Jed and Anthony delve into real questions from a cybersecurity policy application and discuss the ideas behind them.
Anthony DeGraw: Welcome everybody to another episode of The Helpdesk, hosted by Integris. We have Jed back on, this is my favorite Friday weekly content creation session with the man the myth, the legend, Jed, he’s down out of our Atlanta office. I am Anthony DeGraw. I’m up out of our New Jersey office. And today, Jed has some more stuff in the realm of cyber insurance applications and minimum standards that we’re going to continue to follow up on.
If you don’t like to consume audio. And you prefer the written word or blog posts. Jed has also put all of this together in a very nice, easy to read format that will be going live on the Integris blog as well in the near future here. So with that, I’m handing the keys of the kingdom over to Jed.
Jed Fearon: Thank you so much, Anthony. We are going to try to make a cybersecurity insurance application more interesting than it actually is. But I think the good news about what we’re talking about today is if there are insurance guidelines that clearly spell out what they want, then you would have a lot more ammunition to put the right IT systems in place.
You wouldn’t be gambling or speculating. No one likes to spend extra money on new things. But if there’s a good business reason to do it, it certainly makes it more palatable.
The “end all be all” cybersecurity solution
Anthony DeGraw: I think that’s a great way to say it, right? Like a lot of times. And I feel like this is probably going on for the last 5, 10, 15 years for some small business owners.
Medium-size, even mid-market and enterprise where it’s, I’m getting sold this, another cybersecurity solution that is supposed to be the end, all be all of everything in cyber. And I think to your point, the insurance marketplace, the carriers and whatnot are now starting to back up some of those solutions.
And they’re saying, Hey, these are the based on our research and what we know and the breaches we’ve seen and the remediation and claims and all of that. These are the minimum things we want in place, which to your point is now guiding small, medium sized businesses whoever’s going to get cyber insurance to understand, oh yeah, these are the things I should be putting into place to protect my environment and my business.
And now let me go execute on those things.
Jed Fearon: Definitely. I think it’s also a great ammunition to make a business case to a CFO. He or she is really watching the money, the P&Q’s. So if you can bring him or her documentation, then I think it’s almost a slam dunk. I’m not going to say a hundred percent, but it certainly makes it a less dramatic conversation.
So why don’t we get into a few of the questions right now?
Jed Fearon: This is from a section of a cyber application called ransomware preparedness. And it’s very important because anyone who is on LinkedIn or any sort of news source knows that ransomware is taking off, it’s exploding more and more each year. So one of the ways to curtail, you can’t completely prevent it, but certainly curtail it somewhat, is the use of endpoint protection. So the first question that they might ask a business is, do you use endpoint protection across your networks? Yes or no. And then Anthony, maybe you could get into what that means.
Anthony DeGraw: Absolutely. So endpoint protection there’s all different layers of cybersecurity and endpoint protection happens to be one of them.
Why is it called endpoint and what is an endpoint? So endpoint is anything in the network. Most users are going to be familiar with things like servers and switches and firewalls. And then most importantly their workstation would, that could be a laptop, it could be a desktop. And the goal is how do we protect that end point, especially as things move outside of the office. So even pre COVID. When we started to see some work from home or work from anywhere or people traveling what that caused is people were outside of their network. And soon as they got outside of that network, they became outside of the protection.
That the IT teams could put in place within the physical walls of their office. So the way the industry went is, we need to protect the actual endpoint, wherever it may sit in the world. And that’s where you got endpoint protection specifically around laptops right now is one of the main points that a lot of people are thinking about.
And the endpoint protections that we’ve known and used over, the most recent years, even 10, 15 years ago are what are called traditional based anti-virus systems. And those anti-virus systems are looking for malicious code, malware, and things like that based on a specific definition. So a definition of code is understood by the endpoint protection software and it is constantly looking for those things, those definitions, those codes, that trigger that on the actual endpoint. And that’s been very good. However, times have changed. And I know we’re going to get into that with the next question. So I’m not going to get ahead of myself, but it worked very well.
