransomware’s Impact on Insurance Premiums

According to the 2021 CrowdStrike Global Security Attitude Survey, 66% of organizations suffered at least one ransomware attack in 2021, and as shown in the CrowdStrike 2022 Global Threat Report, ransomware-related data leaks increased 82% from 2020 to 2021. The rise in ransomware is having a direct bearing on cyber insurance premiums and coverage: Marsh’s Global Insurance Market Index states cyber insurance premiums in Q2 2021 increased by 56% in the U.S., driven by the frequency and severity of ransomware claims.

Think from a Cyber Insurer’s Perspective

When buying cyber insurance, organizations are often concerned about business impact, revenue loss and other costs related to downtime after an attack in addition to determining the root cause of that downtime. It’s critical for them to assess their overall risk posture. Cyber insurers work closely with businesses to create a holistic view of systemic and dynamic risks, which directly influence their premium and coverage limit.

Active Directory (AD), often the weakest link in cyber defense, is an example of such risk. Because a majority of ransomware attacks leverage user credentials, organizations should strengthen their identity security posture in a way that works in unison with their endpoint protection strategy. Many of the steps involved in this, such as implementing multi factor authentication (MFA) and managing privileged accounts, are also requirements to meet when purchasing cyber insurance policies.

A Stronger Defense Against Identity-focused Attacks

Modern attacks like ransomware, and the recent Log4j and noPac incidents, primarily consist of two parts:

• Code execution: The adversary may execute code binaries on a single system to gain a foothold;
• Identity access: The adversary leverages credentials to access other systems and critical resources, move laterally and execute the code on multiple systems to encrypt critical data and hold it for a ransom

Note that adversaries targeting organizations with modern threats like ransomware may not necessarily follow the cyber kill chain in a linear manner. That is, they may not always infiltrate the organization through phishing attempts and then running exploit code on vulnerable endpoints. The adversary could instead infiltrate an organization from an unprotected endpoint, and then use a valid compromised identity to access resources and move laterally.

Whichever way adversaries choose to enter the organization, they eventually may leverage workforce identities to move across the network, taking advantage of compromised credentials and weak AD security posture.

MFA’s Role in Identity Protection

MFA has become a crucial method for controlling access to critical applications and resources; even more so with a larger remote workforce across verticals. To protect against ransomware and comply with the baseline security posture, most insurers require organizations to enforce MFA on identities. Insurers may decline to do business with organizations that don’t enforce MFA or deploy endpoint security technology like next-gen antivirus or endpoint detection and response (EDR).

One way to enforce identity verification is to trigger MFA every time a user tries to access a resource or application. This can create MFA fatigue, however, which not only may reduce user productivity but also potentially creates a risk scenario in which the user inadvertently allows access to a malicious sign-in attempt.

Shift from Narrow Privileged Access Management to Broader Identity Protection

The identity attack surface can be influenced by a single non-privileged account, so you shouldn’t narrow security efforts to only privileged accounts. Although privileged account management (PAM) is considered to be a critical part of cyber insurance by some providers, it’s important to understand that traditional PAM solutions provide visibility into only privileged accounts. In addition to requiring careful planning to deploy and configure a PAM solution, organizations should consider the probability that jump servers can be bypassed and password vaults can be compromised.

Think of PAM as an “operational” solution to “manage” privileged accounts. For example, PAM solutions do not prevent the misuse of valid credentials, they only manage the use of privileged accounts — however, a privileged account from PAM could still be used by a skilled adversary to go undetected within a customer environment.

What’s required is an identity protection solution that automatically classifies and assesses the privileges of all identities — think of it as next-generation privileged access security — with visibility and security control of all accounts tied to AD, Azure AD and SSOs like Okta, Ping and Active Directory Federation Services (ADFS). With identity segmentation and visibility into behavior and risks for all users, organizations can restrict access to high-value resources and stop ransomware attacks from progressing, thus complying with some of the critical cyber insurance requirements by adopting a broader identity protection strategy. Such a solution can also complement your PAM solution by enabling holistic visibility, analytics and protection for your privileged identities and service accounts, and enforcement of risk-based MFA — improving the user experience for your administrators.