It helped. There was many different varieties of endpoint protection and it was one of the layers that a company could put in place that better protect themselves. So that’s what endpoint protection is. It’s a minimum standard at Integris. You need to have it as one of the layers that we require going into it.
And now, as you can see on this application, the cyber insurance marketplace is also looking for whether or not an organization has that in place to offer them cyber insurance.
Jed Fearon: And I’ve seen applications that ask for items by brand name.
Anthony DeGraw: Yeah.
Jed Fearon: So that shows they’re really learning more about IT systems.
Across the network
Jed Fearon: Well, the second question fits in perfectly, do you use endpoint detection and response across your network. So different than protection detection and response? Yes or no?
Anthony DeGraw: Absolutely. So this is that next phase, right? That first phase, which we just discussed was the beginning phase. And it worked well for the time that being said, times change technology changes rapidly.
Cyber threat actors know exactly what they were going against and then how to avoid those systems. Even as we were talking about that first question of what is endpoint protection and why you need the end points. A traditional old school bank, right? That we used to have to protect ourselves from getting robbed because of the money sat in the safe, which was inside the four walls, which was then inside this safe.
And we did everything we could around that building to make sure the money was protected within the four walls. And then what happened? You get online banking, right? Are all of these online financial systems-
Jed Fearon: What could go wrong?
Anthony DeGraw: Right. Exactly. And now I’m not so much worried about the four walls of my bank because most banks don’t carry more than probably, I don’t know, $10,000.
I don’t know the actual number. So it doesn’t even make it worth while anymore. Not that I’m saying you shouldn’t do this, but to rob a bank. Because the money doesn’t sit there anymore. But where is it? It’s all online. So now the cyber threat actors are not going after. They’re not walking in the front door.
Now they’re trying to get in the back door, which is all online. So as with that, the same thing has happened with malicious software and malicious code, malware. And the way people are getting to the endpoint and what they’re doing, just a refresher, a definition based anti-virus system would need to know the definition of that code.
They’d have to be able to take that and scan it against the endpoint that it’s sitting on. What happens when that code is getting released or updated rapidly and that’s what’s happened now is the legacy endpoint protection providers could not keep up with the speed at which these malicious codes were coming out.
So the endpoint protection universe had to come up with a different way to protect. And that’s where you get into EDR or endpoint detection and response. And these new EDR systems are called behavior based. And what they’re trying to say is that, they’ll use next gen, they’ll use AI, they’ll use machine learning in their marketing.
But what they’re really saying, or the way they’re acting right now is that instead of trying to protect Jed against a known threat that may evolve and that I can’t keep up with the speed of. Rather than doing that, what I’m going to do is I’m going to just learn how Jed works every single day.
And I’m going to the AI, the machine learning, I’m going to see Jed opens Google Chrome every day. He opens HubSpot. He opens the website, he opens the CRM system. He opens the ERP system. He normally has five tabs open on his browser. He typically doesn’t download much or a certain amount of side. Typically-
Jed Fearon: Not even any more, I don’t download anything anymore.
Anthony DeGraw: Exactly. He uploads X amount. But the point being that system is now learning Jared’s behaviors. So what happens? All right. Jed clicks on the bad link or he downloads the bad attachment. And it starts going crazy in the background.
Jed doesn’t even know what’s going on. He may not even see it as a typical end user. All of the things that that that code is doing in the background, but the endpoint deduction response system is, and all of a sudden, within seconds, it’s triggered. Hey, this is not typical Jed activity on this device.
And they do all different types of things, but it’ll shut the system down. It’ll disconnect it from the internet. It will separate it out from the network. Basically, it’ll take Jed’s machine completely offline, to prevent any future damage or depth to the attack as it is happening.
So it has a really good ability to limit the attack and in split seconds act on activity that is not typical to the end user or in the network, wherever else the system may be deployed. So that’s the biggest difference.
Zero day vulnerabilities
Anthony DeGraw: And one other term I wanted to get in here, just so we make sure we get it out there is zero day vulnerabilities. The reason that-
Jed Fearon: I was about to bring that up, you read my mind.
Anthony DeGraw: Yeah. I was trying to figure out how to weave that in the zero day vulnerabilities are the reason you’re seeing the switch from the traditional based systems to the EDR systems. Is the zero day vulnerabilities, as in the name, they come in so fast that the systems just can’t compete with those because what has to happen? The endpoint protection provider has to understand it. They have to update the solution. Then they have to deploy that update across everybody that has that in place. Most people, as we know, don’t update their systems, they don’t do it regularly, at best they do it every 30 days. And that’s where you see that traditional based EPP system completely diminished and where a behavioral based system makes more sense. And it’s all because of zero day vulnerabilities.
Jed Fearon: Well done. I think you’re ready for the next question.
Anthony DeGraw: Here we go.
Hardened baseline configuration across devices
Jed Fearon: Have you implemented a hardened baseline configuration? Across servers, laptops, desktops, and managed mobile devices.
Anthony DeGraw: Yeah. And the answer, I can almost guarantee this for 80%, if not more, of businesses is the answer to this is no. A matter of fact, I just got done yesterday. So as early as yesterday we just completed an assessment on a smaller sized law firm, 15 employees, and very basic things.
Password policies, group policies, screen lockout policies, local administrative rights, all different things that this question is asking are not in place. And the way we adapt-
Jed Fearon: We’re talking about the basic group settings from Microsoft.
Anthony DeGraw: Exactly correct. And it typically isn’t in a lot of the environments, it is not in place. Whether it’s active directory or the group policies, all of these things, which we call free security, by the way. To do these things. You do not need to buy anything. You don’t have to buy an endpoint detection and response system. You don’t, you just need to know how to set it up properly.
And that’s why it’s so important to work with the right type of firm. Employ the right type of people to get this done, right? The people that know this kind of stuff. And a lot of times the people that are employing those firms or employing those people don’t know the right questions to ask. So the answer here is that most of the times this is a no.
And as I mentioned already we mentioned a couple of things, group policies, active directory. It can be used for this. And then for the mobile devices, you have mobile device management. I don’t think I’ve walked into one company right now that has had mobile device management in place that, and it hasn’t been a gap that we’ve listed somewhere.
And the whole point of that is you switched on the mobile device side. Companies would give you from the it department, a Blackberry, or they’d give you after a little while, but people started getting the iPhones.
And then all of a sudden you saw this switch of the company saying, you know what? We don’t want to buy all these devices. We don’t want to buy all this data plans and minutes and all this. People don’t like, maybe blackberries anymore, or they want a Android or what, we don’t want to deal with it.
So why don’t we do something different called bring your own device? And that’s what a lot of companies did. The issues with that is they lost full control of their data. Soon as they allowed other folks to bring their devices and load up their email and calendars and documents and all of that directly on their phone or their tablets that they bought personally.
So you should have a mobile device management or an MDM solution in place. There’s many of them out there. And what that allows the organization to do is give the freedom and flexibility to the employees so they can pick their devices. They can pick their carrier, all of that. But it allows the organization to containerize their data, their business data on that person’s cell phone or tablet. So it’s almost the best of both worlds which is an interesting thing, but yeah, most of the time in terms of hardening the baseline configuration across servers, laptops, desktops, and mobile devices, it’s not there. It is free to do, free in the sense of you don’t have to buy something to do it. You do need to spend some time, human time, human capital on making sure it’s set up properly.
Jed Fearon: You’re right about time and human capital. When I was preparing for this interview and writing a blog on the same topic, I went to Microsoft’s page for baseline configurations, and it was a good 20 minute read with dozens of links and related topics, but it really requires knowing what you’re doing and also having an attention span to set it up where there’s a sheet of music where there’s a grounds for comparison, like a gold standard, if you will.
Anthony DeGraw: I don’t know if you Jed, you saw this while you were there, but they’ll tout all the time.
And we talked about this too. Just kind of piece of this question. Microsoft, if you go to their site, they’ll show you, they’ll tell you that there’s a thousand security features and checkboxes within the admin portal of Microsoft 365. And a lot of people don’t know that. And the same thing that they’re asking here about physical infrastructure, physical devices, like servers and laptops.
The same question could be asked about cloud environments, right? Because of those thousand checkboxes in Microsoft, how many did you click off? Most of the time they’re setting it up with nothing in place. Because it may create a user issue. It may not connect well with something else and they don’t know how to configure it.
So there’s a lot of different versions of this, but yeah, one of our finding our typical finding in the cloud environments is a true evaluation of what’s in place, minimum standards and whatnot for that as well.
Jed Fearon: Well, I think people would, you know, IT folks that maybe don’t have all their certifications that might be doing it casually wouldn’t understand the interdependencies between the different settings.
So they might set up something the right way within that disabled something else. And doesn’t take into consideration if we’re talking cloud. It might, take the server, the legacy server offline. There’s a lot of information to unpack there.
Anthony DeGraw: Yeah, that happens all the time with like basic example there’s firewalls, right?
We’ll go in. We’ll do an analysis on the firewall. Open it up. Look at the configuration. And half of the settings are turned off and I always say the customer purchased the right device or the recommended device. Then the person who set it up couldn’t figure out how to make all the security settings that come with that device to work with the rest of the network. So therefore we just turn everything off, close our eyes and keep moving forward. It’s not the right way to do it.
Target time to deploy critical patches
Jed Fearon: So the next question is, what is your target time to deploy critical patches?
And the first option is fewer than 30 days. Then it’s 30 to 90 days. Then number three is 90 to 180 days. And then the fourth option is more than 180 days. Insurance companies want to know, what say you Anthony?
Anthony DeGraw: Yeah. Very similar path is what we’ve talked about here. So once again, I’ll bring up the smaller law firm, but this could be duplicated in any type of environment.
The patches we found on the servers and endpoints, the last time they were done was six months ago. We’ll have that. And the last time they were done. So before the six months, so go back six months, they were done then. So it’s been six months before that it was three years.
Jed Fearon: That sounds like a zero day vulnerability open house.
Anthony DeGraw: Exactly. They had over three years at one point, they’ve had six months since they’ve been done again.
And what is it, once again? Another version of free security, the operating systems, the third parties are telling you here’s my patch. Please deploy it. We know about this vulnerability. We’ve given you the fix. Please do it. And it just, it doesn’t get done.
I’ll hit this on two different angles. On the IT side. So when we have folks that have IT teams in place what happens here is they don’t have a defined process. It takes one of their team members. They have to do it overnight or on the weekends.
And therefore they’re utilizing one of their few resources to do something overnight for 12 hours or possibly all weekend long from the stories I’ve been told. And then what happens is that person is now down for a day off or whatnot because they have to recuperate from that. So therefore they lose them on their service side.
And that’s why they don’t like to do it. That’s an example that I have from within smaller IT teams. And even some larger ones in other ones, they just don’t like doing it. It’s to be very honest and frank, it’s a pain in the ass. For instance, Microsoft will release a patch. And you actually have to go test that patch in another environment to make sure that it doesn’t screw everything else up.
There’s been numerous cases of Microsoft will release a patch as quickly as possible. You’ll go and deploy that patch in the environment and it blows up the environment and causes so much more issues. So there’s a standardized process that a team needs to take. To get the patch, test the patch, then deploy the patch and then deal with the issues that come from the patch being deployed.
Hopefully none, but it does come up. So I would say my gut here would say that most organizations are in that three to six month time window, depending on the look and feel of their team. I would say best practices, is obviously you would like to do it within 30 days. My gut would tell me that within 30 to 60 days would be a pretty solid best practice.
One of the main reasons why I go a little bit longer than 30 days is to make sure that the test of the patch is happening before it’s actually deployed, which can take some time as well. So yeah, that less than 30 days is ideal. I think within 60 days you’re going to be okay. But yeah, all the time and it’s not just operating systems, right?
It’s not just Windows or Microsoft. It’s also things like Adobe, things like Java. A lot of times those are getting caught after because they’re on everybody’s end points but as an easy target and those also need to be patched. So at the end result of this, if you have a company like an Integris do this, is you should get a patch compliance report.
It’s its own deliverable. It should be given to you every 30 days. And then don’t tell you where you are in terms of patch compliance. Usually it’s never going to be a hundred percent. And there’s reasons for that. An employee has a laptop at a remote location or in their home and they haven’t powered it on in three months or something like that.
So they’re there, there’s some outliers here, but the end result is to understand where you are, what end points aren’t patched. And then how do we get them patched?
Segregating end-of-life hardware and systems
Jed Fearon: Well said, well said. So the fifth question and I had fun writing about this. Do you segregate end of life or out of support hardware and systems.
And I definitely, when I was answering this, I was fairly opinionated. I said, segregating them as a step in the right direction. Pardon the bossiness and advance. I recommend retiring them because they’re no longer patched and updated.
Anthony DeGraw: So I’m going to actually read you. I’m just pulling up on my other screen here, the actual finding. Give me one second because this talks perfectly. Here we go.
Hardware and software lifecycle management is a gap, lack of standardization. And this could be, this is a perfect use case for a lot of different organization. The organization has a mix of HP, Lenovo, Apple and Dell systems. We’re all over the place. Basically go to your local Best Buy and pick up a device.
Not a good thing to do. And there’s also business implications and business productivity, things that I could touch on as well. Jed, you may want to remind me because I may forget after I get through this some business use cases, not just the security use case on this one. More than 50% of the environment computers are outside of their three-year warranty periods and approximately five years old. The switches are aging and support for them is end of life in April of ’23. Additionally the server is over five years old and the extended warranty expires in June of this year. The server that runs the entire environment.
It was also noted the operating system is end of life, as of March 2020. That happened to be two years ago. Additionally the server is running 2008 R2 and is still on the network, which has been proven and written about extensively on the internet about how vulnerable that is. And that server went end of life in January of 2020, exactly two years ago.
And our executive summary here is that these things are constantly changing. You have warranties, you have end of life, and you have the average age of the device or the unit that we’re talking about. And obviously, for the use case of support is end of life, right?
We’re January 2020s of the world for support. That means those providers, those manufacturers of those systems that they have written it off. They’ve literally written it off. If we are not going to focus any more energy or attention on this system. It’s on you now, you need to upgrade basically is what they’re saying.
And they’re fairly, what’s the word I’m looking for?
Jed Fearon: Lenient?
Anthony DeGraw: Lenient. Yeah.
Jed Fearon: Drag it out quite a bit.
Anthony DeGraw: Exactly. And you can buy one year extended service packs and things like that. So they’re fairly lenient, but eventually they do put their foot in the ground and say, we’re done.
We’re not working on this anymore. So that’s, that’s a clear red flag, right? That needs to be retired and you need to have a plan for that. And your technology providers should be helping you with. Or your IT teams should be showing you that. The next thing, the next area I would go to, so that’s the most extreme. In the middle you have outside or age, right in the middle, you have age as the middle ground, right?
This thing, this laptop that I’m talking on right now is five years old. It’s not, but I’m using that as an example. It’s five years old and the average business laptop three to five years is probably really well, you got your money out of. The potential that laptop shuts down or just blows up on me and a user that in that employee could be down for a day or two.
And with today’s supply chain issues, who knows how long that could take to get it fixed or get them a new end point. So that can be an issue. And you want to stay ahead of that. And then the earliest one is the warranty. You can have three-year warranties, four-year warranties, and five-year warranties, right?
You can extend those, but our rule of thumb per se, is that, you want every device in your network under a warranty, because like I said, if it goes to down or it blows up, switch it out, switch it in and you’re and you keep moving. So yeah, that’s what we see in terms of understanding and expiring systems and hardware,
Jed Fearon: When you mentioned system. That’s a great theme for how you have global security, expansive security across an enterprise. And the whole idea of having end of life assets that are segregated and not on the network. Or maybe not on the network all the time. And it seems like they would be cracks in the foundation because I think the whole idea is that you put a hardened shell around your environment and then apply standards and baselines, for comparison and improvement policies.
Planning for end-of-life equipment financially
Anthony DeGraw: There’s a financial impact on this as well. And I love it having the financial conversation with organizations, CFOs and controllers, and you want to get ahead of this. Everybody talks about them not wanting to spend money and that’s not typically what I’ve seen is they need to be educated on when and how, and have a plan for it.
They don’t want it sprung on them. They don’t want, I have to spend $50,000 this year to get to baseline. And I didn’t know that. They wanted articulated to them and all of these things can be planned out. When three years is up, when five years is up, your IT provider can tell you the average life of the server that you just purchased or whatnot.
And that should be communicated to them.
Security Operations Centers
Jed Fearon: That is a perfect lead into our final question. And in my blog on this topic, I definitely honed in on the word established because I don’t really feel that’s realistic, but here’s the question. And then you could agree or disagree whether or not established is the right word.
How do you establish a Security Operations Center.
Anthony DeGraw: Yeah. I’ve haven’t walked into any clients in my time that have a Security Operation Center. I haven’t walked into many or any Managed Service or IT providers that have a full-blown Security Operation Center. A lot of those organizations are reaching out to third parties if they’re even thinking about it to facilitate utilizing them as part of the solution in.
So I, my gut would tell me this question is answered no 99% of the time. And it’s another reason why you would engage a Managed IT Service Provider that has a high level of operational maturity and scale to provide that type of solution to you. And I’ll keep that one short and brief, cause I think it’s pretty cut and dry from what I’ve seen.
Jed Fearon: So ConnectWise has a fantastic portfolio of Security Operation Center as a Service.
Anthony DeGraw: Yep.
Jed Fearon: Based on acquisitions they’ve made recently, but that would be a way to bundle in. And just for the audience that doesn’t know, this ConnectWise is the leading management software for MSPs and we use ConnectWise.
So they have these fantastic services that are rolled in that you can get various increments applied to your environment, which you wouldn’t build out your own Security Operation Center. But it would be something you’d subscribe to and ConnectWise could certainly make that a lot easier.
Anthony DeGraw: Yeah. And they’re one of our partners, we have a few other partners that are in this realm as well, but yeah, this is something you’re going to go outside of.
You’re not going to know how to hire for it. It’s going to be very expensive, the talent. And even if you were able to attract that talent into your organization, they’re going to get bored fairly quickly working on such a smaller environment, right? The these individuals want to be seen thousands, tens of thousands of endpoints working on active things all the time.
So yeah, it’s complex and I wouldn’t think that most, I wouldn’t even recommend that most businesses put that into place.
Working with IT provider for cyber policy approvals
Anthony DeGraw: So everything that we’ve talked about today, Anthony, if you’re going to run it by your insurance company and get help with your MSP presenting it, all of it’s managed, the reports are managed by ConnectWise professional services, automation and then remote monitoring and management tools, which create all of these inventory reports called an IT roadmap, but all the documentation that you would need to show your insurance company. So they approve you for your cyber policy.
Yeah, absolutely. You would work with your IT provider to come up and make sure that these things are getting done. Some of these things I mentioned, most of these questions are free, right? Maybe three of the five were, Hey, this is free to do. Or a solution needs to be put in place. A lot of times, it’s just making sure that it’s getting done. Typically we find that folks are paying for that service, but then when you go into assess it, it’s not actually happening. So yeah, part of this hopefully leads businesses to ask the right questions because insurance is asking for it to providers or to their IT teams to make sure that they’re doing what they’re supposed to be doing.
And then not just ask the question and get a yes or a no. Get documentation to prove it, as Jed just mentioned.
There’s, a lot of times we ask questions of folks and we get the right answer or the smart answer, but when you go one layer more, you get the wrong answer. So make sure you’re going one more layer than just asking the question.
Jed Fearon: That’s a great response. I’m looking forward to our next session.
Anthony DeGraw: Awesome. Jed. Thank you so much, man. Appreciate it.
Jed Fearon: Appreciate it, buddy. You have a great weekend.